Can we dispel this WiFi myth?

[zboss]

Quote:

Originally Posted by mr-canada

Of course... You could always just take my suggestion and use your phone's data plan and skip past the 98% of would be identity theives who can't afford all the gear and antennae to snort that type of traffic (hideously expensive)

Now THAT is true.

When I was in Africa, pretty much all banking is done by mobile phone. You send someone money by phone and then call them with the unlock code. You go to their version of a western union, and give them your phone and the code and they hand you the money.

The phone alone or the code alone does you no good.

[hellosailor]

"Does anyone have a first hand example of their bank details being stolen over an unsecured wifi connection and then funds being withdrawn from their account????"

There have been any number of reports of massive thefts and frauds against major retailers (offhand I think Home Depot was one) going back around 5? 8? years ago. Folks would just pull up in the parking lot, skim the credit card information from the unsecured internal wifi networks in the stores, and have a field day. So yes, commercial organized theft of data from unsecured Wifi is common, or has been.

Which is also why WEP has been obsoleted, it was at least five years ago that tools to crack WEP in under five minutes were published.

If you can pick a public location where folks use free WiFi, the odds are someone was, is, or will be sniffing for information.

Now, if you are using only HTTPS secured web pages, or you are using some other "end to end" security scheme like a VPN, you can probably use unsecured wifi without any risk because--by definition--you have now secured it.

The easy alternative used to be using a cellular connection, but as was proven at one of the hacker conventions this year, all it takes is a $300 picocell (now commonly sold as home cell boosters) and a little work, and you can capture and decrypt any cellular connection in the immediate area as well.

There are plenty of white papers online. Security is only necessary if you have something to lose. Or if you use one same username and password in multiple places, which led to weeks in hell for one of the authors at Wired after he got hacked by social engineering, and the clever hackers went to likely places and chased down his other accounts.

[s/v Jedi]

Don't worry if you loose your password that you only used over encrypted SSL links. The NSA decrypts it all so just give them a call and ask for your password

Seriously, it has come up last week that the NSA has backdoors into all the encryption protocols. They basically paid millions to the programmers to convince them to agree to this. All our traffic is unsafe unless program sources are published for peer review. When this happens, like with PGP, it is often declared illegal to use it. Says it all IMHO.

[Tomm0]

The main risk is that you're connecting to someone's wifi pineapple (it's a kind of honey trap) and not to a real router.
If the website you access is using HTTPS you don't really have a problem connecting to the internet via any connection.
- Network Engineer.

[goboatingnow]

Quote:

"you have no privacy, get over it." Scott McNealy, ex-CEO of Sun Microsystems

Get out the TIN Hats
dave

[goboatingnow]

actually its worth point out that PGP with 2048 bits keys have not been cracked, nor has GNU Privacy platform. Both of these are open source, so backdoor access isnt possible

Of course endpoint hacking is possible.

dave

[vtsailguy]

What a great thread.


I you sift through the posts of the network guys here, past the technical terms, there IS a basic consensus. I am in this field myself. I once showed a coffee house owner how I could sit with free tools and show all the Facebook images his customers were browsing to get him to put a simple password on his wifi.

So, in a nutshell.

Nothing is 100% secure
It's very easy to be about 99.9% secure
It's very hard to be 99.9999% secure.

The easy way to get that easy, yet robust security is to NEVER combine these three things

1. A wifi network with no password
2. An http connection for important transactions (use https)
3. The same password for banking and other sites

I am surprised no one mentioned #3. One of the most common exploits it to snag your password when you are logging into Facebook or something, and then go use it on your bank because you were too lazy to have a different one.

Personally, I just focus on these three simple steps. I would never use a VPN. If some dude can still crack me he isn't going to be messing around breaking into my bank account in some bar in the BVI. There is no distance on the Internet, he'll be at home hacking something far more fruitful.

[svseachange]

Quote:

Originally Posted by vtsailguy

Personally, I just focus on these three simple steps.

Darn good advice.

[hellosailor]

"I am surprised no one mentioned #3."
See msg #92, that information was in fact hidden in plain sight and further obfusticated by not specifically saying "banking".