Wireless security across London remains flaky despite the well-known risks, according to an infosec bod who has been riding his bike all around town identifying insecure wireless networks and highlighting shoddy user behaviours that could be exploited by rogue hackers. James Lyne, global head of security research at Sophos, …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Page:

Monday 5th May 2014 14:57 GMT Arachnoid

only allows specified MACs to connect

MAC Blocking is not a security method to rely on.

As for the original story Id be more impressed by the report if they had actually tried to access some of the insecure systems and proved the point rather than relying on supposition.

6 0
1. Monday 5th May 2014 19:41 GMT Ole Juul
  
  Re: only allows specified MACs to connect
  
  As for the original story Id be more impressed by the report if they had actually tried to access some of the insecure systems and proved the point rather than relying on supposition.
  
  That's what I thought too. I'm not entirely sure that there is much to be learned for the information provided.
  
  As for MAC blocking that is not secure, as you say, however it does mean that only "hackers" will get in. Nevertheless, if one only allows one connection at a time then the worst that someone could do is read the stream which is generally of no consequence.
  
  0 0
2. Tuesday 6th May 2014 16:15 GMT atlatl265
  
  Re: only allows specified MACs to connect
  
  As regards 'MAC spoofing", I use WPA2, block my SSID transmission and specify only the MAC's on my network. Seems pretty secure when used in this combination. BTW, my "smart TV has WPA2, but now that I think about it, I am Not so sure about my BluRay DVD player. The industry seems to be pushing to make the BluRay DVD player, the Internet connection for your Home Entertainment center.
  
  atlatl
  
  0 0
  1. Tuesday 6th May 2014 19:54 GMT Alan Brown
    
    Re: only allows specified MACs to connect
    
    Blocked SSIDs still leak and MACs are easily tweaked.
    
    At least some of the kit I've used happily shows the SSID of "cloaked" APs.
    
    WPA2 is only secure when used in conjunction with a decent password, as otherwise a snoop session can deduce the password over a few hours without issuing any packets (or it can bother the AP for more data, faster)
    
    0 0
Monday 5th May 2014 16:30 GMT Don Jefe

Labor Intensive

It seems like working out a deal with cab companies in the target cities would be a lot easier and deliver a considerably more robust data set that evolves over time. You could also develop targeted awareness campaigns for dense trouble spots. You could probably even talk banks into paying for the exercise.

There's an apartment building in Alexandria, VA where an interested tenant put a flyer on everyone's door with basic info about open networks and put his email address and phone number there with an offer to help secure their networks for free. A month later there are zero open networks in the building. People didn't even get too mad about the flyers he wasn't supposed to be posting.

What I'm getting at, is that traditional awareness techniques have obviously penetrated as far as they are going to go. People that aren't aware aren't going to be aware unless they are informed in a new way and you need to find those people, and track the effectiveness of the new message delivery vehicle(s). A tech guy doing a tech thing being covered on a tech site has a rather small audience that isn't aware of open network risks.

4 1
Monday 5th May 2014 17:37 GMT Anonymous Coward

Streetview cars

Isn't this exactly what Google got busted for? Double standards....

0 5
1. Monday 5th May 2014 20:00 GMT Jon 37
  
  Re: Streetview cars
  
  Streetview was sniffing and recording actual WiFi traffic, including some things that people might consider private. For example, they recorded fragments of unencrypted HTTP requests and responses.
  
  Sophos only looked for the SSID broadcasts, which are *meant* to be received by any WiFi device in range.
  
  5 0
Monday 5th May 2014 17:38 GMT DavidON

VPN's are safer...but are they safe?

I've been a long-timer user of VPN's on my laptops, primarily to allow me to safely use public networks. So, when I finally got an Android phone, this was one of the first things that I set up on it.

However, despite constantly seeing VPN's quoted as the cure-all for public networks, I have been unable to adequately protect my (unrooted) phone, as I can't find a VPN/app which blocks traffic before it's connected. I've spoken to a number of leading VPN providers and they have all, eventually, admitted this as a problem - the "best" response I got was the company who said they were working on a solution.

Does anyone who, unlike me, knows something about Android, know of a solution to this?

Thanks,

David.

0 0
1. Monday 5th May 2014 23:59 GMT Don Jefe
  
  Re: VPN's are safer...but are they safe?
  
  There are always going to be tradeoffs with any type of security. It doesn't matter if it's data, gold bullion or hostages. Usability and security are two sides of the same coin. Once something is absolutely secure it becomes a Schrodinger's Cat sort of thing. Is the thing you're protecting really still in there? The only way to know for sure is to look, but then your thing is no longer secure.
  
  But you've got the traditional valuation problem. If the thing you're tying to protect is so valuable that making it inaccessible, thus truly secure, is the thing really that valuable? Only you can decide that. Museums have been tossing that problem around for a good century or so now. They go back and forth on the issue every few years. Most organizations and individuals with the means eventually say fuck it, and just insure the hell out of whatever it is. You still practice the security fundamentals, but the value of something is reduced by the value of time and resources you put into protecting it,
  
  But to answer your question, there's no pre-connect blocking VPN for Android. My wife uses Android and she hasn't been able to find an OTS solution either. She just doesn't do anything involving potentially dangerous personal info with those devices.
  
  0 0
2. Thursday 8th May 2014 02:35 GMT Aslan
  
  Re: VPN's are safer...but are they safe?
  
  The solution is just get root already you really should have posted your phone model here so you could be helped with that, and then install Cyanogenmod. If you're a nervous Nelly about getting root access through some security hole your phone manufacturer has allowed to persist for the last year (on Windows these are the updates that get a critical label), the buy a Nexus 5 phone which allows you to easily and officially take root privileges. https://www.google.com/nexus/ or if you're really serious there's always https://www.blackphone.ch/
  
  Basically any VPN that blocks traffic before there is a VPN connection is going to be hacking your phone as bad as anything that give you root privileges unless something changes in a future version of Android.
  
  0 0
Tuesday 6th May 2014 07:35 GMT Anonymous Coward

Ah yes, here we have

The revelation that everyone and his dog who get a router delivered from an ISP is a tech guru that could not be bothered to recode in Unix or Perl their entire router firmware to the utmost security level.

On the bus to work each day, my phones tell me "wifi access found, connect?"

most people will say "yes, don't ask again" same as they store passwords in browsers.

the masses are not even aware they have wifi let alone unsecured else all the war drivers, wifi hackers, spammers n scammers would be out of business

In other news water discovered to be wet!!!

0 1
Tuesday 6th May 2014 12:50 GMT Anonymous Coward

Surprisingly

I live in one of the less salubrious bits of east London, but to my surprise, every one of the wifi points I can see in the area (30+ from my house, about 100 between here and the station) are now WPA2, with the exception of the odd BT public wifi, and a few BT-FON connections (I assume those also work with a landing page). There's not a single WEP or WPA to be seen.

The area has a fairly transient population, and so I'd assume a high rate of turnover with ISPs, and I'm wondering if the reason is that ISPs have now largely 'got it', and are sending out new routers pre-configured to WPA2. BT in particular got badly bitten on wifi security a couple of years ago, so maybe they actually learned the right lesson for a change.

1 0
Tuesday 6th May 2014 15:32 GMT bod43

"29.5 per cent were using either the insecure Wired Equivalent Privacy (WEP) algorithm, or no security encryption at all ... A further 52 per cent of networks were using Wi-Fi Protected Access (WPA)"

I find that very hard to believe. In the places that I go there are no WEP WiFis at all. Everything is WPA2, or is deliberately open. FON, BTOpenview etc. I have occasionally made a point of noticing.

For years all new home routers have been set up for WPA2. Many people seem to change their ISP quite regularly and have new routers.

0 0
Thursday 8th May 2014 02:23 GMT Aslan

Free Wifi for all

My connection is unencrypted and open to all it's rare I have to block a MAC address for using to much bandwidth. Internet should be free to anyone who wants it.

0 0