Cruisers Forum
 


Join CruisersForum Today

Reply
 
Thread Tools Rate Thread Display Modes
Old 19-11-2010, 04:01   #1
Marine Service Provider

Join Date: Oct 2007
Boat: Endeavour 42CC
Posts: 1,182
Firesheep - WiFi Security Issue

All you wifi users need to read this...

Panbo: The Marine Electronics Weblog: Firesheep cometh; is open WiFi safe anymore?

and this...

Why Firesheep’s Time Has Come | Steve*(GRC) Gibson's Blog

And consider this:

Free VPN Solutions for Securing Your Public Wi-Fi Sessions: Business Collaboration News «
__________________

__________________
gettinthere is offline   Reply With Quote
Old 19-11-2010, 04:07   #2
Nearly an old salt
 
goboatingnow's Avatar

Cruisers Forum Supporter

Join Date: Jun 2009
Posts: 13,649
Images: 3
yeap , been known all along, and remember most "CLOSED" publicly accessable networks use a browser long on to authenicate, rather then WPA or other excryption. These are also effectivly opne Wifi networks.

Dave
__________________

__________________
goboatingnow is offline   Reply With Quote
Old 19-11-2010, 04:48   #3
Registered User

Join Date: Feb 2008
Posts: 2,061
Quote:
Originally Posted by goboatingnow View Post
yeap , been known all along, and remember most "CLOSED" publicly accessable networks use a browser long on to authenicate, rather then WPA or other excryption. These are also effectivly opne Wifi networks.

Dave
Not accurate. Your login is encrypted and once your session is established, so is everything else about your session info between you and the hot-spot. That doesn't mean your data is encrypted though, unless you have an SSL connection. It would be safe to do online banking or to use any other secure site.
__________________
SailFastTri is offline   Reply With Quote
Old 19-11-2010, 07:20   #4
cruiser

Join Date: Oct 2007
Posts: 751
The problem is that you don't can't always tell if your secure data is being transmitted with SSL or not. And many people are still using POP email where passwords are sent in the open. The example screen shot on Panbo of doing exactly that was created by me.

Our newsletter on Wednesday was what sparked the Panbo posting. We're very concerned about the use of free WiFi by cruisers because I've looked - there is a lot of open data available at any marina and anchorage. The things shooting by are incredible to watch - better than TV!

For example, every web page you visit - totally open. Any POP email account - totally open. Anything you enter into a form (like this posting) - totally open. And literally thousands of other transactions.

Are some secure - definitely. Still, you'd be shocked to know what others can see.

OK, all of that has existed for years - nothing new. So why is the storm flag being raised now? That's easy. For whatever reason, one guy, Eric Butler, decided to create a very simple, user-friendly tool that my mother can use to get Facebook, Twitter, and other site's data to the point where the account can be compromised. An ABC News reporter was able to do it at a Starbucks. Surely there are 14 year olds doing it right now.

Eric's Firesheep was released 3 weeks ago. Right now the enormous publicity has generated extreme interest in all hackers to create other easy-to-use tools to compromise WiFi. Multiple new "tools" have already been released. I call publicity, "catnip to hackers" because it's what they want.

So right now, at this moment, the word needs to get out to stop using open WiFi. We're mounting a campaign to the 20,000 marinas we work with to inform them to turn on WPA or WPA2 locking of their routers. That alone will eliminate the practical potential for sniffing by the teenager in the condo next to the marina. It isn't a total solution but is a good enough one for now.

The ultimate solution is using a VPN. There are some trust issues with that and I'm doing some investigation to come up with good solutions for cruisers along with describing the risks that VPN's introduce to the cruising boater.

Our original newsletter posting can be found here:
http://www.activecaptain.com/newsletters/2010-11-17.php

Future newsletters will discuss the different VPN issues and provide some solutions.

There will be people who will try to show how this potential has always existed and that WPA isn't a perfect solution. They are all correct. Remember that the publicity and new tools were released just 3 weeks ago. This is new and it's not important to eliminate the theoretical risks right now. Now's the time to eliminate the practical ones and give cruisers who might not understand all the nuances one message: Don't use open WiFi.
__________________
ActiveCaptain is offline   Reply With Quote
Old 19-11-2010, 08:06   #5
Registered User

Join Date: Feb 2008
Posts: 2,061
Yes this potential has always existed. Anything you put out unencrypted on the public Internet (or wireless airwaves) should always have been considered public, and especially email. The US government has been doing this for years, as have (probably all) other governments. http://en.wikipedia.org/wiki/Carnivore_(software)
__________________
SailFastTri is offline   Reply With Quote
Old 19-11-2010, 08:16   #6
Registered User

Join Date: Feb 2008
Posts: 2,061
Quote:
Originally Posted by ActiveCaptain View Post
The problem is that you don't can't always tell if your secure data is being transmitted with SSL or not. And many people are still using POP email where passwords are sent in the open. The example screen shot on Panbo of doing exactly that was created by me.

Our newsletter on Wednesday was what sparked the Panbo posting. We're very concerned about the use of free WiFi by cruisers because I've looked - there is a lot of open data available at any marina and anchorage. The things shooting by are incredible to watch - better than TV!

For example, every web page you visit - totally open. Any POP email account - totally open. Anything you enter into a form (like this posting) - totally open. And literally thousands of other transactions.

Are some secure - definitely. Still, you'd be shocked to know what others can see.

OK, all of that has existed for years - nothing new. So why is the storm flag being raised now? That's easy. For whatever reason, one guy, Eric Butler, decided to create a very simple, user-friendly tool that my mother can use to get Facebook, Twitter, and other site's data to the point where the account can be compromised. An ABC News reporter was able to do it at a Starbucks. Surely there are 14 year olds doing it right now.

Eric's Firesheep was released 3 weeks ago. Right now the enormous publicity has generated extreme interest in all hackers to create other easy-to-use tools to compromise WiFi. Multiple new "tools" have already been released. I call publicity, "catnip to hackers" because it's what they want.

So right now, at this moment, the word needs to get out to stop using open WiFi. We're mounting a campaign to the 20,000 marinas we work with to inform them to turn on WPA or WPA2 locking of their routers. That alone will eliminate the practical potential for sniffing by the teenager in the condo next to the marina. It isn't a total solution but is a good enough one for now.

The ultimate solution is using a VPN. There are some trust issues with that and I'm doing some investigation to come up with good solutions for cruisers along with describing the risks that VPN's introduce to the cruising boater.

Our original newsletter posting can be found here:
ActiveCaptain - The Interactive Cruising Guidebook - Newsletter - November 17, 2010

Future newsletters will discuss the different VPN issues and provide some solutions.

There will be people who will try to show how this potential has always existed and that WPA isn't a perfect solution. They are all correct. Remember that the publicity and new tools were released just 3 weeks ago. This is new and it's not important to eliminate the theoretical risks right now. Now's the time to eliminate the practical ones and give cruisers who might not understand all the nuances one message: Don't use open WiFi.
Jeffrey I think your single-handed campaign is doing a great disservice to the people who occasionally need to use open WiFi.

Your efforts would be much better placed on educating about solutions. After all, once it hits the Internet anything can be intercepted anywhere along the points between the user and server, and the server could also be compromised (web servers are the most frequently hacked type of servers). If it's not encrypted it's open and public. That simple.

All you're going to accomplish (if anything) is to increase inconvenience and cost to users.

If you'd like I'll tell you how to make the Active Captain site totally secure: Shut it off.
__________________
SailFastTri is offline   Reply With Quote
Old 19-11-2010, 08:32   #7
Marine Service Provider

Join Date: Nov 2008
Posts: 1,249
What about simply using HTTPS everywhere?

From what I understand, from the articles I've been reading, sites using https after login vs. http is the only real secure solution.

This plugin seems like the quickest, easiest, cheapest (free) fix to the problem.

You can also use Blacksheep, which will let you know if anyone on the same network is using Firesheep, and their IP. Would be nice if it showed an actually picture, like Firesheep does. That way you'd know has ass to kick.

May not be a great solution, and may not detect Firesheep fast enough before someone could potentially change a password. But imagine if in Starbucks all over the world you started seeing people stand up and yelling at the top of their lungs, "Some ***hole in here is using Firesheep right now!"

Or...what about connecting to an open network with your phone (I know just as vulnerable), but tethering it and doing all the surfing on your laptop? Safe(er)?
__________________
off-the-grid is offline   Reply With Quote
Old 19-11-2010, 08:50   #8
Marine Service Provider

Join Date: Nov 2008
Posts: 1,249
Quote:
Originally Posted by SailFastTri View Post
Jeffrey I think your single-handed campaign is doing a great disservice to the people who occasionally need to use open WiFi.
I completely disagree!

Yes, this has always been an issue, yes turning everything off is the only way to be completely secure.

But the fact is it just got WAY easier, for even the technically inept to access your info now. I appreciate actually knowing about this, which I didn't until I saw the AC newsletter.
__________________
off-the-grid is offline   Reply With Quote
Old 19-11-2010, 08:54   #9
cruiser

Join Date: Oct 2007
Posts: 751
Quote:
Originally Posted by SailFastTri View Post
Quote:
Originally Posted by ActiveCaptain
This is new and it's not important to eliminate the theoretical risks right now. Now's the time to eliminate the practical ones and give cruisers who might not understand all the nuances one message: Don't use open WiFi.
Jeffrey I think your single-handed campaign is doing a great disservice to the people who occasionally need to use open WiFi.

Your efforts would be much better placed on educating about solutions. After all, once it hits the Internet anything can be intercepted anywhere along the points between the user and server, and the server could also be compromised (web servers are the most frequently hacked type of servers). If it's not encrypted it's open and public. That simple.

All you're going to accomplish (if anything) is to increase inconvenience and cost to users.
Just like I said, there will be people who will try to muddy the waters and cause confusion by showing that there are theoretical holes in WiFi no matter what you do. What I'm trying to do, and it is the education you're proposing, is to make quick fixes to the practical holes that exist right now.

I think that the 45 emails I received yesterday thanking me for the warning from normal cruisers tell me that there's no disservice at all. I'd also question that my campaign is single-handed considering the thousands of blogs, web sites, and articles written about this exact subject by many people who are just as concerned about it, including some of the real experts in the industry. I'm just someone who's involved with the internet and sees the new issue evolving with direct potential effects on cruisers. I'm proud that I'm raising the flag on this and will continue to do so from the highest mountains I can find.

If you think that adding WPA to a marina's WiFi router is going to cause cost and inconvenience, just wait until cruisers start having their credit cards, email accounts, and other sensitive information compromised while out cruising. I've been contacted by multiple boating users groups who have seen their private networks violated by stolen emails in the last 2 weeks. Yeah, I'm sure that's just a coincidence.
__________________
ActiveCaptain is offline   Reply With Quote
Old 19-11-2010, 09:03   #10
cruiser

Join Date: Oct 2007
Posts: 751
Quote:
Originally Posted by grunzster View Post
What about simply using HTTPS everywhere?
It might represent a great solution. VPN's are another excellent solution. But it's important to uncover the issues before just jumping to something else. If there's anything good with respect to this issue it's that it has nothing to do with cruising. We're just more effected because we hit many more WiFi spots while moving than the average person who might go to a Starbucks every now and then. The huge industry behind this will help to provide the answer. And there is an answer.
__________________
ActiveCaptain is offline   Reply With Quote
Old 19-11-2010, 09:17   #11
Senior Cruiser
 
S/V Antares's Avatar

Cruisers Forum Supporter

Join Date: Sep 2007
Location: Annapolis, Bahamas
Boat: 1983 Gulfstar 36
Posts: 1,249
Images: 1
If you can identify them in a starbucks then perhaps spilling a double tall cappacino with extra sugar on their laptop is warranted.

Personally ... thank you Jeffery. A reasonable heads up.
__________________
Will & Muffin
Lucy the dog

"Yes, well.. perhaps some more wine" (Julia Child)
S/V Antares is offline   Reply With Quote
Old 19-11-2010, 09:40   #12
Registered User

Join Date: Dec 2009
Location: Ontario
Boat: 5 m Bolger runabout, plus a Starwind 860 power tri under construction
Posts: 248
There are a few issues at play here, at many points along the connection.

At the server end, there's cheapness, laziness and stupidity. Firesheep sniffs out cookies set by Facebook, etc. that contain session ID data. Facebook, Twitter and many other popular sites are so cheap and lazy that they set this session data in a plain text, unencrypted HTTP cookie. Doing so is tantamount to screaming "hey, we have no security here and we don't care, come in and mess stuff up". Doing it properly- with a fully encrypted connection- uses a bit more server power, thus costs a bit more, thus isn't done by companies that don't care about privacy or security. (Note that there are browser add-ons that let you force full encryption with many such sites.)

At the marina, we have the issue of encryption on the WiFi connection itself. Unencrypted signals should be used only to broadcast the "here's our marina, here's how to contact us" page with no external connection. WEP is useless. WPA2, with passwords rotated regularly, is secure enough that the local kids can't steal bandwidth or eavesdrop on packets as they fly by. If the network isn't WPA or WPA2 encrypted with regularly changing passwords, you should assume an eavesdropper is logging every packet you send and receive.

The most important link in the chain is the end user. The problem here isn't technical, it's behavioural. People who are supposedly technically literate ask me "WTF is this?" when they see the PGP signature on my emails, then log in to some webmail service over an unencrypted HTTP connection on open WiFi. Security and privacy just aren't big thinking points for many people.

Also: Remember "I don't have to out-run the hungry bear, I just have to out-run you"? You don't need military-grade encryption on everything. You just need to be a bit more careful than average, and the vast majority of bad guys will ignore you and move to easier targets- you know, the ones who send credit card data over HTTP on open networks.
__________________
Matt Marsh
marshmat is offline   Reply With Quote
Old 19-11-2010, 09:47   #13
Registered User
 
doug86's Avatar

Join Date: Nov 2009
Location: Between Block Island and Bahamas
Boat: Marine Trader 40' Sedan Trawler, 1978. WATER TORTURE
Posts: 715
Quote:
Originally Posted by SailFastTri View Post
After all, once it hits the Internet anything can be intercepted anywhere along the points between the user and server, and the server could also be compromise
Yeah, and a meteor could fall on my boat tonight, but the odds of that are far less than the chance that another boat will drag into me and hit my boat. So, I pick my anchoring spots carefully with regards to other boats, but not so much with other celestial bodies in mind...

You're right, everything on the internet is a possible target, but the threat from unsophisticated and casual hackers is now greater than it was before Firesheep. My bank info is certainly more secure on the bank's server than it is on my laptop. It's not all the same risk just because it's moves over the internet.

I fail to see how pointing that fact out is a dis-service. A cease & desist for open WiFi will help the most vulnerable: the folks that don't fully understand all this technology (and frankly don't want to). The more sophisticated users know how to protect themselves and are not going to just blindly heed Jeff's advice.
__________________
"When one is willing to go without, then one is free to go." - doug86
doug86 is offline   Reply With Quote
Old 19-11-2010, 10:31   #14
Registered User

Join Date: Feb 2008
Posts: 2,061
Quote:
Originally Posted by doug86 View Post
Yeah, and a meteor could fall on my boat tonight, .
My point was that it is even more likely your traffic will be intercepted over other points in the Internet than your local WiFi hot-spot, especially by someone with malicious intent to use your information (professional hackers and governments).

Google the following words for a real eye opener: china diverted Internet traffic

The local WiFi with less than a mile range is less of a target than millions of spyware-infected computers, or hacked firmware in an Internet backbone router, or the web server itself.

People are acting like someone just came out with free x-ray glasses for peeping Toms. Big deal. The truth is they aren't really x-ray glasses -- they're truth glasses. Firesheep just revealed that everyone's been running around naked all-along and didn't realize it until now. Computer geeks knew it.

PS -- Jeffrey for the record I was making a point above and don't want you to shut down your site. I think it's brilliant and love it. But I think it's wrong to yell "the sky is falling" when you're worried about just one link in a very long chain. Security has a cost in user inconvenience and encryption overhead, maintenance and cost of certificates, etc. One needs to start with the servers and applications that run on them. Please tell us about the security for your site, or why it is or isn't needed.
__________________
SailFastTri is offline   Reply With Quote
Old 19-11-2010, 11:20   #15
Do… or do not
 
s/v Jedi's Avatar

Cruisers Forum Supporter

Join Date: Feb 2009
Location: in paradise
Boat: Sundeer 64
Posts: 9,198
WiFi encryption is a weak attempt to cover big mistakes elsewhere, like unencrypted POP3 traffic etc.

What you all forget is that when you switch to WPA, everybody who knows the password (key).. i.e. every legitimate user of the system, can still intercept all your traffic. It just protects you against nearby hackers who do NOT know the WPA key in use.

I do not believe that there are any banks left that use insecure Internet banking. So the best thing for everybody to check is your email provider: find their support pages and how to switch to encrypted email login/exchange.

Also, for sites like this one, use a different password than for your email/bank etc. Measures like that tackle the problem at the source instead of trying to fix them partly.

cheers,
Nick.
__________________

__________________
s/v Jedi is offline   Reply With Quote
Reply

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Security While Away from Your Boat betachz Liveaboard's Forum 108 15-10-2010 05:31
WiFi Antenna Installation Issue Zydeco Marine Electronics 30 12-08-2010 18:13
WiFi Security nhschneider Marine Electronics 6 08-12-2009 18:43
boatyard security shellback Off Topic Forum 18 23-05-2007 11:01
WiFi security onboard? elf Marine Electronics 31 14-12-2006 09:24



Copyright 2002- Social Knowledge, LLC All Rights Reserved.

All times are GMT -7. The time now is 11:17.


Google+
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Social Knowledge Networks
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.

ShowCase vBulletin Plugins by Drive Thru Online, Inc.