WiFi internet hacking warning - always use ADSL instead!

[SmellyFarang]

I've seen a lot of talk about Internet access on the forum with people specifically asking about Wi-Fi support at hotels.

 

I just wanted to pass along a quick head's up that even encrypted Wi-Fi connections (using the older WEP encryption standard) these days can be easily hacked in just a few minutes with "man in the middle" attacks. The video below shows a good demo:

http://video.google.com/videoplay?docid=63...eGxBQ&hl=en

 

This means that hackers can see everything you type: passwords, bank info, everything.

 

So you should only use Wi-Fi connections for casual internet access, not anything you need to keep secure. The alternative is to use a place that has an ADSL cable modem so you can plug in a physical network cable (or plug in your own wireless router that supports more modern, secure encryption tech).

 

When my buddy & I rented condos from Dancewatchers.com, the fact that many of their condos had ADSL connections was a major factor in our decision. I don't know of many hotels that provide ADSL, but have seen that the Whitehouse Condotel advertises ADSL connections:

http://www.whitehousecondotel.com

 

Does anyone else know of other hotels with true ADSL?

-Smelly

[Grumpy]

I wish you'd be better informed before you'd post trash like this.

 

It really doesn't matter if you're on Wifi, DSL, ADSL, Cable, or Dial-up if you have two braincells that don't fight.

 

Hackers still have to contend with the encryption between the secure websites and your machine (128bit SSL, etc.) If you're using ANY website with critical information on it that isn't encrypted, you're asking for it-and you're a moron, no matter the medium you're using.

 

These guys only managed to steal AIM, Yahoo, FTP logins, no mention of bank info...certainly not everything.

 

I suggest you get a little better informed before you start sounding the alarm.

[layow]

i would think they have to be very highly skilled to do that

 

then if they are

 

they aren't going after tourists in pattaya for relatively small change

[SmellyFarang]

I wish you'd be better informed before you'd post trash like this. ... I suggest you get a little better informed before you start sounding the alarm.

 

There's nothing more funny than the self-rightous "expert" who is so quick to insult others. Before you embarass yourself further, maybe you need to get more up to date yourself:

 

"Man-in-the-middle attack sidesteps SSL"

http://www.securityfocus.com/brief/910

 

... and about a zillion other references on the net.

 

There's always new tricks & traps to watch out for, and the whole point of a forum like this is raise awareness.

 

And even if you really, really do need to disagree with me, why on earth do you feel so compelled to be so mean spirited about it?

-Smelly

[layow]

if its that easy

 

then how come everyone who uses

it hasn't had there bank accs drained

and credit cards maxed out?

 

again if they're trying this then they are after big $

[bigjimslay]

I have went broke since I started using this website.

[Grumpy]

There's nothing more funny than the self-rightous "expert" who is so quick to insult others. Before you embarass yourself further, maybe you need to get more up to date yourself:

 

"Man-in-the-middle attack sidesteps SSL"

http://www.securityfocus.com/brief/910

 

Once again, not using an encrypted site by being duped, but this has nothing to do with WiFi, or any other medium for that matter, being so vulnerable to attack.

 

A more proper warning, and a more applicable one would be to ensure you are logging into the proper site, visually identifying the https/'lock' on the status bar/and not setting your default internet security settings too low.

 

Your response only agrees with my own statement, that SSL encryption is the issue, NOT the WiFi.

 

I'm not embarrassed (there is a double "r" in that word, better learn to spell before you attempt to return fire) at all, as YOU blamed WiFi for these security problems, but this 'spoofing' in particular can be accomplished through a hard-line just the same.

 

As a side note Smelly, I have the credentials, how about you? CCNA+, MCITP, A+ Computer Tech, Network +

[SmellyFarang]

Luckily there's this nifty invention called the Internet. So instead of relying on a couple posts from a couple guys, anyone interested can do a few minutes of research and decide for themselves.

 

Just be sure that you're using *current* information and not relying on out-of-date assumptions.

-Smelly

[Mr Unix]

So you should only use Wi-Fi connections for casual internet access, not anything you need to keep secure. The alternative is to use a place that has an ADSL cable modem so you can plug in a physical network cable (or plug in your own wireless router that supports more modern, secure encryption tech).

You could also build up a VPN connection via Wifi and route all your traffic over that connection.

 

BTW: Using a cable connection like 100Base-TX won't protect you. Anything in your broadcast domain will be avaible to all machines in that broadcast domain. I've never seen a secure setup in LOS before. Most of the switches there are working on layer 2 and the few layer 3 switches I've seen had a crappy fallback-to-hub-setup if somebody did something like ARP flooding.

 

There's only one way to be secure: Don't use a computer in LOS. Spend your time in Soi 6.

[Scumbag]

Hackers still have to contend with the encryption between the secure websites and your machine (128bit SSL, etc.) If you're using ANY website with critical information on it that isn't encrypted, you're asking for it-and you're a moron, no matter the medium you're using.

This is called public key encryption and you need a very very powerful computer to break the code in a reasaonable time. Not many people have access to such machines. If this wasn't the case the internet business would not be around.

[Me2995]

Concerning bank info, all of my online accounts use some kind of token. One generates a random code every 30 seconds and the others you need my bankcard to generate certain codes. No way there's an easy way someone can just steal them by hacking ssl.

Not even sure if it's that easy too hack a google or yahoo account, since they use ssl.

 

The only thing I advice is bring your own laptop and don't use public computers. There can be keyloggers on them and easily get access to your mail and other simple password protected sites (not bank acc though).

[Mr Unix]

This is called public key encryption and you need a very very powerful computer to break the code in a reasaonable time. Not many people have access to such machines. If this wasn't the case the internet business would not be around.

Well... Actually you don't need to go brute force on SSL. If you're able to access the gateway (or if you're able to make the victims machine access your machine instead of the gateway) then your gateway could be modified as a l7-firewall, which means that it is able to perform your certificate exchange. If the gateway is exchanging your certificates, everything you are sending encrypted can be decrypted by the gateway.

 

There's a reason why some things regarding "internet business" aren't shipped via internet. ;)

[Scumbag]

Well... Actually you don't need to go brute force on SSL. If you're able to access the gateway (or if you're able to make the victims machine access your machine instead of the gateway) then your gateway could be modified as a l7-firewall, which means that it is able to perform your certificate exchange. If the gateway is exchanging your certificates, everything you are sending encrypted can be decrypted by the gateway.

 

There's a reason why some things regarding "internet business" aren't shipped via internet. ;)

As I understand it they could only get the public key. You need the private key to decrypt anything that you send. Once encrypted not even the computer that encrypted it can decrypt it. Are you saying the the gateway encrypts the data?

[Mr Unix]

Yeah because any Thai's with the expertise and knowledge to mount this kind of attack are going to be sitting in Starbucks nickle and diming people with a packet sniffer instead of working as a high end pen-tester or at an office job in Bangkok.

Really? So they do have locals with that knowledge? Strange thing, because I have to work for companies in that area quite often. One would think that they'd rather hire locals than farangs...

 

Why must the "bad guys" always be the locals? ;) And have you ever thought about what the "good guys" are up to in their off time? ;)

 

Just because you are not paranoid, does not mean that they are not out to get you...

[Mr Unix]

As I understand it they could only get the public key. You need the private key to decrypt anything that you send. Once encrypted not even the computer that encrypted it can decrypt it.

Not in the case of (Open)SSL.

 

Are you saying the the gateway encrypts the data?

In the given scenario of SSL, the gateway could de- and encrypt your data. I remember some companies where this is the default behaviour, because they want to check for incoming viruses not only on HTTP, but also on HTTPS.

 

If you want to be sure, there is still IPSEC left. I haven't seen a l7 filter that gets past IPSEC, but that doesn't mean IPSEC would be secure. There are various thoughts about replay and attacks and weaknesses in the IKE implementation.

[lincslad]

I've found that TK2234 hypo-tech and PVV7 via script are the new methods used by hackers. WPSCCR and KLP099F are out dated now although 2f hoofla woofla viruses still exist. KPN in S6 and S7 versions will also be available shortly along with ZZ256L arriving mid 2010 in NDDQ3 form.

[caltexman]

Yep i agree.

 

Buggered if i understood all that stuff but it sure sounds good.

[whitespider - RIP]

Can the guys who clearly know about this get back to the original statement - Id like to know, not being "moddy"

 

Is it specifically WiFi that is the risk (as the OP claims) or it is possible/improbable on all connections.

[Scumbag]

If you are using a wireless network at home a good idea to to enter all the MAC addresses of the machines you want to be able to connect to the network into the router. That way no unauthorised computers can log onto your network.

[whitespider - RIP]

If you are using a wireless network at home a good idea to to enter all the MAC addresses of the machines you want to be able to connect to the network into the router. That way no unauthorised computers can log onto your network.

 

 

No, this does not help. Even script kiddies can deal with this.

 

At the moment my daughters machine is hardwired in and I am on Wifi to the same router.

 

Would it be (any) safer to switch this round? She only uses msn and Youtube basically.

[layow]

with banking or other important shit

you a supposed to write the full addy....

http.//.www.bankforyou.com.FO. into the addy box

not a bookmark as katandmilo mentioned

[Mr Unix]

Do you know anyone who would brush the cheetos off his lap long enough to actual GO OUT, sit in the field and do this? For what? That's what botnets are for.

I know some guys that are up to all kinds of weird experiments, like setting up a fully automated system, just to proof that it can be done. Actually two of them are located in south east asia. On the other hand: Those people aren't after your money...

 

The people that have the ability to launch the high end attacks are either A. White hat, or B. going after big enough fish to make the time and risk worth their while. ie. NOT your condo.

For LOS that is true indeed.

[Scumbag]

No, this does not help. Even script kiddies can deal with this. WPA2 can be cracked, but it's not that widespread yet.

I don't think you understand what I am saying. I am talking about making it so that unautorised machines can not log onto the router. It doesn't matter if they have cracked your code. It is a setting on the router that you need to be able to log on to change. If you can connect to the router you can't log on to change the settings. Maybe not all routers have the setting but mine does. Only 3 computers are able to log onto my network and this is defined by their MAC addresses not a secret code. MAC addresses are hard-wired into your wireless network card.

[el_jefe]

There's nothing more funny than the self-rightous "expert" who is so quick to insult others. Before you embarass yourself further, maybe you need to get more up to date yourself:

 

"Man-in-the-middle attack sidesteps SSL"

http://www.securityfocus.com/brief/910

 

... and about a zillion other references on the net.

 

There's always new tricks & traps to watch out for, and the whole point of a forum like this is raise awareness.

 

And even if you really, really do need to disagree with me, why on earth do you feel so compelled to be so mean spirited about it?

-Smelly

Man in the middle attacks like these are old old news - not saying a warning is not good but this is not something new.

 

 

Once again, not using an encrypted site by being duped, but this has nothing to do with WiFi, or any other medium for that matter, being so vulnerable to attack.

 

Your response only agrees with my own statement, that SSL encryption is the issue, NOT the WiFi.

 

To give an example, if someone on your wired network is able to convince you they are your gateway or able to provide DNS addresses to you, they can make you think their machine is the server and thereby get in "the middle"

 

Well... Actually you don't need to go brute force on SSL. If you're able to access the gateway (or if you're able to make the victims machine access your machine instead of the gateway) then your gateway could be modified as a l7-firewall, which means that it is able to perform your certificate exchange. If the gateway is exchanging your certificates, everything you are sending encrypted can be decrypted by the gateway.

 

I think if they are able to access the server's gateway, dirtbags like us have no need to worry - they will have bigger people to steal from

 

The other thing is no matter how these attacks pan out, either your browser will show you are using only 'http' or yes, for man in the middle will show https, but you will get a warning that either the server's certificate could not be verified or it's invalid or unknown certifying authority. Basically the server needs to present the browser with a certificate and the browser uses a set of well known certifying authorities to check the certificate is right. You cannot spoof these as you would need their private keys to spoof the browser since it has their public keys.

If you can get someone to install your browser, then it's all over because you seed the set of certifying authorities.

Edited April 9, 2009 by el_jefe

[Mr Unix]

Only 3 computers are able to log onto my network and this is defined by their MAC addresses not a secret code. MAC addresses are hard-wired into your wireless network card.

802.11 (wireless networks) are using MAC adresses indeed, but on a software layer. Even if you are restricted to Windows systems, you can change the MAC adress directly on your eeprom chip. On systems like Linux you are able to change the MAC address as you wish without having to access the eeprom chip at all.