I would still disagree.

Why go through the hassle to pretend to be a hotspot?

1) Its not as difficult as it seems to create that hack, especially if the end users are using IE and didn't apply the latest security fixes.

2) You're response is basically asking "Why do criminals phish?"

3) Stealing a laptop may get you the data on the laptop, it doesn't allow you to create a trojan that will give you access behind the corporate or ISP's firewall.

4) Brute strength is easier, but you'll know that you've been hit right away. Stealth gives you time and also makes it harder for the victim to know where and when he's been hit.

5) Its harder to catch someone than you think. ;-)

The point I'm trying to make is that there are valid reasons why a criminal would phish or create a phony hotspot.

Questioning the "risk vs reward" is a difficult task. You could easily overstate the risk and underestimate the reward.

Just because you don't see the value in it, doesn't mean the value doesn't exist. ;-)

The bottom line: As a good network admin / system admin, you can protect your fixed assets via your firewall. Its your mobile assets that pose a risk and represent vunerabilities.

Ian,
You said: Stealing credit card info is only one potential bad thing. Stealing your list of e-mail contacts for a spam run... Setting up a trojan so that your machine becomes a zombie for either a DDos attack or a potential way to get around a corporation's firewall.

And you're quite right! But the question I'm asking isn't "why would someone want to compromise my machine?" - instead, (read the original article!) "Why would a bad person use a hotspot to compromise my machine?"

To compromise a machine, steal emails, or discover a way around a firewall, there's an easy way, and there's a hard way.

The hard way is to set up a public wireless LAN access point of your own, disguised as a genuine hotspot, then access a couple of dozen machines, none of which may be the ones you want, while running a severe risk of being physically arrested.

The easy way is to use the wide array of Web bots, operating from an indetectable location in the Ukraine or Iraq by proxy, and scanning millions of PCs around the globe.

The only reason anybody would try the "hard" option, is if they had a specific target in mind. And even then, it would be far easier to hire a thug to steal that person's PC, than to go to all this trouble.

It's a bit like "bluesnarfing." Sure, it can be done, but the effort is completely out of proportion to the reward. You might as well fly to Colombia, hire a car, drive to a supermarket, buy a half pound of local coffee beans, then fly home again, in order to get "genuine colombian coffee" as fresh as possible.

Yes, it's perfectly possible, technically; but in reality, it's just not going to happen.

I think that you've missed the point.

Stealing credit card info is only one potential bad thing. Stealing your list of e-mail contacts for a spam run... Setting up a trojan so that your machine becomes a zombie for either a DDos attack or a potential way to get around a corporation's firewall.

I'm sure there are more things than just reading that your credit card account is maxed out from all those lattes and pints using your favorite hotspots, that would attract hackers.

Being one of the good guys means that we haven't taken the time to think of all of the potential bad exploits one can do...

You equate having an office mate politely tell you that you're left your machine wide open to getting hacked. Thats like equating a kiss on the cheek with rape.
You do attempt to salvage the article by making a minimum of common sense percautions, but you've clearly missed the boat.

Bad people are out there and if you don't make any attempts to secure your pc in a hotspot, or your private wifi home network, you're asking for trouble.

Edited by author 01-25-2005 03:07 AM
Folks, please read http://www.theregister.co.uk/2005/01/24/wi_fi_hotspot_security/

I know Brian Collins is a man to be taken seriously. If he's prepared to tell the London Evening Standard that "evil twin" hacking techniques are, genuinely, being used in London to steal passwords, then he's not making it up.

But I have to say, I think that most online banks are aware of the potential problem. I recently set up a business online banking account, and it was very well protected. Not only do you need cookies and passwords and IDS, but you also need a secure digital certificate. I don't think that a log of the transaction between the certifying agency and the PC would be enough to duplicate...