One should always ask whether the wireless gateway one uses is trustworthy.
Picture the following situation:
You are sitting in a coffee shop, scanning for wireless networks. What do you do next? You connect to a network whose SSID resembles the coffee shop's name, or, if none exists, to the first open network you find.
If the coffee shop has no wireless network of its own, a malicious user can run one in the coffee shop's name to attract clients. If it does, he has to spoof the legitimate access point's MAC address and race it for new clients.
Everyone knows that open wireless networks are prone to sniffing, but most people are unaware that active attacks can take place as well, and they are especially easy when the malicious user controls the gateway.
This video demonstrates how an exe file is injected transparently into an innocent HTTP session.
What happens behind the scenes is a transparent proxy I built, which terminates HTTP traffic and looks for exe download patterns (Content-Type:\s+application/octet-stream, to be exact). When a response matches, the proxy replaces it with a malicious binary. The proxy runs on the gateway, where an iptables rule (iptables -t nat -A PREROUTING -i [interface] -p tcp --dport 80 -j REDIRECT --to-ports [proxy port]) forwards all transit HTTP traffic through the proxy.
With PKI you can make sure your traffic passes a malicious gateway without being tampered with.
So consider one of the following countermeasures:
1) Download binaries from SSL sites only (and verify the certificate!)
2) Use an SSL proxy (and again verify the certificate)
3) Tunnel traffic through a VPN
4) Tunnel traffic through SSH
5) Download signed binaries, and verify the digital signature.
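As an added example (not code from the original post), here is a small Python download helper that applies countermeasures 1 and 5 from the list above: it refuses plain-HTTP URLs, uses a TLS context that verifies the server certificate and hostname, and accepts the downloaded bytes only if their SHA-256 digest matches one obtained out of band (for instance from the vendor's HTTPS page). The URL, sample bytes and digest in it are constructed for illustration.

```python
"""Added example: a download helper that refuses what a rogue gateway can
rewrite. Applies countermeasures 1 (HTTPS with certificate verification) and
5 (verify the file against a digest published out of band). All sample values
below are constructed."""

import hashlib
import hmac
import ssl
from urllib.parse import urlparse
from urllib.request import urlopen


def is_acceptable_download_url(url: str) -> bool:
    """Countermeasure 1: only fetch binaries over HTTPS. A plain-HTTP download
    is exactly what a transparent proxy on the gateway can swap out."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.hostname)


def make_verifying_context() -> ssl.SSLContext:
    """A TLS context that really verifies the certificate chain and hostname.
    create_default_context() already does this; the assertions guard against
    someone having downgraded it (e.g. check_hostname = False while debugging)."""
    ctx = ssl.create_default_context()
    assert ctx.check_hostname is True
    assert ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_sha256_hex: str) -> bool:
    """Countermeasure 5 in its simplest form: compare the downloaded bytes with
    a digest published through a channel the gateway cannot rewrite. The
    comparison is constant-time so the check itself leaks nothing."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.lower())


def download_and_verify(url: str, expected_sha256_hex: str, timeout: float = 30.0) -> bytes:
    """Fetch a binary and return its bytes only if every check passes.
    Raises ValueError on a non-HTTPS URL or a digest mismatch; TLS failures
    (untrusted certificate, hostname mismatch) propagate from urlopen."""
    if not is_acceptable_download_url(url):
        raise ValueError(f"refusing non-HTTPS download: {url}")
    with urlopen(url, timeout=timeout, context=make_verifying_context()) as resp:
        data = resp.read()
    if not digest_matches(data, expected_sha256_hex):
        raise ValueError(
            f"digest mismatch for {url}: got {sha256_hex(data)}, "
            f"expected {expected_sha256_hex}; discarding the file"
        )
    return data


if __name__ == "__main__":
    # Constructed sample: pretend these bytes are the file we downloaded and
    # this digest is the one the vendor published over HTTPS.
    genuine = b"MZ\x90\x00genuine-installer-bytes"
    published = sha256_hex(genuine)
    print("genuine file accepted:", digest_matches(genuine, published))
    # A gateway proxy would hand us different bytes under the same URL:
    swapped = b"MZ\x90\x00injected-binary-bytes"
    print("swapped file accepted:", digest_matches(swapped, published))
    print("plain-HTTP URL accepted:", is_acceptable_download_url("http://example.com/setup.exe"))
```

The digest check is only as good as the channel the digest came from: a hash shown on the same plain-HTTP page as the download buys nothing, since the proxy can rewrite both. A detached signature from the publisher's key would replace the hash comparison here, with the same structure.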
This reminds me of the Up-Side-Down-Ternet http://www.ex-parrot.com/~pete/upside-down-ternet.html
Posted by: kingthorin | November 23, 2007 at 09:30 PM
Turn wireless off or use an SSL VPN such as the open-source SslExplorer. Most people don't have the know-how to purchase a virtual host to run SslExplorer (could be Windows, Linux, et al), but imagine how much safer it would be if they did.
The real problem is websites that do not support SSL (and most importantly: redirect to SSL), thus leaving their users unprotected in the face of often severe danger where credentials and/or sensitive information can be easily compromised. Worse, any unencrypted web traffic provides a nice vector for injection of malicious anything - including regular and browser backdoors.
Please somebody tell me there is a better solution to either:
1) not using WiFi
or
2) always using WiFi with an SSL VPN
Posted by: dre | November 24, 2007 at 01:52 PM