Can we dispel this WiFi myth?

[bdbcat]

Hi...

Unsecure WiFi: The data from the radio on-the-air is not encrypted. Plaintext data can be easily snooped.

Secure Wifi: The data itself on the air is encrypted. Encryption strengths vary based on WEP/WPA settings. Some are quite easily cracked.

So, the worst case is using unsecured WiFi, and transmitting/receiving sensitive info on an un-encrypted connection. (i.e. generic http://...)
The solution, as mentioned, is to be very sure that you access sensitive sites using https://, so that all traffic on the radio air is always strongly encrypted, whether or not the WiFi access point is secure or not.

Look at your browser bar showing the address connected to before typing any password, etc. , and pay attention to the little lock symbol if available.

And, don't give your Gold card to the wait staff. Pay at the door, and watch with eagle eyes.

Dave

[o_q]

Let's break it down

Public Wifi

• Open WiFi: Anyone can get on the network and see your network traffic (bad)
• Protected (encrypted) Wifi: You need a password to get on, but other people with the password will be on the network too, and can still see your network traffic (still bad).

Some wifi access points can isolate everyone so that no one can spy on your traffic. Chances are that even if the AP is capable (which I doubt), the owner will not be savvy enough to implement this. Worse is that you can't be absolutely sure this is implemented.

The bottom line is that you should always use a VPN on public wifi whether open or protected.

Private Wifi (using your own AP)
Protected WiFi is encrypted in one of two possible ways: WEP or WPA. WEP is easily crackable, so you should use WPA with a good password.

If you're an advanced user, use DDWRT on your AP instead of the manufacturer's shitty firmware. Chances are the UI sucks, and it has security holes that will never get patched because the manufacturer really doesn't give a damn. They only exist to push countless models of routers (that aren't really much better than the last) as fast as they can. They're not in the business of making good software.

[jongleur]

In plain English, if possible:

Cruising, away from home, and I need
to transfer funds from one bank to
another, what is the best method?

Use my laptop at McDonalds, an internet
cafe, other?

How does one minimize risk?

Again, in English, if possible. I really
don't understand any of the acronyms.

Thanks.

[o_q]

Quote:

Originally Posted by jongleur

In plain English, if possible:

Cruising, away from home, and I need
to transfer funds from one bank to
another, what is the best method?

Use my laptop at McDonalds, an internet
cafe, other?

How does one minimize risk?

Again, in English, if possible. I really
don't understand any of the acronyms.

Thanks.

Use a VPN. Yes, an acronym, but you still need it. Google it, and you'll find plenty of VPN services. BTW, it's not free.

[senormechanico]

Quote:

Originally Posted by fstbttms

Well, while I have no idea what you just said, the story I related is what was told to me by the restaurant and what was reported in the media. As I said, it was an ongoing issue for several days, affected many patrons and was enough of a story that the local TV news came out and reported it.

Basically, the shop owner said "It's Bush's Fault".

[Liltttzr]

Even with VPN and with very cheap tools one can attain the info (if one knows how). I did not believe it until my son (Network sec geek) proved it to me. He took me around and showed me that any info that went over the network could be caught and looked at. We were at secure and un secure networks. So the information is never really safe, like he told me "he never uses debit cards" and always perfers cash????. He works with banks and other busn to deter these types of things. One of his banks avg about 170 to 200 breaches a week!!!!! His firm also works with goverment. He tells me they have much much more

[o_q]

Quote:

Originally Posted by Liltttzr

Even with VPN and with very cheap tools one can attain the info (if one knows how). I did not believe it until my son (Network sec geek) proved it to me. He took me around and showed me that any info that went over the network could be caught and looked at. We were at secure and un secure networks. So the information is never really safe, like he told me "he never uses debit cards" and always perfers cash????. He works with banks and other busn to deter these types of things. One of his banks avg about 170 to 200 breaches a week!!!!! His firm also works with goverment. He tells me they have much much more

I don't really trust what you're saying because I don't know the details of what your son is doing. I hear the PPTP protocol is not recommended anymore, so maybe PPTP is involved. I'm also assuming that your PC isn't already compromised nor any other unreasonable condition.

[Sea Frog]

Quote:

Originally Posted by rebel heart

Regarding SSL man-in-the-middle attacks, your browser will spot the difference. If you're dumb enough to keep entering your banking account info when the green SSL bar flashes red, that's your own business. Most browsers will give you a warning and try to get you to exit the page as well, alerting you that your connection is no longer secure.

That's exactly what a page I posted a link to, says However, it is very easy to lose common sinse on known sites. Like, I log in to my bank several times daily and after 1000 of logins I may simply get so much used to it that I won't even notice whether the lock is green or not.

The potential problem of using any network is sniffing. Even if you are using "secure wi-fi", as Rebel Heart correctly noted, the rest of network is out of your control and potentially data can be sniffed. Are you using POP3/smtp protocols for mail? Well, they transmit your login/password from your account in open form. FTP? Surely enough, the same problem. Having that info, attacker can do a lot of harm, so the ideal would be not only to use VPN to secure the data in transit, but to use only secure connection protocols. SSL/TLS for mail, sftp, etc that will guarantee a secure channel the whole way up to destination server. This will drastically reduce a risk of data leakage.

So, for transferring 5 million bucks while eating your burger in McDac in Lagos, yes, use VPN and make sure that lock is green in your browser

If you want to get as paranoid as I am, you may try a completely separate laptop with extremely restricted network access only to few sites you do your monies with. Never access any other sites from it (and make sure it doesn't even allow you). Use the most restrictive firewall, add VPN, use hardware disk encryption, use hardware tokens that if removed, kill the current Windows incl. temp files, keep all passwords on hardware encrypted tokens, use double hardware authentication via SMS and/or one-time password generating tokens, errr... Did I miss anything? Oh, yes, restrictive narrow angle viewing film on the screen is a must! (and then, drop the whole thing accidentally in the water! )

[o_q]

Quote:

Originally Posted by Sea Frog

Did I miss anything?

Yeah. Use OpenBSD instead of Windows

[K_V_B]

Quote:

Originally Posted by Sea Frog

That's exactly what a page I posted a link to, says However, it is very easy to lose common sinse on known sites. Like, I log in to my bank several times daily and after 1000 of logins I may simply get so much used to it that I won't even notice whether the lock is green or not.

My bank uses a custom (Firefox based) browser that you get on an USB stick. This browser will only connect with the bank, and uses a SIM card in the USB stick to authenticate every transaction. Works quite well, and tells me that they do up some thought in their clients security...
(And they're considerate enough to not only provide a Windows version, but a Linux and a Mac version as well...)

[Liltttzr]

Quote:

Originally Posted by o_q

I don't really trust what you're saying because I don't know the details of what your son is doing. I hear the PPTP protocol is not recommended anymore, so maybe PPTP is involved. I'm also assuming that your PC isn't already compromised nor any other unreasonable condition.

I am not a computer person, Coal miner (UG) by trade. My son works in network security and was showing me as he said " you old timers just do not know the risk you take". I still use a debit card and on-line banking, even though he is really against it. When he was tring to enlighten me on the "ways of the world" his words. He went to public hot spots and started to " dreg" a term that he used. Information. Then he showed me " secure networks with protection out the $## and with the same results. With this being said. He was very respectfull and would only look at the packet it self not the contence. He stated that thier are groups out there that can find the slightest opening and get in. Most of the protection that is out thier already has a way around it. But that is what I was shown and told..

[Sea Frog]

Quote:

Originally Posted by o_q

Yeah. Use OpenBSD instead of Windows

That's too hardcore for me Plus, configuring all the above using BSD (or any other nix) would require an Einstein I guess, while for Windoze it is all readily available and usable by relatively dumb users like me

[JRM]

This has been an enjoyable thread. Full of misinformation. For a while I had out my own shingle in the information security line. I was lucky to sit at the knee of one of the best for a couple years, and while I'm not nearly as paranoid as he was (he was all cash, boss paid him every two weeks in cash, he even paid his mortgage at the bank in cash), a bit rubbed off on me.

There is no such thing as absolutely secure. It's a spectrum based on time. With enough time and effort, *everything* can be compromised. The weakest part of the link is the human, most really successful targeted exploits are based on social engineering. A few good habits will go a long way... Use good passwords, change them every so often, and don't use the same one twice. For US based folks, never use a debit card outside of a marked branch ATM for your bank. Credit cards for all transactions. It isn't any more secure, but with the debit card, you're fighting with the bank to get your money back, while with the credit card you're fighting not to pay the bill. Big difference. Even then , there's a $50 liability limit with the credit card.

As far as wireless goes, there's various levels of "secured" access points. Just like a door lock, it's more to keep honest people honest. Again, it's a time thing. One can easily sniff enough packets to determine a WEP key, which is why WPA emerged. It's still breakable, it just rotates the key faster than you hope someone can grab packets, and if they do break it, they won't have long before the key changes. Ideally.

At this point, you basically do your due diligence and hope for the best. It's unlikely that someone is going to man in the middle your SSL connection for a few bucks. That's not script kiddie level activity (yet), and someone with that ability and nefarious aims will most likely be after bigger fish.

Again, most successful compromises are social engineering. Phishing is a great example. You click, you lose. As long as you avoid things like IE and outlook, most email compromises (anymore) require active clicking on your part. Why would I spend hours trying to guess your password when I can often times just contact you in the guise of IT and ask you for it. Shocking how many people will just give it to you over the phone...

I have had my debit card compromised. I broke my own rule once because I was at a big box store buying something and was too lazy to make a stop at the bank, and wanted cash. Unfortunately, they stored my number and PIN in their corporate database, which was worth the time and effort for someone to compromise. They cloned my card and took it to a casino in Las Vegas. There they bought $2 worth of gum and took $900 cash back (with my PIN). It took me almost two weeks to prove to the bank that it wasn't me (I was on shift that day), but the whole time they had my $902. A few weeks later I read in a trade rag about the compromise. Thousands of other folks were in the same boat.

This is a long winded way to say that I wouldn't lose sleep at night using an "unsecured" wireless network for my banking.

JRM

[El Rubio]

Quote:

Originally Posted by fstbttms

Well, while I have no idea what you just said, the story I related is what was told to me by the restaurant and what was reported in the media. As I said, it was an ongoing issue for several days, affected many patrons and was enough of a story that the local TV news came out and reported it.

Did it stop when Ed Snowden left the country?

[o_q]

Quote:

Originally Posted by Liltttzr

He was very respectfull and would only look at the packet it self not the contence. He stated that thier are groups out there that can find the slightest opening and get in. Most of the protection that is out thier already has a way around it. But that is what I was shown and told..

What this sounds like to me is that he knows at least how to sniff packets, and he reads websites like metasploit. However, this is besides the point, and means nothing if the bottom line is that your VPN traffic is encrypted. Going on about the possibilities of what hackers can do, comes off as someone whose intention is to scare you. Did he specifically say that VPNs aren't secure? Or did he just show you that he caught a packet while you were using VPN, and you assumed it wasn't safe?