Re: Walmart using WEP

From: s-williams@nyc.rr.com
Date: Sun Jul 30 2006 - 14:27:22 EDT


My point exactly, its all in the process of learning and if someone finds a problem then the will get the chance to fix it before having it fully exploited. That in my opinion maked this a ok post.
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Gary Nichols <gnichols@phx1.bcbsaz.com>
Date: Fri, 28 Jul 2006 13:13:25
To:pen-test@securityfocus.com
Subject: Re: Walmart using WEP

Perhaps I'm missing something here, but how exactly were these posts
reckless?

Examples:

Is this reckless?: OMG Walmart had an open access point and I hax0red their
POS sysytem and dropped the price on all Britney Spears CDs to 25 cents! The
new WEP key is '0wn3d!'.

Yes. That would be reckless, but I didn't see that in this thread.

Is this reckless?: It would appear that Walmart is using 802.11 networking
and WEP on their inventory scanners. This could be bad if someone cracked
the WEP key. Not a very good security practice.

No. I don't see it. Looks like a good discussion topic to me.

Is this reckless?: I saw an 802.11 WAP on top of a door at Walmart. I
wonder if it's an open network. The next time I war drive the neighborhood
I should check.

No. The poster never made mention of connecting to the network. Checking
the presence of a broadcasted SSID and its encryption method/status is *NOT
ILLEGAL*. Most commercial entities appreciate it when you alert them that
they have an open access point on their network. Of course, with everyone
screaming "HACKER! TERRORIST!" nowadays, white and grey hats alike are
paranoid to advise anyone of anything.

Now, if the poster connected to the network, grabbed an IP and started
snooping around... Well, then I'd be flaming him too.

Sorry to beat the horse to death, but I hear this argument all too
frequently and it just gets tiring.

> From: "Hawkins, Ray (721)" <Ray.Hawkins@protiviti.com>
> Date: Thu, 27 Jul 2006 19:27:20 -0700
> To: Gary Nichols <gnichols@phx1.bcbsaz.com>, <pen-test@securityfocus.com>
> Conversation: Walmart using WEP
> Subject: RE: Walmart using WEP
>
> the community that the retired granny three doors down has a broken lock on
> her backdoor rather than just telling her directly. No amount of
> pontificating over responsibility legitimizes reckless posts.
>
> -----Original Message-----
> From: Gary Nichols [mailto:gnichols@phx1.bcbsaz.com]
> Sent: Thursday, July 27, 2006 9:07 PM
> To: pen-test@securityfocus.com
> Subject: Re: Walmart using WEP
>
> Yes, this forum is for professionals to learn and share. As a matter of
> fact, many of us actually learn from the mistakes of others. I don't see
> anyone here advocating wardriving for the purpose of mischief. I see a
> couple of people talking about how irresponsible some commercial entities
> are in deploying their wireless architectures, and one individual that was
> going to drive around and see if his theory held water.
>
> I had a chuckle when I read that "...war driving should be confined to
> legally permitted isolated networks...". Wardriving doesn't lend itself to
> your suggestion by its very definition:
>
> http://en.wikipedia.org/wiki/Wardriving
>
> Don't apologize for not being impressed. Most of us dressed-down for the
> list today.

The information in this E-mail message is confidential and for
the sole use of the intended recipient. If you are not the
intended recipient, you are hereby notified that any
dissemination, distribution, copying or use of this information
is strictly prohibited. If you received this communication in
error, please notify the sender immediately. Blue Cross and
Blue Shield of Arizona, Inc. and its subsidiaries and affiliates
are not responsible for errors, omissions or personal comments
in this E-mail message.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:27 EDT