Posts tagged infosec

Counteracting Imposter WiFi Networks

This fault in mobile devices was recently covered in a LinkedIn Pulse article by Niels Kunis. I wanted to do it a little more comprehensively.

Image credit - 2.bp.blogspot.com
Image credit - 2.bp.blogspot.com

The threat

When your phone connects to an open WiFi network, it remembers that network afterward. An automatic connection occurs if it ever detects that network again.

For secured networks this isn't a big deal. Your phone reconnects based on the network name and key being the same.

But for unsecured networks, your phone only checks for the name.

I used to be a serious WiFi hopper at McDonald's - for reasons I'll be more vocal about once a 5-year statute of limitation is up - and their free network was always "attwifi."

Connect to attwifi at one McDonald's, your phone will automatically connect from now on at any McDonald's.

Convenient right? Except, what if I set up a portable malicious hotspot called attwifi? I'm carrying it around in a backpack or whatever. Your phone connects automatically. Now it's not much of a leap to do bad things to your phone.

Image credit - Escanav
Image credit - Escanav

Tools of the trade

Step for a minute into the shoes of someone who wants to take advantage of this, instead of protect against it.

You're going to want a WiFi Pineapple. Then set up an open wireless network with an SSID appropriate for who you want to target.

People who have used McDonald's WiFi before? attwifi.

St. John's studens? sjustudent, sjumobile, or one of their other networks. There are a bunch.

On your Pineapple you'll want to at least employ dsniff, karma and sslstrip. This is a good tutorial focusing on the latter two.

Image credit - WiFiPineapple.com
Image credit - WiFiPineapple.com

If you don't have a Pineapple, similar results could be achieved with through a laptop with mobile hotspot capabilities.

Or, you know, laptop and router. But portability is a big part of running this scheme successfully.

Protecting yourself

For any mobile device, you can turn off your WiFi when not on a network you absolutely trust. Have your phone "forget" open networks after you connect to them.

If you're running Android, the app Open WiFi Cleaner automates this for you. It's rather basic but gets the job done.

There isn't anything like this on iOS because Apple disallows apps from changing wireless settings.

Image credit - Northcloud
Image credit - Northcloud

Conclusion

Your phone is trusting to a fault.

Open wireless networks shouldn't be judged by their SSIDs.

A little paranoia beats having your identity or Bitcoin stolen, opening yourself up to blackmail, etc.

Related viewing

Watch this seven-year-old girl set up a rogue network.


LIFARS can secure your digital world. Email me or check out the newsletter.

It’s Time for an Oracle Bug Bounty Program

oracle-bug-bounty

If you haven’t heard by now, several days ago Oracle Chief Security Officer Mary Ann Davidson used the corporate blog to go on a scriptural tirade. In her now-deleted post, Davidson went on the offensive towards bug bounty programs and any third-party poking into Oracle software.

“Please comply with your license agreement and stop reverse engineering our code, already,” wrote the CSO, who presumably reads all license agreements in their entirety before clicking ‘accept.’

Davidson goes on to make the following points:

  • Customers can’t determine whether something they found is a false positive or not
  • Only vendors can make a patch
  • And how many times does she have to say you’re violating the license agreement

If interested, backups of the post exist. One instance is here on InfoSecNews.

Naturally this yielded a strong response from the cybersecurity community. A response that makes one wonder if the post originated not with Davidson, but the Oracle marketing department.

Imagine it was planned out like this - first the post would go up from Davidson. Then it's taken down, and by now everyone is talking about it. Major press from Business Insider to Fortune to Ars Technica.

Next Oracle issues an apology. Edward Screven, Oracle’s Chief Corporate Architect, has already done so: “We removed the post, as it does not reflect our beliefs or our relationship with customers."

And finally, while Oracle still has the cybersecurity world’s ear, it’s the perfect time to say, “Despite what Davidson posted, Oracle believes in bug bounties. We’re announcing a bug bounty program.” A marketing move right out of the Ryan Holiday playbook.

Other massive firms see the value of bug bounty programs. One look at HackerOne and you’ll see offerings from Yahoo, Twitter, and Adobe. Microsoft recently raised its own reward to $100,000.

Bug bounties give whitehat operators worthwhile research to do during off-time. Plus it’s not hard to imagine they entice would-be blackhat operators too, preventing malicious acts and bad press.

On all sides of the ethical fence, many cybersecurity operators probably view the Davidson post as a challenge. Oracle can choose to utilize that constructively or await possible backlash.

The monetary cost of a bug reward is small compared to a breach. Those cost firms money and the trust of their customers.


LIFARS can secure your digital world. Email me or check out the newsletter.