How a $100 device can track Wi-Fi users’ online activities
By Reginald Davis
Apr 5, 2013, 01:21 pm CDT
John Simek threw a Pineapple into the works of online security Friday.
Neither a spiky fruit nor the hand grenade nicknamed after it, the Pineapple used by the vice president of Sensei Enterprises Inc. is a device that could cause explosive damage for people who use Wi-Fi to access and operate on the Internet.
Speaking at an ABA Techshow program with a pedestrian name, "Understanding Network Penetration Testing," Simek turned on his WiFi Pineapple Mark IV, available online for $99.99, and showed how he could find every device in the conference room seeking a Wi-Fi connection. And smartphones, tablets and laptop PCs often automatically seek such connections to any Wi-Fi source, including ones accessed days, months or years before.
What the Pineapple does, Simek explained, is pretend to be those Wi-Fi sources, becoming the middle man between the device and the Internet. The interloper can then record keystrokes on the intercepted device, look at information being sent (and disrupt encrypted transmissions to encourage the sender to skip encryption), and even send the unsuspecting victim to a website where malware will be immediately downloaded to the compromised device. Simek's site had the ABA Techshow logo and read "You've been Pwned."
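A device that answers as whatever network each phone or laptop asks for is also visible to a defender watching the air, because one transmitter ends up claiming many network names. The Python sketch below is an added example, not from the article or the talk. It flags such a transmitter in constructed frame records. The record layout, MAC addresses, SSIDs, the decoy name and the threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (frame_type, transmitter_mac, ssid) tuples, as a
# monitor-mode capture might be summarised. No value here is from the article.
FRAMES = [
    ("probe_req",  "aa:aa:aa:00:00:01", "HomeNet"),
    ("probe_resp", "de:ad:be:ef:00:01", "HomeNet"),
    ("probe_req",  "aa:aa:aa:00:00:02", "CoffeeShop"),
    ("probe_resp", "de:ad:be:ef:00:01", "CoffeeShop"),
    ("probe_req",  "aa:aa:aa:00:00:03", "HotelGuest"),
    ("probe_resp", "de:ad:be:ef:00:01", "HotelGuest"),
    ("probe_req",  "aa:aa:aa:00:00:04", "canary-7f3a91"),   # decoy name no real AP uses
    ("probe_resp", "de:ad:be:ef:00:01", "canary-7f3a91"),
    ("probe_req",  "aa:aa:aa:00:00:05", "ConferenceWiFi"),
    ("probe_resp", "00:11:22:33:44:55", "ConferenceWiFi"),  # ordinary AP, one SSID
]

def find_impersonating_aps(frames, canary_ssids=(), max_ssids=2):
    """Return {bssid: [reasons]} for transmitters that answer as too many networks."""
    answered = defaultdict(set)
    for frame_type, mac, ssid in frames:
        # Only responses matter: they show what the transmitter claims to be.
        if frame_type == "probe_resp" and ssid:
            answered[mac].add(ssid)
    findings = {}
    for bssid, ssids in answered.items():
        reasons = []
        # Assumption: a legitimate AP uses one BSSID per network name.
        if len(ssids) > max_ssids:
            reasons.append(f"answers as {len(ssids)} different SSIDs")
        # Any reply to a decoy name that exists nowhere is a strong signal.
        hit = sorted(ssids & set(canary_ssids))
        if hit:
            reasons.append(f"answered decoy SSID {hit[0]}")
        if reasons:
            findings[bssid] = reasons
    return findings

if __name__ == "__main__":
    for bssid, reasons in find_impersonating_aps(FRAMES, ["canary-7f3a91"]).items():
        print(bssid, "->", "; ".join(reasons))
```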
Simek noted that, using the device at home, he was able to follow online activities of a neighbor who works for a security firm hired by the federal government.
The Pineapple is actually being sold to help in "pen," or penetration, testing, and Simek and fellow panelist Chris Ries of Oracle Corp. discussed the various ways such testing can and should be done regularly to secure Internet activity on law firm networks. Testing methods should follow procedural steps to research and collect information about the network, exploit the information to see if access can be gained, leverage the access to see what data may be stolen or damaged, and report the results with ways to fix the vulnerabilities.
Most of the audience questions were about the difference between security of law firm servers and cloud-based services. Though Simek and Ries said that information is hard to come by unless a breach is reported in the news media, they suggested that demanding certain measures in initial contracts with cloud-service providers, and regular reports on pen testing at both the firm and the cloud service, can help.
Ries noted a 2011 report showed that 96 percent of discovered breaches were not sophisticated hacks, but attacks that might be easily prevented through simple controls. Yet 92 percent of those were discovered by third parties, often months after the networks were breached.
And what gets taken? According to a report of a law firm that received FBI notice of a breach, "they had all our client files."