GottaBeSecure: WiFi and the Rookie Looks at Data Seepage (Part 5 of 5)
Over the past few weeks, we’ve discussed passive mobile security threats, active hacker threats, and tablet PC theft. In the final installment of this series on mobile security, we’ll be looking at an advanced mobile security issue, data seepage.
Tablet PC’s and ultra-mobile devices have opened up a whole new world of productivity and connectedness for people who need to work and stay in touch no matter where they go. However, operating computers in the unprotected realms of coffee shops and hotel broadband networks also opens up risks that most road warriors don’t anticipate.
Did you know that your tablet PC or ultra-mobile device may be leaking personal information to everyone within WiFi range? This information could include who you are, your company name, your previous IP address, where you’ve been, and much more
Robert Graham of Errata Security revealed at July’s Black Hat security conference just how much personal data mobile computers leak with his ““Ferret†WiFi information gathering tool. Graham, a security researcher and CEO of Errata Security, briefed attendees on the wide range of information mobile WiFi devices running MS Windows broadcast to anyone who’s listening to include:
– Computer name
– Computer description
– Previous IP address used (from the DHCP broadcast)
– A list of wireless network names your PC has previously connected to when it can’t find it’s ““preferred†wireless network
The Ferret tool also sometimes picks up usernames and passwords sent without encryption (but WiFi and the Rookie readers already know that from Part 1 of this series ). The combination of personal information (often contained in the computer description, for example ““Sally Smith’s tablet PCâ€Â) and the broadcast of previous wireless networks is a serious privacy concern. Using this information, a stalker or high-tech thief could locate your house and use your wireless network as confirmation that he has the right ““Sally Smith.â€Â
To reduce your risk from data seepage, employ basic operational security measures, like the military. Don’t give your computer a name or description that reveals your real name or work affiliation. To check or change your computer’s description, follow these steps:
– Click on Control Panel from the Start menu
– Open the System icon
– Select the Computer Name tab
– Change what’s in Computer description, if necessary
Also, it’s a good idea to keep your wireless network name at home generic (““linksys†should be just fine even if you’re access point is not made by Linksys) and turn off the SSID broadcast.
Unfortunately, you can’t keep MS Windows from broadcasting various bits of information to the wireless network, but you can control what some of that information looks like. For more information on data seepage, check out Robert Graham’s excellent briefing from Black Hat 2007, which is posted here: https://www.erratasec.com/BH_DC_07_Data_seepage.ppt
This concludes my initial series on mobile security. I hope you’re enjoyed reading it as much as I’ve enjoyed writing it. I plan to continue to publish these articles on a weekly basis, but need your help finding topics. Please post any ideas you have for future articles as comments to this article.
