
Thread: News from the front....

  1. #21
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Quote Originally Posted by bolexxx:

    If you change the WEP to something else, well, you have to set up all their computers then, and hey, some guy has a laptop and he is on vacation; when he comes back to work, the internet won't work. Who is he gonna call? Who will give the support? There are some older cards which don't support WPA, or just don't work with WPA (happened to me all the time when I installed modems for an ISP company). Will you buy them a new card? Will you set up the new card?
    Not only that, but mixing and matching different manufacturers' versions of WPA doesn't always work. I've seen more than one instance where different brands don't work together.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  2. #22
    Senior Member Talkie Toaster's Avatar
    Join Date
    Jun 2008
    Location
    Scotland
    Posts
    131

    Do members not feel that, after the TK Maxx/TJX affair, where millions of credit card details were stolen with fairly simple tools AND because of some very bad IT security procedures, time is now up for WEP in a commercial environment?

    Before TJX, maybe an IT admin could be forgiven for not knowing the 'latest' about wifi encryption, but now there really is no excuse. After all, the skiddies have read the TJX news stories too..... and you can bet your last $ that they will now be armed with the same tools, same intentions and are probably wardriving right now looking for similar targets!

    I helped out a friend's boss (supermarket manager) after I noticed 3 PCs near his store sending out probes for the shop's network; their wireless should have been for pricing guns/printers only, with no internet or corporate LAN connection needed. After showing the manager how long WEP takes to crack (shock 1!) I first fired up Wireshark, thinking I would need to work out the IP scheme being used, only to notice DHCP was in use (shock 2!) and that every other PC and point-of-sale was also visible and most traffic was sniffable (shock 3!).

    The naming scheme was also stupid; names like WIN2000BOFF1 (WINdows 2000 Back OFFice 1) just make things too easy for unauthorised 'visitors' on the network. All computers in the shop were named like this...... (shock 4!)

    The worst part is still to come though: when the manager FINALLY managed to get hold of one of his company's IT contractors, the guy frankly didn't seem to care. He at first said it was impossible for me to see the non-wireless devices; it took about 2 mins of me and the manager reading out hostnames and IPs till we hit one important enough(!) for him to know about it before he started to listen. It turns out that the contractors buy in the wireless pricing guns/printers from a 3rd party and just plug them in..... Any further setup "depends on which guy fitted them".

    Only after about 10 mins on the phone to this guy did he actually ask a "what can I do to stop this" question. I told him to go out on site and have a look for himself, and then I asked what pentest distro and equipment he used....

    Him: "uh, oh here it is, it's called Auditor......."
    Me: "you do know that's a couple of years out of date, at least? BackTrack 3 beta is the newest version of that live CD."
    Him: "no....."

    This supermarket is another TJX just waiting to happen, and it just pisses me off so much that they are just not bothered about it!

    The same supermarket shares its WEP key between ALL UK stores, btw......

    I would call the above situation commercial negligence after the publicity surrounding TJX, and if it were my choice the IT contractors would have got the boot.
    He even tried to defend the use of WEP by pointing out that a WPA-enabled pricing gun was £20 more each because it needs a keyboard attached. When I asked him how much in labour alone it would cost to have someone come in and set up the routers properly, catalogue all equipment (for MAC listing) and set up a VPN or something to try to make the WEP more secure, he quickly saw my point......

    TT

    PS: The shocks were to the manager, not me. Well, apart from the contractor maybe; that shocked me!
    Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

  3. #23
    Moderator
    Join Date
    Apr 2007
    Posts
    1,644

    Well, that's "normal". There are good services and bad services. For everything: car repair shops, dentists, IT security...

    There are a lot of unqualified people working in any of these branches, and the best you can do is sell your knowledge, but you will not do that by knocking on people's doors offering something quick for free.

    Build a company, sell yourself, and you will protect not only one, but many firms, offices etc.

    It would be even more stupid than using WEP to let someone "do something" to a router.

    Don't you even think about that?
    I can come and pretend that I want to fix a network's encryption, I bring my laptop, I plug in, and I steal the data I need.

    Now how stupid would that be?

    Imagine a guy who wanted to change the lock on my door for free, because it's insecure.
    Would you let this guy in your house? Or maybe he wants to repair your gas pump, some electrical installation, etc...

    Why on earth would anyone trust someone who comes knocking on the door? Well, I know they would, but that's stupid.

  4. #24
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Quote Originally Posted by bolexxx:
    Well, that's "normal". There are good services and bad services. For everything: car repair shops, dentists, IT security...

    There are a lot of unqualified people working in any of these branches, and the best you can do is sell your knowledge, but you will not do that by knocking on people's doors offering something quick for free.

    Build a company, sell yourself, and you will protect not only one, but many firms, offices etc.

    It would be even more stupid than using WEP to let someone "do something" to a router.

    Don't you even think about that?
    I can come and pretend that I want to fix a network's encryption, I bring my laptop, I plug in, and I steal the data I need.

    Now how stupid would that be?

    Imagine a guy who wanted to change the lock on my door for free, because it's insecure.
    Would you let this guy in your house? Or maybe he wants to repair your gas pump, some electrical installation, etc...

    Why on earth would anyone trust someone who comes knocking on the door? Well, I know they would, but that's stupid.
    Excellent points to be sure. It should also be noted that not everyone that works in IT is aware of all the issues that we're aware of. Not everyone can be an expert in every field of IT.

    I'm quite sure that I could post a scenario here that I just resolved at my office that I think there's maybe 1 or 2 people that post here regularly who would have a clue what I'm talking about. Does that make the rest of you idiots or lamers? No, it just means you haven't had that experience yet, probably because no one brought it to your attention.

  5. #25
    Member squishyalt's Avatar
    Join Date
    Feb 2010
    Posts
    172

    Quote Originally Posted by bolexxx:
    It seems like you learned how to crack a WEP key a week ago, and now you wanna go show off your skills to other people. Really.

    You are totally too pushy, and not polite. I don't understand the anger you seem to have: "WHY DO THEY USE WEP WHEN IT'S INSECURE!??!?"

    Because they are human, and maybe WEP isn't the biggest concern for them. I just don't know why you are so pissed off, really.

    Btw, have you even thought of what changing the encryption means?
    Yes.

    Quote Originally Posted by bolexxx:
    If you change the WEP to something else, well, you have to set up all their computers then
    OK.

    Quote Originally Posted by bolexxx:
    , and hey, some guy has a laptop and he is on vacation; when he comes back to work, the internet won't work. Who is he gonna call?
    Me.

    Quote Originally Posted by bolexxx:
    Who will give the support?
    Me.

    Quote Originally Posted by bolexxx:
    There are some older cards which don't support WPA, or just don't work with WPA (happened to me all the time when I installed modems for an ISP company). Will you buy them a new card?
    No.

    Quote Originally Posted by bolexxx:
    Will you set up the new card?
    Yes.

    Quote Originally Posted by bolexxx:
    It's not so simple as you think... they have someone who works for them (or they don't), and they are happy with them.
    Introduce yourself and your company, offer yourself or your services, make a sales pitch, and that's it.
    You can't just show up at someone's door and say, hey, that's wrong, I will fix that for you for free.

    Well, you can, like you did, but the outcome isn't nice.
    We all live and learn. Sometimes you can help people. Sometimes you can't. But, you should always try.

  6. #26
    Member squishyalt's Avatar
    Join Date
    Feb 2010
    Posts
    172

    Quote Originally Posted by bolexxx:
    Well, that's "normal". There are good services and bad services. For everything: car repair shops, dentists, IT security...

    There are a lot of unqualified people working in any of these branches, and the best you can do is sell your knowledge, but you will not do that by knocking on people's doors offering something quick for free.
    It is difficult, to say the least. Only a 10% success rate so far.

    Quote Originally Posted by bolexxx:
    Build a company, sell yourself, and you will protect not only one, but many firms, offices etc.
    But if businesses don't know they have a problem, they won't make a move. Why should they? They think they are safe and secure.

    Quote Originally Posted by bolexxx:
    It would be even more stupid than using WEP to let someone "do something" to a router.

    Don't you even think about that?
    I can come and pretend that I want to fix a network's encryption, I bring my laptop, I plug in, and I steal the data I need.

    Now how stupid would that be?
    VERY STUPID. That's why I gave them a set of business references that they can call to check me out.

    Quote Originally Posted by bolexxx:
    Imagine a guy who wanted to change the lock on my door for free, because it's insecure.
    Would you let this guy in your house? Or maybe he wants to repair your gas pump, some electrical installation, etc...

    Why on earth would anyone trust someone who comes knocking on the door? Well, I know they would, but that's stupid.
    Ergo the references.....

  7. #27
    Moderator
    Join Date
    Apr 2007
    Posts
    1,644

    squishyalt, do you own a company or not?

    Because if you don't, it's very hard to do something for someone if you don't own your own business, you know the obvious reasons. And don't think you will do anything except "irritate" the (IT) staff of the companies you are trying to help. So start your own company first.

    On the other hand, if you do have a company, you need to take another, more professional approach.

  8. #28
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Quote Originally Posted by Talkie Toaster:
    Do members not feel that, after the TK Maxx/TJX affair, where millions of credit card details were stolen with fairly simple tools AND because of some very bad IT security procedures, time is now up for WEP in a commercial environment?
    First, let me state this: TJX was bad, no question. However, it was a failure of risk assessment and proper network design rather than of the wireless or encryption per se.

    Wireless was the way in*, but it was poor IT and management practices that caused it to be available.

    Many wireless scanners used for retail inventory control only support WEP, and many do not support encryption at all. For what they are doing, that is perfectly reasonable; encryption can be an unnecessary overhead on the processors. The problem comes in that the wireless networks used for inventory control are not properly assessed for risk, and, failing that, improper network design then follows. Instead of having a wireless segment designed only for inventory control that is firewalled, isolated, and routed separately from the rest of the network, management sees the convenience of going without wires, and that convenience overcomes common sense. They then fail to understand the risks or blindly ignore them, and ignore best practices for network design. By the way, those best practices long predate the use of wireless networking.

    *TJX wasn't the first, by a long shot. Best Buy and Lowe's have also had similar problems. In the case of Best Buy, the cash registers were known to be transmitting credit card information over an open wireless network. Lowe's had an identical issue to TJX: access to the backend systems was available through a wireless system. The saving grace in that case was that the script used by the criminals to collect customer info was faulty, and was discovered. A sting was then set up, and the criminals were caught in the act of accessing backend servers over the wireless network of a particular store.
    Thorn
    Stop the TSA now! Boycott the airlines.
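    Thorn's design point above (a scanner segment that is firewalled, isolated and routed separately, so a WEP-only or open inventory network cannot reach the point-of-sale or back-office hosts that Talkie Toaster saw) is something a defender can verify from flow records rather than take on trust. The script below is an added illustration written for this thread, not code from any of the posters or from any product. It assumes the router or firewall between the scanner VLAN and the store LAN can export flows as comma-separated "src,dst,proto,dport,bytes" lines (a constructed format), and it assumes the only legitimate cross-boundary traffic is scanners talking to one inventory server on one TCP port; every address and port is a placeholder.

```python
"""Audit whether an inventory-control wireless segment is really isolated.

Added illustration, not from the thread. Assumes the device that routes
between the scanner VLAN and the store LAN can export flows as
"src,dst,proto,dport,bytes" lines. All addresses/ports are placeholders.
"""
from ipaddress import ip_address, ip_network

# Assumed policy: scanners live in 10.40.0.0/24 and may only talk to the
# inventory server 10.0.1.10 on TCP 8443. Nothing else may cross the boundary,
# and nothing on the store side should ever initiate into the scanner VLAN.
SCANNER_NET = ip_network("10.40.0.0/24")
ALLOWED_FROM_SCANNERS = {("10.0.1.10", "tcp", 8443)}  # (dst, proto, dport)

# Constructed sample export, one flow per line: src,dst,proto,dport,bytes
SAMPLE_FLOWS = """\
10.40.0.21,10.0.1.10,tcp,8443,10240
10.40.0.21,10.0.1.10,tcp,8443,3100
10.40.0.22,10.0.2.15,tcp,445,2048
10.40.0.23,10.0.3.7,tcp,3389,512
10.0.2.15,10.40.0.21,tcp,23,300
10.0.2.15,10.0.1.10,tcp,8443,600
10.40.0.24,10.40.0.1,udp,67,328
"""


def parse_flows(text):
    """Parse the constructed export into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        src, dst, proto, dport, nbytes = parts
        flows.append({"src": src, "dst": dst, "proto": proto.lower(),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def classify(flow):
    """Return None for an acceptable flow, otherwise a short reason string."""
    src_is_scanner = ip_address(flow["src"]) in SCANNER_NET
    dst_is_scanner = ip_address(flow["dst"]) in SCANNER_NET
    if src_is_scanner == dst_is_scanner:
        return None  # stays inside one segment: not a boundary crossing
    if src_is_scanner:
        if (flow["dst"], flow["proto"], flow["dport"]) in ALLOWED_FROM_SCANNERS:
            return None
        return "scanner VLAN reached a host outside the inventory allow-list"
    # Store-LAN side initiating into the scanner VLAN: scanners only ever
    # answer the inventory server, so this should never appear.
    return "store LAN host initiated a connection into the scanner VLAN"


def audit(flows):
    """Return (flow, reason) pairs for every flow that violates the policy."""
    violations = []
    for flow in flows:
        reason = classify(flow)
        if reason is not None:
            violations.append((flow, reason))
    return violations


def summarize(violations):
    """Count violations per offending source address."""
    counts = {}
    for flow, _ in violations:
        counts[flow["src"]] = counts.get(flow["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = audit(parse_flows(SAMPLE_FLOWS))
    for flow, reason in found:
        print(f"{flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']}  {reason}")
    print("per-source:", summarize(found))
```

    On the constructed sample the two inventory-server flows and the DHCP exchange inside the scanner VLAN pass, while the SMB and RDP connections from scanners into the store LAN and the telnet connection from a store host into a scanner are reported. Run against a real export, an empty violation list is the evidence that the segment Thorn describes actually exists; a non-empty one is the shock-3 situation from Talkie Toaster's post, found before someone outside the store finds it.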

  9. #29
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Overall it's very easy to be a couch quarterback and criticize companies for their breaches. But unless you were there during all the meetings and planning stages, you have no idea what was pushed through by management without technical knowledge.

    We've all sat in meetings with upper management that doesn't understand technology but seems to think that saving $20/unit on a large purchase is a good idea. Management's job is to look at the bottom line and save money. IT's job is to try to convince them that they really need to go with better equipment. Sometimes it works, many times it doesn't. I'm fortunate where I am because I get everything I ask for regardless of price. But I do tons of research before I propose anything to management.

    Large corporations are more about business politics than much else. IT many times gets the short end of the stick, and then when things fail, they're the ones to blame. It sucks, but that's the way it is. Everyone wants the best from IT on the minimum budget possible.

  10. #30
    Member squishyalt's Avatar
    Join Date
    Feb 2010
    Posts
    172

    Quote Originally Posted by streaker69:
    Excellent points to be sure. It should also be noted that not everyone that works in IT is aware of all the issues that we're aware of. Not everyone can be an expert in every field of IT.
    I agree. But we aren't talking about some exotic SQL exploit or little-known buffer overflow in Flash here. We're talking about a HUGE story on TJX that was on every TV, in most every newspaper and is of concern to every consumer out there.

    NOT knowing this, considering the press coverage, the ease of hacking and the size of the security hole that it places on an IT professional's clients, is just not acceptable.

    Quote Originally Posted by streaker69:
    I'm quite sure that I could post a scenario here that I just resolved at my office that I think there's maybe 1 or 2 people that post here regularly who would have a clue what I'm talking about. Does that make the rest of you idiots or lamers? No, it just means you haven't had that experience yet, probably because no one brought it to your attention.
    I'm sure that you could. Most people here could bring up a scenario like that too.

    But I am not talking about some obscure hack. The WEP flaw has been in newspapers all over the world. It has been talked about on television news stories. It is not even a part of the wireless specification any more as a result of this flaw.

    Comparing obscure exploits to WEP is comparing apples and oranges.
