'Evil Twin' WiFi Scare Stories Make A Comeback
from the missing-the-point dept
A few years ago, when stories hyping up the security risks of WiFi were commonplace, articles about "evil twin" access points were a favorite. "Evil twins" were access points given SSIDs that made them appear legitimate, only they were controlled by a malicious actor rather than a real hotspot provider. The FUD was then that these malicious actors could steal anything that went across the access point -- even though most sensitive information is transmitted with encryption, a point the articles never bothered to mention. It looks like the evil twin -- or at least hype about it -- is making a comeback, as the head of a trade group of IT security professionals says such attacks are on the rise. He says it's due to the growth in the use of WiFi, but doesn't offer up any real evidence that the attacks are a problem, just saying that they present a risk for people's passwords that are sent as clear text, skipping over the fact that any service provider worth their salt doesn't send passwords in the clear if they're protecting any sort of sensitive information. Instead of harping on about a largely mythical "problem" with WiFi, wouldn't this guy's energy be better spent drawing service providers' attention to the need to encrypt passwords, thereby cutting out the supposed problem?
Reader Comments
Encryption should help
Any well-designed encryption scheme will authenticate both ends and protect against a man-in-the-middle attack, so I am not sure I buy that part. Maybe with stupid users clicking OK on certificate warnings, but I would hope that they wouldn't do that before divulging very sensitive data.
[ link to this | view in chronology ]
passwords are only part of the story
[ link to this | view in chronology ]
Re: passwords are only part of the story
The technology is not the weak point in the equation, the stupid users who pick the wrong access point are... although the people whose point they are attempting to connect with should be checking for such issues or at the very least have a very specific name that people will be able to distinguish from illegitimate points.
[ link to this | view in chronology ]
Re: passwords are only part of the story
With stories posted like this one, my mom's gonna be wanting wireless now. Like Mike talk her down this time.
[ link to this | view in chronology ]
Protect Yourselves
Data thieves don't hijack people's data.
Data thieves hijack stupid people's data.
Protect yourselves; don't rely on others to do so. Especially since protecting yourself is reeeaally easy if you take the time to do it.
[ link to this | view in chronology ]
neh
I think this is a way for the phone companies to get people worried about using free Wi-Fi. They are some sneaky and immoral bastards (Take Verizon for instance)...
[ link to this | view in chronology ]
Re: neh
[ link to this | view in chronology ]
> just saying that they present a risk for people's
> passwords that are sent as clear text
The FUD he is spewing is laughable, but it's pretty scary that this person
is in the 'security' industry. I wonder if this just goes to show that
anyone can call themselves a 'security professional', after all, there
are no credentials or experience required.
[ link to this | view in chronology ]
select infrastructure only
[ link to this | view in chronology ]
infrastructure
[ link to this | view in chronology ]
free security
[ link to this | view in chronology ]
I know quite a few people who use neighbors' wifi points because they don't have to pay for internet that way. Also, I still see quite a few networks that are security free, and those are subject to arp poisoning attacks which would provide the same access as an "evil-twin" access point.
[ link to this | view in chronology ]
Most folks have a POP3 e-mail account that does not require (or even allow) encryption to login. And most people fail to realize that an identity is generally as secure as that user's e-mail account.
Process to rip off a user via an "Evil Twin" (or by simply monitoring an unencrypted or weakly encrypted wireless network):
1) Harvest POP3 authentication, use a script to analyse a packet dump to correlate user ID, password and account name.
2) Monitor the POP3 account for e-mail from sites of interest (retailers, banks, credit card companies)
3) Visit said site, attempt to login with password used for e-mail account. If that fails, click the "Forgot my Password" link. Chances are good the password will be sent to the compromised e-mail account without asking a "validation" question (and even that could probably be guessed).
I don't have a problem with an occasional scare story. I like it when my mother calls and asks questions now that someone in "the news" told her what I've been telling her for years.
For technical and security-minded people these stories are an overreaction. I don't use the same password on more than one site. I don't use e-mail services that require "in-the-clear" login. And when I'm working on an open AP, I use an SSH tunnel to my home PC as added protection (I'd rather the guy on the other side of Panera with the Kismet screen up not read my Instant Messages).
While you're generally right, most sensitive data is sent encrypted, *some* isn't, and for many users it only takes one unencrypted authentication to give up their "universal password". And that e-mail client that's checking for new messages every 5 minutes creates traffic that is an easy target.
I can't tell you of a single person outside of my line of work that has more than three different passwords, knows that their home wireless AP is "wide open" or is even concerned that someone could be collecting their traffic while they're working at a coffee shop.
[ link to this | view in chronology ]
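An added example, not part of the original comment: a check a user or admin could run against their own mail provider's POP3 greeting and CAPA reply to see whether the login described above would cross the network in the clear. The sample transcripts are constructed, and treating a server that lacks CAPA as offering only USER/PASS is an assumption.

```python
import re

# SASL mechanisms that put the password itself on the wire (base64 is not encryption)
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}

def parse_capa(capa_response):
    """Parse a POP3 CAPA multi-line reply (RFC 2449) into {TAG: [params]}."""
    lines = capa_response.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("+OK"):
        return {}                      # server does not implement CAPA
    caps = {}
    for line in lines[1:]:
        if line == ".":                # multi-line terminator
            break
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps

def assess_pop3_login(greeting, capa_response, tls_active=False):
    """Classify how a password would travel for this server and session."""
    caps = parse_capa(capa_response)
    exposed = sorted(set(caps.get("SASL", [])) & CLEARTEXT_SASL)
    # Assumption: a server without CAPA still accepts plain USER/PASS.
    if "USER" in caps or not caps:
        exposed.insert(0, "USER/PASS")
    # APOP is available when the greeting carries a <timestamp@host> token (RFC 1939)
    apop = re.search(r"<[^<>\s]+@[^<>\s]+>", greeting) is not None
    if tls_active:
        verdict = "encrypted"                  # e.g. POP3S on 995, or after STLS
    elif "STLS" in caps:
        verdict = "upgrade-with-STLS-first"    # client must send STLS before logging in
    elif exposed:
        verdict = "cleartext-password"
    else:
        verdict = "challenge-response-only"    # password hidden, mail still readable
    return {"verdict": verdict, "apop": apop,
            "cleartext_methods": [] if tls_active else exposed}

# Constructed sample transcripts (not captured from any real server)
LEGACY = ("+OK POP3 server ready", "-ERR unknown command")
MODERN = ("+OK ready",
          "+OK Capability list follows\r\nTOP\r\nUSER\r\nSASL PLAIN CRAM-MD5\r\nSTLS\r\nUIDL\r\n.\r\n")
APOP_ONLY = ("+OK ready <1896.697170952@mail.example.test>",
             "+OK\r\nSASL CRAM-MD5\r\nUIDL\r\n.\r\n")

if __name__ == "__main__":
    for name, (greet, capa) in [("legacy", LEGACY), ("modern", MODERN), ("apop", APOP_ONLY)]:
        print(name, assess_pop3_login(greet, capa))
```

A "cleartext-password" verdict means the account should be moved to a TLS-only endpoint or another provider; "upgrade-with-STLS-first" is only safe if the mail client is configured to require the upgrade and to verify the server certificate.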
Is it a problem? Yeah - don't manage your banking from starbucks, but, not that big of an issue. It'd be better to tell people common sense things than to have weird security freakouts, but, security experts always have and will have the need to feel technical.
[ link to this | view in chronology ]
They Ask For Billing Info Via SSL
[ link to this | view in chronology ]