There Are No More Secrets
     
        			Ron DuFresne  2002
     
     A few weeks ago Best Buy was embarrassed throughout the country with the
     finding that it was using POS  cash registers that worked
     with wireless technology to cash various customers out when making
     purchases.  What was so humiliating for them was the discovery that these
     POS systems had been installed and implimented without any sense of
     security.  There was no encryption enabled with these devices so they
     transmitted customer information via the airwaves to anyone that wished to
     capture it with the various techniques many people are now employing to
     "map" wireless networks and security issues.  This customer information
     included credit card information.  Nasty hackers could indeed use this 
     information for various fradulent activities.  This breach of customer
     privacy was deemed serious enough when it became highly visualized via the
     vuln-dev mailing list, maintained by Blue Boar, off securityfocus.com.
     The flurry of correspondence on this list resulted in the media picking up
     the information and running with it also.
     
     http://www.msnbc.com/news/746380.asp
     
     This ended up by prompting Best Buy to make changes to the cashiering
     systems as was noted in their response to one of the lists posters that
     apparently made direct contact with Best Buy management:
     
     
     
     Thank you for contacting Best Buy's corporate headquarters
     with your concerns.  Regarding this issue, Best Buy has
     deactivated our temporary wireless cash registers that
     transmit information via LAN connections.
     These registers are not Best Buy's main register terminals
     and represent a small percentage of the transactions
     processed within our stores.  Please be assured that
     customer privacy is of the utmost importance to Best Buy and
     we will further investigate this matter.
     
     We do appreciate your taking the time to share your concerns
     with us.
     
     Respectfully,
     Alex Reynolds
     Contact Center Escalations
     Best Buy Enterprise Customer Care
     
     
     
     Now, it had been suggested in the vuln-dev mailing list that Best Buy was
     a single example, and just the tip of the iceberg, as anyone looking into
     the issues of wireless implimentations and issues via their own sniffing
     and the various wireless mapping projects accross the US have laid bare.
     
     
     http://sysinfo.com/wire1.html

     
     The above paper cites some wireless mapping work in the NC Research
     Triangle Park area by local resident Alan Clegg, with direct links to his
     mapping efforts.  Recently Mr. Clegg contacted this author via e-mail
     concerning another thread in the firewalls security mailing list hosted by
     gnac.net, on another wireless related topic, to let us know that in the
     RTP area, he had mapped both Petsmart and CVS Pharmacies using wireless
     technolgies without any encryption enabled.  Which starts to expose more of
     the proposed iceberg syndrome to light.  Granted, WEP, Wired Equivalent
     Privacy, is not the best, it can be broken, but, it takes far more effort
     then clear text flowing through the airwaves avialable to anyone with a
     few hundred dollars worth of equipment to pick it up like one might grab
     police calls with a scanner.  If wireless is going to be used, it should
     at least function in the most secure manner avaailable, anything less
     demonstrates not only a lack of understanding, but, in cases like these a
     complete failure of corporate institutions to take even minimal care with
     the private information of their customers.  Petsmart, following along the
     heels of the embarassment and humiliation of Best buy in letting credit
     card information flow freely into the airwaves is bad enough, but, CVS
     Pharmacies, soon to be tasked with HIPPA (Health Insurance Portability
     and Accountability Act) compliance early next Spring demonstrates at the
     best careless indifference to those they are serving.  The Standards for
     Privacy of Individually Identifiable Health Information are designed to
     help guarantee privacy and confidentiality of patient medical and
     insurance information.  Those who miss the deadline for compliance face
     steep fines and Federal criminal penalties.  The glaring exposure of
     customer information by companies and health related organizations like
     CVS Pharmacies is a glaring deficiency and total disregard of very
     sensitive customer information.  And yet the iceberg of such negligence
     in wireless rollouts is still but a shadow of the issue of private and
     finacial information leakage many are suffering already, without much
     awareness of the fact.
     
     
     http://www.symbol.com/news/pressreleases/pr_foodndrug_cvs.html
     
     
     The various vendors marketing wireless toys are not blameless either.  In
     fact a large burden of the blame for leakage of information and the
     vulnerable systems being pushed into place by companies like Best Buy and
     Petsmart, as well as CVS and others relates to how they distribute their
     wares.  They do so with the most insecure "plug and pray" configurations
     possible, most often with documentation about how to try and secure these
     toys burried deep in their distribution media.  Until vedors take some
     sense of responsibility and force their customers to shoot themselves in
     the foot, rather then pushing out products that are configured in a manner
     whence their customers are shot in the head from the point of
     installation, we will continue to have some very exploitable setups by the
     less clued network folks these vendors are making their money from.
     
     
     
     Additionally see, note the terms 'opt' when they document configuration
     issues at the site, as well as targeted customer categories listed, then
     wonder where *your* private information might be leaking from:


     
     http://www.symbol.com/products/wireless/wireless_sp24_11mbps.html
     
     
     ...
     AP 41X1 Access Point Series
     
      It's known as the intelligent access point. Built beyond defined
      standards, the AP 41X1 integrates features only possible from
      the wireless engineering experts at Symbol. Advanced algorithms
      prioritize data, voice and multimedia transmission for uninterrupted,
      quality service. An embedded HTTP server allows administrators to use any
      Web browser to monitor performance, change configuration, and run
      diagnostics on any AP 41X1 from anywhere on the network. Antenna options
      provide maximum range and throughput to support application
      requirements with coverage up to 300 ft./90 m indoors and 1500 ft./460 m
      outdoors and will support up to 256 clients as well as Simple Network
      Management Protocol (SNMP).
     
     ...
      WEP Encryption for High-Speed Security Wired Equivalent Privacy (WEP)
      encryption combined with access control lists and domain identification
      features provide powerful user authentication and data encryption and
      decryption capabilities for data security. Wireless clients may also
      opt to use 128-bit encryption keys and the RC4 algorithm to further
      encrypt the wireless portion of data transmission.
     ...
     
     
     		    Retail
     
     
                         Healthcare
     
     
                         Hospitality
     
     
                         Education and Corporate Training
     
     
                         Manufacturing
     
     
                         Government
     
     
                         More Flexible Office and Public Space Environments
     
     
     
     
     
     	Thanks;
     


     		To Alan Clegg for the mapping info and heads up to these
     		sites, as well as their wireless vendors.


Hosted by: Enter: sysinfo.com
©copyright 1995-2002 sysinfo.com