How do you tell a major corporation they have open wifi access safely?

Viewing 15 reply threads
    • #4036
      Dav_Id
      Participant

      Hi All,

      I have lurked for a while hoping to find the answer.

      Here’s the thing. I have stumbled onto an open wifi access point via my phone  😉 and it gave me an IP address!

      The question is how to tell the corporation, which is actually a retail store, that they have an open wireless network without:

      a. Getting someone who knows what I’m talking about.

      b. Getting someone who will not get me arrested - I visit the store a lot; hey, you gotta eat, right!

      c. Do I advise the PCI DSS that they have an open point? Maybe they could be the first one to actually be fined 😛

      I have tracked down the IT Director’s email address and he is not responding to my emails – well, why would he!

      Thanks Guys!

      Dav

    • #25695
      elcapitan
      Participant

      “Open” like you can access their internal protected network after receiving an IP address?

      Unless you have performed some recon to determine what you can actually touch, this might be a non-issue to them.

      At the same time, depending on your local laws, this recon activity may get you in trouble.

    • #25696
      Dav_Id
      Participant

      Hi,

      Thanks for the reply.

      It gives an IP address on their internal network.

      A laptop gets given an IP address and ‘network places’ is full of computers, some with names ending PDC – I wonder what they might be  ;).

      I have not gone any further; if Microsoft is ‘given’ these details, I have not actively searched for them. (Grey area in the eyes of the law maybe?)

      I understand the legal implications but want to let them know that a more ‘inquisitive’ person may go further.

      Do you see my predicament?

      Any ideas anyone??

      Dav

    • #25697
      KamiCrazy
      Participant

      What sort of retail store is it?

      If it is a coffee shop for instance, it might be open on purpose for customer use… It’s a bit too vague for me to make a judgement call.

    • #25698
      UNIX
      Participant

      The easiest way would be to notify them anonymously. This would pose minimal risk to you, but at the same time it would also limit your actions (e.g. discussing the problems you found).

      Another possibility would be to drop a mail to the responsible persons, telling them that you have found a vulnerability by accident. The responsible persons should contact you, and then you give them further details about the problem. If you tell them everything right away they may feel “overrun”. It is important to speak with the responsible persons and not with the amanuensis or other third persons. As you wrote that they are ignoring your mails, you could try to write it in a letter.

      If you get asked for further details you should be cooperative. If they ask for a PoC you should only do it after you have got written permission from them. Maybe it would also be a good idea to stress that you found this by accident, that you were not trying to get access on purpose, and that you are now concerned about this.

      I know of some similar “problems” where people were in the same situation as you. The results could range from some kind of nice “thank you” up to getting sued by the company.
      What you will do has to be decided by yourself – if it is too risky for you, just do it anonymously.

    • #25699
      Dav_Id
      Participant

      @KamiCrazy wrote:

      What sort of retail store is it?

      If it is a coffee shop for instance, it might be open on purpose for customer use… It’s a bit too vague for me to make a judgement call.

      Hi,

      It is LARGE. Google says it has a turnover of 12.5 billion pounds and has over 350 stores, somewhat on the big side I would say!

      By the way no internet access once you join the network. So I would guess not for public consumption.

      Dav

    • #25700
      Dav_Id
      Participant

      @awesec wrote:

      The easiest way would be to notify them anonymously. This would pose minimal risk to you, but at the same time it would also limit your actions (e.g. discussing the problems you found).

      Another possibility would be to drop a mail to the responsible persons, telling them that you have found a vulnerability by accident. The responsible persons should contact you, and then you give them further details about the problem. If you tell them everything right away they may feel “overrun”. It is important to speak with the responsible persons and not with the amanuensis or other third persons. As you wrote that they are ignoring your mails, you could try to write it in a letter.

      If you get asked for further details you should be cooperative. If they ask for a PoC you should only do it after you have got written permission from them. Maybe it would also be a good idea to stress that you found this by accident, that you were not trying to get access on purpose, and that you are now concerned about this.

      I know of some similar “problems” where people were in the same situation as you. The results could range from some kind of nice “thank you” up to getting sued by the company.
      What you will do has to be decided by yourself – if it is too risky for you, just do it anonymously.

      Hi Awesec,

      I value your feedback.

      I have tried the following to email anonymously; I think MessageLabs eats it!

      I have also tried adding the IT director as a friend on LinkedIn, under my pseudonym of course - no luck.

      I tried asking for his direct dial number so that I could leave a message out of hours to be anonymous (no chance of a caller ID slip-up - also thought of my iMac reading it out via speech, but that is just too Hollywood cheesy  ;D ) - not giving out direct dial numbers!

      It looks as if it would have to be snail mail with a link to an email address for more info.

      Very frustrating, as I am being very ethical and just trying to help!

      Life of Brian: There’s no pleasing some people.

      I will keep you posted.

      Dav

    • #25701
      unsupported
      Participant

      Ignore it and move on.  It is not your responsibility.  While you are being a nice guy in trying to tell management, it is beyond your responsibility.

      Now, I’ll indulge you for a minute.  If you decide to send a letter, make sure it is certified so you know if/when they get it.

      Blowing the PCI DSS whistle may not be enough, because for PCI DSS you only need to encrypt any traffic which touches credit card data.

      And time for the reality check.  You are one step above some kid with a new laptop who wants to war drive in his neighborhood to sell his services as a “security professional” by locking down wireless routers.

      And last but not least, you did not obtain permission to access their network.  As mentioned, depending on where you are, simply obtaining an IP and browsing the network is an illegal act.  You’ve admitted to doing this twice.  Once on your phone and once on a laptop.  You also have tried to use the network’s internet.  The internet may have a proxy.  Leading me to believe that you are not familiar with the concepts of networking or security beyond “Let’s try to connect to open APs”.

      Doing something ethically means not breaking laws, having permission, and signed contracts limiting your liability. You say you are being ethical; since you like movie quotes, “You keep using that word. I do not think it means what you think it means.” – The Princess Bride.

    • #25702
      KamiCrazy
      Participant

      If it is such a big organisation I would be inclined to agree with just ignoring the problem.

      It’s not your issue and you don’t have any real rights to push the issue.

      If it was a relatively small or medium sized business then you could approach the stakeholders and speak with them without a huge risk on your part, but since you are dealing with a large corp it isn’t really worth your trouble.

    • #25703
      UNIX
      Participant

      Although I have posted something different, I would also recommend adhering to unsupported’s advice as it seems more equitable. Hadn’t thought of the “it’s none of your business” thing.

    • #25704
      Anonymous
      Participant

      From the sounds of it, you’ve attempted to contact them anonymously a few times with no success.  At that point, I would agree with other posters here and just forget about it.  You’ve done your part and informed them.  If they don’t want to listen, it’s their fault and they will likely see the error in their ways sooner or later.  Just know that you’ve done the right thing and be happy with that.

    • #25705
      Dav_Id
      Participant

      I just wanted to say a big thank you to you all for your posts.

      I actually wrote the letter yesterday, but did not send it. It is still on my desk.

      My ‘Ethics’ are based on honesty and integrity.

      You are correct in saying if they do not want to listen – it is their problem.

      I just feel that if someone took the time to sit down and hack it they may be able to sniff the data between the petrol station and the main store and capture customer data. (I have now spotted the 2 Cisco wifi antennas bridging the two sites.) Or Nessus scan the network, break in etc. and walk the network from there.

      Ok. The letter is now trashed. I gave it to the dog; he is the best shredder I ever bought, organic too  😉

      In the words of Paul McGee I will S.U.M.O. (Shut Up and Move On)

      Cheers!

      Dav

    • #25706
      ants
      Participant

      Hi Dav_Id,
      I don’t think what you have done is necessarily unethical in a philosophic sense (I don’t think that obeying the law and being ethical are always mutually inclusive), but it is rather against the Code of Ethical Hackers.

      I think that it would be best to inform them but I think that you would be lucky to be able to find somebody from the company who cares enough.  But if their internal network is exposed, I’d refrain from using my credit card there – just to be sure.

      This is just my opinion…

      Ants

    • #25707
      Dav_Id
      Participant

      @Ants wrote:

      Hi Dav_Id,
      I don’t think what you have done is necessarily unethical in a philosophic sense (I don’t think that obeying the law and being ethical are always mutually inclusive), but it is rather against the Code of Ethical Hackers.

      I think that it would be best to inform them but I think that you would be lucky to be able to find somebody from the company who cares enough.  But if their internal network is exposed, I’d refrain from using my credit card there – just to be sure.

      This is just my opinion…

      Ants

      Hi Ants,

      I only use cash at that store. Although, saying that, a skimming ‘device’ was found at the ATM outside the store back in March, so what you gonna do  🙂

      Dav

    • #25708
      unsupported
      Participant

      Ok, now that this is all settled, welcome to EH-Net.  Sorry if I was sounding too harsh.  I was just trying to prove a few points.  It is nice to see the spark of security minded computer people.  You are more than welcome to stick around, learn a few things, and ask as many questions as you want.

      I know I did not want you going down the wrong path in regards to security.  Information security is not as much of the wild west as it once was.

    • #25709
      Dav_Id
      Participant

      @unsupported wrote:

      Ok, now that this is all settled, welcome to EH-Net.  Sorry if I was sounding too harsh.  I was just trying to prove a few points.  It is nice to see the spark of security minded computer people.  You are more than welcome to stick around, learn a few things, and ask as many questions as you want.

      I know I did not want you going down the wrong path in regards to security.  Information security is not as much of the wild west as it once was.

      Hi Unsupported,

      Not at all.

      I just think it is crap that a large company, with responsibilities to shareholders etc. etc., has such a lax attitude to security. Anyway, SUMO.

      Always happy to learn !

      Dav


Copyright ©2021 Caendra, Inc.
