July 26th 2011
Did You Hear What I Said?
Steven H. Blackwell
News media on both sides of the Atlantic were all agog last week over the alleged hacking of cellular phone voice mail accounts of politicians and crime victims by reporters of the now defunct News of the World tabloid. These are serious matters, and much of the coverage has been appropriately professional. Other media coverage however can be characterized in my view as lurid and as having an undertone of “Look what we caught the other guy doing!”
Irrespective of the tone of the coverage however, there has been very little coverage or explanation of how relatively easy it was to access these voicemail accounts. One American media outlet WNYC [
] and noted security blogger Brian Krebs [
] have both explored this issue in some detail. Both point to the relative ease with which these voicemails were accessed.
All of this brings me to the key point I want to make in this posting: namely that wireless networks are frequently completed unsecured and wide open for eavesdropping. It has now been ten years since I cautioned about this vulnerability in a presentation at the 2001 DevCon in Orlando, Florida. This vulnerability is even more widespread today than it was decade ago. While this is distinct from unsecured cellular voice mail accounts, the underlying concepts are the same.
Wireless Internet access in public areas is now widespread. Whether it’s coffee shops, restaurants and cafes, airports, hotel lobbies, or even public streets and parks, wireless Internet access is pervasive, readily accessible, and almost expected as a matter of course. And it’s just as accessible to someone who wants to snoop on what you’re sending over the Internet as it is to you. An eavesdropper’s reading your email, both inbound and outbound, is easy. Capturing your email log-on credentials, or credentials to organization file servers or web sites, or passwords to on-line financial accounts can be easily done if your access methods or the network you are using isn’t protected.
Moreover, such unprotected networks offer access points to unprotected shares and to unprotected hosted FileMaker files (on FileMaker Server) that might be present on machines connected to the network. Even if protected, if credentials for these are obtained, or if they are easily guessed, contents of the share or hosted files may be at risk. Additionally, unscrupulous persons might be able to introduce malware onto these machines.
All of this of course could include many of the wireless networks likely to be found at the upcoming 16
FileMaker DevCon in San Diego. Wireless networks in the hotel public areas as well as in the conference functions areas, networks that may be accessible in physically adjacent nearby buildings, and any point-to-point networks that might be created using the public switched telephone network from someone’s laptop all furnish avenues of access.
So when using wireless networks ask yourself who might be affirmatively able to answer the question “
Did You Hear What I Said?”
Use VPN’s or SSL or HTTPS sites to access emails or on-line sites to lessen the likelihood of someone’s monitoring your transmissions. If accessing remote networks, consider using two-factor authentication methods. Do not presume that no one is eavesdropping, because someone can be.
It is perfectly possible using readily available and inexpensive software programs for someone with a laptop computer to be outside the DevCon Exhibit Hall during lunch, or outside a session meeting room, or on the hotel terrace by the pool and capture the target IP address, account names, and passwords that
others are transmitting
on whatever network everyone happens to be using.
As with all security questions there are always balances to be achieved. We trade confidentiality in some instances for the convenience of ready accessibility. If so, let’s make that an informed choice, not an inadvertent one.