As part of the SANS2009 conference, there are a variety of additional talks that add value to a number of the courses that SANS offers.  Tonight Joshua Wright of InGuardians presented a one hour talk on "Privacy Loss in a Pervasive Wireless World".  This talk was not on the traditional topic of securing your wireless access point, but instead focused on bringing to light privacy risks that may not be obvious at first glance.  Wright's overall theme was that there are many areas of  life where we as a society have risked giving up privacy and anonymity in exchange for convenience. 

Many of the areas that Wright pointed out focused around technologies that are taken for granted without much thought.  A primary example of such a technology was Wright's discussion of preferred network lists.   The first example was of an individual who had used his laptop in Vegas at a number of different areas.  By watching the networks that the individual tried to automatically connect to, we were able to discover that the person had a wild Vegas vacation.  With the list of networks that the individual tried to connect to, using tools readily available on the web, we were also able to pinpoint the location of the owners house based on the name of the person's home AP SSID. 

Wright continued on to discuss vulnerabilities with wireless peripherals, pointing out that the security risks of using wireless peripherals may not be at the foremost of the buyers mind.  Wright discusses the risks involved with these devices including the ability to sniff the communications between these peripherals and the computer.  With development work being done by others to create a portable wireless, the risk of these types of passive attacks seems to be rising.

The final examples focused on wireless technologies which make use of unique identifiers.  Whether it is a bluetooth device, the Nike + iPod sports kit, or a toothbrush, devices which broadcast unique identifiers could compromise a persons anonymity.  Wright makes the case that by deploying wireless sensors, these types of devices could be used to facilitate tracking, stalking, or profiling an individual.  In some cases, once a device has been profiled, it may be possible to inject data into an unsecured device.  While that may not inspire fear when an individual is tracking which teeth need additional brushing attention, being able to inject packets into bluetooth point-of-sale devices or a cell phone does have significant risk depending on the payload.  Tracking these types of devices may provide additional benefit, such as a sales person greeting you by name as you enter a store.  With no restrictions being put on how this information is used however, there is no reason why it couldn't be used to profile an individuals personal risk in many facets of life, and then be used in assessing insurance rates, employability, or credit risk.

This talk had a lot of great examples, many of which I hadn't considered in the past.  As technology progresses and security and regulations lags behind the cutting edge, these are issues that need to be brought to light for consideration.  If you have a chance to check out this presentation in the future, I'd definitely recommend it. On your way out of the talk, you'll be double checking your gadgets to make sure they aren't broadcasting.