Be careful managing assets, accounts, money, over the internet on wireless

chinaco

As technology is leveraged in different (and new) ways, new security threats emerge. Wireless technology has introduced a new form of threat that you might expose yourself to at home, and definitely on the road.

At home if you use a wireless router, harden the configuration and use WPA or WPA2 for an encrypted connection.

You had better secure your notebook with proper access control. Windows Vista is (or can be made) a more secure technology than previous versions of Windows.

On the road, only ever use a connection that uses WPA or WPA2 (today... more secure will emerge). Also with wireless, you had better make sure you know the network that you use and that it is trusted! DO NOT just connect to an unknown net and use it. There is a technique called man in the middle where someone can (basically) wiretap. Even if you use SSL, there are ways to fool you if you are not on guard (with man in the middle). Criminals will soon be trolling near hot spots to try to get into your laptop and/or put out an alternate network to attempt to get in the middle and gather information. You can see where businesses are being targeted. This is what happened to TJX (i.e. Marshalls) according to the Wall Street Journal.

This is real. Protect yourself! Wireless networks are convenient, but unless everything in the chain is secure and your laptop is secure... you could be compromised. The threats seem to be a shifting landscape as new technology and capabilities are employed. Often the people that set up the networks are not security specialists and are not aware of emerging threats. They can set up the technology, but do not employ security in depth.

Sorry about the scare... but better to be safe than sorry.
 
chinaco said:
Even if you use SSL, there are ways to fool you if you are not on guard (with man in the middle)...
I have always believed that, as long as the site I am accessing is https (SSL), then the information that passes is encrypted and would require a high level of espionage to crack the code. Such is the case for all my financial sites.

I know that emails are often in the clear but the crooks are welcome to see that stuff. I know they steal email addresses and sell them for spam but I consider that to be one of the costs of WiFi convenience.
 
kcowan said:
I have always believed that, as long as the site I am accessing is https (SSL), then the information that passes is encrypted and would require a high level of espionage to crack the code. Such is the case for all my financial sites.

I know that emails are often in the clear but the crooks are welcome to see that stuff. I know they steal email addresses and sell them for spam but I consider that to be one of the costs of WiFi convenience.

What you stated is true... If the scenario played out as you stated it.

It is possible for someone to trick you and get in the middle between you and the intended site. If they control the network you are on, they could set up an SSL session with their proxy and terminate your SSL session with the proxy, sniff the traffic, establish an SSL session with the target site via the proxy and send your original request along. See this link: http://en.wikipedia.org/wiki/Man_in_the_middle_attack

Or if the criminal is on the network, they can attempt to gain access to your laptop, download a key logger and have it send back the raw key strokes you enter over the wireless network to a site that just captures the stream.

There are many other techniques to attack your PC and steal information... It is scary.

So yes, if you have everything bolted down absolutely tight and are very very careful, you might ward off an attempt. But most people are fairly careless (or ignorant or both) and do not have their computer properly secured.
 
Two of the financial institutions I deal with have gone to a new security program that IDs the computer you are using. If the computer ID is different from the one in their system you have to answer some security questions. At the end of the security questions they give a warning to you on the use of internet cafe computers. We also have an account with a German bank that requires the standard stuff, ID and password, but also the input of a group of numbers. They send you the numbers in the mail and they can only be used once. It is a hassle but secure.
 
So when you're not at home, and out using your wireless connection at a coffee shop or wherever, is it ok as long as you're doing generic web surfing (nothing requiring passwords)?
 
chinaco said:
It is possible for someone to trick you and get in the middle between you and the intended site. If they control the network you are on, they could set up an SSL session with their proxy and terminate your SSL session with the proxy, sniff the traffic, establish an SSL session with the target site via the proxy and send your original request along. See this link: http://en.wikipedia.org/wiki/Man_in_the_middle_attack

Only if you're willing to ignore warnings about unverified certificates. sslmitm presents a self-signed certificate; though it does have the proper address in it, you'll still get a warning in your browser.

I suppose it's still good to remind folks not to blithely ignore certificate warnings.
 
WM said:
So when you're not at home, and out using your wireless connection at a coffee shop or wherever, is it ok as long as you're doing generic web surfing (nothing requiring passwords)?

Forget the man in the middle attack for a minute. If your computer is not properly secured on that network, or for that matter on the internet, someone can break in. I am not sure you are any more at risk on a wifi link than on the internet. But, if you happen to be in an area where someone is trolling, they could focus on you since you are a refined target (rather than just casting a broad net).


mja said:
Only if you're willing to ignore warnings about unverified certificates. sslmitm presents a self-signed certificate; though it does have the proper address in it, you'll still get a warning in your browser.

I suppose it's still good to remind folks not to blithely ignore certificate warnings.

You are mistaken if you think the general public has the least understanding of the vulnerabilities of the technology. On the cert warning... yes, if an attacker approached it that way, you would see the warning. Hopefully the victim is aware and understands what it means in the days of blocking popups and other crap (it is easy to get distracted). People make mistakes!

There are sophisticated ways to have a valid cert that will not throw a warning! You would really have to be watching to catch it. Here is an example. An overseas location where expats gather for coffee and social chat. It has a wifi hotspot. Many people do their money transfers there. If the connection to that router is not secured, someone could target people for an attack on the network and compromise your computer and just wait for phone home messages. A more sophisticated approach would be to get next door and create a second wifi signal. Hopefully some people will select it. Now that person is on their network before the onramp to the internet. They can employ a variety of technologies to trick you and get in the middle.

This is an area where it pays to be paranoid. Do not assume the network is safe!

It would be safer if the cafe owner issued you a temporary key to get on their network and it was encrypted using WPA2. At least then, if the owner was not corrupt, you would have some assurance of a safe onramp to the internet.
 
mja said:
Only if you're willing to ignore warnings about unverified certificates. sslmitm presents a self-signed certificate; though it does have the proper address in it, you'll still get a warning in your browser.
I suppose it's still good to remind folks not to blithely ignore certificate warnings.
Actually it's worse, they can set up an entirely fake home page to capture user/pwds, and route traffic to that site. Easy to do because there are tools that you can run to download the site HTML; you just need to fill in some software to provide the user/pw function.

How would you know, you ask? Because you would get a fake error telling you to try later; obviously it can't actually log you in. Run to another internet spot, log in and change your password. You can also run pathping before you try to log in to the site, example: pathping -q 1 google.com

Save the routing in a file; when at a hotspot, rerun, check the route, especially the last couple of hops.
TJ
 
If I'm at a hotspot, and I directly access https://www.fidelity.com and don't get a certificate warning,
I know there's no MITM. Provided I've kept my own machine secure to begin with, and that none of the root CAs have been compromised, of course.

If you disagree with that, please provide some proof.
 
mja said:
If I'm at a hotspot, and I directly access https://www.fidelity.com and don't get a certificate warning,
I know there's no MITM. Provided I've kept my own machine secure to begin with, and that none of the root CAs have been compromised, of course.

mja, that is my understanding as well, provided that Fidelity's servers have not been compromised. Unless there's a new weakness in the encryption protocols I haven't heard about yet. (The Early Retirement Forum, home of 0day exploits...)
 
teejayevans said:
Actually it's worse, they can set up an entirely fake home page to capture user/pwds, and route traffic to that site. Easy to do because there are tools that you can run to download the site HTML; you just need to fill in some software to provide the user/pw function.
I am pretty sure that IE7 has a phishing alert that pops up on any site that is not what the URL was initially aimed at. I have seen it work for bogus Paypal requests.
 
kcowan said:
I am pretty sure that IE7 has a phishing alert that pops up on any site that is not what the URL was initially aimed at. I have seen it work for bogus Paypal requests.
Won't work...
When you attach to the network, the network gives you DNS servers; those DNS servers are not root servers, they are local to that network/domain. So now I create a DNS server that returns 1.1.1.1 for www.fidelity.com. IE doesn't know what the real address is and doesn't care. 1.1.1.1 is a fake fidelity site; when the secure connection is made, it's to 1.1.1.1, so no one will see what you are sending to 1.1.1.1, but that doesn't matter much, does it?

The phishing is when you have a link which has the title that you see and the actual link you don't, like this:
<a href="http://www.google.com">http://www.ask.com</a>

If you create a file called tst.html with that line in it and open it with IE you'll see what I mean (IE 6 doesn't complain BTW).
Understand?
TJ
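The mismatched-link trick in the post above is something a mail or page filter can flag mechanically: pull every anchor, and when the visible text itself looks like a URL, compare its host against the host the href really points to. This is an added example written for this thread, not code from any poster; the sample HTML is constructed and includes the post's own google/ask.com line.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.x.com' text gets a scheme so it parses."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname


def looks_like_url(text):
    """Visible anchor text that a reader would take to be an address."""
    return text.lower().startswith(("http://", "https://", "www."))


def find_deceptive_links(html):
    """Return (href, shown_text) pairs whose shown text names a different host
    than the one the link actually leads to. Plain-word link text is ignored,
    since it makes no claim about the destination."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue
        real, shown = host_of(href), host_of(text)
        if real and shown and real != shown:
            findings.append((href, text))
    return findings


# Constructed sample: the post's example, an honest self-describing link,
# and a link whose text is a plain word (not checked).
SAMPLE_HTML = """
<a href="http://www.google.com">http://www.ask.com</a>
<a href="https://www.fidelity.com/">https://www.fidelity.com</a>
<a href="https://www.fidelity.com/login">Log in</a>
"""

if __name__ == "__main__":
    for href, text in find_deceptive_links(SAMPLE_HTML):
        print(f"shown as {text!r} but goes to {href!r}")
```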
 
mja said:
If I'm at a hotspot, and I directly access https://www.fidelity.com and don't get a certificate warning,
I know there's no MITM. Provided I've kept my own machine secure to begin with, and that none of the root CAs have been compromised, of course.

If you disagree with that, please provide some proof.
See append above, you don't directly go to www.fidelity.com. The gateway can route you to a bogus server. The DNS server can give you the wrong address, see my other append.

It's like if you make a phone call to a friend's home, but they have autoforwarding on and it ends up at work. You think you are talking to your friend at home, but they are at work. Now imagine they have a twin who sounds just like him/her; unless you ask some personal questions, you would not know who you are talking to. For example, what's my account balance? Your real friend will know, your friend's twin will not. The security only prevents other people from listening to the conversation.
TJ
 
teejayevans said:
See append above, you don't directly go to www.fidelity.com. The gateway can route you to a bogus server. The DNS server can give you the wrong address, see my other append.

Yes, DNS can give you the wrong IP address, but the certificate still won't verify, because the MITM doesn't have Fidelity's private key.
 
Heavens knows, I am barely computer literate, knowing only enough to have a firewall, anti-virus software up to date, stay off of porn sites, etc. And I never put sensitive info into an email, etc. But I do access the secured sites for our brokerage and bank accounts, etc.

But some of this discussion reminds me of the time I helped our local food coop get a mortgage way back when. They didn't have what the bank wanted for a downpayment, so I handed over a CD of mine to the bank to hold and the bank held it for collateral. The inevitable happened, the food coop went belly up and the building went into foreclosure.

My attorney was full of gloom and doom, relating to me all the liability danger I faced, all the bank could do to get money out of me, etc., until it looked like we'd be out in the street with the shirts on our backs.

So I said to him, "I recognize that the bank CAN do all that, and I recognize that I am in a dangerous position and that you need to warn me of all the negative possibilities. But what do you think will ACTUALLY happen? What will the bank ACTUALLY do?" And he said, "Oh, they will just keep your CD." And that is what happened.

I realize that all these dangers exist, but for any given transaction done over wireless using your own laptop in an internet cafe or other location in Europe or anywhere else, what percentage risk is there of interception and compromising of your financial accounts?

Are we talking getting struck by lightning here? Mugged on the street in daylight? or are we talking about taking a stroll outside the Green Zone in Iraq, or deciding on walking out for pizza late at night in a gang infested neighborhood?

I'm willing to take limited risk, but not risk that is likely I'll lose. Before we leave for Europe, I expect to talk to our broker, let him know where we'll be, and that I'll let him know if we intend any unusual spending. So if he sees any unusual activity, he can email us and ask. Wouldn't that be sufficient?

I don't want to go two months without checking on finances, and since internet cafes and wireless will be probably our only access, how much should I worry? I know this stuff happens, but how prevalent is it? Not what somebody COULD do, but what someone is likely TO do. Thanks.

LooseChickens
 
mja said:
Yes, DNS can give you the wrong IP address, but the certificate still won't verify, because the MITM doesn't have Fidelity's private key.
It's not a man in the middle attack, it's that the man on the other end is not who you think it is.
TJ
 
loosechickens said:
Are we talking getting struck by lightning here? Mugged on the street in daylight? or are we talking about taking a stroll outside the Green Zone in Iraq, or deciding on walking out for pizza late at night in a gang infested neighborhood?
Chances are extremely low if you stick to internet cafes. Chances are much higher if you just attach to random hot spots. Like I said before, a simple pathping command will let you know if this is the case. If you log in you are fine; if you get an error message like "system unavailable try again later", double check with pathping, and if it's just a couple of hops, find another hotspot and change your password. That's all.
TJ
 
Thanks, TJ... sometimes it's hard to discern between the real and present danger and the danger that "might" happen or "did" happen to somebody, sometime. Especially when you're not any kind of a computer expert. Much appreciated.

LooseChickens
 
teejayevans said:
Actually it's worse, they can set up an entirely fake home page to capture user/pwds, and route traffic to that site. Easy to do because there are tools that you can run to download the site HTML; you just need to fill in some software to provide the user/pw function.


And then, they could issue a redirect to send you to the real home page after they capture the info. This is part of the reason the VG split the login id and the PW page apart. But, I think some newer browsers can be set to warn on the redirect to a different site.


mja said:
If I'm at a hotspot, and I directly access https://www.fidelity.com and don't get a certificate warning,
I know there's no MITM. Provided I've kept my own machine secure to begin with, and that none of the root CAs have been compromised, of course.

If you disagree with that, please provide some proof.

If it is their cert, I would think you would be OK. As someone said earlier unless they were compromised.

My point on MITM is that a different cert could be used to terminate your connection/SSL session at a proxy, and the proxy could establish a different SSL connection with the real site. In other words, you might not be using their cert. How often do you check (actually look) to validate the cert on your side?



---------------------------

My point on the topic was: Do not take security for granted. There are ever emerging threats and clever techniques to trick people and/or compromise your computer.
 
teejayevans said:
Actually it's worse, they can set up an entirely fake home page to capture user/pwds, and route traffic to that site. Easy to do because there are tools that you can run to download the site HTML; you just need to fill in some software to provide the user/pw function.

How would you know, you ask? Because you would get a fake error telling you to try later; obviously it can't actually log you in. Run to another internet spot, log in and change your password. You can also run pathping before you try to log in to the site, example: pathping -q 1 google.com

Save the routing in a file; when at a hotspot, rerun, check the route, especially the last couple of hops.
TJ

My credit union has, on the page where you put your password, a box that has an additional phrase you have given them. If you don't see this phrase you are not on their web site. This helps to prevent you from logging on to a false web page.
 
chinaco said:
My point on MITM is that a different cert could be used to terminate your connection/SSL session at a proxy, and the proxy could establish a different SSL connection with the real site. In other words, you might not be using their cert. How often do you check (actually look) to validate the cert on your side?

Your browser validates the cert based on the internal list of root CAs it ships with. If the fake cert has not been validly signed by one of the root CA certs (which would only be possible to forge if you had compromised one of the root CA systems), the browser will pop up an error.

Granted, it's possible that if you downloaded and installed new web browser software via an unencrypted connection (and didn't verify the checksum on it), your browser software itself might be compromised. I tend to be careful about things like that, though most casual computer users probably aren't. Even so, I wouldn't recommend that folks like my mom stop accessing their financial data online. I recommend that she take the appropriate precautions:

Turn off all unnecessary services on your computer.
Keep patches up to date at all times.
When online, use an account without administrator privileges as much as possible.
Don't use Internet Explorer or MS Outlook unless absolutely necessary.
Run anti-virus and firewalling software.

If you do this, accessing your online accounts isn't much more of a risk on public wifi than on your home network. In either case, your traffic will be routed through multiple networks until it reaches its destination, and any one of those could have people sniffing traffic on it. Encrypted (SSL) connections are pretty good security, as long as you pay attention to certificate errors from your browser. For even better security, some sites (Etrade is one) offer the one-time-use login number generators so that you need to be looking at the gadget in addition to knowing your username and password.
 
I hate to sound so ignorant, but......when you say "don't use Internet Explorer", which is what I usually use, what do you suggest instead? Are you talking about things like Mozilla and Firefox (see how knowledgeable somebody who hasn't got an idea what they're talking about can sound?)......I've heard those names, but don't have the foggiest about them.

If I'm going to be using my laptop in Europe in internet cafes, campgrounds, etc., are you saying to use some other browser?

I appreciate that you guys aren't laughing at me...... ;-)

LooseChickens
 
loosechickens said:
I hate to sound so ignorant, but......when you say "don't use Internet Explorer", which is what I usually use, what do you suggest instead? Are you talking about things like Mozilla and Firefox (see how knowledgeable somebody who hasn't got an idea what they're talking about can sound?)......I've heard those names, but don't have the foggiest about them.

If I'm going to be using my laptop in Europe in internet cafes, campgrounds, etc., are you saying to use some other browser?

I appreciate that you guys aren't laughing at me...... ;-)

LooseChickens
A Microsoft exec once claimed they are the most secure OS because they ship more security patches than any other OS. Does that tell you something?
TJ
 
loosechickens said:
I hate to sound so ignorant, but......when you say "don't use Internet Explorer", which is what I usually use, what do you suggest instead? Are you talking about things like Mozilla and Firefox (see how knowledgeable somebody who hasn't got an idea what they're talking about can sound?)......I've heard those names, but don't have the foggiest about them.

Yes, I prefer Firefox (produced by the Mozilla corp).
http://www.mozilla.com

They tend to fix any vulnerabilities quickly (you still need to make sure to keep it updated), and you can download extensions that will make it even safer (I like NoScript and FlashBlock). But even without the extensions, my opinion is it's much safer than using Internet Explorer, mostly because IE is so integrated into the operating system and has a history of more serious and slowly fixed bugs.

You may still run into the occasional web site that's been customized for IE and simply won't work well with Firefox. I wind up using IE a couple of times a month, but I try to keep that to a minimum and visit only sites I trust (i.e. www.fidelity.com, but not www.funwithsheep.com)
 
figner said:
Your browser validates the cert based on the internal list of root CAs it ships with. If the fake cert has not been validly signed by one of the root CA certs (which would only be possible to forge if you had compromised one of the root CA systems), the browser will pop up an error.


True enough on the CA and the warning. Some exploits get complicated enough that they are theoretically possible... but would be complicated to attempt against individuals. Rather, the criminals go after the large data store by attacking the site.

The CA check can be circumvented if the attacker can get control of the person's computer. For example, on a rogue Wi-Fi network (if someone accidentally selected it instead of the intended cafe connection)... the rogue network could employ an internal CA and proxy server. The hacker could get on someone's computer, then import a new CA into the browser CA list. Then the browser could validate against the internal CA server and not throw the warning. Most of this technology could be set up on a single laptop. It is a bit complicated.

Bottom line: Wi-Fi is becoming more prevalent. It will be exploited.


All in all (today!), phishing is probably a much larger threat to individuals. It is simpler. Many of the current exploits against individuals seem to apply some sort of social engineering to trick people.
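The two checks the thread keeps circling back to (mja's "DNS can point you at the wrong box but the cert still won't verify" and chinaco's "unless a rogue CA has been imported into the browser's trust list") can be made concrete in a small model of what the browser does. This is an added example, not anyone's posted code: certificates are constructed dicts in the layout Python's ssl.getpeercert() returns, all names and CA labels are made up, and the trust check is simplified to "issuer is in the trusted set" in place of real signature-chain verification.

```python
# Simplified model of browser certificate acceptance for this thread's scenarios.

def dns_name_matches(pattern, hostname):
    """RFC 6125-style match of one certificate DNS name against the requested host.
    A wildcard is honoured only as the entire leftmost label, matches exactly one
    label, and needs at least two fixed labels after it (so '*.com' never matches)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert):
    """DNS names from a getpeercert()-style dict: subjectAltName holds (type, value) pairs."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def issuer_cn(cert):
    """Issuer commonName; getpeercert() gives the issuer as a tuple of 1-tuples of pairs."""
    return dict(rdn[0] for rdn in cert.get("issuer", ())).get("commonName")


def verify_peer(cert, hostname, trusted_roots):
    """Return (accepted, reason). Name check first (the DNS-redirect case), then
    whether the issuer is a trusted anchor (the rogue-CA case). Real validation
    also checks signatures, validity dates and revocation; those are omitted here."""
    names = cert_dns_names(cert)
    if not any(dns_name_matches(n, hostname) for n in names):
        return False, f"name mismatch: cert is for {names}, connection is to {hostname}"
    if issuer_cn(cert) not in trusted_roots:
        return False, f"untrusted issuer: {issuer_cn(cert)}"
    return True, "ok"


def added_trust_anchors(baseline, current):
    """Defender-side drift check: CAs present now that were not in the known baseline."""
    return set(current) - set(baseline)


# Constructed trust store and certificates (labels are invented, not real CAs).
DEFAULT_ROOTS = {"Example Public Root CA (constructed)"}
ROGUE_CA = "Hotspot Rogue CA (constructed)"

GENUINE_CERT = {"subjectAltName": (("DNS", "www.fidelity.com"), ("DNS", "fidelity.com")),
                "issuer": ((("commonName", "Example Public Root CA (constructed)"),),)}
# What a DNS answer pointing at some other host would hand you: a cert for that host.
WRONG_NAME_CERT = {"subjectAltName": (("DNS", "captive.hotspot.invalid"),),
                   "issuer": ((("commonName", "Example Public Root CA (constructed)"),),)}
# A proxy cert bearing the right name but signed by a CA the browser does not ship.
ROGUE_PROXY_CERT = {"subjectAltName": (("DNS", "www.fidelity.com"),),
                    "issuer": ((("commonName", ROGUE_CA),),)}

if __name__ == "__main__":
    for label, cert, roots in [("genuine", GENUINE_CERT, DEFAULT_ROOTS),
                               ("dns redirect", WRONG_NAME_CERT, DEFAULT_ROOTS),
                               ("rogue proxy", ROGUE_PROXY_CERT, DEFAULT_ROOTS),
                               ("rogue proxy, CA imported", ROGUE_PROXY_CERT, DEFAULT_ROOTS | {ROGUE_CA})]:
        print(f"{label:26s} -> {verify_peer(cert, 'www.fidelity.com', roots)}")
    print("new anchors:", added_trust_anchors(DEFAULT_ROOTS, DEFAULT_ROOTS | {ROGUE_CA}))
```

The last case is the one the thread calls "complicated": once the rogue CA sits in the trust list the model accepts the proxy's cert with no warning, which is why comparing the installed CA list against a known baseline is the practical check on your own side.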
 