[Owasp-singapore] [security-77] Fake Wireless at SG AP at AMK?

Donald Ong donald.ong at gmail.com
Sat May 30 10:39:33 EDT 2009


Hi,

I agree with Onn Chee in being against the idea of using a public wireless AP like Wireless at SG. However, I also support IDA's movement to promote free wireless usage around Singapore.

The important point lacking is really educating the public on the risk of using a public AP. A simple guy like me can sniff all packets going through the standard Wireless at SG AP once I'm connected. That means I stand a chance to gain access to valuable personal information if the website the public is accessing is not secure at all by default.

IDA must find another solution to ensure the public is accessing a genuine Wireless at SG other than just the simple login authentication it currently has. It is a tricky problem as the public is not that tech-savvy, nor do they have the knowledge of what the risk is and when it will affect them.

3G would not have this problem because it is sitting on top of GSM, which has an end-to-end security encryption protection on the data transfer.

Could we raise this issue to IDA on this current problem?


Regards,
Donald

Ray Foo <gunblad3 at gmail.com> wrote:

>Hi Onn Chee,
>
>Wireless at SG is risky being a public wifi network, but for some other
>uses (like non-personal/secret sites, or https sites with working
>certs) it's still ok.
>
>Another way is to use VPN but not everyone knows how to use, or cares to.
>
>If it's really not illegal to run a fake AP, maybe we should be
>enforcing/educating even more the use of encryption... Or getting the
>law makers to amend the CMA :P
>
>Ray.
>
>On May 30, 2009, at 6:27 PM, Wong Onn Chee <ocwong at usa.net> wrote:
>
>> Hi Ray,
>>
>> I will strongly recommend against using Wireless at SG, as anyone can
>> masquerade their rogue AP as Wireless at SG.
>>
>> 3G broadband is a much safer option.
>>
>> Again, pardon my limited legal knowledge, but it may not be an offence
>> to masquerade Wireless at SG unless IDA or the providers complain.
>> Akin to our previous thread on the cyber-squatting of domain names.
>>
>>
>> Ray Foo wrote:
>>> Nope, I don't even get the login page.
>>>
>>> Ray.
>>>
>>> On 5/30/09, Frenky Tjioe <tjioefrenky at gmail.com> wrote:
>>>
>>>> Did you test the "fake" Wireless at SG with wrong password?  If it's fake,
>>>> it won't be able to tell whether your password is wrong.
>>>>
>>>> Regards,
>>>>
>>>> On Sat, May 30, 2009 at 12:19 PM, Ray Foo <gunblad3 at gmail.com>  
>>>> wrote:
>>>>
>>>>
>>>>> Hi guys,
>>>>>
>>>>> Was at AMK (hawker center behind Jubilee, not the S11) where I found
>>>>> something weird when I was surfing around on Wireless at SG, not sure
>>>>> whether it's a fake AP, but it definitely isn't normal.
>>>>>
>>>>> I didn't seem to have authenticated properly (my initial oversight),
>>>>> but when surfing later, HTTP sites all were served ok, but all HTTPS
>>>>> sites (including Gmail) returned a cert error.  Can anyone confirm
>>>>> this?
>>>>>
>>>>> I wasn't able to check the cert details as I was using my iPod Touch
>>>>> then, and I didn't want to accept the wrong cert to find out what
>>>>> happens...
>>>>>
>>>>> Hope someone's not running a fake AP, it'd be pretty dangerous... FYI
>>>>> the range of the AP was detectable for a pretty large area in AMK
>>>>> central as I was walking around.
>>>>>
>>>>> Ray.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Please Note: If you hit "REPLY", your message will be sent to  
>>>>> everyone on
>>>>> this mailing list (security-77 at meetup.com)
>>>>> http://security.meetup.com/77/
>>>>> This message was sent by Ray Foo (gunblad3 at gmail.com) from The  
>>>>> Singapore
>>>>> Security Meetup Group.
>>>>> To learn more about Ray Foo, visit his/her member profile:
>>>>> http://security.meetup.com/77/members/5643827/
>>>>> To unsubscribe or to update your mailing list settings, click here:
>>>>> http://www.meetup.com/account/comm/
>>>>> Meetup Support: support at meetup.com
>>>>> 632 Broadway, New York, NY 10012 USA
>>>>>
>>>>>
>>>>>
>>
>> _______________________________________________
>> Owasp-singapore mailing list
>> Owasp-singapore at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-singapore