Public Access WIFI Security

For those of you that don't know, Dartmouth College is the first college
to go totally wireless. I'm sure many of you have been to a coffee shop
/book store (Barns and Noble) and have seen that they offer public
access wifi hotspots. This means that you don't have to have a password
or pay anything to get connected.

Most of these places probably do not have any way of preventing
hijacking attempts. If I decided to go to my local starbucks and setup
a fake wifi, theres nothing stopping me.

But I don't even have to do that to get your passwords. All I have to
do is throw up a packet sniffer and bam I have all of your email
passwords/website passwords. POP3 is an unencrypted protocol. WIFI
access points act as hubs. Unless everything is running SSL all of your
passwords are being sent out to everyone connected to that WIFI access
point.

I'm telling you this to inform those of yall who don't already know, and
to ask a question to those of you who are in the profession and know
everything there is to know about wifi.

What is stopping me from going to Barns and Noble, firing up Ethereal,
and getting everyones passwords for email/websites? Is there a way to
disconnect a computer that shows signs of running a packet sniffer? Is
there even a way to tell that a computer is running a packet sniffer?

This is something you might expect to see at Defcon or Blackhat but
probably not in your local Starbucks. Next time you are there, think
about the security risks and don't check your email or visit a site that
requires you to have a password unless you send it via SSL (Gmail,
banking sites, etc).

I am cross-posting to get as many opinions/answers as possible.

Thank you for your time
--
Meph

teh Mephisto wrote:

> For those of you that don't know, Dartmouth College is the first college
> to go totally wireless. I'm sure many of you have been to a coffee shop
> /book store (Barns and Noble) and have seen that they offer public
> access wifi hotspots. This means that you don't have to have a password
> or pay anything to get connected.
>
> Most of these places probably do not have any way of preventing
> hijacking attempts. If I decided to go to my local starbucks and setup
> a fake wifi, theres nothing stopping me.
>
> But I don't even have to do that to get your passwords. All I have to
> do is throw up a packet sniffer and bam I have all of your email
> passwords/website passwords. POP3 is an unencrypted protocol. WIFI
> access points act as hubs. Unless everything is running SSL all of your
> passwords are being sent out to everyone connected to that WIFI access
> point.
>
> I'm telling you this to inform those of yall who don't already know, and
> to ask a question to those of you who are in the profession and know
> everything there is to know about wifi.
>
> What is stopping me from going to Barns and Noble, firing up Ethereal,
> and getting everyones passwords for email/websites? Is there a way to
> disconnect a computer that shows signs of running a packet sniffer? Is
> there even a way to tell that a computer is running a packet sniffer?
>
> This is something you might expect to see at Defcon or Blackhat but
> probably not in your local Starbucks. Next time you are there, think
> about the security risks and don't check your email or visit a site that
> requires you to have a password unless you send it via SSL (Gmail,
> banking sites, etc).
>
> I am cross-posting to get as many opinions/answers as possible.
>
> Thank you for your time

Pretty much common knowledge (at least in this news group)....

Im

Imhotep wrote:
>
>
> Pretty much common knowledge (at least in this news group)....
>
> Im
To those of you that know all about it yes, but for those casual
internet goers that sometimes frequent at least the
alt.internet.wireless news group they probably won't even think about it.

So is there anyway to combat it on the access point side or just
vigilance and knowledge by the users?

--
Meph

On Thu, 29 Sep 2005 01:06:19 GMT, teh Mephisto <(E-Mail Removed)>
wrote:

>Unless everything is running SSL all of your
>passwords are being sent out to everyone connected to that WIFI access
>point.

Most sane users do not poll for email with pop3. They use a VPN
tunnel provided by their ISP, a VPN tunnel provided by the hot spot
service company (i.e. Boingo), TLS (transport layer security), or web
mail using SSL encryption.

>... those of you who are in the profession and know
>everything there is to know about wifi.

Anyone in the profession that claims to know everything, doesn't.

>What is stopping me from going to Barns and Noble, firing up Ethereal,
>and getting everyones passwords for email/websites?

Not much. It's a well know problem. Just about any web site the
mumbles about wireless security mentions that polling for email via an
unencrypted wireless link is asking for trouble.

>Is there a way to
>disconnect a computer that shows signs of running a packet sniffer? Is
>there even a way to tell that a computer is running a packet sniffer?

Users can be blocked by MAC address or IP address at the wireless
router. There are IDS (intrusion detection systems) that look for
abuse and automagically isolate the offenders. For example:
http://snort-wireless.org

It is fairly easy to detect if a user is sniffing. I have a trick
that detects if a wireless device is in promiscuous mode (required for
sniffing), but it's marginally reliable and does not work with every
client. Search Google for "detect promiscuous mode" for how others
are doing the same thing. For example, a free and commercial
promiscuous mode scanner:
http://www.securityfriday.com/products/promiscan.html
I've used the free version to detect wireless sniffers.



--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice Skype: JeffLiebermann
# http://www.LearnByDestroying.com AE6KS
# http://802.11junk.com
# (E-Mail Removed)
# (E-Mail Removed)

teh Mephisto wrote:
> Imhotep wrote:
>>
>>
>> Pretty much common knowledge (at least in this news group)....
>>
>> Im
> To those of you that know all about it yes, but for those casual
> internet goers that sometimes frequent at least the
> alt.internet.wireless news group they probably won't even think about it.
>
> So is there anyway to combat it on the access point side or just
> vigilance and knowledge by the users?

Banking sites are secure sites. Use secure SSL webmail and not your pop3/SMTP
program.

Jeff Liebermann wrote:
> Most sane users do not poll for email with pop3. They use a VPN
> tunnel provided by their ISP, a VPN tunnel provided by the hot spot
> service company (i.e. Boingo), TLS (transport layer security), or web
> mail using SSL encryption.

I think you give people too much credit. From what I have seen, most
people see "Wireless hotspot here" and go woopee i can get my email and
surf the web. I will guarentee you that you can go into any starbucks,
ask how many people know what VPN or SSL are and probably about 1/4 of
them would be able to tell you, if that. Then they probably don't even
realize that everyone can see what they are doing on a wireless network.

--
Meph

On Thu, 29 Sep 2005 03:06:54 GMT, teh Mephisto <(E-Mail Removed)>
wrote:

>I think you give people too much credit.

Hey this is a security group, we tend to think.

>From what I have seen, most people see "Wireless hotspot here"
>and go woopee i can get my email and surf the web.

Surfing the web is fine, webmail is fine, providing its on SSL

>I will guarentee you that you can go into any starbucks,

We don't all live in the evil empire.

--
Jim Watt
http://www.gibnet.com

teh Mephisto wrote:

> For those of you that don't know, Dartmouth College is the first college
> to go totally wireless. I'm sure many of you have been to a coffee shop
> /book store (Barns and Noble) and have seen that they offer public
> access wifi hotspots. This means that you don't have to have a password
> or pay anything to get connected.
<SNIP>

Gee,
I run such a hotspot here at home (different subnet and attached to a
hardware firewall).

all my other machines are hard wired to a primary switch. the only reason
for the hotspot, in case any of my neighbors want on (I have 3 wireless).

once in a while, I start up a linux box and take a sniff at things....


oh yeah, one last thing, I use the firewall hooked to the wireless box to
limit BW to 10K/sec both ways per IP on wireless. it is amazing how well
that shuts down filesharing.

TMH

--
I will not be pushed, filed, stamped, indexed, briefed, debriefed, or
numbered!
My life is my own - No. 6

"teh Mephisto" <(E-Mail Removed)> wrote in message
news:iTI_e.11399$(E-Mail Removed) m...
> Jeff Liebermann wrote:
> > Most sane users do not poll for email with pop3. They use a VPN
> > tunnel provided by their ISP, a VPN tunnel provided by the hot spot
> > service company (i.e. Boingo), TLS (transport layer security), or web
> > mail using SSL encryption.
>
> I think you give people too much credit. From what I have seen, most
> people see "Wireless hotspot here" and go woopee i can get my email and
> surf the web. I will guarentee you that you can go into any starbucks,
> ask how many people know what VPN or SSL are and probably about 1/4 of
> them would be able to tell you, if that. Then they probably don't even
> realize that everyone can see what they are doing on a wireless network.

Um.

In what way is this different that using any other publicly shared service?

Incidentally, and in case you hadn't noticed, the Internet itself is.. um..
a shared public service. Any privacy you happen to gain from someone else's
routing table is pretty much a side-benefit.

Coming up next.. blutooth it am teh sc4ry!!!1!!!

;o)

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

Hi

could you please provide some reference material (websites or groups
messages) describing HOW to set up a secure wireless connection and
more secure ways of using public hotspots.

Thank you