I've been in infosec for the past 14+ years and hiring these types is pretty nuanced and complex. On one hand, you have a person who shows their ethics are questionable at best. Do you want those folks having the proverbial "keys to the kingdom"?
On the other hand - people make mistakes and learn. And these types of folks are decently effective at what they do - although I will say the fact they got caught demonstrates they're not THAT good.
I'd probably pass on this specific person for the latter reasons.
The article says “domestic flights [plural], and at other locations that police said were linked to the man’s previous employment”, so it’s possible they checked passengers in common between two or more flights that had reports of bad portals as well as other locations that pointed to this guy.
WiFi's signal strength can be used as a proximity sensor for the source. It doesn't give you a direct location of your signal source, but the less amplitude your client radio reports needing is the closer you're likely getting to the emitter.
> The fake pages were allegedly set up at Perth, Melbourne and Adelaide airports, on domestic flights, and at other locations that police said were linked to the man’s previous employment.
Very bad opsec, literally did his crime at the most surveilled places in the world and at his former job lmao.
Isn’t that good opsec? He already had a reason to be on those flights as opposed to them finding out this one guy is always traveling as a tourist where there are issues.
Well good might be pushing it since it would have been better for him to fly to another city then drive to the destination to leave less of a paper trail.
Sounds like he was simulating OpenID Connect flows by saying "login with Google" or "login with Facebook" and then storing the credentials entered, which would be cleartext.
I'm always suspicious of these flows for specifically this reason. The flows are secure as long as you know you are talking to the correct identity provider, but I think most laymen would not understand that concept.
Gotta be careful with that too. If your password manager offers to auto-fill on the base domain - for example, *.google.com, it would be fooled by any phishing site hosted on google sites or google forms.
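The autofill scoping problem in the comment above, as an added example that is not part of the thread: a toy vault compared under two matching rules, one that keys on the registrable domain (the `*.google.com` behaviour described) and one that keys on the exact origin. The vault entry, the public-suffix table and the URLs are constructed for illustration; a real manager would use the full Public Suffix List.

```python
"""Added example: password-manager autofill scoped to the base domain versus the exact origin."""
from urllib.parse import urlsplit

# Constructed vault: credentials keyed by the origin they were saved on.
VAULT = {
    "https://accounts.google.com": ("alice@example.com", "hunter2"),
}

# Constructed, tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "co.uk"}


def registrable_domain(host):
    """Return the eTLD+1 of a hostname, e.g. sites.google.com -> google.com."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return host.lower()


def origin(url):
    """scheme://host (default ports ignored for brevity)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}".lower()


def autofill_by_base_domain(url):
    """Loose rule: any HTTPS page under the same registrable domain gets the credentials.
    This is what lets a page hosted on a sibling subdomain receive them."""
    p = urlsplit(url)
    if p.scheme != "https":
        return None
    wanted = registrable_domain(p.hostname)
    for saved, creds in VAULT.items():
        if registrable_domain(urlsplit(saved).hostname) == wanted:
            return creds
    return None


def autofill_by_exact_origin(url):
    """Strict rule: only the exact scheme+host the credentials were saved on matches."""
    return VAULT.get(origin(url))
```

The strict rule is the safer default; managers that relax it to the registrable domain should at least require the user to confirm before filling on a host that has never been seen.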
Wow, that seems like a huge security risk for Google that people can create phishing sites on their auth domain. I don’t think Google Forms allows login forms, but I’m surprised Google Sites would offer hosting on the primary Google domain.
Yes? This is unsurprising and doesn’t represent gross incompetence on the part of the victim. Computers are inscrutably hard to understand. Anyone that’s lost sight of that is in an echo chamber.
I'm not blaming the victims, but at the same time they will have seen several warnings from their browser indicating that the sites are unencrypted and not to send sensitive information.
LetsEncrypt cert? The domain could be something like amazon.freeewifi.com, it can have a username/password field and a text above it that says "enter your Google/Facebook/Amazon login", and the majority of users won't realize that this is a 3rd-party site. Experts like us might notice "That's not how 3rd party auth is supposed to work!", but the majority really won't know.
A few years ago I read a statistic that most (90%+) computer users just do things based on rote memorization of sequences of actions, not understanding what happens in the background. I wonder how it is nowadays.
Maybe AI that can "smell" if you're on a scammy site (e.g. prompts to enter your Google/FB/Amazon password) would be useful, but then again the implementation might end up being like MS's "let us record your screen, for AI!" horseshit..
I was imagining them trying to spoof an amazon.com domain using an evil dns server or something of that nature. That would be much harder to detect, but the cert is an issue.
I guess it's overcomplicating things, though. Most people will just not notice that whatever domain they use is not legit.
Amazon is also super sloppy with domains even when it's legit. Working there I had to put my password into probably four or five TLDs, and the onboarding process involved giving my SSN to a non-amazon.com TLD linked from an email that was from a different non-amazon TLD with a misconfigured cert that got it sent to spam by Gmail and dotted with red rectangles and stop signs.
Yeah, just like "I'm a prince who needs your help to move money" scams are riddled with poor grammar, it's easier to keep it dumb, to attract the unsuspecting.
But on the flip-side, if there's an expert on the flight, they'd notice it's a spoof site and chances are higher they'll report it to the crew. I can imagine the trick is to show a page that says "For free WiFi, follow our Instagram account, click here for our account", and the click will fail because there's no connection (if we're on the plane), but the click can trigger some Javascript to say "If you couldn't follow our Instagram, login using your Google/Amazon account: Username: ____ Password: ____". Or a more sophisticated trick would be to show a DIV that looks like Instagram and the "follow" button, which will then show the fake login...
The privacy-wary IT expert will look at the "Follow our Instagram" and think "Fuck off, I'm not doing that!" and might miss the spoofed login prompt...
Make the domain login-to-[airline]-wifi.com, get a real cert, and return a form with <h1>Login with Facebook</h1> and you won't ring alarm bells for the average user
I wouldn't say "never was". EV certs were an attempt to do exactly that for a time period of about 10 years. And many users were explicitly trained to trust EV certs as indicating that the site was independently validated as trustworthy, during that time period.
HSTS is a great mechanism to help protect against this. Although it assumes the user has visited the site previously within the HSTS expiration period. There’s also the HSTS preload list: https://hstspreload.org/
I don't think HSTS will help if he is running his own WWW site on his laptop with a proper CA signed cert. If I understand correctly his laptop was presenting a proper WWW login page presumably over HTTPS after victims connected to his WIFI. What he was probably faking was the redirect to the Identity Provider (IDP) by staying on his own properly credentialed HTTPS site which would pass all HSTS checks. He may have also been faking DNS responses to keep users where he wants them.
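The point made in the comment above, as an added example that is not part of the thread: a minimal HSTS cache in the style a browser keeps. Hosts on the preload list or previously seen with a `Strict-Transport-Security` header get their `http://` URLs upgraded; a host the browser has never seen (here the constructed `wifi-login.example`) is left alone, and an `https://` URL to that host is never questioned by HSTS at all, because HSTS speaks only to transport, not identity. The preload set is a constructed subset.

```python
"""Added example: what an HSTS cache does and does not do for a never-visited host."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed subset of the preload list; real entries come from hstspreload.org.
PRELOAD = {"google.com", "facebook.com"}


class HstsCache:
    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}  # host -> (expiry_epoch, include_subdomains)

    def observe(self, host, header):
        """Record a Strict-Transport-Security header received over HTTPS from `host`."""
        max_age, include_sub = None, False
        for part in header.split(";"):
            key, _, value = part.strip().partition("=")
            if key.lower() == "max-age":
                max_age = int(value.strip())
            elif key.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # malformed header: ignore
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 clears the entry
        else:
            self.entries[host.lower()] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        """True if the host (or a parent with includeSubDomains) is preloaded or cached."""
        host = host.lower()
        if host in PRELOAD or any(host.endswith("." + p) for p in PRELOAD):
            return True
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// only for known hosts; everything else passes through."""
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname and self.is_known(p.hostname):
            return urlunsplit(("https",) + tuple(p)[1:])
        return url
```

Usage: a portal that serves its own page on its own certificate never triggers any of these paths, which is why the comment's conclusion holds; HSTS helps only when the attacker tries to impersonate a host the browser already knows.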
Exactly this. Apple devices in fact use a domain https://captive.apple.com/ to detect when to redirect to a captive portal which will grant the user access to the internet. HTTPS isn't used here because the captive experience is to re-write all DNS lookups to a local IP to serve the captive experience.
This experience would just redirect the user to a site they've never been to before, say: wa-man-likes-your-data.com. This could have a legitimate signed cert from anywhere and look legitimate to the device with a lock icon. Put the airline's logo and a form for PII, wait a couple of hours and you've collected a plane load of data.
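The captive-portal detection described in the two comments above, as an added example that is not part of the thread: the classifier an operating system effectively runs against its plain-HTTP probe URL. It goes slightly beyond the Apple case by covering the Android and Windows probe conventions too (these URLs and expected responses are public, but the sample portal responses below are constructed). The probes are deliberately plain HTTP so that a DNS rewrite or redirect can be observed rather than rejected, which is exactly why the user ends up on a page they have never visited.

```python
"""Added example: how an OS classifies a connectivity probe as online, captive or offline."""
from dataclasses import dataclass


@dataclass
class ProbeResponse:
    status: int          # HTTP status; 0 means no response / connection error
    body: str = ""
    location: str = ""   # Location header on a redirect, if any


# Well-known probe conventions: URL -> (expected status, expected body substring).
# An empty expected body means the body must be empty (Android's generate_204).
PROBES = {
    "http://captive.apple.com/hotspot-detect.html": (200, "Success"),
    "http://connectivitycheck.gstatic.com/generate_204": (204, ""),
    "http://www.msftconnecttest.com/connecttest.txt": (200, "Microsoft Connect Test"),
}


def classify(probe_url, resp):
    """Return 'online', 'offline', or 'captive:<where>' for a probe response."""
    if probe_url not in PROBES:
        raise ValueError("unknown probe URL")
    want_status, want_body = PROBES[probe_url]
    if resp.status == 0:
        return "offline"
    body_ok = (want_body in resp.body) if want_body else (resp.body.strip() == "")
    if resp.status == want_status and body_ok:
        return "online"
    if 300 <= resp.status < 400 and resp.location:
        return "captive:" + resp.location        # portal redirected the probe
    return "captive:intercepted"                 # portal answered in place of the real host


# Constructed sample responses a client might see on different networks.
SAMPLES = {
    "clean_network": ProbeResponse(200, "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    "redirecting_portal": ProbeResponse(302, "", "http://10.0.0.1/login"),
    "inline_portal": ProbeResponse(200, "<html><body><form>Airline Wi-Fi login</form></body></html>"),
    "no_link": ProbeResponse(0),
}


def classify_samples(probe_url="http://captive.apple.com/hotspot-detect.html"):
    return {name: classify(probe_url, resp) for name, resp in SAMPLES.items()}
```

The useful defensive observation is that the OS never verifies who answered the probe; the moment the reply differs from the expected one, the device opens a browser view to whatever host the network chose.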
I used to think about doing something similar but as an education campaign. Similar to Phishing Simulators at large corporates, I had the idea to display a captive page that explained what the user did and how they can learn to avoid it in future.
Apple & Google should really make it clearer on phones that users are joining untrusted networks, especially any network not implementing Wi-Fi Certified Passpoint (Hotspot 2.0).
How would they have got a proper CA signed cert for a domain they don't own?
HSTS will only make an HTTPS connection. Without the valid certificate, they should get a warning.
The only way this "works" is if a captive portal pops up a browser to a site that looks the same as amaz0n.com. A password manager wouldn't pop up, but many people don't use them.
Faking DNS also won't help with the TLS warning, they won't have the certificate.
Criminals are smart enough to skip any of that -- they'll trick you into opening a site that has the "same" domain and looks the same, except that the domain uses a Unicode character that is just a tiny bit different from the real one. (Thank you ICANN!) I get junk email from them every day. Even if just 1 out of 50 people fall for this, they get a good payout.
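The lookalike-domain problem in the comment above, as an added example that is not part of the thread: a small checker in the spirit of the browser heuristics that decide whether to display an IDN label as Unicode or as raw punycode. It flags labels that mix scripts (Latin plus Cyrillic, say) and labels whose Unicode confusables "skeleton" collapses onto a watchlisted brand domain. The watchlist and the confusables table are constructed subsets; the real confusables data is Unicode's confusables.txt.

```python
"""Added example: flag mixed-script and confusable IDN hostnames."""
import unicodedata

# Constructed watchlist of registrable domains worth protecting.
WATCHLIST = {"apple.com", "google.com", "amazon.com", "facebook.com"}

# Constructed subset of Unicode confusables: Cyrillic letters that render like Latin ones.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
               "х": "x", "у": "y", "і": "i", "ӏ": "l"}


def to_unicode(host):
    """Decode punycode (xn--) labels so lookalikes can be inspected; non-ASCII input passes through."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def script_of(ch):
    """Coarse script bucket from the character's Unicode name; digits and hyphens are COMMON."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "COMMON"


def skeleton(host):
    """Replace known confusables with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def assess(host):
    """Return (verdict, detail): verdict is 'ok', 'mixed-script' or 'lookalike'."""
    host = to_unicode(host.lower())
    for label in host.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            return ("mixed-script", label)
    sk = skeleton(host)
    if sk != host and sk in WATCHLIST:
        return ("lookalike", sk)
    return ("ok", host)
```

A mail gateway or proxy can run the same check on every link it sees and rewrite or annotate the flagged ones; the whole-script Cyrillic case is the one a naive mixed-script rule misses, which is why the skeleton comparison is there.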
And that's just one of the many possible scenarios. When you control someone else's Internet, there are a lot of things you can do. Google's certificate transparency is going to help a lot here, but only as much as what happens in a browser.
HSTS does absolutely nothing to protect against evil portals. These portals aren't spoofing DNS for google.com, they're typically displaying their own TLS-enabled site with a familiar-looking login flow, i.e. "Log in with Facebook/Google/Amazon to access Wi-Fi."
Just do a captive portal redirect to "google.johnsmith.example.com" with a properly signed certificate, add google logo and login fields, and after a user enters his credentials, just redirect them to actual google.com.
Most people don't look at domains in the url. You can actually probably register a domain like "freegooglewifi.com" or something.
Pretty sure they can glean some info just by looking at DNS requests. Maybe they could infer who is who by MAC address. Though, I think you need to act like a router. I think they could just listen to all of this on public Wi-Fi though.
Maybe someone here can enlighten me. I usually don't bring my phone into stores.
But the other day I went to Home Depot and I had my phone on me. Despite my settings of "Do not connect to any wifi network", I look and I am shocked to find that my phone is connected to some random wifi network. Odd.
I get home and all of a sudden my phone won't connect to my wifi, and when I try to connect it to my home wifi, it says "incorrect password" and its connection was intermittent. It would come back for a second if I turned the wifi on and off again.
Eventually I deleted every known wifi network from my phone and it's been solid since. But what the heck happened at Home Depot?
This sounds right. But why would it cause my phone to give me “incorrect password” only to go on and connect later? My wifi password hasn’t changed in 10+ years…
Your phone will do this automatically and will not show you that you have been connected to a hotspot on the main screen; it will still show you as connected to cellular. This is most likely a carrier hotspot.
That doesn't explain how his phone auto connected to the network despite new connections being blocked, nor does it explain why it broke the saved configuration for his home network
Let’s say he’s a high value target.
Put one at a place he goes regularly and 7 more outside his home to be stronger than the home network.
It’s the entry-level MITM. Routers have vulnerabilities that do not get patched. Idk what phone, VPN, or network setup he has.
Apple: Known networks will be joined automatically. If no known networks are available, you will be notified of available networks.
Option 2: notified -> asked.
Option 3: manually select a network.
Lol, can’t imagine I’d be a “high level target” but I appreciate the compliment..
I should have been notified when asked to join the network at hd, I didn’t consider it a known network. Only wifi network I’ve ever connected to is from home. Don’t trust the rest…
Depending on your home isp - some effectively turn some of their routers into a huge mesh network so that when you’re not home you can have WiFi provided by routers they own practically anywhere. I don’t think it uses homeowner routers but just business routers, though not sure.
WA is the state code for Washington in the US, by the way. Is WA commonly thought of as "Western Australia" worldwide outside of the US? If not, maybe consider using less overloaded abbreviations in your titles.
It looks like the article was written by and for Guardian Australia. Local abbreviations are frequently used in news written with a local audience in mind, and when syndicated to a larger audience, this situation frequently pops up.
My first reading is 'WhatsApp', which just makes him sound like a pretty lame superhero.
My second reading was an assumption that it was a US state code (maybe I could have arrived at Washington if I thought for long enough about it) and that there'd be a comment here very much like yours but complaining about 'US defaultism'.
So no, it probably isn't that common outside of Australia, but this is so so common, and bear in mind it's usually a US thing. (Anything 'national' or talking about 'the nation' generally means 'the US' on HN, for example.)
I can see how that would be confusing. I did submit with the original title "WA man set up fake free wifi at Australian airports ...", but I think an edit by a moderator removed the Australian part. In hindsight, the title should have been "Australian man ...", but I can't edit the submission now.
I'm sure you wouldn't be making this complaint if it were the other way around. Rather than demanding the rest of the world avoid abbreviations that coincide with US states, perhaps just accept others can use their own abbreviations.
I understand you being offended. I'm sure internet users outside of the US are annoyed by US posters using terms/abbreviations that mean different things to different countries. However, I did purposefully add the question "Is WA commonly thought of as "Western Australia" worldwide outside of the US?" as a form of olive branch to people outside of the US, in case I'm the one being ignorant here. So in this case, I kind of think your inflammatory comment is unwarranted though.
In fairness, this site skews super US/SV-centric, so a majority of people might read it as Washington :) Nothing against local abbreviations.
The ramifications of hijacking the wifi used by frequent flyers/tech workers between Seattle <-> SJC/NYC/etc have a very different 'vibe' to it than the actual one in the article.
Interesting, but does this rise to the level of a crime? Only in Australia? What if I put a box that says fill out this card and be entered into a drawing to win a free car. Instead I steal the data. It sounds like fraud, but there's no exchange of money and the data itself would have diminutive value. Only when I use the data might it rise to the level of a crime.
Anyone with knowledge of Australia's legal system that could please explain how this is a crime?
I'm not a lawyer, nor do I know anything about Australian law, but from the police press release [1] the charges are:
Three counts of unauthorised impairment of electronic communication, contrary to section 477.3 of the Criminal Code Act 1995 (Cth). The maximum penalty for this offence is 10 years’ imprisonment;
Three counts of possession or control of data with the intent to commit a serious offence, contrary to section 478.3 of the Criminal Code Act 1995 (Cth). The maximum penalty for this offence is three years’ imprisonment;
One count of unauthorised access or modification of restricted data, contrary to section 478.1 of the Criminal Code Act 1995 (Cth). The maximum penalty for this offence is two years’ imprisonment.
One count of dishonestly obtain or deal in personal financial information (being usernames and passwords) contrary to section 480.4 of the Criminal Code Act 1995 (Cth); The maximum penalty for this offence is five years’ imprisonment; and
One count of possession of identification information with the intention of committing, or facilitating the commission of, conduct that constitutes the dealing offence, contrary to section 372.2 of the Criminal Code Act 1995 (Cth). The maximum penalty for this offence is three years’ imprisonment.
Sweepstakes are highly regulated, so without looking it up I expect you cannot offer a prize unless you're prepared to deliver one, even without accepting money.
> The 42-year-old has been charged with unauthorised impairment of electronic communication; possession of data with the intent to commit a serious offence; unauthorised access or modification of restricted data; dishonestly obtaining personal financial information; and a possession of identification offence.
Yeah, I believe many charges get added on to work towards plea deals, at least in the U.S. “disturbing the peace” is pretty common here and can be applied to anything.
Intent is a critical piece of prosecution, though. Hard to argue that you were storing passwords for any good faith purpose, so I’d expect that charge to stick.
In this case, I think the charge fits the crime. This is a pretty bog-standard MITM attack with a clear-cut motive and intent to cause harm. It wasn't simply that they were mirroring a connection to others, but that they had compromised it with the purpose of tricking the users.
None of this is to say that overkill doesn't exist in the intelligence/policing communities. But this guy was running a Kali Linux social engineering party trick from 2013; it's about as clear-cut of a computing crime as you can get.
This is called an evil portal, it's super simple to do - Flipper has inbuilt functionality for this. It's super simple, broadcast an SSID with "Amazon Free Wifi" - when the user connects serve up a simple login page with Amazon logo, prompt for username and password - save the username and password, and just do nothing... end user doesn't understand why it didn't work, but it's too late at this point. Remarkably simple.
Seems he was able to do the technical part, but not the not-getting-caught part. He's probably not so smart if he's doing it on flights. The police would just need 2 reports from 2 different flights, and then check the passenger lists to find that he was on both flights...
Please don't spread misinformation about Flipper Zero, there is enough of that already. The device has no Wi-Fi capabilities without hardware modifications.
The dev board is not some obscure or custom part. It’s sold alongside the flipper zero. I think mine came as an official bundle and you need it to do pretty much any coding for it. Every review promotes it for WiFi pen testing.