found a bank using unsecure wireless

i was wardrivin today out havin fun and just messin around, found the usual 'default' 'linksys' and the stupid stuff people dont change, found only a couple wep enabled AP's, and then....i found a ssid of 'finance' as i was driving by a bank. i pulled over and parked, and sat there in awe. a banks finance department, using wireless that is un-encrypted (even if it was it'd be crackable) i didnt know what to do. i always do everything legal and dont actually connect to AP's, just log traffic with kismet and airsnort, finding anywhere from 80 to 120 wireless AP's. so im in a pickle, do i just let the bank go by their business, and hope nothing bad happens, or should i let them know....'hey your broadcasting your customers financial information out in the public air unecrypted for anyone to see' and risk gettin a bad look and in trouble (i havent done anything legal but they might freak out) or what? really i'd like some advice on what to do. i know its not illegal just wardrivin only when you connect to them, and i havent connected. i'd like to inform them and maybe tell them to set up wep or wpa or whatever just to keep anything from bad happening, but i also might get in trouble for stumbling accross a bank institutions unencrypted network...advice please??? thanks.

hi,
you should definetely tell them. I believe that you have a certain moral responsability in protecting innocents (the bank's customers) against possible harm.

However, I do understand the situation that you are in: I was in similar situation last year, except with a pharmacy using insecure wireless were presciptions and the medical history of patients was transmitted...

If you want to make sure that you don't get into any trouble, just send them an anonymous letter explaining the situation and possible ways of resolving it.

On the other hand, I'm sure that they would much appreciate it if you set up an appointement with the branch director and explained him the situation. In most case, they will see the intent behind the action and will be thankful.

hope this helps...

all the best,
banshee

guess im not really in a 'situation', guess im just more nervous about tellin the guy his network is sort of open. im pretty convinced im gonna tell them now about it, just hoping they dont flip or something.

maybe just a phone call explaining everything? Or, print out this page and set up an appointment with a director and explain your concern for the customers and their data (are you a patron of that particular bank as well? That might help keep things calm with the person you speak with) I think its an honest thing expressing your concern. Of course, if you speak with some un-informed average joe, he might think your discovery of the signal might constitute as 'hacking'. I, as well as most everyone here (IMO) do NOT think you have done anything illegal or wrong.

-summary-

just tell them the truth. If i were a bank, i would want someone to let me know that my door was wide open, and hopefully the person you speak with would want the same thing.


-z3

enron Part 2 gonna hapen. in this case the customers will lose

so tell the authorities and u dunno may get a reward

commision here too.... heh h e eh


;)

First off I would check out if there was a diner or something of the sort close to the bank. If there is I would then go and have a coffee there and see if I could pick up the network. If that was sucessfull then I would go to the bank and tell them you were working on your laptop and noticed that your wireless card was picking up a connection and you traced it to them. Otherwise tell them you were thinking of opening an account with them and you wanted to make sure their IT system was secure.

edit if they get difficult and start making threats just make the point it is like they left their keys in the door and instead of walking off with the keys you knock on the door to let them know.
Let us know what happens in any case.

Quote:

---

i always do everything legal and dont actually connect to AP's, just log traffic with kismet and airsnort i'd like to inform them

---

Banks use to be very nervous about this kind of news. Even you are legal (that activity isnt legal here), i advise you to inform them ANONYMOUSLY.

Print all data, write a letter and send it thru regular mail. Address your letter to Internal Audit Dept. Be clear that is not a threat, you just picked traffic by "accident" (dont go further about your wardriving) and you are trying to help them to fix the problem.

Only a very small percentage of banks use wireless. Chances are this is some dumbsh! user who thought it would be cool to smack a wireless gateway to sync his palm. Drop a note in the night deposit "Attention IS Manager" or something or call and ask for the Bank Security Officer who is outside IT (hopefully).

Or something being overlooked.

Possible HoneyPot.
I mean the ssid is finance. Just sounds so sweet to your blackhat wardriver.

If it is like a small local bank then it is also very possibly just some dumb IT staff.
Tell them there open then. A phone call from a pay phone if you want to be anonymous.
Its really up to you, you have no obligation to tell them.

I have also stumbled upon a local bank that is using unsecure wireless, and informed them thru before written letter and via email. That was several months ago, yet as far as I can tell, nothing has changed.
I can sit in the shopping center parking lot, or for more comfortable, at Dunkin Dounuts. can gateway out thru them all day long. I can NOT however access anything on their local network, it appears to be a simple internet gateway, and that is all (not that I looked TOOO hard).
I personally wouldnt worry too much about informing them, I would just tell them you were using your notebook in the care, and picked up the signal. Hell tell them you were in your contact manager looking up a cellphone number.
Unless you have tried to break into their net, and tripped al sorts of alerts, you really havent done anything wrong. Make sure you document everything the best you can, and I am sure that if they decide to bonehead into causing you trouble, they won't like their name on the front page of the local paper "Bank using unsecure network".
Your call, but I would inform them.

MrCoffee

Ethics says go in, tell the bank manager, SHOW him how you found it, then hit him up for a high paying IT job - or a contractor 'fix' at a nice phat price.

If I had a huge security hole and I didn't know about it, and someone came in and told me aobut it, I'd be a happy IT person.

Don't forget that in some companies / businesses, it is the person who understands the computers just a little more than the boss that can get put in charge of the entire computer department. If that is the case, then this could become a job opportunity if handled correctly.

Keep us posted please if you do approach them.

~Halv

i was out again today and i was looking at the data strings i had dumped goin across my screen and saw several Hospital (i was parked near a hostpital) and saw the records including the injury, room, phone number, name, and other stuff it was scrollin fast didnt get a good look. i'll examine the packet in a bit to see what it was all about. but the hospital is using cisco AP's and cisco equipment and IOS software, and they supposedly have wep enabled too so im not sure how that came out unencrypted in plain text, also they have some hardware called cisco1900, not sure what it is havent looked on their site. should i let them know too that they are broadcasting patient info out in the open. im startin to wonder if i could make a lil non profit competely legal service that goes around helping the public secure and give out notices about wireless security and such, i dont know the more i found out there the more i think about it. should i let the hospital know? especially with all that cisco equipment you think that that info wouldnt get out.

They have a legal requirement under HIPAA to fix this.

If you like you can drop me a PM with the name and location, (preferably a web site), for the hospital and I will act as a "go-between" for you.

It will be clear that I'm not wardriving them but that someone else who shall remain anonymous is concerned about their lack of security in breach of the law..... if you like I'll do the same for the bank....

Actually, thinking about this.... I'm going to start a thread called "Anonymous Wireless Reporting". If anyone is interested I just respond to it.

im more afraid of lettin the hospital know rather than the bank, im pretty convinced im goin to tell the bank. The hospital has all that cisco equipment so you know they are serious, but i still stumbeled upon patient information so they are going to be curious as to how/why it happend and what i was doin, i mean if i were them and i had all that equipment and someone got leaked patient information i would be wondering how they got it too, but its the truth so there has to be a legit reason. i might start a local service here goin around tellin people about their Open AP's, i get alot of stray Arp packets broadcasting IP's which makes it all the easier to connect, people these days.

My town is the same way. Every since wireless came into play this little town of less than 10,000 people has over 120 open networks. Many of them on commercial property.

The down side is that telling a company they are open or insecure can often bring on more problems than not telling them...for you at least. I tried explaining to two banks that their wireless network was un-safe. Since I wasn't the lazy IT guy they didnt believe me. A few months later over 300 credit cards where comprimised. The culprit..their wireless network.

I do not see where a wireless network is an asset to any business. It can not be secured, WPA and WEP can be cracked. And with the traffic most banks/companies push, it could be done in no time.

I tried to even tell the ISP how un-safe it was, All I got was a bunch of double talk about how it is secure. B.S.

I say tell the bank, and if they don't want to listen, its time to get the word out some how about how un-secure wireless is, and that some banks in your town are using it. Don't mention names, the people will do the rest.

There are secure wireless networks. They are not however WiFi, they are expensive and propietary. WPA has been cracked?

//EDIT it appears some claim to have "proof of concept" to cracking WPA but only on weak passwords and non-radius based authentication?

Road:

You can also run IPSEC under WPA or WEP so even if they do crack the encryption they simply run into a second level that isn't as easy.... And it's free.... I dunno what the problem is.... ;)

I recently enabled a WAP at work too..... MAC filtered, WPA encrypted, the whole 9 yards.... What's even better is that when you work your way all the way through the security and figure "I'm in!!!" you slowly find out that you spent all that time getting onto a WAP that is outside, (not DMZ, Outside), the firewall..... :D. You need to authenticate and create a VPN tunnel to get inside.... bummer.... You could have got there from your home box in the warmth and comfort of your living room..... ROFLMAO

That is true. I have been playing alot with OpenSSH the last 2 days. For windows that is.

WPA is still safe depending on setup. Some random gooooooogles.


http://www.techworld.com/mobility/ne...fm?NewsID=2577

http://wifinetnews.com/archives/004428.html

http://blogs.zdnet.com/Ou/index.php?p=9

Chances are if a bank is failing to use WPA or Radius/MAC filtering. Then the passwords they pick won't be that great.

You can also spoof a mac address in any OS. Some systems work better than others, Brillan has MAC checking and spoof checking.

No matter how secure a wireless network is today, it'll be cracked tomarrow.
I would'nt be suprised if the next kismet/airsnort/wepcrack can crack WPA in a few hours.

The bank is probably using cheap linksys/agere wireless equipment. So I'd probalby try getting them to replace it when you tell them about the ensecurity.

You could always report this to your local news media. The tv stations where I live just love stories like this. Plus it would educate a lot more people than just the bank or the hospital about how insecure the technologies are.

The people where I work are bugging the daylights out of me about wireless. I tell them it'll happen about the fifth of never and point them to wireless hacking sites to read up.

I think you worried to much... :)
ethically, as everyone said before, just tell them.
Mayb u get a reward, or the worst u'll be interrogate.. If u still not sure, go anonymously.

A new whitehat service business, is also a good option though.. hehe

First time poster here, Hello everyone.

Anyways, glad you brang this up, I have a hobby of wardriving, even though I am too young to drive, my uncle usually drivers me around. Hospitals, banks and other businesses are unsecure all over the world. I'm planning to make a video with my cousin explaining how people just buy a access point, plug it in and final (without settting any security settings). We will "wardrive" and find OPEN wireless networks, run up to their front door, ring the bell, and basically tell them how unsafe they are, and if they take me to court/press charges, so be it, judge will most likely see what kind of a situation I'm in. Anyways, I would go and tell them.

Acidloop :
Please note the flashing date at the top of the thread.
it shows that the thread is OLD.

Take care with your posting.

enjoy it here at AO.

Alrighty thanks alot for that.

Quote:

---

Please note the flashing date at the top of the thread.
it shows that the thread is OLD.

---

It's only 14 days old, according to those who have been with the thread posted above. Not a big deal :) Besides, if more information and opinion can be shed on an old topic, why not? The more input the merrier and maybe it will enlighten those who did not see it the first time?

Welcome to AO acid :)

Hehe thanks. This forum is pretty warm-welcoming compared to many other forums I've joined. How do I get a custom Avatar? In options I can't find anywhere where I can browse?

Sorry Pooh :

Just a reaction, but I didn't say it was bad, just advised him to be careful.

As you say, sometimes it is better to re-open an old thread, and continue it, rather than start a new one.

Done it myself :cool:

[edit]
custom avatars come available after 10 posts:

If you want to continue to post questions re:- AO, then please put them into the correct forum, in this case General Chit Chat [GCC] or Questions about AO.

All are accessed via the front page : Active In AntiOnline's Forums :

Ok, I will just wait after 10 posts, thanks. Also, I keep getting emails when someone replies to me on AO, how do I get rid of that?

when you posted your reply, you had the opportunity to subscribe to the thread. Get EMails.
To stop them click on the UN subscribe link at the bottom of the thread.

Quote:

---

If you want to continue to post questions re:- AO, then please put them into the correct forum, in this case General Chit Chat [GCC] or Questions about AO.

---

Welcome to AO :D

Front page
Left Hand side
"Edit Site Options"
Check the little green dot into the "no" hole

Cheers
:)

Thanks for the greets guys, alrighty thanks.

Are we allowed to talk about wardriving in here and other things?

Last time Acidloop :
Delete this post, re-post in GCC............

Thars a varmit loose in the dungeon.

I was in a situation very close to your just this year. I worked for a small medical clearing hose in town and someone found a hole while trying to script into our system. They contacted us and let us know if the hole, he was about as nervous as you are right now.

We invited him into the facility to talk about what he found, he met with us.
We agreed that we would listen to what he had to say, and signed a Non Disclosure Agreement with him.

Bottom line, he found the hole, we did not have him replicate it, but I got enough information from him for me to try and recreate it. I was sucessful and broke in the same way he did. I then located the source of the problem, recreated it, fixed it, and am forever greatfull that he did find it and inform us. Otherwise it still may of been open today.

The person that informed us was a CISSP and I belive that he did the right thing by letting us know, as Ms. Mittens will probably let you knoe, when you do get your CISSP and you have studied to get there, that you are also bound by the CISSP code that pretty much stated taht you are obligated to report such an incident if you know about it...its your duty.

Just my 2 cents.

Hope this help with your choice.

Quote:

---

Last time Acidloop :
Delete this post, re-post in GCC............

---

Sounds like this topic is in full swing again, no need to go around deleting things.

I never knew about this topic until it was brought up again, and it's been a very interesting read. What other experiences have people had in regards to similar wardriving ethical situations?

See, new members can make a differece hehe.

Acidloop,

I am being very serious now, so please read this more than once and THINK about it?

I am forty years older than you............... :eek: ...........In fact I could probably beat you in a Zimmer Frame race :D

OK the serious bit:

What do you think the probability of being convicted in a court is if you and I appeared charged with the same thing?

Errrr..........I am an adult, have a career, qualifications............etc..........? do you see what I am getting at?

My "ethical problem" is that you may get into trouble, and this could impact on the rest of your life?

Please be careful.......

Good call nihil, wasent thinking about that when I posted above.

If you want to make a differance, please be careful.

but it is still good that you got advice first, an I hoped it helped.

As for closing the thread, I think it is good that it was revitalized, no use being harsh about closing a thread if it still has great feedback.

Kruptos:

If you want to make people aware of their security holes I offered in another thread to be a go between for anyone not in the SE Michigan area to pass that information back to the owner of the network _if_ you can positively identify them for me.

I'm not interested on Joe Public's WAP in his front room, I can find a million of those just round here. But if you found a bank, medical facility, law enforcement agency who are passing confidential information in clear.... Don't go cracking their WEP to show me how 1337 you are.... then just give me a PM with the business name, address, phone, date/time of capture, SSID and a sanitized packet capture of what you can see so I can make a case for you. Sanitized means leave in the first name and initial of the last name of a capture of client data, if it's CC information just leave in the last 4 digits of the CC - same with an SSN. If it's medical or law enforcement then leave the diagnosis or other info in but make sure the name is sanitized.

I will be happy to make contact with the owner and pass the information on while keeping you out of the picture. You will need to be contactable by me but _only_ for further verification of data. You can do that through a throwaway account at Yahoo or whatever which puts a further layer between you and me which would considerably up the costs of anyone who choses to be really stupid - but i don't think they will.... They have to go through me first..... and I can be a tad feisty when you rattle my cage.... ;)

Please note: I will not do this for anyone who locates an insecure WAP within 100 miles of my locaton at the time of the capture. eg: If I fly to Ft. Lauderdale on my way to the Keys and you send me a packet dump from Miami on the day I passed through Ft. Lauderdale then it's a "no-go". But I do have one other volunteer who lives a long way away that I could put you on to to do the same thing if he is still willing.

Maybe we could create a network of third parties to maintain a buffer between those who want to do the right thing and those who may turn "nasty" because they are incompetent..... With a network several people could all pass the same information at the same time with only one person knowing the actual email address of the sender.... The more we put up the investigative costs for someone who doesn't appreciate the "intrusion on their happy little world" the less likely they are to pursue and the more likely they are to accept the issue and hopefully fix it...... Anyone interested? It'd be really nice to have an "international" group.... That would screw them right up.... :D