WiFi security onboard?

[elf]

I have read a lot of posts here about cruisers using open WiFi connections in various marinas, anchorages, and so forth. What is to prevent someone from stealing your email password and other personal information over such an insecure connection? I realize that some sites, say financial institutions, should encrypt the information sent, and I know that https: sites are used for most e-commerce whenever credit cards are entered, but I'm not sure that userid/passwords are encrypted in all cases; for instance, when using Outlook Express to access email. And I've heard about people being able to steal information by sniffing WiFi connections, but I am not sure how this works.

How secure is it out there? Are there precautions that can be taken to minimize the chance of my information being stolen if I use a WiFi connection at sea? What do you all do to practice safe computing while cruising?

Thanks!
Elf

[knottybuoyz]

Hi Elf

Any unsecured wireless connection can be "sniffed" by anyone with a computer and a wireless card. The technology isn't overly sophisticated and easy to obtain from any number of "hacker" bulletin boards. Because your connection to any open (unprotected) wireless network you're allowing your security credentials (usernames & password) to flow across from the client (your computer) to a server in clear text. These sniffer programs look for telltale combinations which could result in your e-mail account being hijacked. Secure encrypted sites, such as your bank, that employ Public/Private Key encryption technology will scramble your logon credentials and should adequately protect them. Look for the little padlock icon on your browsers toolbar to be sure or as you've noted the "https" prefix to the server URL. Can this type of encryption be "cracked"? Yes but it's highly unlikely a "hacker" would stumble across and be able to identify an encrypted username/password combination in the data stream and be able to decrypt it unless they were specifically targeting you.

The Internet is certainly a different place than it was just a few short years ago. A proliferation of "sniffers" and "port" scanning bots roam the Internet hammering servers looking for open doors. I've personally learned more about Internet Security in the past week than I ever cared to due to a server hack at work.

If you're using a Microsoft browser here's a few tips...

Windows XP: Improve the security of your wireless home network

Common sense would also suggest that you:

Don't conduct your financial, private or sensitive transactions over an open access public network.

Change your passwords regularily

Use a password that doesn't relate to you such as Social Insurance Numbers, Birthdates, Childrens names, Address's etc. Use a minimum of 6 characters with a combination of capitalized and lowercase letters and numbers and at least one special character (@#$%^&*) etc.

So I've heard some marina's require logging into their network to gain access. Select a different username/password combination from that of your everyday username/password for your home network. If their server gets hacked your username/password credentials and other personal information could be compromised.

Talk to your Internet Service Provider about what method or technology you can use to better secure your e-mail while away from home. PK encryption can probably be setup with minimal cost.

Hope that helps.

Rick

[FrankZ]

If you truely want to be secure the answer is plain and simple. Do not connect to a network that you don't know or you don't know you can trust. If it is WIFI and all you need to do is click connect to connect to it then you can't trust it.

HTTPS and other secure tunneling protocols can help prevent sniffing in transit, they may not stop someone who owns the equipment that is doing the encryption/decryption.

[ssullivan]

And to add a little bit of human behavior to the thread... (I have driven this point home before).

The media has us paranoid about "hackers" everywhere, especially on WiFi networks trying to steal our personal information. The reality is that your personal informaiton, by itself is of little or no value. Sorry, you (and anyone reading this post) just aren't as important as the media likes to make you think you are.

Online criminials (not hackers, like Steve Jobs, etc... but online criminals) are looking to download thousands of credentials and/or credit card #'s, etc... at a time. They could care less about your "important" little email account. Trust me... nobody cares what's in your Outlook inbox. Put yourself in the shoes of a criminal (online or otherwise). Would you spend hours sniffing around a WiFi network to get somebody's password to their Outlook account? What use is it? You could read their email and send some emails out? Not a very bright or profitable crime ring.

Now, another important fact is that ALL data sent across the internet is just as vulnerable as data on a WiFi network. I can't stress this enough! The media has fooled many into thinking that a wired network is so much more secure than a wireless network. Absolute garbage. Sniffers were orginally developed to work on wired networks because WiFi didn't exist yet. They watch IP traffic on a network. I've used them. They're interesting. Using one on a WiFi network isn't any different from using one on a wired network. There are even some that you can use via the principles of induction, meaning you put a loop around a network cable (to put it simply) and just read everything going by on the wire. So... NO DATA sent on the internet is any more secure than it is on a WiFi network.

But... the main point is nobody cares what's in your Outlook inbox.

The way criminals *will* get your info is by breaking into servers where your info is stored ie:

*Banks
*e-Commerce sites that store your info
*Third party credit card processors
*The US Govt
*State, County, Town computers
*Your employer's HR records
etc... etc...

Now, none of this is meant to be offensive, even if it sounds a little that way. It's just a passionate topic for me, since I used to play around with this stuff back in the early 90's when there weren't penalties for it and hackers were people having fun and not robbing people. It's just troublesome to me to have everyone walking around thinking they are so important that if they use WiFi, there will be people sitting in the marina next to them trying to access their info. It's not the popluations fault for thinking that, the media put it in your heads. There are stories about "illegal WiFi access, etc..." every day. Take it with a grain of salt. It's probably a wired ISP company like a Time Warner (who also owns CNN?) sponsoring that story.

Bottom line: Your info is no safer on a wired connection than it is on a wireless connection. Also, your Outlook account and your Cruiser's Forum password are of no value, so criminals won't be looking for them.

Side note about safe computing at sea:

Use the same rules as you would at home -

1) Keep your operating system updated
2) Keep your Norton Anti-Virus subscription current and dowload all updates immediately
3) Goes without saying, but stay off of shady areas on the internet like porn sites
4) Visit only reputable sites or sites linked to off reputable sites.
5) Don't open any email attachments that aren't .pdf, .jpg and if you are opening a .doc or whatever, scan it with Norton AV before opening it. Also, beware of files with double extensions such as .doc.bat. Don't even go near .exe .bat, etc...
6) If you're running any server componenets or your computer is listening to any ports for any reason, make sure you have all of that set up correctly and securely.
7) It's not a bad idea to have a firewall installed between you and the WiFi network. I do, even though my computers are set up properly and securely behind the firewall as well.

I'm sure there are more points, but those are the basics.

[elf]

Thanks to all who replied! I actually know about sniffing on wired networks as I'm a software engineer and use Ethereal (a packet sniffer) at work in our lab to check SIP messaging on VoIP telephone calls, so what Sean is saying makes a lot of sense. Sean's post makes me feel better, actually, since internet access is one of my "bottom lines" in the decision to cruise or not. I just have to have it to communicate with family and friends, post pictures, blog, and occasionally do a bit of e-commerce. I am very careful to keep my system patched, use firewalls, spam blockers, spyware blockers, etc. at home on both my laptop and wired computer and have never been hacked in years of use, so hopefully the same will be the case on the water. If someone gets pleasure out of reading my email, that's fine, but I sincerely doubt it's that interesting!

Elf

[FrankZ]

Quote:

Originally Posted by ssullivan

Use the same rules as you would at home -

1) Keep your operating system updated
2) Keep your Norton Anti-Virus subscription current and dowload all updates immediately
3) Goes without saying, but stay off of shady areas on the internet like porn sites
4) Visit only reputable sites or sites linked to off reputable sites.
5) Don't open any email attachments that aren't .pdf, .jpg and if you are opening a .doc or whatever, scan it with Norton AV before opening it. Also, beware of files with double extensions such as .doc.bat. Don't even go near .exe .bat, etc...
6) If you're running any server componenets or your computer is listening to any ports for any reason, make sure you have all of that set up correctly and securely.
7) It's not a bad idea to have a firewall installed between you and the WiFi network. I do, even though my computers are set up properly and securely behind the firewall as well.

I'm sure there are more points, but those are the basics.

These are very good points. One needs to be wary of relying on extension for determining content. More and more applications are using the actual content and file headers to determine how to open them instead of the extension. Makes it more idiot proof I suppose.

And as far as firewalls go:
1) Hardware firewalls are better than software based. It is an additional layer.
2) Most people only consider inbound filtering. Outbound filtering is just as important. For instance some worms that will take control of your system rely on IRC to advertise themselves back to the scumbag who wrote it. You may recieve this as an email which is allowed inbound by your filters. If you are filtering IRC outbound it can not report home.

I use a deny all traffic then set up exceptions. I believe in being as specific as possible. If only one machine inside needs to access NTP, for example, then that is the only one that is allowed out in the filter. And I narrow it further if I know what outside host it needs to talk to.

The bad guys are out there. Some of it is media hype. Some of it is real. Most people that are attacked are attacked as targets of opportunity, not specifically.

[ssullivan]

I agree with what FrankZ says as well. Also, I may not have been clear about firewalls. Frank is right. Use a physical firewall. I have one between my boat's network and the WiFi network. I hadn't thought about software firewalls, since I value them so little.

[Fishspearit]

Ok, what is a good physical firewall, I was only aware of the software type.
It still seems a little gray to me. Is accessing bank accounts a big no-no on wifi or do some of you consider it safe enough? Right now I'm used to doing a lot of my banking and bills online, I update my commercial website, etc. Are these safe things to do while cruising using wifi networks?

[markpj23]

To my knowledge a hardware firewall buys you better performance over the software version - and not much else. Especially true for the "home" firewall which is not as likely to perform stateful packet inspection. Most basic firewalls are simply rules that allow/deny specific ports, source/destination, etc... ANY firewall is better than no firewall and is a MUST in my view..

And before you get too cocky thinking that your cable modem or DSL connection is more secure than WiFi... try clicking on "Network Neighborhood" sometime and see who else shows up on YOUR connection. By design these are SHARED networks connecting you and your neighbors. Want to see more?? Just take Ethereal and sniff all traffic coming into your PC. Yowsa! Who are these people????

The best way to avoid people snooping your connection is through the use of a VPN connection that encrypts all traffic to/from your PC. Soon SSL VPN will be commonplace and perhaps your ISP will offer it as an option.

I recommend using ZoneAlarm or the Windows XP Firewall as a minimum... but you have to understand what you're doing each time you 'Allow' a program to pass through. Consult a knowledgeable friend if necessary...

Oh and one last thing - when you bring home that new wireless access point / router from Best Buy, be SURE to just take it out of the box and plug it in!! The rest of us rely upon you doing that so we can get our free internet access in your neighborhood...

[hellosailor]

Mark-
"cable modem or DSL connection is more secure than WiFi... try clicking on "Network Neighborhood" sometime " Unless something has changed, that's not quite right. Cable connections run into shared hubs, but DSL connections are each a single end-run to the DSL equipment at the exchange, and nothing is accessible as user shared information. It's a different hardware configuration, or it was.

Sean-
When you say "no one is interested" you forget, there's always some kiddie with time and a computer who is trying to hack just to see what he can do. And if he gains the access password to your email account, that's all he needs to send 100,000 spams from your account--leaving him with any profits and YOU to clean up the mess. Even if he hasn't "stolen" anything else from you. Of course, if he's clever, he'll leave a trojan in your system that will check for online tax preparation or other software and then send out your SSN and other information, which he can sell.

The bad guys have been winning this year, getting past a lot of the "normal" precautions that too many sloppy web site designers have required us to use. (Like allowing active technologies in browsers.)

So, a firewall is a must. And https or other secured connections are a must. Without known and effective security, you've got to ask "Would I be willing to write this on a post-it note, and have it passed off by hand all the way to the other party? Through Indian Territory?"

It's bad enough if there's no "value" and all someone steals is your valid email address, that gets sold to the spam lists and then you're stuck changing it and sending out notices. Nuh-uh, no thanks. Too many low-lifes out there who figure they can make a buck from hacking.

Elf, if you really want decent security regardless of the local connection, you might want to look into VPN connections. Your computer establishes a secured VPN connection to the internet server you are using--and everything that leaves your computer is encrypted, even if the link you are connecting with normally isn't. You can use a private VPN service, or one "for hire" commercially. Overkill? Maybe, but they said that about ignition keys on cars once, too.<G>

[ssullivan]

Mark, I actually do share out my WiFi connection to others when it is appropriate (ie: I have enough bandwidth). I leave it wide open and chage the SSID to "Use Me"

People should be more helpful about things like that when they can and step back from the culture of greed. Help your fellow human out.

[ssullivan]

Hellosailor, I hate to disagree with you since I agree with you on a lot of other points. But... I feel the idea of a kiddie playing around with sniffers sending out a torrent of spam from your computer is pretty unlikely since a kiddie isn't an organization that sends out spams. Who woulds a kiddie's marketing client be? Playschool? Crayola?

Again pointing to your example, who is going to spend hours getting into your computer in order to get your email address to sell it? What is that worth to the person who spent hours getting in? .0000001 of a cent? Not a likely scenario.

Elf can't have a VPN from her computer to whatever she's going to do on the web, as you need to set that up on the "server" side of things. It's not an approach that will work at all in the real world.

Anyway, I welcome all of you to try and steal my info... ha ha ha. Not only is it worthless, it's also hard to get. Spend hours getting into the PC I'm on now, or my Mac. Get in. Find all the great info I have on how I put together my boat's electrical system, how I did the plumbing, various photos of things I'm eBaying, etc...

Not even close to worth your time, or any "hacker's" time. See, when I started using computers, hackers were people who did things like phone phreaking. We did stuff for fun, not to gain money. These new people are cyber criminals. They do it for profit. They aren't looking at some bozo's personal computer to break into. They are looking at money, fame and glory.

Quote:

Originally Posted by hellosailor

Sean-
When you say "no one is interested" you forget, there's always some kiddie with time and a computer who is trying to hack just to see what he can do. And if he gains the access password to your email account, that's all he needs to send 100,000 spams from your account--leaving him with any profits and YOU to clean up the mess. Even if he hasn't "stolen" anything else from you. Of course, if he's clever, he'll leave a trojan in your system that will check for online tax preparation or other software and then send out your SSN and other information, which he can sell.

The bad guys have been winning this year, getting past a lot of the "normal" precautions that too many sloppy web site designers have required us to use. (Like allowing active technologies in browsers.)

So, a firewall is a must. And https or other secured connections are a must. Without known and effective security, you've got to ask "Would I be willing to write this on a post-it note, and have it passed off by hand all the way to the other party? Through Indian Territory?"

It's bad enough if there's no "value" and all someone steals is your valid email address, that gets sold to the spam lists and then you're stuck changing it and sending out notices. Nuh-uh, no thanks. Too many low-lifes out there who figure they can make a buck from hacking.

Elf, if you really want decent security regardless of the local connection, you might want to look into VPN connections. Your computer establishes a secured VPN connection to the internet server you are using--and everything that leaves your computer is encrypted, even if the link you are connecting with normally isn't. You can use a private VPN service, or one "for hire" commercially. Overkill? Maybe, but they said that about ignition keys on cars once, too.<G>

[hellosailor]

Sean-
"Who woulds a kiddie's marketing client be?" In hacking or security circles, they refer to "script kiddies" meaning usually junior high school or hs kids who run malware scripts against all sorts of targets. They poke around on home networks, and now also poke around at WiFi access points (like cafe's, burger places, and airport terminals) that are target-rich environments. Set up a script, let it run a few hours, massage it back home with another script...Hey, if you can get a dozen good email access points out of that, you can send out a lot of spam from a dozen good accounts. And--you can get paid for doing it. Credit card numbers? SSNs? Bank access? all are bought and sold, by the piece or by the thousand, on the open market. The FBI claims the Russian government refuses to prosecute the Russian mob, who operate openly buying and selling this information if you know where to look on the internet. But, there is reason to believe the Korean and Chinese governments (via their state ISPs) also sanction criminal activity. Among others.

"Again pointing to your example, who is going to spend hours getting into your computer in order to get your email address to sell it?" They aren't spending hours, they are letting scripts run for hours against hundreds of users. It's like asking "And did the Cruisersform folks spend hours putting my message up on the forum?" Of course not, you're just an invisible part of the traffic load.

"What is that worth to the person who spent hours getting in? .0000001 of a cent? Not a likely scenario." Run a script all day, harvest fifty accounts, sell each for five bucks. $250 a day seven days a week, that's nice money for a high school kid who only spends an hour or two compiling the data. And it scales up from there, which is why spam IS so successful. Give me a hundred valid email accounts to use, and I can send out a million spams--daily--and even if I get a 1/4% return on that million, that's money. Heck, I can sell "valid email addresses" for good money too. If I can find one AOL customer (they're usually totally oblivious about email) who has forwarded one message to one group, I can usually pick up 10-20 good email addresses from each "forward" step. I've picked up 100+ from one message with multiple forwards, these folks just don't know what they are doing. And it isn't just AOL users.

"Elf can't have a VPN from her computer to whatever she's going to do on the web" Last time I checked there were vendors selling VPN portal use for exactly that reason. Like the "anonymizers", you connect to their VPN server, and then all your traffic goes out via the VPN server, so your first link on the internet is always to it and through it--securing you from the local risks. You can do that with your own VPN server too of course, you just need to make sure it is set up as your gateway server.

"Anyway, I welcome all of you to try and steal my info... ha ha ha. Not only is it worthless, it's also hard to get. Spend hours getting into the PC I'm on now, or my Mac. Get in. Find ..."

Macs have been low priority targets because there have been very few of them (5% market share) with a separate OS. But, they have not been immune. CERT and SANS and others all carried reports of Mac security issues over the years, they've been there all along. Now that the Mac is "just" another UNIX box, running a Mac emulator on top of a UNIX system, it may actually be more vulnerable since UNIX also has had security problems from day one.<G> No system is immune. Get into your system? Hmmm...Some of the PC trade mags used to run security contests that way, inevitably they were hacked and someone won the contest in short order. Despite the systems being set up by security experts. Be careful what you wish for, there are folks who will see your wish (these forums get googled) and try to make it come true, simply because that's better entertainment than watching cable.

"We did stuff for fun, not to gain money. These new people are cyber criminals. They do it for profit. " The problem is, the tweens. They have time, they want fun, and whatever money they make is gravy. "Cybercrime: It isn't just for professionals any more!" Sadly.

The problem is not the problems that we know about--but the ones we don't know about "yet".

[markpj23]

Quote:

Originally Posted by hellosailor

Mark-
"cable modem or DSL connection is more secure than WiFi... try clicking on "Network Neighborhood" sometime " Unless something has changed, that's not quite right. Cable connections run into shared hubs, but DSL connections are each a single end-run to the DSL equipment at the exchange, and nothing is accessible as user shared information. It's a different hardware configuration, or it was.

Not entirely true. Different DSL schemes produce different topologies. PPPoA gives a dedicated connection, PPPoE usually gives a shared connection. (PPPoA = Point-to-Point-Protocol over ATM, PPPoE = PPP over Ethernet)

Bottom line: NEVER assume that you are alone on the Internet.

Sean - thanks for the free pass! Hope a sophisticated war driver never ruins your day. I agree with your philosophy.

[ssullivan]

Ok,

I have a few differing opinions, but I feel this thread is digressing into something that doesn't really pertain to security while sailing, so I'll stop.

Rather than continuing, I'll just stop with my personal and professional opinion that is it not likely for someone to break into your computer using WiFi at a marina. Well, it's not any more likely than someone breaking into your data using the internet. If you want perfect security, you will need to stop using computers that connect to the internet. Otherwise, you still run the same chances Hellosailor points out below. (which in my opinion are slim to none anyway)

Just one question Hellosailor, regarding those evil hackers out there that are Googling the Cruiser's Forum and will take on my computers:

How do they get my IP address from Googling this fourm?

PS: On a timely note, see how it's being done these days...

Hacker attack at UCLA affects 800,000 people - CNN.com

Quote:

Originally Posted by hellosailor

Sean-
"Who woulds a kiddie's marketing client be?" In hacking or security circles, they refer to "script kiddies" meaning usually junior high school or hs kids who run malware scripts against all sorts of targets. They poke around on home networks, and now also poke around at WiFi access points (like cafe's, burger places, and airport terminals) that are target-rich environments. Set up a script, let it run a few hours, massage it back home with another script...Hey, if you can get a dozen good email access points out of that, you can send out a lot of spam from a dozen good accounts. And--you can get paid for doing it. Credit card numbers? SSNs? Bank access? all are bought and sold, by the piece or by the thousand, on the open market. The FBI claims the Russian government refuses to prosecute the Russian mob, who operate openly buying and selling this information if you know where to look on the internet. But, there is reason to believe the Korean and Chinese governments (via their state ISPs) also sanction criminal activity. Among others.

"Again pointing to your example, who is going to spend hours getting into your computer in order to get your email address to sell it?" They aren't spending hours, they are letting scripts run for hours against hundreds of users. It's like asking "And did the Cruisersform folks spend hours putting my message up on the forum?" Of course not, you're just an invisible part of the traffic load.

"What is that worth to the person who spent hours getting in? .0000001 of a cent? Not a likely scenario." Run a script all day, harvest fifty accounts, sell each for five bucks. $250 a day seven days a week, that's nice money for a high school kid who only spends an hour or two compiling the data. And it scales up from there, which is why spam IS so successful. Give me a hundred valid email accounts to use, and I can send out a million spams--daily--and even if I get a 1/4% return on that million, that's money. Heck, I can sell "valid email addresses" for good money too. If I can find one AOL customer (they're usually totally oblivious about email) who has forwarded one message to one group, I can usually pick up 10-20 good email addresses from each "forward" step. I've picked up 100+ from one message with multiple forwards, these folks just don't know what they are doing. And it isn't just AOL users.

"Elf can't have a VPN from her computer to whatever she's going to do on the web" Last time I checked there were vendors selling VPN portal use for exactly that reason. Like the "anonymizers", you connect to their VPN server, and then all your traffic goes out via the VPN server, so your first link on the internet is always to it and through it--securing you from the local risks. You can do that with your own VPN server too of course, you just need to make sure it is set up as your gateway server.

"Anyway, I welcome all of you to try and steal my info... ha ha ha. Not only is it worthless, it's also hard to get. Spend hours getting into the PC I'm on now, or my Mac. Get in. Find ..."

Macs have been low priority targets because there have been very few of them (5% market share) with a separate OS. But, they have not been immune. CERT and SANS and others all carried reports of Mac security issues over the years, they've been there all along. Now that the Mac is "just" another UNIX box, running a Mac emulator on top of a UNIX system, it may actually be more vulnerable since UNIX also has had security problems from day one.<G> No system is immune. Get into your system? Hmmm...Some of the PC trade mags used to run security contests that way, inevitably they were hacked and someone won the contest in short order. Despite the systems being set up by security experts. Be careful what you wish for, there are folks who will see your wish (these forums get googled) and try to make it come true, simply because that's better entertainment than watching cable.

"We did stuff for fun, not to gain money. These new people are cyber criminals. They do it for profit. " The problem is, the tweens. They have time, they want fun, and whatever money they make is gravy. "Cybercrime: It isn't just for professionals any more!" Sadly.

The problem is not the problems that we know about--but the ones we don't know about "yet".