Wireless insecurity at NANOG meetings

Richard A Steenbergen ras at e-gerbil.net
Sat Sep 21 22:21:23 UTC 2002


On Sat, Sep 21, 2002 at 05:46:27PM -0400, Sean Donelan wrote:
> 
> I'm waiting for one of the professional security consulting firms to issue
> their weekly press release screaming "Network Operator Meeting Fails
> Security Test."
> 
> The wireless networks at NANOG meetings never follow what the security
> professionals say are mandatory, essential security practices. The NANOG
> wireless network doesn't use any authentication, enables broadcast SSID,
> has a trivial to guess SSID, doesn't use WEP, doesn't have any perimeter
> firewalls, etc, etc, etc. At the last NANOG meeting IIRC over 400
> stations were active on the network.

What do you mean "trivial to guess", it's started at www.nanog.org. :)

I'm not aware of any wireless networks set up at conventions with the
purpose of sharing confidential data and keeping people out. It is there
as a "public service", for everyone to use. I'm certain that the company
providing the bandwidth doesn't put it inside their corporate firewalls.

Would WEP solve anything other than keeping the casual person on the
street who doesn't know what NANOG is from getting free bandwidth for a
couple days? I don't think so.

> Are network operators really that clueless about security, or perhaps we
> need to step back and re-think.  What are we really trying to protect?

If I sit down at a crowded presentation with a Windows laptop, I'm sure to
get an infrared connection to at least 3 people within 10 minutes. If I
set my wireless to ad-hoc mode, I can find at least 10 people in any given
room with open shares. And if you ever fire up a sniffer, you'll get a
good laugh. Hundreds of plaintext passwords, plaintext mails, people
irc'ing, hell there are even warez transfers. There are also people
ssh'ing to personal and corporate machines from the terminal room where
the root password is given out or easily available.

Clearly *SOME* NANOG participants aren't terribly security conscious. But
are these the experienced network operators, or just the people who show
up because someone at their company thinks it's a network training camp?
That's what the password board is for I guess.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)