
Archive for the ‘News’ Category

iPhone Used To Hack Wireless Networks

Sunday, August 10th, 2008

Fox News ran this story on August 8th, 2008 on how a company uses the iPhone to hack into corporate networks.

The company mails the phone in a package with a long-life battery, where it sits in the mail room and eventually gets returned. While on the company premises it scans all available wireless networks for vulnerabilities. Although it may stay in the mail room for several days, they say it only needs a few minutes to gather all the information needed for them to further break into that company.

You can read the article here, and we’ve included the full text below in case Fox News decides to take it off of their site:

LAS VEGAS — Want to break into the computer network in an ultra-secure building? Ship a hacked iPhone there to a nonexistent employee and hope the device sits in the mailroom, scanning for nearby wireless connections.

How about stealing someone’s computer passwords? Forget trying to fool the person into downloading a malicious program that logs keystrokes. A tiny microphone hidden near the keyboard could do the same thing, since each keystroke emits slightly different sounds that can be used to reconstruct the words the target is typing.

Hackers at the DefCon conference here were demonstrating these and other novel techniques for infiltrating facilities Friday.

Their talks served as a reminder of the danger of physical attacks as a way to breach hard-to-crack computer networks. It’s an area once defined by Dumpster diving and crude social-engineering ruses, like phony phone calls, that are probably easier to detect or avoid.

As technology gets cheaper and more powerful, from cell phones that act as personal computers to minuscule digital bugging devices, it’s enabling a new wave of clever attacks that, if pulled off properly, can be as effective and less risky for thieves than traditional computer-intrusion tactics.

Consider Apple Inc.’s iPhone, a gadget whose processing horsepower and cellular and wireless Internet connections make it an ideal double agent.

Robert Graham and David Maynor, co-founders of Atlanta-based Errata Security, showed off an experiment in which they modified an iPhone and sent it to a client company that wanted to test the security of its internal wireless network.

Graham and Maynor programmed the phone to check in with their computers over the cellular network. Once inside the target company and connected, a program they had written scanned the wireless network for security holes.

They didn’t find any, but the exercise demonstrated an inexpensive way to perform penetration testing and the danger of unexpected devices being used in attacks. If they had found an unsecured router in their canvassing, they likely would have been able to waltz inside the corporate network to steal data.

To keep the phone running, the researchers latched on an extended-life battery that lasts days on end. But they only really need a few minutes inside a building to test the network’s security.

“It’s like saying, once you get into Willy Wonka’s Chocolate Factory, and you’re in the garden where everything’s edible, you have it all,” Graham said in an interview.

The attack won’t work, of course, if a company’s wireless network is properly secured. In that case, Graham and Maynor said there’s likely no big loss: the package that had been sitting in the mailroom would probably be mailed back to them so they could try it again elsewhere.

Another talk focused on new twists to Cold War-era espionage tactics that could allow criminals to sidestep the locks on computer networks.

Eric Schmiedl, a lock-picking expert and undergraduate at the Massachusetts Institute of Technology, outlined several surveillance methods long used by government intelligence agents that have become more accessible to garden-variety criminals because of the falling price of the technologies.

For example, Schmiedl said even low-budget criminals now have a way to eavesdrop on conversations through a window. It involves bouncing a beam from a laser pointer off the glass and through a light sensor and audio amplifier.

If the people inside the room are close enough to the window, their conversation creates vibrations that the equipment can translate into a crude reconstruction of the conversation, Schmiedl said.

“We’re burning the candle at both ends,” he said. “The technology is becoming easier and cheaper and anybody can do it. And at the same time there’s more incentive now to do it. These are two trains on a collision course. The question is when they’re going to collide.”

Logo Contest

Friday, August 1st, 2008

Check out the logos that our marketing company just produced.

Let me know which one you like the most, and use the comment section below to tell me your impression of the logos!

I scanned them in (I don’t have the source images yet), so they are a little grainy, but I think you get the idea!


#1:

#2:
Logo 2

#3:

#4:

#5:

#6:

#7:

#8:

#9:

#10:

#11: (these are for when your wireless is (a) unsecured, (b) securing, and (c) secured)

Affiliate Action List

Friday, August 1st, 2008

Whether you’re an old affiliate or just started, this document is the starting point for any action you’ll take as an affiliate.

1. First Things First

If you’re just starting, take the following two actions:

  1. Bookmark this page. Anytime you’re wondering what to do next or looking for new affiliate ideas, remember, this page is your road map. It will have all the instructions necessary for you to become a successful affiliate.
  2. Subscribe to this article. Scroll down to the bottom of this page and click “subscribe” and fill out your information. That will keep you notified of any updates or changes that are made to this page. This is important because as we get feedback from affiliates on what works well and what under-performs we will be passing that information on to you right here on this page. We want you to succeed so we’re always going to keep you informed.
  3. Memorize your affiliate number. Your affiliate number is how the site knows who you send to it as compared to anyone else that just happens to come to the site. If you send someone to the site without your affiliate number and they sign up there’s no way for us to know you sent them. When you login to the affiliate area take note of the URL in the top right box labeled “Standard Linking Code”. Notice it’s the full website name (www.WifiSecurityGuy.com) with your affiliate number and “.html” added to the end. If you send that URL to people in an email and they click it the system knows you sent them and credits you for the sale when they sign up - and you get credited every month thereafter.

Now that you’ve got that out of the way, follow the rest of this page basically from top to bottom. The steps listed at the top are important learning steps for you to do first. They’ll teach you the basics of using the affiliate program and lay a foundation for more advanced things as you go along.

2. Overall Strategy.

There are two main ways you can build your list of accounts that pay you every month. The first is by starting with inviting people you know to the website using special URLs you will create (more on that in a minute). The second is by increasing that list of people you know. The second way is the advanced way, but don’t let it scare you. Once you go through some of the simple strategies with the people you already know you’ll see how easy the second way really is. And don’t think you have to be super computer-literate to do it. Anyone with a basic knowledge of computers and the Internet can do everything listed here.

3. Make Your List.

We have to start with making a list of prospective people to send to the site. Your email address book is a good place to start. I have well over 2,000 email addresses in my address book. I got them all by never deleting any addresses, no matter how “unimportant” they were. In marketing it all comes down to numbers. The more contacts you have the greater the chances of your success. Don’t worry if you have a small address book (I admit mine is huge compared to most people’s), we have ways of expanding your list. But the first thing you have to do is create a list of people you’re going to email. As you meet more people in life, business, through friendship, etc, remember to get their email address and add them to the list. This list is going to be the key to your affiliate success.

You may want to save this list in a separate document, like by copying all the emails out to a word or text document, but this isn’t necessary. The bottom line is you need to have these addresses in one place that’s easy for you to manage. If you use your address book you may be able to sort your addresses by category, or by adding the addresses to a special “new” address book you can create, or by even creating an address “list” in your address book.

Another way to track your list is to create your own mailing list. I’m not going to spend a lot of time on mailing lists here, but here’s a brief overview. A mailing list is something that “lives” on a mail server. It has a list of all of the email addresses “subscribed” to that list. Whenever you send an email to that mailing list, the server in turn copies that email out to every address in the list. If people no longer want to receive email from you, or the server has problems delivering email to certain addresses, it automatically “cleans” the list by taking those addresses off of the list. As you meet new people you go to the server and add those emails to the list and the next time you send out an email the new people will automatically receive it. It’s a simple way to track all of your email addresses, and it keeps you from having to send out hundreds of emails to all your contacts; you just send out one email to the email list address and it does all the rest. If you’re interested in your own mailing list, use the contact form and let me know so we can help you get that set up.

4. What To Email.

One thing I’ve learned in today’s fast-paced and interruption-filled world is people can’t take long advertisements. And most people will be turned off by an advertisement right away.

The best way to get people to purchase any service or product is by warming them up to it in small pieces. For example, let’s say you have a 10-minute long “ad” for a service. You can’t send that entire “ad” to them all at one time. Most people will read the first paragraph or so, realize it’s really long and they don’t have time for it now so they stop right there. Since you sent them the entire ad already you would be shooting yourself in the foot by sending the entire ad all over again. As soon as they see it’s the same ad they quit reading again. Eventually they just ignore your emails altogether.

A better approach would be to break that 10 minute ad into 20 small 30-second chunks. There are several reasons for this. The first is they don’t get the feeling they are being sold something. A small chunk can be made to look “informative” not “intrusive”. Notice by sending the long 10-minute ad above they gave it 30 seconds or so and then diverted their attention to something else. Well by sending them only 30 seconds your email probably won’t be interrupted. They see the small email, it plants an idea in their mind, and they move on.

Another advantage is if they ignore one or two emails (or don’t have time to read them) they won’t miss much. If they only catch 8 minutes of your total 10 minutes of small ads they will still get enough information for them to make an informed decision about the product or service you are bringing to their attention.

The best things to put in an email are a couple sentences encouraging them to look at this article, listen to this audio, or watch this video, and a link to that content. And always ask them for their feedback or ideas. If you can get them into a conversation you’re well on your way to selling them.

Here’s an email I used to let people know about the first radio ad:

Hello everyone.

Just dropping you a quick note. You’ve probably already heard about this radio ad, but just in case you’ve missed it I wanted to make sure you get it. You can listen to the ad on this page:

link to the radio ad

And of course for more information, go here:

link to the home page

You can personalize that by putting in their first name instead of “everyone”. Notice how short it is, and how it assumes they may have already heard about it - that gives the impression that there’s a “buzz” about the ad already (and there was - putting that radio ad up on the website doubled the website activity in just one day).

Sending the user to the site is very important. The site “sells” the product for you. If they get curious they will look around and learn more about the service. If you had the radio ad in the email you send them there’s very little chance they’ll go to the site.

5. How To Create A URL.

Don’t just copy and paste URLs from the site to your email list. It’s great that you’re going to send them to the site, but unless you send them using special URLs you won’t get the credit for signing them up. And with all the advertising that’s going on, and all the other affiliates already promoting the service it would be impossible for us to know you sent them to the site and not someone else, or that they didn’t hear or see a radio/TV/newspaper ad and come on their own.

So, you need to create your own special links to send them. When they come to the site using your special links the site does two things to remember them as having come from you: (1) it sets a cookie on their computer and (2) it records their IP address just in case their browser doesn’t save cookies. When they sign up for the service the site will remember them by either their cookie or their IP address (or both) and give you the credit.

Now that you know the importance of creating your own links to send in emails, you can read this step-by-step article on how to create a link to any page on the site: Creating Your Own URLs. The page even gives a sample email you would send out.

6. How Frequently To Email.

Just like sending a full 10-minute ad in one email would be overkill, sending too many emails close together will have the same effect.

You should send one email to your list once a week. If you email more frequently you run the risk of people getting irritated by your emails; if you email less frequently you run the risk of people forgetting what you sent them last time. You want the emails to “chain” together into one “long ad” over a period of time until they realize they need to buy.

Marketing research has found that it can take up to 17 exposures to a product before people make a choice to buy. Something like the first 7-11 times a person hears a regular ad, it doesn’t even register in their mind. So be patient and just consistently send an email on a regular basis.

7. You Got A Sale!

Once they come and buy take them off your list and start a second list: “convert to affiliate”. Now that they are using the service you want to get them to recommend the service to their friends. You’ll make $1.50 for each of those recommendations, and $1 for everyone their friends recommend. The incentive for them is if they just get 3 to sign up, their service is free.

Now you work the “convert to affiliate” list of emails the same way you did your prospect list. Send an email every week with a link to another affiliate-type page (not this one). They don’t need to know what to do after they are an affiliate until after they become an affiliate. Create links to the affiliate information pages that explain how they can (a) get a free account and (b) make money, as well as the different affiliate testimonial pages as they get added.

8. Coming Soon…

  • How to operate your own mailing list.
  • Getting large numbers of emails for your mailing list dirt-cheap.
  • Creating your own website to promote Wifi Security Guy - why you need it to become a super affiliate and how easy it is to do.
  • Tips and tricks from the most successful affiliates.

Identity Theft And A False Sense Of Security - Wifi “security” measures that don’t secure your information

Monday, June 23rd, 2008

This article addresses a number of so-called security measures that “experts” say will help secure your wireless network from illegal access and Identity Theft. We list why these security measures don’t work and what you should really be doing to secure your wireless networks.

Before you read any further, note that Wireless Personal Secure (Wifi Security Guy’s wireless security service) completely protects you and if you were using it you wouldn’t have to worry about any of the following “security measures” (although you could do them if you wanted - even though as you’ll see, they don’t work). Click here to get this amazing protection or to learn more about it.

With Identity Theft being the fastest growing crime (according to the FBI), the growth of Identity Theft by wireless networks (millions reported in the past few years), and the ubiquity of wireless networking, there’s a lot of misinformation floating around out there where so-called “experts” give advice on how to secure wireless networks. A lot of the advice gives only a false sense of security, and since the average wifi user is not technically proficient enough to know what advice works and what doesn’t, we list the gamut of advice here, tell you if it doesn’t work (and why), and what action you should take in each case.

1. Change the default SSID.

The SSID (Service Set Identifier) gives the name of a particular wireless network. When someone comes over to your house and is going to use your wireless network you tell them the name (SSID) of the network and the password (I hope you have a password on it!!).

Every wireless access point comes with a “factory default” SSID, usually the name of the manufacturer (LINKSYS, NETGEAR, D-LINK, etc), and it is good advice to change the SSID, but it doesn’t increase your security at all. Wireless networks with SSIDs that you generate are just as easy to break into as the SSIDs that came on the wireless access point from the factory.

Action: Change your SSID to something that’s more appropriate, but don’t think that changing the SSID adds any security to your network. Don’t change the SSID to your name, your address, your phone number, etc. - The problem with doing that is you let any passerby know exactly which wireless network they see in their scan is yours.

Additional Note: This measure wouldn’t protect you from Identity Theft on your wireless network. You need the protection of a service like our Wireless Personal Secure.

2. Setting up MAC filtering.

Every network device (access point, laptop, computer, etc) has a MAC address (Media Access Control address). Without diving down into a lot of network theory, let me just say that your MAC address is hard coded into your computer’s wireless card. When you are using your home network you may have one IP address, and when you go to your local cafe you will more than likely get a different IP address. But your MAC never changes - it uniquely identifies you on the wireless network, no matter where you go.

MAC filtering is where you configure your wireless router to only allow certain MACs on the network, and it ignores all the rest. At first this may seem like a really good idea - a hacker driving by can’t use your network now, right? WRONG!

A hacker driving by will be using a sniffer tool like kismet, and kismet will tell the hacker all the MAC addresses in use on your wireless network (read the article to learn how). The hacker then sets his network card to use your MAC instead of the MAC that came on it. From that point forward your wireless router can’t tell the difference between your computer and the hacker’s computer.

MAC filtering is easily bypassed by a hacker. Additionally, every time a friend comes over who wants to legitimately use your wireless network you have to add their MAC to your filter list. It’s just not worth your time.

Action: None, MAC filtering adds no benefit to securing your network, it just adds an administrative burden to you every time a visitor drops by.

Additional Note: This measure wouldn’t protect you from Identity Theft on your wireless network. You need the protection of a service like our Wireless Personal Secure.

3. Disable SSID broadcast.

Wireless routers ordinarily broadcast their SSID (name) every few seconds. Your computer uses that broadcast to know which wireless networks are in the area and join them (if you’ve configured that wireless network in the past, usually your computer will automatically join that network when it sees it). When you turn off the SSID broadcast your wireless router will not announce the network every few seconds. Now every time you want to connect to that wireless network, since it’s hidden, your computer won’t automatically connect to it. Instead you have to manually tell it “connect to my wireless network”. When you do that your computer broadcasts a message like “hey, is network XYZ around here?” The wireless router then says “yes, I’m here” and your computer then joins the network.

I hope you saw the flaw(s). A minor flaw is that you have to manually join the network any time you want to use it. A major flaw is the SSID is broadcast anyway, every time your computer goes to join. All a hacker has to do is wait around for your computer to join the network to pick up the SSID, then he can join the network too. And there are ways that he can “jam” your network so your computer “drops off” of the wireless network, then when you rejoin within a few minutes he’ll see the SSID. He basically “forced” you into telling him the SSID.

Action: None. Not broadcasting the SSID only complicates your use of the wireless network without adding any security.

Additional Note: This measure wouldn’t protect you from Identity Theft on your wireless network. You need the protection of a service like our Wireless Personal Secure.
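Item 3's point, that the name still travels in the clear in the frames a client and router exchange when joining, can be seen by reading the SSID element out of each 802.11 management frame type. This is an added example, not part of the original article; the frames are constructed with zeroed addresses, and `HomeNet` and the function names are made up for the illustration.

```python
# Added example: the frames below are constructed, not captured traffic.
MGMT_HEADER_LEN = 24  # frame control, duration, 3 addresses, sequence control
# Bytes of fixed fields between the header and the tagged elements, by subtype
FIXED_FIELDS = {0: 4, 4: 0, 5: 12, 8: 12}
KIND = {0: "assoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}
SSID_ELEMENT_ID = 0


def build_frame(subtype: int, ssid: bytes) -> bytes:
    """Construct a minimal management frame (addresses zeroed) for the demo."""
    header = bytes([subtype << 4, 0]) + bytes(MGMT_HEADER_LEN - 2)
    ssid_elem = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    rates_elem = bytes([1, 1, 0x82])  # supported rates: 1 Mbit/s (basic)
    return header + bytes(FIXED_FIELDS[subtype]) + ssid_elem + rates_elem


def parse_ssid(frame: bytes):
    """Return (frame kind, SSID), with SSID None when it is empty or zeroed out."""
    if len(frame) < MGMT_HEADER_LEN:
        raise ValueError("truncated 802.11 header")
    frame_type = (frame[0] >> 2) & 0x3
    subtype = (frame[0] >> 4) & 0xF
    if frame_type != 0 or subtype not in FIXED_FIELDS:
        raise ValueError("not a supported management frame")
    pos = MGMT_HEADER_LEN + FIXED_FIELDS[subtype]
    # Tagged elements: 1-byte id, 1-byte length, then `length` bytes of value
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + elem_len]
        if len(value) < elem_len:
            raise ValueError("truncated element")
        if elem_id == SSID_ELEMENT_ID:
            hidden = elem_len == 0 or not any(value)
            return KIND[subtype], None if hidden else value.decode("utf-8", "replace")
        pos += 2 + elem_len
    return KIND[subtype], None


def names_seen(frames):
    """Map each frame kind to the set of SSIDs it disclosed."""
    seen = {}
    for frame in frames:
        kind, ssid = parse_ssid(frame)
        seen.setdefault(kind, set())
        if ssid is not None:
            seen[kind].add(ssid)
    return seen


CONSTRUCTED_CAPTURE = [
    build_frame(8, b"\x00" * 7),  # beacon with broadcast disabled (zeroed SSID)
    build_frame(8, b""),          # some routers send a zero-length SSID instead
    build_frame(4, b"HomeNet"),   # client asking for the hidden network by name
    build_frame(5, b"HomeNet"),   # router answering that probe
    build_frame(0, b"HomeNet"),   # client associating
]

if __name__ == "__main__":
    for kind, ssids in names_seen(CONSTRUCTED_CAPTURE).items():
        print(f"{kind:10} -> {sorted(ssids) or 'no SSID disclosed'}")
```

Only the beacons withhold the name; every frame involved in joining carries it unencrypted.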

4. Hard-code IP addresses instead of using DHCP.

DHCP stands for Dynamic Host Configuration Protocol. It’s a network administrator’s dream, and sometimes also their nightmare. Basically every computer on the network has to have an IP address. In the “old” days (pre DHCP) an administrator had to manually assign every computer on the network an IP address and make sure that none of the IP addresses overlapped (two computers with the same address). Most computers can’t handle having the same IP address that another computer has (more on this in a bit).

DHCP allows a computer to “ask” the network for an IP address whenever it connects. So when a computer joins the network it “asks” “hey, I’m new around here, can I get an IP address?” A DHCP server then says back “yes, you can have this IP: XXX.XXX.XXX.XXX”. This saves the network administrator the irritation of having to assign IPs to every computer, the DHCP server does it for him.

By turning off DHCP, the computers all have to be manually configured with different IP addresses. The idea behind turning off DHCP on a wireless network is that a hacker’s computer that connects to the network now won’t be automatically given an IP and then “can’t access the network”.

A hacker’s approach to this “problem” is to do something similar to the MAC address hack. He just watches the network, sees what IPs are in use and then assigns himself one manually. If he uses a new IP but still can’t use the wireless network, he can assume it’s because the router also blocks any IPs that aren’t in its list, just like the MAC filtering. So he can do the same as he did for the MAC filtering hack, he just assigns the same MAC and IP of a computer that is on the network to his own computer. He can also set up his computer to not have a problem with there being another computer on the network with the same IP and now the network is wide-open to him.

Action: None. Turning off DHCP and doing IP filtering is just going to give you a headache every time a friend comes over, you have to walk him through all the steps of manually configuring his own IP as well as set up your router to now allow that IP to access the network. And all that trouble for a hacker to just side-step this “security” measure just isn’t worth it.

Additional Note: This measure wouldn’t protect you from Identity Theft on your wireless network. You need the protection of a service like our Wireless Personal Secure.
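The cloned MAC (and cloned IP) described in items 2 and 4 gets past the router's filter, but a monitoring sensor can still notice it: every 802.11 transmitter keeps its own 12-bit frame sequence counter, so two radios sharing one MAC produce interleaved counters. The sketch below is an added example, not part of the original article; the frame records, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict

SEQ_MODULO = 4096      # 802.11 sequence numbers are 12 bits and wrap around
MAX_FORWARD_GAP = 64   # assumption: largest jump explained by frames the sensor missed
MIN_ANOMALIES = 3      # assumption: jumps required before a MAC is reported

# Constructed observations: (time in s, source MAC, sequence number, RSSI in dBm)
SAMPLE_FRAMES = [
    (0.00, "02:00:00:00:00:01", 100, -48),
    (0.02, "02:00:00:00:00:02", 4094, -60),
    (0.05, "02:00:00:00:00:01", 101, -47),
    (0.07, "02:00:00:00:00:01", 2000, -79),  # second radio using the same MAC
    (0.09, "02:00:00:00:00:02", 4095, -61),
    (0.11, "02:00:00:00:00:01", 102, -48),
    (0.13, "02:00:00:00:00:01", 2001, -80),
    (0.15, "02:00:00:00:00:02", 1, -60),     # counter wrapped, frame 0 was missed
    (0.18, "02:00:00:00:00:01", 103, -49),
    (0.20, "02:00:00:00:00:01", 2002, -78),
]


def find_shared_macs(frames, max_gap=MAX_FORWARD_GAP, min_anomalies=MIN_ANOMALIES):
    """Report MACs whose sequence counter jumps in ways one transmitter cannot.

    A single radio only moves forward by small steps (0 for a retransmission,
    a few for lost frames, wrapping at 4096). Anything else counts as a jump.
    """
    last_seq = {}
    jumps = defaultdict(int)
    rssi = defaultdict(list)
    for _ts, mac, seq, dbm in sorted(frames):
        mac = mac.lower()
        rssi[mac].append(dbm)
        previous = last_seq.get(mac)
        if previous is not None:
            forward_gap = (seq - previous) % SEQ_MODULO
            if forward_gap > max_gap:
                jumps[mac] += 1
        last_seq[mac] = seq
    return {
        mac: {"jumps": count, "rssi_spread_db": max(rssi[mac]) - min(rssi[mac])}
        for mac, count in jumps.items()
        if count >= min_anomalies
    }


if __name__ == "__main__":
    for mac, evidence in find_shared_macs(SAMPLE_FRAMES).items():
        print(f"{mac}: {evidence['jumps']} sequence jumps, "
              f"signal strength varies by {evidence['rssi_spread_db']} dB")
```

The signal-strength spread is reported as supporting evidence only, since a laptop that is carried around also changes its RSSI.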

5. WEP Encryption.

OK, this and WPA encryption are going to be the biggies. Everybody just assumes “oh, they work, they’ll secure me.” Bad news - the final analysis is they don’t ensure your security. WEP stands for Wired Equivalent Privacy - its name means “WEP is just as secured as using a wired network”. But don’t believe its name, it’s far from being as secured as a wired network.

I’m not going to get into all the complexities of explaining how WEP is insecure. Let me summarize with a layman’s-terms approach to WEP. With WEP you basically have a pre-shared key that everyone on the network uses. Whenever data is going to be sent on the wireless network the computer will take this pre-shared key and an IV (Initialization Vector) and use them to encrypt the data. The IV is basically an “offset” that tells which part of the pre-shared key is going to be used. The IV is constantly changed with every packet - the down side is the IV is sent along with the data! There are only 16 million possible IVs, once they are used up they begin to repeat. Once a hacker has enough IVs (either duplicates or “weak” IVs) the pre-shared key can be “cryptographically calculated” in a matter of seconds. A busy network using WEP can be broken into within a matter of minutes.

Action: Turn on WEP if that’s all you have, better yet if that’s all you have - upgrade your router.

Additional Note: Since WEP doesn’t protect you from Identity Theft on your wireless network, you need the protection of a service like our Wireless Personal Secure.
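Why the repeating IVs described above matter, as an added example that is not part of the original article. It assumes the standard WEP construction, in which each packet is encrypted with RC4 keyed by the 3-byte IV followed by the shared key; the key, payloads and function names are constructed for the illustration.

```python
import math
import zlib
from collections import Counter

IV_BITS = 24  # WEP IV size: 2**24 values, the "16 million" in the text


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                   # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """Clear-text IV, then RC4(IV || key) XOR (payload || CRC-32). Key ID byte omitted."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 3 bytes")
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))


def repeated_ivs(frames):
    """IVs that appear on more than one frame, read straight from the clear-text prefix."""
    counts = Counter(frame[:3] for frame in frames)
    return {iv for iv, n in counts.items() if n > 1}


def plaintext_xor_from_reuse(frame_a: bytes, frame_b: bytes):
    """Same IV means same keystream, so XORing two ciphertexts cancels the key
    entirely and leaves plaintext XOR plaintext. Returns None if the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor_bytes(frame_a[3:], frame_b[3:])


def packets_until_repeat(probability: float, iv_bits: int = IV_BITS) -> int:
    """Birthday estimate of packets sent before some IV repeats with the given
    probability, assuming IVs are picked at random (an assumption; many cards count up)."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


# Constructed data: a 40-bit key and three payloads, two sent under the same IV
KEY = bytes.fromhex("0102030405")
P1, P2 = b"GET /index.html", b"POST /login.php"
FRAMES = [
    wep_encrypt(b"\x00\x00\x01", KEY, P1),
    wep_encrypt(b"\x00\x00\x02", KEY, b"unrelated frame"),
    wep_encrypt(b"\x00\x00\x01", KEY, P2),
]

if __name__ == "__main__":
    print("repeated IVs:", [iv.hex() for iv in repeated_ivs(FRAMES)])
    leak = plaintext_xor_from_reuse(FRAMES[0], FRAMES[2])
    print("key cancelled out:", leak[: len(P1)] == xor_bytes(P1, P2))
    print("packets for a 50% chance of a repeat:", packets_until_repeat(0.5))
```

With randomly chosen IVs a repeat becomes likely after a few thousand packets, long before all 16 million values are used up.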

6. WPA Encryption.

WPA (Wifi Protected Access) was created to answer the vulnerabilities in WEP. I’ll try to keep this as simple as possible, suffice it to say WPA has some strengths over WEP but in the end can still be broken and shouldn’t be trusted alone.

The full standard couldn’t be implemented with older network cards, and in their “rush” to secure wireless WPA was released without implementing all the security methods. WPA2 is the full implementation of the official WPA standard (802.11i). For the purposes of this article WPA will refer to both WPA and WPA2 from this point forward, we don’t want to muddy the waters with always pointing out their differences and we don’t think for the high-level view of WPA security it’s necessary.

WPA basically starts out as WEP with a larger pre-shared key and a larger IV. There are some other low-level differences between WEP and WPA, and they added EAP (Extensible Authentication Protocol) which allows different manufacturers and cryptography companies to add their own authentication methods to WPA. The problem the general public has with EAP is it takes an additional EAP server to secure the network, so the general public ends up using “standard” WPA.

WPA also suffers from one other weakness that WEP doesn’t have: the way the router reacts when it receives two packets that don’t pass integrity checks (like a hacker just blasting out packets that obviously don’t have the right pre-shared key). This is significant because it (a) causes the wireless router to shut the network down while it “resets” and (b) causes every client to re-join the wireless network. The weakest point of the WPA usage is when clients are connecting. This means a hacker can force a WPA network to continue sending the weakest packets until he’s able to break it.

Action: Use WPA2, and if possible invest in a more secured EAP-based solution.

Additional Note: Since WPA2 can be broken and leaves you vulnerable to Identity Theft on your wireless network, you need the protection of a service like our Wireless Personal Secure.

Hey, have some other security “advice” you’ve been given? Want to run it by the real experts and see if it’s good or not? Drop me a line and we’ll add it to this article!