Cruisers Forum
 


Join CruisersForum Today

Reply
 
Thread Tools Rate Thread Display Modes
Old 03-09-2013, 18:57   #61
Registered User
 
zboss's Avatar

Join Date: Sep 2011
Location: On a boat
Boat: Cabo Rico 38
Posts: 3,426
Re: Can we dispel this WiFi myth?

Quote:
Originally Posted by captain58sailin View Post
Does using a VPN keep you anymore secure on a unsecured public Wi Fi network?
Yes, it helps prevent man-in-the-middle attacks. This occurs when a hacker uses his computer to impersonate the wifi access point (proxy), passing data between you and the WAP, meanwhile recording the whole conversation.

A VPN will use a pre-shared key between yourself and the provider, not a negotiated one. Therefore, all data, even when intercepted, remains encrypted.
__________________

__________________
zboss is offline   Reply With Quote
Old 03-09-2013, 19:35   #62
Registered User
 
svseachange's Avatar

Join Date: Aug 2012
Location: East Coast of Australia
Boat: Custom Steel 43 ft
Posts: 781
Quote:
Originally Posted by zboss View Post
Yes, it helps prevent man-in-the-middle attacks.
Not at all. It's quite possible for the server hosting your VPN to be less secure. For example, if the destination server is further away ( in terms of hops) from your VPN than your computer then there are more opportunities for the (extremely rare, almost non-existent with https/SSL) man in the middle attacks.

If you are in the BVI amd you use a US based VPN to access your BVI bank then you are taking a less secure path.

You are better off spending the time and/or money to make sure your own computer is a hard target. Again, if you use https then there is practically zero chance your communication will be intercepted using with a man in the middle attack. The whole purpose of SSL (https) is eliminate hem.

The whole point of VPNs is to secure communications within a private wide area network. They only have practical application to cruisers who need secure access to private corporate networks. 90% of the cruisers I meet are retired and as such have virtually no use for them.
__________________

__________________
svseachange is offline   Reply With Quote
Old 03-09-2013, 19:45   #63
Senior Cruiser
 
rebel heart's Avatar

Cruisers Forum Supporter

Join Date: Oct 2005
Posts: 6,190
Images: 3
Re: Can we dispel this WiFi myth?

Another huge benefit to the VPN providers is that you can change your geographic origin. There are people right now on the Puddle Jump Yahoo Group signing up for OpenVPN because their banks don't allow traffic from the Cook Islands.
__________________
rebel heart is offline   Reply With Quote
Old 03-09-2013, 20:00   #64
Registered User
 
svseachange's Avatar

Join Date: Aug 2012
Location: East Coast of Australia
Boat: Custom Steel 43 ft
Posts: 781
Quote:
Originally Posted by rebel heart View Post
Another huge benefit to the VPN providers is that you can change your geographic origin. There are people right now on the Puddle Jump Yahoo Group signing up for OpenVPN because their banks don't allow traffic from the Cook Islands.
Absolutely, this is a legitimate, specific purpose for VPNs. I would argue there are easier alternatives, but that is another subject.

In terms of Internet/WiFi security VPNs are only really useful for professionals like you and I who need to access corporate networks.
__________________
svseachange is offline   Reply With Quote
Old 03-09-2013, 20:06   #65
Registered User

Join Date: Aug 2009
Location: Boston, MA
Boat: Beneteau Oceanis 43 & S2 6.9
Posts: 963
Re: Can we dispel this WiFi myth?

Everything we do is all about weighing the risks, right? Well, in general the risks of being on an unsecured wifi connection are probably less than the risks of cruising.

The biggest risk of an unsecured wifi network is whether or not it is a legit network or a network designed to steal data. If I host an unsecured wifi network and you connect to it and try to access your bank, I could redirect your connection to my own site that looks just like your bank. That's the real risk - the likelihood of someone capturing your data and decrypting it is very unlikely - takes too much time for the unknown. To avoid the above, you simply want to ensure your connection is using https and that you don't get any certificate errors. An error could indicate your were redirected to a fake site.

As far as banking, the simplest way to ensure you don't have your bank account accessed is to choose a bank that uses two-factor authentication. This means that it takes more than just a password to access it. Maybe not every time, but the first time you connect from a new computer for example, it should require extra steps. My bank sends me a text to my phone and I'd have to enter it. Without that, someone can't get on my account from an unauthorized computer. Steps like this ensure no one can access your account.
__________________
maytrix is offline   Reply With Quote
Old 03-09-2013, 20:16   #66
Registered User
 
svseachange's Avatar

Join Date: Aug 2012
Location: East Coast of Australia
Boat: Custom Steel 43 ft
Posts: 781
Quote:
Originally Posted by maytrix View Post
If I host an unsecured wifi network and you connect to it and try to access your bank, I could redirect your connection to my own site that looks just like your bank.
Again , an extremely low risk. And if you are silly enough to ignore the big fat security warning your browser gives you when you navigate to the fake site using https then no amount of security is going to help you.
__________________
svseachange is offline   Reply With Quote
Old 03-09-2013, 20:31   #67
o_q
Registered User
 
o_q's Avatar

Join Date: Apr 2012
Posts: 291
Re: Can we dispel this WiFi myth?

Quote:
Originally Posted by jongleur View Post
o_q:

Thanks for that, but upon googling VPN
I'm now more confused than ever. After
spending time looking at just one VPN
provider site (AT&T), the choices are
mindboggling. And there's no reference
to cost. Would it be $1/month? or $1000/
month? Does one need new hardware?

My guess is that the posters on this
thread that are using the acronyms
already understand what they need
to do. Those of us who don't, well,
we're the ones who are screwed.
From your previous post, it seemed you wanted right action instead of further explanation that would confuse you more. I assumed that googling VPN, and my wording implying there are VPN providers, would lead you to conclude that you should get a VPN provider. I don't have a VPN provider because I don't frequent public wifi access. So naturally I did not lead you to a specific provider with instructions.

check here:
http://proxpn.com/#how
http://proxpn.com/#pricing
__________________
o_q is offline   Reply With Quote
Old 03-09-2013, 20:56   #68
o_q
Registered User
 
o_q's Avatar

Join Date: Apr 2012
Posts: 291
Re: Can we dispel this WiFi myth?

Quote:
Originally Posted by shanedennis View Post
there is no practical difference in security in security between a browsers SSL connection and a VPN connection.
Yes there is. Most people aren't going to check to see if there's an "https" on every url they go to. They're not going to check for invalid or expired certs. They are going to dismiss warnings such as sending unencrypted content. Sure, most people aren't going to use a VPN either, but if they are worried about security, using a VPN is the end of their concern, whereas being considerate of sites using SSL is a constant struggle. That is practical.

Quote:
Originally Posted by shanedennis View Post
Again , an extremely low risk. And if you are silly enough to ignore the big fat security warning your browser gives you when you navigate to the fake site using https then no amount of security is going to help you.
You forget that this warning can be suppressed by the fake host simply not using https.
__________________
o_q is offline   Reply With Quote
Old 03-09-2013, 22:20   #69
Registered User

Join Date: Jun 2012
Posts: 294
Re: Can we dispel this WiFi myth?

All wifi traffic can be "snorted". Encrypted or not. I play around as a former network engineer and crack people's wireless routers for fun just to keep my skills sharp around my house, just to see what their passwords are. WEP is the easiest, takes half a day. WPA takes forever, could be weeks. But eventually they can all be cracked.

Same goes with SSL blowfish and all the other encryption schemes. What is on your side is time. If you are only online to access your bank account using SSL for 5 minutes, they may not get enough of a sample to be able to brute force their way to cleartext. They can still try, but they will get all sorts of misses and likely have to sort the wheat from the chaff themselves because they will have to analyze the data with different attempts at brute force keys.

4096-bit RSA can even be cracked, that is what I used to set up for VPNs that I would build for companies. Its just that the key size is so huge that it would take a very, very long time. Banks online often use 64 or 128 bit encryption which is a lot easier although they use a different method than RSA which is a bit tougher to nail per bit of key.

Most people access their bank website as follows:

1. open browser
2. type in www.bank.com
3. bank.com will redirect them to a HTTPS site and swap keys with them
4. they will connect using HTTPS on the encrypted connection

step 2 and step 3 provide the most vulnerability. Suddenly snorting traffic when someone is already connected to 128bit encryption is going to lead to a very long brute force attempt to figure out not only what is being transmitted, but what encryption method is used and at how many bits. But watching all the traffic and seeing that initial request of step 2 is half the battle- they can simply connect to that site and find out the encryption menthod.

Step 3 where the encryption handshake takes place is also a big weakness if someone is snorting long term over wifi. It doesn't exactly give away the keys to the gate but it does reveal excellent information which can be used to decrypt the message much quicker. How do you think that your computer can decrypt what the bank is sending you over HTTPS? Its because the bank sent you the keys and then you unlocked the door using the keys they gave you.

People place far too much trust in encryption schemes. The best way to protect yourself over wifi is to have a VPN built and setup with your own CA (certification authority). You connect via wifi and the first thing your system does is connect to the VPN (secret keys). Then all of your traffic to every website is encrypted because on the other end of that VPN is a proxy server of some sort sending everything to you encrypted to the maximum possible with the biggest key available. Nobody snorting will know that you did anything but request a connection on some nonstandard port to some nondescript IP or domain name, then everything turns to garble. There's no key exchange and most good VPN software will encrypt with your main overarching encryption scheme and will encrypt the handshake using a non pre shared key with something good like blowfish until it knows that the tunnel is open. While this traffic could be snorted and eventually decrypted, as far as the snorter is concerned you could have just opened a media connection and were watching TV because until they brute force through it its all static.

However just connecting even to a WPA access point, connecting to your bank and then typing your password is actually hideously insecure. How did you get the WPA password? They could probably get it just as easily as you did. Then they wouldnt even have to bust the WPA password, they just snort all traffic and see what they can dig up in the clear. Your request for www.bank.com and then the https traffic afterwards means they can attempt to bruteforce their way through that particular encryption scheme knowing it's probably worth something to them. Even if it takes them a week they could still drain your bank account, and if they're doing this as an income source... they could make a killing by snorting everything.

Luckily however, most criminals who would sit around at a marina snorting traffic do not have the kind of computing power available to them to do more than one or two brute force attempts at a time and they arent using the kind of computing power to do it at all fast. An 8-core intel can do the job pretty good, but if you were in the business of cracking bank passwords over wifi you'd want a massively multiprocessor PC, say something Cell based normally used by companies like Pixar to make high definition animated movies. Criminals can make use of botnets to increase computing power but then they're dealing with the Russian mob who will extract enough of a cut that it might not be worth it, and it still doesnt guarantee success, but the Russian Mob certainly will ensure payment is guaranteed.

That said it is not without risks. A snorted file can be uploaded to someone who does have better computing capacity, or sold on the black market as network traffic made by rich people (boat owners are rich to criminals looking to get into this sort of game).

The safest method to do online banking on board is to use the data off your cell phone. It's always encrypted with a pre-shared key (in the SIM card) and a phone call looks the same to someone sniffing it as web data because they transport the packets in the same way. The sniffing gear is not as easily available (snorting wifi is as simple as having a wireless network card in your laptop or desktop, which everyone has) and different providers operate on different frequencies futher complicating matters for the would be identity theif.

So use your cell phone's roaming plan for your banking browse your porn off the marina wifi connection. Then if the identity theif does manage to decrypt your traffic all he'll get is a free woodie.

Putting faith that the bank has made their encryption unbreakable is as stupid as putting faith that the designer of your boat made it unsinkable.
__________________
mr-canada is offline   Reply With Quote
Old 03-09-2013, 22:45   #70
Registered User
 
Teknav's Avatar

Join Date: Jul 2012
Location: Texas - USA
Boat: Twin Otter de Havilland Floatplane
Posts: 1,838
Re: Can we dispel this WiFi myth?

My banks, in addition to logging-in, require me to correctly answer changing security questions prior to allowing me access to my accounts; 3 questions that randomly change every time I access my accounts. It's another layer of security besides using HTTPS. Questions like...Where were you born...South Pole...Your first plane...Concorde...Your first pet...Mule named Zanzibar.

Mauritz
Knows and sees all...Mule is not for sale!
__________________
Retired - Don't Ask Me To Do A Damn Thing!
Teknav is offline   Reply With Quote
Old 03-09-2013, 22:54   #71
Registered User

Join Date: Jun 2012
Posts: 294
Re: Can we dispel this WiFi myth?

not much help if they watch you type in one successfully. try, try again eventually it will ask one of the right questions. plus most banks ask those questions when you access your account from a new computer. having the entire TCP packets allows them to exactly clone your computer and browser type.

those passwords dont alter the encryption they only give the bank one more layer of security

heres what every webserver sees when you hit any image or page:


Code:
2008-06-23 00:03:34 W3SVC1 70.71.0.218 GET /jaffe/modules/xgallery/dasara/laliga/repution/repution/bankofamerica/account/updates/platinum/foot_lock.gif - 80 - 82.128.4.183 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.8.1.14)+Gecko/20080404+Firefox/2.0.0.14 304 0 0
Its also been done before:
http://fraudpractice.com/fraudblog/?page_id=422
__________________
mr-canada is offline   Reply With Quote
Old 04-09-2013, 09:20   #72
Registered User

Join Date: May 2012
Location: Central California
Boat: Catalina 30
Posts: 873
Re: Can we dispel this WiFi myth?

...still confused...

But I like the phone access idea from
mr-canada. Thanks.
__________________
Bill
...........................................
You can't buy happiness, but you can buy ribeye.
jongleur is offline   Reply With Quote
Old 04-09-2013, 09:41   #73
JRM
Registered User

Join Date: Aug 2009
Location: Santa Barbara
Boat: Valiant 40
Posts: 416
Images: 2
Quote:
Originally Posted by mr-canada View Post
All wifi traffic can be "snorted". Encrypted or not. I play around as a former network engineer and crack people's wireless routers for fun just to keep my skills sharp around my house, just to see what their passwords are. WEP is the easiest, takes half a day. WPA takes forever, could be weeks. But eventually they can all be cracked.

Same goes with SSL blowfish and all the other encryption schemes. What is on your side is time. If you are only online to access your bank account using SSL for 5 minutes, they may not get enough of a sample to be able to brute force their way to cleartext. They can still try, but they will get all sorts of misses and likely have to sort the wheat from the chaff themselves because they will have to analyze the data with different attempts at brute force keys.

4096-bit RSA can even be cracked, that is what I used to set up for VPNs that I would build for companies. Its just that the key size is so huge that it would take a very, very long time. Banks online often use 64 or 128 bit encryption which is a lot easier although they use a different method than RSA which is a bit tougher to nail per bit of key.

Most people access their bank website as follows:

1. open browser
2. type in www.bank.com
3. bank.com will redirect them to a HTTPS site and swap keys with them
4. they will connect using HTTPS on the encrypted connection

step 2 and step 3 provide the most vulnerability. Suddenly snorting traffic when someone is already connected to 128bit encryption is going to lead to a very long brute force attempt to figure out not only what is being transmitted, but what encryption method is used and at how many bits. But watching all the traffic and seeing that initial request of step 2 is half the battle- they can simply connect to that site and find out the encryption menthod.

Step 3 where the encryption handshake takes place is also a big weakness if someone is snorting long term over wifi. It doesn't exactly give away the keys to the gate but it does reveal excellent information which can be used to decrypt the message much quicker. How do you think that your computer can decrypt what the bank is sending you over HTTPS? Its because the bank sent you the keys and then you unlocked the door using the keys they gave you.

People place far too much trust in encryption schemes. The best way to protect yourself over wifi is to have a VPN built and setup with your own CA (certification authority). You connect via wifi and the first thing your system does is connect to the VPN (secret keys). Then all of your traffic to every website is encrypted because on the other end of that VPN is a proxy server of some sort sending everything to you encrypted to the maximum possible with the biggest key available. Nobody snorting will know that you did anything but request a connection on some nonstandard port to some nondescript IP or domain name, then everything turns to garble. There's no key exchange and most good VPN software will encrypt with your main overarching encryption scheme and will encrypt the handshake using a non pre shared key with something good like blowfish until it knows that the tunnel is open. While this traffic could be snorted and eventually decrypted, as far as the snorter is concerned you could have just opened a media connection and were watching TV because until they brute force through it its all static.

However just connecting even to a WPA access point, connecting to your bank and then typing your password is actually hideously insecure. How did you get the WPA password? They could probably get it just as easily as you did. Then they wouldnt even have to bust the WPA password, they just snort all traffic and see what they can dig up in the clear. Your request for www.bank.com and then the https traffic afterwards means they can attempt to bruteforce their way through that particular encryption scheme knowing it's probably worth something to them. Even if it takes them a week they could still drain your bank account, and if they're doing this as an income source... they could make a killing by snorting everything.

Luckily however, most criminals who would sit around at a marina snorting traffic do not have the kind of computing power available to them to do more than one or two brute force attempts at a time and they arent using the kind of computing power to do it at all fast. An 8-core intel can do the job pretty good, but if you were in the business of cracking bank passwords over wifi you'd want a massively multiprocessor PC, say something Cell based normally used by companies like Pixar to make high definition animated movies. Criminals can make use of botnets to increase computing power but then they're dealing with the Russian mob who will extract enough of a cut that it might not be worth it, and it still doesnt guarantee success, but the Russian Mob certainly will ensure payment is guaranteed.

That said it is not without risks. A snorted file can be uploaded to someone who does have better computing capacity, or sold on the black market as network traffic made by rich people (boat owners are rich to criminals looking to get into this sort of game).

The safest method to do online banking on board is to use the data off your cell phone. It's always encrypted with a pre-shared key (in the SIM card) and a phone call looks the same to someone sniffing it as web data because they transport the packets in the same way. The sniffing gear is not as easily available (snorting wifi is as simple as having a wireless network card in your laptop or desktop, which everyone has) and different providers operate on different frequencies futher complicating matters for the would be identity theif.

So use your cell phone's roaming plan for your banking browse your porn off the marina wifi connection. Then if the identity theif does manage to decrypt your traffic all he'll get is a free woodie.

Putting faith that the bank has made their encryption unbreakable is as stupid as putting faith that the designer of your boat made it unsinkable.
Lol. I hope you don't mind, but I have to send this to a few friends still in the biz. Priceless!!!

And I'd be a little less cavalier about bragging illegal activity, if you want a decent job in security. When I worked for a defense contractor part of the background investigation was previously illegal cracking activity. Automatic DQ. We missed out on talent that way, but security is really all about trust management. They'll get you on the polygraph anyway, but no reason to DQ yourself early.

But again, to the OP: it boils down to "don't be stupid." You wouldn't walk down a dark alley in Calcutta, so why would you enter a password into a computer in a random Internet cafe? You would pay attention to your surroundings in Tijuana, why would you ignore the obvious info your browser would be giving you? Just because it's a computer doesn't change the rules of common sense. Even then, just like you wouldn't carry a bunch of cash in a single spot on your person, don't put all your digital financial eggs in one basket.

A computer/smartphone/tablet is just a tool. You do your due diligence and hope for the best. I'd rather do online banking in Mombasa than use my debit card at the average US gas station...

JRM
__________________
JRM is offline   Reply With Quote
Old 04-09-2013, 10:01   #74
Nearly an old salt
 
goboatingnow's Avatar

Cruisers Forum Supporter

Join Date: Jun 2009
Posts: 13,649
Images: 3
I'd have to call mr-Canada on his long post. Lots if half truths.

Firstly brute forcing anything anyway half decent is not easy and if you are the target of a sustained effort you have bigger problems then your banking access.

Secondly if someone brute forces the banking system , its your banks problem not yours.

Furthermore VPNs are only secure from end point to end point. If you use a commercial VPN it isn't secure from the VPN exit point to the destination. End to end corporate VPNs are more secure at least https is end to end.

Saying someone can detect your banking ie www.mybank.con is nonsense. Sure my bank has that URL on its front web page.

Your post read like a bogey man story. Lol

Dave
__________________
Check out my new blog on smart boat technology, networking and gadgets for the connected sailor! - http://smartboats.tumblr.com
goboatingnow is offline   Reply With Quote
Old 04-09-2013, 11:38   #75
Registered User

Join Date: May 2012
Location: Central California
Boat: Catalina 30
Posts: 873
Re: Can we dispel this WiFi myth?

goboatingnow:

Did you really mean "www.mybank.con" ?

Freudian slip?
__________________

__________________
Bill
...........................................
You can't buy happiness, but you can buy ribeye.
jongleur is offline   Reply With Quote
Reply

Tags
paracelle

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off




Copyright 2002- Social Knowledge, LLC All Rights Reserved.

All times are GMT -7. The time now is 17:59.


Google+
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Social Knowledge Networks
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.

ShowCase vBulletin Plugins by Drive Thru Online, Inc.