[LINK] The Degree of Peril in an Insecure Wifi Network
Roger Clarke
Roger.Clarke at xamax.com.au
Sat Jul 16 11:16:41 AEST 2011
[Comments at end]
Wi-Fi hijackers cause download of trouble
Aaron Cook July 16, 2011
SMH
http://m.smh.com.au/technology/security/wifi-hijackers-cause-download-of-trouble-20110715-1hhrm.html
THOUSANDS of Sydney households are placing their personal information
at risk and inadvertently protecting fraudsters and users of child
pornography by not securing their home Wi-Fi networks, a Herald
investigation has shown.
NSW Police have prosecuted individuals for crimes involving fraud and
child exploitation material who were using unsecured wireless
internet networks to commit offences, said Bruce Van Der Graaf from
the NSW Police fraud squad.
''This results in the innocent user being asked to explain why their
internet service was used,'' he said.
[... asked how it was possible for their Internet connection to be
used by someone else, maybe? How would they know *why* it was used??]
An internet security expert from RMIT University in Melbourne, Mark
Gregory, said unsecured Wi-Fi could attract attacks on any devices on
the same network, leading to the loss of personal data, such as bank
statements and credit card numbers. ''The likelihood that the Wi-Fi
will be used by someone else is high,'' he said. Hackers can turn
home computers into robots, using them to send spam and attack other
computers.
''All of the detrimental effects of being hacked will then follow,
except the hacker has been given an easy and exploitable way into the
network,'' Dr Gregory said.
[Isn't Gregory confusing rather separate things here? Is it
significantly easier to break into a device via a wifi network than
over the Internet connection? And even if it is, does that approach
scale sufficiently to make it worth a miscreant's while using this
approach rather than mounting the attack over the Internet?]
Wi-Fi is a technology used to make an internet or computer connection
available to wireless devices such as laptops and smartphones within
a range of about 100 metres from a transmitting device.
The Herald discovered unsecured Wi-Fi networks in 10 out of 20
residential locations visited during a test across Sydney. In total,
382 networks were detected with 2.6 per cent operating without
password protection.
[That's 10 out of 382. That strikes me as a remarkably low
percentage! And I do hope that the white-hat they used took
precautions to ensure that they only captured beacon-data!]
Dr Gregory estimates 20 to 30 per cent of homes are operating Wi-Fi
networks. Extrapolating the Herald's results, there could be more
than 10,000 unsecured networks across Sydney.
The arrest in March of a man in Buffalo, New York, by armed
Immigration and Customs Enforcement agents, who threw him down some
stairs and called him a paedophile and pornographer, highlighted the
danger of leaving a network unsecured.
[As distinct from the danger of employing thugs as law enforcement
employees, encouraging them to exercise their thuggery, and failing
to control their thuggery?]
The man's Wi-Fi router was used to download thousands of images of
child exploitation and it took three days for investigators to
establish his innocence. His neighbour was later charged with
distributing child pornography.
Nicolas Suzor, a law lecturer at Queensland University of Technology,
said that if an unauthorised user illegally downloaded copyrighted
material, it could be traced back to the network owner. ''It could be
quite difficult to prove that it wasn't in fact you,'' Dr Suzor said.
[Nic, I assume you were selectively quoted.
[The norm in the criminal law is for guilt to be proven by the
prosecutor, not innocence by the prosecutee. The combination of:
- absence of any evidence on the devices in question
- sworn testimony by the individual(s) concerned
- evidence that the wifi network was not password-protected
must surely lead even the police, let alone a court, to conclude that
there is (a great deal more than) a reasonable doubt about the
person's guilt.
[I've had a go at this a couple of times, including twice in expert
evidence. See, for example:
http://www.rogerclarke.com/II/OffIm0511.html
[I couldn't quickly locate any sources on the extent to which legal
compulsion exists to secure a wifi network. Does anyone know the
story?
[Leaving your front door unlocked probably compromises your
insurance, at least on the basis of contributory negligence alone
(leaving aside the probability that there's a relevant clause
somewhere in the insurance policy); but it doesn't justify a
criminal charge of aiding and abetting the committing of a criminal
offence.]
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University