KeriBlog

Cars, Security & a Peek into my Life

Why Airport WiFi is the Most Hostile Network

I’ve harped on you for years via social media, “stay off airport WiFi, it’s dangerous and even the best guys don’t connect to it”.

When I travelled to Arizona two weeks ago, sitting at the terminal I was like, “okay fine, I have to wipe my phone soon anyway, and should demonstrate why I keep harping”.

I connect to the terminal’s free network.

Using an app on my phone, I scan the network.

1 – there are 573 devices connected to the network

2 – the brand of each device is displayed

3 – I can choose to see what each device is doing

4 – I can pick one device and track it! I assign it the name, “Test”

1 – listed are the IP (like an address) and MAC address (like a serial number) of all connected devices

2 – let’s see what’s happening with THYSSENKRUP-PC

3 – that’s his IP and MAC address, of his Intel PC

4 – the numbers on the left are his ports, and what traffic is going in/out on each  

* – this traveller has his business card taped to his laptop.

The Attack

A business traveller has connected both his phone and laptop, he’s working away. The attacker notes his brand of device, the device’s name, MAC and IP address, and what is happening on which ports.  Added bonus is the business card taped to the laptop.

The attacker does some social media mining, then a week later, the traveller gets a phone call.

“Jimmy hi! Karl from IT here. Look, there’s a bit of a meltdown happening at HQ, sorry but this is urgent, you were at Pearson airport last Tuesday, right?

You’re on a Blackberry, MAC address 00:1F:3B:Bo:D2:D3, and were connected to our Microsoft Exchange server, right?  Yup, look, we have a compromise here, and I’m going to need your access to your laptop…”

***

An elaborate example, because really, someone skilled now has enough information to breach Jimmy’s system, with neither the laptop lid business card, or a phone call.

The Defence

Use your phone (via USB, not Bluetooth) to connect to the internet.  Reduce the attack surface.

The Better Defence

Just don’t.

If you must, avoid entering any passwords, and certainly no banking or credit card numbers.

(see also: Protecting your Phone in an Uncertain Environment)

 

Cleaned up a Compromise

Took all day. It was a big one this round: 3 computers, 2 phones, and I had to completely replace my router.

Another breach. All this security nonsense I blog is not without consequence.

Files go missing, my calendar is altered, a 4-star American General friends me on an unpublished Skype account, a fake POF account created to an email I haven’t posted online, my webcam turns on by itself, I am terrified of March 19th. That’s not even the highlight reel.

It frequently bleeds into my real life, too… my credit card has been compromised so often, the bank no longer blinks. I haven’t banked online since 2008. The mail I receive is wacked. Ever wonder why you no longer see me wearing a Bluetooth headset? And what’s the thing about Bluetooth? That its range is 30 feet. Think that through.

For sure I’m more organized and prepared for this than you, and still, to clean up took 9 hours focused like a laser beam.

What’s your plan is this happens to you,
what’s your disaster strategy?

Where are your backup(s) located? Copy of your passwords? Your contacts? Time is of the essence in these situations, can’t be looking around, hunting and gathering files. Your palms will be sweaty, and your mind scattered, scared, and prone to making mistakes. Prepare and practice your strategy.

And despite all those hours, that doesn’t include re-building my phone. Right now, the only way you can reach me, is if you have my phone number.

I am living your nightmares. Please go change your passwords, so it’s not for not.

This is a good password: (jO&X[NG}a[1rL];@jBmc@Ij$ TTY Monday.

 

 

My First Data Block

What Happened – using my mobile blog app, I hit publish on a blog post, and it failed to upload.

Fine, I’ll post from my laptop then.

Tethered my phone > opened a new browser > this page is there:

  1. an alert: you have exceeded your monthly data plan by $50, you’re now denied access to all data
  2. to restore data, text TELUS “Yes”, you understand, and agree, to additional data costs
  3. or instead of text, call. Which I did, because I’m not clicking on something so odd

And it’s TELUS, so I got back an educated, helpful answer:

To avoid bill shock, the CRTC has set a cap on additional phone charges. Once the cap is reached, the data connection is shut off unless the consumer actively agrees to spend more.

Caps are: $50 data – $100 phone calls

That feeling, when I had no data: gah

All my accounts out there, all logged in, alone and unattended.

To get online I’d have to leave the house, and even then it wouldn’t be on my phone, my usual tool, where all my information is… find a computer, import contacts, good thing I have a copy of my contacts… do you… here’s how to properly backup.

A giant wave of “how will I run my life tomorrow, if I can’t use my phone?”.

I wouldn’t be able to. Gah.

 

 

This is a Working EMP Device

Photo: eV2

EMP – ElectroMagnetic Pulse

EMPs (electromagnetic pulses) are often featured in movies – characters in The Matrix: Revolutions used them to defend against the sentinels, and do you remember Ocean’s Eleven? In that movie, a character is seen pulling into a parking lot in a white panel van that’s holding a giant machine, which he powers up and uses to knock out the power to the casino a block away. That’s an EMP attack.

Very basically, the targeted car is blasted with high-power radio frequencies and microwave waves, confusing the electronics system until the engine just gives up and shuts down. – Autonet.ca

That’s newspaper writing, in blog writing:

Radio Frequencies (RF) are pulsed at the car, which just melts the electronics like, you don’t bounce right back from an EMP attack.

Neat eh, movie-kinda stuff indeed.

Until UK company eV2 built the one above, and demonstrated its device to the BBC on an unused airport runway.

It was touted in the press as:
the device that would end car chases

Wrote about it at work, here.