Larry Osterman's WebLog

Confessions of an Old Fogey
Blog - Title

Insecurity in our daily lives

Insecurity in our daily lives

  • Comments 13

Last week (or so), Joe Wilcox of MicrosoftMonitor posted this article describing the Joe’s experiences in a hotel. 

He is SO on.  A couple of weeks ago, I spent the afternoon at an espresso stand on Queen Anne Hill which advertised free WIFI access (I’m not going to mention their name for reasons which will become obvious).

They DID have free WIFI.  Unprotected WIFI (not the end of the world, my laptop’s locked down reasonably tightly).  But just for grins, I connected my browser to http://192.168.0.1.

And there was the admin interface to their WAP in all its glory.  Yup, they hadn’t bothered to set an admin password on the WAP.  I had an easy dump of the IP addresses of all 6 machines connected to the network.  And the names of the computers too, if I was so inclined.

I was astonished that they were so lax in their security.  I mentioned it to the barista and her only response was effectively “Huh?”

We can’t expect our systems to remain secure unless everyone who offers access to the net takes at least the simple steps to secure the network.

 

  • I recently found out that a friend, who has a grad degree in CS, works as a dev (not in Microsoft, but elsewhere) has a WiFi router at home that is unsecure.

    Why ? Becuase my friend thinks that it is too much work to figure it out, set a WEP key and configure the laptop!

    I too tried to access http://192.168.0.1 on that network, and it was wide open!

    Naive coffee shop owners are understandable - they are ignorant. But coming from someone who makes a living out of coding for Windows... All I can say is - 'My story tops yours!'
  • Yup, you got me :)
  • It depends on the risk. I'm a paranoid schtizo where electronic funds transfer software is concerned, somewhat dedicated for data that people may like to steal (customer lists), minimally compentent for annual holuday rosters, and don't give a stuff for my own computer (want to steal my data - send me an email and I'll turn on telnet for you - there isn't anything interesting).

    But I'm most concerned about inside jobs.

    One needs to ask "what is the worse that can happen?" If, in a coffee shop, it is reinstall windows or reset cnfiguration on a router, then the effort of security may outweigh the effort of recovery.

    If Larry is concerned for the other users rather than the coffee shop then those users are compromised whereever they go anyway.

    I'm not saying I would leave it open but I might based on my risk assesment (I probably wouldn't).

    I do leave telmet open at home from time to time (access without a password) and take the position that noone is probably trying to telnet in at any particular time, and if they do - so what? All they can do is delete files and they can be restored in 5 minutes. Chkdsk is far more likely to do that anyway (I toy with the idea of deleting autochk.exe). And I'm smarter than any virus yet written.

    And virus checking is so easy on XP - I open msinfo32 - Loaded Modules, sort on company name, and it shows what shouldn't be there. Of course if any virus writer becomes smart enopugh to write Microsoft (R) in the VerInfo block it will become harder, but virus writers won't do that for some reason.

    I been infected twice (both in the last year) because it was more important to drop the firewall (had to get music for a funeral and didn't have time or inclination to stuff about with configuring the firewall) and cleaning, with taskkill, del, and a quick look at symantec's site to make sure I got it all.

    Any software I've pirated, and it's all in the long ago past (15 years), I did by asking MS employees to steal it for me (MS Sound System software which wasn't sold standalone else I would have bought it). Internal security is far more important.
  • Vatsan: WEP? That is not much secure, either. (Wired Equivalent Privacy isn't.)
  • This is troubling. Although it would be trivial to require a password be set before the unit is operational, its probabably 'bad for business'. Most home-users buying gear want to plug the thing in and go. The reality is that people aren't going to read the manuals. This is going to result in a lot of support phone calls to Netgear or Dlink or whoever, with folks wondering why their wifi doesn't work. From the manufacturers perspective, the simple solution is to ship with the router wide open.
  • >>Vatsan: WEP? That is not much secure,
    >>either. (Wired Equivalent Privacy isn't.)

    He he... For someone who wouldn't *set* a password, firmware-upgrading to support WPA is a tad bit of a tall order - dont you think ? :)

  • Vatsan: You are of course right, but what do you know, maybe the AP does not support anything better and the admin decided that "false sense of security" given by WAP is not worth it, so he'll stay with visible insecurity... :-)

    money: another possibility, which is almost 0.01% better, and is used by some manufacturers, is to set the password to some predefined value, written in manual. Not that it would be any difference for "hackers", just that Larry would have to look up the manufacturer and their default password before writing such an article. .-)
  • What I'd like to see is a serial number sticker that looks very similar to microsoft's, with a randomly generated administration password and default WEP key on it, and a router reset will reset to those defaults. Which solves much insecurity out-of-the-box, makes no difference if you lose or refuse to read the manual (as long as the sticker's pointed out), and will make the process less mysterious for the average user. It's better than nothing; we're now buying the security equivalent of windows 95.

    It worked for desktops for a long time before OEMs started preloading keys. Couldn't hurt, but it'd require a change of philosophy on the part of router manufacturers. ("Let 'em get hacked if they can't bother to secure it.")

    On a personal note, setting up WEP was a huge pain even for me, a technical person, because of bad assumptions (the laptop came with 802.11g, WPA is usable in XP SP1) and a buggy router firmware that caused it to switch modes and drop connections with uPnP enabled. I'm sure most of the negative reviews I find on amazon and the like for APs are situations like that, I was about to take it back before I found an explanation and workaround after much googling and frustration.
  • It isn't as easy as you might think. If they had set up a WEP key then they would have had to have been able to advise all the customers how to configure the same key on their laptops. It's fairly easy with XP, especially with SP2 but before that every card came with a different driver property page/control panel applet/system tray utility for setting up the connection.

    If a sign say "Free WiFi" people will expect to just be able to use it, not wait around for someone to tell them the password.

    Admittedly it would have been a good idea for them to have set a password on the management interface of the access point.

    It's not even that easy when you do want to set it up. I had a belkin access point and I could never seem to get it to connect when a WEP password was set. The access point needed a 14 character code and windows could take an unlimited character passphrase or something like that.

    I have since upgraded to a Netgear wireless router that supports WPA-PSK but then found that one of my wireless cards, a DLink DWL650 is now unsupported and does not work with WPA.

    I'm not that worried, I live out in the country and I don't think anyone else near me has wireless networking at all.

    I like the idea of the SP2 wireless config thing that stores your settings on a USB key, but I don't think there are that many routers with USB ports on them.
  • 8/9/2004 8:47 PM David Candy

    > I do leave telmet open at home from time to
    > time (access without a password) and take
    > the position that noone is probably trying
    > to telnet in at any particular time, and if
    > they do - so what? All they can do is delete
    > files and they can be restored in 5 minutes.

    With incoming attacks running about 1 per minute now, how many minutes until you're cooperating with a visitor and sending out spams? The worst that you do to your own files is not the worst that you do to the community.
  • PingBack from http://workfromhomecareer.info/story.php?id=8282

  • PingBack from http://thebasketballhoop.info/story.php?id=2980

  • PingBack from http://debtsolutionsnow.info/story.php?id=8645

Page 1 of 1 (13 items)