Sitting In Starbucks. Or, Is There An Easy Way Around Pay WiFi?

October 15, 2009

I was just sitting there with a large Americano with an extra shot, idling away some time, and with the wireless enabled on the netbook it detected and connected to the coffee shop’s wireless network perfectly. Except that Starbucks use a BTOpenzone pay service, which got me thinking. How do you regulate a pay wireless service which is unencrypted, without installing any software on users’ devices or collecting hostnames or MAC addresses from customers?

Firing up Firefox, I shoved the address for Google in the address bar and pressed Return. Rather than loading Google’s homepage, it instead took me to a BTOpenzone login page which prompted for a username and password. So they must do a DNS hijack which redirects to their proxies, where they check whether a time-limited cookie is amongst your cookies. If not, you get the login page.

So, could using a service like OpenDNS allow you to bypass this and get the service for free? Coffee for thought…

Of course, if they’re sensible, they’ll block outbound DNS requests except those originating from their own DNS servers. Experience dictates, though, that most IT Security teams only ever patch holes in their security arrangements after someone has been exploiting them for some time and they notice it when auditing the log files, and how many of a coffee shop’s punters would even know how to do this, let alone think about it?
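To make the question concrete, here is a small added model (not BT Openzone’s configuration and not code from this post; the addresses, session length and policy are assumptions) of the per-packet decision a captive-portal gateway makes. The practitioner’s point it shows is that a portal of this kind does not rely on a cookie or on DNS alone: it keys paid sessions on the client’s MAC/IP pair at the firewall, rewrites all port-53 traffic to its own resolver, bounces plain HTTP to the login page and drops everything else. Pointing the client at OpenDNS changes nothing, because the query never reaches OpenDNS and, even if it did, a packet to the correct address is still dropped until the session is paid for.

```python
"""Model of the per-packet decision a captive-portal gateway makes for wireless
clients. Constructed, self-contained example: addresses and policy are assumed,
not BT Openzone's real configuration."""
import time
from dataclasses import dataclass

PORTAL_IP = "10.0.0.1"      # assumed: gateway that also serves the login page
RESOLVER_IP = "10.0.0.1"    # assumed: the only resolver unauthenticated clients reach
SESSION_SECONDS = 3600      # assumed: paid session length


@dataclass
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str              # "tcp" or "udp"


class Gateway:
    """Tracks paid sessions by the client's MAC/IP pair, not by a browser cookie:
    the gateway never sees cookies inside HTTPS, and games/VPNs have no cookies."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # src_mac -> (src_ip, expires_at)

    def login(self, mac, ip, credentials_ok):
        """Called by the portal web app after it has checked username/password."""
        if credentials_ok:
            self.sessions[mac] = (ip, self.clock() + SESSION_SECONDS)
        return credentials_ok

    def _authenticated(self, pkt):
        sess = self.sessions.get(pkt.src_mac)
        if sess is None:
            return False
        ip, expires_at = sess
        if ip != pkt.src_ip or self.clock() >= expires_at:
            del self.sessions[pkt.src_mac]   # expired or IP changed: back to the portal
            return False
        return True

    def decide(self, pkt):
        """iptables-style verdict for one packet arriving from the wireless side."""
        if self._authenticated(pkt):
            return "ACCEPT"
        if pkt.dst_port == 53:
            # Every DNS query, whatever resolver it names (OpenDNS included), is
            # rewritten to the gateway's resolver, which answers with PORTAL_IP.
            return f"DNAT->{RESOLVER_IP}:53"
        if pkt.proto == "tcp" and pkt.dst_port == 80:
            return f"DNAT->{PORTAL_IP}:80"   # plain HTTP lands on the login page
        if pkt.dst_ip == PORTAL_IP:
            return "ACCEPT"                  # the login form itself (e.g. over 443)
        return "DROP"   # anything else, even with a correct IP learned elsewhere


def walk_through():
    """Replay one client's traffic before login, after login and after expiry."""
    now = [1_000_000.0]                      # fake clock so the run is deterministic
    gw = Gateway(clock=lambda: now[0])
    client = {"src_mac": "02:00:00:00:00:aa", "src_ip": "10.0.0.50"}  # constructed
    web = "203.0.113.10"                     # some web server (TEST-NET-3 address)
    before = [
        gw.decide(Packet(**client, dst_ip="208.67.222.222", dst_port=53, proto="udp")),  # OpenDNS
        gw.decide(Packet(**client, dst_ip=web, dst_port=80, proto="tcp")),
        gw.decide(Packet(**client, dst_ip=web, dst_port=443, proto="tcp")),
    ]
    gw.login(client["src_mac"], client["src_ip"], credentials_ok=True)
    after = gw.decide(Packet(**client, dst_ip=web, dst_port=443, proto="tcp"))
    now[0] += SESSION_SECONDS + 1
    expired = gw.decide(Packet(**client, dst_ip=web, dst_port=443, proto="tcp"))
    return before, after, expired


if __name__ == "__main__":
    print(walk_through())
```

Run it and the three verdicts before login come back as DNAT, DNAT, DROP; after login the same HTTPS packet is accepted; after the session expires it is dropped again. The weak spot is also visible in the model: the session is bound to a MAC/IP pair that every frame on an unencrypted network carries in the clear, which is why portals of this kind are a billing mechanism rather than a security control.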

For a corporate network, you should never be able to do this, as the default behaviour should be to block all outbound traffic except that which has been explicitly permitted; a good asset management process, with a solid CMDB to track changes, along with thorough audit procedures, allows you to do just that. If someone needs something opened up then they submit a change request with the requisite business case, which then gets approved or denied.

But you can’t do this for public networks, where your users will be doing everything from email to browsing to VPNing into work to playing online games, so you have no idea what needs to be opened up and what doesn’t. Restricting your paying customers to just surfing the web isn’t going to cut much ice, and would just encourage more and more businesses and software developers to continue the rampant misuse of ports 80 and 443 and to expand on the trend of treating the http and https ports as ‘universal ports’.

InfoSec. Or, Why You Don’t Leave Your Car Keys in the Car

October 13, 2009

Wireless connectivity has become ubiquitous as have people using laptops as their main computer.

I would never do either by choice.

It’s a fundamental maxim of security that if more than one person knows a secret then it isn’t a secret. Even if just one person knows it, they could potentially be socially engineered into giving it out.

In the IT world this can have far more serious consequences than a burglar simply breaking into your home. Break into the right system, where proper controls aren’t in place, and you can wreak a special kind of havoc, were that your desire.

As I post this I’m using someone else’s internet connection to do so. I’m also doing my usual of listening to Radio 5Live as background noise, in this instance streamed via the iPlayer over the net connection I have. Yet I’m whoring someone else’s internet connection.

How am I doing that? Easy.

When my netbook came through I had already packed up my home and moved everything into storage, bar anything I didn’t care about. One of those things was my cable modem – upon calling up Virgin Media to cancel my subscription (I was getting a very good deal on a 20Mbps connection) I was told that they didn’t want the modem back, even though it is, in principle, merely leased.

As a result, it is still sitting here with me in the flat and is still wired up. Except there is a problem…

When I packed everything up I also grabbed the Cat5 patch cable which had been connecting my modem to my router. That was done more as part of clearing everything up.

The problem arose when I returned to my flat for the last few days (I get kicked out tomorrow) and realised I didn’t have a workable net connection.

Had I thought about it in advance (though my thoughts were elsewhere), I would have kept the patch cable on my person and simply used the 20Mbit connection I had (I never got around to upgrading it to 50Mbit) and hooked my netbook up that way. Unfortunately I didn’t do that.

It is, though, a netbook. It’s designed to take advantage of the ubiquity of wifi/wireless net connections. And everyone and their dog seems to like not having wires around.

When 802.11 first came into play, most people who didn’t understand the concept of information security would have routers set up as access points with no form of security at all. This led to the phenomena termed, at the time, ‘war-driving’ and ‘war-chalking’, whereby people would drive around with the appropriate kit to identify spots where you could access an unsecured wireless internet connection, and then chalk symbols on nearby walls or pavements to mark them for others.

As broadband internet access advanced and people increasingly used laptops (I might post at some point about why the netbook was an inevitable consequence of how people use computers, though it may be some time), wireless routers and connections began to proliferate.

This, of course, led to those who knew what they were doing taking advantage of the net connections of those who didn’t, and also raised a host of legal issues. How do you find out who has been downloading kiddie porn when it’s been done via an unsecured wireless internet connection? I’m not suggesting this was a common occurrence, or that it even occurred, but it was a situation that existed.

As a result, ISPs started providing their routers pre-configured to at least use the most basic of security (in the form of WEP, which by then was already known to be crackable) so that the service couldn’t be instantly hijacked, and they also provided software discs which needed to be used to configure a Windows-based PC with no user intervention (support for Macs does occur, but Linux seems to be outwith their stream of awareness). This incidentally leads me to believe that all wireless routers from the likes of Sky are configured in the same way, which means the WEP keys they use will work on any other router/modem issued by them… But ISPs these days at least take steps to stop hijacking of a connection.

So, what does this have to do with what I premised this post on?

Simple. I’m whoring someone else’s internet connection using a wireless connection over 802.11b/g to make this post.

When I powered up my netbook in order to do some non net-related work I decided to do a quick check to see what wireless networks it could connect to. And I happened to find a completely unsecured network that I could connect to. So I did.

Operating on the assumption that anyone who has an unsecured router probably hasn’t changed the default passwords to administer the router, I grabbed the IP address of the default gateway for my now-live connection (which is always the router), fired up Firefox and logged into it via HTTP – the various bits of info and error pages told me what router it was (a Buffalo AirStation), and a quick google gave me the default user ID and password.

I was right about this info and able to log into the router.

What I found from reviewing the logs on the router was that whoever’s internet connection I’m whoring for the moment has (at least) a Mac, a PC with a cute hostname and a Nintendo DS. They also have another computer which is hardwired to the router if I recall correctly.

Were I so interested, I could likely have remoted onto any of those computers, as they likely have them configured to auto-login. In other words, anything of value they might have had, I could have grabbed, were I that way inclined.

What can they do to resolve this situation?

There is no such thing as perfect security, and the more people who have access to information, the more likely it is that security is going to be compromised. Wireless communications exacerbate that problem, as you’re broadcasting security-related information to a large number of people. Given the reports from late 2008 of researchers (Beck and Tews) partially breaking WPA’s TKIP in as little as fifteen minutes, on top of WEP being crackable in minutes with freely available tools, this brings things into focus.

The fundamental limitation is the Nintendo DS, which only supports WEP as opposed to WPA/WPA2. That can be partly alleviated by configuring the router to do MAC filtering so that only authorised devices can connect. Plus, the router simply should not be broadcasting its SSID – the only time you turn on broadcast is when you have a new device which you need to connect via the router. Be clear about what those two controls buy, though: every frame carries the source MAC address in the clear, so an authorised address can be read off the air and cloned, and a hidden SSID is named in the clear by every client that probes for it. They keep out the neighbour who merely clicks ‘connect’; they do not keep out anyone with a sniffer. The better shape is WPA2 for the Mac and the PCs, with the DS confined to a separate WEP network if the router can offer one.
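As an added illustration (not code from this post; the frames, addresses and SSID are constructed), the following parses the unencrypted 802.11 header of three made-up frames, a beacon from a router with SSID broadcast switched off, a probe request from a whitelisted client looking for that network, and a WEP-protected data frame, and collects what a passive listener learns from them.

```python
"""Parse the cleartext 802.11 MAC header of a few constructed frames to show what
a passive listener on the same channel sees whatever the encryption, MAC-filter
and SSID-broadcast settings are. Added example; frames and addresses are made up."""
import struct

KIND = {(0, 4): "probe-req", (0, 5): "probe-resp", (0, 8): "beacon", (2, 0): "data"}


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ssid_from_ies(body):
    """Walk the tagged parameters; tag 0 is the SSID. Empty or all-zero = hidden."""
    off = 0
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if tag == 0:
            return value.decode("utf-8", "replace") if value.strip(b"\x00") else None
        off += 2 + length
    return None


def parse_frame(frame):
    """Decode one raw frame (no radiotap header, no FCS) into a dict."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds = fc1 & 0x01, (fc1 >> 1) & 0x01
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    info = {"kind": KIND.get((ftype, subtype), f"type{ftype}/subtype{subtype}"),
            "protected": bool(fc1 & 0x40),   # payload encrypted (WEP/WPA); header is not
            "ssid": None, "privacy": None}
    if ftype == 0:                                  # management: DA, SA, BSSID
        info.update(dst=_mac(a1), src=_mac(a2), bssid=_mac(a3))
    elif ftype == 2 and to_ds and not from_ds:      # data, station -> AP
        info.update(bssid=_mac(a1), src=_mac(a2), dst=_mac(a3))
    elif ftype == 2 and from_ds and not to_ds:      # data, AP -> station
        info.update(dst=_mac(a1), bssid=_mac(a2), src=_mac(a3))
    else:                                           # WDS/4-address frames not modelled
        info.update(dst=_mac(a1), src=_mac(a2), bssid=None)
    body = frame[24:]
    if info["kind"] in ("beacon", "probe-resp"):
        capabilities = struct.unpack_from("<H", body, 10)[0]
        info["privacy"] = bool(capabilities & 0x0010)   # "encryption required" bit
        body = body[12:]            # skip timestamp(8) + interval(2) + capabilities(2)
    if info["kind"] in ("beacon", "probe-resp", "probe-req"):
        info["ssid"] = _ssid_from_ies(body)
    return info


# --- constructed frames ----------------------------------------------------
def _header(fc0, fc1, a1, a2, a3, seq=0):
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + struct.pack("<H", seq << 4)


def _ie(tag, value):
    return bytes([tag, len(value)]) + value


AP = bytes.fromhex("020000000001")       # router BSSID (made up)
STA = bytes.fromhex("020000000002")      # a client that is on the MAC whitelist (made up)
BCAST = b"\xff" * 6
RATES = _ie(1, b"\x82\x84\x8b\x96")      # 1/2/5.5/11 Mbit/s basic rates

# Beacon with SSID broadcast turned off: tag 0 carries a zero-length SSID.
BEACON_HIDDEN = (_header(0x80, 0x00, BCAST, AP, AP) + b"\x00" * 8
                 + struct.pack("<HH", 100, 0x0011) + _ie(0, b"") + RATES)
# The whitelisted client looking for that hidden network names it in the clear.
PROBE_REQ = _header(0x40, 0x00, BCAST, STA, BCAST) + _ie(0, b"HomeNet") + RATES
# A WEP data frame: Protected flag set, but source/BSSID addresses still readable.
WEP_DATA = (_header(0x08, 0x41, AP, STA, bytes.fromhex("020000000003"))
            + b"\x11\x22\x33\x00" + b"\x00" * 20)   # IV + dummy ciphertext


def audit(frames):
    """What the listener walks away with: station MACs to clone past the filter,
    and the hidden SSID once any client probes for it."""
    stations, ssids = set(), set()
    for info in map(parse_frame, frames):
        if info["kind"] != "beacon" and info.get("src"):
            stations.add(info["src"])
        if info["ssid"]:
            ssids.add(info["ssid"])
    return stations, ssids


if __name__ == "__main__":
    for f in (BEACON_HIDDEN, PROBE_REQ, WEP_DATA):
        print(parse_frame(f))
    print(audit([BEACON_HIDDEN, PROBE_REQ, WEP_DATA]))
```

The beacon’s privacy bit and the data frame’s Protected flag both come through the parse, yet the client’s MAC and the name of the ‘hidden’ network come straight out of the cleartext header and tagged parameters, which is the whole of the argument against relying on MAC filtering and SSID hiding. Real captures carry a radiotap header in front of each frame and an FCS at the end; strip both before calling parse_frame.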

None of that is perfect, but at the moment they are leaving the car keys in the car. Were I a malicious individual, I could bar all their devices from connecting to the net.

You wouldn’t leave the door of your house lying open, but people do it far too often with their net connections…