Comments on: Are hackers infesting O'Hare and LAX?

Question: Are hackers infesting O'Hare and LAX?

soulbarn — Thu, 23 Feb 2006 10:35:50 -0800

This happened to me last week at O'Hare - and now, today, in LAX. I opened my laptop in the terminal and checked for wireless networks. I noticed that there was a "computer-to-computer" network called "Free Public Wifi" available. I didn't try to connect, because I know that such networks generally can't provide internet access if there's no other connection available. Does this mean there are folks trying to socially engineer gullible wireless users? What could they gain? Would Windows be more vulnerable than Macs? AND how would a curious samaritan figure out who, amongst the dozen or more folks with open laptops in the vicinity, the culprit is?

By: WinnipegDragon

WinnipegDragon — Thu, 23 Feb 2006 10:45:48 -0800

I'm not sure about LAX in particular, but many airports are providing free wireless for business travellers. I think it should be safe.

Besides, network security is quite high at such locations. If a Hacker randomly opened a WiFi hotspot there, the network admins would know about it, track it down, adn remove it.

Finally, secure your own machine. Limit access to share points using user security. You should be fine if you take care of your own box.

By: WinnipegDragon

WinnipegDragon — Thu, 23 Feb 2006 10:46:52 -0800

Here you go.

It's being provided by the Hilton hotel at LAX.

By: WinnipegDragon

WinnipegDragon — Thu, 23 Feb 2006 10:48:15 -0800

And here. SBC and Avis are providing it at O' Hare.

Google is your friend ;)

By: evariste

evariste — Thu, 23 Feb 2006 10:51:18 -0800

Always ALWAYS always use an SSH tunnel to secure your connection when you surf the net, check email, etc when you are on an insecure, public network. Always. Or some wandering jackass with a packet sniffer will own your life.

Cotse is a great SSH tunnel service provider if you need one, at about $6 a month. If you want to roll your own, get a unixshell server for $7 a month, install a base debian system on it (takes 3 minutes from their control panel), then apt-get install squid for a web proxy. sshd is already installed for everything else. Download Bitvise Tunnelier to set up your tunnels from your laptop to your unixshell server or your Cotse account, and you are in business, using free WiFi securely with no danger of eavesdroppers sniffing your passwords.

By: Good Brain

Good Brain — Thu, 23 Feb 2006 10:51:38 -0800

If it's a computer-to-compter network one possibility is that someone has a 3G wireless card for their laptop and are deliberately making the net access available for free to other travelers.

By: soulbarn

soulbarn — Thu, 23 Feb 2006 10:54:57 -0800

Thanks for the replies. I don't think this is the SBC connection; it specifically identifies itself as an "AD HOC" computer-to-computer connection. And it isn't Hilton, because the Hilton hotel is over a mile from here.

Moreover, I just noticed somebody attempting to connect to it (I'm in the terminal now, using my GPRS connection) and they got a successful connection to the computer - but no web access. I use the public Wifi networks and don't they generally start you at a log-in (and payment) homepage?

I still think this is an invidual attempting, for whatever reason, to get people to connect - after all, why would a commercial provider call their service "Free Public Wifi" and only offer it as an ad hoc connection (that doesn't actually work.)

thanks!

By: mzurer

mzurer — Thu, 23 Feb 2006 11:00:00 -0800

I ran into this at LAX and wondered the same thing. WinnipegDragon, attention to detail is your friend. It is called "Free Public Wifi" but it does not provide free public wifi. It's peer-to-peer, not an access point. I am pretty sure someone is trying to surf the hard drives of people who log onto the network.

By: WinnipegDragon

WinnipegDragon — Thu, 23 Feb 2006 11:00:41 -0800

Hmm... My apologies, if it was computer to computer than what I said was most likely crap :)

The point still stands though, secure your own box and you should be fine. Evariste covered it better than I could.

By: nomisxid

nomisxid — Thu, 23 Feb 2006 11:01:03 -0800

I suspect it's more of a prank-while-bored style issue, than someone with nefarious plans. IF they did offer internet access thru the ad-hoc network, then I'd be suspicious.

By: Mid

Mid — Thu, 23 Feb 2006 11:02:04 -0800

On one of the last few TwiT podcasts, some of the guys said that when they travel they create ad-hoc networks that say "Free WiFi" just for laughs to see if anyone tries to connect.

By: GuyZero

GuyZero — Thu, 23 Feb 2006 11:03:34 -0800

I had figured out many years ago that this would be a great scam... fake login page, take credit card numbers and then just serve up endless 404s after that. It's probably a scam.

By: jaysus chris

jaysus chris — Thu, 23 Feb 2006 11:04:15 -0800

I get a lot of "ghost" computer-to-computer networks on my list of available networks in crowded spaces, mostly in the form of "XYZ Coffee Shops" and "Anywhere Public Library" even when the shops and libraries are miles away. Could this be part of the same phenomena? This happens even when I know the people present to be too nice or too unsophisticated to be setting traps.

By: soulbarn

soulbarn — Thu, 23 Feb 2006 11:05:42 -0800

create a fake network as for laughs?

THAT is definitely setting the bar for humor way, way low! Now I'd like to detect these guys so I can hand them something really funny...like a whoopee cushion or the DVD collector's edition of "Full House."

:)

By: bradhill

bradhill — Thu, 23 Feb 2006 11:09:57 -0800

WinnipegDragon has no idea what he's talking about. It could quite easily be a "rogue" access point. There is no network security at airports, and even if there were, no good way to tell which of dozens of computers in range is acting as an unauthorized access point.

This is besides the fact that you simply cannot trust any public network, wired or wireless, encrypted or not, where you do not trust every computer on the network.

You are always opening yourself to attack when you use a public access point, no matter how well managed.

If you are going to use public access points, your machine should be properly secured against attack (up-to-date, firewalled, anti-virus protection), and you should never trust that anything you do on the network is secure or that sites are who they seem to be. The only thing you can trust are protocols that provide their own security, such as https. If you want to "securely" visit non-https websites or check mail, etc. you always need to use an ssh or VPN tunnel to a trusted proxy.

By: curse

curse — Thu, 23 Feb 2006 11:20:18 -0800

I think Windows XP pre-SP2 and the Zero Config Wireless stuff would automatically create an ad-hoc network if someone manually entered an SSID for an access point that did not exist (or existed at one time, but no longer).

When I was in class, we had a flaky wireless connection, and whenever that would drop, I would start seeing people accidentally creating ad hoc networks when they were trying to figure out why they could no longer see the internet.

By: WinnipegDragon

WinnipegDragon — Thu, 23 Feb 2006 11:24:00 -0800

Thanks for that bradhill. I appreciate the personal attack.

By: WinnipegDragon

WinnipegDragon — Thu, 23 Feb 2006 11:25:00 -0800

Oh by the way, I know someone who does network security for an airport.

By: Freen

Freen — Thu, 23 Feb 2006 11:28:48 -0800

Exactly what bradhill said.

On my mac, I use SSH Tunnel Manager to connect to my home server, before I head out into the wilds of the internet.

It slows down the connection a bit, but when you are on the road, it's not like you want to watch movie trailers.

By: Freen

Freen — Thu, 23 Feb 2006 11:50:06 -0800

Well, the nastiness was unnecessary, but bradill is essentially correct, it's not the internet provider that is the weak point in security, it's the fact that you are sending packets on a network that anyone in range can sniff.

The girl sitting next to you with an iBook could be reading your IM conversation and email.

So, when you are on the road, and on a network with untrusted hosts, tunnel out.

By: cyrusdogstar

cyrusdogstar — Thu, 23 Feb 2006 12:04:58 -0800

WinnipegDragon: I think the reason people are jumping on you is because you jumped into the thread acting somewhat know-it-all, and then misread the question to boot. It tends to get people irritated, so they then rub it in your face when correcting you. It may not be good manners but you half asked for it =/

On topic, I tend to agree with Freen and bradhill re: network security in public areas (essentially, anywhere where sniffing your traffic requires anything less than compromising your home's, or your ISP's, networking hardware*).

As for the specific situation soulbarn mentions, yea, I would wager that it's someone goofing off and hoping to gain peer-level access to random passersby. Considering most people use Windows and most Windows installs are woefully under-secured, this means that if you sit in a crowded terminal for an hour or so you have an excellent chance of getting access to at least a handful of hard disks for a while.

I would guess that the chances of such an individual looking to really cause serious havoc, though, are pretty slim.

* I.e. on a wired network, they plug into your hub and run a sniffer, or somehow obtain access to the ISP side of things and sniff from there; or of course, wireless.

By: paulsc

paulsc — Thu, 23 Feb 2006 12:12:05 -0800

It's a feature, people, not a bug...

Ad hoc wireless networks are handy, for folks doing collaborative stuff, who don't want to lug around a bunch of cables and a switch. And more than once, I've used an adhoc connection to share a wired connection with someone in a small business situation, when there was no wireless access point, otherwise. But don't use them, and don't open any on your machine if they aren't appropriate for your use. It's not like ad hoc networks are some big security threat to the civilized world.

As for the specifics of the name and intentions of the ad hoc connection reported by the OP, I don't know that a whole lot can or can't be read into what he observed. It's possible evil haxor dudes are cruising LAX for personal info from unsuspecting wireless users. It's equally possible that some clueless user of a Centrino equipped laptop has mis-configured some wireless connection, trying to connect some place he/she was staying that advertised "Free Public Wifi" who thought their connection had to be named that to connect...

And if you want to figure out who is the ad hoc source, shoot, then get up, walk around, try the connection from a few places in a 200 foot radius, and do a little triangulating.

By: kindall

kindall — Thu, 23 Feb 2006 12:16:04 -0800

Most likely it's someone who connected to a peer-to-peer network named "free public wifi" at one point. If you have ever connected to a peer-to-peer network, your machine will continue to advertise that network pretty much forever if you don't specifically turn off the ad hoc connection capability.

(I used my Windows laptop to share the wired Ethernet at the Marriott in SF at Macworld with my roommate... and had to use ad hoc mode since I couldn't figure out how to get the laptop to pretend to be an access point. If I hadn't turned this off, I would still be advertising "slivernet".)

By: exhilaration

exhilaration — Thu, 23 Feb 2006 13:40:55 -0800

I thought that when you use a SSH tunnel your DNS queries still go out unencrypted? That's why you can't securely surf the web at work through a SSH tunnel, because your employer can still see the DNS requests.

If you're connected to a compromised access point, can't they simply intercept your DNS queries and send you to a spoofed website?

By: evariste

evariste — Thu, 23 Feb 2006 13:45:16 -0800

Hmm...exhilaration, interesting question. I wonder what the best practice there is.

By: I Love Tacos

I Love Tacos — Thu, 23 Feb 2006 14:00:55 -0800

I can't help but think that this could be thoroughly automated, and could be exceptionally profitable. There are certainly people who travel with unreleased profit sheets, M&A plans and such, that could be used to invest very, very wisely.

And I'd bet against the SEC ever figuring out what the connection was, since the only thing tying you to each company would be the fact that one of their high-level employees flew through O'Hare or LAX with slightly unpatched laptop.

By: kindall

kindall — Thu, 23 Feb 2006 14:01:30 -0800

I thought that when you use a SSH tunnel your DNS queries still go out unencrypted?

Depends on the type of proxy you're runinng on the other end. HTTP, no, the DNS is done at the remote end. SOCKS4, the DNS is done locally. SOCKS5, I believe it's optionally done at the remote end.

However, most users don't think to do secure HTTP (https) through ssh tunnels... and in that case DNS will go out in the clear.

By: I Love Tacos

I Love Tacos — Thu, 23 Feb 2006 14:01:51 -0800

(I saw this as well, and was also confused.)

By: I Love Tacos

I Love Tacos — Thu, 23 Feb 2006 14:04:59 -0800

For what it's worth, when I got it in O'Hare, I was sitting at a table in the food court in the center of terminal 3.

By: majick

majick — Thu, 23 Feb 2006 15:02:36 -0800

I occasionally fire up a peer access point when I'm in public and hanging my EDGE phone off my laptop for network access. I often use an inviting name like "Free Access" to entice people to take advantage of it. I don't mind sharing, my wireless bandwidth is unmetered.

It turns out that certain platforms, like OSX, make setting this up a more or less one-click operation.

By: Gerard Sorme

Gerard Sorme — Thu, 23 Feb 2006 15:05:53 -0800

I spend $8 a month for HotSpotVPN and never use public wi-fi without it. I lose no speed (that I notice) and it gives me great peace of mind.

By: bradhill

bradhill — Thu, 23 Feb 2006 16:32:42 -0800

I can't help but think that this could be thoroughly automated, and could be exceptionally profitable.

Yes, indeed. And thus for an attacker, well worth paying the ten bucks to get on to the legit network and mount attacks from there. Much more interesting targets than the cheapskates who try the "free wireless" instead of just expensing it.

The AP described in the initial question is almost certainly someone trolling, but an unsophisticated amateur. A smater attacker will wait until you think the network is safe because you just paid $10 to use it.

By: breath

breath — Thu, 23 Feb 2006 16:59:11 -0800

I think it was this Windows 'vulnerability/feature'. Basically the gist of it is that if your windows box is misconfigured in a particular way, it will go about advertising ad-hoc wireless networks that have the same SSID as the previous network it was connected to. So, you probably just saw some poor schlub's laptop, who had previously been getting his free wifi from "Free Public Wifi".

Of course, it still was correct of you to not connect to that network, and it almost always will be correct to not connect to ad-hoc networks you don't know about.

But it probably is a bit much to assume that it was a hacker.

By: drstein

drstein — Thu, 23 Feb 2006 21:32:37 -0800

Just because it says "ad hoc" doesn't mean it's crap. A local coffee shop somehow has their WAP set up in such a fashion that it shows up as an ad-hoc network. So, you never know.

But please, use SSH tunnels or VPN. :-)