Firesheep - WiFi Security Issue

[ActiveCaptain]

Quote:

Originally Posted by SailFastTri

But I think it's wrong to yell "the sky is falling" when you're worried about just one link in a very long chain.

First, I'm happy for the debate. I'm not offended by it. I think it's a good thing and so far no one is saying, "ya mutha".

I think the risks in "the last mile" are much greater than any other part of the network chain because it's quite easy to sniff WiFi packets. It's really quite difficult to get into the internet backbone and swallow all of the data coming through. There are also physical issue of getting into the marina internet line to swipe data.

The issue to me is all about percentages. I lock my boat knowing full well that there are 20 ways someone could break into it (sledgehammer not withstanding). Still, I lock it because it's the casual "last mile" person I'm trying to keep out. The person who will go to the next boat if mine is locked. That's the way I look at this right now. Give me WPA because that will provide a quick fix. While not complete, it'll end the attack by the largest number of people capable of mounting one.

[ActiveCaptain]

Quote:

Originally Posted by s/v Jedi

What you all forget is that when you switch to WPA, everybody who knows the password (key).. i.e. every legitimate user of the system, can still intercept all your traffic. It just protects you against nearby hackers who do NOT know the WPA key in use.

That is technically not true. You're confusing WPA with WEP - that is the way WEP locking is implemented.

For all practical uses of WPA and WPA2 today, you could put a 10 foot sign up at the marina with the passcode allowing everyone to access the router and everyone's network traffic will have different encryption based on a different code. That's one of the reasons WPA was created. There is one WPA mode that doesn't work that way but no one uses it.

Again, I'm not saying that WPA is immune to attack. It's just really difficult and the tools aren't there right now. WPA is a pretty good quick-fix right now.

[marshmat]

WPA (or better yet, WPA2) is enough to deter the local kids from snooping around. If the government or a serious crook decides they want your data, it won't stop them.

But the average troublemaker is just out to sniff some packets, maybe catch a Facebook session cookie or an email login, and cause a bit of mischief. The next level up is the guy who's after your credit card details. Both are easily thwarted by being just careful enough that you're more trouble than you're worth, so they'll move on to easier targets. Don't send any login details over open connections, don't send any transaction details over HTTP (make sure it's HTTPS and that the certificates match) and you've deterred pretty much all the troublemakers and most of the thieves. If you're worried about confidential data in emails being intercepted, add a PGP encryption plug-in to your mail client (30 minutes of reading, 5 min of setup, many years for a crook to break into). All that's left is the serious spies, and if you have them on your tail, you need to hire a computer engineer and a lawyer, pronto.

[s/v Jedi]

Quote:

Originally Posted by ActiveCaptain

That is technically not true. You're confusing WPA with WEP - that is the way WEP locking is implemented.

I'm sorry but I'm not... For WEP, you can gain access without any knowledge of the key. I crack a WEP encrypted accesspoint with some active users typically within 10 minutes.

For WPA / WPA2, the big thing to crack is the pre-shared key. Once that is done (or you know it because you have access), decrypting the traffic is not so hard anymore because the specs are open / published and the tools are available.

See cracking_wpa [Aircrack-ng] for details.

cheers,
Nick.

[s/v 'Faith']

Quote:

Originally Posted by SailFastTri

Jeffrey I think your single-handed campaign is doing a great disservice to the people who occasionally need to use open WiFi.

Your efforts would be much better placed on educating about solutions. .....

Yup.

Transient cruisers (who do not like to stay in marina's) are not served by efforts to secure open networks. Let the user be responsible for their OWN security...

[ActiveCaptain]

Quote:

Originally Posted by s/v Jedi

I'm sorry but I'm not...

For WPA / WPA2, the big thing to crack is the pre-shared key. Once that is done (or you know it because you have access), decrypting the traffic is not so hard anymore because the specs are open / published and the tools are available.

See, I'm actually sorry on this one.

You simplified the work required and while aircrack-ng might help with the cracking, look at the directions required to actually do the cracking. Be honest - have you step-by-step gone through all of that?

WPA is a pretty slick protocol for encryption. When a connection is first established, the passkey is used to create a special encryption key for the individual user. Every user ends up with their own key. If you're able to view the initial handshake for the connection, you can uncover the user's modified key and then can decrypt the traffic. It's important to note that the connection handshake probably happened hours before the traffic was being sniffed.

Again, there are ways around all of this for someone willing to take the extended amount of time, effort, along with the knowledge to actually do it. That's no different than an expert locksmith with the tools that can get into my boat when locked in 30 seconds. I'm not worried about him. I can't stop him. But I can stop the punk who rattles the door to see if it's open. That's what is being protected with WPA and adding all of these "but what about..." scenarios that show how it's still not bullet proof with 3 pages of detailed instructions is way off base and just, well, sorry looking.

[gettinthere]

Thanks Jeff

I figured you'd chime in here. I missed your newsletter info when it came in.

[off-the-grid]

Quote:

Originally Posted by S/V Antares

If you can identify them in a starbucks then perhaps spilling a double tall cappacino with extra sugar on their laptop is warranted.

Yeah, but that would just embarrass them more than anything. And I don't want to waste my expensive coffee like that. I think what they really need is a good old fashioned public *** kicking.

Jeff and marshmat - Very good analogies, and very good points. It's like anything else software, music, DVD, iPhone OS. They keep coming out with update after update to encrypt, for copy protection, etc. And all they're really stopping is casual users. Because every time they come out with a new update, someone comes out with a new hack for it. Speaking of which is there a jailbreak for the latest iOS yet? I've been holding out.

Anyway, I was going to go with the, you just need to have a bigger chain than your neighbor analogy. Problem is Firesheep could be compared to new bolt cutters that would allow a grandma to chop through 1" chain like it was butter. Or like a bigger, faster, hungrier bear.

[doug86]

Quote:

Originally Posted by s/v 'Faith'

Transient cruisers (who do not like to stay in marina's) are not served by efforts to secure open networks. Let the user be responsible for their OWN security...

On the contrary, its the near and in marinas where a hacker will find the biggest concentration of unsuspecting open wifi cruising lambs ripe for picking. If open networks are subject to easy intrusion, who is served by that? If every marina who offers free wifi would just add WPA it would help.

The point is not to make all WiFi fee based, but to encourage the hotspot provider to at least make a basic attempt at security.

If the world is full of free, open but vulnerable connections, it helps no one; even the ones responsible for their own security. Nor can any of the users force it to be more secure on their own behalf if the WiFi provider insists on keeping it open and unsecured.

I think you are confusing free with secure, and they are not mutually exclusive. Marinas and others can offer free connections that would easily thwart the Firesheep threat. In most cases, its just a box to click on the router settings. In fact, as Jeff pointed out, you could even broadcast to all users the password, but each would have to log in and have their own browsing session at least.

[Therapy]

Well I guess I am just a sheep that will get slaughtered.

My email is pop3. I know squat about what you guys are talking about.

Quote:

…Don't send any login details over open connections, don't send any transaction details over HTTP (make sure it's HTTPS and that the certificates match)

Certificates??? HUH? I am going to look at what?

[s/v Jedi]

Quote:

Originally Posted by ActiveCaptain

See, I'm actually sorry on this one.

You simplified the work required and while aircrack-ng might help with the cracking, look at the directions required to actually do the cracking. Be honest - have you step-by-step gone through all of that?

All these complicated steps..... can be SKIPPED when you know the pre-shared key. You don't have to crack it anymore because the marina office gave it to you.

The only WPA that gives security against other authorized users on the network requires a 802.1X authentication server and private keys or certificates (each user's data gets encrypted with a different key) ... something that enterprises do most of the time but I've never seen it in use on public WiFi like operated for boaters.

The WPA-Personal security (as opposed to the "Business" variant with authentication server) is supposed to be used on an AP in the home, where the group of users is a family where only that family knows the pre-shared key. Now, if you want to decode that WiFi data from outside that family, you need to crack the pre-shared key which, like you say, isn't that easy.

Again I repeat: look up the support pages of your email provider and see if they support secure email exchange. Any decent provider should and this provides security end-to-end which is far superior than any encryption that uses pre-shared keys or passwords.

Switching on WPA with pre-shared keys on public access points is useless and it won't take long before the kiddie tools to capture this traffic are available too, while any decent hacker can already do it today (when he knows the key).

cheers,
Nick.

[gettinthere]

On my g-mail account, under 'Browser Connection', HTTPS is selected. Am I secure?

[s/v Jedi]

Quote:

Originally Posted by gettinthere

On my g-mail account, under 'Browser Connection', HTTPS is selected. Am I secure?

for webmail.. yes if you indeed use the https page (not the normal http:// page). Most webmail login's use encrypted password too, so if you login on a regular webpage (http://) which has a check-box for secure (https) email.. if you check that box, you should next get a https page which is visible in the address line of your browser.

I don't know the specifics of gmail, sorry.

ciao!
DeVerm.

[boatman61]

Quote:

Originally Posted by S/V Antares

If you can identify them in a starbucks then perhaps spilling a double tall cappacino with extra sugar on their laptop is warranted.

Personally ... thank you Jeffery. A reasonable heads up.

Thay're welcome to hook into me.... I got free worms that'll keep em amused for hours....Lmao

[SailFastTri]

Quote:

Originally Posted by SailFastTri

snip

PS -- Jeffrey for the record I was making a point above and don't want you to shut down your site. I think it's brilliant and love it. But I think it's wrong to yell "the sky is falling" when you're worried about just one link in a very long chain. Security has a cost in user inconvenience and encryption overhead, maintenance and cost of certificates, etc. One needs to start with the servers and applications that run on them. Please tell us about the security for your site, or why it is or isn't needed.

Jeffrey -
Some uses just don't need protection. Do I care whether someone intercepts a weather query? No.

When you decide to change the world you've got to think about your glass house. I've been hoping you would answer the bold portion above. It seems you're raising alarms about everyone else's connection but haven't addressed legitimate questions about what's under your direct control.