Can we dispel this WiFi myth?

[mr-canada]

Quote:

Originally Posted by JRM

Lol. I hope you don't mind, but I have to send this to a few friends still in the biz. Priceless!!!

And I'd be a little less cavalier about bragging illegal activity, if you want a decent job in security.

Lol, I dont mind if you pass that along. I tried to stay out of this wifi post but I was bored because I knew I would end up going off. Building 4096 bit dhparams CA, server and client keys taught me enough about encryption that I dont trust it worth a damn. Once you learn how it works you realize that the NSA can probably tap *anything* with all those uber geeks and massive processing power.

Im not at all worried about bragging "illegal" activity. Slamming through your neighbor's wifi so you can get their phone number (their password) seems like the hard way of going about things... but I am a network engineer who now works in sales. Gotta keep sharp, lol. I used to crack the copy protection on games, not for redistribution but just so I wouldnt have to wait for all the fricking loading screens so I could just launch straight to the game. Ahh.. nobody programs in Assembly/ML anymore these days, makes me feel outmoded.

Quote:

Originally Posted by JRM

But again, to the OP: it boils down to "don't be stupid." You wouldn't walk down a dark alley in Calcutta, so why would you enter a password into a computer in a random Internet cafe?

Thats precisely it. In a place like Calcutta, I wouldnt doubt if they offer free wifi and one of the staff has a laptop under the desk collecting gigabytes of snort files, burning them to DVD and dropping them off at a friends house. If they know the WPA password they dont need to be sitting on a bumboat somewhere trying to crack all this encryption using the battery power coming from a 120V inverter off a car battery, they just sit and listen.

But even a Starbucks in Seattle invites the same activity, and the malicious nerds have a lot more money (ie. computing power). Woe is the man who underestimates the pimpled face geek who is so introverted he is terrified of actually asking someone for a real job. (lol) Programmers and hackers will work for hour after hour to do something other than get off their backside drinking cans of coke drinking pizza. Really its less work to just go to work... But to each their own I guess.

[zboss]

Quote:

Originally Posted by shanedennis

Absolutely, this is a legitimate, specific purpose for VPNs. I would argue there are easier alternatives, but that is another subject.

In terms of Internet/WiFi security VPNs are only really useful for professionals like you and I who need to access corporate networks.

That is not true at all. I use a private VPN outside of my corporate connection on top of SSL, specifically witopia. SSL was cracked AGAIN back in March and quite a few websites are still using the cryptographic method that was cracked.

While it is quite possible that the corporation you are connecting to can be cracked, as happen to banks pretty much everyday, the chances that they are updating their systems daily and actively monitoring the security situation is a whole lot better than what you could achieve on your laptop. They have access to technologies by companies like Mandiant which make you average McAfee corporate security look downright edsel-like.

[mr-canada]

Quote:

Originally Posted by goboatingnow

I'd have to call mr-Canada on his long post. Lots if half truths.

Firstly brute forcing anything anyway half decent is not easy and if you are the target of a sustained effort you have bigger problems then your banking access.

I can brute force a WPA connection in as little as 5 days. Two weeks if they have a great password, which most open wifi systems dont. Thats with a IBM Thinkpad with a Pentium III in it, because I was too lazy to transfer the file to my main computer.

The brute force crackability of a given encryption scheme gets easier with more computing power. Originally banks used 32 bit encryption, then 64 and then 128. It's only a matter of time before they go to 256 or 1024. An 8 core intel computer costs far less than the amount of money you could gain by draining one person's bank account and they wouldnt have to be rich, either. That is the capacity of probably 32 of the laptop that I used to crack a WPA in 5 days.

There are automated tools to do this stuff, you dont have to be a genius writing the code. Look around my man. You can download it for free.

AES is what banks use, it is far tougher to nail per bit of key than a lot of other ones. But algorhythms exist. Common password files exist and the brute force will try those first. Advancements in programming exist, and people come up with ways and algorhytms to crack even faster.

Quote:

Originally Posted by goboatingnow

Secondly if someone brute forces the banking system , its your banks problem not yours.

You're still out all your money until you can prove to the bank that it wasnt you that entered your password and that someone smashed their ultra secure system, which would cause their other customers to lose faith in their online banking security. I work for a bank. Good luck with that. Not that banks shouldn't take it more seriously, but IT guys working for banks figure they're invincible. It would take a lot of breaches before they bought that their perfect little system was busted by some Nigerian camped out by a marina in Calcutta. Until you do prove it, you're out your money.

Quote:

Originally Posted by goboatingnow

Furthermore VPNs are only secure from end point to end point. If you use a commercial VPN it isn't secure from the VPN exit point to the destination. End to end corporate VPNs are more secure at least https is end to end.

Yes, they are only secure from endpoint to endpoint. The point (pardon the pun) is that all traffic over the wifi is encrypted by another method than the wifi router's own encryption. If you can access that shared access point, whats to say someone else can't? Of course your proxy server connected to a wired connection somewhere in the first world could in theory be hacked. AT&T, Verizon, whoever your own provider could be hacked. But it's more secure than an open shared wireless connection, WEP, WPA or cleartext in some country filled with people in the poorhouse living on $40 a month. At least your using your own encryption and you are masking what you're doing so they cant cherry pick your banking traffic and focus all their energies on that.

Quote:

Originally Posted by goboatingnow

Saying someone can detect your banking ie www.mybank.con is nonsense. Sure my bank has that URL on its front web page.

Your post read like a bogey man story. Lol

In order to access your bank's webpage, your computer needs to send an HTTP request to that URL, requesting that the page be displayed. When you hit the login page, it redirects you using an HTTP-REDIRECT to their HTTPS page, this is also in the clear. Once you connect to HTTPS the handshake begins, which reveals the encrpytion method and starts the handshake to begin encrypting data. Then you type your password once the encrypted connection is open and start accessing your bank encrypted.

You can figure I'm the bogey man. Hey, if I was a black hat sort of guy maybe I would be the bogey man. Or.... You can realize that no encryption scheme is foolproof and accessing your personal financial information over some sketchy wifi connection opens you up to risk. Will you have your bank account drained every time you do it? Absolutely not.

But the question was, is this completely safe. The answer to that is absolutely no.

I could pop a laptop in my garage and snort all of my neighbor's traffic, bust their wifi routers encryption scheme and then snort cleartext off their wireless LAN. Then I could identify what packets are going where and of what type, and if I found an encrypted connection following a bank HTTP request I could find the software to bash that traffic, devote as much computing resources as I could to it, and wait until the computer found the answer. Depending on the available computing resources, it may not be fast, and depending on the sample size it may not work. But if I was sitting doing that 24 hours a day for years I'd have a pretty good chance at getting through before the computer I was doing it on went obsolete.

[mr-canada]

Quote:

Originally Posted by zboss

That is not true at all. I use a private VPN outside of my corporate connection on top of SSL

True. There are user friendly VPN solutions available, or if you know some nut job like me you can build your own using OpenVPN. Then you tunnel from your hardened promiscuous roadwarrior machine (laptop on your boat for example connecting to wifi of dubious quality) straight to your own connection and basically use that instead.

Of course... You could always just take my suggestion and use your phone's data plan and skip past the 98% of would be identity theives who can't afford all the gear and antennae to snort that type of traffic (hideously expensive)

[Teknav]

Hiya Mr. Canada! I used to work for an engineering company with an unusual login methodology. To remotely access their website, I had to login/password as usual, then terminate the process. In less than 3 minutes, the company's main frame would contact me back on-line requesting me to re-connect. The login/user ID was the same as in my initial contact, but the password included a Chinese character that was copy/pasted from a list that was provided to us; a Chinese character for every day of the month. An example of a password would be...Rx7yTo(Chinese character pasted)@. I believe that this was the best secure system, I ever worked with. If someone tried to sniff the password, an empty square would show up where the Chinese character is; can't copy it!

Mauritz

[mr-canada]

actually that does sound like a great login method. You login then the server contacts you inbound 3 minutes later. The handshake is broken from the process, although not completely separated, unless its coming from a totally different IP.

Although the Chinese character thing may have been a bit of a misnomer.. even when it shows an empty square, it is still showing an ISO-multilanguage character set in multibyte.

But it sure would fool a lot of brute force password crackers that would not try Chinese mixed in. The chinese have like what, 4000 characters to our 27 letter alphabet... that certainly would make brute force less effective.

[Palarran]

Quote:

Originally Posted by KneesintheBreez

What i do is use only one account for purchases -- one card. I keep a low balance in it to assuage just such fears. That way, my potential loss is limited to a certain "low" amount. Then, I monitor the activity in the account for anything "suspicious,"and (usually) finding nothing, I replenish the "active account" as necessary, over the phone (landline). My other, "real money-containing," accounts specifically have no cards or checks assigned, so nothing to steal. And, you are protected from credit card fraudulent activity for 30 days (review your statements! Not so with ATM/Debit charges, and if they get those numbers, you are liable for ALL fraudulent activity! AND, ALWAYS carry a gun. Sure, get a permit. Make them think twice!

I'm pretty similar to this. I also use a bank that has a "go id" dongle that produces a 6 digit number every minute to log in. Then I can transfer the money to the credit card accounts and debit card accounts. If traveling overseas you will most likely need a debit card as it's the easiest way to get cash in a local currency. It works pretty well, I have two credit cards and two debit cards all pulling off one different bank account.

[K_V_B]

Quote:

Originally Posted by mr-canada

Same goes with SSL blowfish and all the other encryption schemes. What is on your side is time. If you are only online to access your bank account using SSL for 5 minutes, they may not get enough of a sample to be able to brute force their way to cleartext. They can still try, but they will get all sorts of misses and likely have to sort the wheat from the chaff themselves because they will have to analyze the data with different attempts at brute force keys.

The main problem with "brute forcing" blowfish is with the nature of the cypher. Blowfish is a fast, bulk cypher (which is convenient for protecting a data stream) but it requires a non trivial time to set up all the necessary data structures in memory, once a key has been chosen.
This means that a brute force attempt needs a lot of time to get through the key space.

Quote:

4096-bit RSA can even be cracked, that is what I used to set up for VPNs that I would build for companies. Its just that the key size is so huge that it would take a very, very long time. Banks online often use 64 or 128 bit encryption which is a lot easier although they use a different method than RSA which is a bit tougher to nail per bit of key.

RSA is an asymmetric Cypher, it's a so called "public private key" system, and it is not used for bulk enciphering, as it is to slow. So in your VPN RSA will be used to exchange a session key, but this shorter session key is used with a bulk cipher, like Blowfish or Rijndael. Banks do the same thing.

Quote:

How do you think that your computer can decrypt what the bank is sending you over HTTPS? Its because the bank sent you the keys and then you unlocked the door using the keys they gave you.

Session keys are never send in the clear. The way it really works is like this:

1) Bank sends its public key. This key is part of the HTTPS certificate it sends, and is usually a RSA key, and can be quite long.
2) You computer then generates a shorter session key (128 bits for example) and encrypts this with the banks' public key.
3) The bank receives this, and uses it's private key to decrypt your message, and so gets the session key.
4) The session key is used to encrypt all traffic.
(Ok, it's actually a lot more complex, but I won't get in to details...)

The beauty of RSA is that a message encrypted with the public key can only be decrypted using the private key and vice versa. So this allows secure communication without ever having to divulge anything in the clear that would allow eavesdropping. It is theoretically possible to derive the private key from the public key, but in practice this is not.

So eavesdropping on well implemented SSL is not practically possible.
(I say well implemented, because in the past implementations did exist that didn't choose their session keys randomly enough...)

Quote:

Putting faith that the bank has made their encryption unbreakable is as stupid as putting faith that the designer of your boat made it unsinkable.

Some banks don't put their faith in encryption as well. They in stead use mechanisms that authenticate each transaction. So even if someone were able to eavesdrop he would find out what I was doing, but never manage to get enough information to steal money...

[Sailor g]

Quote:

Originally Posted by mr-canada

Of course... You could always just take my suggestion and use your phone's data plan and skip past the 98% of would be identity theives who can't afford all the gear and antennae to snort that type of traffic (hideously expensive)

I wouldn't even trust a phone. The bad guys have found a way to take the info off of your SIM card just by calling your phone. The data is encrypted but that could be cracked. So far all the crooks have done is make long distance calls-but who knows whats next...

[svseachange]

K_V_B is the voice of reason.

Think about it. If SSL was inherently insecure then Internet commerce would cease. No Amazon, no eBay, no banking online, no credit card transactions etc. The Internet would fall apart. The systems most businesses have developed to take advantage of Internet technologies would be worthless. The world economy would fall into a deep depression. It's doomsday talk, and unnecessarily alarmist.

The truth of the matter is conducting business using SSL over an open wireless network is many times more secure than the alternatives. It is many times more secure than conducting business in person at a bank. It is many times more secure than handing over your credit card at a restaurant or store. It is many times more secure than conducting business via fax. It is more many times more secure than conducting business using the mail. And, of course, it is many times more secure than keeping wads of cash on your boat.

[Albro359]

Paranoia...in overdrive !!!

[K_V_B]

Quote:

Originally Posted by shanedennis

The truth of the matter is conducting business using SSL over an open wireless network is many times more secure than the alternatives. It is many times more secure than conducting business in person at a bank. It is many times more secure than handing over your credit card at a restaurant or store. It is many times more secure than conducting business via fax. It is more many times more secure than conducting business using the mail. And, of course, it is many times more secure than keeping wads of cash on your boat.

In the end what matters is not security but reputation. We deal with Amazon not because Amazon has good security (although it does) but because Amazon cares about it's reputation. We give our credit card to the waiter in a restaurant because we know the restaurant cares about it's reputation.
The restaurant stands to lose a lot more than they can potentially gain from abusing my trust in them. So they don't.

[svseachange]

Quote:

Originally Posted by K_V_B

In the end what matters is not security but reputation.

Excellent point. There is no difference between giving a disreputable entity your credit card information in person or online.

The current news regarding about the US NSA deliberately inserting backdoors and blocking even stronger encryption is troubling (see: NSA uses supercomputers to crack Web encryption, files show) but it also shows how strong encryption can be. Even the NSA finds it difficult to crack strong encryption.

You don't need to worry about Joe Blow sitting in the chair next to you at the picnic table cracking your encryption. Worry about him watching or manually filming your keystrokes instead.

[goboatingnow]

Quote:

Originally Posted by shanedennis

Excellent point. There is no difference between giving a disreputable entity your credit card information in person or online.

The current news regarding about the US NSA deliberately inserting backdoors and blocking even stronger encryption is troubling (see: NSA uses supercomputers to crack Web encryption, files show) but it also shows how strong encryption can be. Even the NSA finds it difficult to crack strong encryption.

You don't need to worry about Joe Blow sitting in the chair next to you at the picnic table cracking your encryption. Worry about him watching or manually filming your keystrokes instead.

Exactly, little real cipher breaking actually goes on, most use exploits that are weaknesses either user or system.

worrying about the NSA is just stupid.

A bus may also run you over

Dave

[Lake-Effect]

Quote:

Originally Posted by K_V_B

In the end what matters is not security but reputation. We deal with Amazon not because Amazon has good security (although it does) but because Amazon cares about it's reputation. We give our credit card to the waiter in a restaurant because we know the restaurant cares about it's reputation.
The restaurant stands to lose a lot more than they can potentially gain from abusing my trust in them. So they don't.

I agree with the above, and it underscores another reason why the bigger banks, cards and online stores are relatively safe to deal with: they usually step up and reimburse the user if a provable fraud has occurred.

This is both reassuring and a bit disturbing; it means that the real extent of online fraud is masked because the vendors quickly make good and the actual crime goes uncounted (banks, etc don't release this info) or unreported to the authorities.

It's apparently more cost-effective to have reasonable security, and quick resolution of some fraud, rather than more solid security and less fraud. Probably because the fraud from social engineering still outstrips fraud from technical exploits.