Old 04-09-2013, 18:56   #76
Registered User

Join Date: Jun 2012
Posts: 294
Re: Can we dispel this WiFi myth?

Quote:
Originally Posted by JRM View Post
Lol. I hope you don't mind, but I have to send this to a few friends still in the biz. Priceless!!!

And I'd be a little less cavalier about bragging illegal activity, if you want a decent job in security.
Lol, I don't mind if you pass that along. I tried to stay out of this wifi post but I was bored because I knew I would end up going off. Building 4096 bit dhparams CA, server and client keys taught me enough about encryption that I don't trust it worth a damn. Once you learn how it works you realize that the NSA can probably tap *anything* with all those uber geeks and massive processing power.

I'm not at all worried about bragging "illegal" activity. Slamming through your neighbor's wifi so you can get their phone number (their password) seems like the hard way of going about things... but I am a network engineer who now works in sales. Gotta keep sharp, lol. I used to crack the copy protection on games, not for redistribution but just so I wouldn't have to wait for all the fricking loading screens so I could just launch straight to the game. Ahh.. nobody programs in Assembly/ML anymore these days, makes me feel outmoded.

Quote:
Originally Posted by JRM View Post
But again, to the OP: it boils down to "don't be stupid." You wouldn't walk down a dark alley in Calcutta, so why would you enter a password into a computer in a random Internet cafe?
That's precisely it. In a place like Calcutta, I wouldn't doubt if they offer free wifi and one of the staff has a laptop under the desk collecting gigabytes of snort files, burning them to DVD and dropping them off at a friend's house. If they know the WPA password they don't need to be sitting on a bumboat somewhere trying to crack all this encryption using the battery power coming from a 120V inverter off a car battery, they just sit and listen.

But even a Starbucks in Seattle invites the same activity, and the malicious nerds have a lot more money (i.e. computing power). Woe is the man who underestimates the pimpled face geek who is so introverted he is terrified of actually asking someone for a real job. (lol) Programmers and hackers will work for hour after hour to do something other than get off their backside drinking cans of coke drinking pizza. Really it's less work to just go to work... But to each their own I guess.
__________________

__________________
mr-canada is offline   Reply With Quote
Old 04-09-2013, 19:17   #77
Registered User
 
zboss's Avatar

Join Date: Sep 2011
Location: On a boat
Boat: Cabo Rico 38
Posts: 3,426
Re: Can we dispel this WiFi myth?

Quote:
Originally Posted by shanedennis View Post
Absolutely, this is a legitimate, specific purpose for VPNs. I would argue there are easier alternatives, but that is another subject.

In terms of Internet/WiFi security VPNs are only really useful for professionals like you and I who need to access corporate networks.
That is not true at all. I use a private VPN outside of my corporate connection on top of SSL, specifically witopia. SSL was cracked AGAIN back in March and quite a few websites are still using the cryptographic method that was cracked.

While it is quite possible that the corporation you are connecting to can be cracked, as happens to banks pretty much every day, the chances that they are updating their systems daily and actively monitoring the security situation is a whole lot better than what you could achieve on your laptop. They have access to technologies by companies like Mandiant which make your average McAfee corporate security look downright Edsel-like.
__________________

__________________
zboss is offline   Reply With Quote
Old 04-09-2013, 19:17   #78
Registered User

Join Date: Jun 2012
Posts: 294
Re: Can we dispel this WiFi myth?

Quote:
Originally Posted by goboatingnow View Post
I'd have to call mr-Canada on his long post. Lots of half truths.

Firstly brute forcing anything anyway half decent is not easy and if you are the target of a sustained effort you have bigger problems than your banking access.
I can brute force a WPA connection in as little as 5 days. Two weeks if they have a great password, which most open wifi systems don't. That's with an IBM Thinkpad with a Pentium III in it, because I was too lazy to transfer the file to my main computer.

The brute force crackability of a given encryption scheme gets easier with more computing power. Originally banks used 32 bit encryption, then 64 and then 128. It's only a matter of time before they go to 256 or 1024. An 8 core Intel computer costs far less than the amount of money you could gain by draining one person's bank account and they wouldn't have to be rich, either. That is the capacity of probably 32 of the laptop that I used to crack a WPA in 5 days.

There are automated tools to do this stuff, you don't have to be a genius writing the code. Look around my man. You can download it for free.

AES is what banks use, it is far tougher to nail per bit of key than a lot of other ones. But algorithms exist. Common password files exist and the brute force will try those first. Advancements in programming exist, and people come up with ways and algorithms to crack even faster.

Quote:
Originally Posted by goboatingnow View Post
Secondly if someone brute forces the banking system, it's your bank's problem not yours.
You're still out all your money until you can prove to the bank that it wasn't you that entered your password and that someone smashed their ultra secure system, which would cause their other customers to lose faith in their online banking security. I work for a bank. Good luck with that. Not that banks shouldn't take it more seriously, but IT guys working for banks figure they're invincible. It would take a lot of breaches before they bought that their perfect little system was busted by some Nigerian camped out by a marina in Calcutta. Until you do prove it, you're out your money.

Quote:
Originally Posted by goboatingnow View Post
Furthermore VPNs are only secure from end point to end point. If you use a commercial VPN it isn't secure from the VPN exit point to the destination. End to end corporate VPNs are more secure at least https is end to end.
Yes, they are only secure from endpoint to endpoint. The point (pardon the pun) is that all traffic over the wifi is encrypted by another method than the wifi router's own encryption. If you can access that shared access point, what's to say someone else can't? Of course your proxy server connected to a wired connection somewhere in the first world could in theory be hacked. AT&T, Verizon, whoever your own provider could be hacked. But it's more secure than an open shared wireless connection, WEP, WPA or cleartext in some country filled with people in the poorhouse living on $40 a month. At least you're using your own encryption and you are masking what you're doing so they can't cherry pick your banking traffic and focus all their energies on that.

Quote:
Originally Posted by goboatingnow View Post
Saying someone can detect your banking ie www.mybank.con is nonsense. Sure my bank has that URL on its front web page.

Your post read like a bogey man story. Lol
In order to access your bank's webpage, your computer needs to send an HTTP request to that URL, requesting that the page be displayed. When you hit the login page, it redirects you using an HTTP-REDIRECT to their HTTPS page, this is also in the clear. Once you connect to HTTPS the handshake begins, which reveals the encryption method and starts the handshake to begin encrypting data. Then you type your password once the encrypted connection is open and start accessing your bank encrypted.

You can figure I'm the bogey man. Hey, if I was a black hat sort of guy maybe I would be the bogey man. Or.... You can realize that no encryption scheme is foolproof and accessing your personal financial information over some sketchy wifi connection opens you up to risk. Will you have your bank account drained every time you do it? Absolutely not.

But the question was, is this completely safe. The answer to that is absolutely no.

I could pop a laptop in my garage and snort all of my neighbor's traffic, bust their wifi router's encryption scheme and then snort cleartext off their wireless LAN. Then I could identify what packets are going where and of what type, and if I found an encrypted connection following a bank HTTP request I could find the software to bash that traffic, devote as much computing resources as I could to it, and wait until the computer found the answer. Depending on the available computing resources, it may not be fast, and depending on the sample size it may not work. But if I was sitting doing that 24 hours a day for years I'd have a pretty good chance at getting through before the computer I was doing it on went obsolete.
__________________
mr-canada is offline   Reply With Quote
Old 04-09-2013, 19:29   #79
Registered User

Join Date: Jun 2012
Posts: 294
Re: Can we dispel this WiFi myth?

Quote:
Originally Posted by zboss View Post
That is not true at all. I use a private VPN outside of my corporate connection on top of SSL
True. There are user friendly VPN solutions available, or if you know some nut job like me you can build your own using OpenVPN. Then you tunnel from your hardened promiscuous roadwarrior machine (laptop on your boat for example connecting to wifi of dubious quality) straight to your own connection and basically use that instead.

Of course... You could always just take my suggestion and use your phone's data plan and skip past the 98% of would be identity thieves who can't afford all the gear and antennae to snort that type of traffic (hideously expensive)
__________________
mr-canada is offline   Reply With Quote
Old 04-09-2013, 19:57   #80
Registered User
 
Teknav's Avatar

Join Date: Jul 2012
Location: Texas - USA
Boat: Twin Otter de Havilland Floatplane
Posts: 1,838
Re: Can we dispel this WiFi myth?

Hiya Mr. Canada! I used to work for an engineering company with an unusual login methodology. To remotely access their website, I had to login/password as usual, then terminate the process. In less than 3 minutes, the company's main frame would contact me back on-line requesting me to re-connect. The login/user ID was the same as in my initial contact, but the password included a Chinese character that was copy/pasted from a list that was provided to us; a Chinese character for every day of the month. An example of a password would be...Rx7yTo(Chinese character pasted)@. I believe that this was the best secure system, I ever worked with. If someone tried to sniff the password, an empty square would show up where the Chinese character is; can't copy it!

Mauritz
__________________
Retired - Don't Ask Me To Do A Damn Thing!
Teknav is offline   Reply With Quote
Old 04-09-2013, 21:38   #81
Registered User

Join Date: Jun 2012
Posts: 294
Re: Can we dispel this WiFi myth?

Actually that does sound like a great login method. You login then the server contacts you inbound 3 minutes later. The handshake is broken from the process, although not completely separated, unless it's coming from a totally different IP.

Although the Chinese character thing may have been a bit of a misnomer.. even when it shows an empty square, it is still showing an ISO-multilanguage character set in multibyte.

But it sure would fool a lot of brute force password crackers that would not try Chinese mixed in. The Chinese have like what, 4000 characters to our 27 letter alphabet... that certainly would make brute force less effective.
__________________
mr-canada is offline   Reply With Quote
Old 04-09-2013, 22:40   #82
Elvish meaning 'Far-Wanderer'
 
Palarran's Avatar

Cruisers Forum Supporter

Join Date: Jan 2008
Location: Me - Michigan / Boat - Tenerife
Boat: 56' Fountaine Pajot Marquises
Posts: 2,641
Re: Can we dispel this WiFi myth?

Quote:
Originally Posted by KneesintheBreez View Post
What I do is use only one account for purchases -- one card. I keep a low balance in it to assuage just such fears. That way, my potential loss is limited to a certain "low" amount. Then, I monitor the activity in the account for anything "suspicious," and (usually) finding nothing, I replenish the "active account" as necessary, over the phone (landline). My other, "real money-containing," accounts specifically have no cards or checks assigned, so nothing to steal. And, you are protected from credit card fraudulent activity for 30 days (review your statements!) Not so with ATM/Debit charges, and if they get those numbers, you are liable for ALL fraudulent activity! AND, ALWAYS carry a gun. Sure, get a permit. Make them think twice!
I'm pretty similar to this. I also use a bank that has a "go id" dongle that produces a 6 digit number every minute to log in. Then I can transfer the money to the credit card accounts and debit card accounts. If traveling overseas you will most likely need a debit card as it's the easiest way to get cash in a local currency. It works pretty well, I have two credit cards and two debit cards all pulling off one different bank account.
__________________
Not all who wander are lost

http://www.sailblogs.com/member/palarran/
Palarran is offline   Reply With Quote
Old 05-09-2013, 01:39   #83
Registered User

Join Date: Jul 2012
Location: Switzerland
Boat: So many boats to choose from. Would prefer something that is not an AWB, and that is beachable...
Posts: 1,242
Re: Can we dispel this WiFi myth?

Quote:
Originally Posted by mr-canada View Post
Same goes with SSL blowfish and all the other encryption schemes. What is on your side is time. If you are only online to access your bank account using SSL for 5 minutes, they may not get enough of a sample to be able to brute force their way to cleartext. They can still try, but they will get all sorts of misses and likely have to sort the wheat from the chaff themselves because they will have to analyze the data with different attempts at brute force keys.
The main problem with "brute forcing" blowfish is with the nature of the cypher. Blowfish is a fast, bulk cypher (which is convenient for protecting a data stream) but it requires a non trivial time to set up all the necessary data structures in memory, once a key has been chosen.
This means that a brute force attempt needs a lot of time to get through the key space.

Quote:
4096-bit RSA can even be cracked, that is what I used to set up for VPNs that I would build for companies. It's just that the key size is so huge that it would take a very, very long time. Banks online often use 64 or 128 bit encryption which is a lot easier although they use a different method than RSA which is a bit tougher to nail per bit of key.
RSA is an asymmetric Cypher, it's a so called "public private key" system, and it is not used for bulk enciphering, as it is too slow. So in your VPN RSA will be used to exchange a session key, but this shorter session key is used with a bulk cipher, like Blowfish or Rijndael. Banks do the same thing.

Quote:
How do you think that your computer can decrypt what the bank is sending you over HTTPS? It's because the bank sent you the keys and then you unlocked the door using the keys they gave you.
Session keys are never sent in the clear. The way it really works is like this:

1) Bank sends its public key. This key is part of the HTTPS certificate it sends, and is usually an RSA key, and can be quite long.
2) Your computer then generates a shorter session key (128 bits for example) and encrypts this with the bank's public key.
3) The bank receives this, and uses its private key to decrypt your message, and so gets the session key.
4) The session key is used to encrypt all traffic.
(Ok, it's actually a lot more complex, but I won't get in to details...)

The beauty of RSA is that a message encrypted with the public key can only be decrypted using the private key and vice versa. So this allows secure communication without ever having to divulge anything in the clear that would allow eavesdropping. It is theoretically possible to derive the private key from the public key, but in practice this is not.

So eavesdropping on well implemented SSL is not practically possible.
(I say well implemented, because in the past implementations did exist that didn't choose their session keys randomly enough...)


Quote:
Putting faith that the bank has made their encryption unbreakable is as stupid as putting faith that the designer of your boat made it unsinkable.
Some banks don't put their faith in encryption as well. They instead use mechanisms that authenticate each transaction. So even if someone were able to eavesdrop he would find out what I was doing, but never manage to get enough information to steal money...
__________________
K_V_B is offline   Reply With Quote
Old 07-09-2013, 23:48   #84
Registered User
 
Sailor g's Avatar

Join Date: Jan 2011
Location: Southern California
Posts: 1,137
Quote:
Originally Posted by mr-canada View Post


Of course... You could always just take my suggestion and use your phone's data plan and skip past the 98% of would be identity thieves who can't afford all the gear and antennae to snort that type of traffic (hideously expensive)


I wouldn't even trust a phone. The bad guys have found a way to take the info off of your SIM card just by calling your phone. The data is encrypted but that could be cracked. So far all the crooks have done is make long distance calls-but who knows what's next...
__________________
Sailor g is offline   Reply With Quote
Old 08-09-2013, 01:08   #85
Registered User
 
svseachange's Avatar

Join Date: Aug 2012
Location: East Coast of Australia
Boat: Custom Steel 43 ft
Posts: 781
K_V_B is the voice of reason.

Think about it. If SSL was inherently insecure then Internet commerce would cease. No Amazon, no eBay, no banking online, no credit card transactions etc. The Internet would fall apart. The systems most businesses have developed to take advantage of Internet technologies would be worthless. The world economy would fall into a deep depression. It's doomsday talk, and unnecessarily alarmist.

The truth of the matter is conducting business using SSL over an open wireless network is many times more secure than the alternatives. It is many times more secure than conducting business in person at a bank. It is many times more secure than handing over your credit card at a restaurant or store. It is many times more secure than conducting business via fax. It is many times more secure than conducting business using the mail. And, of course, it is many times more secure than keeping wads of cash on your boat.
__________________
svseachange is offline   Reply With Quote
Old 08-09-2013, 03:48   #86
Registered User
 
Albro359's Avatar

Join Date: Jun 2009
Location: Elyse is in Fiji
Boat: Amel Super Maramu 2000
Posts: 510
Re: Can we dispel this WiFi myth?

Paranoia...in overdrive !!!
__________________
See you out there ....... Alan S.V. Elyse
now http://svelyse.weebly.com
older http://voyagesofDIVA.weebly.com
Albro359 is offline   Reply With Quote
Old 08-09-2013, 04:08   #87
Registered User

Join Date: Jul 2012
Location: Switzerland
Boat: So many boats to choose from. Would prefer something that is not an AWB, and that is beachable...
Posts: 1,242
Re: Can we dispel this WiFi myth?

Quote:
Originally Posted by shanedennis View Post
The truth of the matter is conducting business using SSL over an open wireless network is many times more secure than the alternatives. It is many times more secure than conducting business in person at a bank. It is many times more secure than handing over your credit card at a restaurant or store. It is many times more secure than conducting business via fax. It is many times more secure than conducting business using the mail. And, of course, it is many times more secure than keeping wads of cash on your boat.
In the end what matters is not security but reputation. We deal with Amazon not because Amazon has good security (although it does) but because Amazon cares about its reputation. We give our credit card to the waiter in a restaurant because we know the restaurant cares about its reputation.
The restaurant stands to lose a lot more than they can potentially gain from abusing my trust in them. So they don't.
__________________
K_V_B is offline   Reply With Quote
Old 08-09-2013, 06:10   #88
Registered User
 
svseachange's Avatar

Join Date: Aug 2012
Location: East Coast of Australia
Boat: Custom Steel 43 ft
Posts: 781
Re: Can we dispel this WiFi myth?

Quote:
Originally Posted by K_V_B View Post
In the end what matters is not security but reputation.
Excellent point. There is no difference between giving a disreputable entity your credit card information in person or online.

The current news about the US NSA deliberately inserting backdoors and blocking even stronger encryption is troubling (see: NSA uses supercomputers to crack Web encryption, files show) but it also shows how strong encryption can be. Even the NSA finds it difficult to crack strong encryption.

You don't need to worry about Joe Blow sitting in the chair next to you at the picnic table cracking your encryption. Worry about him watching or manually filming your keystrokes instead.
__________________
svseachange is offline   Reply With Quote
Old 08-09-2013, 14:49   #89
Nearly an old salt
 
goboatingnow's Avatar

Cruisers Forum Supporter

Join Date: Jun 2009
Posts: 13,649
Images: 3
Quote:
Originally Posted by shanedennis View Post

Excellent point. There is no difference between giving a disreputable entity your credit card information in person or online.

The current news about the US NSA deliberately inserting backdoors and blocking even stronger encryption is troubling (see: NSA uses supercomputers to crack Web encryption, files show) but it also shows how strong encryption can be. Even the NSA finds it difficult to crack strong encryption.

You don't need to worry about Joe Blow sitting in the chair next to you at the picnic table cracking your encryption. Worry about him watching or manually filming your keystrokes instead.
Exactly, little real cipher breaking actually goes on, most use exploits that are weaknesses either user or system.

Worrying about the NSA is just stupid.

A bus may also run you over

Dave
__________________
Check out my new blog on smart boat technology, networking and gadgets for the connected sailor! - http://smartboats.tumblr.com
goboatingnow is offline   Reply With Quote
Old 12-09-2013, 08:58   #90
Registered User

Join Date: May 2011
Location: Toronto
Boat: Sandpiper 565
Posts: 2,943
Re: Can we dispel this WiFi myth?

Quote:
Originally Posted by K_V_B View Post
In the end what matters is not security but reputation. We deal with Amazon not because Amazon has good security (although it does) but because Amazon cares about its reputation. We give our credit card to the waiter in a restaurant because we know the restaurant cares about its reputation.
The restaurant stands to lose a lot more than they can potentially gain from abusing my trust in them. So they don't.
I agree with the above, and it underscores another reason why the bigger banks, cards and online stores are relatively safe to deal with: they usually step up and reimburse the user if a provable fraud has occurred.

This is both reassuring and a bit disturbing; it means that the real extent of online fraud is masked because the vendors quickly make good and the actual crime goes uncounted (banks, etc don't release this info) or unreported to the authorities.

It's apparently more cost-effective to have reasonable security, and quick resolution of some fraud, rather than more solid security and less fraud. Probably because the fraud from social engineering still outstrips fraud from technical exploits.
__________________

__________________
Lake-Effect is offline   Reply With Quote