For those of you that don't know, Dartmouth College is the first college
to go totally wireless. I'm sure many of you have been to a coffee shop
/book store (Barnes and Noble) and have seen that they offer public
access wifi hotspots. This means that you don't have to have a password
or pay anything to get connected.
Most of these places probably do not have any way of preventing
hijacking attempts. If I decided to go to my local starbucks and set up
a fake wifi, there's nothing stopping me.
But I don't even have to do that to get your passwords. All I have to
do is throw up a packet sniffer and bam I have all of your email
passwords/website passwords. POP3 is an unencrypted protocol. WIFI
access points act as hubs. Unless everything is running SSL all of your
passwords are being sent out to everyone connected to that WIFI access
point.
I'm telling you this to inform those of y'all who don't already know, and
to ask a question to those of you who are in the profession and know
everything there is to know about wifi.
What is stopping me from going to Barnes and Noble, firing up Ethereal,
and getting everyone's passwords for email/websites? Is there a way to
disconnect a computer that shows signs of running a packet sniffer? Is
there even a way to tell that a computer is running a packet sniffer?
This is something you might expect to see at Defcon or Blackhat but
probably not in your local Starbucks. Next time you are there, think
about the security risks and don't check your email or visit a site that
requires you to have a password unless you send it via SSL (Gmail,
banking sites, etc).
I am cross-posting to get as many opinions/answers as possible.
> For those of you that don't know, Dartmouth College is the first college
> to go totally wireless. I'm sure many of you have been to a coffee shop
> /book store (Barnes and Noble) and have seen that they offer public
> access wifi hotspots. This means that you don't have to have a password
> or pay anything to get connected.
>
> Most of these places probably do not have any way of preventing
> hijacking attempts. If I decided to go to my local starbucks and set up
> a fake wifi, there's nothing stopping me.
>
> But I don't even have to do that to get your passwords. All I have to
> do is throw up a packet sniffer and bam I have all of your email
> passwords/website passwords. POP3 is an unencrypted protocol. WIFI
> access points act as hubs. Unless everything is running SSL all of your
> passwords are being sent out to everyone connected to that WIFI access
> point.
>
> I'm telling you this to inform those of y'all who don't already know, and
> to ask a question to those of you who are in the profession and know
> everything there is to know about wifi.
>
> What is stopping me from going to Barnes and Noble, firing up Ethereal,
> and getting everyone's passwords for email/websites? Is there a way to
> disconnect a computer that shows signs of running a packet sniffer? Is
> there even a way to tell that a computer is running a packet sniffer?
>
> This is something you might expect to see at Defcon or Blackhat but
> probably not in your local Starbucks. Next time you are there, think
> about the security risks and don't check your email or visit a site that
> requires you to have a password unless you send it via SSL (Gmail,
> banking sites, etc).
>
> I am cross-posting to get as many opinions/answers as possible.
>
> Thank you for your time
Pretty much common knowledge (at least in this news group)....
On Thu, 29 Sep 2005 01:06:19 GMT, teh Mephisto <dont.worry@bout.it>
wrote:
>Unless everything is running SSL all of your
>passwords are being sent out to everyone connected to that WIFI access
>point.
Most sane users do not poll for email with pop3. They use a VPN
tunnel provided by their ISP, a VPN tunnel provided by the hot spot
service company (i.e. Boingo), TLS (transport layer security), or web
mail using SSL encryption.
>... those of you who are in the profession and know
>everything there is to know about wifi.
Anyone in the profession that claims to know everything, doesn't.
>What is stopping me from going to Barnes and Noble, firing up Ethereal,
>and getting everyones passwords for email/websites?
Not much. It's a well known problem. Just about any web site that
mumbles about wireless security mentions that polling for email via an
unencrypted wireless link is asking for trouble.
>Is there a way to
>disconnect a computer that shows signs of running a packet sniffer? Is
>there even a way to tell that a computer is running a packet sniffer?
Users can be blocked by MAC address or IP address at the wireless
router. There are IDS (intrusion detection systems) that look for
abuse and automagically isolate the offenders. For example: http://snort-wireless.org
It is fairly easy to detect if a user is sniffing. I have a trick
that detects if a wireless device is in promiscuous mode (required for
sniffing), but it's marginally reliable and does not work with every
client. Search Google for "detect promiscuous mode" for how others
are doing the same thing. For example, a free and commercial
promiscuous mode scanner: http://www.securityfriday.com/products/promiscan.html
I've used the free version to detect wireless sniffers.
Jeff Liebermann wrote:
> Most sane users do not poll for email with pop3. They use a VPN
> tunnel provided by their ISP, a VPN tunnel provided by the hot spot
> service company (i.e. Boingo), TLS (transport layer security), or web
> mail using SSL encryption.
I think you give people too much credit. From what I have seen, most
people see "Wireless hotspot here" and go woopee I can get my email and
surf the web. I will guarantee you that you can go into any starbucks,
ask how many people know what VPN or SSL are and probably about 1/4 of
them would be able to tell you, if that. Then they probably don't even
realize that everyone can see what they are doing on a wireless network.
"teh Mephisto" <dont.worry@bout.it> wrote in message
news:iTI_e.11399$ua.515214@twister.southeast.rr.com...
> Jeff Liebermann wrote:
> > Most sane users do not poll for email with pop3. They use a VPN
> > tunnel provided by their ISP, a VPN tunnel provided by the hot spot
> > service company (i.e. Boingo), TLS (transport layer security), or web
> > mail using SSL encryption.
>
> I think you give people too much credit. From what I have seen, most
> people see "Wireless hotspot here" and go woopee I can get my email and
> surf the web. I will guarantee you that you can go into any starbucks,
> ask how many people know what VPN or SSL are and probably about 1/4 of
> them would be able to tell you, if that. Then they probably don't even
> realize that everyone can see what they are doing on a wireless network.
Um.
In what way is this different than using any other publicly shared service?
Incidentally, and in case you hadn't noticed, the Internet itself is.. um..
a shared public service. Any privacy you happen to gain from someone else's
routing table is pretty much a side-benefit.
Coming up next.. blutooth it am teh sc4ry!!!1!!!
;o)
--
Hairy One Kenobi
Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!
Could you please provide some reference material (websites or groups
messages) describing HOW to set up a secure wireless connection and
more secure ways of using public hotspots?
teh Mephisto wrote:
> For those of you that don't know, Dartmouth College is the first college
> to go totally wireless.
Wossat mean? Every single computer in every lab connected with wifi
(are they stupid?) or just total wifi coverage?
> I'm sure many of you have been to a coffee shop
> /book store (Barnes and Noble) and have seen that they offer public
> access wifi hotspots. This means that you don't have to have a password
> or pay anything to get connected.
[snip]
> But I don't even have to do that to get your passwords. All I have to
> do is throw up a packet sniffer and bam I have all of your email
[snip]
Leo Fellmann wrote:
> teh Mephisto wrote:
>
>> For those of you that don't know, Dartmouth College is the first
>> college to go totally wireless.
>
>
> Wossat mean? Every single computer in every lab connected with wifi
> (are they stupid?) or just total wifi coverage?
I don't know about every single computer in every lab but I do know they
are completely wireless.
Hairy One Kenobi wrote:
> "teh Mephisto" <dont.worry@bout.it> wrote in message
> news:iTI_e.11399$ua.515214@twister.southeast.rr.com...
>
>>Jeff Liebermann wrote:
>>
>>>Most sane users do not poll for email with pop3. They use a VPN
>>>tunnel provided by their ISP, a VPN tunnel provided by the hot spot
>>>service company (i.e. Boingo), TLS (transport layer security), or web
>>>mail using SSL encryption.
>>
>>I think you give people too much credit. From what I have seen, most
>>people see "Wireless hotspot here" and go woopee I can get my email and
>>surf the web. I will guarantee you that you can go into any starbucks,
>>ask how many people know what VPN or SSL are and probably about 1/4 of
>>them would be able to tell you, if that. Then they probably don't even
>>realize that everyone can see what they are doing on a wireless network.
>
>
> Um.
>
> In what way is this different than using any other publicly shared service?
>
> Incidentally, and in case you hadn't noticed, the Internet itself is.. um..
> a shared public service. Any privacy you happen to gain from someone else's
> routing table is pretty much a side-benefit.
>
> Coming up next.. blutooth it am teh sc4ry!!!1!!!
>
> ;o)
>
Now that everyone uses switches, it's a lot better than it used to be.
WIFI is still run just like a hub, where everyone connected can see
everything you are doing.
Sure there are still some hubs around but no one's stupid enough to put
them up where it really matters.
On Thu, 29 Sep 2005 15:42:35 GMT, teh Mephisto <dont.worry@bout.it>
wrote:
>Now that everyone uses switches, it's a lot better than it used to be.
>WIFI is still run just like a hub, where everyone connected can see
>everything you are doing.
Not exactly. Wireless 802.11 is bridging. A bridge is a 2 port
switch. It only lets traffic across the bridge that has a destination
MAC address that's known to be on the other side of the bridge. Also,
broadcasts go everywhere. With a hub, access to one port gave me
access to all the traffic since the hub was just a repeater. With a
switch, sniffing one port only gives access to that port's traffic.
It's the same with wireless except that wireless shares a common
medium (air space) and allows all the bridged/switched connections to
be simultaneously sniffed. I guess one could say this is something
like a hub, but it's still bridging.
>Sure there are still some hubs around but no one's stupid enough to put
>them up where it really matters.
You'll be surprised what I find floating around some networks. The old
hubs just don't seem to completely disappear and are often more
convenient to use than to purchase a proper switch. I use hubs for
sniffing ethernet, but that's not a common application.
Doc. wrote:
> teh Mephisto <dont.worry@bout.it> wrote in news:iUT_e.76499$Jp.2279820
> @twister.southeast.rr.com:
>
>
>>I don't know about every single computer in every lab but I do know they
>>are completely wireless.
>
>
> Even the monitors?
>
> SCNR :-)
>
>
> Doc.
Shrugs, wireless using something like http://www.cranite.com seems to be
a relatively secure solution. Tends to defeat intruders and listeners
fairly effectively. When coupled with wireless IDS to detect attack
attempts you can secure the network about as well as you can on a wired
connection.
"teh Mephisto" <dont.worry@bout.it> wrote in message
news:LXT_e.76500$Jp.2279820@twister.southeast.rr.com...
> Hairy One Kenobi wrote:
> > "teh Mephisto" <dont.worry@bout.it> wrote in message
> > news:iTI_e.11399$ua.515214@twister.southeast.rr.com...
<snip>
> > Incidentally, and in case you hadn't noticed, the Internet itself is.. um..
> > a shared public service. Any privacy you happen to gain from someone else's
> > routing table is pretty much a side-benefit.
> >
> > Coming up next.. blutooth it am teh sc4ry!!!1!!!
> >
> > ;o)
> >
>
> Now that everyone uses switches, it's a lot better than it used to be.
> WIFI is still run just like a hub, where everyone connected can see
> everything you are doing.
>
> Sure there are still some hubs around but no one's stupid enough to put
> them up where it really matters.
Erm, actually "they" do. Both genuine hubs and switches configured
for-a-purpose.
The purpose is usually the same sort of load balancing used by Windows
(NLBS, or WLBS as it used to be called). It uses MAC spoofing (MS borged a
company); this doesn't always work on particular Cisco switches, even when
they've been set to bridge ports (which is the other case you'll commonly
see. Damned hard to sniff or run an IDS without this sort of facility -
although you have to be careful that it can handle the sort of traffic that
you're likely to see, particularly if you're on/near the backbone.).
I have a military customer that ended up doing this - it was cheaper to
recycle an old hub than to buy a new switch that actually did what it was
supposed to (bearing in mind that the selected switch /should/ have had the
capabilities, but might have broken one of their other security rules.
They're a customer; they get to do it the way they want <shrug>)
These sort of configs tend to be where you *really* need load-balancing
(i.e. at the very heart of "where it really matters")
In my case, I just have the two hubs - one sits on the Cable Modem
connection at home (so that I can simply plug-in a sniffer or firewall
tester); the other is my "network in a bag" that travels with me on-site. UK
companies generally don't let you plug into their networks, these days, so
it's a useful last resort for data transfer if we already have someone
there. Or if I end up running software that's licensed by MAC address -
modern laptops switch you between different NICs, which buggers all that up.
Must get around to making one of those "key" thingummies that you used to be
able to buy.
teh Mephisto wrote:
> For those of you that don't know, Dartmouth College is the first college
> to go totally wireless. I'm sure many of you have been to a coffee shop
> /book store (Barns and Noble) and have seen that they offer public
> access wifi hotspots. This means that you don't have to have a password
> or pay anything to get connected.
<snip>
That's why you always want to use VPN to connect via an unknown wireless
network.
Google now offers a free VPN service. Supposedly it's slightly less
secure than some of the paid VPN services but this is according to the
paid VPN services.
Some ISPs offer VPN as part of their plans. One reason I chose the ISP
that I chose is because they offer VPN at no extra charge.
SMS wrote:
> teh Mephisto wrote:
>
>> For those of you that don't know, Dartmouth College is the first
>> college to go totally wireless. I'm sure many of you have been to a
>> coffee shop /book store (Barns and Noble) and have seen that they
>> offer public access wifi hotspots. This means that you don't have to
>> have a password or pay anything to get connected.
>
>
> <snip>
>
> That's why you always want to use VPN to connect via an unknown wireless
> network.
>
> Google now offers a free VPN service. Supposedly it's slightly less
> secure than some of the paid VPN services but this is according to the
> paid VPN services.
There's also nothing except lack of free time stopping you using, say,
openvpn to connect through a computer at home :)
> Some ISPs offer VPN as part of their plans. One reason I chose the ISP
> that I chose is because they offer VPN at no extra charge.
> You are, I take it, talking about wireless ISPs?
No. Some ISPs offer VPN into their server whenever you are at a
wireless hot spot (and you can use it with wired as well, if you want).
For example, see: "http://www.sonic.net/features/vpn/". Most ISPs offer
this only to their business customers, at extra cost, but a few of the
better regional ISPs include it with every account.
There are some private companies offering VPN for a fee
(typically around $40-75 per year), but Google now offers it for free,
see "http://wifi.google.com/download.html". I guess the question is
whether or not you trust Google (or trust your ISP or the private VPN
services for that matter). Google offers it because they are rolling out
their own free wireless across the country, but it works with any hot spot.
>I guess the question is whether or not you trust Google
iPig comes with the iPig SERVER (also freeware), so you can set up your
own VPN server very easily. Thus the traffic is NOT routed via the
company's server.
>There's also nothing except lack of free time stopping you using, say,
>openvpn to connect through a computer at home :)
iPig Server is MUCH easier to install than OpenVPN, basically you just
start the installer, add the user name and password you want to use,
and your private VPN server is ready to go.
On 30 Sep 2005 13:33:31 -0700, in alt.internet.wireless you wrote:
>>There are some private companies offering VPN for a fee
>
>Another company offering VPN for free is iPig, see
>http://www.net-security.org/article.php?id=827
>
>>I guess the question is whether or not you trust Google
>
>iPig comes with the iPig SERVER (also freeware), so you can set up your
>own VPN server very easily. Thus the traffic is NOT routed via the
>company's server.
>
>>There's also nothing except lack of free time stopping you using, say,
>>openvpn to connect through a computer at home :)
>
>iPig Server is MUCH easier to install than OpenVPN, basically you just
>start the installer, add the user name and password you want to use,
>and your private VPN server is ready to go.
Would somebody mind explaining a bit about these services to me? I'm
somewhat confused. It seems to me that if you are using, for example,
IPig's company's servers, you are sending information between the two
of you (between your computer and the IPig server) in an encrypted
manner. But once it gets there, it is decrypted and sent on its way
to its final destination. Hence, folks can still get your information
because it travels a part of the way in an unencrypted manner. Are
the Ipig servers clever enough to continue the encryption if the
eventual destination is also running an IPig server?
Obviously, the first 1/2 of the data's journey is much more vulnerable
when it travels over a wireless connection (wifi, 802.11g, etc.). So
for that purpose, using the company's servers (or Google's) makes a
lot of sense.
As for openVPN and, I would imagine, setting up an IPig server, one
can establish their own VPN with a minimum of hassle, it seems. But
I've got a funny situation and I'm wondering if I'm precluded from
doing this. And that is that my wifi provider uses private IP
addresses, not public ones. So, everybody from my wifi ISP appears to
be coming from the IP address that shows up in the headers of this
message. My router is set to a WAN address that begins with
192.168.x.x. (My LAN addresses are 192.168.y.x) If I have 3 computers
here, would setting up an IPig server at another location that is
permanently connected to the internet even work? It would seem I have
to be sending information to the IPig server saying that my address is
the public IP address and once it gets back to my ISP won't know who
to send it to. Obviously, the routers automatically take care of regular
HTTP-type communication. But as I understand the IPig configuration
file, my outbound communication includes my IP address.
>Would somebody mind explaining a bit about these services to me? I'm
>somewhat confused.
Sure. In order to ensure wireless security, you're introducing a
middleman into the system. The typical wireless hot spot is not going
to terminate your VPN for you. The administrative overhead for
passwords and authentication is just too much. So, you hire a 3rd
party to do it for you.
A VPN encrypted "tunnel" is established between your wireless laptop
and the 3rd party VPN service. Everything that goes between your
laptop and this 3rd party is encrypted inside the tunnel. Anyone
sniffing the wireless traffic at the hot spot will see only encrypted
packets.
The 3rd party VPN service provider then decrypts the traffic and
shovels it to a proxy server (which regenerates the connections) and
relays the traffic on its way to wherever your mail servers are
located. This traffic is NOT encrypted and can be sniffed.
Note that this arrangement does NOT offer end to end encryption and is
therefore still at risk from anyone sniffing the wired part of the
connection. This constitutes a substantial improvement in security,
but end to end encryption by the mail service provider would be much
better.
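The trust-boundary point made in the last post (the tunnel protects the laptop-to-provider leg and nothing past it), worked through as an added Python model; this is not code from anyone in the thread. It also covers the TLS case raised in the first post and the layered case (TLS inside a VPN). Hop names, the route and the observer descriptions are constructed for the model, not taken from any real network.

```python
"""Model of which hops carry a POP3 login in the clear under each protection.

A hop is one network segment the session crosses on its way from the
laptop to the mail server.  A tunnel (VPN or TLS) wraps the payload from
the hop where it is encrypted up to, but not including, the hop where it
is decrypted.  Every hop outside a tunnel carries USER/PASS readable to
whoever can observe that segment.  All names below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed: who can passively read a hop when the payload there is in the clear.
OBSERVERS = {
    "hotspot_air": "every station on the channel (shared medium, hub-like)",
    "hotspot_wired": "the hotspot operator or anyone on the AP uplink",
    "vpn_provider": "the VPN service and anyone tapping its egress",
    "isp_transit": "ISPs and transit routers on the path",
    "mail_server": "the mail provider (always; it must read the login)",
}

@dataclass(frozen=True)
class Scenario:
    name: str
    route: Tuple[str, ...]                      # hops from laptop to mail server
    tunnels: Tuple[Tuple[str, str], ...] = ()   # (encrypt_at, decrypt_at) pairs

    def covered(self, index: int) -> bool:
        """True if some tunnel still wraps the payload while it crosses route[index]."""
        return any(self.route.index(enc) <= index < self.route.index(dec)
                   for enc, dec in self.tunnels)

def plaintext_hops(s: Scenario) -> List[str]:
    """Hops on which the POP3 credentials travel unencrypted."""
    return [hop for i, hop in enumerate(s.route) if not s.covered(i)]

def exposure_report(s: Scenario) -> str:
    """Human-readable list of exposed hops with who can read them."""
    lines = [f"{s.name}:"]
    for hop in plaintext_hops(s):
        lines.append(f"  login readable at {hop}: {OBSERVERS[hop]}")
    return "\n".join(lines)

# The encrypted leg from the hotspot to the provider's network is folded into
# the vpn_provider hop; since it is inside the tunnel it adds no exposure.
DIRECT_ROUTE = ("hotspot_air", "hotspot_wired", "isp_transit", "mail_server")
VPN_ROUTE = ("hotspot_air", "hotspot_wired", "vpn_provider", "isp_transit", "mail_server")

DIRECT = Scenario("plain POP3, no tunnel", DIRECT_ROUTE)
PROVIDER_VPN = Scenario("POP3 inside a third-party VPN", VPN_ROUTE,
                        (("hotspot_air", "vpn_provider"),))
TLS_ONLY = Scenario("POP3 over TLS to the mail server", DIRECT_ROUTE,
                    (("hotspot_air", "mail_server"),))
LAYERED = Scenario("TLS inside a third-party VPN", VPN_ROUTE,
                   (("hotspot_air", "vpn_provider"), ("hotspot_air", "mail_server")))

if __name__ == "__main__":
    for scenario in (DIRECT, PROVIDER_VPN, TLS_ONLY, LAYERED):
        print(exposure_report(scenario))
```

The third-party VPN removes the hotspot hops from the exposed list but leaves the provider and everything downstream; only a tunnel terminating at the mail server itself reduces the list to the server alone.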