Cruisers Forum
 


Join CruisersForum Today

Reply
 
Thread Tools Rate Thread Display Modes
Old 03-03-2014, 15:27   #31
Registered User
 
denverd0n's Avatar

Join Date: Jun 2008
Location: Tampa, FL
Posts: 3,953
Images: 6
Re: Using an Unsecured WiFi System

Quote:
Originally Posted by CaptForce View Post
I think that my earlier analogy of turning your car within someone's private driveway is a better analogy...
The argument that has been put forth when prosecuting people charged with "theft of services" is that the bandwidth is a limited resource. Hence, when you are using it, you are limiting what is available to the person who originally paid for it. So, rather than being like turning around in someone's driveway, it would be more like parking your car in their driveway when they want to get into the garage.

Now, of course, it's easy to see if someone is trying to get into the garage if you are parked in their driveway. Much more difficult to see if the legitimate owner of the wifi signal is having his streaming video slow down some because you are sending e-mails. Regardless, the courts have held that when you are using some of it, he can't use all of it, and "all of it" is what he paid for. Hence, theft of services.
__________________

__________________
denverd0n is offline   Reply With Quote
Old 03-03-2014, 15:28   #32
Registered User

Join Date: May 2008
Posts: 1,972
Re: Using an Unsecured WiFi System

This is the wrong week to feel safe about SSL

Apple just announced a jaw droopingly severe SSL vulnerability in both IOS and OSX (iphone, ipads, Macs) that allows the reading of SSL traffic without anyone knowing. This vulnerability has been out there for some time. No one knows if it's been exploited or not.


"I've confirmed full transparent interception of HTTPS traffic on both iOS (prior to 7.0.6) and OS X Mavericks. Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured," according to a blog post from Cortesi, who promised to not release his SSL-attack tweaks for mitmproxy until after Apple releases an OS X patch.

"It's difficult to over-state the seriousness of this issue. With a tool like mitmproxy in the right position, an attacker can intercept, view, and modify nearly all sensitive traffic. This extends to the software update mechanism itself, which uses HTTPS for deployment," Cortesi said. "It's safe to assume that this is now being exploited in the wild. Of course, intelligence agencies have no doubt been on top of this for some time."

Apple SSL Vulnerability: 6 Facts - InformationWeek

If you haven't updated your Apple products in the last few days - do so now!!!
__________________

__________________
CarlF is online now   Reply With Quote
Old 03-03-2014, 15:32   #33
Registered User

Join Date: Jun 2011
Location: Korea
Posts: 8
Re: Using an Unsecured WiFi System

Quote:
Originally Posted by bdbcat View Post
TimR...

I'd like to understand technically how a spoofed Google page could install a keylogger, if you have "normal" browser security settings. Seems a stretch to me.

Any specific links you could send me to?

Thanks
Dave
Any hosted page or proxy provided by a malicious hotspot can serve up both the iframe and the exploits while loading something like google (or actually, any site) you send a GET for. Fiesta Exploit Pack is No Party for Drive-By Victims is a current campaign, but the tools have been publicly discussed for a very long time (Airpwn: Owning the Airwaves | Airpwn: Owning the Airwaves | InformIT).

SSL/VPNs only provide limited security for a user piggybacking on an unknown WiFi hotspot; it's semi-trivial to serve up a fake CA cert as part of the exploit kit and then MiTM the SSL connections out after that. If done with just a little bit of finesse, the user won't ever be aware of what's hit them (this is in essence what SSL proxy appliances have done forever, but usually the legit ones want enterprise IT to install the proxy's CA cert or have the user to explicitly set the proxy). There's probably even a way to populate an explicit SSL proxy using responses to a WPAD DNS query, but I haven't looked into it.

Does that mean that fiesta or any other exploit will get your fully patched box, the first time through, undetectably? Not so much, but it is possible and new exploits are released/sold underground frequently (and go unpatched for weeks or months).

Realistically, you probably have better odds of winning the lottery than getting hit by a malicious, unsecured WiFi access point, but all of the tech is there you just need someone with the knowledge and the motivation to do it.

__________________
stilldreamin is offline   Reply With Quote
Old 03-03-2014, 15:54   #34
Registered User
 
Celestialsailor's Avatar

Join Date: Nov 2006
Location: In Mexico, working on the boat
Boat: Hallberg Rassy 35. and 14ft.Whitehall pulling skiff.
Posts: 8,013
Images: 5
Re: Using an unsecured WiFi system

Quote:
Originally Posted by Dockhead View Post
When WiFi first became widespread, most people left their routers open. I thought it was great -- anyone who needs it who is passing by can use mine; I'll use others' when I'm roaming about. We all have unlimited data plans, so what does it cost me?

But then people started to have trouble with their systems slowing down as large numbers of freeloaders got on using massive amounts of data, downloading porn no doubt, and people started to lock their doors.

It's too bad! I think we should return to those days, and here is how I would propose to do it:

Let's have Guest Access which is open and free. It tracks the MAC addresses of users and will shut off users who are not people passing through, but just neighbors freeloading on your system. It will limit the amount of data you can use, and will limit the speed. Maybe it will block movie downloads, Youtube, etc.

If everybody would open Guest Access like that then the world would be a much better place.

As it is, I don't feel any qualms about occasionally using an open WiFi router. I think if it's left open, that's an invitation to use it. I don't abuse this -- don't use tons of data, and don't use such things for extended periods. Last few years this almost never happens, as open connections are almost non-existent, and I have mobile data now wherever I go anyway.

I would also never do it in places -- like some place in the Caribbean -- where unlimited data plans don't exist.
I like the idea of a Guest Access. Maybe a bandwidth, safety valve, preventing video downloads and a nanny program to boot.
__________________
"Life is not a journey to the grave with the intention of arriving safely in a pretty and well-preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming: Wow - what a ride!"

http://wwwjolielle.blogspot.com/
Celestialsailor is offline   Reply With Quote
Old 03-03-2014, 16:34   #35
Registered User
 
Tim R.'s Avatar

Join Date: Jul 2012
Location: Portland, Maine
Boat: Caliber 40LRC
Posts: 604
Re: Using an Unsecured WiFi System

Quote:
Originally Posted by bdbcat View Post
TimR...

I'd like to understand technically how a spoofed Google page could install a keylogger, if you have "normal" browser security settings. Seems a stretch to me.

Any specific links you could send me to?

Thanks
Dave

Without going into too many specifics, the hacker's router hands out IP address, DNS and gateway. He could set the DNS to his computer with an entry for Google.com which he has running as a website on his computer. You enter "anchor" as a search term and he displays a list of matches on his google website that appear to be legitimate but actually link to a key logger install. He could also be running a proxy to forward you through to any other website to make it look legitimate.

This does not guarantee that you would go through with the installation but some users are not as savvy as others.
__________________
Tim R.
Our Carina is sold
1997 Caliber 40LRC
TKR on a Boat Website
Tim R. is offline   Reply With Quote
Old 03-03-2014, 17:05   #36
Nearly an old salt
 
goboatingnow's Avatar

Cruisers Forum Supporter

Join Date: Jun 2009
Posts: 13,649
Images: 3
Using an Unsecured WiFi System

Quote:
Originally Posted by gonesail View Post
as long as you are on a secure socket connection (known as https or SSL) then there is no way in hell your data can be decrypted by anyone anywhere in the world

Ssl has been broken

Apples but was more about the SSL certificate verification. process. To exploit the vulnerability a man-in-the-middle attacker would have to duplicate the receipent web site. As it is some many sites have non verified or out of date Certs anyway

Dave


Sent from my iPad using Tapatalk
__________________
Check out my new blog on smart boat technology, networking and gadgets for the connected sailor! - http://smartboats.tumblr.com
goboatingnow is offline   Reply With Quote
Old 03-03-2014, 19:03   #37
Registered User

Join Date: May 2011
Location: Toronto
Boat: Sandpiper 565
Posts: 2,943
Re: Using an Unsecured WiFi System

I had a bit more trust in SSL, but after articles like this, maybe I have to reconsider. I have used VPNs for work, haven't thought to have one personally, but I may in future.

There are a number of common-sense steps you can take to minimize your risks:
  • protect your $%^# computer. Don't let the older kids use your main computer. Nothing infects a computer faster than teenagers. My nieces' computers when they were at university? Fuggedaboudit.
  • To help keep your computer clean, understand what anti-virus and firewall programs do and use them.
  • The majority of successful attacks happen to people who install untrusted/cracked applications, which is essentially letting thieves in by the front door
  • Have a dedicated charge card with a lower limit that you use mainly for online transactions. It's easier to monitor and if it's ever intercepted, there's a cap on the maximum loss.
  • Use a VPN. I currently don't, but if I was cruising, i think I would.
  • If you're uncertain about the "safety" of a wifi connection, avoid using it to access critical things like banking. Hold off til you can get to somewhere you trust more.
Keeping the above in mind, I'm not especially afraid of doing some transactions over most wifi's and I haven't yet suffered a loss from online activity.
__________________
Lake-Effect is offline   Reply With Quote
Old 03-03-2014, 19:35   #38
Registered User

Join Date: Dec 2010
Location: W Carib
Boat: Wildcat 35, Hobie 33
Posts: 7,964
Re: Using an Unsecured WiFi System

Nothing is hack-proof, but I always run a VPN to make it more difficult to hack when doing important transactions.
__________________
belizesailor is offline   Reply With Quote
Old 04-03-2014, 03:09   #39
Nearly an old salt
 
goboatingnow's Avatar

Cruisers Forum Supporter

Join Date: Jun 2009
Posts: 13,649
Images: 3
Using an Unsecured WiFi System

Quote:
Originally Posted by belizesailor View Post
Nothing is hack-proof, but I always run a VPN to make it more difficult to hack when doing important transactions.

VPNs are of little use in mainstream web applications mainly because the web sever is not accessible using a VPN. Simply running one to another endpoint defeats the whole purpose.

Security breaches are totally over hyped. Ive been buying online for more then a decade and a half now. I've had one attempt at fraud, which my credit card companies security software picked up. With chip and PIN and now contactless becoming common, most fraud is Card holder not present fraud and you are 100% protected there.

If someone is hacking SSL or some other serious encryption like AES /Wpa2 then you have far more serious problems then protecting your vintage 60s porn collection. The trucks parked outside with sat domes and men talking Into their wrists might also be a hint that all is not well.

The protection offered to online buyers by major credit cards is such that you are virtually 100% from fraud. In most cases it's actually the retailer who actually takes the hit, not you a the credit card company's just take the disputed amount out of the merchants account at the drop of a hat.

Nothing is hack proof , but many systems are" effectively " hack proof. By the way , but the main protection is the fact that you are inconsequential and nobodies interested

Dave


Sent from my iPad using Tapatalk
__________________
Check out my new blog on smart boat technology, networking and gadgets for the connected sailor! - http://smartboats.tumblr.com
goboatingnow is offline   Reply With Quote
Old 04-03-2014, 05:44   #40
Registered User

Join Date: Dec 2010
Location: W Carib
Boat: Wildcat 35, Hobie 33
Posts: 7,964
Re: Using an Unsecured WiFi System

Quote:
Originally Posted by goboatingnow View Post
VPNs are of little use in mainstream web applications mainly because the web sever is not accessible using a VPN. ...
Huh? I use a VPN service with many "mainstream" sites/apps. About half a dozen financial institutions. Running a VPN now in fact.
__________________
belizesailor is offline   Reply With Quote
Old 04-03-2014, 05:54   #41
Don't ask if you can't handle it
 
sailorboy1's Avatar

Cruisers Forum Supporter

Join Date: Jul 2007
Location: On the boat somewhere
Boat: Hunter 410
Posts: 12,326
Re: Using an Unsecured WiFi System

I look at unsecured WiFi networks to be like talking on your phone in public places. Anyone around can hear it so be careful what you say.
__________________
jobless, houseless, clueless, living on a boat and cruising around somewhere
sailorboy1 is offline   Reply With Quote
Old 04-03-2014, 06:29   #42
Nearly an old salt
 
goboatingnow's Avatar

Cruisers Forum Supporter

Join Date: Jun 2009
Posts: 13,649
Images: 3
Re: Using an Unsecured WiFi System

Quote:
Originally Posted by belizesailor View Post
Huh? I use a VPN service with many "mainstream" sites/apps. About half a dozen financial institutions. Running a VPN now in fact.
again very few public servers are accessible via VPN, most use HTTPS/SSL, which is in fact a VPN albeit a single session.


dave
__________________
Check out my new blog on smart boat technology, networking and gadgets for the connected sailor! - http://smartboats.tumblr.com
goboatingnow is offline   Reply With Quote
Old 04-03-2014, 06:54   #43
Registered User

Join Date: Jan 2011
Location: UK/France
Boat: Gib'Sea 402
Posts: 217
Re: Using an Unsecured WiFi System

In the UK BT ADSL routers have a guest access system they used to call Openzone, now called BT Wi-fi.
But it's only available to BT subscribers and the owner of the router has to enable the service.
It's a good concept but we've tried using it and it's pretty well impractical driving round looking for one of their hotspots. Better to use MacDonalds or whatever.
__________________
hoolie is offline   Reply With Quote
Old 04-03-2014, 07:15   #44
Registered User
 
tomfl's Avatar

Join Date: Apr 2012
Location: Florida
Boat: Seawind 1000xl
Posts: 1,959
Images: 10
Re: Using an Unsecured WiFi System

Easy solution to address your security issues. Can be run from a key drive and very hard to hack. Those linux boys are so cute

Damn Small Linux
__________________
tomfl is offline   Reply With Quote
Old 04-03-2014, 07:32   #45
Senior Cruiser
 
colemj's Avatar

Cruisers Forum Supporter

Join Date: Oct 2005
Location: Presently on US East Coast
Boat: Manta 40 "Reach"
Posts: 10,049
Images: 12
Re: Using an Unsecured WiFi System

Quote:
Originally Posted by goboatingnow View Post
Security breaches are totally over hyped. Ive been buying online for more then a decade and a half now. I've had one attempt at fraud, which my credit card companies security software picked up. With chip and PIN and now contactless becoming common, most fraud is Card holder not present fraud and you are 100% protected there.
I agree. I have had my CC taken 3 times because others have gained access to it from my use of it online.

Each time was because hackers gained access to the merchant's database (like the recent Target example in the US), not because they picked up my info directly from me using keyloggers, man-in-middle attacks, sniffers, etc.

While the big data breaches like the Target one sometimes get publicized, there seems to be almost daily breaches of smaller companies that do not. In the past couple of years, I must have received a dozen notices that "there may have been some irregularities with our data handling that may have exposed your credit card information". Right now, I have 3 subscriptions to credit monitoring services that were given to me by retailers who have been compromised.

IMO, that is where the big problem lies.

Mark
__________________

__________________
www.svreach.com

You do not need a parachute to skydive. You only need a parachute to skydive twice.
colemj is offline   Reply With Quote
Reply

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Best marine WiFi antenna? Blue Turtle Marine Electronics 148 09-11-2017 23:10
New Refrigeration System Plan skipmac Plumbing Systems and Fixtures 26 06-02-2013 16:11
Multiplexing: Digital Switching, E-Plex, C-Zone - Have it? Install it? Your Opinion ? Katiusha Electrical: Batteries, Generators & Solar 23 07-02-2012 07:49



Copyright 2002- Social Knowledge, LLC All Rights Reserved.

All times are GMT -7. The time now is 00:27.


Google+
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Social Knowledge Networks
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.

ShowCase vBulletin Plugins by Drive Thru Online, Inc.