The whole Starbucks thing seems to be getting me on a role in the wifi security arena. The recent deluge of free wifi security articles reminded me of an article Brian Krebbs wrote a while back called “Wi-Fi Street Smarts, iPhone Edition” about hotspot security. One of the pieces of advice was to remove known networks from your iPhone. Here are the instructions he posted.

“To force your iPhone to forget a wireless network after you’re done using it, click “Settings,” “Wi-Fi Networks,” select the wireless network’s name, and then ‘Forget this Network.’“

The problem back then was that there was no way to “Forget this Network” unless you were currently in the same location where you initially connected to the access point. I was hoping the iOS 4 would have fixed this problem but unfortunately it doesn’t. I know on Macs and Windows PCs you can get a list of previously connected networks through their advanced network properties options. From this list you can delete the networks completely and/or just deselect the ones that you don’t want to automatically connect to. Up to this point, the iPhone doesn’t seem to support a similar option.

The Googles have not turned up anything yet for me as well. The only solution seems to be to rename a spare access point to the SSID of the network you want to forget, connect to it with the iPhone, and choose the option to forget the network. This kludge seems like a lot of work and something that an average user probably doesn’t know how or want to do. Apple usability anyone?

Controlling the wifi networks you automatically connect to is very important. If you don’t clean up this list periodically, you are more at risk of becoming the victim of evil-twin or Karmetasploit-type attacks. Additionally, it seems that wifi device makers and the OSs that connect to them (including the iPhone) need to go a step further. For example, there needs to be some type of secured handshake between the “linksys” you normally connect to and the rouge “linksys” down the street. Maybe some sort of certificate or fingerprint acceptance process similar to how you trust SSH server signatures would be an option.

How are you getting the iPhone to “forget” networks? What type of handshake do you recommend between different devices with the same SSID? Let us know in the comments below.

Well thanks for listening to this little rant. See ya!

It’s time for one of our favorite posts of the week… the post where we get to spotlight some great bloggers who are involved in the local infosec community.

If you, or someone you know should be added to the list of bloggers we consider each week, please contact us or send us a tweet.

#3 – iPhone Apps: We’re always looking for good apps for the iPhone (especially with the release of 3.0) so luckily for us, @geminisecurity had a post that covered 4 of the best apps for the iPhone. But @geminisecurity didn’t just cover regular iPhone apps; no, they covered security apps for the iPhone, which is definitely needed if all the recent rumors swirling around Apple’s security are true. You can check out the full post for more information.

#2 – Security for a Million: Writer and speaker Richard Bejtlich posed an interesting question this week, asking what a black hat could do with a $1 million budget. But instead of just leaving it as a question, Bejtlich actually wrote out a tentative breakdown of what a black hat organization could do with a $1 million budget.  I’m not sure what was scarier; the fact that he created a potential financial plan for a black hat organization to follow, or that $1 million could go a lot further in a black hat organization than it could in most of the organizations we work for. Really makes you question how much money is wasted on unimportant things. Definitely read the post for yourself and let me know what you think.

#1 – Cyberwarfare and the Spanish Civil War: According to guest poster ian99 of the The Guerilla CISO, “Perhaps the most interesting model of development and Cyberwarfare activity today would be based on the pre-WW II example of the Spanish Civil War.” Tracing the historical origins of cyberwarfare, ian99′s post is like attending a ShmooCon talk and a history lesson all in one. Check out the full post here.

Well, that’s all for this week. Be sure to follow me @grecs during the week for more great posts from local bloggers.

o o o o o

Speaking of great local bloggers… we’re looking for some great guest bloggers to feature on NovaInfosecPortal. If you’re interested, feel free to contact us or send us a tweet.