Unsecured networks open door for hackers, spies

http://www.af.mil/news/story.asp?id=123035765

Unsecured networks open door for hackers, spies

by Airman 1st Class Andrew Dumboski
99th Air Base Wing Public Affairs

1/3/2007 - NELLIS AIR FORCE BASE, Nev. (AFPN) -- With wireless
technology, consumers can easily network their computers within their
household and access the Internet through any of their computers.

Consumers can sit in a lawn chair on their back porch and catch up on
their e-mail and news, even do some online banking. But with this
newfound convenience lies a new danger.

"Any information that travels over a wireless network can be accessed
by anyone on that network," said Steve Carlson, 99th Communications
Squadron wireless security manager. "Even if you're accessing a secure
Web site, your information is only secure between the Internet and your
wireless router. Everything traveling between that wireless router and
your laptop is visible."

A quick drive through base housing, with a laptop searching for
wireless networks revealed many unsecure networks.

Part of Mr. Carlson's job is to test wireless networks on base to
ensure none of the residential networks are infringing on any of the
government ones. He estimates more than half of the networks he has
found are not secure.

"Having a wireless network without any form of security is equivalent
to allowing a complete stranger to look over your shoulder while you
work on your computer," said Special Agent Randy Bond, of the Air Force
Office of Special Investigations. "Someone could drive by your house,
monitor your wireless signals, and collect all kinds of information
about you."

This could lead to identity theft or worse. Depending on how the
computer is configured, a hacker with a moderate amount of knowledge
could log on to someone's network and have complete access to the
victim's files. The hacker could install keystroke loggers and viruses
with just a few clicks of a mouse.

"As military members, we have access to sensitive information; other
people are aware of that. (Operational security) isn't just for use on
the job; we must make it a practice in our personal lives too," Agent
Bond said.

"People who use their personal computers to access their Web-based
government e-mail are a perfect example," he said. "If you're accessing
that e-mail through an unsecure wireless connection, anyone could
connect to that network, and, with the right software, monitor every
one of your keystrokes. They could have your logon (information) and
even password information and you would never know it."

Adding to that danger, people who live near the outer wall of the base
risk their network being accessed by someone off base.

>From the visitor's center parking lot, use of a standard laptop
recently found three wireless networks visible, two of which were
unsecure. The secure network was from a business on the other side of
Las Vegas Boulevard. Both of the unsecure networks were broadcasting
from Nellis AFB.

"From time to time, I turn on my laptop and test to see how many
unsecure networks are visible while I'm on my way to work," Mr. Carlson
said. "Between Nellis' main gate and the intersection of Martin Luther
King Boulevard, I've counted about 270 wireless networks. More than
half had no security turned on at all."

Unsecure networks on military installations present a big operational
security risk, Agent Bond said.

However, people driving around with a laptop searching for unsecure
networks are not always trying to steal personal information. Often
they're just looking for access to the Internet, Agent Bond said.

"It's called 'wardriving,'" he said. "Someone drives around looking for
an open network, logs on and surfs the Internet. To your Internet
service provider, they appear to be you."

Victims of wardriving have no idea it's happening. The person can sit
in a car outside, surf the net or hack a computer, and drive away. They
could also steal personal information from the victim, drive to another
open network and use the first victim's identity. Any attempt to trace
the identity theft would lead to the second victim.

Store-bought routers usually come with some form of protection.

"If you don't know how to set up wireless security on your router, the
owner's manual usually explains it well. You can also get information
on the Internet," Agent Bond said.

As technology becomes more accessible and cheaper, unscrupulous people
also advance in their ability to use that technology for their own
agendas.

"It's important for people to take measures to protect themselves from
being victimized," Agent Bond said.

miso@sushi.com wrote:
> ...said Special Agent Randy Bond, of the Air
> Force Office of Special Investigations...

Bond, Randy Bond.


Lumpy
--
Did you do a lot of those Emergency Broadcast Warnings?
Yes. Had it been an actual emergency, I would have had told you.
www.lumpyvoice.net

Lumpy wrote:
> miso@sushi.com wrote:
> > ...said Special Agent Randy Bond, of the Air
> > Force Office of Special Investigations...
>
> Bond, Randy Bond.

Yes, I found the name amusing.

The DOD went on the rampage about 4 years ago regarding wifi on
military bases. I'm assuming they got them off their intranets, but I
don't see how you could get wifi out of the housing unless they sniff
each residence.

Nellis has a very powerful wifi network for their airplane maintenance.
It is encrypted of course. Somewhere on the net is an article
describing how the mechanics request parts via wifi. Stuff like that.

If you park on Las Vegas Blvd to watch planes land, the Nellis wifi can
easily be detected. There is also an encrypted wifi for Las Vegas Metro
that you can detect from the same general area.

I ran netstumbler one time on a trip to Central Nevada via Las Vegas.
[I didn't bother to run the GPS, though in retrospect, I will do this
next time.] You got hits in the expected places (near motels, truck
stops, etc.] What made me pull over and investigate was a hit from a
power line. The ID was for a power company, so I gather they can read
some instrumentation via wifi.

Heading up route 93, the first place you find wifi is in Alamo. Just
residences. Not a hit in Hiko or Rachel. I've been working on getting
the Quick Pick to set up wifi. It may happen, but it is not a priority.

I'm told but haven't verified that some of railroad lines have wifi in
their infrastructure.

>
>
> Lumpy
> --
> Did you do a lot of those Emergency Broadcast Warnings?
> Yes. Had it been an actual emergency, I would have had told you.
> www.lumpyvoice.net

..... snipped for sanity ............


hummmmmm ............. interesting. odd sounding tho , as the
" secure " areas that I'm familiar with are strictly " swept " on a
regular schedule and in between ( randomly ) to boot , plus have
strict sets of rules covering this kind of stuff.

usually a person ( worker or civilian ) has to ask for facility
permission to " transmit " anything in the secure or restricted
access areas ( including base housing ) and register their
transmitter. facilities are particularly alert to wi-fi ( vhf ham
gear, microwave transmitters including motion detectors ,
satellite internet operations etc. ) and even connecting to wi-fi
in town from the areas mentioned above ( using an outside gain
antenna for range ) , because they often access base related
resources or may pose interference issues with base equipment.
even " civilian only " usage ( say a satellite dish internet
connection ) often can translate to " base " information access
or interference of certain types and is subject to approval and close
scrutiny.
this approval process can sometimes take months and is often
disallowed with NO explanation. most of these types of places , these
days, provide their own wi-fi and / or internet connections to
eliminate this type of problem and provide their users with state of
the art internet / intranet resources.

you can bet that if that article was " really " the case , then some
base security people screwed up somewhere , someone on base is going
to be ( or has been ) hammered for breaking the rules, that because
they have made a public mention of it NO current possibilities for
unsecured wi-fi exists. they probably had to hammer some innocent but
" influential " home wi-fi user and made this public ( political )
attempt to explain it and smooth it all over somewhat ! ah aha hahaha
a

facility wardriving isn't what it once was , I can tell you for sure
! in times past, enforcement of these
rules was pretty much laxidasical or nonexistent , but since homeland
defense got into full operation ( and all the other mil / government
/ contractor security resources started having testosterone
competitions with those homeland guys ) ... strong enforcement and
checking / sweeping activities have been the " rule " . it's more
to do with everyone checking on everyone else and " being right " (
and justifying your own existence / budget and looking like you are
doing something ) than anything really to do with security ! <g>

In article <1167891719.482665.4360@11g2000cwr.googlegroups.co m>,
<miso@sushi.com> wrote:
>http://www.af.mil/news/story.asp?id=123035765
>
>Unsecured networks open door for hackers, spies
>
>by Airman 1st Class Andrew Dumboski
>99th Air Base Wing Public Affairs

....


>"Even if you're accessing a secure
>Web site, your information is only secure between the Internet and your
>wireless router. Everything traveling between that wireless router and
>your laptop is visible."

But isn't the encryption performed on the PC via the web browser? How can
encrypted browser data transmitted between the router and the laptop be
considered "visible"?

retsuhcs@xinap.moc (Mike S.) wrote in news:enmdgh$3qr$1@reader2.panix.com:

>
> In article <1167891719.482665.4360@11g2000cwr.googlegroups.co m>,
> <miso@sushi.com> wrote:
>>http://www.af.mil/news/story.asp?id=123035765
>>
>>Unsecured networks open door for hackers, spies
>>
>>by Airman 1st Class Andrew Dumboski
>>99th Air Base Wing Public Affairs
>
> ...
>
>
>>"Even if you're accessing a secure
>>Web site, your information is only secure between the Internet and your
>>wireless router. Everything traveling between that wireless router and
>>your laptop is visible."
>
> But isn't the encryption performed on the PC via the web browser? How can
> encrypted browser data transmitted between the router and the laptop be
> considered "visible"?
>
>

Yes, the encryption/decryption is done at the browser, so that point in the
article is incorrect.

"Lumpy" <lumpy@digitalcartography.com> wrote in news:5043deF1dk704U1
@mid.individual.net:

> miso@sushi.com wrote:
>> ...said Special Agent Randy Bond, of the Air
>> Force Office of Special Investigations...
>
> Bond, Randy Bond.
>

In British English - Randy is : Sexually aroused; full of sexual lust.