homepage Welcome to WebmasterWorld Guest from 54.197.110.151
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
Forum Library, Charter, Moderators: phranque

Website Technology Issues Forum

    
Largest Wifi Hacking Bust Ever In San Jose
40 million credit and debit cards compromised
incrediBILL

WebmasterWorld Administrator incredibill us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 3716320 posted 6:48 am on Aug 6, 2008 (gmt 0)

The Department of Justice announced Tuesday that 11 people allegedly involved in the hacking of nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card number have been charged.

[nbc11.com...]

Just last week I started a thread about insecure Wifi and MITM (main in the middle) attacks [webmasterworld.com] and sure enough a major bust happens from people exploiting those very same wifi networks.

The indictment alleges that the people charged hacked into the wireless computer networks of major retailers including TJX Cos, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

If all these major corporations can't secure their wifi then what are the odds your communications at any wifi hotspot are secure?

 

cmendla

10+ Year Member



 
Msg#: 3716320 posted 12:20 pm on Aug 6, 2008 (gmt 0)

When travelling, I tend to treat public wifi the same as public restrooms.

- Use it only in a DIRE emergency
- Touch as little as possible
- get out as quick as possible.
- Change passwords/wash hands thoroughly
- hope for the best.

The 60 bucks a month I spend on my cellular aircard is well worth it in terms of peace of mind.

cg

pageoneresults

WebmasterWorld Senior Member pageoneresults us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3716320 posted 12:26 pm on Aug 6, 2008 (gmt 0)

If all these major corporations can't secure their wifi then what are the odds your communications at any wifi hotspot are secure?

But wait! I'm confused. In that other MITM topic, there was a poster (infp [webmasterworld.com]) that heartily disagreed with your findings. But yet this particular story negates what that poster stated?

I read that article and it gives me more ammunition to Ban 75% of the Planet [webmasterworld.com] in 2009 January!

SEOMike

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3716320 posted 1:49 pm on Aug 6, 2008 (gmt 0)

I have a great little hardware firewall made by a company called Yoggie. It's a small USB device that is a self contained computer with it's own processor and Linux OS. When I was at SMX Advanced in Seattle I was amazed at how many attempts were made to access my computer while sitting in a session. There were over 400 attempts recorded within the first few minutes of turning it on.

It's amazing how many places have unsecured wireless access. A lot of smaller companies will often just have WEP encryption which is very easily broken. There used to be something called the worldwide wardrive and people would go out and drive around to sniff out wireless networks and list their level of security. It was amazing to see how many businesses had open wireless networks.

I was watching a show a few months back and it was talking about coffee shop wireless networks. The guy they were interviewing had a sweet Mac laptop and the software he was using was allowing him to capture all the traffic from users on the wireless. He could capture their passwords and watch their internet traffic (even HTTPS) just like it was him that was surfing. No firewall can protect you from that!

grelmar

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3716320 posted 1:56 pm on Aug 6, 2008 (gmt 0)

It amazes me how poor some corporations are at securing their WiFi, and the type of information they let fly over their WiFi networks.

Rather than run RJ45 at 50cents a meter, they hook their smart "Point of Sale" tills to their central network over WiFi (a bad security decision, regardless of setup). To make the system more reliable, they install signal boosters.

I can think of a couple of cafes in town where the pay-for-access WiFi of the cafe is drowned out by the signal of a nearby business. Which is fine, because in the two cases I can think of off hand, those business WiFi networks are totally unsecured, so I can just tap into them to surf the web. They even have convenient, easy to spot network names like "XYZ-DrugMart POS Network."

The problem in the cases mentioned in this article is, essentially, that the WiFi networks weren't properly secured in the first place. They made it all too easy for the hackers to sniff.

I'm less worried about the security of my data when I'm using public WiFi. What worries me is the security of my credit card info when I buy something at a place that uses WiFi to connect their POS system together. There are just far too many lazy network admins out there.

grelmar

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3716320 posted 2:01 pm on Aug 6, 2008 (gmt 0)

Oh! And before anyone suggests I let the stores know their networks are insecure:

The last time I tried that, the manager of the store had security lock me in a room and called the cops, and it was a week before I got my laptop back.

Lts95

10+ Year Member



 
Msg#: 3716320 posted 2:21 pm on Aug 6, 2008 (gmt 0)

The last time I tried that, the manager of the store had security lock me in a room and called the cops, and it was a week before I got my laptop back.

Good thing you don't hold a grudge. I'm sure your local news would have loved to show someone sitting outside a popular store pulling other peoples data out of the air.

Webwork

WebmasterWorld Administrator webwork us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3716320 posted 2:55 pm on Aug 6, 2008 (gmt 0)

Let's see . . Privacy/Identity Protection/Guard service for 30 million people for at least 2+ years . . 30,000,000 x $200.00+ = $6,000,000,000.+/- . . I smell class-action lawsuit.

I never would have thought that this type of personal data was being passed around via the airwaves.

pageoneresults

WebmasterWorld Senior Member pageoneresults us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3716320 posted 3:03 pm on Aug 6, 2008 (gmt 0)

I never would have thought that this type of personal data was being passed around via the airwaves.

Me neither! I'm glad I had an ultra-geeky type person install all my network stuff back then. He explained to me that I should stay away from anything public, not safe at all. I didn't understand the warning back then but, I surely understand it now.

I too have one of those little modem thingies. How secure are those? I've only used it once or twice. I bought it for emergency purposes. I'm rarely away from the core systems. ;)

goodroi

WebmasterWorld Administrator goodroi us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



 
Msg#: 3716320 posted 3:20 pm on Aug 6, 2008 (gmt 0)

Seems like you might be able to make a case for e-commerce being safer than visiting certain brick and mortar stores.

ogletree

WebmasterWorld Senior Member ogletree us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3716320 posted 4:23 pm on Aug 6, 2008 (gmt 0)

goodroi is right. I feel safer online than I do at a store. Problem is most IT people are apathetic and inexperienced. I used to work in IT and fact was not held in high regard. Everybody spoke in generalizations. They made decisions on information they never checked out. Most don't bother to learn how systems actually work. They just know how to pull up a control panel and hit some buttons.

incrediBILL

WebmasterWorld Administrator incredibill us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 3716320 posted 5:49 pm on Aug 6, 2008 (gmt 0)

Problem is most IT people are apathetic and inexperienced.

It's kind of hard to secure an enterprise network when the wireless LAN software has flaws [blogs.zdnet.com] that are easily cracked, possibly how this attack was mounted.

incrediBILL

WebmasterWorld Administrator incredibill us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 3716320 posted 6:06 pm on Aug 6, 2008 (gmt 0)

here used to be something called the worldwide wardrive and people would go out and drive around to sniff out wireless networks and list their level of security.

Amusing you mention this because I found another article with more details about how they hacked into these places!

[nbc11.com...]

... used a technique called "wardriving," which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called "sniffer programs" that captured credit and debit card numbers as they moved through a retailer's processing networks.

So it was literally drive by wifi hacking.

iThink

10+ Year Member



 
Msg#: 3716320 posted 7:02 pm on Aug 6, 2008 (gmt 0)

Last month some bomb blasts happened in a city in India (Ahmedabad). A lot of people died in the blats. Minutes before the blast an email was sent by islamic terrorists to some media outlets to stake the claim for the blasts. The email was traced to an American expat living in Bombay, who was using a wifi router in his rented flat. Apparently his wifi connection was somehow used by terrorists to send the email without his knowledge. The cops took his computer and related stuff for investigations and sealed his flat as well.

Credit card theft is a very small crime compared with what these terrorists and such people do. When I learned about that incident, I just removed the wifi router from my office and have locked it in a cupboard. Now we use only wired connections in the office.

Goodbye wifi, for now.

[edited by: iThink at 7:20 pm (utc) on Aug. 6, 2008]

namniboose

10+ Year Member



 
Msg#: 3716320 posted 7:18 pm on Aug 6, 2008 (gmt 0)

I think in the future there will be Wi-Fi & cell phone hot spots away from the general public, like the smoking areas of today.

I can't sleep with a wi-fi router in the house and get palpitations from DECT phones. I guess I'm the canary in the coalmine but long-term I think it is horrendous what we are doing to ourselves (and others) with microwave technology.

Anyway, realise I'm talking about this in the 'wrong' forum but just thought I would throw it out there.

Security is not the only issue with wi-fi!

Aline

Murdoch

5+ Year Member



 
Msg#: 3716320 posted 9:40 pm on Aug 6, 2008 (gmt 0)

So it was literally drive by wifi hacking

I think in today's abbreviated world that would be known as DriBiWiFi...

signor_john



 
Msg#: 3716320 posted 10:06 pm on Aug 6, 2008 (gmt 0)

I think in today's abbreviated world that would be known as DriBiWiFi.

Sounds like a neighborhood name in Manhattan.

incrediBILL

WebmasterWorld Administrator incredibill us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 3716320 posted 10:57 pm on Aug 6, 2008 (gmt 0)

I never would have thought that this type of personal data was being passed around via the airwaves.

That brings up a very good point about the Visa's CISP (Cardholder Information Security Program)Compliance and whether all these companies passed or not.

If they did pass the Payment Card Industry (PCI) Data Security Standards [pcisecuritystandards.org] then those standards aren't worth the toilet paper they're written on.

In CA any company that has compromised data is required by law to notify all potentially compromised card holders.

Wonder if anyone on WebmasterWorld will get notified? ;)

LifeinAsia

WebmasterWorld Administrator lifeinasia us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 3716320 posted 11:08 pm on Aug 6, 2008 (gmt 0)

I seem to remember we got something several months back (but I think it was from Visa, not TJ Maxx) stating somethign about the CC information being stolen. I think they offered a free 1-year credit monitoring or some such token.

blend27

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3716320 posted 2:04 am on Aug 7, 2008 (gmt 0)

--- free 1-year credit monitoring ---

This is when you agree for the provider to run your credit report, and then they SELL your data(some of it at least) to third parties and you start getting junk paper mail... right?

added:

and then thouse third parties get hacked....

LifeinAsia

WebmasterWorld Administrator lifeinasia us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 3716320 posted 4:26 pm on Aug 7, 2008 (gmt 0)

This is when you agree for the provider to run your credit report, and then they SELL your data(some of it at least) to third parties and you start getting junk paper mail... right?

No, it was directly from one of the 3 credit bureaus (I forget which one). So no worries- they're already selling our data to 3rd parties. :)

mrMister

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3716320 posted 10:43 am on Aug 11, 2008 (gmt 0)

I have a great little hardware firewall made by a company called Yoggie. It's a small USB device that is a self contained computer with it's own processor and Linux OS. When I was at SMX Advanced in Seattle I was amazed at how many attempts were made to access my computer while sitting in a session. There were over 400 attempts recorded within the first few minutes of turning it on.

As you mentioned later in your post, a firewall offers no protection whatsoever from WiFi snoopers. A snooper doesn't even need to connect to your computer to read your packets. The "attempts" you saw were probably just automated port scans and traffic from network worms. You'd get those on a wired network as well, it has nothing to do with WiFi protection.

[edited by: mrMister at 10:47 am (utc) on Aug. 11, 2008]

mrMister

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3716320 posted 10:45 am on Aug 11, 2008 (gmt 0)

For what it's worth, when connecting over a public WiFi network, I always connect to the Internet via an encrypted tunnel using either PPTP or SSH. Tor would also do the trick in a lot of situations, as would Hamachi.

[edited by: mrMister at 10:48 am (utc) on Aug. 11, 2008]

J_RaD

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3716320 posted 12:27 am on Aug 19, 2008 (gmt 0)

WiFi should never be used in business enviroments!
I don't even use it at my house.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved