
How do you tell a major corporation they have open wifi access safely?

Dav_Id

Newbie

Posts: 12

Joined: Fri Jul 17, 2009 1:27 pm

Post Sat Jul 18, 2009 5:30 am

How do you tell a major corporation they have open wifi access safely?

Hi All,

I have lurked for a while hoping to find the answer.

Here's the thing. I have stumbled onto an open wifi access point via my phone  ;) and it gave me an IP address!

The question is how to tell the corporation, which is actually a retail store, that they have an open wireless network without:

a. Getting someone who knows what I'm talking about.

b. Getting someone that will not get me arrested - I visit the store a lot, hey you gotta eat right!

c. Do I advise the PCI DSS that they have an open point? Maybe they could be the first one to actually be fined :P

I have tracked down the IT Director's email address and he is not responding to my emails - well why would he!

Thanks Guys!

Dav
elcapitan

Newbie

Posts: 28

Joined: Mon Apr 28, 2008 10:16 am

Post Sun Jul 19, 2009 9:16 pm

Re: How do you tell a major corporation they have open wifi access safely?

"Open" like you can access their internal protected network after receiving an IP address?

Unless you have performed some recon to determine what you can actually touch, this might be a non-issue to them.

At the same time, depending on your local laws, this recon activity may get you in trouble.
CISSP, Security+, CEH, OPP, et alii
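A concrete way to pin down what "open" means at the link layer, as an added example that is not code from any poster in this thread: the script below parses raw 802.11 beacon frames and reports whether an SSID advertises no encryption at all (Privacy bit clear, no RSN or WPA information element), WEP, WPA or WPA2, together with the ciphers and key management the RSN element names. It is written for someone auditing beacons they are authorised to capture, e.g. an operator checking their own estate. The sample frames, the SSID strings and the BSSID are constructed for the example, not captured from any network. It answers only the first half of elcapitan's question (is the radio link unencrypted?); whether an open SSID lands a client on a segregated guest VLAN or on the internal LAN is visible only from what DHCP and the network behind it hand out.

```python
"""Classify 802.11 beacon frames by the link-layer security they advertise.

Frames are parsed raw (no radiotap header). All sample data below is
constructed for this example.
"""
import struct

TAG_SSID, TAG_RSN, TAG_VENDOR = 0, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1: pre-RSN WPA IE
RSN_OUI = b"\x00\x0f\xac"
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}
CAP_PRIVACY = 0x0010                 # capability field: Privacy bit
HDR_LEN = 24                         # FC, duration, 3 addresses, sequence control
FIXED_LEN = 12                       # timestamp(8) + beacon interval(2) + capability(2)


def parse_tags(buf):
    """Yield (id, body) per tagged parameter; stop at the first truncated tag."""
    off = 0
    while off + 2 <= len(buf):
        tid, tlen = buf[off], buf[off + 1]
        body = buf[off + 2:off + 2 + tlen]
        if len(body) < tlen:
            break
        yield tid, body
        off += 2 + tlen


def _suite(body, off, table):
    sel = body[off:off + 4]
    if len(sel) < 4:
        raise ValueError("truncated suite selector")
    if sel[:3] != RSN_OUI:
        return "vendor-" + sel.hex()
    return table.get(sel[3], "unknown-%d" % sel[3])


def _suite_list(body, off, table):
    if off + 2 > len(body):          # list omitted: spec defaults apply, not modelled here
        return [], off
    count, = struct.unpack_from("<H", body, off)
    off += 2
    out = []
    for _ in range(count):
        out.append(_suite(body, off, table))
        off += 4
    return out, off


def parse_rsn(body):
    """Decode an RSN IE (WPA2): group cipher, pairwise ciphers, AKM suites."""
    if len(body) < 6:
        raise ValueError("short RSN IE")
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = _suite(body, 2, CIPHER_NAMES)
    pairwise, off = _suite_list(body, 6, CIPHER_NAMES)
    akm, _ = _suite_list(body, off, AKM_NAMES)
    return {"group": group, "pairwise": pairwise, "akm": akm}


def classify_beacon(frame):
    """Return the SSID and the strongest security the beacon advertises."""
    if len(frame) < HDR_LEN + FIXED_LEN:
        raise ValueError("frame too short for a beacon")
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc & 0x00FC) != 0x0080:      # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    cap, = struct.unpack_from("<H", frame, HDR_LEN + 10)
    ssid, rsn, wpa = b"", None, False
    for tid, body in parse_tags(frame[HDR_LEN + FIXED_LEN:]):
        if tid == TAG_SSID:
            ssid = body
        elif tid == TAG_RSN:
            rsn = parse_rsn(body)
        elif tid == TAG_VENDOR and body[:4] == WPA_OUI_TYPE:
            wpa = True
    privacy = bool(cap & CAP_PRIVACY)
    # RSN or WPA IE outranks the Privacy bit; Privacy bit alone means WEP.
    security = "WPA2" if rsn else "WPA" if wpa else "WEP" if privacy else "OPEN"
    name = ssid.decode("utf-8", "replace") if ssid.strip(b"\x00") else "<hidden>"
    return {"ssid": name, "security": security,
            "ciphers": rsn["pairwise"] if rsn else [],
            "akm": rsn["akm"] if rsn else []}


def open_networks(frames):
    """Distinct SSIDs that advertise no encryption at all."""
    results = [classify_beacon(f) for f in frames]
    return sorted({r["ssid"] for r in results if r["security"] == "OPEN"})


def build_beacon(ssid, privacy=False, tags=()):
    """Construct a minimal beacon frame (example data, not a capture)."""
    bssid = b"\x02\x00\x00\x00\x00\x01"                        # locally administered, made up
    hdr = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)             # ESS bit always set
    fixed = struct.pack("<QHH", 0, 100, cap)
    body = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    for tid, data in tags:
        body += bytes([tid, len(data)]) + data
    return hdr + fixed + body


RSN_WPA2_PSK_CCMP = (b"\x01\x00" + RSN_OUI + b"\x04"           # version 1, group CCMP
                     + b"\x01\x00" + RSN_OUI + b"\x04"         # one pairwise cipher: CCMP
                     + b"\x01\x00" + RSN_OUI + b"\x02"         # one AKM: PSK
                     + b"\x00\x00")                            # RSN capabilities

SAMPLE_BEACONS = {                                             # constructed, SSIDs are assumptions
    "open": build_beacon("STORE-WLAN"),
    "wep": build_beacon("STORE-WLAN", privacy=True),
    "wpa": build_beacon("STORE-GUEST", privacy=True,
                        tags=[(TAG_VENDOR, WPA_OUI_TYPE + b"\x01\x00")]),
    "wpa2": build_beacon("STORE-POS", privacy=True, tags=[(TAG_RSN, RSN_WPA2_PSK_CCMP)]),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_BEACONS.items():
        print(name, classify_beacon(frame))
    print("open:", open_networks(SAMPLE_BEACONS.values()))
```

To run it against real traffic you would feed it the 802.11 payload of each beacon from a monitor-mode capture, after stripping the radiotap header. One caveat the truncated-tag handling makes visible: a beacon cut short before its RSN element degrades to "WEP" rather than failing, so a partial capture can under-report the security of a network; treat a surprising downgrade as a prompt to recapture, not as a finding.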
Dav_Id

Newbie

Posts: 12

Joined: Fri Jul 17, 2009 1:27 pm

Post Mon Jul 20, 2009 12:51 am

Re: How do you tell a major corporation they have open wifi access safely?

Hi,

Thanks for the reply.

It gives an IP address on their internal network.

A laptop gets given an IP address and 'network places' is full of computers, some with names ending PDC - I wonder what they might be ;).

I have not gone any further, as if Microsoft is 'given' these details I have not actively searched for them. (Grey area in the eyes of the law maybe?)

I understand the legal implications but want to let them know that a more 'inquisitive' person may go further.

Do you see my predicament?

Any ideas anyone??

Dav
KamiCrazy

Jr. Member

Posts: 78

Joined: Wed Jun 17, 2009 8:40 pm

Post Mon Jul 20, 2009 3:25 am

Re: How do you tell a major corporation they have open wifi access safely?

What sort of retail store is it?

If it is a coffee shop for instance, it might be open on purpose for customer use... It's a bit too vague for me to make a judgement call.
UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Mon Jul 20, 2009 6:03 am

Re: How do you tell a major corporation they have open wifi access safely?

The easiest way would be by notifying them anonymously. This would pose minimal risk to you, but at the same time it would also limit your actions (e.g. discussing the found problems).

Another possibility would be to drop a mail to the responsible persons, telling them that you have found a vulnerability by accident. The responsible persons should contact you and then you give them further details about the problem. If you tell them everything right away they may feel "overrun". It is important to speak with the responsible persons and not with the amanuensis or other third persons. As you wrote that they are ignoring your mails, you could try to write it in a letter.

If you get asked for further details you should be cooperative. If they ask for a PoC you should only do it after you have got written permission from them. Maybe it would also be a good idea to stress that you found this by accident, that you were not trying to get access on purpose, and that you are now concerned about this.

I know of some similar "problems" where people were in the same situation as you. The results could range from some kind of nice "thank you" up to getting sued by the company.
What you will do has to be decided by yourself; if it is too risky for you, just do it anonymously.
Dav_Id

Newbie

Posts: 12

Joined: Fri Jul 17, 2009 1:27 pm

Post Mon Jul 20, 2009 7:05 am

Re: How do you tell a major corporation they have open wifi access safely?

KamiCrazy wrote:What sort of retail store is it?

If it is a coffee shop for instance, it might be open on purpose for customer use... It's a bit too vague for me to make a judgement call.


Hi,

It is LARGE. Google says it has a turnover of 12.5 billion pounds and has over 350 stores, somewhat a bit on the big side I would say!

By the way no internet access once you join the network. So I would guess not for public consumption.

Dav
Dav_Id

Newbie

Posts: 12

Joined: Fri Jul 17, 2009 1:27 pm

Post Mon Jul 20, 2009 8:14 am

Re: How do you tell a major corporation they have open wifi access safely?

awesec wrote:The easiest way would be by notifying them anonymously. This would pose minimal risk to you, but at the same time it would also limit your actions (e.g. discussing the found problems).

Another possibility would be to drop a mail to the responsible persons, telling them that you have found a vulnerability by accident. The responsible persons should contact you and then you give them further details about the problem. If you tell them everything right away they may feel "overrun". It is important to speak with the responsible persons and not with the amanuensis or other third persons. As you wrote that they are ignoring your mails, you could try to write it in a letter.

If you get asked for further details you should be cooperative. If they ask for a PoC you should only do it after you have got written permission from them. Maybe it would also be a good idea to stress that you found this by accident, that you were not trying to get access on purpose, and that you are now concerned about this.

I know of some similar "problems" where people were in the same situation as you. The results could range from some kind of nice "thank you" up to getting sued by the company.
What you will do has to be decided by yourself; if it is too risky for you, just do it anonymously.


Hi Awesec,

I value your feedback.

I have tried the following to email anonymously; I think MessageLabs eats it!

I have also tried adding the IT Director as a friend on LinkedIn, under my pseudonym of course. No luck.

I tried asking for his direct dial number so that I could leave a message out of hours to be anonymous (no chance of a caller ID slip-up - I also thought of my iMac reading it out via speech, but that is just too Hollywood cheesy ;D ). Not giving out direct dial numbers!

It looks as if it would have to be snail mail with a link to an email address for more info.

Very frustrating, as I am being very ethical and just trying to help!

Life of Brian: There's no pleasing some people.

I will keep you posted.

Dav
unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Mon Jul 20, 2009 10:05 am

Re: How do you tell a major corporation they have open wifi access safely?

Ignore it and move on. It is not your responsibility. While you are being a nice guy in trying to tell management, it is beyond your responsibility.

Now, I'll indulge you for a minute. If you decide to send a letter, make sure it is certified so you know if/when they get it.

Blowing the PCI DSS whistle may not be enough, because for PCI DSS you only need to encrypt any traffic which touches credit card data.

And time for the reality check. You are one step above some kid with a new laptop who wants to war drive in his neighborhood to sell his services as a "security professional" by locking down wireless routers.

And last but not least, you did not obtain permission to access their network. As mentioned, depending on where you are, simply obtaining an IP and browsing the network is an illegal act. You've admitted to doing this twice: once on your phone and once on a laptop. You also have tried to use the network's internet. The internet may have a proxy. Leading me to believe that you are not familiar with the concepts of networking or security beyond "Let's try to connect to open APs".

Doing something ethically means not breaking laws, having permission, and signed contracts limiting your liability. You say you are being ethical; since you like movie quotes, "You keep using that word. I do not think it means what you think it means." - The Princess Bride.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
KamiCrazy

Jr. Member

Posts: 78

Joined: Wed Jun 17, 2009 8:40 pm

Post Mon Jul 20, 2009 4:44 pm

Re: How do you tell a major corporation they have open wifi access safely?

If it is such a big organisation I would be inclined to agree with just ignoring the problem.

It's not your issue and you don't have any real rights to push the issue.

If it was a relatively small or medium sized business then you could approach the stakeholders and speak with them without a huge risk on your part, but since you are dealing with a large corp it isn't really worth your trouble.
UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Jul 21, 2009 12:16 am

Re: How do you tell a major corporation they have open wifi access safely?

Although I have posted something different, I would also recommend adhering to unsupported's advice as it seems more equitable. I hadn't thought of the "it's none of your business" thing.
Laz3r

Post Tue Jul 21, 2009 12:40 am

Re: How do you tell a major corporation they have open wifi access safely?

From the sounds of it, you've attempted to contact them anonymously a few times with no success. At that point, I would agree with other posters here and just forget about it. You've done your part and informed them. If they don't want to listen, it's their fault and they will likely see the error in their ways sooner or later. Just know that you've done the right thing and be happy with that.
Dav_Id

Newbie

Posts: 12

Joined: Fri Jul 17, 2009 1:27 pm

Post Tue Jul 21, 2009 3:00 am

Re: How do you tell a major corporation they have open wifi access safely?

I just wanted to say a big thank you to you all for your posts.

I actually wrote the letter yesterday, but did not send it. It is still on my desk.

My 'Ethics' are based on honesty and integrity.

You are correct in saying if they do not want to listen - it is their problem.

I just feel that if someone took the time to sit down and hack it they may be able to sniff the data between the petrol station and the main store and capture customer data. (I have now spotted the 2 Cisco wifi antennas bridging the two sites.) Or Nessus scan the network, break in etc. and walk the network from there.

Ok. The letter is now trashed. I gave it to the dog; he is the best shredder I ever bought, organic too ;)

In the words of Paul McGee I will S.U.M.O (Shut Up and Move On)

Cheers!

Dav
ants

Newbie

Posts: 25

Joined: Sun Mar 15, 2009 8:51 am

Location: Ireland

Post Tue Jul 21, 2009 4:00 am

Re: How do you tell a major corporation they have open wifi access safely?

Hi Dav_Id,
I don't think what you have done is necessarily unethical in a philosophical sense (I don't think that obeying the law and being ethical are always mutually inclusive), but it is rather against the Code of Ethical Hackers.

I think that it would be best to inform them but I think that you would be lucky to be able to find somebody from the company who cares enough.  But if their internal network is exposed, I'd refrain from using my credit card there - just to be sure.

This is just my opinion...

Ants
CEH, GPEN, GCFW
Dav_Id

Newbie

Posts: 12

Joined: Fri Jul 17, 2009 1:27 pm

Post Tue Jul 21, 2009 5:36 am

Re: How do you tell a major corporation they have open wifi access safely?

Ants wrote:Hi Dav_Id,
I don't think what you have done is necessarily unethical in a philosophical sense (I don't think that obeying the law and being ethical are always mutually inclusive), but it is rather against the Code of Ethical Hackers.

I think that it would be best to inform them but I think that you would be lucky to be able to find somebody from the company who cares enough.  But if their internal network is exposed, I'd refrain from using my credit card there - just to be sure.

This is just my opinion...

Ants

Hi Ants,

I only use cash at that store. Although, saying that, a skimming 'device' was found at the ATM outside the store back in March, so what you gonna do :)

Dav
unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Tue Jul 21, 2009 7:41 am

Re: How do you tell a major corporation they have open wifi access safely?

Ok, now that this is all settled, welcome to EH-Net. Sorry if I was sounding too harsh. I was just trying to prove a few points. It is nice to see the spark of security minded computer people. You are more than welcome to stick around, learn a few things, and ask as many questions as you want.

I know I did not want you going down the wrong path in regards to security. Information security is not as much of the wild west as it once was.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP