- Criminal goes to the victim’s workplace, and get the name and ID number of their work wifi.
- The criminal sets up a wifi hot spot with the same name and ID number. They also set up some fake web pages of popular bank web sites, and the victim’s work email web site.
- Then the criminal drives past the victim (or sits near them in the coffee shop), so that the victim’s phone or laptop detects the fake wifi hot spot, and auto-connects to it.
- The victim’s downloads are now going through the criminal’s laptop. In particular, the criminal can give a fake DNS answer.
- If the victim tries to connect to a web site (e.g., email, bank, anything web-based), the criminal can do a DNS redirect to a fake version of that website.
- If the victim types in their password on the fake web site, the criminal can collect it.
Note that Kali Linux has a piece of software that does all of this more or less automatically. Sounds pretty slick, doesn’t it?
B. But what might go wrong? Discuss for example, any 3 of the following, or anything else you can think of that might go wrong. (10 marks)
- Geo-fencing: if the victim was smart, they would disable the auto-connect to their work wifi hotspot when they are not at work. But few victims think of this.
- Did the criminal remember to change the MAC address of their laptop, which is providing the fake wifi hot spot? The victim’s phone will record the MAC address of the hot spot, and if it’s the criminal’s real MAC address, the police might use that to find the criminal.
- After the criminal has stolen the password, the victim might get suspicious, and tell the bank. The bank’s usual approach is to leave the password working on a fake account, and wait for the criminal to try and log in, and perhaps catch the criminal from their IP address.
- You might be thinking of using a VPN to log in to the bank with the stolen password? How many VPNs keep log files and other records, which can be seized by police?
- A weakness to this approach is that the criminal has to get within wifi range of the victim. If the criminal is known to the victim, they might see the criminal and recognize them.
- Similarly, public areas have a lot of surveillance cameras. If the criminal is near the victim, and the victim works out when and where they typed in the password to the fake web page, police might go through nearby video cameras, looking for anyone with a laptop.
- Police can also pull up a list of every phone in the area, and go through that list. Did the criminal remember to turn their phone off?
- Or anything else you can think of that might go wrong.
Problem 2 (20 marks)
Another way to steal a password is for the criminal to place a hidden camera near the victim’s PC, and record the victim as they type in their password (perhaps when they unlock it, or perhaps first thing in the morning). This works best if the victim types slowly, with only two fingers. Discuss how the criminal might do this?
Pick one type of hidden camera. It can be on the list below, but feel free to choose a hidden camera that’s not on the list.
Fixed cameras include a:
- Clock with a camera in it
- USB charger with a camera in it
- Mirror with a camera in it
- Hook with a camera in it (sticks tothe wall, or to a door)
- Smoke detector with a camera in it(sticks to the ceiling)
- Light bulb with a camera in it(plugs into a light bulb socket in the ceiling)
Mobile and wearable cameras include:
- Bottle of water with a camera in it
- Can of Coca-Cola with a camera init
- USB stick with a camera in it
- Wrist watch with a camera in it
- Tie clip with a camera in it
- Cigarette lighter with a camera init
- Pen with a camera in it (and it really writes, too)
- Car key fob with a camera in it
Your answer should cover:
1| Give the web link, or a screen shot, or similar.
2| How much does the camera cost?
3| In your answer, you might consider addressing some of these issues: (10 marks)
- Can the criminal retrieve the video data without being noticed? (Perhaps when they type their password to unlock the PC, while you are nearby, or perhaps first thing in the morning)
- Can the criminal install or move the camera, without being noticed, or looking suspicious?
- When the camera is in place and recording, does it look suspicious? Could the victim notice something odd?
4| Consider the technical specs of the camera. (10 marks)
- Does the camera give enough detail? Can it zoom in on the keyboard?
- Does the camera use a battery, or does it plug into a wall plug or USB plug? If it’s a battery, could the battery run flat before you can record the password?
- Does it record all the time, or is it motion sensitive? That is, does it only record video if there is movement? (This makes the battery last longer).
- If the criminal cannot retrieve the camera, can it be traced back to the criminal?