WiFi Security

The cert would be signed by B0fA.com, true. The user types BofA.com, true. The MITM can't present a signed cert for BofA.com, true.



The thing is, if I've got evil software on the WiFi hotspot, I recognize you want to go to BofA.com and before the TLS handshake, I redirect the browser to B0fA.com. These redirections happen all the time in legit situations, so that isn't considered nefarious. So yes, the user first typed BofA, but they end up with a secure connection to B0fA and there's no alert presented because B0fA has a signed cert. If the user sees a legit looking login page and doesn't notice the difference in the domain name, they're pwnd.


There's probably a better or more technical description of this attack out there on the internet somewhere, but I'm sure it's a standard attack vector.
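The post above turns on the user not noticing that the host they landed on is not the host they typed. The check below is an added example, not code from this thread: after following any redirect, it compares the intended hostname with the final one and folds the usual digit-for-letter confusables so that "B0fA.com" is reported as a look-alike of "BofA.com" rather than as an unrelated site. The confusable list is a constructed assumption, not a standard table.

```python
from urllib.parse import urlsplit

# Constructed map of visually confusable ASCII sequences (an assumption, not a
# standard table); multi-character entries come first so "rn" is folded before
# the single characters are.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname of a URL; a bare hostname is accepted too."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def skeleton(hostname: str) -> str:
    """Fold confusable characters so look-alike hostnames collapse to one form."""
    folded = hostname.lower()
    for src, dst in CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


def classify(intended: str, landed: str) -> str:
    """Compare the host the user typed with the host the session ended on.

    'same'      : identical hostname, the redirect stayed on the site
    'lookalike' : differs only by confusable characters (B0fA.com vs BofA.com)
    'different' : an unrelated hostname, e.g. a redirect to another site
    """
    a, b = hostname_of(intended), hostname_of(landed)
    if a == b:
        return "same"
    if skeleton(a) == skeleton(b):
        return "lookalike"
    return "different"


if __name__ == "__main__":
    # Constructed examples; no claim is made that these hostnames exist.
    print(classify("https://BofA.com", "https://B0fA.com/login"))  # lookalike
    print(classify("bofa.com", "https://bofa.com/login"))           # same
```

A browser extension or proxy log review can apply the same comparison to every redirect chain; a "lookalike" verdict is the case where a valid certificate alone gives no warning.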

Perhaps if you explain what information is in a certificate, how it is signed, and how it is validated you'd realize your attack won't work. TLS was designed under the assumption that the MITM had complete control over the dialog and your attack is among the ones covered.
 
Perhaps if you explain what information is in a certificate, how it is signed, and how it is validated you'd realize your attack won't work. TLS was designed under the assumption that the MITM had complete control over the dialog and your attack is among the ones covered.
I agree with what you say, but only IF the user realizes that the domain hasn't changed from what they typed (which I contend, it can).



Let's say that (1) the evil site "B0fA.com" got a CA to sign the cert for that domain. Let's say the user typed "B0fA.com" (which is the evil site, which of course they wouldn't, but if they did), (2) they would establish a TLS session without any alerts?

I contend that both 1 and 2 above are easy to set up. If you think 1 or 2 is "impossible", then ok, that's where we differ.

If you think that 1 and 2 are possible, then the only other bit is to accept that the user can type "https://BofA.com" (the legit site), and that request gets intercepted before the TLS handshake and the browser ends up on any site the evil hotspot wants. Maybe you think that is impossible. If so, you might consider researching "dns spoofing".

I just did a quick search and found this discussion of some person who's trying to push traffic to a phishing site.

If using https alone was sufficient, there wouldn't be so many "evil twin" hot spots and there wouldn't be people compelled to use VPNs when they use hotspots. But if you think you're safe from tampering on hotspots simply by making sure you have an https connection, that's up to you. You probably are not on an evil hotspot anyway, and you'll probably be fine.
 
FWIW. I bumped into our IT guy here at w%#k and asked him about wifi security. He said he personally would never enter one of his financial passwords on any wifi other than his home wifi. Told me he could sit in Starbucks and watch your every keystroke on his cell phone if he wanted to. Truth? Who knows.
 
On-device encryption has been described as like two winos sitting opposite each other in the park and using a security guard to pass the bottle from one bench to the other. I'm still waiting for a confirmed report of anyone actually having their bank details stolen by someone who was sitting in Starbucks watching the WiFi while the security cameras filmed them from all angles. Meanwhile, working credit card numbers, with expiry date and CVC code, go for a couple of bucks per hundred on the dark web (stolen from badly secured web sites), and phishing e-mails get more and more sophisticated every day. (I don't check under my car for IEDs before I drive it in the morning, either.)
 
"I'm still waiting for a confirmed report of anyone actually having their bank details stolen by someone who was sitting in Starbucks watching the WiFi"

Good point. I'm new to "wifi" and just a little skeptical.
 
I can VPN to my home router from my phone or laptop when traveling. No external VPN company, and it should be as secure as my home network.
 
I can VPN to my home router from my phone or laptop when traveling. No external VPN company, and it should be as secure as my home network.
I was considering doing that at one point, but was shy from an earlier experience where I had my router configured with an obscure port open and somebody found it and started pounding on it. Although they didn't succeed, I was put off by it. What solution do you employ for that? I might want to revisit the idea.
 
FWIW. I bumped into our IT guy here at w%#k and asked him about wifi security. He said he personally would never enter one of his financial passwords on any wifi other than his home wifi. Told me he could sit in Starbucks and watch your every keystroke on his cell phone if he wanted to. Truth? Who knows.
Just be sure you have an HTTPS connection before entering your password on a public wifi and you should be good to go. As someone already pointed out, unless someone is shoulder surfing, you should be okay. BTW, many people think that HTTPS means a "website or system" is secure, but that's not true. However, it is "reasonable" to say that your transmission of info between your client (PC) and their server over a network is secure. Nothing is 100% in network security but HTTPS is pretty good for securing the communications over a network.
 
"https is pretty good" is an appropriate level of trust for a "lock" wifi hotspot (one where you need to get the password from one of the wait staff). Open WiFi is a bit more problematical; https still protects you, but there are more attacks available. A simple and common one is with sites like this one, where not everything is over https. For instance, if you logged on here using https on an open WiFi, another person at the coffee shop could easily make a post under your ID without having access to the hotspot. Facebook was subject to this attack until "FireSheep" forced https all the time (no dropping back to http after authentication).
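The post above describes a session cookie issued over https being reused by someone on the same open WiFi once the site drops back to http. The check below is an added example, not code from this thread or from any site: it reads a response's Set-Cookie and Strict-Transport-Security headers and reports the two things that make that reuse possible, a session cookie without the Secure flag and no HSTS header keeping the browser on https. The sample headers are constructed.

```python
from __future__ import annotations


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into a dict with lower-cased attribute keys."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip() if val else True
    return cookie


def cookie_findings(headers: list[tuple[str, str]]) -> list[str]:
    """Return one finding per weakness in a response's (name, value) header list."""
    findings = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    if not has_hsts:
        findings.append("no Strict-Transport-Security: a later http link drops the session to plaintext")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if "secure" not in cookie:
            findings.append(f"cookie {cookie['name']} lacks Secure: the browser also sends it over http")
        if "httponly" not in cookie:
            findings.append(f"cookie {cookie['name']} lacks HttpOnly: page scripts can read it")
    return findings


# Constructed sample headers: a site that serves login over https but does not
# pin later requests to https, and the corrected version of the same response.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
FIXED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in cookie_findings(WEAK_HEADERS):
        print("weak:", finding)
    print("fixed:", cookie_findings(FIXED_HEADERS))  # []
```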
 
I have never done anything financial on my phone other than look at my credit card or bank statement and even then I always do it under my secure wifi connection. That said, I'm wanting to buy an iPad mainly so I can sit in my backyard and do the things I normally do on my desktop. Do you feel secure accessing your VG, Fido, TDA etc. accounts on your own secure wifi? What about on other wifi (restaurant, airport etc.)? I've always been leery of wifi in general. But then again it is 2019.

Coz

1) Make sure your home wi-fi isn't non-secure. Also don't use WEP, it can be broken easily. (WEP is a security protocol used on older 802.11a & 802.11b setups).

2) If in public wi-fi, if you don't want your destinations known to snoopers, use a VPN. Why? With https, the data portion of the IP (Internet Protocol) packet is encrypted, but the source IP and destination IP addresses are not (nor are the flag data). They can't be because each node in the network uses the target IP to determine which network hop to send the packet to in order to move it towards the destination system. With a VPN, your destination IP is the VPN server, which then acts as a proxy and establishes a connection to the actual destination.


To the people asking about connecting to your own VPN at home, it is pretty simple. You need to be running a server (i.e. a computer) which acts as a VPN server, and your away-from-home laptop would use a VPN client that utilizes that server. It does require that the VPN server be reachable from outside your home, which requires it be within the router or reachable via port forwarding or (don't do this) DMZ.

Little known fact: SSL/TLS (i.e. HTTPS) uses two types of encryption. Public key/private key is used to establish the session, i.e. the client uses the server's public key to encrypt a shared secret (symmetric key) that it generates, which is sent to the server. The server uses its private key to decrypt the shared secret. After that is done, the client (browser) and server can communicate using symmetric key encryption, which is faster than public key/private key and has the advantage that each client/server connection is using its own shared secret.
 
1) Make sure your home wi-fi isn't non-secure. Also don't use WEP, it can be broken easily. (WEP is a security protocol used on older 802.11a & 802.11b setups).

2) If in public wi-fi, if you don't want your destinations known to snoopers, use a VPN. Why? With https, the data portion of the IP (Internet Protocol) packet is encrypted, but the source IP and destination IP addresses are not (nor are the flag data). They can't be because each node in the network uses the target IP to determine which network hop to send the packet to in order to move it towards the destination system. With a VPN, your destination IP is the VPN server, which then acts as a proxy and establishes a connection to the actual destination.


To the people asking about connecting to your own VPN at home, it is pretty simple. You need to be running a server (i.e. a computer) which acts as a VPN server, and your away-from-home laptop would use a VPN client that utilizes that server. It does require that the VPN server be reachable from outside your home, which requires it be within the router or reachable via port forwarding or (don't do this) DMZ.

Little known fact: SSL/TLS (i.e. HTTPS) uses two types of encryption. Public key/private key is used to establish the session, i.e. the client uses the server's public key to encrypt a shared secret (symmetric key) that it generates, which is sent to the server. The server uses its private key to decrypt the shared secret. After that is done, the client (browser) and server can communicate using symmetric key encryption, which is faster than public key/private key and has the advantage that each client/server connection is using its own shared secret.

Thanks for taking the time to explain that. Good info I'll go back over this weekend.
 
Good info CR1997.

The specifics of the VPN software and the hardware are kind of what I was curious about. I have an edge router, but would need a "cook book" style set of instructions since I don't have the skills nor patience to learn it all.
 
I use TightVNC on the local network to occasionally attach to an older computer. I've never considered punching a hole in the router to allow external connections. Quite a while back I experimented with that with a trusted friend. I know he uses similar software on a regular basis, as his job requires it.
 
Good info CR1997.

The specifics of the VPN software and the hardware are kind of what I was curious about. I have an edge router, but would need a "cook book" style set of instructions since I don't have the skills nor patience to learn it all.

Disclaimer: I am not running a VPN server at home.

1. Router: A router running DD-WRT can be configured as a VPN server. This requires that the router support PPTP (point to point tunneling protocol). Here is a how to guide on setting one up as a VPN server: https://www.howtogeek.com/51772/how-to-setup-a-vpn-server-using-a-dd-wrt-router/

Some routers that support DD-WRT: https://www.technadu.com/best-dd-wrt-routers/8914/. You will need to investigate that these support PPTP and that they have sufficient capacity to act as a VPN client or server.

2. Run it on your computer at home. For example, on a Windows 10 system: https://pureinfotech.com/setup-vpn-server-windows-10/. This wou

3. Instead of #2, which would require that the system used be up and running when you are away from home, I would rather dedicate a system or device for this purpose. If you want to play, you could even run it on a Raspberry Pi: PiVPN: Simplest setup of OpenVPN. Alternatively, use an older system running Linux or even Windows (just make sure it is set to run and not suspend etc.).

For #2 and #3, I would want to make sure the system is not wirelessly connected, i.e. use an Ethernet connection to your router.
 
"https is pretty good" is an appropriate level of trust for a "lock" wifi hotspot (one where you need to get the password from one of the wait staff). Open WiFi is a bit more problematical; https still protects you, but there are more attacks available. A simple and common one is with sites like this one, where not everything is over https. For instance, if you logged on here using https on an open WiFi, another person at the coffee shop could easily make a post under your ID without having access to the hotspot. Facebook was subject to this attack until "FireSheep" forced https all the time (no dropping back to http after authentication).

From now on that will be my excuse, if you see a stupid post by "me" , you can assume someone used my cookie token to fake being me ;) :D
 
I worked in cybersecurity before I retired.

At home, yes. BUT have a looong password for your personal router (mine is 19 characters) plus a long password/passphrase for all financial accounts and social website accounts. Also ensure your router is set up for the most stringent encryption algorithm (pretty much all passwords under 14 characters have been hacked for years and some cyber experts are now recommending at least 16 characters for a password/passphrase).

On public WIFI - no. Although some say it's okay if you have a VPN, check to see where that software originated. Many of the VPN SW apps originated in China. So for me, I NEVER log onto any public WiFi for any financial website (and kiddie hackers seem to abound in airports while waiting for their next flight).
 
I was told apple products are more secure.

I recommend reading a few articles on password construction and changing passwords now on sensitive accounts, especially email and financial accounts.

No password exactly the same

And having a password revision schedule.
 
I was told apple products are more secure.

I recommend reading a few articles on password construction and changing passwords now on sensitive accounts, especially email and financial accounts.
***************************


Actually Apple products are NOT more secure. There are just fewer of these devices (but growing) so they have not been as lucrative as a target. But as the number of iPhone etc. devices that use the same OS increases, they are becoming a higher target.

Many articles on password "guidelines" were based on a NIST standard released about 10 years ago. The author of that standard announced more than a year ago that not only was he wrong but that the guidelines resulted in LESS secure passwords.

Also, the idea of changing passwords on a regular (i.e. 90 days) frequency was based on the idea that passwords were brute forced and it would take a little longer than 90 days to do this. But passwords under 14 characters are now in "rainbow tables" and figuring them out now takes literally nanoseconds. So only passphrases of 14 (and many experts now recommend 16) AND that are not a phrase seen in print or online are suggested. And yes, a different phrase for each vital site. In addition, the timeframe for password hacking is based on being able to generate ALL combinations of passwords of that length. But that means that more than 50% are hacked in 1/2 of that time. And people being creatures of habit tend to use some combinations more often than others. So in reality 90% of passwords of a certain length are hacked within the first 10-13% of that time.
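The post above (and the later reply about cracking stolen password files offline) rests on precomputed tables: one lookup recovers any password whose hash appears in the table. The example below is added here and is not from this thread; it builds a tiny stand-in for such a table from a constructed wordlist, shows it recovering every user of a plain unsalted hash in one lookup each, and shows that a per-user random salt with a slow KDF (PBKDF2 here, an assumption; any modern password hash serves) makes the same table recover nothing, so each account has to be guessed separately at the KDF's cost.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist standing in for a cracking dictionary.
WORDLIST = ["password", "letmein", "summer2019", "qwerty"]
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, tune it to your hardware


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, identical for every user of a password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(words) -> dict:
    """Precompute hash -> password once; reusable against any unsalted dump."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted_dump(table: dict, dump: dict) -> dict:
    """Recover passwords from {user: sha256hex} with one dict lookup per user."""
    return {user: table[h] for user, h in dump.items() if h in table}


def store_salted(password: str) -> tuple:
    """The stronger scheme: per-user random salt plus a slow KDF."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


def crack_salted_dump(table: dict, dump: dict) -> dict:
    """The same precomputed table against {user: (salt, digest)} recovers nothing:
    no table entry was computed with that user's salt or with the KDF."""
    return {user: table[d.hex()] for user, (_, d) in dump.items() if d.hex() in table}


if __name__ == "__main__":
    table = build_table(WORDLIST)
    weak = {"alice": unsalted_hash("summer2019"), "bob": unsalted_hash("summer2019")}
    strong = {u: store_salted("summer2019") for u in ("alice", "bob")}
    print(crack_unsalted_dump(table, weak))  # both users, one lookup each
    print(crack_salted_dump(table, strong))  # {}
```

Note that the salt only defeats the precomputed table; a short or common passphrase is still guessed quickly by running the KDF per candidate, which is why the length advice in the post still applies.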
 
Having spent 20+ years on the operational side of IT security for a large bank and insurance company I can assure you that nothing is as "secure" as you would hope it to be. For Wi-Fi and even a wired home network, once the traffic leaves the router and hits the Internet it's no different than when it leaves the cellular network and hits the Internet.

Your home network has little to nothing to do with the security of the "in transit" traffic (the data communications with the destination) to Internet sites using HTTPS. Why? Because as was just noted it really depends on the configuration and security of the web site you're connecting to and the security of the connecting device whether it be your PC, phone, tablet or whatever.

Cessna152 is technically correct but the problem is that many installed apps do not validate HTTPS certificates as they should. The USA FTC has handed out several large penalties and 20-year consent decrees to large and small companies whose apps failed to validate HTTPS certificates properly. CreditKarma was one of them. Unless you know what you're doing, never accept a warning for an invalid certificate.

Your home network security has everything to do with security for direct access to all of your PCs and devices.

One of the best things you can do is set up multi-factor authentication at your financial institution. Banks in the US have required it for over a decade. Retirement companies have not but it usually is optional.

Another thing that is great to do is to set up both email and text alerts for every single thing that happens on your account. Set the dollar limit to zero dollars if possible or the lowest that will be accepted. You should know about everything that happens in your account, be it a bank account, retirement account, credit card account or whatever because nothing should be happening without your knowledge (because you're the only one who normally performs transactions).

If you have any financial accounts that you have not set up online access for yet, stop and do it right now. ALL financial institutions automatically enable online access by default. If you fail to register your online account there is a chance that a miscreant will do it for you and you may never know until it's too late.

NEVER have a debit card tied to your primary bank account, the one that accepts direct deposits and pays your bills. Get the bank to shut it off. If you need a debit card, have a second account created with a debit card and electronically transfer money to it as needed to handle those transactions. If a debit card fraud hits you the entire account can be wiped out and it usually takes ten business days to get it resolved. That's ten days without cash. I have no debit cards and just rely on credit cards.

HTH,

Ray
 
Indeed, my advisor said Apple was “effectively” more secure as it was relatively uneconomic to target, as you say. While it may be becoming less secure, i see no reason to believe that it is no longer <relatively> secure.

I assume all sensitive accounts lockout after a handful of attempts. I don’t understand how this could be broken by brute force permutations.
 
It's because the theft of an entire database is not uncommon. In many, many cases the web sites simply left the online databases entirely exposed to everyone in the world who happened to stumble across it. Databases are just files and have no inherent lockout mechanism.

Current password brute-forcing systems run at several billion attempts per second. No, not a typo. They rely on multiple computer graphics cards to achieve that speed. Most people do not know it but your video card is way, way faster than your PC's CPU. This also is why Nvidia's stock popped a while ago; people were using their graphics cards for cryptocurrency.

"Longer" always trumps "complexity" as far as passwords go. Get up into the thirties or more and you may have a fighting chance of keeping it from getting brute-forced.

"Forgot your password" functions are also a favorite target, especially ones that use "security questions". Ever answered a Facebook or other social media quiz about "your favorite" whatever? You may have leaked the answer to a so-called security question.

The site below is run by Troy Hunt, a highly reputable person. Pop your email addresses in it and you'll see how many companies have lost it along with who knows what other data. If you click Passwords at the top try your favorite password (but not a current one) and you'll see how many times someone else (or you) had it lost in a data breach.

https://haveibeenpwned.com/

As far as Apple goes, if you are not keeping up on every app and iOS update as they come out, which carries its own risk, you're still at an elevated risk.

Android is still a mess unless you use an actual Google phone because the telecoms do not patch their phones for more than two years, unlike Apple and Microsoft. That being said I do use a current Android phone but I don't do much on it and certainly no financial account access. Why not? Because it's where I get the text codes and where Google Authenticator and Symantec VIP are installed. Putting all of your eggs in the one phone basket is not a good idea.

Ray
 
Lockout is set at the OS level - and not all organizations/system administrators do this. But the idea of brute force attacks is decades old - before the lockout feature existed. Now hackers try to get administrator access and then copy over any password files that they use to crack offline with hacker dictionaries, brute force, and rainbow tables.
However, this feature creates another problem for the legitimate user. It creates a "Denial of Service" attack. If it happens more than once, there is a probability that the user will cancel their account and go to another company. Many financial institutions are now going to two-factor identification, especially when someone is trying to log on with a device that does not have an authentication cookie.
 
ok, I had posted before reading the entire thread through. I understand now the need to focus on password length and opt in for two factor when offered.
 