In the first installment of “Protecting my Mom,” we discussed some phone phishing attacks that I was targeted with. It was a truly believable attack that would have been successful if it had targeted someone who wasn’t so computer-savvy. In this second part, we discuss a real-life attack that happened to me at the Minneapolis/St. Paul airport while I was preparing for a flight.

[Image: Access Denied]

We’ve all been there, right? With all the technology we have grown accustomed to in life, some have theorized, either jokingly or seriously, that Maslow’s hierarchy of needs should be revised to include a layer below Physiological needs (“Breathing, Water, Sleep…”) called “Connectivity,” which includes Wi-Fi, Ethernet, a web browser and a terminal of some sort. In those desperate times when you are away from your home, or in a public place, you scour for available Wi-Fi. Through the years, I’ve connected to countless networks… in fact, I just looked at my list of Wi-Fi networks that I’ve connected to and it’s well over 40.

On this particular day, I was walking through the airport and saw an email come across my inbox that required my immediate attention. I quickly dodged some electric carts being driven at ridiculous speeds for a walkway to find a seat where I could open up my laptop. Immediately I checked my connectivity and, luckily, I had previously connected to the airport Wi-Fi. Just as I would expect, up popped my browser home page, and my email displayed “Connected to xxxxxxx” at the bottom, so I could begin my work. As sluggish as airport Wi-Fi was, it didn’t matter; I was off and working and all was well.

Or was it? About a minute into composing my email, I couldn’t help but notice that my Wi-Fi icon (which I keep at double size for informational purposes) was receiving data non-stop at an alarmingly high rate. I immediately brought up one of my security virtual machines to look a bit more at what my machine was doing and get a better feel for the traffic. Much to my surprise, my machine was getting hit by a series of hacking tools that were looking for open ports on my machine, while I was also getting hammered on my database port (1433): someone was trying to brute-force the password for the system administrator account (which, coincidentally, I have disabled).

Wait a minute… it seems so irresponsible to me that someone would be hacking me on the airport wireless. Surely safeguards are in place to make sure that no one could reach my machine. I’ve got to be safe, right? Upon close inspection, I checked my wireless connection and immediately found the problem. While I was trying to connect to the airport Wi-Fi, my machine had found a network called “Linksys,” which I had obviously connected to at some point in the past, and had wandered onto that open Wi-Fi instead of the airport one. A brilliant trap, and a brazen one at that. Someone at the airport was sitting there with their laptop connected to a personal network they had set up and was bridging my traffic through them so they could see me. Brilliant!

Using my security VM, and figuring that the access point they were using was likely open so they could do their dirty work, I began to inspect their setup. On the Wi-Fi side, I could ping a bunch of machines (8, to be exact) that were connected to this network. All of them were probably unaware that they were either already victims of an attack or that someone was on the way to stealing their data. I figured the hacker was probably the first machine to connect, and since there was a machine on 192.168.1.100, I decided that was my counter-target. I began to run my port scan of their machine and look for any signs that would identify the owner. Approximately one minute into my scan, the Linksys network was suddenly shut down. Dang… this one was good enough to know they were my target.

What Could Have Been

While my machine is well protected (most are now), the attack I chronicled above would have allowed a hacker to pick up unsuspecting machines in a public setting and sit there (at least until their plane, or their victims’ plane, left) while they attacked a machine. As I’ll discuss in part three, given time and generally unprotected machines, this could be an incredibly dangerous scenario where data could be exfiltrated in a matter of minutes.

For all of us, there are some great lessons to be learned from this:

  1. Only connect to wireless networks that you know and trust.
  2. Set the networks that you connect to for a one-time purpose to not “auto-connect,” or simply forget them once you are done. In this case, this was my error on this network.
  3. Don’t connect to out-of-the-box Wi-Fi networks. Networks named “Linksys,” “Netgear,” “Cisco,” and “Asus” are ones that should be avoided. The reason is that an open network has nothing to prove who is running it: a laptop that once joined an open network named “Linksys” will happily rejoin any open network with that name, including one an attacker stood up at the airport, and it will do so without asking you.
  4. In your home, make sure to change the default network name (SSID) to something you recognize, but that IS NOT IDENTIFIABLE TO YOU. Knowing who you are hacking is almost as valuable as having someone to hack, so naming your wireless after your last name or address is bad. Keep it generic… and if you are really cool, name it after a Thundercat!
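Lessons 2 and 3 above are easy to check for yourself. The script below is an added example written for this post, not code from the original author. It takes a saved-profile listing in a simple “Key: Value” form (shaped like the output of `netsh wlan show profile <name>` on Windows, though the exact field names here are an assumption) and flags profiles that are open, use an out-of-the-box vendor SSID, or are set to connect automatically. The three profiles in `SAMPLE` are constructed for the example.

```python
"""Audit saved Wi-Fi profiles for the risks described in the post.

Added example, not from the original post. The profile text format
(blocks of "Key: Value" lines separated by a line of dashes) and the
field names "Name", "Connection mode" and "Authentication" are an
assumption modelled on `netsh wlan show profile` output; feed it your
own export in that shape.
"""
import re
from dataclasses import dataclass

# Out-of-the-box SSIDs named in the post (compared case-insensitively).
DEFAULT_SSIDS = {"linksys", "netgear", "cisco", "asus"}

# Constructed sample: an airport hotspot, the "Linksys" trap from the
# post, and a sensibly configured home network.
SAMPLE = """\
Name: Airport-Free-WiFi
Connection mode: Connect automatically
Authentication: Open
---
Name: Linksys
Connection mode: Connect automatically
Authentication: Open
---
Name: HomeNet-Smith
Connection mode: Connect manually
Authentication: WPA2-Personal
"""


@dataclass
class Profile:
    ssid: str
    auto_connect: bool
    open_auth: bool


def parse_profiles(text: str) -> list[Profile]:
    """Parse dash-separated blocks of 'Key: Value' lines into Profiles."""
    profiles = []
    for block in re.split(r"^-{3,}\s*$", text.strip(), flags=re.MULTILINE):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "name" not in fields:
            continue  # skip blocks that are not a profile
        mode = fields.get("connection mode", "").lower()
        auth = fields.get("authentication", "").lower()
        profiles.append(Profile(
            ssid=fields["name"],
            auto_connect=mode.startswith("connect automatically"),
            open_auth=(auth == "open"),
        ))
    return profiles


def audit(profiles: list[Profile]) -> dict[str, list[str]]:
    """Return {ssid: [issues]} for every profile that deserves attention."""
    findings = {}
    for p in profiles:
        issues = []
        is_default = p.ssid.strip().lower() in DEFAULT_SSIDS
        if is_default:
            issues.append("default vendor SSID: anyone can stand up an AP with this name")
        if p.open_auth:
            issues.append("open network: no encryption, the AP owner can read your traffic")
        # Auto-connect is only dangerous when the client cannot tell a real
        # AP from an impostor, i.e. on open or generically named networks.
        if p.auto_connect and (p.open_auth or is_default):
            issues.append("auto-connect enabled: machine will join an impostor AP without asking")
        if issues:
            findings[p.ssid] = issues
    return findings


if __name__ == "__main__":
    for ssid, issues in audit(parse_profiles(SAMPLE)).items():
        print(f"{ssid}:")
        for issue in issues:
            print(f"  - {issue}")
```

On the sample, the home network is silent, the airport hotspot is flagged as open with auto-connect, and “Linksys” trips all three checks; that last one is the profile to set to manual connection or delete outright.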

Now, take this opportunity to remember that while wireless is fantastic, it is dangerous if you don’t connect to it properly!