Help about public wireless access and security

[MJ]

Regarding public wireless access (which I am currently on), I am still confused about security. I googled for more info but could not find the answers to my questions.
I have the freebie ZA firewall and netscape 7.x 128 encryp. I always hear warnings about not entering sensitive (financial) information but what about when I am doing through my browser. I thought that with encryp protection and acessing protected sites, hackers would be prevented from getting my information.

Can anyone shed some light?

Thanks

[cube_rat]

Quote:

Originally Posted by vagabond Regarding public wireless access (which I am currently on), I am still confused about security. I googled for more info but could not find the answers to my questions. I have the freebie ZA firewall and netscape 7.x 128 encryp. I always hear warnings about not entering sensitive (financial) information but what about when I am doing through my browser. I thought that with encryp protection and acessing protected sites, hackers would be prevented from getting my information. Can anyone shed some light? Thanks* *

After reading details about the advent of RSA encrpytion technology, I have absolutely no qualms about using protected sites.* *Any would be hacker would have figure out the distance between two prime numbers 166 (I believe it's up to 166?) digit long in order to figure out the encryption key.

I'm modifying my orginal post to state again -->protected sites only using RSA which is the gold standard. Wireless encryption is whole other story and some methods can be easily hacked with downloadable tools from the internet.

[Marshac]

Quote:

Originally Posted by cube_rat After reading details about the advent of RSA encrpytion technology, I have absolutely no qualms about using protected sites.* *Any would be hacker would have figure out the distance between two prime numbers 166 (I believe it's up to 166?) digit long in order to figure out the encryption key. I'm modifying my orginal post to state again -->protected sites only using RSA which is the gold standard.* Wireless encryption is whole other story and some methods can be easily hacked with downloadable tools from the internet.

I wouldn't be so trusting. It's really easy to poison the ARP, and then do a man-in-the-middle attack. Software packages such as Cain & Able make this uncomfortably easy to do..... and make for some hilarious fun at work.

[cube_rat]

Quote:

Originally Posted by Marshac I wouldn't be so trusting. It's really easy to poison the ARP, and then do a man-in-the-middle attack. Software packages such as Cain & Able make this uncomfortably easy to do..... and make for some hilarious fun at work.

I wasn't referring to desktop or network sniffing. Wireless network, desktop protection is a whole different ball game, IMHO and is still considered the wild west. Now try and factorize RSA-704, that's far more entertaining than sniffing and exploiting desktop and network passwords

http://www.rsasecurity.com/rsalabs/node.asp?id=2093

Very good point though!

[eridanus]

1) Key loggers
2) Modified/hacked browser
3) Modified/hacked TCP (communication) stack
4) Remote site hack (i.e., someone has access to the bank website)
5) Remote site DNS spoof (redirecting "chase.com" to a spoofed site)
6) Lengthy HTTPS (SSL) session

The first 3 can be attenuated with good virus/worm protection and ZA. #4 is out of your control. #5 is out of your control but pay attention to any oddities on the site. For #6, just don't stay connected to a secure site for a lengthy period of time.

For your UNsecure communication (posting to this site, cnn.com, etc.), assume you're being sniffed. Don't use the same passwords. Even on encrypted wireless networks, the encryption can be hacked with a downloadable tool, as cube mentioned. It just takes enough traffic.

[Marshac]

Quote:

Originally Posted by cube_rat I wasn't referring to desktop or network sniffing.*

No, but with a man-in-the-middle attack, I can take your https request, issue you my own cert (so you still get the little lock thing in your browser), and then contact the webserver myself. Everything between you and I would be encrypted, and between myself and the server... you would have very little warning this was going on, and I would have access to everything you submit. This same attack can be used for telnet, SSH, etc... almost anything. It's quite a different animal than simply observing passing network traffic.

Edit: What do you know, wiki has an article on it too-

http://en.wikipedia.org/wiki/Man_in_the_middle_attack

[eridanus]

Quote:

Originally Posted by Marshac No, but with a man-in-the-middle attack, I can take your https request, issue you my own cert (so you still get the little lock thing in your browser), and then contact the webserver myself.

There's very little an end user can do to prevent this. If a sophisticated hacker owns the proxy through which all traffic passes, it's game over, man. The vast majority of net users do not use public key servers (are there any left?), nor do they trade public keys with their friends or banks through secure channels.

[Martha]

I have no idea what you guys are saying.

My worry is someone being able to find out brokerage or bank account passwords to steal money. Bottom line, should you or should you not conduct financial transactions on the Internet? What do you need to make sure that no one steals data from you in the course of that transaction?

[cube_rat]

Quote:

Originally Posted by Martha I have no idea what you guys are saying.* My worry is someone being able to find out brokerage or bank account passwords to steal money.* Bottom line, should you or should you not conduct financial transactions on the Internet?* What do you need to make sure that no one steals data from you in the course of that transaction?

Marshac and I were discussing two slightly different things.* I'm a RSA technology fan (within the RSA realm ONLY), which works quite differently from what he's pointed out.* He makes excellent points that should be duly noted by all.

Sorry Martha, I know I didn't answer your concerns.* I'm babbling again and need to move on* *

[eridanus]

Quote:

Originally Posted by Martha I have no idea what you guys are saying. My worry is someone being able to find out brokerage or bank account passwords to steal money. Bottom line, should you or should you not conduct financial transactions on the Internet? What do you need to make sure that no one steals data from you in the course of that transaction?

There's always a risk given current technology.

1) Secure your PC.
2) Don't use the same usernames/passwords for your secure accounts as you do for your non-secure accounts. E.g., your bank password shouldn't be the same as your forum password.

+ all the other things you shouldn't do, including avoiding phishing emails and phone calls.

Quote:

Originally Posted by Martha I have no idea what you guys are saying. My worry is someone being able to find out brokerage or bank account passwords to steal money. Bottom line, should you or should you not conduct financial transactions on the Internet? What do you need to make sure that no one steals data from you in the course of that transaction?

Most identity theft today is still accomplished by Low Tech methods. (They steal the statement from your bank or Brokerage company out of your mailbox) - This is one reason why I don't have statements mailed to me.

If they are sophisticated users they will hack the bank or brokerage company computer - Because as Wille Sutton said 'That's where the money is'

[JB]

Quote:

should you or should you not conduct financial transactions on the Internet?

It all depends on your risk tolerance -- nothing is 100% secure. If you keep your computer reasonably secure there's little risk with internet transactions from your home. Your risk increases if you let others (especially kids) use the computer, conduct transactions over a public wifi network (as Marshac explained), or use a computer that isn't trusted.

To keep your computer secure:
- Don't open e-mail attachments that you're not expecting to receive.
- Don't download and install questionable software from the internet.
- Run anti-virus software and scan and update regularly.
- Use a NAT router on your home network.
+ Use 'strong' passwords
+ For wireless networks, use WPA with a strong passphrase.