Archive for November, 2003

Nov 13 2003

More details than I expected to see in the news

Published by under Hacking

I’ve been pleasantly surprised this morning. Security Focus has published an online article about the wardriving case I wrote about earlier this week, and they have more details than I ever would have expected to see. You can read the article here.

This article makes it pretty clear to me that the gentlemen in question are fools and deserve to have the FBI slap them down hard. Not that I have definite opinions on the matter, mind you. It looks like this was a case of two guys exploring the capabilities of technology, and when they found a Lowe’s store they could exploit, they went from seekers of knowledge to seekers of credit card numbers. It’s always the stoopid hackers that get caught. The smart ones are still out there.


Nov 11 2003

Wardriving can be dangerous to your freedom

Published by under Hacking

Wardrivers charged with hacking Lowe’s and stealing credit card details

Read the article if you’re interested, but the basic gist of this article is that two gentlemen were apparently wardriving in their hometown and came across a number of Lowe’s stores with wireless access and decided to hack the networks. If what the article is saying is true, then these guys deserve whatever the federal government has to throw at them. But the article leaves so much unsaid that I’m not even sure what they really did. And that has me concerned.

Why am I concerned? This story is very vague on exactly what the two culprits did to the network, which could be anything from passively finding open 802.11x access points to using those access points for Internet access to actively hacking the Lowe’s network. Wardriving is the act of driving around in your car with a laptop, a wireless card, an antenna, and a GPS. Every so often, usually several times a second, the laptop sends out a signal that basically says, “If you’re an Access Point, please respond”. If an Access Point is set up to respond, the laptop gets back information about the Access Point, whether it is using encryption, and the signal strength of the Access Point. Additionally, the software on the laptop uses the signal from the GPS to mark down the physical location where the signal was received.
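As an added illustration (not part of the original post), here is what a survey tool reads out of the response an Access Point sends back, the kind of check an administrator runs against their own site survey to find Access Points advertising no encryption. The frame bytes, network names, coordinates and function names are all constructed for this sketch.

```python
import struct

def build_body(ssid, privacy):
    """Constructed sample: probe response body (after the 24-byte MAC header)."""
    caps = 0x0001 | (0x0010 if privacy else 0)      # ESS bit, optional Privacy bit
    body = struct.pack("<QHH", 0, 100, caps)        # timestamp, interval, capabilities
    body += bytes([0, len(ssid)]) + ssid.encode()   # element 0: SSID
    return body + bytes([3, 1, 6])                  # element 3: DS parameter, channel 6

def parse_probe_response(body):
    """Extract SSID, channel and the Privacy (encryption) bit from a frame body."""
    if len(body) < 12:
        raise ValueError("body shorter than the 12 bytes of fixed fields")
    _ts, _interval, caps = struct.unpack_from("<QHH", body, 0)
    info = {"ssid": None, "channel": None, "encrypted": bool(caps & 0x0010)}
    pos = 12
    while pos + 2 <= len(body):                     # walk the (id, length, value) elements
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + length]
        if len(value) < length:
            break                                   # truncated element: keep what we have
        if tag == 0:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info

def survey_record(body, rssi_dbm, lat, lon):
    """Pair the parsed response with signal strength and the GPS fix."""
    rec = parse_probe_response(body)
    rec.update(rssi_dbm=rssi_dbm, lat=lat, lon=lon)
    return rec

def unencrypted(records):
    """Names of surveyed Access Points that advertise no encryption."""
    return sorted(r["ssid"] for r in records if not r["encrypted"])

# Constructed survey of two hypothetical Access Points (placeholder coordinates).
SAMPLES = [
    survey_record(build_body("store-pos", privacy=False), -48, 0.0, 0.0),
    survey_record(build_body("corp-lan", privacy=True), -71, 0.0, 0.0),
]

if __name__ == "__main__":
    print(unencrypted(SAMPLES))
```
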

Wardriving is in kind of a legal limbo at this time. In the strictest sense, you have made a connection to the network, but at such a low level as to be unusable. A very rough analogy to the physical world would be driving around a building to see if it has doors and looking to see if the door has a lock. At this point, you haven’t even jiggled the lock. Like most loitering, this is frowned upon, but wardriving is equally hard to detect and stop. I have yet to hear of anyone being charged with anything for wardriving, and I’m more than a little afraid that this may be one of the first examples. If it is, I’ll be very interested in seeing how the courts treat it.

A second scenario concerning this incident might be passive sniffing of the network at Lowe’s. Setting up wireless Access Points isn’t that hard to do correctly and securely, but it’s even easier to do incorrectly and insecurely. If these guys were just sitting in the parking lot watching the Lowe’s network traffic as it flowed by, then they deserve a slap on the wrist. Lowe’s, on the other hand, deserves a big, fat lawsuit. I can imagine that the basic logic would be, ‘You didn’t secure your network, my credit card information was stolen and you have to pay up!’. When are companies going to start having to pay for ignoring basic security practices?

Finally, if, as this story suggests, the gentlemen in question were actively exploring the Lowe’s network and trying to get credit card information, I hope the Feds throw the book at them. When you’re using a wireless connection, it’s pretty easy to feel like you’ll never be caught. Except for the fact that the radio communication flows in two ways and the budget the Feds have for catching hackers allows them to buy the sort of equipment you need to follow the signal back to a car. Not to mention a little footwork will allow you to find two guys who have been sitting in front of your store for hours staring at a computer screen.

I hope more details come out about this case. I really want to know what happens. If wardriving is ruled as illegal, I want to make sure that I don’t get caught doing it. Nothing like a hacking charge to ruin a network security career.


Nov 04 2003

Why am I doing this again?

Published by under General

As a security professional, one of the things I have to remind myself of occasionally is why I do this. It is so easy to get caught up in creating security for the sake of being secure, but that is not really what we’re here for. I’m here to make sure that my company can continue to do business, despite the fact that there are people out there who want to interfere with that business. I’m not here to make the network so secure that even the users can’t use it.

I had that illustrated to me last week; a portion of the user base wants to install an FTP server to enable file transfer with other businesses. I started listing off ways to secure the connection, the sort of non-disclosure agreements that should be in place, the possibility of using SCP, and about a dozen other ways of securing the connection. When I brought this up to my team lead, he pointed out that these were good suggestions, but that the users wouldn’t be able to actually use the system if they were all put in place. That’s when the light went on.

Security is great, and should be part of the business decision making process, but it is not the be all and end all. A number of security professionals have pointed out that we can make a perfectly secure computer; unplug it and put it in a closet somewhere. There has to be a fine balance between securing the systems and making them usable. But the users have to be able to do their job. After all, their work pays my check.
