Skip to main content

Honeypot WIFI networks - Stealing your datarz :-)

I occasionaly connect to WIFI networks that redirect me and ask for some type of username and password. Often when out and about, on trains and at airports are good examples. Luckily in my laptop I have a 3g sim and so don't have a need for their wallet busting prices. 

I suppose if you were fairly keen on getting a username and password for one of these services, you could always

  • Connect to the network in question
  • Save the page the you get redirected to
  • Set up your laptop as a wireless hotspot and call the network BT_OPENZONE
  • Modify the page slightly, posting and saving to a text file of your choice and force visitors to redirect to your new Page. Anyone foolish enough to login (not noticing that it's not on https etc..) will give you their password and username.
  • Logon using your stolen details. Of course you need to remember that the action would be illegal..

It got me thinking that you could be even more malicious. Sitting down in a Starbucks, mimicking their WIFI and modifying your hosts file to redirect to fake local pages of major banks, email sites and the like is essentially a giant honeypot for collecting personal data. Someone could even prepare a complete web server install so that numpties wouldn't have to code the various fake sites etc... 

Having thought of this makes me glad I stick to my 3g! I wonder how many people don't even think about accessing private sites without https on public networks. I wonder how many people walk out of The House Of Commons into a local pub and access sites on their Smartphones over the local WIFI without even thinking about things like this. If I was a nasty little spy I would be doing things like this. In fact I am certain they are doing things like this to our technologically demented MPs right now. 

Comments

Dom Finn said…
Nice one, I'll check it out!

Popular posts from this blog

My home office upgrade wish list.

My home office is almost due an upgrade. I have been holding off until my youngest daughter is out of her cot as then we can finally dispatch the enormous monstrosity of a cot out from the kids bedroom and the drawers that are in my office can be banished giving me better access to my wonderful whiteboard. My other improvements will be purchasing a new, larger monitor. I currently work from a single 22ich Samsung which just doesn't cut it anymore, I did have two at some point but I can't recall what I did with it. I really enjoy using a touch screen so I think I will go for one of these 27inch Hannspree models that I have used before. I put a lot of hours in at home and whilst I have a reasonable chair I still tend to suffer with some back problems, so my next port of call will be to get a Varidesk for home. It works an absolute treat at work and just lets me switch stuff up when I feel like it. they take a reasonable amount of desk space up but I tend to leave my desk fairly

Arduino ethernet shield

My ethernet shield arrived this morning from Hong Kong. Looking forward to making a little Arduino based Web server! The price for the shield was only ?5 on ebay including delivery :-) super cheap considering how much they cost a couple of years ago.

Specflow

After listening to .Net Rocks with Scott Millett this week I felt a renewed enthusiasm for trying out some BDD. I downloaded Specflow and got straight on with the screen cast they have on their website. The video acts as a good introduction into how to get up and running in Specflow. Interestingly it also gave me a better insight into how bowling works. I have never really thought about it. I normally just wang the balls down the lane until the game is over! Specflow introduces the idea of writing the specification first. It uses a specific language called Gherkin which comes from Ruby land. You will need NUnit installed as well. An example of it is:  [edit: NUnit is what I have used up to now but Specflow is compatible with other testing frameworks aswell. See the comments section below.] Feature : Passwords In order to have a strong password As a new user or existing user changing my password I need to check if my password is alphanumeric and is greater than 6 characters Scenario