Here's something I found on another group that I'd like to share.
Wardriving the nation's capital
Source: Security Management
Publication date: 2003-09-01
Arrival time: 2003-10-01
Have you ever come home to discover that you left the door unlocked? A
heart-stopping moment, indeed. Usually, however, you'll open the door to find
everything untouched because burglars had no way of knowing that the house was an
easy target that day. Fortunately, no one rides the roads in search of those
unlocked doors to publish their locations on the Web for anyone who might want to
take advantage of the vulnerability.
But in the wireless world, it's a different story. Unsecured wireless connections
are sought out and listed on the Internet. The companies that gather this
information are doing nothing illegal, and some may argue that they provide a
service by raising awareness and forcing companies to confront their wireless
security shortfalls. Others may see them as abetting hackers.
Whether the practice is good or bad, security directors should be aware of it. To
that end, "Tech Talk" took a firsthand look during a recent IT security conference
at how the information is gathered by going along on a "wardriving" mission in a
black Hummer H2 with Todd M. Waskelis, director of security services for Guardent,
a Boston- based managed security services provider.
The ride begins at 9 a.m. As we go along, Waskelis is balancing a notebook
computer loaded with a wireless access card and running a free software program
called NetStumbler. Waskelis is holding a square, booksized antenna out of the
Hummer's window.
As the behemoth prowls through the District's tony neighborhoods, NetStumbler
scans the radio frequency for wireless access points- the devices that allow
wireless users to connect to a wired local area network. The notebook pings
relentlessly as access points are identified: In the first minute of the drive,
more than 30 have already been logged.
NetStumbler reveals a host of information about each access point, including the
SSID number (the name of the device that the access point broadcasts so that
clients can link to it) and the manufacturer of the access point device. The
program also reveals whether the devices are using WEP (wired equivalency
protocol, a basic and relatively weak type of encryption scheme).
Waskelis points out that the many points being logged using Linksys routers (the
inexpensive choice for most home networks) are likely for individuals, not
businesses; these are the ones that have SSIDs such as "martin" or "smokeyjoes,"
or in most cases simply "default." He also notes that they are not necessarily
vulnerable to hijacking just because their SSIDs are discoverable. They could be
using some third-party software to provide authentication that is not made clear
to NetStumbler.
Also running on the laptop is a GPS program that logs longitude and latitude for
each access point. Should we find an interesting location-a big company, perhaps,
or an open access point emanating from within an embassy-it would be easy to
pinpoint the site for further investigation and exploitation.
Only 23 minutes after the wardrive began, more than 120 access points have been
located. At a red light on Connecticut Avenue and 18th Street, the pings continue
unabated as Waskelis shifts the antenna across building fronts. Some are meant to
be found, like the one coming from Starbucks, which opens a wireless access point
for its customers. But most others have simply been set up incorrectly, or
worse-some may have been installed surreptitiously on corporate networks by users
who want to be able to access the company network from the lounge or conference
room, he says.
How dangerous is all this for a company? There is a significant risk, Waskelis
says. An executive working at home may be connecting to her company through a
virtual private network (VPN), a protected tunnel that ostensibly prevents
eavesdroppers from accessing sensitive corporate networks. But if the VPN is not
set up properly, and the home user has an open wireless access point, then it
would be easy for an attacker to pass through the VPN into the heart of the
company's business network with the identity of the executive herself-and with all
of her rights and privileges.
By 10 a.m., we are back at the hotel, and NetStumbler has located 194 access
points. Waskelis filters the data and reveals that 114 of those were not protected
by WEP. More than 30 of the access points are Linksys routers. A graph indicates
the strength of each access point, while the GPS provides the precise location for
each.
Once the data has been filtered, Waskelis can upload it to the NetStumbler Web
site (as most wardrivers do) where a database of such maps are kept; interested
parties can query the database to find a free on-ramp to the Internet from dozens
of locations across the country. (The site also provides ads for wardriving kits,
complete with magnetically mountable antenna, for under $100.) Those who find
their SSID published on the NetStumbler site can request that it be removed.
The wardrive made clear the ease with which wireless networks can be located and
exploited and served as a reminder for network administrators and home users alike
to take steps to lock down wireless access points before they are found and
exploited by those seeking free wireless services or worse, malicious access to
the corporate network.
@ SM Online has a link to NetStumbler's maps.
Illustration by Steve McCracken
Just 23 minutes into the wardrive, more than 120 access points have been found.
http://cnniw.yellowbrix.com/pages/cnniw/Story.nsp?story_id=42199867&ID=cnniw&scategory=Telecommunications%3AWireless&
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
