Networking Forums

Security Dilemma with Large UK High Street Chain!

 
 
Andy Davies

 
      08-11-2003, 08:28 PM
Hi

I work for an IT Consultancy, and was recently called out to visit a
client site that was having difficulties with the Wireless Network we
had installed a few years ago, which has been working flawlessly.

Whilst on-site I found the problem immediately, cross channel
interference caused by another wireless LAN.

This wireless LAN has been implemented by a very LARGE UK HIGH Street
CHAIN, in this one location was

25 ACCESS POINTS per this one store
NO WEP ENCRYPTION
NO MAC FILTERING
DHCP ISSUED TO ANY MAC ADDRESS

lots of other details, but I'm not listing them.

and to my amazement, CREDIT CARD details, names and addresses of
customers, across the LAN from sales systems, travelling across the
network in CLEARTEXT!

As for our client, it is currently difficult to support them, until
something is done about this company, as their PCs seem to be
accessing their network on occasion.

I don't know why, because the SSIDs are completely different.

Professionally, I think I should report this to the LARGE UK HIGH
Street CHAIN, but they may feel, that we've been hacking their network

What do others think?

What experience have others had?

Andy Davies


 
Martin²

 
      08-12-2003, 12:56 AM
You should get your client (possibly with you) to contact the store and
explain they are causing a problem.
Regards,
Martin


 
Erik

 
      08-12-2003, 03:39 AM
> Professionally, I think I should report this to the LARGE UK HIGH
> Street CHAIN, but they may feel, that we've been hacking their network


Personally, I think that when possible, you should always notify people of
security risks. If you won't do it, other people may take advantage of it.

From my perspective, connecting to a wide-open network can't be seen as
hacking.

Erik


 
David Taylor

 
      08-12-2003, 10:01 AM
> You should get your client (possibly with you) to contact the store and
> explain they are causing a problem.


Point is though that in an unlicenced frequency band, as long as they
aren't putting out more power than is legal, they, although they might be
causing a problem, aren't actually doing anything that they aren't
allowed to do.

Being stupid is altogether something else.

David.
 
Paul Shirley

 
      08-12-2003, 11:03 AM
In message <(E-Mail Removed)>, David Taylor
<(E-Mail Removed)> writes
>> You should get your client (possibly with you) to contact the store and
>> explain they are causing a problem.

>
>Point is though that in an unlicenced frequency band, as long as they
>aren't putting out more power than is legal, they, although they might be
>causing a problem, aren't actually doing anything that they aren't
>allowed to do.


I think the issuers of credit cards may have a different opinion about
security of card numbers.

--
Paul Shirley: email anti-spammed
 
David Taylor

 
      08-12-2003, 03:29 PM
> I think the issuers of credit cards may have a different opinion about
> security of card numbers.


I agree, but that bears no relationship to the problem of interference
which was the original poster's issue for their customer's LAN. Other
people's credit card details are a separate issue.

Just out of curiosity, how many people go around fishing CC carbons from
bins and then finding the original owner to tell them that's not a good
idea either?

David.
 
rrh

 
      08-12-2003, 07:49 PM
As a possible customer of the company you mention - of course I don't know
which it is but there are a good few - I am appalled. If they are a large
and well-known chain then I am sure that their senior management will
realise immediately that they must act to stop customers' credit card
details etc being (effectively) broadcast locally in this way. They will
realise that this is not an issue of you hacking - especially given the
legitimate work you were doing for a neighbouring client of long standing -
but of their own credibility as retailers. Please tell them at once. And
thank you.


"Andy Davies" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi
>
> I work for an IT Consultancy, and was recently called out to visit a
> client site that was having difficulties with the Wireless Network we
> had installed a few years ago, which has been working flawlessly.
>
> Whilst on-site I found the problem immediately, cross channel
> interference caused by another wireless LAN.
>
> This wireless LAN has been implemented by a very LARGE UK HIGH Street
> CHAIN, in this one location was
>
> 25 ACCESS POINTS per this one store
> NO WEP ENCRYPTION
> NO MAC FILTERING
> DHCP ISSUED TO ANY MAC ADDRESS
>
> lots of other details, but I'm not listing them.
>
> and to my amazement, CREDIT CARD details, names and addresses of
> customers, across the LAN from sales systems, travelling across the
> network in CLEARTEXT!
>
> As for our client, it is currently difficult to support them, until
> something is done about this company, as their PCs seem to be
> accessing their network on occasion.
>
> I don't know why, because the SSIDs are completely different.
>
> Professionally, I think I should report this to the LARGE UK HIGH
> Street CHAIN, but they may feel, that we've been hacking their network
>
> What do others think?
>
> What experience have others had?
>
> Andy Davies
>
>



 
Walter Roberson

 
      08-13-2003, 04:07 AM
In article <(E-Mail Removed)>,
David Taylor <(E-Mail Removed)> wrote:
:Just out of curiosity, how many people go around fishing CC carbons from
:bins and then finding the original owner to tell them that's not a good
:idea either?

Seven. I phished a list of their names from a garbage bin.
--
Suppose there was a test you could take that would report whether
you had Free Will or were Pre-Destined. Would you take the test?
 
Walter Roberson

 
      08-13-2003, 04:23 AM
In article <(E-Mail Removed)>,
Andy Davies <(E-Mail Removed)> wrote:
:We are currently documenting everything we have discovered and are
:talking to our Company Lawyers about the Legal Position.

:It will then be reported to "LARGE UK HIGH Street CHAIN HEAD OFFICE".

:The problem has become very sensitive

:BECAUSE OUR CLIENT HAS THREATENED TO GO TO THE PRESS because they want
:the problem fixing!

I can't think of a better way to ensure that your client gets sued.

It's basic psychology. Embarrass a Big Chain in the press and
they aren't going to be happy. Word may well go down from The Top
to find the responsible party and sack them if they don't have
a Very Good Excuse. That gives the responsible party a lot of
motivation to say that it isn't their fault, that the only
way your company could have obtained this information was by
illegally monitoring the network and seeing the confidential traffic.
Big Chain is then likely going to pin the blame on you.


To turn it around a different way: how often does a Big Chain
call up and say, "This is Mr. X, CEO of Big Chain Plc., and
I'm just calling today to thank your company for embarrassing
us nationally. We may have lost some money and a lot of
customers, but we deserved that. This incident has made us
realize that we were doing a bad job at information security,
and we feel strongly that we'll come out of this incident
a far better and wiser organization." ?

Not very likely, I'd say.

If, though, you report the problem through personal contacts,
a conversation that is plausible would go something like,
"This is Mr. X, CEO of Big Chain Plc. Listen, thanks for the
quiet word in our ear about the security problem. That could have
been a major embarrassment if it had gotten out to the Sun. We
appreciate what you've done for us, and <bribe for continued
silence>."
--
Those were borogoves and the momerathsoutgrabe completely mimsy.
 
David Taylor

 
      08-13-2003, 07:49 AM
> The problem has become very sensitive
>
> BECAUSE OUR CLIENT HAS THREATENED TO GO TO THE PRESS because they want
> the problem fixing!


What your client might not appreciate is that if all the store does is
enable WEP and maybe IPSec, that will do *NOTHING* to cure the 2.4GHz
interference, which is the problem for them, is it not?

(Of course I understand the CC issue but it's not curing the same thing)

David.
 