Public wifi security argument

ACW

After a bit of research I wondered what the view of anyone in the know was. My understanding of the subject is limited. I'm arguing the point with a friend who works in retail.

Let's say shop A uses general public wifi (not based in store) to process transactions on an iPad.

Said transaction requires address, name, email, password and all card details. They are on the store's website xxxxxxxxxx.com or whatever.

Could hacker B be sat in a nearby cafe and harvest any info?

The store website uses https so I understand it would be near impossible to intercept the data packets. There is no use of a VPN.

There must be ways for a wrong'un to get the data such as easily misdirecting the iPad to a cloned site of the original?

My point was that public wifi was far more insecure than if they had their own private password protected wifi?

I'm just struggling to get facts behind my argument.

Thanks to anyone that can help!
 
Wifi is the typical public shopping area / coffee shop free wifi worryingly.
 
neil_g said:
Depends if the data is encrypted

Sorry hadn't finished whole post when I submitted it! Site uses https which if I understand right does that?
 
Wifi in general sucks for security either way for the determined of hackers.

Why on earth would a bricks and mortar retailer be using an iPad for card payments. They'd lose my custom if they presented me with that in store.
 
neil_g said:
Wifi in general sucks for security either way for the determined of hackers.

Why on earth would a bricks and mortar retailer be using an iPad for card payments. They'd lose my custom if they presented me with that in store.

To order things to store or to a customer's address when their things are out of stock etc. It's not their general payment taking system, they have normal tills and the like.

It just worries me that it would be pretty easy for someone to spot that a store was constantly accessing and ordering on their site, and it would be easy to exploit it.

Trying to convince them their own hub and everything would be safer as they are in a position to authorise that.
 
neil_g said:
They'd lose my custom if they presented me with that in store.

Me too, but I've been shown the figures and it's processing a surprisingly large amount of orders.
 
The store website uses https so I understand it would be near impossible to intercept the data packets.
The packets can be easily intercepted on an open wifi (and on many "secured" wifi networks as well), google aircrack-ng and frighten yourself if you have wifi at home. Intercepting a bunch of public key encrypted packets exchanged with an https site will avail them little though.

Compared to 2048 bit RSA, password security on wifi is massively feeble.
 
onomatopoeia said:
The packets can be easily intercepted on an open wifi (and on many "secured" wifi networks as well), google aircrack-ng and frighten yourself if you have wifi at home. Intercepting a bunch of public key encrypted packets exchanged with an https site will avail them little though.

Compared to 2048 bit RSA, password security on wifi is massively feeble.

Thanks for the reply. This is where my limited knowledge shows as I believed the old "it would take 1000s of years to brute force into the data." As for 2048 bit RSA? I presume that's a form of super encrypted encryption? Will google that aircrack now, hadn't heard of it before.

Unfortunately it now looks as if my argument was wrong and actually you might as well use public or private wifi for these personal details as both are at risk.
 
Where's Hacker when you need him? :lol::lol::lol:
 
As for 2048 bit RSA? I presume that's a form of super encrypted encryption?

2048 bit RSA is the public key encryption used on https websites. With the computing power available today it would take many universe lifetimes to break by brute force if you just sniff the data from a public wifi.
 
As long as the comms with the website is encrypted, you are probably OK. If I were going to attack this, I wouldn't try and brute force the data, I'd compromise the WiFi router and point xxxx.com at a server I controlled and duplicate the website. I'd check the certificate is what it claims to be. A major retailer will have a certificate that not only secures the communications but also identifies the website as belonging to the organisation that it claims to. Chrome at least displays the company name in green if the certificate belongs to the company name in question. Having said that, it's probably a lot easier to just buy a set of compromised credit card details than cracking your own.
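
The certificate check described in the post above, as an added example that is not part of the original thread. It assumes the TLS library has already validated the chain, and the host names, organisation name and certificate contents are constructed for illustration:

```python
import ssl

def host_matches(pattern, host):
    """A '*' may replace only the whole left-most label (RFC 6125 style)."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_cert(cert, host, expected_org, now):
    """Return a list of problems; an empty list means the certificate fits.

    cert is shaped like ssl.SSLSocket.getpeercert() output, which Python only
    fills in once the chain has validated against a trusted root.
    """
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(host_matches(n, host) for n in names):
        problems.append("hostname not covered")
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        problems.append("outside validity period")
    subject = dict(attr for rdn in cert.get("subject", ()) for attr in rdn)
    if subject.get("organizationName") != expected_org:
        problems.append("unexpected organisation")
    return problems

# Constructed sample data (hypothetical names, not real certificates).
NOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2024 GMT")
GENUINE = {
    "subject": ((("organizationName", "Example Retail Ltd"),),
                (("commonName", "www.shop.example"),)),
    "subjectAltName": (("DNS", "www.shop.example"), ("DNS", "shop.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
# What a clone could present: a valid certificate, but for its own domain.
CLONE = {
    "subject": ((("commonName", "www.shop-orders.example"),),),
    "subjectAltName": (("DNS", "www.shop-orders.example"),),
    "notBefore": "May 20 00:00:00 2024 GMT",
    "notAfter": "Aug 18 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("clone", CLONE)):
        print(label, check_cert(cert, "www.shop.example", "Example Retail Ltd", NOW))
```

The hostname and validity checks are what a browser already enforces before showing the padlock; the organisation check mirrors the company name display the post mentions.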
 
If I have to use public wifi, I always VPN into our base to add a layer of security to my browsing.
 
if data is encrypted or not if someone with certain knowledge - programs etc can access the data on your screen or on the device you are using.
 
I caught part of a program a while ago - guy pulled up on a street in his car outside some houses and within minutes he had access to a person's network/computer - he knocks on the person's door and shows them what that person in the house was doing a few minutes earlier on their computer - the hacker's laptop screen was also distorted so as not to reveal what program he was using - scary stuff
 
so how best can you protect your data when using a wifi connection?
 
Saw a similar program

The guy thought he was OK because the website he was using was secure, HTTPS etc. etc.

Turns out he was not as safe as he thought because his own wifi network was not secure and a guy was sat outside soaking up all the information he was transmitting over his network, they then knocked on the guy's door and showed him printouts of the holiday he just booked and all of the details

If you are using an unprotected wifi network then your data is at risk
 
Saw a similar program

The guy thought he was OK because the website he was using was secure, HTTPS etc. etc.

Turns out he was not as safe as he thought because his own wifi network was not secure and a guy was sat outside soaking up all the information he was transmitting over his network, they then knocked on the guy's door and showed him printouts of the holiday he just booked and all of the details

If you are using an unprotected wifi network then your data is at risk

when you say unprotected do you mean not having a password on the wifi?
 
1.2f said:
when you say unprotected do you mean not having a password on the wifi?

Yes, or using weak, easily defeated security such as WEP or WPA. WPA 2 with a strong network key is better.
 
just out of interest how do people overcome passwords and what constitutes a strong password?
 
Saw a similar program

The guy thought he was OK because the website he was using was secure, HTTPS etc. etc.

Turns out he was not as safe as he thought because his own wifi network was not secure and a guy was sat outside soaking up all the information he was transmitting over his network, they then knocked on the guy's door and showed him printouts of the holiday he just booked and all of the details

If you are using an unprotected wifi network then your data is at risk

And I re-iterate, it is far, far easier to crack the security on a password protected wifi than to decrypt data exchanged using 2048 bit RSA with properly generated keys.

I expect that you also are familiar with the mathematics involved in public key encryption and will be able to confirm this, as you write with a good deal of authority on the subject :thumbs:.
 
It is amazing what you can find out there. I was at a friend's house a few years ago before they had wifi.. Managed to piggy back someone's unprotected wifi, figured out what the router password was by googling the make/model (it was part of the password challenge was). Quick look at the DHCP list and then browse the network... One machine had a complete C drive shared complete with their documents. I was only demonstrating why it was important to protect your data...
 
Well if people don't change the default password on a wifi router, what do they expect? :(
 
It is amazing what you can find out there. I was at a friend's house a few years ago before they had wifi.. Managed to piggy back someone's unprotected wifi, figured out what the router password was by googling the make/model (it was part of the password challenge was). Quick look at the DHCP list and then browse the network... One machine had a complete C drive shared complete with their documents. I was only demonstrating why it was important to protect your data...

I remember using an unsecured network before, there was a printer shared on it as well. Gave them a nice message through it :D
Can't remember what I put as it was a while back, wasn't anything rude though.
 
just out of interest how do people overcome passwords and what constitutes a strong password?

That would be a nice long post, a few different things you can try. Google it if you are interested.
As for secure password, WPA2, around 32 characters, upper, lowercase and numerical should do it for now :thumbs:
 
just out of interest how do people overcome passwords and what constitutes a strong password?

1 make sure the password (or part of it), isn't in plain text somewhere on your computer
2 use different passwords for different sites. Especially, don't use your bank / email password for sites such as pinterest or linkedin.
3 don't use a pet's name / nickname followed by a 2 digit number
4 use a string of letters (eg the first letters of the words of a phrase), followed by a mixture of numbers / numbers, followed by another string. capitalise some of the letters.

Alternatively, use a text document encrypted on an encrypted usb drive that you carry everywhere with you and have a unique, long and complicated password for each site.
 
dexter35yrs said:
if data is encrypted or not if someone with certain knowledge - programs etc can access the data on your screen or on the device you are using.

Yes, not impossible, but with basic precautions such as never using an account with administrative rights to do day to day tasks, use good A/V with up-to-date definitions, have a good firewall, keep on top of O/S, browser and utility updates (e.g. Acrobat reader, Flash, Java etc), you should prevent all but the most determined hacker and he or she would rather put the effort into gaining access to a larger 'hit' in any case.

<<For the avoidance of doubt, my reply is in the context of using your own VPN for internet access whilst connected to a public WIFI hotspot>>
 
1 make sure the password (or part of it), isn't in plain text somewhere on your computer
2 use different passwords for different sites. Especially, don't use your bank / email password for sites such as pinterest or linkedin.
3 don't use a pet's name / nickname followed by a 2 digit number
4 use a string of letters (eg the first letters of the words of a phrase), followed by a mixture of numbers / numbers, followed by another string. capitalise some of the letters.

Alternatively, use a text document encrypted on an encrypted usb drive that you carry everywhere with you and have a unique, long and complicated password for each site.

I don't understand what you mean by 1.
 
I'm very good friends with some people that work for an IT security company, and they know a lot about passwords (they get employed by companies to try and crack their systems).

The major problem with most passwords is that people can't remember them. So they use easy-to-remember passwords, or they write them down, or they use the same password everywhere. One problem is that 'experts' will tell them to use a random sequence of letters (upper and lower case), numbers and special characters. So they end up with something like sK*9nNb24&oP% - which is impossible to remember. It's also too short - making it very vulnerable to brute-force attacks.

You're better off by taking a line from a book, or song - all joined together with some extras?. Something like "HowManyRoadsMustAManWalkDown?42!TP". Virtually uncrackable by brute force. Easy to remember if you're a Bob Dylan/HHGTTG fan. And you can vary the bit on the end to fit the site you're using the password on.

But the best bit of advice - don't be like the 10% who use 'password', '123456' or '12345678'. See here for more on the worst passwords.
 
I'm very good friends with some people that work for an IT security company, and they know a lot about passwords (they get employed by companies to try and crack their systems).

The major problem with most passwords is that people can't remember them. So they use easy-to-remember passwords, or they write them down, or they use the same password everywhere. One problem is that 'experts' will tell them to use a random sequence of letters (upper and lower case), numbers and special characters. So they end up with something like sK*9nNb24&oP% - which is impossible to remember. It's also too short - making it very vulnerable to brute-force attacks.

You're better off by taking a line from a book, or song - all joined together with some extras?. Something like "HowManyRoadsMustAManWalkDown?42!TP". Virtually uncrackable by brute force. Easy to remember if you're a Bob Dylan/HHGTTG fan. And you can vary the bit on the end to fit the site you're using the password on.

Or in cartoon form:
password_strength.png


Note, one should not actually use "Correct horse battery staple" as a password, it now appears in "dictionary" type scripts that try to crack root logins over ssh using common words and combinations thereof.
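
The length argument and the wordlist caveat from the posts above, put into numbers as an added example that is not part of the original thread. The tiny `KNOWN_PHRASES` set is a constructed stand-in for a real wordlist, filled only with passwords quoted in this thread:

```python
import math
import string

# Constructed stand-in for a cracking wordlist (entries taken from this thread);
# real lists hold many millions of passwords and phrases.
KNOWN_PHRASES = {"password", "123456", "12345678", "correcthorsebatterystaple"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def charset_size(pw):
    """Size of the alphabet a brute-force search must cover for this password."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    if any(c not in "".join(CLASSES) for c in pw):
        size += 1          # count the space (or any other character) once
    return size

def brute_force_bits(pw):
    """log2 of the number of candidates of this length over that alphabet."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))

def in_wordlist(pw):
    """Case and spacing do not save a phrase that is already on a list."""
    return "".join(pw.lower().split()) in KNOWN_PHRASES

def assess(pw):
    """Return (bits, note). The bits figure is an upper bound: it treats every
    character as random, which a quoted lyric or phrase is not."""
    if in_wordlist(pw):
        return 0.0, "listed: guessed without any brute force"
    return round(brute_force_bits(pw), 1), "brute-force upper bound"

if __name__ == "__main__":
    for pw in ("sK*9nNb24&oP%", "HowManyRoadsMustAManWalkDown?42!TP",
               "Correct horse battery staple", "123456"):
        print(f"{pw!r:40} {assess(pw)}")
```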
 
If the site that the retailer is using is secured via HTTPS it is more secure than HTTP.

As someone said above you'd never brute force the crypto in good time.
So, if I was sat on the network with something like wireshark I wouldn't instantly be able to see what was going on.

However, HTTPS is not infallible. If the certificate for the root authority can be compromised you're in a whole world of trouble. This is not necessarily an easy thing to do, but it is possible. I found this link that describes a little of what goes on: https://www.eff.org/deeplinks/2011/10/how-secure-https-today
Some interesting links there.
Someone found a vulnerability in TLS this week too : http://www.theregister.co.uk/2013/02/04/unlucky_13_crypto_attack/


In the scenario that the OP gives I'd be more concerned about personal data that isn't being secured via HTTPS that could easily be sniffed and then used for other scams - name and address taken and used on bogus credit card/mobile phone contract/other credit applications for example.
 
Someone found a vulnerability in TLS this week too : http://www.theregister.co.uk/2013/02/04/unlucky_13_crypto_attack/
That's a variant of a method used to probe crypto keys - basically sending variants of data at the server and seeing how long it takes to respond so you can get patterns from it. It's in the superleague of cracking - sort of in the "well, yes, it's technically possible" area - and not for the mere mortal criminal as he'd just use a phishing scam to get the info he can get from people who are unaware.


In the scenario that the OP gives I'd be more concerned about personal data that isn't being secured via HTTPS that could easily be sniffed and then used for other scams - name and address taken and used on bogus credit card/mobile phone contract/other credit applications for example.
Yes, I tend to only enter my details into pages that are encrypted with https - but then my details are easily available from the electoral register....
 
Spot on Andy.

I guess you can equate HTTP to an unlocked car, keys in the ignition and HTTPS to a locked car with immobiliser and the keys elsewhere. Both cars could be nicked but the latter is going to be much harder!
 
I don't understand what you mean by 1.

Eg, you have an unencrypted document on your computer listing your old pets' names, don't use one of those names in your password!
 
If you want some fun, grab yourself a high gain directional antenna (Caravan TV aerials are good), a PCMCIA wifi card with external aerial that lets you use monitor mode and harvest all the wifi passwords from houses up to 2 miles away.... will be slow as hell but fun nonetheless!
 
If you want some fun, grab yourself a high gain directional antenna (Caravan TV aerials are good), a PCMCIA wifi card with external aerial that lets you use monitor mode and harvest all the wifi passwords from houses up to 2 miles away.... will be slow as hell but fun nonetheless!

hmm.. where are you in southampton...

:suspect:

:p
 
Romsey :)

It's great if you're camping and there's no wifi..... used it in the past to "borrow" some bandwidth to upload some photos.... difficult to browse with because the response times are pretty poor...
 