Unsecured WiFi

Skawn · 24 Jul 2006 at 14:05

Here's an interesting question someone asked me the other day - my networking knowledge isn't sufficient to answer...

A friend was in the park with his WiFi enabled laptop and notices he can get a connection so is happily browsing away. He's just about to log into his online banking when he thinks a very valid point - who else may be able to see his user details?

I'm not sure how much control a network administrator may have in terms of the ability to check whats going on - I guess it would be trival for someone with the right logging software running to see what sites my friend had visited, how long he was there etc. Would it also have been possible to have e.g. put a key logger onto his PC?

Just wondering if the next evolution of 'phishing' emails is going to be people deliberately leaving unsecured WiFi open to obtain peoples details?

Phemo · 24 Jul 2006 at 14:20

Installing a key logger onto his PC isn't possible without his interaction. However, since the traffic is unsecured, anyone could be sitting around with a laptop or whatever sniffing the traffic. Anything between the client computer and the AP is unsecured, so any traffic passed would technically be visible for anyone to see.

In short, browsing on an unsecured network is ok, but don't risk using anything that requires a logon because it's possible for anyone to sniff that traffic. Whether they are or not is another matter, but it is possible.

Skawn · 24 Jul 2006 at 14:25

I'd have thought the login details would be encryped before they leave the client PC no?

Imy · 24 Jul 2006 at 14:30

No even SSL becomes useless if there's the possibility of someone being able to sniff the local network.

Phemo · 24 Jul 2006 at 14:30

Skawn said:
I'd have thought the login details would be encryped before they leave the client PC no?

Well yes, obviously only if it's a HTTPS site though. Online banking would be ok as it'll be SSL secured but other things like (some) web-based email services, forums, etc. I wouldn't risk.

mike1210 · 24 Jul 2006 at 14:31

online banking goes out on port 443 (at least it should do) so the info is encrypted however it could pass through another party.....it would been encrypted. Other things like msn messenger and the like would be in plain text

bitslice · 24 Jul 2006 at 15:30

Phemo said:
Installing a key logger onto his PC isn't possible without his interaction.

yes it is,
given that a number of laptops I see that have blank admin passwords, it's no problem to copy the required files across.

there are a number of ways to then activate the payload.

Phemo · 24 Jul 2006 at 15:32

bitslice said:
yes it is,
given that a number of laptops I see that have blank admin passwords, it's no problem to copy the required files across.

there are a number of ways to then activate the payload.

Fair point, but that's relying on user stupidity rather than because of being connected to someone's unsecured network. I realise the two sort of go together in a way, but it's still relying on stupidity.

bitslice · 24 Jul 2006 at 15:37

Skawn said:
I guess it would be trival for someone with the right logging software running to see what sites my friend had visited, how long he was there etc.

yes, many admins would log this traffic for the sake of it (but probably wouldn't look at it)
By comparing his log against the banks access log would reveal who the person was.

Skawn said:
Just wondering if the next evolution of 'phishing' emails is going to be people deliberately leaving unsecured WiFi open to obtain peoples details?

'tis already possible, (I forget the name of the program that does this.)

.

Phemo · 24 Jul 2006 at 15:40

bitslice said:
'tis already possible, (I forget the name of the program that does this.)

Yeah there are tools that will allow a fake hotspot (eg. T-Mobile) to be created. Pretty clever and reasonably easy to get sucked in. Especially as for a T-Mobile hotspot you have to pay for a login - people can just hijack logins if they set one up in the right place.

bitslice · 24 Jul 2006 at 15:42

Phemo said:
Fair point, but that's relying on user stupidity rather than because of being connected to someone's unsecured network.

Agreed, 'tis not likely to happen in real life.

An even more obscure way is to let the wi-fi user use your DNS.
then check the web site he is currently browsing
replace your DNS entry for that website with one of your own
user then is redirected to a web page with an exploit installed.
.

Eddietop · 24 Jul 2006 at 15:45

His banking details will be encrypted with SSL, but it would be trivial for someone to do a man in middle attack with a fake SSL certificate then sniff up the details. If he wanted to cover him self best way is to log into his home pc via vpn and browse that way, or if he has a linux box SSH tunnels.