WiFi internet hacking warning - always use ADSL instead!

[el_jefe]

I don't think you understand what I am saying. I am talking about making it so that unautorised machines can not log onto the router. It doesn't matter if they have cracked your code. It is a setting on the router that you need to be able to log on to change. If you can connect to the router you can't log on to change the settings. Maybe not all routers have the setting but mine does. Only 3 computers are able to log onto my network and this is defined by their MAC addresses not a secret code. MAC addresses are hard-wired into your wireless network card.

 

mac addresses can be spoofed pretty easily.

[Scumbag]

http://blog.wired.com/27bstroke6/2009/03/u...litary-con.html

Some people don't deserve to live!!!!

[el_jefe]

Some people don't deserve to live!!!!

 

Your harsh! why not be more humane and let him work 2 gloryholes in boyztown for a while first?

[noodles]

I've found that TK2234 hypo-tech and PVV7 via script are the new methods used by hackers. WPSCCR and KLP099F are out dated now although 2f hoofla woofla viruses still exist. KPN in S6 and S7 versions will also be available shortly along with ZZ256L arriving mid 2010 in NDDQ3 form.

 

 

I believe the ZZ256L has already arrived.

[prak]

Can the guys who clearly know about this get back to the original statement - Id like to know, not being "moddy"

 

Is it specifically WiFi that is the risk (as the OP claims) or it is possible/improbable on all connections.

All internet connections can be subject to the "man in the middle" attack. Anyone with access to the cables, routers, switches, etc in between your computer and the web server you're connecting to could possibly setup this type of attack.

 

For example at a hotel that has wired connections, you have to have trust that the hotel employees are not setting up computers that listen in, or redirect your internet traffic. This is unlikely being that someone would have to have a computer physically connected the hotel's network to do so.

 

Wifi connections however, offer no such physical boundaries. A wifi connection with no encryption, or easily breakable WEP encryption can be easily hijacked by a person with a laptop nearby. They will be able to pass all your internet traffic through their laptop, then onto the internet and back. They can both listen in, and change traffic on-the-fly, all with easily installed, freely downloadable tools that require only moderate technical knowledge. A person could be doing this to many connections at one time, without ever having to touch the laptop, just sit and wait for passwords to be collected.

 

You should be able to protect yourself, though, with a little knowledge. AFAIK, SSL encrypted connections (a url that start with https://, the little lock in your browser, etc) cannot be easily broken, but can be easily faked, which is how this attack works.

 

1 - Make sure your windows (or whatever) is updated.

 

2 - Make sure you are using an up-to-date browser. IE has had some notorious SSL exploits in the past that make life easy for hackers.

 

3 - Don't ignore browser warnings! Don't just click "OK" if your browser says that the name on the security certificate doesn't match, or the signing authority isn't recognized, or something like that. This means that you could be being spoofed. If you see any warnings when going to a secure page - don't log in. Go find a different internet connection.

 

4 - Don't trust the little lock on your screen. That just tells you that your talking securely, but it doesn't tell you who your talking to. Look at the certificate (click on the little lock, or view certificate, etc) before you log in. View the certificate for your bank from your home computer (or trusted location), the information should be the same wherever you view it in the world, if its different, find another internet connection.

 

The above only applies to secure web pages, any non-secure web pages can be easily read on most wifi connections.

 

If any tech gurus know of something that can forge certificates with proper common names and trusted CA's, or if SSL can be on-the-fly decrypted, then please let me know. AFAIK, neither is feasible at the moment.

[SmellyFarang]

As I understand it they could only get the public key. You need the private key to decrypt anything that you send. Once encrypted not even the computer that encrypted it can decrypt it. Are you saying the the gateway encrypts the data?

 

Plus there have been issues in the past with bugs in the various encryption software packages. For example, the venerable Pretty Good Privacy (PGP) software had a bug from 1997-2000 that allowed hackers to "read any encrypted messages they intercepted"

http://www.out-law.com/page-944

-Smelly

[SmellyFarang]

A lot of great info from a lot of good sources. Thanks to everyone for fleshing out this thread, and especially for the clarifications regarding various security & hacking techniques versus the actual connection type (wired vs wireless).

 

I still feel that an ADSL wired connection is a smarter way to go instead of Wi-Fi when you can, especially if you're dealing with more sensitive business or personal data. But I didn't mean to imply that a wired connection made all the risks go away or was a substitute for other protection like VPNs, etc.

 

The bottom line, at least from my perspective, is the same as we often see forum members warning other readers:

"be careful out there"

-Smelly

[Grumpy]

Cool/weird hacks: There have been proof of concept keystroke recording hacks using both the SOUND of the keys on your keyboard being pressed (long range parabolic mic), and using a laser beam bounced off the lid of a laptop- it bounces slightly differently depending which key you press.

 

So yeah, you are pretty much screwed in the future

 

Yessir I agree, that's why I'm up to my eyeballs in tech right now...so when it all comes crashing down I'll not feel like I missed out on anything.

 

In other news, I've seriously started researching survival methods and ways to thrive if and when technology breaks down...it's a hobby...that's what I tell those paranoid voices I keep hearing.

[layow]

Plus there have been issues in the past with bugs in the various encryption software packages. For example, the venerable Pretty Good Privacy (PGP) software had a bug from 1997-2000 that allowed hackers to "read any encrypted messages they intercepted"

 

97-00!!!!! you know its 09?

its been a good thread sm

but really clutching at straws there.

[waterboo]

My first trip I stayed in one of Dancewatcher's condos for four months and used his ADSL and brought my own computer. I did all my online banking. Second trip only had WiFi but didn't trust it. I stayed five months and used the connection in the internet shop downstairs. Never had any problems.

[gogo dog]

Cool/weird hacks: There have been proof of concept keystroke recording hacks using both the SOUND of the keys on your keyboard being pressed (long range parabolic mic), and using a laser beam bounced off the lid of a laptop- it bounces slightly differently depending which key you press.

 

So yeah, you are pretty much screwed in the future

Just set up a mobile discotheque in your room. The flashing lights & thumping bass beats will easily defeat this kind of attack.

[gogo dog]

My first trip I stayed in one of Dancewatcher's condos for four months and used his ADSL and brought my own computer. I did all my online banking. Second trip only had WiFi but didn't trust it. I stayed five months and used the connection in the internet shop downstairs. Never had any problems.

Do the View Talay condos use open WiFi, WEP or WPA?

[SmellyFarang]

97-00!!!!! you know its 09?

its been a good thread sm

but really clutching at straws there.

 

Not clutching, just providing a real-world example of how easy it is to have a false sense of security (like Prak's great example of IE's history of SSL exploits).

 

Of course since it is '09, I guess we can safely assume all the bugs have been fixed by now ;)

-Smelly

[SmellyFarang]

A final tidbit of trivia to retire this thread:

 

The latest video cards from ATI & NVIDIA have GPUs that deliver near-supercomputer performance, especially when used in parallel - a fact that caught the attention of some zaney, crafty Russians at ElcomSoft. They now sell a $599 "password recovery" product that uses those GPUs to crack even the newer WiFi encryption standards 10,000% faster (hours instead of months).

 

"WiFi is no longer a viable secure connection"

http://www.scmagazineuk.com/WiFi-is-no-lon...article/119294/

 

Or just Google ElcomSoft for lots more interesting reading.

 

Sleep tight everyone

-Smelly

[el_jefe]

A final tidbit of trivia to retire this thread:

 

The latest video cards from ATI & NVIDIA have GPUs that deliver near-supercomputer performance, especially when used in parallel - a fact that caught the attention of some zaney, crafty Russians at ElcomSoft. They now sell a $599 "password recovery" product that uses those GPUs to crack even the newer WiFi encryption standards 10,000% faster (hours instead of months).

 

"WiFi is no longer a viable secure connection"

http://www.scmagazineuk.com/WiFi-is-no-lon...article/119294/

 

Or just Google ElcomSoft for lots more interesting reading.

 

Sleep tight everyone

-Smelly

 

up to 1,000 x faster? where does it say that? it says on their website you can use up to something like 10,000 machines with 64 cores and 4 nvidia cores each. Do you know how much that would cost? Even google uses only about 100,000 cores to create their web indexes (more precisely to invert their webmap). 64 core machines are not commodity so are expensive.

 

but here they are talking about dictionary attacks anyway.

 

This is clearly some kind of PR.

Edited April 11, 2009 by el_jefe

[Grumpy]

A final tidbit of trivia to retire this thread:

 

The latest video cards from ATI & NVIDIA have GPUs that deliver near-supercomputer performance, especially when used in parallel - a fact that caught the attention of some zaney, crafty Russians at ElcomSoft. They now sell a $599 "password recovery" product that uses those GPUs to crack even the newer WiFi encryption standards 10,000% faster (hours instead of months).

 

"WiFi is no longer a viable secure connection"

http://www.scmagazineuk.com/WiFi-is-no-lon...article/119294/

 

Or just Google ElcomSoft for lots more interesting reading.

 

Sleep tight everyone

-Smelly

 

Oh Jeez AGAIN? You read an article or two and now it's time to scare us with the news.

 

It's just a Brute Force attack using commercial software.

 

This is the same method that most would use against hard wired routers, VPNs, etc. Whether it is 10-100-1000X faster or not, it is not simply a turn key solution to destroying the worlds computer security. It simply isn't reasonable to expect anyone to attack an individual with this level of sophistication/amount of time needed unless there was a relative assurance of something lucrative to gain.

 

The use of GPUs don't deliver anything near-supercomputer performance (We talkin' CRAY-II or somethin'?) and the speeds they're claiming, especially when concerning breaking wireless passwords would be SEVERELY RETARDED by the speed at which the router would be able to deal with these new client requests. The claim of '2000' password attempts per second (re their website) would simply not be possible through a consumer wireless router...even with the correct passwords, MANY routers take a few seconds to acknowledge and reply...which totally defeats ANY ADVANTAGE such software would have, really.

 

Live in fear if you want...or download the programs and play with them:

 

http://thepiratebay.org/torrent/3700056/El...t_-_All-In-One_

 

Maybe I've already got your password, Smelly...OooOOoooo

Edited April 11, 2009 by Grumpy

[SmellyFarang]

Maybe I've already got your password, Smelly...OooOOoooo

 

Me thinks somebody needs a hug. Come're big guy! Don't fight it ... you know you want it!