- Public Access WIFI Security
- Posted by teh Mephisto on September 29th, 2005
For those of you that don't know, Dartmouth College is the first college
to go totally wireless. I'm sure many of you have been to a coffee shop
/book store (Barnes and Noble) and have seen that they offer public
access wifi hotspots. This means that you don't have to have a password
or pay anything to get connected.
Most of these places probably do not have any way of preventing
hijacking attempts. If I decided to go to my local Starbucks and set up
a fake wifi, there's nothing stopping me.
But I don't even have to do that to get your passwords. All I have to
do is throw up a packet sniffer and bam I have all of your email
passwords/website passwords. POP3 is an unencrypted protocol. WIFI
access points act as hubs. Unless everything is running SSL all of your
passwords are being sent out to everyone connected to that WIFI access
point.
I'm telling you this to inform those of y'all who don't already know, and
to ask a question to those of you who are in the profession and know
everything there is to know about wifi.
What is stopping me from going to Barnes and Noble, firing up Ethereal,
and getting everyone's passwords for email/websites? Is there a way to
disconnect a computer that shows signs of running a packet sniffer? Is
there even a way to tell that a computer is running a packet sniffer?
This is something you might expect to see at Defcon or Blackhat but
probably not in your local Starbucks. Next time you are there, think
about the security risks and don't check your email or visit a site that
requires you to have a password unless you send it via SSL (Gmail,
banking sites, etc).
I am cross-posting to get as many opinions/answers as possible.
Thank you for your time
--
Meph
- Posted by Imhotep on September 29th, 2005
teh Mephisto wrote:
Pretty much common knowledge (at least in this newsgroup)....
Im
- Posted by Jeff Liebermann on September 29th, 2005
On Thu, 29 Sep 2005 01:06:19 GMT, teh Mephisto <dont.worry@bout.it>
wrote:
Most sane users do not poll for email with pop3. They use a VPN
tunnel provided by their ISP, a VPN tunnel provided by the hot spot
service company (i.e. Boingo), TLS (transport layer security), or web
mail using SSL encryption.
Anyone in the profession that claims to know everything, doesn't.
Not much. It's a well-known problem. Just about any web site that
mumbles about wireless security mentions that polling for email via an
unencrypted wireless link is asking for trouble.
Users can be blocked by MAC address or IP address at the wireless
router. There are IDS (intrusion detection systems) that look for
abuse and automagically isolate the offenders. For example:
http://snort-wireless.org
It is fairly easy to detect if a user is sniffing. I have a trick
that detects if a wireless device is in promiscuous mode (required for
sniffing), but it's marginally reliable and does not work with every
client. Search Google for "detect promiscuous mode" for how others
are doing the same thing. For example, a free and commercial
promiscuous mode scanner:
http://www.securityfriday.com/products/promiscan.html
I've used the free version to detect wireless sniffers.
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice Skype: JeffLiebermann
# http://www.LearnByDestroying.com AE6KS
# http://802.11junk.com
# jeffl@comix.santa-cruz.ca.us
# jeffl@cruzio.com
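Jeff mentions a trick for detecting a card in promiscuous mode and points at PromiScan. The following Python model is an added illustration of the ARP-probe idea behind such scanners (it is not Jeff's trick, nor PromiScan's code): a normal NIC only passes up frames addressed to its own MAC, the true broadcast address, or a subscribed multicast group, while a promiscuous NIC passes everything up, and a typical ARP responder only checks the target IP. An ARP request carried in a frame addressed to an "almost broadcast" MAC is therefore answered only by hosts whose filter is off. The host table, the MACs, and the `kernel_checks_dst_mac` and `passive_monitor` flags are constructed assumptions used to show why the result is only marginally reliable: stacks that also validate the destination MAC stay silent, and an 802.11 card in passive monitor mode never transmits at all.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
FAKE_BROADCAST = "ff:ff:ff:ff:ff:fe"   # "almost broadcast": a normal NIC filter drops it


@dataclass
class ArpRequest:
    dst_mac: str      # Ethernet destination of the frame carrying the request
    target_ip: str    # "who has target_ip?"


@dataclass
class Host:
    """Constructed model of one LAN host (hardware filter + kernel ARP responder)."""
    mac: str
    ip: str
    promiscuous: bool = False             # NIC passes every frame up to the kernel
    kernel_checks_dst_mac: bool = False   # assumption: some stacks also validate dst MAC
    passive_monitor: bool = False         # e.g. 802.11 monitor mode: listens, never sends
    multicast: set = field(default_factory=set)

    def nic_accepts(self, req: ArpRequest) -> bool:
        """Hardware-level filter: what a non-promiscuous card lets through."""
        if self.promiscuous or self.passive_monitor:
            return True
        return req.dst_mac in (self.mac, BROADCAST) or req.dst_mac in self.multicast

    def arp_reply(self, req: ArpRequest):
        """MAC returned in the ARP reply, or None if the host stays silent."""
        if not self.nic_accepts(req) or self.passive_monitor:
            return None
        if self.kernel_checks_dst_mac and req.dst_mac not in (self.mac, BROADCAST):
            return None
        # Typical responder: only the protocol (IP) address is checked
        return self.mac if req.target_ip == self.ip else None


def responders(hosts, dst_mac):
    """IPs that answer an ARP request for their own IP sent to dst_mac."""
    return [h.ip for h in hosts if h.arp_reply(ArpRequest(dst_mac, h.ip)) is not None]


def detect_promiscuous(hosts):
    """Hosts answering the fake-broadcast probe have their NIC filter switched off."""
    return responders(hosts, FAKE_BROADCAST)


if __name__ == "__main__":
    # Constructed sample LAN
    lan = [
        Host("02:00:00:00:00:10", "192.168.1.10"),
        Host("02:00:00:00:00:11", "192.168.1.11", promiscuous=True),
        Host("02:00:00:00:00:12", "192.168.1.12", promiscuous=True,
             kernel_checks_dst_mac=True),          # sniffing, but not detected
        Host("02:00:00:00:00:13", "192.168.1.13", passive_monitor=True),  # never answers
    ]
    print("answer a real broadcast ARP:", responders(lan, BROADCAST))
    print("flagged by the fake-broadcast probe:", detect_promiscuous(lan))
```

The control run with the real broadcast address shows which hosts answer ARP at all; the probe run then flags only those that also answer the malformed destination. The two false negatives in the sample (a stack that checks the destination MAC, and a card that only listens) are the reason Jeff rates the trick as only marginally reliable and not effective against every client.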
- Posted by teh Mephisto on September 29th, 2005
Jeff Liebermann wrote:
I think you give people too much credit. From what I have seen, most
people see "Wireless hotspot here" and go whoopee, I can get my email and
surf the web. I will guarantee you that you can go into any Starbucks,
ask how many people know what VPN or SSL are and probably about 1/4 of
them would be able to tell you, if that. Then they probably don't even
realize that everyone can see what they are doing on a wireless network.
--
Meph
- Posted by Hairy One Kenobi on September 29th, 2005
"teh Mephisto" <dont.worry@bout.it> wrote in message
news:iTI_e.11399$ua.515214@twister.southeast.rr.com...
Um.
In what way is this different than using any other publicly shared service?
Incidentally, and in case you hadn't noticed, the Internet itself is.. um..
a shared public service. Any privacy you happen to gain from someone else's
routing table is pretty much a side-benefit.
Coming up next.. blutooth it am teh sc4ry!!!1!!!
;o)
--
Hairy One Kenobi
Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!
- Posted by bobrics on September 29th, 2005
Hi,
Could you please provide some reference material (websites or group
messages) describing HOW to set up a secure wireless connection and
more secure ways of using public hotspots.
Thank you
- Posted by Leo Fellmann on September 29th, 2005
teh Mephisto wrote:
Wossat mean? Every single computer in every lab connected with wifi (
are they stupid? ) or just total wifi coverage?
I'm sure many of you have been to a coffee shop
VPN. VPN is how you do wireless security.
- Posted by teh Mephisto on September 29th, 2005
Leo Fellmann wrote:
I don't know about every single computer in every lab but I do know they
are completely wireless.
--
Meph
- Posted by teh Mephisto on September 29th, 2005
Hairy One Kenobi wrote:
Now that everyone uses switches, it's a lot better than it used to be.
WIFI is still run just like a hub, where everyone connected can see
everything you are doing.
Sure there are still some hubs around but no one's stupid enough to put
them up where it really matters.
--
Meph
- Posted by Jeff Liebermann on September 29th, 2005
On Thu, 29 Sep 2005 15:42:35 GMT, teh Mephisto <dont.worry@bout.it>
wrote:
Not exactly. Wireless 802.11 is bridging. A bridge is a 2 port
switch. It only lets traffic across the bridge that has a destination
MAC address that's known to be on the other side of the bridge. Also,
broadcasts go everywhere. With a hub, access to one port gave me
access to all the traffic since the hub was just a repeater. With a
switch, sniffing one port only gives access to that port's traffic.
It's the same with wireless except that wireless shares a common
medium (air space) and allows all the bridged/switched connections to
be simultaneously sniffed. I guess one could say this is something
like a hub, but it's still bridging.
You'll be surprised what I find floating around some networks. The old
hubs just don't seem to completely disappear and are often more
convenient to use than to purchase a proper switch. I use hubs for
sniffing ethernet, but that's not a common application.
--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
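Jeff's hub / switch / wireless-bridge distinction is easy to get wrong, so here is an added Python model of who receives a frame in each case (constructed for this thread, not code from any of the posters). A hub repeats every frame to every other port; a learning switch remembers the port each source MAC was seen on and forwards only there, flooding broadcasts and unknown destinations; an access point applies the same learning-bridge rule to decide what crosses to its wired port, but every frame it transmits or receives over the air is heard by every radio in range. Port names, station names and MACs are constructed sample values.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC
    dst: str   # destination MAC


class Hub:
    """Repeater: a frame entering one port is copied to every other port."""
    def __init__(self, ports):
        self.ports = set(ports)

    def observers(self, frame, in_port):
        return self.ports - {in_port}


class Switch:
    """Learning bridge: forwards to the port where dst was last seen as a
    source; broadcasts and not-yet-learned destinations are flooded."""
    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}          # MAC -> port, learned from source addresses

    def observers(self, frame, in_port):
        self.table[frame.src] = in_port
        out = self.table.get(frame.dst)
        if frame.dst == BROADCAST or out is None:
            return self.ports - {in_port}
        return set() if out == in_port else {out}


class AccessPoint:
    """802.11 AP: the learning-bridge rule decides what crosses to the wired
    port, but the radio side is a shared medium, so every associated station
    hears every frame that goes over the air, whoever it is addressed to."""
    def __init__(self, stations, wired_port="wire"):
        self.stations = set(stations)
        self.wired_port = wired_port
        self.table = {}

    def observers(self, frame, in_port):
        self.table[frame.src] = in_port
        out = self.table.get(frame.dst)
        flood = frame.dst == BROADCAST or out is None
        heard = set()
        if in_port in self.stations:
            heard |= self.stations - {in_port}      # uplink transmission is on the air
            if flood or out == self.wired_port:
                heard.add(self.wired_port)          # bridged onto the wire only if needed
        elif flood or out in self.stations:
            heard |= self.stations                  # downlink transmission is on the air
        return heard


if __name__ == "__main__":
    ap = AccessPoint(["s1", "s2", "s3"])
    print("s1 -> unknown wired host:", ap.observers(Frame("S1", "M"), "s1"))
    print("wired host -> s1:", ap.observers(Frame("M", "S1"), "wire"))
    print("s1 -> s2 (after s2 has spoken):",
          ap.observers(Frame("S2", "S1"), "s2") and ap.observers(Frame("S1", "S2"), "s1"))
```

The switch learns after one round trip and narrows delivery to a single port, which is why one switched port reveals only its own traffic; the access point narrows what reaches the wire in exactly the same way, yet the set of stations that can hear a frame never shrinks, which is Jeff's point that wireless behaves like a hub even though it is bridging.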
- Posted by Doc. on September 29th, 2005
teh Mephisto <dont.worry@bout.it> wrote in news:iUT_e.76499$Jp.2279820
@twister.southeast.rr.com:
Even the monitors?
SCNR :-)
Doc.
- Posted by Winged on September 30th, 2005
Doc. wrote:
a relatively secure solution. Tends to defeat intruders and listeners
fairly effectively. When coupled with wireless IDS to detect attack
attempts you can secure the network about as well as you can on a wired
connection.
Winged
- Posted by Hairy One Kenobi on September 30th, 2005
"teh Mephisto" <dont.worry@bout.it> wrote in message
news:LXT_e.76500$Jp.2279820@twister.southeast.rr.com...
<snip>
Erm, actually "they" do. Both genuine hubs and switches configured
for-a-purpose.
The purpose is usually the same sort of load balancing used by Windows
(NLBS, or WLBS as it used to be called). It uses MAC spoofing (MS borged a
company); this doesn't always work on particular Cisco switches, even when
they've been set to bridge ports (which is the other case you'll commonly
see. Damned hard to sniff or run an IDS without this sort of facility -
although you have to be careful that it can handle the sort of traffic that
you're likely to see, particularly if you're on/near the backbone.).
I have a military customer that ended up doing this - it was cheaper to
recycle an old hub than to buy a new switch that actually did what it was
supposed to (bearing in mind that the selected switch /should/ have had the
capabilities, but might have broken one of their other security rules.
They're a customer; they get to do it the way they want <shrug>)
These sorts of configs tend to be where you *really* need load-balancing
(i.e. at the very heart of "where it really matters")
In my case, I just have the two hubs - one sits on the Cable Modem
connection at home (so that I can simply plug-in a sniffer or firewall
tester); the other is my "network in a bag" that travels with me on-site. UK
companies generally don't let you plug into their networks, these days, so
it's a useful last resort for data transfer if we already have someone
there. Or if I end up running software that's licensed by MAC address -
modern laptops switch you between different NICs, which buggers all that up.
Must get around to making one of those "key" thingummies that you used to be
able to buy.
H1K
- Posted by SMS on September 30th, 2005
teh Mephisto wrote:
<snip>
That's why you always want to use VPN to connect via an unknown wireless
network.
Google now offers a free VPN service. Supposedly it's slightly less
secure than some of the paid VPN services but this is according to the
paid VPN services.
Some ISPs offer VPN as part of their plans. One reason I chose the ISP
that I chose is because they offer VPN at no extra charge.
- Posted by Leo Fellmann on September 30th, 2005
SMS wrote:
There's also nothing except lack of free time stopping you using, say,
openvpn to connect through a computer at home 
You are, I take it, talking about wireless ISPs?
- Posted by SMS on September 30th, 2005
Leo Fellmann wrote:
<snip>
No. Some ISPs offer VPN into their server whenever you are at a
wireless hot spot (and you can use it with wired as well, if you want).
For example, see: "http://www.sonic.net/features/vpn/". Most ISPs offer
this only to their business customers, at extra cost, but a few of the
better regional ISPs include it with every account.
There are some private companies offering VPN for a fee
(typically around $40-75 per year), but Google now offers it for free,
see "http://wifi.google.com/download.html". I guess the question is
whether or not you trust Google (or trust your ISP or the private VPN
services for that matter). Google offers it because they are rolling out
their own free wireless across the country, but it works with any hot spot.
- Posted by WifiFan on September 30th, 2005
Another company offering VPN for free is iPig, see
http://www.net-security.org/article.php?id=827
iPig comes with the iPig SERVER (also freeware), so you can set up your
own VPN server very easily. Thus the traffic is NOT routed via the
company's server.
iPig Server is MUCH easier to install than OpenVPN, basically you just
start the installer, add the user name and password you want to use,
and your private VPN server is ready to go.
- Posted by Mike Preston on September 30th, 2005
On 30 Sep 2005 13:33:31 -0700, in alt.internet.wireless you wrote:
Would somebody mind explaining a bit about these services to me? I'm
somewhat confused. It seems to me that if you are using, for example,
IPig's company's servers, you are sending information between the two
of you (between your computer and the IPig server) in an encrypted
manner. But once it gets there, it is decrypted and sent on its way
to its final destination. Hence, folks can still get your information
because it travels a part of the way in an unencrypted manner. Are
the Ipig servers clever enough to continue the encryption if the
eventual destination is also running an IPig server?
Obviously, the first 1/2 of the data's journey is much more vulnerable
when it travels over a wireless connection (wifi, 802.11g, etc.). So
for that purpose, using the company's servers (or Google's) makes a
lot of sense.
As for openVPN and, I would imagine, setting up an IPig server, one
can establish their own VPN with a minimum of hassle, it seems. But
I've got a funny situation and I'm wondering if I'm precluded from
doing this. And that is that my wifi provider uses private IP
addresses, not public ones. So, everybody from my wifi ISP appears to
be coming from the IP address that shows up in the headers of this
message. My router is set to a WAN address that begins with
192.168.x.x. (My LAN addresses are 192.168.y.x) If I have 3 computers
here, would setting up an IPig server at another location that is
permanently connected to the internet even work? It would seem I have
to be sending information to the IPig server saying that my address is
the public IP address and once it gets back to my ISP won't know who
to send it to. Obviously, the routers automatically take care of regular
HTTP-type communication. But as I understand the IPig configuration
file, my outbound communication includes my IP address.
So, I'm a bit confused.
Thanks
mike
- Posted by Jeff Liebermann on October 1st, 2005
On Fri, 30 Sep 2005 22:00:54 GMT, mbpatpas@pacbell.net.invalid (Mike
Preston) wrote:
Sure. In order to ensure wireless security, you're introducing a
middleman into the system. The typical wireless hot spot is not going
to terminate your VPN for you. The administrative overhead for
passwords and authentication is just too much. So, you hire a 3rd
party to do it for you.
A VPN encrypted "tunnel" is established between your wireless laptop
and the 3rd party VPN service. Everything that goes between your
laptop and this 3rd party is encrypted inside the tunnel. Anyone
sniffing the wireless traffic at the hot spot will see only encrypted
packets.
The 3rd party VPN service provider then decrypts the traffic and
shovels it to a proxy server (which regenerates the connections) and
relays the traffic on its way to wherever your mail servers are
located. This traffic is NOT encrypted and can be sniffed.
Note that this arrangement does NOT offer end-to-end encryption and is
therefore still at risk from anyone sniffing the wired part of the
connection. This constitutes a substantial improvement in security,
but end-to-end encryption by the mail service provider would be much
better.
--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
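Jeff's answer describes where the third-party VPN tunnel starts and stops, and why that is not end-to-end protection. The Python model below is an added illustration of that path (constructed for this thread, not code from Jeff, iPig, Google or any VPN provider): the laptop's traffic crosses the hot spot and reaches the provider inside the tunnel, the provider strips the tunnel and relays the traffic over the wired Internet in whatever form the application sent it, and only a second, end-to-end layer between the laptop and the mail server (TLS, or SSL webmail, as the thread puts it) keeps it unreadable on that last leg. The "cipher" is a toy XOR over an HMAC-SHA256 keystream standing in for the real VPN and TLS ciphers, and the keys and the sample POP3 line are constructed so that the run is repeatable.

```python
import hashlib
import hmac


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC-SHA256(key, label || counter), concatenated."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with the keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, label, len(data))))


VPN_KEY = b"constructed-vpn-key"   # shared by the laptop and the VPN provider only
TLS_KEY = b"constructed-tls-key"   # shared by the laptop and the mail server only


def deliver(message: bytes, use_vpn: bool, end_to_end: bool) -> dict:
    """Bytes visible at each observation point along the path."""
    # Optional end-to-end layer applied by the mail client itself
    payload = xor_stream(TLS_KEY, b"tls", message) if end_to_end else message
    # Segment 1: over the air at the hot spot, onward to the VPN provider
    segment1 = xor_stream(VPN_KEY, b"vpn", payload) if use_vpn else payload
    # The provider terminates the tunnel and relays the traffic via its proxy
    segment2 = xor_stream(VPN_KEY, b"vpn", segment1) if use_vpn else segment1
    # The mail server removes the end-to-end layer, if there is one
    received = xor_stream(TLS_KEY, b"tls", segment2) if end_to_end else segment2
    return {
        "hotspot": segment1,          # what a sniffer at the hot spot sees
        "vpn_provider": segment2,     # what the provider (and its proxy) sees
        "wired_internet": segment2,   # what a sniffer on the wired leg sees
        "mail_server": received,      # what the destination finally receives
    }


def exposure(message: bytes, use_vpn: bool, end_to_end: bool) -> dict:
    """True at every point where the message is readable in the clear."""
    return {point: data == message for point, data in deliver(message, use_vpn, end_to_end).items()}


if __name__ == "__main__":
    pop3_login = b"USER alice\r\n"     # constructed sample of an unencrypted POP3 command
    for vpn, e2e in [(False, False), (True, False), (True, True)]:
        print(f"vpn={vpn} end_to_end={e2e}:", exposure(pop3_login, vpn, e2e))
```

Running the three configurations shows the progression Jeff describes: plain POP3 is readable everywhere, the VPN blanks out the hot spot but leaves the provider and the wired leg in the clear, and only the end-to-end layer leaves the mail server as the sole party that can read the login.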
- Posted by HiEv on October 3rd, 2005
Jim Watt wrote:
Right, but we are also reminded almost daily that many people tend not
to think, especially when it comes to computers. ;-)
--
The difference between intelligence and stupidity is that intelligence
has its limits.