Wifi security in Hotels?

I was looking around researching wifi security and saw that somebody can
read somebody else's cookies when they hook up to his LAN via a wireless
access point. He says he can view passwords to all sorts of accounts
and routinely goes into people's accounts but "doesn't do anything bad."

Anyway, what prevents somebody at a hotel from doing the same thing?
Could any jackass on a hotel network set up a sniffer and get pretty
much everyone info?

Justin wrote:

> Could any jackass on a hotel network set up a sniffer and get pretty
> much everyone info?

A couple of Premier Inns that I've stayed in have outsourced their wireless
to Swisscom. Both of them were unencrypted, so yes, anyone could sniff the
traffic if they were in the right place.

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
17:06:52 up 59 days, 1:51, 1 user, load average: 0.10, 0.17, 0.11
A few flakes working together can unleash an avalanche of destruction

John Navas wrote:
> On Fri, 03 Jul 2009 18:01:59 -0400, Justin
> <(E-Mail Removed)> wrote in
> <h2lvbg$u63$(E-Mail Removed)>:
>
>> I was looking around researching wifi security and saw that somebody can
>> read somebody else's cookies when they hook up to his LAN via a wireless
>> access point. He says he can view passwords to all sorts of accounts
>> and routinely goes into people's accounts but "doesn't do anything bad."
>>
>> Anyway, what prevents somebody at a hotel from doing the same thing?
>> Could any jackass on a hotel network set up a sniffer and get pretty
>> much everyone info?
>
> WIRELESS TRAFFIC SNIFFING:
>
> When there is no wireless encryption, all traffic can be sniffed by
> anyone. Even with WPA, traffic can be sniffed if the same PSK is used
> for everyone. And WEP is hopelessly insecure.
>
> What hotspots should be doing is using Enterprise (not PSK) WPA/WPA2
> with unique credentials handed out by a RADIUS server, but few do that.
>
> To protect your wireless traffic, use VPN. Some VPN service providers:
> <http://wireless.navas.us/wiki/Wi-Fi#VPN_Service_Providers>
>
> WIRELESS NETWORK SECURITY
>
> If there is no wireless-to-wireless isolation, all too often the case,
> anyone on the wireless can network to anyone else on the wireless, and
> potentially compromise any computer that isn't properly protected.
>
> You can protect yourself is to use a good software/personal firewall,
> properly configured, and to close or protect (with strong passwords) all
> network sharing. (I use wireless management software that allows me to
> disable all network sharing when on an insecure network.)
>


I understand network shares and securing that.
But what about wireless and paying my bills online? Can somebody see
all that information even if the page is encrypted?

Jeff Liebermann wrote:
> On Sat, 04 Jul 2009 20:37:44 -0400, Justin
> <(E-Mail Removed)> wrote:
>
>> I understand network shares and securing that.
>> But what about wireless and paying my bills online? Can somebody see
>> all that information even if the page is encrypted?
>
> Most financial and banking web sites offer SSL (secure socket layer)
> encryption between your browser and the bank. The degree of
> encryption varies among banks. Some encrypt the entire session.
> Others only encrypt logins and specific sessions.
>
> Despite SSL and authentication, there are still problems:
> <http://www.ns.umich.edu/htdocs/releases/story.php?id=6652>
> These problems are not unique to wireless and can also ocurr with a
> wired internet connection. All I can offer is the usual "be careful"
> warning.
>
> The one that worries me is where banks place a secure login box in the
> middle of an unencrypted web page. That's an open invitation to a
> man-in-the-middle exploit. Wells Fargo, my bank, is a prime culprit.
>
> A real danger in wireless online banking using Wi-Fi is a spoofed or
> faked web site designed to trick you into logging in with your login
> and password. Banks use various measures to avoid fraudulent web
> sites, but all rely on the user recognizing the difference between the
> real site and the fake. That's not really reliable.
>
> If you're paranoid, discuss using x.509 certificates and a one time
> password generator (S/key) dongle with your bank. They may not do
> anything, but they might recognize that there's a problem and
> therefore a demand for such devices. For example:
> <http://www.aladdin.com/etoken/devices/pass.aspx>
> <http://www.rsa.com/node.aspx?id=1158>
> Most banks already use these for their employees and inside
> transactions.
>
> Despite SSL and authentication, there are still problems:
> <http://www.ns.umich.edu/htdocs/releases/story.php?id=6652>
> These problems are not unique to wireless and can also ocurr with a
> wired internet connection. All I can offer is the usual "be careful"
> warning.
>
> You could also use a VPN service, which would encrypt everything
> between your laptop and the proxy server. Sniffing would be
> impossible.
> <http://wireless.navas.us/wiki/Wi-Fi#VPN_Service_Providers>
>


OK, I think I understand.
I use Citizens Bank
https://www.citizensbankonline.com/

does that look OK to you?

Jeff Liebermann wrote:
> On Sun, 05 Jul 2009 00:14:18 -0400, Justin
> <(E-Mail Removed)> wrote:
>
>> OK, I think I understand.
>> I use Citizens Bank
>> https://www.citizensbankonline.com/
>> does that look OK to you?
>
> Yep. SSL on all pages. Certificate issued and verified by VeriSign.
> Yeah, looks good enough. I can't tell if there are additional
> anti-spoofing features because I can't login.
>
> Be advised that it is still possible to perform a man in the middle
> attack with SSL.
> <http://www.sans.org/reading_room/whitepapers/threats/ssl_maninthemiddle_attacks_480>
> Note that IE 6.0 and before have a problem handling SSL properly. I
> consider this exploit unlikely, but still possible.
>


I think I understand. If I'm on a unverified network, or one I know can
possibly be compromised (college?) do my banking from the computer lab...

In message <h2osru$lvl$(E-Mail Removed)> Justin
<(E-Mail Removed)> was claimed to have wrote:

>But what about wireless and paying my bills online? Can somebody see
>all that information even if the page is encrypted?

If the session is encrypted with a modern version of SSL (HTTPS) and you
don't do anything silly like ignore a certificate warning and accept an
invalid certificate, then you're safe using SSL.

Assume that anything that doesn't use SSL is completely publicly
accessible (and not just in hotels, this goes for any wifi connection
regardless of encryption)

I know odd question but has anyone seen or run across an wifi (g)
thermometer that can be accessed via a LAN or for that mater an IP
thermometer? Plenty of wireless ones via Google but have a need to place
one outside and have it readable from the LAN if possible.

Thanks for hints or suggestions

fundamentalism, fundamentally wrong.

Rico wrote:

> I know odd question but has anyone seen or run across an wifi (g)
> thermometer that can be accessed via a LAN or for that mater an IP
> thermometer? Plenty of wireless ones via Google but have a need to place
> one outside and have it readable from the LAN if possible.

It's not Wifi and I'm sure there are more polished products out there, but
if you enjoy building stuff look at these:

http://www.microelemente.ro/produse-si-servicii/

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
14:35:22 up 61 days, 23:58, 2 users, load average: 0.21, 0.09, 0.06
A few flakes working together can unleash an avalanche of destruction

In article <(E-Mail Removed)>, John Navas <(E-Mail Removed)> wrote:
>On Tue, 07 Jul 2009 13:28:18 GMT, (E-Mail Removed) (Rico) wrote in
><(E-Mail Removed)>:
>
>>I know odd question but has anyone seen or run across an wifi (g)
>>thermometer that can be accessed via a LAN or for that mater an IP
>>thermometer? Plenty of wireless ones via Google but have a need to place
>>one outside and have it readable from the LAN if possible.
>
><http://www.ambientweather.com/wiwest3.html>
><http://wifiweatherstations.com/wifi-weather-stations-buying-faq/>
>

Thank you, John

fundamentalism, fundamentally wrong.

In article <(E-Mail Removed)>, Jeff Liebermann <(E-Mail Removed)> wrote:
>On Tue, 07 Jul 2009 09:20:47 -0700, Jeff Liebermann <(E-Mail Removed)>
>wrote:
>
>>On Tue, 07 Jul 2009 13:28:18 GMT, (E-Mail Removed) (Rico) wrote:
>>
>>>I know odd question but has anyone seen or run across an wifi (g)
>>>thermometer that can be accessed via a LAN or for that mater an IP
>>>thermometer? Plenty of wireless ones via Google but have a need to place
>>>one outside and have it readable from the LAN if possible.
>>
>>Expensive:
>><http://www.omega.com/toc_asp/subsectionsc.asp?book=DAS&subsection=K01>
>>
>>Only one temperature? If so, then it's much easier to communicate the
>>temperature using one of the cheap consumer 49MHz wireless sensors to
>
>Argh. I meant 433.925MHz.

Thanks for the suggestion

>
>>a base unit that has ethernet, than to do all the processing outdoors,
>>and communicate the results via wireless. For example, the typical
>>wireless thermometer runs on two AA batteries and runs for 2 years. A
>>Wi-Fi link will require far more power to operate. Search for
>>wireless weather stations with ethernet:
>>
>>If you really want to get crude, just get a decent hand held optical
>>IR thermometer
>><http://www.ambientweather.com/inth.html>
>>and point it outside to a fixed object to get its temperature. Then
>>read the display or connect it to something that does ethernet. Some
>>such IR thermometers have a serial output for a data logger.
>
>Ooops, that won't work. The IR thermometer give the surface
>temperature of some object. You probably want the air temperature.

Yeah, looking for the outside air temp.

Thanks though

fundamentalism, fundamentally wrong.