“I always think everything could be a trap. Which is why I’m still alive.”

inviolet on May 6, 2008 at 9:37 PM

Coincidence alert…that movie was on AMC last night well after you posted this.

I’ve been telling customers for years that you shouldn’t be doing business over open hotspots/networks. If you won’t take my word how about the FBI’s? …there are 68,000 Wi-Fi “hot spots” in the U.S. (see the graphic below for the……

Firewall or not, the hacker would have to exploit the laptop, via the network to attempt to break into it. The ability of the laptop to accept this is not as easy as this is being presented as. With a simple firewall that would stop any inbound data accept that which was requested would hold off many methods of attack. It would not be impossible to attack but much harder. The presentation of just connecting to the hot-spot would cause a rampant exchange of data to take place is actually fear-mongering in its extent.

First, it would take a very good hacker to attack another computer and succeed in a few minutes, working on multiple avenues of attack simulaneously.

Second, it would make the assumption that every hot-spot has such a hacker on staff or in the immediate area wating for your computer to login.

Third, it makes the further assumption that you have NO protection on your system. Because many exploits have been protected by anti-virus software (not ALL, but many) which would help, and that there is no firewall at all…

This is just absurd.

As for the guy that found the files on the wifi system, if you just found them chances are that they were shared with the ‘Everyone’ group. That doesnt constitute your ability or the ability of Wi-fi to be hackable, but the ability of the user that setup the share to be an idiot.

As for the Rogue network, that is a DEFINITE possibility. That could provide you with a huge volume of information, but it would have to be unencrypted data. Most of those networks are setup to be proxy systems, which are like middlemen in a transaction. They can monitor your traffic and data, but if you go to a store that uses SSL, the data stream is encrypted, and not even a proxy can see the data in plain form. So, your encryption is between the client (your machine) and the server (store of your choosing) anything in between sees only encrypted data.

Now, if they knew what site you were going to go to, and could build a duplicate, then they could harvest the data as it would be on their systems. But, think about that, do you think that someone would duplicate all the possible stores that you could shop at, or even one or two of them. What are their chances to have you pick that one, two or ten stores they have duplicated out of the tens of thousands of stores out there…?

ErikTheRed is correct, but also the kicker to the equation is that Plain Text Surfing, or NON Encrypted data is visible only.

For all of the rest of you that are talking about the AES or RC4 or even WEP, all that is irrelvant. These are needed to crack into a network that is protected. The hot-spot is not protected, once you are connected to the network and another person is connected you dont have to break the AES, WEP or anything else to see their computer, your in the same network. The use of a VPN is also irrelevant, unless you are connecting to a machine like your company and then using their network to browse the internet.

Get a live Linux CD, for instance at
http://www.kubuntu.org/download.php
and use the live CD to surf the web. Unless you do deliberately tell the live CD to touch your hard drive, it won’t even touch the hard drive. Thus, you are surfing without even the possibility of revealing anything more than what you send over the wi-fi.

Most live CDs (including Kubuntu’s, I belive) auto-mount the hard drive when they start up, so even though you’re not booting from the hard disk, any hacker that breaks into your live CD session would, I would think, have full access to your hard drive.

Even if you were using a live CD that didn’t automatically mount your hard drive, you’d still have to watch your traffic over the internet – it doesn’t matter if a hacker can’t access your drive if you’re emailing someone your bank password (email traffic going from one email provider to another is always unencrypted).

The average person can and will make life difficult for hackers with a fairly small amount of effort, and that’s good enough. They just need to know the facts.

ErikTheRed on May 6, 2008 at 6:28 PM

Right. A few easy steps at home will make you harder to hack. Disable SSID broadcast. Enable WPA with a lengthy key. Use a router with firewall. Get and use good virus and malware software. KEEP THEM UPDATED.

EriktheRed is correct. You don’t have to be invincible, just harder to hack than your idiot neighbor who has an unsecured network which broadcasts its address.

You shouldn’t have to worry about someone logging your keystrokes over a VPN connection, because the information leaving your computer isn’t your keystrokes, it’s your login info (hopefully encrypted). Additionally, on a wired network, somebody who wants to listen in has the additional problem of somehow fitting themselves into your network – they’d have to be connected somewhere inbetween you and your internet destination.

When you use public WiFi, most of the stuff you send or view can be seen or changed by other people, pretty much as they see fit. When you use private WiFi, 99% of people aren’t much better off.

ErikTheRed on May 6, 2008 at 6:04 PM

Care to elaborate on that last sentence?

And what about wired networks? I have disabled the wireless on our home router, but I am on the Internet all day, and my wife is, too, when she’s here. We also connect to her office network via a SonicWall VPN connection, but the process of connecting involves simply typing user name and password on the client, so theoretically anyone who has access to our network could log the keystrokes—right? Same with on-line purchases, bank access, etc., access to accountant via LogMeIn, etc. I run a Mac, and she uses a Windows PC.

ErikTheRed on May 6, 2008 at 6:14 PM

Thank you. It’s a personal one, and if we’re using it in public, we don’t buy anything or check the bank account. I feel a bit better now.

Off-topic: I just finished reading Starship Troopers (bought it this afternoon). It was frakking awesome. I got the recommend to read it from someone on this site – don’t know who, but thank you!

Social engineering does not require a wireless connection. If the FBI really put out this “warning”, then the agency is in competition for “Homeland Security” for the Lettuce Head award.

Unless you do deliberately tell the live CD to touch your hard drive, it won’t even touch the hard drive. Thus, you are surfing without even the possibility of revealing anything more than what you send over the wi-fi.

What’s on the harddrive isn’t an issue here… the concern is that people will send confidential information across a “honey pot” type hotspot setup by a hacker.

ED-off topic but…..GO VOLS!!!

DCJeff on May 6, 2008 at 5:43 PM

OT: Best post in this thread!

Dead Hand Control on May 6, 2008 at 6:29 PM

I took Hamachi off, when I found it was easily hacked. Plus you end up sharing folders which is a no no, it lasted about 5 minutes on my computers.

So do my next door neighbors.

Utter nonsense – there’s this thing called a firewall on my computer that prevents any information from being transmitted without my knowledge.

That’s entirely unrelated to this story.

What they are saying is that I might be a hacker. I might go to Starbucks and set up a wireless network that I helpfully name “StarbucksWiFi”. You might log into it and go check your bank accounts. I then might intercept your username, password, and the URL of your banks website.

A firewall simply acts as a middle man and/or prevents unwanted requests on various ports. It has nothing to do with what other people on other machines on a network can do with the data after you’ve sent it.

I

Those aren’t the networks that the FBI is warning people about.

Ed Morrissey on May 6, 2008 at 5:40 PM

I’m sorry. I misunderstood you.

Those aren’t the networks that the FBI is warning people about.

Ed Morrissey on May 6, 2008 at 5:40 PM

Actually, yeah it is. All I’d have to do is set up a router on my laptop and if you connect to me instead of the real one . . .

Either that or have one in a van outside.

This is a variation on the fake ATMs.

- The Cat

P.S.

1. Don’t do banking or anthing that should be secure unless you know for sure where you’re connected.

2. Don’t let your computer auto connect. I’d ask someone at customer service what the router’s named.

3. Don’t have any drives shared.

4. If the FBI knows about it, they’ve already moved on to something better.