I'm glad I don't use credit cards at best buy
-----Original Message-----
From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 9:40 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: wireless woes in the triangle and beyond!
There Are No More Secrets
Ron DuFresne <c> 2002
A few weeks ago Best Buy was embarrassed throughout the country with the
finding that it was using POS <point of sales> cash registers that worked
with wireless technology to cash various customers out when making
purchases. What was so humiliating for them was the discovery that these
POS systems had been installed and implimented without any sense of
security. There was no encryption enabled with these devices so they
transmitted customer information via the airwaves to anyone that wished to
capture it with the various techniques many people are now employing to
"map" wireless networks and security issues. This customer information
included credit card information. Nasty hackers could indeed use this
information for various fradulent activities. This breach of customer
privacy was deemed serious enough when it became highly visualized via the
vuln-dev mailing list, maintained by Blue Boar, off securityfocus.com.
The flurry of correspondence on this list resulted in the media picking up
the information and running with it also.
http://www.msnbc.com/news/746380.asp
This ended up by prompting Best Buy to make changes to the cashiering
systems as was noted in their response to one of the lists posters that
apparently made direct contact with Best Buy management:
Thank you for contacting Best Buy's corporate headquarters
with your concerns. Regarding this issue, Best Buy has
deactivated our temporary wireless cash registers that
transmit information via LAN connections.
These registers are not Best Buy's main register terminals
and represent a small percentage of the transactions
processed within our stores. Please be assured that
customer privacy is of the utmost importance to Best Buy and
we will further investigate this matter.
We do appreciate your taking the time to share your concerns
with us.
Respectfully,
Alex Reynolds
Contact Center Escalations
Best Buy Enterprise Customer Care
Now, it had been suggested in the vuln-dev mailing list that Best Buy was
a single example, and just the tip of the iceberg, as anyone looking into
the issues of wireless implimentations and issues via their own sniffing
and the various wireless mapping projects accross the US have laid bare.
http://sysinfo.com/wire1.html
The above paper cites some wireless mapping work in the NC Research
Triangle Park area by local resident Alan Clegg, with direct links to his
mapping efforts. Recently Mr. Clegg contacted this author via e-mail
concerning another thread in the firewalls security mailing list hosted by
gnac.net, on another wireless related topic, to let us know that in the
RTP area, he had mapped both Petsmart and CVS Pharmacies using wireless
technolgies without any encryption enabled. Whih starts to expose more of
the proposed iceberg syndrome to light. Granted, WEP, Wired Equivalent
Privacy, is not the best, it can be broken, but, it takes far more effort
then clear text flowing through the airwaves avialable to anyone with a
few hundred dollars worth of equipment to pick it up like one might grab
police calls with a scanner. If wireless is going to be used, it should
at least function in the most secure manner avaailable, anything less
demonstrates not only a lack of understanding, but, in cases like these a
complete failure of corporate institutions to take even minimal care with
the private information of their customers. Petsmart, following along the
heels of the embarassment and humiliation of Best buy in letting credit
card information flow freely into the airwaves is bad enough, but, CVS
Pharmacies, soon to be tasked with HIPPA <Health Insurance Portability
and Accountability Act> compliance early next Spring demonstrates at the
best careless indifference to those they are serving. The Standards for
Privacy of Individually Identifiable Health Information are designed to
help guarantee privacy and confidentiality of patient medical and
insurance information. Those who miss the deadline for compliance face
steep fines and Federal criminal penalties. The glaring exposure of
customer information by companies and health related organizations like
CVS Pharmacies is a glaring deficiency and total disregard of very
sensitive customer information. And yet the iceberg of such negligence
in wireless rollouts is still but a shadow of the issue of private and
finacial information leakage many are suffering already, without much
awareness of the fact.
http://www.symbol.com/news/pressreleases/pr_foodndrug_cvs.html
The various vendors marketing wireless toys are not blameless either. In
fact a large burden of the blame for leakage of information and the
vulnerable systems being pushed into place by companies like Best Buy and
Petsmart, as well as CVS and others relates to how they distribute their
wares. They do so with the most insecure "plug and pray" configurations
possible, most often with documentation about how to try and secure these
toys burried deep in their distribution media. Until vedors take some
sense of responsibility and force their customers to shoot themselves in
the foot, rather then pushing out products that are configured in a manner
whence their customers are shot in the head from the point of
installation, we will continue to have some very exploitable setups by the
less clued network folks these vendors are making their money from.
Additionally see, note the terms 'opt' when they document configuration
issues at the site, as well as targeted customer categories listed, then
wonder where *your* private information might be leaking from:
http://www.symbol.com/products/wireless/wireless_sp24_11mbps.html
...
AP 41X1 Access Point Series
It's known as the intelligent access point. Built beyond defined
standards, the AP 41X1 integrates features only possible from
the wireless engineering experts at Symbol. Advanced algorithms
prioritize data, voice and multimedia transmission for uninterrupted,
quality service. An embedded HTTP server allows administrators to use any
Web browser to monitor performance, change configuration, and run
diagnostics on any AP 41X1 from anywhere on the network. Antenna options
provide maximum range and throughput to support application
requirements with coverage up to 300 ft./90 m indoors and 1500 ft./460 m
outdoors and will support up to 256 clients as well as Simple Network
Management Protocol (SNMP).
...
WEP Encryption for High-Speed Security Wired Equivalent Privacy (WEP)
encryption combined with access control lists and domain identification
features provide powerful user authentication and data encryption and
decryption capabilities for data security. Wireless clients may also
opt to use 128-bit encryption keys and the RC4 algorithm to further
encrypt the wireless portion of data transmission.
...
Retail
Healthcare
Hospitality
Education and Corporate Training
Manufacturing
Government
More Flexible Office and Public Space Environments
Thanks;
To Alan Clegg for the mapping info and heads up to these
sites, as well as their wireless vendors.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
