Unencrypted wi-fi links

whiteoaks7

New member
Joined
29 Nov 2002
Messages
570
Location
South Wales, UK
www.seasolutions.co.uk
Being a programmer means I get asked questions about IT all the time. Explaining that the two things are really distinct disciplines doesn't help. The lastest question is about using unencrypted wi-fi to do your banking on line - is it safe because the bank site is encrypted?

I think not - as I understand it the bank website cannot begin its encyption handshaking until after the user name and password have been sent by you - over the unencrypted link. So anyone watching can capture the logon details.

But am I right?

Incidentally, McAfee are now suggesting that even WPA is crackable unless strong passwords are used (at least 6 characters and a jumble of upper and lower case letters and numbers); and WEP is now easy to crack with software you can download from the web.
 

rickp

Active member
Joined
10 Nov 2002
Messages
5,913
Location
New Zealand
Visit site
[ QUOTE ]
I think not - as I understand it the bank website cannot begin its encyption handshaking until after the user name and password have been sent by you - over the unencrypted link. So anyone watching can capture the logon details.

But am I right?

[/ QUOTE ]

If the website is using SSL (ie. https:// with the padlock shown) then the encryption is negotiated before any details are passed to the website. In that instance, the username and password are encrypted as they are sent. SSL encryption is pretty strong, cryptographically speaking but there is an albeit very very small risk of a 'man in the middle' attack.

Rick
 

whiteoaks7

New member
Joined
29 Nov 2002
Messages
570
Location
South Wales, UK
www.seasolutions.co.uk
Thanks - interestingly the more I read up on wireless vulnerability the more nervous I get. Suddenly end to end encryption like you say the banks are using seems the least likely to successfully attacked - general unencrypted transactions seem far more vulnerable!!!!!
 

wooslehunter

Active member
Joined
31 Oct 2002
Messages
1,959
Location
Hants, UK
Visit site
I'm no expert either but WEP can be cracked.

I saw a program on TV a year ago or so where the crew sat outside someone's house with a laptop. After a while they had received enough data packets from the guys wifi to crack the WEP key. Soon after, the knocked on the door & presented the guy with a whole load of info, incluing his credit card & bank details. They'd had to search around for a wi-fi that was active enough though.

WEP is not secure.

But, it does take someone intent on cracking it and enough data traffic to do so.
 

Marsupial

New member
Joined
5 Jul 2004
Messages
2,025
Visit site
my understanding is that if you run on linux then most microsoft security is invisible, plus there are now sharewares that will break 128wep in minutes - this has all been demonstrated to my satisfaction by colleagues and students engaged in our network essentials course - so IMHO wifi security is very suspect.
 

shmoo

New member
Joined
23 May 2005
Messages
2,136
Location
West Cornwall
Visit site
There really is no secure and practical encryption for long, formulaic and structured messages. Really secure encryption raises difficult key distribution issues and so is seldom used by ordinary folks.

For long, formulaic and structured messages (such as between people and banks) it is just a matter of how well resourced the bad people are. Well resourced bad people, such as a government, with lots of time, and a what they perceive as a good reason to read your messages, will read them.

The Internet is a post card, not a letter.
 

MikeBz

Well-known member
Joined
22 Aug 2005
Messages
1,560
Location
East Anglia
Visit site
You'd be daft to send critically private data (like passwords for your bank account) unencrypted over WiFi (whether WEP is on or not IMHO), and you'd also be daft to send the same critical stuff unencrypted across a wired connection - who's to say that there's noone else on the wired network with a packet sniffer? That's the point of SSL/https, the encryption is completely end-to-end.

Mike
 

Steve Clayton

New member
Joined
22 May 2003
Messages
7,478
Location
Benitachell - Spain
www.aloeland.co.uk
[ QUOTE ]
Suddenly end to end encryption like you say the banks are using seems the least likely to successfully attacked

[/ QUOTE ]
Banks, Goverment Agencies, etc use accredited (tested kit); just do a google on common criteria and you'll see what I mean; as a minimum double, and sometimes triple firewall systems are employed, 2 different AV systems. spyware analysis etc. Security criteria are normally to CESG and the Manual of Protective Security (MoPS) standards - but can go a lot higher.
 

oughtoc

New member
Joined
25 Feb 2007
Messages
223
Location
Cheshire, UK
Visit site
There is no safe way, the trick is to be slightly harder to crack than your near neighbours, bad guys will take the easy targets and script kiddies go for open targets. You can never be secure, no matter what you try, if someone really wants your data rather than anyboady's data, they will get it - there are inventions galore to grab your traffic for later analysis and anything can be cracked with enough power. You take the same risk every time you do a credit card transaction, enter your pin number into a machine etc. Convenience makes the risk worth taking for most people
 

stevebrassett

Well-known member
Joined
26 Jul 2004
Messages
3,573
Location
Herts
Visit site
My wi-fi is set up to only allow access from certain MAC addresses, and I believe that this is extremely secure - am I deluding myself?
 

oughtoc

New member
Joined
25 Feb 2007
Messages
223
Location
Cheshire, UK
Visit site
Yep, deluded sorry. I can spoof a mac address on my laptop in about two minutes - it's how we replace LAN cards without having to clear the cached networking route information (arpcache for the techies). But again, makes the script kiddies and bored types look somewhere else.
 

Phoenix of Hamble

Active member
Joined
28 Aug 2003
Messages
20,968
Location
East Coast
mishapsandmemories.blogspot.com
yup...

Two guys running barefoot through the jungle, being chased by a tiger....

One stops and starts putting his trainers on.... his mate says "don't be stupid... you'll never outrun a tiger..."

He replies... " I don't need to.... just need to outrun you......"

Moral.... as Grub says.. there is no such things as foolproof security.... but you don't need it... all you need is enough security to make the baddies go try somewhere easier....

If you do the basics like hide your SSID, encrypt your traffic properly between your device and wireless router, only use SSL secured sites for any credit card transaction... never send details such as card numbers, pin numbers etc etc via e-mail, keep your AV up to date, along with regular system scans, avoiding the dodgier sites, and keep your machine patched, you'll probably be 'not worth the hassle' and they'll go try the guy next door that hasn't even heard of WEP....
 

st599

Well-known member
Joined
9 Jan 2006
Messages
7,530
Visit site
[ QUOTE ]
My wi-fi is set up to only allow access from certain MAC addresses, and I believe that this is extremely secure - am I deluding myself?

[/ QUOTE ]

You can get the MAC addresses on a network using a network analyzer (e.g. Wireshark: http://www.wireshark.org/).

Plenty of programs will crack WEP in minutes - I test my networks with wxWEPLAB:
wxWepLab02.jpg


As for the MarineWiFi link - very nice - if you happen to be in the US where 400mW is allowed - illegal in the UK and EU.
 

gandy

Active member
Joined
24 Aug 2004
Messages
3,404
Location
Aberdeenshire (quite far from the Solent)
Visit site
For enterprise wireless LANs we typically use schemes that issue separate encryption keys for each station, and change them every few minutes (along with some other attributes).

For home wireless LANs, I had understood that WPA was significantly better than static WEP. Anyone able to comment on that?
 

shmoo

New member
Joined
23 May 2005
Messages
2,136
Location
West Cornwall
Visit site
[ QUOTE ]

For enterprise wireless LANs we typically use schemes that issue separate encryption keys for each station, and change them every few minutes (along with some other attributes).


[/ QUOTE ]

This effectively lengthens the key, which makes it harder to break. By no means computationally intractable though.

Just need to find the the flaws in the algorithm that selects the changed keys. If you are changing a lot of keys quite frequently the flaws will emerge quite quickly.
 
Top