How Wi-Fi spy drones snooped on financial firm

Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place. The idea of using consumer-oriented drones for hacking has been explored over the past decade at security conferences like Black Hat 2016, in both the US and in Europe. Naomi Wu, a DIY tech enthusiast, demonstrated a …

  1. ChoHag Silver badge

    Sophisticated attack

    This is about as unexpected as drones buzzing Heathrow.

    Oh wait...

  2. Anonymous Coward

    I think we're reaching a point...

    ...where having centralised offices is quickly dying. Please, Captains of Industry, understand that if you have everything in one building (people, kit, processes and so on) you are a much bigger target...just let people work from home, decentralise your confidential information storing platforms and for fuck sake get rid of the massive buildings.

    Also, please don't use Atlassian products kids. You'll always get fucked in the end.

    1. This post has been deleted by its author

    2. Smeagolberg

      Re: I think we're reaching a point...

      One large building might make for a more focused target, but it's not obvious that many scattered targets, with a larger attack surface, a wide range of access devices in use, many personal and not under meaningful central control, and with varying local arrangements for digital and physical access, would be either more secure, or as easy to secure.

      I wonder how many people work in the local Starbucks, etc., without a thought of Wi-Fi security / snooping / infiltration / etc.

      Not that remote working doesn't have many advantages, but it also has weaknesses and security might be one of them.

      1. Roland6 Silver badge

        Re: I think we're reaching a point...

        >I wonder how many people work in the local Starbucks, etc., without a thought of Wi-Fi security / snooping / infiltration / etc.

        Well, if they are using a company laptop to access corporate systems (on-prem and/or cloud), then if the laptop doesn't automatically use end-to-end VPN etc., suggest the IT department needs talking to...

        Obviously VPN products such as NordVPN being sold to Joe Public are also a defence to the coffee shop Wi-Fi attack vector, but how many have set these to automatically carry all traffic once outside of the home network....

        1. hayzoos

          Re: I think we're reaching a point...

          My devices only connect via my VPN. Both my consumer class ISP and cellular data carrier have been caught out snooping and meddling with traffic. I don't have to remember to enable VPN for untrusted networks. I simply don't trust any. I use on average 5 networks a day. VPN has to be well vetted and trustworthy and verified.

          1. stiine Silver badge

            Re: I think we're reaching a point...

            And just how do you vet a vpn provider?

            1. Georgski

              Re: I think we're reaching a point...

              I'll answer you in a minute, but first: This video is sponsored by NordVPN...

            2. Roland6 Silver badge

              Re: I think we're reaching a point...

              Set one up yourself?...

              Back in 2005 that is effectively what I did, however, it was for a mobile telco (and not my own business venture) and formed their secure remote access offer to business.

              In the (Joe Public) personal space things aren't so simple, with people relying more on word-of-mouth and media campaigns, hence why NordVPN are doing so well and why practically all security suites are pushing their VPN offering. A problem is websites blocking traffic from (known) VPN gateways; however, I would expect the majors, especially the security suite vendors, to provide privacy-maintaining ways around such blocks.

              As for the eavesdropping on the traffic going through the gateways, well perhaps a good starting point is to not use any VPN product from a US company...

        2. Smeagolberg

          Re: I think we're reaching a point...

          Upvoted, but this

          >company laptop... laptop doesn't automatically use end-to-end VPN etc. suggest the IT department needs talking to

          is significant and good practice cannot be assumed.

          Neither can it be assumed that all access to corporate systems is via company laptops, or even laptops. Much isn't.

          1. Anonymous Coward

            Re: I think we're reaching a point...

            Most places I have experience with have stupid policies regarding which traffic goes through the VPN. Much better to route all traffic to a cloud VPN and then traffic out from there.

      2. handle handle

        Re: I think we're reaching a point...

        > I wonder how many people work in the local Starbucks, etc., without a thought of Wi-Fi security / snooping / infiltration / etc.

        Shoulder surfing? A quick smartphone pic of screen with customer name, address, dob, acct numbers and balances. Jus' sayin' ...

      3. Tom Paine

        Re: I think we're reaching a point...

        Amen. So glad I'd bailed out of infosec just before the first lockdown. My guess is that the opportunities that various bad actors took advantage of (from mass remote working) have only just started to show up in public.

    3. Allan George Dyer

      Re: I think we're reaching a point...

      @AC - "if you have everything in one building (people, kit, processes and so on) you are a much bigger target...just let people work from home, decentralise your confidential information storing platforms and for fuck sake get rid of the massive buildings"

      Yes, send all your workers home, then the attacker doesn't need to invest in a drone, they can sit in the neighbours' garden and launch an attack from there, and with all those workers, there are so many more neighbours to check out. Surely that is a much bigger target?

      Isn't the lesson "don't rely on eggshell security"? Kudos to the team that noticed the "unusual activity", none for whoever thought the right MAC address was sufficient to allow sensitive network access.

      1. Peter2 Silver badge

        Re: I think we're reaching a point...

        Isn't the lesson "don't rely on eggshell security"?

        If somebody was able to connect via wifi and eavesdrop on internal comms then it would appear that the addition of an eggshell layer to security would be a very considerable improvement.

        From the article:-

        "The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios)," Linares told The Register.

        "This is the reason why this temporary network unfortunately had limited access in order to login (credentials + MAC security). The attackers were using the attack in order to access an internal IT confluence server that contained other credentials for accessing other resources and storing IT procedures."

        So securing the wifi network, or not allowing wifi access to secure resources would appear to be the right way to go.

      2. John Brown (no body) Silver badge

        Re: I think we're reaching a point...

        "Surely that is a much bigger target?"

        Unless you can find a way to access the home addresses of employees of the target company, then WFH might make it harder to target a specific company. But with lots of people working from home, finding a random juicy target becomes a lot easier. Most people seem to use WiFi at home, and even if they do use a wired connection at times, they almost certainly have WiFi access switched on on their ISP provided router with full access to the internal home network. A bit of security by obscurity for anyone with a "not on the ball" IT department.

        1. Anonymous Coward

          Re: I think we're reaching a point...

          Potentially, but the chances of a persistent attack are extremely limited. People working from home don't typically sit at their desk for a straight 8 hour session. Work is interspersed with other activities...picking up the kids, dropping kids off, doing the laundry, going for a walk etc etc...the kind of work / life balance stuff they couldn't do at an office...which is why many are choosing WFH over going to the office.

          A lot of attacks rely on persistence to work.

          Quite a few attacks rely on old fashioned social engineering as well...for example, if you managed to get a reverse shell or some other form of persistence on an employee's PC at the office, if you wanted to do something heavy that might be noticed, you could phone their office and ask if they're at their desk...or just wait until late at night when they won't be there...because typically people would leave their machines running at work.

          At home, however, people have a more chaotic work pattern and tend to switch their laptops off at the end of the day which makes persistence much, much harder. If you bust a WFH laptop, you have to pivot fast to hop into the corporate network and that risks you being spotted because you now have far less control over when you can do things.

    4. RyokuMas

      Re: I think we're reaching a point...

      "...you are a much bigger target... "

      About six weeks into lockdown, I got a priority-one email from our security team insisting that I change the password on my router. Now I had already done this - did it pretty much the day we got it installed - but it makes me wonder how many of my co-workers had not done so - or had even bothered following up on the email, after all, there was no way for the security team to check.

      In one building, your security people have focus: they don't need to worry about however-many independent routers, much less people working from their local coffee shop etc. So they can pour all their resources into protecting this one - admittedly big - target, rather than hundreds of little ones.

      After all, the bad guys only need one suitable mistake to gain access to your firm's data...

  3. Anonymous Coward

    The thing with a centralised location

    is that it's just one to protect. Not a thousand. Same way it's easier to scrub the fumes out of one power station, rather than 10,000 engines.

    1. Anonymous Coward

      Re: The thing with a centralised location

      Well, true, but it sounds like they've made the mistake of trusting connections that originate there. No one is going to do that with a remote login.

    2. Version 1.0 Silver badge

      Re: The thing with a centralised location

      It's worth buying HAK5 items and working to hack your own environment - they will teach you a hell of a lot! I've been using HAK5 equipment for a long time and have never been hacked since I started fixing our problems after discovering them.

      1. David Hicklin Bronze badge

        Re: The thing with a centralised location

        never been hacked since I started fixing our problems after discovering them

        Never knowingly been hacked

  4. iron Silver badge

    Atlassian Confluence

    Why bother with drones when you could have just driven a bus through the security holes in Atlassian products?

    1. Anonymous Coward

      Re: Atlassian Confluence

      Because you need a bus?

      No, wait..

  5. Ian Johnston Silver badge

    So basically it's an insider who had the bright idea of tying their kit to a couple of drones and leaving them/it on the roof to make it look as if an outsider was involved.

    1. J. Cook Silver badge

      Sounds more like they masqueraded someone else's MAC address to get their foot in the door. But an inside job isn't outside the realm of possibility.

  6. Anonymous Coward

    ah, Wifi....

    I worked in a factory in the 1990s and as part of our 802.11b deployment, we received a couple of high-gain antennas. One day I took one of them and my laptop across the interstate from the building (10 lanes, plus two access roads), pulled into a business parking lot which gave me a direct view of our building, pointed the antenna at the upper windows.....and connected to the network.

    1. martinusher Silver badge

      Re: ah, Wifi....

      WiFi's not the problem, it's the authentication setup. We're all used to using pre-shared keys at home but these just don't make it for commercial use. Same with other legacy mechanisms such as authenticating on MAC address. This organization should have been using 802.1x; it's been on all Microsoft servers since the mid 2000s but it seems that only relatively few IT departments use it (based on my personal observation it's because they just don't understand how it works). This will not only authenticate a user through an access point without allowing general access through that AP but also set up an appropriate single use key.

      It may come as a surprise but even WEP -- the original security setup that was about as 'secure' as wet tissue paper -- can be made secure provided you use the longer key and change that key at appropriate intervals. 802.1x and its attendant protocols can do this seamlessly; it's not 100% perfect by modern security standards (the actual key exchange protocol is, IMHO, a potential weak link) but it's tight enough for most purposes.

      One other advantage of this system is that it can seamlessly divert traffic that doesn't authenticate to either a DMZ or a honeypot. The person failing to log in doesn't need to know they failed.

      1. Anonymous Coward

        Re: ah, Wifi....

        I rather like 802.1x certs for wired connections, but I think you have to start with the basic security principle that a WiFi network is effectively a public one and act accordingly - you should at least need a VPN to reach a DMZ. If I treat the WiFi network as public it makes it universal - wherever you are you will always have a VPN protected connection also in a hotel or at the airport (where WiFi is guaranteed to be intercepted so best avoid looking up anything dodgy).

        This article actually makes me glad that I already planned to cable the house I'm about to buy (CAT8 so I don't have to do it again anytime soon). Not because I don't have decent WiFi gear, but exactly because I like things to be a tad more secure. The WiFi gear has VPN capabilities built in, I just have to get it to generate a key and import it on the various devices which are all capable of automatically loading a VPN anyway.

        I do like the honeypot idea, which was essentially an evolution of Fred Cohen's Deception Toolkit. I need to see if I can cook up something like that on a machine - could be fun to watch.

        That said, I have come across hotels that filter out VPN traffic. That usually means they get one warning, and if it isn't addressed I move hotel.

        Now if I could only train this to generate extra fake traffic. Or get it to play GTA, of course.

        1. martinusher Silver badge

          Re: ah, Wifi....

          802.1x was originally designed for switches and should be used by default to manage exactly what goes on the switch. The WiFi variant is similar: the authentication protocol is separate from standard network protocols and is designed to be useless for any other traffic. Once the credential exchange is successfully completed between the wireless station and the authentication server, the server tells the access point and the station what encryption key to use and instructs the AP to open the port (just like it would if it was a wired switch). The assumption is that all wireless traffic is visible to everyone so everything must be encrypted at all times (authentication is protected by signing just like you'd do on a wired network, again the assumption being that any and all of the exchange could be intercepted, read and messed with).
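The port-based behaviour described in this thread (only EAPOL passes until the authentication server says yes, then a fresh per-session key is installed and the port opens) as an added toy model; this is not code from the thread or from any vendor, the class and function names are hypothetical, and an HMAC challenge/response stands in for the real EAP method so it runs offline.

```python
"""Toy model of 802.1X port-based access control on a Wi-Fi access point.
Added illustration, not code from the thread or any vendor; class and
function names are hypothetical and the EAP method is stubbed as an HMAC
challenge/response so it runs offline (real deployments relay EAP-TLS or
PEAP to a RADIUS server)."""
import hashlib
import hmac
import os

EAPOL_ETHERTYPE = 0x888E   # the only traffic an unauthorized port will accept
IP_ETHERTYPE = 0x0800

# Constructed credential store standing in for the RADIUS user database.
USER_DB = {"alice": b"correct horse battery staple"}


class Authenticator:
    """The AP side: one controlled port per station MAC address."""
    def __init__(self, user_db=USER_DB):
        self.user_db = user_db
        self.pending = {}    # mac -> (identity, challenge) while EAP is in flight
        self.sessions = {}   # mac -> per-session key, set only on EAP-Success

    def handle_frame(self, mac, ethertype, payload):
        """Returns None for a dropped frame, otherwise the port's reply."""
        if mac in self.sessions:
            return ("forward", payload)        # controlled port is open
        if ethertype != EAPOL_ETHERTYPE:
            return None                        # a known MAC alone buys nothing
        return self._eap(mac, payload)

    def _eap(self, mac, msg):
        kind, value = msg
        if kind == "identity":
            challenge = os.urandom(16)
            self.pending[mac] = (value, challenge)
            return ("challenge", challenge)
        if kind == "response" and mac in self.pending:
            identity, challenge = self.pending.pop(mac)
            secret = self.user_db.get(identity)
            if secret is not None:
                expected = hmac.new(secret, challenge, hashlib.sha256).digest()
                if hmac.compare_digest(expected, value):
                    # Fresh key bound to this exchange: the "single use key".
                    info = b"session" + challenge + mac.encode()
                    key = hmac.new(secret, info, hashlib.sha256).digest()
                    self.sessions[mac] = key
                    return ("success", key)
        return ("failure", None)


def station_connect(ap, mac, identity, password):
    """Supplicant side; returns the session key, or None on EAP-Failure."""
    _, challenge = ap.handle_frame(mac, EAPOL_ETHERTYPE, ("identity", identity))
    response = hmac.new(password, challenge, hashlib.sha256).digest()
    kind, key = ap.handle_frame(mac, EAPOL_ETHERTYPE, ("response", response))
    return key if kind == "success" else None
```

A frame arriving from a MAC address that has not completed the exchange is dropped whatever address it carries, which is the difference between this and the MAC-only check discussed earlier in the thread.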

      2. Potemkine! Silver badge

        Re: ah, Wifi....

        and change that key at appropriate intervals

        Candid question: how can changing the key at appropriate intervals add to security, unless this interval is shorter than the time required to crack the key?

        == Bring us Dabbsy back? ==

        1. Fred Flintstone Gold badge

          Re: ah, Wifi....

          That is actually the very idea, and I saw this already applied when WiFi was still something shiny and new.

  7. vogon00

    "You bounce a user off the real network and try to get them to connect to your fake network,"

    Sounds like no-one has enabled 802.11w...it's not like it hasn't been around for a while. That said, most AP manufacturers seem to leave the 'default' setting at 'optional', so it's a conscious action to turn it on.

    As for VPN, I'd like to mention WireGuard - again. Ideal for securing stuff over iffy wi-fi.
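What 802.11w buys the client when the setting above is actually negotiated, as an added toy model from the station's point of view (not code from the thread or any vendor; names are hypothetical and HMAC-SHA256 stands in for the AES-CMAC that BIP really uses): an unprotected or replayed deauthentication is silently dropped, while a legacy client that never negotiated PMF accepts it.

```python
"""Toy model of 802.11w management frame protection (PMF) as seen by a
station. Added illustration, not code from the thread or any vendor; names
are hypothetical and HMAC-SHA256 stands in for BIP's AES-CMAC so it runs
offline. Real frames also carry a key id alongside the 6-byte IPN counter."""
import hashlib
import hmac

DEAUTH = 0xC0   # frame-control type/subtype byte of a deauthentication frame


def bip_mic(igtk, frame):
    """MIC over the header fields a forger would set plus the frame body."""
    aad = bytes([frame["subtype"]]) + frame["sa"].encode()
    aad += frame["ipn"].to_bytes(6, "big")
    return hmac.new(igtk, aad + frame["body"], hashlib.sha256).digest()[:16]


def ap_deauth(igtk, bssid, ipn, reason=b"\x03\x00"):
    """A genuine protected deauth from the AP, MIC'd with the group IGTK."""
    frame = {"subtype": DEAUTH, "sa": bssid, "body": reason, "ipn": ipn}
    frame["mic"] = bip_mic(igtk, frame)
    return frame


class Station:
    def __init__(self, bssid, igtk=None):
        self.bssid = bssid
        self.igtk = igtk        # None: PMF was not negotiated (legacy client)
        self.last_ipn = -1      # highest IPN accepted so far (replay window)
        self.associated = True

    def receive_mgmt(self, frame):
        """Returns True if the frame was accepted and acted upon."""
        if frame["sa"] != self.bssid:
            return False
        if self.igtk is None:
            # No PMF: a deauth bearing the AP's address is honoured as-is.
            self.associated = frame["subtype"] != DEAUTH
            return True
        mic = frame.get("mic")
        ipn = frame.get("ipn", -1)
        if mic is None or ipn <= self.last_ipn:
            return False        # unprotected or replayed: silently discarded
        if not hmac.compare_digest(mic, bip_mic(self.igtk, frame)):
            return False        # wrong key or tampered fields
        self.last_ipn = ipn
        self.associated = frame["subtype"] != DEAUTH
        return True
```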

  8. DougMac

    Alright, finally something that Mr. Robot didn't already cover exactly.

    Although Screaming Fist is a Neuromancer reference.

  9. Securitymoose

    Welcome to your new job

    Here is your essential equipment: identity badge, desk, workstation, key to the bathroom, luncheon vouchers, shotgun for taking out spy drones.

    Accountancy doesn't have to be boring.

  10. Anonymous Coward

    Wait

    They had important/useful information on Confluence? I had not heard of this before.
