Security and open wifi hotspots

A friend asked me something but as I know nothing about wifi I couldn't
answer it. I'm hoping someone here can )

If he takes his laptop into a cafe or a bar where there is an open wifi
hotspot (presumably these are called access points??) and say, for instance,
he logs on to his ISPs mail server to pick up his email through that access
point, how secure is that connection? Would the login info for his email
server be cached anywhere for the owner of the access point (or anyone else
for that matter) to see after he's left the cafe?

Sorry if these are really basic questions but as they say on "Who Wants to
be a Millionaire?" the questions are only easy if you know the answers )

Cheers,

Mogweed

"Mogweed" <(E-Mail Removed)> wrote in
news:cfq4ck$j5q$(E-Mail Removed):

> A friend asked me something but as I know nothing about wifi I
> couldn't answer it. I'm hoping someone here can )
>
> If he takes his laptop into a cafe or a bar where there is an open
> wifi hotspot (presumably these are called access points??) and say,
> for instance, he logs on to his ISPs mail server to pick up his email
> through that access point, how secure is that connection? Would the
> login info for his email server be cached anywhere for the owner of
> the access point (or anyone else for that matter) to see after he's
> left the cafe?
>
> Sorry if these are really basic questions but as they say on "Who
> Wants to be a Millionaire?" the questions are only easy if you know
> the answers )
>

It's not secure at all from what I understand. They do have ISP(s) that
provide a VPN solution for user who use wireless hot spots or cafes. The
VPN client software is installed on the user's computer allowing the
computer to make a VPN secure connection between the wireless computer
and the VPN server software on the ISP's server. A secure and encrypted
connection VPN end point to VPN end point prevents someone from
eavesdropping on the traffic on the wireless. You'll have to search
Google for those VPN ISP(s) as they are out there.

Duane

On Mon, 16 Aug 2004, Duane Arnold wrote:
> "Mogweed" <(E-Mail Removed)> wrote in
> news:cfq4ck$j5q$(E-Mail Removed):
> > A friend asked me something but as I know nothing about wifi I
> > couldn't answer it. I'm hoping someone here can )
> >
> > If he takes his laptop into a cafe or a bar where there is an open
> > wifi hotspot (presumably these are called access points??) and say,
> > for instance, he logs on to his ISPs mail server to pick up his email
> > through that access point, how secure is that connection? Would the
> > login info for his email server be cached anywhere for the owner of
> > the access point (or anyone else for that matter) to see after he's
> > left the cafe?
> >
> > Sorry if these are really basic questions but as they say on "Who
> > Wants to be a Millionaire?" the questions are only easy if you know
> > the answers )
> >
>
> It's not secure at all from what I understand. They do have ISP(s) that
> provide a VPN solution for user who use wireless hot spots or cafes. The
> VPN client software is installed on the user's computer allowing the
> computer to make a VPN secure connection between the wireless computer
> and the VPN server software on the ISP's server. A secure and encrypted
> connection VPN end point to VPN end point prevents someone from
> eavesdropping on the traffic on the wireless. You'll have to search
> Google for those VPN ISP(s) as they are out there.

Unless he's using an SSL or TLS connection to his home ISP, he probably
shouldn't even try to connect.

For other things like general web browsing that ANYONE has access to, it's
probably not a problem - no "state secrets" there.

If the ISP is a standard cable/ADSL provider, then connecting to the POP
mail server is typically *not* encrypted. Login to the ISP's web service,
which may use the same userid/password, often is secured. My SBC ADSL
service appears to always encrypt the userid/password during web login, and
offers a secure login button on the splash page which causes the entire
transaction to be encrypted. However, whenever I read email from the pop
server, the same userid/password are sent in the clear to the POP server.

I try to use web email from hotspots, since the web login that permits this
is encrypted. Also, I try to remember to log off the ISP before
disconnecting at the hotspot. Not logging off may permit an eavesdropper to
spoof your identity after you've left by using your MAC address.

And, of course, unless you are using a VPN or an https web page, you should
always assume that everything is completely readable to anyone who wants to
eavesdrop.

"Mogweed" <(E-Mail Removed)> wrote in message
news:cfq4ck$j5q$(E-Mail Removed)...
> A friend asked me something but as I know nothing about wifi I couldn't
> answer it. I'm hoping someone here can )
>
> If he takes his laptop into a cafe or a bar where there is an open wifi
> hotspot (presumably these are called access points??) and say, for
instance,
> he logs on to his ISPs mail server to pick up his email through that
access
> point, how secure is that connection? Would the login info for his email
> server be cached anywhere for the owner of the access point (or anyone
else
> for that matter) to see after he's left the cafe?
>
> Sorry if these are really basic questions but as they say on "Who Wants to
> be a Millionaire?" the questions are only easy if you know the answers
)
>
> Cheers,
>
> Mogweed
>
>

"Mogweed" <(E-Mail Removed)> wrote in message
news:cfq4ck$j5q$(E-Mail Removed)...
> A friend asked me something but as I know nothing about wifi I couldn't
> answer it. I'm hoping someone here can )
>
> If he takes his laptop into a cafe or a bar where there is an open wifi
> hotspot (presumably these are called access points??) and say, for
instance,
> he logs on to his ISPs mail server to pick up his email through that
access
> point, how secure is that connection? Would the login info for his email
> server be cached anywhere for the owner of the access point (or anyone
else
> for that matter) to see after he's left the cafe?

The radio connection from his laptop to the Access Point is insecure; anyone
can eavesdrop. The wire connection from the Access Point to the cloud is
also insecure: anyone with minimal skill can eavesdrop there, too. The
connection from the cloud to the originating computer the email was sent
from ...

If your friend has any secrets to keep and wants to send them via email,
tell him to go to http://www.thawte.com/email/index.html and get a (free)
email certificate so his friends can encrypt email they send him. His
friends, of course, will need to do the same, and then he can send them
encrypted replies.

Once that system is in place, the end points will be the only insecure
nodes: everything between them will be secure. Securing the originating and
terminating computers is left as an excercise for the reader.

HTH.

William
(Filter noise from my address for direct replies.)

"Mogweed" <(E-Mail Removed)> wrote in message
news:cfq4ck$j5q$(E-Mail Removed)...
> A friend asked me something but as I know nothing about wifi I couldn't
> answer it. I'm hoping someone here can )
>
> If he takes his laptop into a cafe or a bar where there is an open wifi
> hotspot (presumably these are called access points??) and say, for
instance,
> he logs on to his ISPs mail server to pick up his email through that
access
> point, how secure is that connection?

ZIP, NADA, ZERO, ZILCH, IT ISN'T

>Would the login info for his email
> server be cached anywhere for the owner of the access point (or anyone
else
> for that matter) to see after he's left the cafe?
>
> Sorry if these are really basic questions but as they say on "Who Wants to
> be a Millionaire?" the questions are only easy if you know the answers
)
>
> Cheers,
>
> Mogweed
>
>

"D. Stussy" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) rg...
> On Mon, 16 Aug 2004, Duane Arnold wrote:
> > "Mogweed" <(E-Mail Removed)> wrote in
> > news:cfq4ck$j5q$(E-Mail Removed):
> > > A friend asked me something but as I know nothing about wifi I
> > > couldn't answer it. I'm hoping someone here can )
> > >
> > > If he takes his laptop into a cafe or a bar where there is an open
> > > wifi hotspot (presumably these are called access points??) and say,
> > > for instance, he logs on to his ISPs mail server to pick up his email
> > > through that access point, how secure is that connection? Would the
> > > login info for his email server be cached anywhere for the owner of
> > > the access point (or anyone else for that matter) to see after he's
> > > left the cafe?
> > >
> > > Sorry if these are really basic questions but as they say on "Who
> > > Wants to be a Millionaire?" the questions are only easy if you know
> > > the answers )
> > >
> >
> > It's not secure at all from what I understand. They do have ISP(s) that
> > provide a VPN solution for user who use wireless hot spots or cafes. The
> > VPN client software is installed on the user's computer allowing the
> > computer to make a VPN secure connection between the wireless computer
> > and the VPN server software on the ISP's server. A secure and encrypted
> > connection VPN end point to VPN end point prevents someone from
> > eavesdropping on the traffic on the wireless. You'll have to search
> > Google for those VPN ISP(s) as they are out there.
>
> Unless he's using an SSL or TLS connection to his home ISP, he probably
> shouldn't even try to connect.
>
> For other things like general web browsing that ANYONE has access to, it's
> probably not a problem - no "state secrets" there.

Thanks to both Duane Arnold and to D. Stussy. Cheers guys, I'll pass the
messages on to my mate.

Mogweed.

On Mon, 16 Aug 2004 11:04:52 +0000 (UTC), "Mogweed"
<(E-Mail Removed)> wrote:

>If he takes his laptop into a cafe or a bar where there is an open wifi
>hotspot (presumably these are called access points??) and say, for instance,
>he logs on to his ISPs mail server to pick up his email through that access
>point, how secure is that connection?

Totally insecure. Anyone can "sniff" the traffic. There are
applications to re-assemble email messages (both POP3 and SMTP) from
sniffed packets. Worse, his POP3 and SMTP authentication logins and
passwords are normally sent unencrypted and can be easily extracted
from the sniffed packets. Very few hot spots use any form of RF
security (WEP, WPA, VPN) and are therefore completely insecure.

Methinks that the best way to check your mail is through a secure web
server using SSL, or through a VPN provided by the ISP. These cannot
be sniffed. However, most users screw up badly by setting their email
clients to "check mail on startup" or "check mail every xx minutes"
which are usually the default. Same with cute little system tray
applications or IM clients that inform you that there is mail waiting.
These send the POP3 login and password when the computer boots, and
BEFORE a secure tunnel can be established. The only thing worth
sniffing from these is the login and password, but that's all I'm
usually interested in collecting. Anyway, I suggest you turn OFF
automatic mail checking on laptops.

One of the fun things to do is fire up a sniffer in areas where there
are a suitable number of wireless users and run a JPG sniffer:
http://ntkernelhacker.tripod.com/wireless/Pikachu.html
http://www.etherpeg.org
You get to see what everyone else is browsing. Amazing how much porno
comes across the wireless (usually from spyware) in the least expected
places. It also captures email, but that's usually boring.

List of WinPcap based wireless sniffer tools:
http://winpcap.polito.it/misc/links.htm
Most are legitimate, but there are some interesting tools mixed in.

>Would the login info for his email
>server be cached anywhere for the owner of the access point (or anyone else
>for that matter) to see after he's left the cafe?

No. It would be cached on my laptop, that I left running with a
wireless sniffer, in my parked car, near the hot spot. Capturing
passwords is not a desireable feature and besides most hot spots are
rather unsophisticated.

>Sorry if these are really basic questions but as they say on "Who Wants to
>be a Millionaire?" the questions are only easy if you know the answers )

Intelligence is largely the ability to ask the right questions.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558

> Methinks that the best way to check your mail is through a secure web
> server using SSL, or through a VPN provided by the ISP. These cannot

What's wrong with IMAP/SSL (which has been either the recommended or the
only way to read mail at my work for the last several years).

> be sniffed. However, most users screw up badly by setting their email
> clients to "check mail on startup" or "check mail every xx minutes"
> which are usually the default. Same with cute little system tray

I don't see in what way such settings affect security.


Stefan

On Mon, 16 Aug 2004 15:50:52 GMT, "William Warren"
<(E-Mail Removed)> wrote:

>If your friend has any secrets to keep and wants to send them via email,
>tell him to go to http://www.thawte.com/email/index.html and get a (free)
>email certificate so his friends can encrypt email they send him. His
>friends, of course, will need to do the same, and then he can send them
>encrypted replies.

One small problem... no self respecting hacker is interested in the
contents of your email one message at a time. It's the login and
password that is important and encrypting the payload does nothing for
protecting the login and password. It's a variation on identity theft
and here's how it works. I sniff your login and password. I would
immediately login to your ISP's account admin page and change your
password. You're now locked out of your own account. I would then
snoop around and extract some personal info (name, phone number,
address, zip code, address book, bank numbers, SSI, etc). I would
then go to various accounts (ebay, paypal, banks) and select "forgot
my password" which will email back the current or a new password.
They will ask some kind of mundane authentication question that can
usually be extracted from the personal info (i.e. acct number, zip
code). If successful, I would login to PayPal or your bank and start
spending wildly using your account. When done, I would erase the new
email messages, and reset the password back to the original. You
would not know what hit you until the bill arrives.

Never mind the payload, protect the passwords.

Note: I've never actually done this, but I've dealt with situations
where it has happened.

>Once that system is in place, the end points will be the only insecure
>nodes: everything between them will be secure. Securing the originating and
>terminating computers is left as an excercise for the reader.

Umm... Sniffing the ethernet connection, or even the tapping the DSL
line is possible, but not very sporting.

Having your own SSL certificate is kinda nice, but for my business
communications and HIPAA, I use various PGP mutations.
http://web.mit.edu/network/pgp.html
http://www.pgp.net
http://www.gnupg.org
http://www.pgp.com/products/
Actually, I've been getting lazy lately and using ROT-13 and UUCP over
TCP to my own servers, which most sniffing hackers don't have a clue
how it works. Security by obscurity is not at all secure, but I
figure it's better than nothing.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558