Category Archives: Security

WLAN Security- Attack Yourself to Stay Sharp

Back in February of this year, I ran a “Deep Dive” session at the WLAN Professional’s Conference. The session description:
This session was well-attended, and we had a lot of fun getting through a number of attacks. Since then, I’ve had a few occasions to break out the Pineapple again. Just the other day I was monkeying with something…

Which inspired me to put together a blog at my OTHER site, IT Toolbox. Have a look here and see if you agree that hacking yourself once in a while is a prudent thing to do.

Oh Say Can You See- What’s Driving Up Your Small Site Data Costs?

One of my small rural customers was frustrated. A site I’d not yet been involved with has a single PC that runs a specific agricultural application that occasionally checks into a web database used by all of their sites. And since the problem location is in the boonies, they had no options beyond 4G for Internet service. The frustrations:

  • Huge data bills that weren’t making sense for a single PC
  • No sense of what was going on at the site over the network
  • Getting to the site isn’t exactly a quick drive

I researched the agricultural application and found that it shouldn’t be using but a few MB at a time when it synchronized, yet usage was well into the GB per day. It was time to visit the site, and to do some sleuthing.

More Than Just One PC After All, Other Oddities

The notion of Network Policy can be hard to formalize in small businesses where everyone knows everyone, and it’s as much like family at times as it is a business. When I first got to this site to do my investigation, I confirmed with the site chief that yes, there was only a single computer. And a time clock, behind the 4G connection. That was all that was officially in service operationally. When I got into the 4G modem though, I could see multiple Wi-Fi clients connected to the 4G hotspot… <the plot thickens>. It also turns out that the fairly lightweight application- the only reason the 4G link was being funded to begin with- had its own story. And… the data plan itself was pretty pricey as it had not been freshened up in years.

The Fix(es)

To get the costs under control, and to remove all mystery about what was going on here, I did the following:

  1. Calculated what the application should need, along with Windows updates, etc. then found a newer, more generous plan than what they were on. I recommended a 12 GB/month plan for $80, which should provide fixed cost and at least 300% headroom on my estimated usage. (The bonus, Verizon throws in an extra 2 GB per month on this plan.)
  2. Had the application vendor audit the application behavior. What was taking 600 MB per day was dialed down to around 60 MB by changing from continuous sync to a 4-hour interval (which still met the owner’s needs).
  3. Reined in the 4G rogue client use. On this modem, the Wi-Fi can’t be disabled. But I changed the SSID and password, lowered the number of allowed users to 1 (the minimum) and instructed the owner to tell the staff that this network is off-limits even if they can figure out how to get back on, along with a message that “the IT guy monitors everything!”
  4. Both eliminated any mystery and took control of the bad habits associated with the PC by installing a Meraki Z1 Teleworker appliance between the 4G modem and the PC and time clock.

With the Z1, I was able to accomplish a number of things:

  • Use traffic analysis to remotely see what else was going on with the PC, besides the ag application
  • Use firewall rules and application controls to put an end to all non-authorized applications
  • Provide a client VPN-endpoint so I can access the environment for troubleshooting if need be
  • Monitor data usage and get automated reports on what’s going on in the small environment
  • Get alerted should either the PC or time clock go offline
  • Make myself the heavy in the situation, and take that title off of the owner

After the changes, I’m seeing total site usage of only around 80-90 MB per day in an operational paradigm where I’ve budgeted for around 400 MB per day. As I see recreational traffic pop up, I can quietly block it remotely, without the owner constantly needing to re-enforce the rules (staff here have specialized skills, they can’t just be replaced). And I’ve given the owners a 3rd-party they can turn into a bogey man if they need to should anyone complain (this in itself has value).

Bottom line- this was a fun one to solve. We were able to contain costs, remove any mystery, and provide remote monitoring and alerting. Also- by using the Z1, the time clock can benefit from site-to-site VPN back to the main site where another Meraki MX is in use with the Time and Attendance server.

Though I have used many Meraki wired and wireless products, this was my first outing with the Z1. It’s an impressive little gem, and very much “feels” like its big brothers, the MX line.

The Curious Case of Bogus Amazon Sellers

I’m sure I’m not alone in admitting that I generally love Amazon. The access to massive product variety, frequently great prices, the whole Prime feature, and a sense that you can really trust the entire framework just makes Amazon easy to appreciate. But that trust thing… well, lately I’ve had it rocked a little bit when it comes to Amazon. Here’s the executive summary:

  • I have found multiple clearly fraudulent sellers in the “used” category
  • I’ve engaged Amazon’s customer service and investigations staff, had my suspicions confirmed, and been told by Amazon they’d get rid of the bogus sellers
  • The same sellers keep coming back, and they are pretty convincing if you don’t know better
  • There seems to be no way for Amazon to keep them out
  • Dealing with Amazon in this regard is kind of like talking with children who speak another language, and who also happen to be watching TV or something as you speak to them

Now let’s look at a real-world example.

Please note the instructions for how to engage this seller- you have to leave the Amazon framework and communicate through Gmail. We’ll go there in a bit, but also note the seller’s name “Lin.Martone”. This one has also shown up as:

  • LI N Martone
  • LinMartone

and each variant has a different Gmail account to go with it. On this item, there have been NUMEROUS bogus sellers that come and go, all with the same “email me if you want this” and all with a price that’s too good to be true (hence the draw). All of this has been shared with Amazon via emails and calls. In each case, Amazon agrees fraud is in play, yet it keeps coming back.

Being a veteran of many an investigation, I decided to follow one of these out before engaging Amazon for the first time. Here we go… bogus seller here is ter.kansey@gmail.com (you’ll love the spoofed Amazon page that’s coming):

Realize- we’ve already broken Amazon’s rules here, by leaving the web framework and communicating directly. The response- a sloppy cut and paste of a reply to somebody named Shane.

Here is where it gets good- sent in my inbox, a very official looking “Amazon page” complete with bogus order number. I have to think that at this point, many shoppers might be fooled.

This person was trying to get me to buy an Amazon gift card, and read them the number as payment for an item that would most assuredly never come. When I called Amazon and shared this all with them, I found a number of challenges in dealing with customer service.

  • You can’t share any of these sorts of screenshots- only email headers (which I did)
  • When I mentioned fake order numbers and well-crafted fake phishing style pages being provided via email, I don’t know if it even registered with the person I was speaking with
  • I pointed out over multiple calls and online reports at least half a dozen bogus “sellers” on this item alone, all with the same methodology
  • You get the general feeling that Amazon could really care less, and that you are a bit of a bother when you engage them on this over the phone
  • The same “sellers” keep coming back
  • That anyone can join the Amazon used market as seller and then be allowed to tell customers to go through email and break Amazon’s rules WITHOUT AMAZON THEMSELVES CATCHING IT is bewildering

And that’s it. I’ll still use Amazon for new items, but am thoroughly spooked at how loose and sloppy this end of their used market is. I hope this blog can help even one person not to get scammed by what seems to be pretty common on Amazon.

Cheers!

ADDENDUM- Thanks, Stephen Foskett for taking this issue up on your own blog, and summarizing what to watch out for: (lifted from Stephen):

Here are the hallmarks:

  1. Too-low round-number prices roughly half the retail cost
  2. Items sold as used but with specific notes that they’re actually new
  3. Instructions to email to begin the transaction rather than using the Amazon site, including obviously obfuscated gmail addresses with spaces between letters
  4. “Just Launched” seller profiles with no ratings

Be careful out there!