Of late I have been enjoying playing with an app on my iPhone called WiFiTrak. It has been a handy way to scan for wireless networks and it doesn’t appear as obvious as it would were I carrying around a laptop. I have seen a great many open or WEP ’secured’ corporate networks that should have been fixed a long long time ago.
Bad vendor delivery? Well, in one case the state of New York decided that they have had their fill and pulled the rug out from under M/A-COM who was contracted to build out a public safety wireless network statewide.
From Computer World:
New York State has canceled the multibillion-dollar contract it awarded to M/A-COM to build a statewide wireless network for public safety use, saying the vendor has failed to adequately deliver on the deal.
A document released by the state showed excessive equipment failures after testing, including radios with stuck volume controls, “black screens” that render the devices unusable and microphones that randomly turn on, unintentionally transmitting audio.
According to the state, testing done in November showed that M/A-COM failed to fix 15 of 19 deficiencies described in an earlier complaint. M/A-COM, however, is disputing the charges. “We believe that M/A-COM has fulfilled its contractual obligations and delivered a state-of-the-art system that would benefit the residents of New York. We recognize that the State’s current priorities may no longer support the construction of a statewide network and we have made several attempts to address this amicably with the State. Tyco Electronics and M/A-COM will take all necessary steps to protect the company’s rights under the contract,” it said in a statement.
The state of NY still intends to build the network but, they will now have to hunt for a new vendor.
Read on.
So why the fuss over the MIT student presentation that “never was” at Defcon? Why the court order barring them from speaking AFTER the presentation had been handed out to 7000 or so attendees and had been available on an MIT website for several months?
Well, money. MBTA is drowning in red ink.
From The Boston Globe:
Strapped with an $8.1 billion debt, the MBTA can’t afford expensive upgrades to its automated fare equipment. That may explain, in part, why the transit agency put such extraordinary legal pressure on three MIT students who claim to have found a way to hack into the transit system’s $180 million automated fare system. But trotting out the lawyers didn’t make the T less vulnerable to future hackers.
Well, the gag order has been lifted. Which, in all fairness, should never had been in place to start with.
The MIFARE wireless chips are popping up in transit systems all over the place. Case in point, in the greater Toronto area (GTA) an amalgamated transit card is being rolled out that will provide users the ability to travel several systems on one card. London’s implementation of Mifare technology has been less than stellar.
Our own Myrcurial attempted to contact the Prestocard folks about the Mifare technology at the beginning of July but, he was given the Heisman (a “straight arm” for the non-sports inclined). So, is the Presto Card headed for an epic failure? We’ll have to wait and see.
Tags: MBTA, Charlie Card, MIT Hackers
I thought this was an interesting read.
From Network World:
Jason Crawford has learned that if you want to break into secure Wi-Fi networks, you don’t need to buy equipment from the black market. Instead, you can buy it from Toys “R” Us, he says.
Crawford, who works as a principal investigator for R&D projects at Lockheed Martin’s newly opened wireless-security laboratory, says he has figured out how to crack the seemingly secure wireless networks that consumers and corporations use — with nothing more than a cluster of eight PlayStation 3s. Crawford won’t go into the details of just how he used the PS 3s to hack Wi-Fi networks, but he says that you don’t have to be a top-level hacker to figure it out.
For the full piece read on.
This strikes me as a troubling story.
From RFID News:
Axcess International has announced its Micro-Wireless RFID system will be used by the U.S. military to enable automatic inventory accounting and perimeter security for ordnance assets. Using the Axcess’ Dot tag design, the system uses ultra-small, low cost RFID transmitters assigned to each asset, enabling automatic tracking and automatic security monitoring.
Maybe I’m being paranoid but, I’ve seen enough presentations by Adam Laurie to have earned my paranoia.
Then I read this passage,
Any unauthorized movement of an armament outside the storage area automatically triggers an alert, but the handling of armaments can be linked to authorized service personnel via an RFID personnel badge
But, what of a cloned RFID tag? And what of the DHS report that slammed RFID?
Ah the joy of the first panicked post departure phone call. Today is my first day away from the office and my now former day joy called. It turns out that an old wireless router that had been sitting in a box in my office had been pinched soon after I left. That’s fairly typical. Someone exits the company whether on bad or, in my case, good terms, they leave things behind in their office.
Well, the router was one of them.
An old Linksys.
Damn if someone didn’t just pinch it. No. They had to go one step further. Some knothead plugged it in. Suffice as to say the hunt is on. Good luck folks.
Pity the half wit that thought it would be a good idea to plug it in.
Hmm. OK.
I’m not sure what to make of this one. RFID is not my specialty to say the least. Any one have thoughts on this one?
From RFID Journal:
NeoCatena, a Sunnyvale, Calif., startup company, has emerged to address an issue its founders believe is of growing importance to end users of RFID technology: system security. The firm has created a security appliance designed to act as a firewall between RFID interrogators and the edge server of middleware an end user employs to collect and transmit RFID tag data upstream to its enterprise software.
The appliance, known as RF-Wall, runs software developed by NeoCatena to protect an RFID network from counterfeit RFID tags, and from attempts to use tags encoded with malware to introduce a virus to back-end systems, or to execute some type of breach to the security of sensitive data, according to the company’s cofounders, Boris Wolf and Lukas Grunwald.
While there have been no publicized incidents involving the use of RFID-based network attacks or counterfeit RFID tags, Wolf and Grunwald believe the threats to be real, and say experiments performed by Grunwald dating back to 2004 have proven such things possible.
Read on.
Big брат is watching you. In a further attempt by the Russian government to turn the screws on the populace they are now mandating that all wireless APs, wireless devices, and the like, are registered with the government.
From Computer World AU:
Business travellers to Russia might want to keep their laptops and iPhones well-concealed – not from muggers, necessarily, but from the country’s recently formed regulatory super-agency, Rossvyazokhrankultura (short for the Russian Mass Media, Communications and Cultural Protection Service).
In the UK, Ofcom made deregulation one of its first priorities upon coming into existence, but the Russian equivalent is doing just the reverse, including an ominous-sounding policy of requiring registration for every Wi-Fi device and hotspot, according to a report this week from news agency Fontanka.
Rossvyazokhrankultura’s interpretation of current law holds that users must register any electronics that use the frequency involved in Wi-Fi communications, said Vladimir Karpov, the deputy director of the agency’s communications monitoring division, according to an English commentary provided by website The Other Russia.
Um, this has a rather chilling affect for any travelers heading to Russia. Not to mention end users in the country. I wonder how well this type of law is communicated to the people. Are folks in Russia aware of this interpretation by the Rossvyazokhrankultura?
Here’s another quote:
“Setting up a home Wi-Fi network or a hotspot would require what sounds like vast amounts of paperwork, akin to putting a cell tower,”
Damn. So are they planning to war drive looking for offenders? How is this going to play out for Russian wireless users?
It appears that there is some interesting legislation afoot in Maryland. From the Herald-Mail “Purposely surfing the Internet on someone else’s wireless connection, without permission, would be a crime under a bill Del. LeRoy E. Myers Jr. presented Tuesday.”
This is an odd one because, if I remember correctly, XP is a bit of a promiscuous wench when in comes to associating with any open wireless connection. For example, in my neighbourhood in Toronto if I were to search for a wireless connection I find no less than 20 connections. Of that group 5 or six are wide open. I’m a little torn here as I can understand not wanting other folks on my wireless access but, I can always enable the security features (and I have). If someone were to access and surf the interweb after that point then yes, that would be theft. But, if you leave your access wide open aren’t you just asking for trouble?
Myers, R-Washington/Allegany, said his bill is meant to clarify intentional theft vs. accidental use.
He told the House Judiciary Committee that one of his neighbors, after buying a new laptop computer, got onto the Internet, thinking it was through a cable TV hookup.
Actually, the connection was through Myers’ home wireless Internet system.
He said he didn’t want unintentional use like that to be prosecuted the same as computer hacking.
According to the bill, intentional unauthorized access to another person’s computer, network, database or software is a misdemeanor. The penalty is up to three years imprisonment and a fine of up to $1,000.
Hmm, this would a difficult one to prove. The fine is so low as to not be worth prosecuting. Although, the three year jail sentence has some teeth.
Thoughts?
In a bid to avoid offending some by blocking “racy sites” Denver airport has been filtering website access from their free wi-fi hotspots. But, in their bid to address our collective squeamishness they are also blocking the likes of boingboing dot net and …Vanity Fair?
Um, OK.
From the Denver Post:
Airport spokesman Chuck Cannon says officials decided to block potentially racy sites when the airport made its wireless internet service free in November. Previously, there was a fee for using it.
Cannon says the airport would rather weather infrequent complaints about access than handle angry parents whose children might see pornography.
I’ll be willing to wager that if you wander around the airport you’ll be able to pick up an open AP from one of the first class lounges. At LAX one of the airlines is good enough to provide free wireless to their passengers…and anyone else in range of gate 26 in terminal two.
If anyone if traveling through Denver I’d love to know if access to Liquidmatrix is blocked as well.
Tags: Denver Airport Wi-Fi, Internet Censorship
From Daily Progress.com:
A University of Virginia graduate student and two fellow hackers say they have cracked the encryption code that protects billions of credit cards, subway passes and security badges.
With readily available equipment that cost less than $1,000, 26-year-old Karsten Nohl and his two Germany-based partners dismantled a tiny chip that is found inside many “smartcards” and mapped out its secret security algorithm.
With the cryptographic formula in hand, the hackers were then able to run it through a computer program that tried out every possible key. It broke the encryption after a few hours. If they were to try again, Nohl said, it would take a matter of minutes.
“I don’t want to help attackers, but I want to inform people about the vulnerabilities of these cards,” said Nohl, a Ph.D. candidate in computer engineering at UVa who is originally from Germany.
So, why does this seem familiar? The article seems a touch confusing. Did he break crypto or simply RFID? The quote from the article “found that it was fairly easy to crack the RFID chip’s code, potentially allowing a tech-savvy miscreant to clone credit cards, ride the Metro for free, or easily steal cars.” seems to indicate that they merely attacked the RFID as opposed to some encryption. Does anyone have a link to Nohl’s presentation from CCC?
Tags: RFID, Karsten Nohl
