Avast Suckers GOP Delegates Into Connecting To Insecure Wi-Fi Hotspots (theregister.co.uk) 109
Avast conned more than 1,200 people into connecting to fake wi-fi hotspots set up near the Republican convention and the Cleveland airport, using common network names like "Google Starbucks" and "Xfinitywifi" as well as "I vote Trump! free Internet". An anonymous reader quotes this report from The Register:
With mobile devices often set to connect to known SSIDs automatically, users can overlook the networks to which they are connecting... Some 68.3 percent of users' identities were exposed when they connected, and 44.5 per cent of Wi-Fi users checked their emails or chatted via messenger apps... In its day-long experiment Avast saw more than 1.6Gbps transferred from more than 1,200 users.
Avast didn't store the data they collected, but they did report statistics on which sites were accessed most frequently. "5.1 percent played Pokemon Go, while 0.7 percent used dating apps like Tinder, Grindr, OKCupid, Match and Meetup, and 0.24 percent visited pornography sites like Pornhub."
Avast didn't store the data they collected, but they did report statistics on which sites were accessed most frequently. "5.1 percent played Pokemon Go, while 0.7 percent used dating apps like Tinder, Grindr, OKCupid, Match and Meetup, and 0.24 percent visited pornography sites like Pornhub."
Will you do the same at the Democrat convention? (Score:5, Interesting)
Results will be skewed, because the Dem convention delegates will know that somebody is (probably) waiting to entrap them. The Pubs won't have had the same emphasis placed on cyber security before their convention.
And if the results are bad for the Dems, will you all publish?
Re: (Score:2)
What law prohibits setting up a wireless network?
What law prohibits inspecting the traffic traversing your own network?
Surely it's an illegal wiretap (Score:1)
Within the meaning of 'wiretap'; gaining access to personalised data that was innocently passed by an individual. If I listen in to a phone call that's not for me, that's illegal. This is surely equivalent.
Re: (Score:3)
Considering the stuff coming out of the 20k emails leaked by wikileaks? There's going to be a lot of very nervous people at the DNC this week, so yep I expect that they figure someone will want to fish for information and they'll likely have signs up saying only xyz are approved hotspots or some such.
Re: Will you do the same at the Democrat conventio (Score:2)
A) Twenty blind lesbians at a fish market...
Re: (Score:1)
Q) What's the very definition of confusion?
A) Twenty blind lesbians at a fish market...
How many people on Slashdot will even get that joke?
Hilarious though.
Farther still (Score:1)
I think you'd need to make the wall go even further down, the tunnels the Clintons built to smuggle in under-age Mexican girls for Bill, and to smuggle out incriminating evidence against Hillary out of the country is probably at least 200 feet down.
Re: (Score:2)
Dating is only tiny sliver of what meetup.com. Take for example the hundreds of these politics-related [meetup.com] meetups.
And if the results are bad for the Dems, will you all publish?
Of course, they will. Avast is a scamware company. They thrive on misinformation, fear, and publicity.
http://avastscam.com/a-track-record-of-fraud/ [avastscam.com]
Avast's CEO has even blamed its affiliates for their scams, which he claims they deactivated and are no longer forwarding phone calls from their 800 numbers to, but once the bad press [reddit.com] died down, nothing changed, and their current affiliates are still sca
Re: (Score:1)
They don't need to worry about that anymore. They simply won't prosecute them, just like Hillary. So they can feel free to talk about their illegal donations and so on.
Impeach! (Score:1)
Holy shit they used insecure internet! Isn't that grounds for a felony?
Re: (Score:2, Informative)
Re: Impeach! (Score:3, Interesting)
It's only a felony for the little people.
Clintons don't have to follow the same laws.
Dumbass OP shouldn't have touched this one if he's a Clinton supporter.
The sane people in this country who aren't drowning in koolaid or ever worked anywhere in security know she should absolutely be in prison right now. No buts what's ifs.
She is a criminal who put this nations security at risk in a direct and premeditated effort to skirt the freedom of information act, committing two crimes at one go.
Only a Clinton could
Re: Impeach! (Score:2, Interesting)
Benghazi is not something that defines her, it's merely a drop in the ocean of what she has done so far and what she is capable of doing.
Vote whoever, just not her.
Meetup is a dating site (Score:2)
Re: (Score:2)
At least in my area there are several singles (speed dating) groups, but most of them are actually pretty small. It's indeed a bit odd to add it to dating sites.
Besides, is it nowadays immoral to even just visit dating sites?
Re:BREAKING NEWS (Score:5, Insightful)
Re: (Score:3)
If they're a level up, they might have an automated Metasploit script to throw at servers.
Re:BREAKING NEWS (Score:4, Insightful)
So in other words, they did their job and got paid.
They were contracted to find vulnerabilities, and they accurately determined that user credentials were easily compromised with a basic attack. If they were not pentesters, but rather actual attackers, they would have everything they need to access the company servers and start wreaking havoc. Even if they only sniffed users' personal credentials, they still have enough access to start social engineering or coercion attacks against the employees.
Depending on the terms of the contract, the consultants may not be allowed to test passwords they find. They may only be allowed to report that they found something that looks like it should be a password.
Of course, it may also highlight some other key details, like company devices automatically connecting to known SSIDs, or a lack of encryption on the legitimate wireless network. If their attack went undetected by the company's security team, a suitably-paranoid company may want to install systems to detect rogue access points.
A colleague of mine once was hired to do a week of pentesting. The first morning, he tailgated through a locked door by carrying some boxes, found an unlocked network closet, and connected to the client's network and started sniffing unencrypted traffic, including plaintext passwords for the admins. Those let him access every server he tried, and he ended up cutting the test short by lunch. He delivered a brief report in the afternoon, essentially saying that the general approach to security was so bad that further testing wouldn't be productive. His recommendation was to cancel the security testing contract and move the budget to basic security training.
Re: (Score:2)
So in other words, they did their job and got paid.
Problem is the company probably is no more practically secure after the consultants came than before.
The first morning, he tailgated through a locked door by carrying some boxes, found an unlocked network closet, and connected to the client's network and started sniffing unencrypted traffic, including plaintext passwords for the admins.....He delivered a brief report in the afternoon, essentially saying that the general approach to security was so bad that further testing wouldn't be productive.
Yeah, that's a pretty common sort of scenario.
Re: (Score:2)
The weren't "practically" secure before the test, and given the extreme lack of protection, probably weren't even aware of it. Now they are aware of it, and can start pursuing better options for protection. The servers and networks haven't changed, but the improvement in awareness puts them in a much better position. Now they can improve.
Again, a consultant's job really boils down to the terms of the contract. If the contract says to evaluate the company security, that's what you do. If the result of that e
Re: (Score:2)
Security is not a checklist, despite what managers might think.
Yeah, you're right.
You can't just hire a security consultant to run a test, then stick on his list of band-aid fixes and be done with it.
And yet that's what many snake-oil consultants offer.
Re: (Score:2)
You can't just hire a security consultant to run a test, then stick on his list of band-aid fixes and be done with it.
And yet that's what many snake-oil consultants offer.
...but a comprehensive practical test is what you complained about in the first place!
they set up a fake wireless access point in an office, and when a lot of people accidentally connect to it, th[e]y sniff some passwords. After that, they show it to the boss and say, "look how insecure you are!" The boss is shocked and they send a bill, even though they've done nearly nothing.
If they're a level up, they might have an automated Metasploit script to throw at servers.
So let me get this straight... a consultant who walks in and says "look how insecure you are!" and raises general awareness of security is a bad thing, per your earlier post. A consultant who offers a list of exploits is only "a level up" from that. Per your last post, you agree that a consultant delivering just a list of patches is bad.
What do you think a good security consultant would deliver, exactly?
Re: (Score:2)
What do you think a good security consultant would deliver, exactly?
A) actual skills, not just a script-kiddy with corporate backing.
B) when they were done, they would leave a place relatively more secure. For example, I can go to a place and say, "look, your windows are insecure, and if you put bars on the windows, it will be more secure." That will be 100% accurate, but not particularly useful, and in practice doesn't address most threats companies face.
C) the primary focus generally should be on securing against remote attacks, because that's where your highest exposu
Re: (Score:2)
A) actual skills, not just a script-kiddy with corporate backing.
Elitism. Got it.
B) when they were done, they would leave a place relatively more secure. For example, I can go to a place and say, "look, your windows are insecure, and if you put bars on the windows, it will be more secure." That will be 100% accurate, but not particularly useful, and in practice doesn't address most threats companies face.
That depends entirely on the client. Bars on the windows are important for a convenience store in a bad neighborhood. Similarly, a reinforced perimeter is important for any facility whose risk is more physical than electronic. One example that comes to mind is a store's cash supply. I've seen a restaurant whose cash was stored in the manager's office, which had a single-pane window into the dining area.
C) the primary focus generally should be on securing against remote attacks, because that's where your highest exposure is. Anyone can plop down a wifi pineapple, but most people who do so are security consultants. In practice, black-hats favor remote exploits.
Black-hats favor whatever gets to their target. Remote exploits are easy and safe, but als
Re: (Score:2)
Incidentally, a lot of "security" consultants use this trick.....they set up a fake wireless access point in an office, and when a lot of people accidentally connect to it, thy sniff some passwords.
Indeed they do expose a serious security risk: browsers (or other software) sending login credentials in plain text over an untrusted connection (which is ANY connection on the Internet, except maybe a patch cable between your laptop and the server you try to connect to).
Re: (Score:2)
Right, because only a moron has their wireless device set to automatically re-connect to SSIDs they have previously connected to - if you read the excerpt above you'll see they used SSIDs identical to popular hotels, coffee shops, etc.
And of course, by moron I mean everyone that accepts the defaults on their iPhone, Android, other device.
Pornhub should be the default page (Score:2)
Re: (Score:1)
Only 0.24% went to porn sites. I really question the drive of these republicans, they do not seem like real men and women.
Re: Pornhub should be the default page (Score:1)
What does porn have to do with drive? I don't watch or look at porn. I have a SO, so why bother?
Re: (Score:1)
Or do the math. That's what? 3 users of the 1200 quoted? I'd call that a fairly positive statistic.
So what? (Score:1)
I am not sure the point. We got a thousand connections, sure they should connect to free wi-fi however...
1. So they found out what sites they went to. Now much of that data was incrypted. So the details weren't too obvious.
2. The numbers were not that crazy.
TFA said about 1000 people connected. So...
About 50 people played a popular game
7 people were using a dating app
3 people viewed porn.
Being that it is populated with many people who's main candidate married a porn star is it that surprising.
3. What doe
Re: (Score:2)
Avast conned more than 1,200 people into connecting to fake wi-fi hotspots set up near the Republican convention and the Cleveland airport
...meaning they caught a lot of non-Republicans in their little "sting operation". All in all, a non-news story. I'm sure they were really hoping that they'd find 10% of the people looking at porn, or something more salacious. Why call out porn and dating apps in the first place?
All this proves is that we really need encryption everywhere, and that we need to make sure it's turned on by default, so that ordinary users don't have to think about it too much (because let's face it - that will never happen).
Re: (Score:2)
I look forward to DNC results (Score:5, Insightful)
Surely they plan to do the same thing at the Democratic convention - does anyone doubt the results would be similar? People in general, no matter political affiliation, are prone to connect to insecure WiFi. How is that even news?
The difference is (Score:1)
Re: (Score:1)
Neither do the Republicans - one of the signature speakers at the RNC was gay after all.
Isn't it better than the Democrats approach which is to treat the gay community like garbage because they assume the gay community will always vote democratic? Nothing like being taken for granted.
At this point the Democrats are by far the worst party to support if you are gay, because after all if you aren't having sex 24/7 you are just like everyone else being screwed over by terrible immigration policy, or the after-
Re: (Score:2)
Re: (Score:2)
Trump doesn't follow the platform, so why should it matter what it says?
I think you are confused and ignorant of what is really going on now.
I'll bet in fact YOU have not read the platform and just believe someone else's lies as to what is really in it.
Re: (Score:2)
You think... well, you would be wrong about your thoughts. I've certainly have not read all of the platform, only some of it, the parts I was referring to. Whoever wins the election, it won't matter much what they personally think or plan to do, the president does not pass laws. So Trump can shoot off his big fat goofy ass mouth all he likes but he won't be able to do much without the backing of Congress.
You really need to read the platform because you should not be confused & ignorant as to what yo
Re: (Score:1)
I'm not sure the R's have those things either, but exactly how few people would have to connect to porn before it didn't get the headline? The number they report is POINT TWO FOUR. That's a quarter of one percent. That means that out of every four hundred that connected, one of them needed to spank one out. Those are shockingly low numbers for people. I bet you won't hear what the Democrats do- even if they only access porn at the same rate as the general public, they'll still blow these Republican num
Re: (Score:2)
It's free internet, most people probably don't even care who's listening...
Re: (Score:2)
Surely they plan to do the same thing at the Democratic convention - does anyone doubt the results would be similar? People in general, no matter political affiliation, are prone to connect to insecure WiFi. How is that even news?
I use free Internet but because unless I am buying something or using account that is attached to my bank account/credit card I don't care. When I want to use them I just use Tor anyway so it doesn't matter anyway. When I had a server i would just use it as a VPN by tunneling all of my traffic over it.
Re: (Score:2)
I seldom connect to any public hotspot. And I never engage in commerce on My phone. But then, I have unlimited data so I really don't need a hotspot.
Re: I look forward to DNC results (Score:2)
At DNC fewer attendees will connect to the "I vote Trump!" network.
Are you joking? (Score:2)
I forget where I read it but I think I remember reading an article some years ago where someone stood up a free Wifi network named something along the lines of "get hacked" and it still had many, many users...
If it's free WiFi people will use it regardless of potential danger, the name is literally nothing.
Re: I look forward to DNC results (Score:1)
I'd expect the same. Their nominee already said she "[doesn't] know how it works digitally at all."
https://m.youtube.com/watch?v=... [youtube.com]
Re: (Score:3)
So devices automatically connected to spoofed names.. how is that 'news' or relevant to the convention? How would anyone really know if you hit a spoofed wifi like xfinity?
The only thing of note here is that everyone should be using vpn if they are using public wifi.
So what if it s fake? check sites that you login to have a valid https cert. if the cert is bad most major browsers will give you repeated warnings not to trust the site. if you are just browsing reddit or slashdot or watching youtube who cares.
Re: (Score:2)
and even Slashdot has switched to https recently (just yesterday noticed it, not so long ago I was still connecting on http)
Re: (Score:1)
The ISP is not publishing their results at this time. Neither are Starbucks or McDonalds. So I disagree with your suggestion that connecting to "real" hotspots vs these "faked" ones is an identical situation.
But I do agree that we would be better off if we all assumed that all Internet traffic should be considered to be "untrusted" and that end to end encryption, including anonymity would make us all a lot safer from profiling and reduce the potential for invasion of privacy (like these guys did).
Only 0.24%? 0.7%? (Score:2)
I'm impressed, I would have put those numbers much higher.
Re: (Score:2)
I'd wager it was Anderson Cooper and Don Lemon.
Hillary and Trump, (Score:2)
Apart from "I vote Trump! free Internet" there is also a "I vote Hillary ! free Internet".
Expectedly...
"Of the people connecting to the fake candidate name Wi-Fi in Cleveland, 70 per cent connected to the Trump-related Wi-Fi, 30 per cent to the Clinton-related Wi-Fi."
Kids these days (Score:5, Interesting)
People use free WiFi without encryption. Not only is this unremarkable, it should not be in any way remarkable. The Internet Protocol and its children, UDP and TCP, were designed from the very beginning with one overriding goal: the intelligence is at the edges. Only the nodes matter. Everything else is just transit. Whether or not Layer 2 is encrypted is irrelevant. Only Layer 6/7 encryption can be trusted.[1] It is equally as safe to use any random wifi hotspot as it is to use your cable modem at home.
Knowing what we know about NSA spying, let me repeat that: it is equally as safe to use any random wifi hotspot as it is to use your cable modem. Historically, the various protocols that were designed to run over TCP/IP and UDP[2] largely assumed that transit would be benign. That's because IMAP and POP and HTTP were designed by engineers who were unaccustomed to designing a world that's proof against flaming assholes. Those days are over.
Now that the whole world uses the Internet, engineers have to design protocols and systems that are proof against flaming assholes. It's no longer optional. Avast saw identity leakage because not all software has come to grips with the new reality. Eventually, when all the software is updated, there will be nothing to report. The grand strength of the design of the Internet will once again make itself felt: upgrade the nodes to use encryption (math is your friend) and transit is just transit, as was and ever shall be. You and I already have the ability to upgrade the nodes under our control to be proof against flaming assholes. Eventually the nodes that Jane and John Q. Public buy will come configured that way out of the box.
We just want our packets routed. The SSID will be totally irrelevant. People who already treat it as if it is aren't wrong. They just need to use a slightly smarter node. Apparently 30% of users already have one.
---
[1] Or possibly you can squeeze it all the way down to Layer 4, if you use Authentication Header and Encapsulating Security Payload. (IPSEC)
[2] Why does no one ever write UDP/IP?
Re: (Score:2)
That's because IMAP and POP and HTTP were designed by engineers who were unaccustomed to designing a world that's proof against flaming assholes.
Actually IMAP was designed by an engineer who was himself a flaming asshole.
Re: (Score:2)
My mail server doesn't even accept imap connections, only imaps. That is one of the measures I took almost without thinking years ago when I set it up. Why even still support unencrypted imap? No good reason for that. The imap port is even closed in the firewall.
When connecting to a hotspot I prefer it to be an encrypted over-the-air connection (WPA-PSK for example), but that is often not available. Starbuck's et.al. don't do that, it's easier to connect without. No password. Just an activation code (hard e
0.24 percent visited pornography (Score:2)
0.24 percent visited pornography
I suppose that sounds more impressive the saying 3 out of over 1200 random people.
And how many of the "GOP delegates" connected to “I vote Hillary! free Internet”?
I run an open wifi (Score:2)
Pineapple (Score:3)
A Pineapple is a home made device using a small router connected to a cellular hotspot. Every computer actually broadcasts the networks it has saved in order to locate one of the networks. The Pineapple sees these probes and instantly becomes that wifi network allowing them to connect without a password. Then all traffic is passed onto the hotspot but at this point the attacker is a man in the middle and can intercept all traffic. Unless the user is using encryption such as SSL, VPN, there is quick a bit of information that can be obtained. Also any zero days could be attempted to hack their device.
Walk through any airport with a Pineapple and you will hit 1,200 people easily. The Pineapple is cooler than setting up multiple phony hotspots because it can fit in your pocket or laptop bag and you can just walk around scooping up connections to investigate.