Unencrypted wi-fi links

[whiteoaks7]

Being a programmer means I get asked questions about IT all the time. Explaining that the two things are really distinct disciplines doesn't help. The lastest question is about using unencrypted wi-fi to do your banking on line - is it safe because the bank site is encrypted?

I think not - as I understand it the bank website cannot begin its encyption handshaking until after the user name and password have been sent by you - over the unencrypted link. So anyone watching can capture the logon details.

But am I right?

Incidentally, McAfee are now suggesting that even WPA is crackable unless strong passwords are used (at least 6 characters and a jumble of upper and lower case letters and numbers); and WEP is now easy to crack with software you can download from the web.

 

[rickp]

[ QUOTE ]
I think not - as I understand it the bank website cannot begin its encyption handshaking until after the user name and password have been sent by you - over the unencrypted link. So anyone watching can capture the logon details.

But am I right?

[/ QUOTE ]

If the website is using SSL (ie. https:// with the padlock shown) then the encryption is negotiated before any details are passed to the website. In that instance, the username and password are encrypted as they are sent. SSL encryption is pretty strong, cryptographically speaking but there is an albeit very very small risk of a 'man in the middle' attack.

Rick

 

[whiteoaks7]

Thanks - interestingly the more I read up on wireless vulnerability the more nervous I get. Suddenly end to end encryption like you say the banks are using seems the least likely to successfully attacked - general unencrypted transactions seem far more vulnerable!!!!!

 

[wooslehunter]

I'm no expert either but WEP can be cracked.

I saw a program on TV a year ago or so where the crew sat outside someone's house with a laptop. After a while they had received enough data packets from the guys wifi to crack the WEP key. Soon after, the knocked on the door & presented the guy with a whole load of info, incluing his credit card & bank details. They'd had to search around for a wi-fi that was active enough though.

WEP is not secure.

But, it does take someone intent on cracking it and enough data traffic to do so.

 

[Marsupial]

my understanding is that if you run on linux then most microsoft security is invisible, plus there are now sharewares that will break 128wep in minutes - this has all been demonstrated to my satisfaction by colleagues and students engaged in our network essentials course - so IMHO wifi security is very suspect.

 

[shmoo]

There really is no secure and practical encryption for long, formulaic and structured messages. Really secure encryption raises difficult key distribution issues and so is seldom used by ordinary folks.

For long, formulaic and structured messages (such as between people and banks) it is just a matter of how well resourced the bad people are. Well resourced bad people, such as a government, with lots of time, and a what they perceive as a good reason to read your messages, will read them.

The Internet is a post card, not a letter.

 

[MikeBz]

You'd be daft to send critically private data (like passwords for your bank account) unencrypted over WiFi (whether WEP is on or not IMHO), and you'd also be daft to send the same critical stuff unencrypted across a wired connection - who's to say that there's noone else on the wired network with a packet sniffer? That's the point of SSL/https, the encryption is completely end-to-end.

Mike

 

[Steve Clayton]

[ QUOTE ]
Suddenly end to end encryption like you say the banks are using seems the least likely to successfully attacked

[/ QUOTE ]
Banks, Goverment Agencies, etc use accredited (tested kit); just do a google on common criteria and you'll see what I mean; as a minimum double, and sometimes triple firewall systems are employed, 2 different AV systems. spyware analysis etc. Security criteria are normally to CESG and the Manual of Protective Security (MoPS) standards - but can go a lot higher.

 

[oughtoc]

There is no safe way, the trick is to be slightly harder to crack than your near neighbours, bad guys will take the easy targets and script kiddies go for open targets. You can never be secure, no matter what you try, if someone really wants your data rather than anyboady's data, they will get it - there are inventions galore to grab your traffic for later analysis and anything can be cracked with enough power. You take the same risk every time you do a credit card transaction, enter your pin number into a machine etc. Convenience makes the risk worth taking for most people

 

[stevebrassett]

My wi-fi is set up to only allow access from certain MAC addresses, and I believe that this is extremely secure - am I deluding myself?

 

[shmoo]

Snoop the data link level exchanges or the arp packets, learn an authorized MAC address and spoof that. 5 minutes.

 

[Marsupial]

YES - but it would take a determined attack to succeed

 

[oughtoc]

Yep, deluded sorry. I can spoof a mac address on my laptop in about two minutes - it's how we replace LAN cards without having to clear the cached networking route information (arpcache for the techies). But again, makes the script kiddies and bored types look somewhere else.

 

[shmoo]

if you need to do it. this wireless packet sniffer is free...

http://www.tamos.com/products/commwifi/wifi-sniffer.htm

(notice the MAC addresses in the display)

 

[stevebrassett]

B*gg*r. Still, it stops the casual user nicking my broadband.

 

[Phoenix of Hamble]

yup...

Two guys running barefoot through the jungle, being chased by a tiger....

One stops and starts putting his trainers on.... his mate says "don't be stupid... you'll never outrun a tiger..."

He replies... " I don't need to.... just need to outrun you......"

Moral.... as Grub says.. there is no such things as foolproof security.... but you don't need it... all you need is enough security to make the baddies go try somewhere easier....

If you do the basics like hide your SSID, encrypt your traffic properly between your device and wireless router, only use SSL secured sites for any credit card transaction... never send details such as card numbers, pin numbers etc etc via e-mail, keep your AV up to date, along with regular system scans, avoiding the dodgier sites, and keep your machine patched, you'll probably be 'not worth the hassle' and they'll go try the guy next door that hasn't even heard of WEP....

 

[st599]

[ QUOTE ]
My wi-fi is set up to only allow access from certain MAC addresses, and I believe that this is extremely secure - am I deluding myself?

[/ QUOTE ]

You can get the MAC addresses on a network using a network analyzer (e.g. Wireshark: http://www.wireshark.org/).

Plenty of programs will crack WEP in minutes - I test my networks with wxWEPLAB:

As for the MarineWiFi link - very nice - if you happen to be in the US where 400mW is allowed - illegal in the UK and EU.

 

[gandy]

For enterprise wireless LANs we typically use schemes that issue separate encryption keys for each station, and change them every few minutes (along with some other attributes).

For home wireless LANs, I had understood that WPA was significantly better than static WEP. Anyone able to comment on that?

 

[rickp]

Yes, WPA is far better than WEP and WPA2 is better than WPA.

Rick

 

[shmoo]

[ QUOTE ]

For enterprise wireless LANs we typically use schemes that issue separate encryption keys for each station, and change them every few minutes (along with some other attributes).


[/ QUOTE ]

This effectively lengthens the key, which makes it harder to break. By no means computationally intractable though.

Just need to find the the flaws in the algorithm that selects the changed keys. If you are changing a lot of keys quite frequently the flaws will emerge quite quickly.