Posted Jun 01, 2013 07:10 am CDT
John Simek threw a Pineapple into the works of online security. Neither a spiky fruit nor the hand grenade nicknamed after it, the Pineapple used by the vice president of Sensei Enterprises Inc. is a device that could cause explosive damage to those who use Wi-Fi to access and operate on the Internet.
Speaking at a program with a pedestrian name, “Understanding Network Penetration Testing,” Simek turned on his WiFi Pineapple Mark IV, available online for $99.99, and showed how he could find every device in the Chicago Hilton Hotel conference room seeking a Wi-Fi connection. And smartphones, tablets and laptop PCs often automatically seek such connections to any Wi-Fi source, including ones accessed days, months or years before.
What the Pineapple does, Simek explained, is pretend to be those Wi-Fi sources, becoming the middleman between the device and the Internet. The interloper can then record keystrokes on the intercepted device, look at information being sent (and disrupt encrypted transmissions to encourage the sender to skip encryption), and even send the unsuspecting victim to a website where malware will be immediately downloaded to the compromised device. Simek’s site had the Techshow logo and read “You’ve been pwned.”
Simek noted that, using the device at home, he was able to follow the online activities of a neighbor who works for a security firm hired by the federal government.
The Pineapple is actually being sold to help in “pen,” or penetration, testing, and Simek and fellow panelist Chris Ries of Oracle Corp. discussed the various ways such testing can and should be done regularly to secure Internet activity on law firm networks. Testing methods should follow procedural steps to research and collect information about the network, exploit the information to see whether access can be gained, leverage the access to see what data may be stolen or damaged, and report the results with ways to fix the vulnerabilities.
Most of the audience questions were about the differences between security of law firm servers and cloud-based services. Though Simek and Ries said that information is hard to come by unless a breach is reported in the news media, they suggested demanding certain measures in initial contracts with cloud-service providers, and getting regular reports on pen testing at both the firm and the cloud service.
Ries noted that a 2011 report showed 96 percent of discovered breaches were not sophisticated hacks, but attacks that might be easily prevented though simple controls. Yet 92 percent of those were discovered by third parties, often months after the network breaches.
And what gets taken? According to a report of a law firm that received FBI notice of a breach, “they had all our client files.”