Home office with WiFi: do I need Spotlock?

 
 
dawolfden@gmail.com
      05-27-2006, 06:29 AM
I have a small home office setup and connect to the net via a wireless
connection.

To be sure passwords (bank accounts, FTP, etc.) are safe, do I need a
utility such as JiWire's Spotlock? Or would McAfee's security or
something like it be enough?

 
CWatters
      05-27-2006, 08:10 AM

<(E-Mail Removed)> wrote:
> I have a small home office setup and connect to the net via a wireless
> connection.


What sort of wireless connection?


 
dawolfden@gmail.com
      05-27-2006, 03:43 PM
802.11b/g, I think. A Dell router and on the laptop using a Dell
Wireless 1370 WLAN Mini-PCI Card. I know this setup only has WEP
encryption.

 
CWatters
      05-27-2006, 08:03 PM

<(E-Mail Removed)> wrote:
> 802.11b/g, I think. A Dell router and on the laptop using a Dell
> Wireless 1370 WLAN Mini-PCI Card. I know this setup only has WEP
> encryption.


In theory WEP 64 can be broken. Can it do WEP 128?

Other improvements would be to:

1) Change the SSID to something other than the default.
Turn off broadcast SSID and manually enter the same SSID at both ends.

2) Turn on MAC filtering and only enter the MAC address of your computer's
WLAN card.

3) Change the password on the router to something other than the default.



 
dawolfden@gmail.com
      05-28-2006, 03:32 AM
But if I understand well, these steps still make it easy for someone to
scan in on the passwords I use when I logon to a site? Or does a https
connection already take care of that?

 
CWatters
      05-28-2006, 07:38 AM

<(E-Mail Removed)> wrote:
> But if I understand well, these steps still make it easy for someone to
> scan in on the passwords I use when I logon to a site?


If you are very concerned then either don't use wireless or yes you could
use something like Spotlock.

I wouldn't use the word easy. You do need a certain level of knowledge and
skill to set up the equipment. Nobody will accidentally crack WEP.

http://www.tomsnetworking.com/2005/0...to_crack_wep_/

The above article suggests it takes about an hour to crack 128 bit WEP and
the program needs to generate and to record a lot of traffic to do so.

> Or does a https
> connection already take care of that?


It adds another layer. But can be broken by what's called a "man in the
middle attack".

http://en.wikipedia.org/wiki/HTTPS

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

http://blogs.ittoolbox.com/wireless/...k-part-ii-7421

Again, that's not trivial to set up.


 
David Taylor
      05-28-2006, 09:02 AM
> In theory WEP 64 can be broken. Can it do WEP 128?

Theory? That's no theory, both 64 and 128 bit WEP crumble very quickly.

> 1) Change the SSID to something other than the default.
> Turn off broadcast SSID and manually enter the same SSID at both ends.


Turning off SSID introduces no security.

> 2) Turn on MAC filtering and only enter the MAC address of your computer's
> WLAN card.


MAC filtering has no real security value either.

> 3) Change the password on the router to something other than the default.


That's a start!

David.
 
Jeff Liebermann
      05-28-2006, 04:22 PM
"CWatters" <(E-Mail Removed)> hath wroth:

>I wouldn't use the word easy. You do need a certain level of knowledge and
>skill to set up the equipment. Nobody will accidentally crack WEP.
>http://www.tomsnetworking.com/2005/0...to_crack_wep_/
>The above article suggests it takes about an hour to crack 128 bit WEP and
>the program needs to generate and to record a lot of traffic to do so.


It depends on the tool (program) used. The ones that require large
capture files, take well over an hour depending on traffic. The ones
that induce traffic using deauthenticate and deassociated packets, can
do it in about 10 minutes. When the FBI gave their demo, they
accidentally did it in 3 minutes.

>> Or does a https
>> connection already take care of that?


>It adds another layer. But can be broken by what's called a "man in the
>middle attack".
>http://en.wikipedia.org/wiki/HTTPS
>http://en.wikipedia.org/wiki/Man-in-the-middle_attack
>http://blogs.ittoolbox.com/wireless/...k-part-ii-7421
>Again, that's not trivial to set up.


I've gotten into the habit of running traceroute (tracert) at coffee
shops after connecting. I do this more for curiosity than for
security. It will often show a "man in the middle" problem. I also
know the MAC address of most of the access points to which I usually
connect. Any changes are noted, again more for curiosity than
security. Only once did I catch what I thought was a spoofed SSID,
which turned out to be someone at the hotel trying to add a new
access point and doing a very bad job of it. I've never seen a
wireless "man in the middle" or spoofed AP in the wild.

One difference between cracking a WEP key and a "man in the middle"
attack is that the "man in the middle" attack requires hearing both
sides of the traffic. To crack the WEP key, one only needs to hear
the access point traffic. For "man in the middle" both sides need to
be heard. This puts a rather difficult to achieve location
requirement on the attacker. It can probably be done in a crowded
cafe, airport, or public hot spot, but not easily in a hotel or from
nearby housing.

In my never humble opinion, HTTPS is good enough for most users and
applications. If a higher level of security is required, then VPN's
and more exotic key exchange mechanisms are available. There's also
end to end encryption with a better key exchange such as IPSec VPN's.

I don't know anything about Spotlock other than what I read on their
web pile. The example of sniffing email is for real. I have a packet
(sequence number) reassembler that can reconstruct email messages
fairly well.
http://www.jiwire.com/spotlock-sniffer.htm
The example is a bit far fetched, but possible. I do know some total
idiots that would conduct a financial transaction over an unsecured
wireless connection.

Reading between the lines, it appears that Spotlock is just a VPN
client that secures traffic between the wireless client computer and
the Spotlock VPN terminating servers. That works but only secures the
traffic between them. Once the traffic leaves the Spotlock VPN
servers, and goes to its intended destination, it's all in the clear
and can be sniffed on the wired network. See the FAQ at:
| http://en.wikibooks.org/wiki/Wireles...Wi-Fi_Security
for additional VPN services. Personally, I prefer end to end VPN
encryption as (sometimes) provided by the email ISP.

The real danger with "man in the middle" and similar sniffing is
obtaining the email address and password. Most users recycle the same
password over and over for all their accounts. If the attacker gets
one, he also gets access to many other accounts. I have a friend that
leaked his over-used email password (his car license number), which
was then used to attack his eBay and PayPal accounts. Once one has
the password, there's no need to sniff the traffic to obtain
incriminating email. Just log in and read someone's email at the
attacker's leisure. Try to think of security in terms of what one is
trying to protect. I have some rather unconventional opinions as to
the value of user operated security (i.e. passwords) which I won't
bore anyone today.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
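
The habit described in the post above, recording the MAC addresses of the access points you normally use and noting any change, can be automated. This is an added example, not part of the original post: the baseline, the `SSID,BSSID,SECURITY` scan format and all sample values are constructed, and the function names are hypothetical.

```python
import re

# Constructed baseline: SSIDs this laptop normally joins, with the access-point
# MAC addresses (BSSIDs) and encryption mode previously recorded for each.
BASELINE = {
    "HomeOffice": {"bssids": {"00:11:22:33:44:55"}, "security": "WPA2"},
    "CafeWiFi": {"bssids": {"66:77:88:99:aa:bb", "66:77:88:99:aa:bc"},
                 "security": "OPEN"},
}

# Constructed scan results, one "SSID,BSSID,SECURITY" record per line (assumed
# format; adapt parse_scan to whatever your OS scan tool actually prints).
SAMPLE_SCAN = """\
HomeOffice,00:11:22:33:44:55,WPA2
HomeOffice,02:de:ad:be:ef:01,WEP
CafeWiFi,66:77:88:99:AA:BC,OPEN
Neighbour,0a:0b:0c:0d:0e:0f,WPA2
garbage line
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}  # weakest to strongest

def parse_scan(text):
    """Yield (ssid, bssid, security) for each well-formed record; skip the rest."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        ssid, bssid, sec = parts[0], parts[1].lower(), parts[2].upper()
        if MAC_RE.match(bssid) and sec in STRENGTH:
            yield ssid, bssid, sec

def check_scan(text, baseline=BASELINE):
    """Return findings for tracked SSIDs seen with a new BSSID or weaker security."""
    findings = []
    for ssid, bssid, sec in parse_scan(text):
        known = baseline.get(ssid)
        if known is None:
            continue  # not a network we track
        if bssid not in known["bssids"]:
            findings.append((ssid, bssid, "unknown BSSID for known SSID"))
        if STRENGTH[sec] < STRENGTH[known["security"]]:
            findings.append((ssid, bssid, f"security downgraded to {sec}"))
    return findings

if __name__ == "__main__":
    for finding in check_scan(SAMPLE_SCAN):
        print(*finding, sep=" | ")
```

A new BSSID is a prompt to look, not proof of a rogue access point: the one case mentioned in the post turned out to be hotel staff adding an access point.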
 
dawolfden@gmail.com
      05-30-2006, 02:57 AM
"I have some rather unconventional opinions as to
the value of user operated security (i.e. passwords) which I won't
bore anyone today. "

Would be interesting to hear though...

Thanks for all the info everybody!

 
Jeff Liebermann
      05-30-2006, 03:32 AM
(E-Mail Removed) hath wroth:

>"I have some rather unconventional opinions as to
>the value of user operated security (i.e. passwords) which I won't
>bore anyone today. "


>Would be interesting to hear though...


I ranted on the topic of password security previously. This posting
should cover most of my points.
| http://groups.google.com/group/alt.i...d79384a8789c18
If the user is expected to generate, remember, and supply a password
on demand, that password is going to be compromised, hacked, or lost.
There are better ways to deal with authorization (and authentication).

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 