Kitz ADSL Broadband Information

Author Topic: WI FI hotspots NOT secure  (Read 8235 times)

jeffbb

  • Kitizen
  • ****
  • Posts: 2329
WI FI hotspots NOT secure
« on: October 30, 2009, 06:38:53 PM »

Hi
Wi-fi hot spots are generally unsecure!!
For those who did not see it: last night's Watchdog story.
http://www.bbc.co.uk/blogs/watchdog/2009/10/wifi_hot_spots_not_secure.html

Regards Jeff
Logged
zen user

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: WI FI hotspots NOT secure
« Reply #1 on: October 30, 2009, 07:03:51 PM »

I didn't see the program but it doesn't surprise me they found plenty to be alarmed about.  However, maybe somebody will correct me if I'm wrong but, as long as I make sure secure http is in use before filling out any forms with personal details, am I not safe from any such 'hackers'?

For me, the biggest no-no for wi fi hotspots is when a hotel hotspot asks me for credit card to buy time.  It might be the genuine hotspot that I'm giving my credit card, or it might be a bunch of crooks with a cheap wireless access point in the room next door.
Logged

oldfogy

  • Helpful
  • Kitizen
  • *
  • Posts: 3568
  • If it ain't broke....... I'll soon fix it.
Re: WI FI hotspots NOT secure
« Reply #2 on: October 30, 2009, 08:04:04 PM »


Quote
However, maybe somebody will correct me if I'm wrong but, as long as I make sure secure http is in use before filling out any forms with personal details, am I not safe from any such 'hackers'?

No, not really.

But the main point from the program was that once the hacker got into your email account (because that's where you are at the time the hacker logs into you) they can then read your emails and see any CC, Bank or Password that you have written or received in an email.
Plus not only being able to stop you from logging out, but also use your account to send further emails supposedly from you.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: WI FI hotspots NOT secure
« Reply #3 on: October 30, 2009, 08:16:57 PM »

Quote
No, not really.

Thanks, oldfogy.  I'm surprised as I thought https used end-to-end encryption  :-\

I guess I'll just need to watch the programme on iplayer  :)
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: WI FI hotspots NOT secure
« Reply #4 on: November 07, 2009, 11:49:40 AM »

Quote
He's got a bit of kit that anyone can get hold of on the internet
.../snip/....

We're not going to show you how it's done, but....
thanks to that special bit of kit, not only can he see everything daniel is up to online....

{what they didn't say}
... "but we will show a few screen shots of the 'kit' that he is using"!


which and no doubt countless others immediately recognised which bit of kit it was that he was using.

Mind you anyone who has used it before (for valid purposes) will likely know what packet sniffers are capable of.

Quote
You don't have to be a super-hacker to get this sort of information

I wonder if a certain piece of software got additional downloads this week by certain people/kids wanting to "play with it".
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: WI FI hotspots NOT secure
« Reply #5 on: November 07, 2009, 12:04:48 PM »

Now I'm no expert, and nothing is completely foolproof... but like 7LM rightly points out, isn't SSL supposed to encrypt the data making it pretty difficult to get that password?

This got me thinking, because stuff like bank logins etc use SSL to protect against these types of incidents..
So just what is it that the hacker was doing in that program that allowed him to get into those email accounts?

Looking again at the vid.. it would appear the hacker is getting into gmail accounts?
But gmail login is surely https right???  So what's happening?

So armed with a tiny bit of googling, this is what comes up.... (it wasn't hard to find)
The gmail login uses SSL, but after that it's not...  this is what I found.
http://www.webmonkey.com/blog/Why_You_Should_Turn_Gmail_s_SSL_Feature_On_Now

Read the bit about the interaction between gmail and your browser and what happens next

Quote

 I will need to see proof of your login, but don’t bother encrypting it for me. Here is your unencrypted email.

and this is what happens with SSL
Quote
SSL requires a key generated on your end and on the Gmail server’s end. There’s no way for the local guy at Starbucks to get those keys and unencrypt the data by packet sniffing.

Makes you feel a little vulnerable knowing all your public information was so nakedly exposed over the past few years, huh? Did Google know about this?

It turns out they were well aware of it. The reason Google didn’t grant users the SSL feature before, according to Perry, was because SSL is expensive.



Yep... it's true... I've just checked..  by default gmail doesn't use https when you view your mail.
If I log in to my gmail account it starts off using https...  but once you have logged in, then gmail switches to straightforward http.
So this is how the hacker is then able to view their emails and do anything from that point onwards because you're on the same LAN and with the same external IP.
If you've any personal details such as financial details or passwords in those mails then you're stuffed.

Solution.

Make sure your gmail account is set to "Always use https" by ticking the relevant radio button from the gmail general settings.
I've just done this and the next time I logged in it's now using https for everything.

------------

Why didn't Watchdog mention https/SSL in any shape or form...
... or even how to make sure it's switched on permanently for gmail.
Surely that would be a public service?

So just why didn't Watchdog tell users this... or does it then not make as much interesting journalism?
« Last Edit: November 07, 2009, 01:19:17 PM by kitz »
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker
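
An added example, not part of any post in this thread: a defender-side check for the pattern described in Reply #5, where login happens over https but the session then continues over plain http. It audits a recorded login flow for a scheme downgrade and for session cookies set without the Secure attribute; the hostnames, the cookie name SID and both sample flows are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample flows: (URL requested, Set-Cookie headers, redirect Location or None)
LOGIN_THEN_HTTP = [
    ("https://mail.example.test/login", ["SID=abc123; Path=/"],
     "http://mail.example.test/inbox"),
    ("http://mail.example.test/inbox", [], None),
]
ALWAYS_HTTPS = [
    ("https://mail.example.test/login", ["SID=abc123; Path=/; Secure; HttpOnly"],
     "https://mail.example.test/inbox"),
    ("https://mail.example.test/inbox", [], None),
]


def audit_flow(hops):
    """Return findings for one recorded login flow (list of strings)."""
    findings = []
    jar = {}  # cookie name -> True if it carries the Secure attribute
    for url, set_cookies, location in hops:
        scheme = urlsplit(url).scheme
        # A browser attaches non-Secure cookies to plain-http requests,
        # so anyone able to read the LAN traffic sees the session token.
        if scheme == "http":
            for name, secure in jar.items():
                if not secure:
                    findings.append(f"cookie {name} sent in clear to {url}")
        for header in set_cookies:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                jar[name] = bool(morsel["secure"])
                if scheme == "https" and not jar[name]:
                    findings.append(f"cookie {name} set over https without Secure")
        # Encrypted login page handing the user on to an unencrypted page.
        if location and scheme == "https" and urlsplit(location).scheme == "http":
            findings.append(f"downgrade: {url} -> {location}")
    return findings


if __name__ == "__main__":
    for label, flow in (("login-only https", LOGIN_THEN_HTTP), ("always https", ALWAYS_HTTPS)):
        print(label, audit_flow(flow) or "no findings")
```

With the first flow the check reports all three problems; with the "Always use https" style flow it reports none.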

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: WI FI hotspots NOT secure
« Reply #6 on: November 07, 2009, 12:22:41 PM »

Actually if I'm right, and this is the case..  then my estimation of Watchdog has gone down another few notches

~ As a result of watching that program how many kiddies are now going to be playing with packet sniffers.

~ Why was there no mention of SSL and https?

~ If it is the case that they were attacking a certain web based email that didn't use full https..  and they knew which one it was..  why didn't they tell the general public how to make a simple setting change to gmail to ensure that in future their mail would be a damn sight more secure.

The way they've done this sucks of hype and unprofessional journalism.
IMHO all it's now done is expose more users of gmail to a load of wanna be 'script kiddies'. :mad:
The outcome could have been so different.
« Last Edit: November 07, 2009, 01:22:18 PM by kitz »
Logged

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43467
  • Penguins CAN fly
    • DSLstats
Re: WI FI hotspots NOT secure
« Reply #7 on: November 07, 2009, 12:59:12 PM »

Quote
Solution.

Make sure your gmail account is set to "Always use https" by ticking the relevant radio button from the gmail general settings.
I've just done this and the next time I logged in it's now using https for everything.

Thanks for that very good tip. I was in the same position as you were, but no longer.
Logged
  Eric

camallison

  • Kitizen
  • ****
  • Posts: 1357
Re: WI FI hotspots NOT secure
« Reply #8 on: November 07, 2009, 01:26:33 PM »

Come on guys (and gals) ... responsible journalism ... most definitely an oxymoron!

Colin
Logged

tonyappuk

  • Reg Member
  • ***
  • Posts: 589
Re: WI FI hotspots NOT secure
« Reply #9 on: November 07, 2009, 02:02:04 PM »

Thanks for that expose Kitz. You have done your usual sterling job and as a result users of Gmail (not me) on this forum are made aware of a serious lapse in security and, even better, how to combat it. I wonder if it deserves a wider audience.
Tony
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: WI FI hotspots NOT secure
« Reply #10 on: November 07, 2009, 03:05:06 PM »

They appear to be attacking the providers of the hotspot such as BT or TheCloud rather than the application that is actually being hacked.

They mention VPN - which is going to be pretty damn difficult for your average user to set up.. But they fail to mention SSL which is specifically " cryptographic protocols that provide security for communications over networks such as the Internet."

The real exploit in these attacks is because of gmail's failure to use https for webmail by default.  There's plenty of articles on the net that tell you how to get into someone's gmail if they are on the same LAN using the packet sniffing technique and something that apparently was made public over a year ago.

Most ISP webmail and if you have proper hosting email will use SSL/https for webmail..  as do financial institutions and others.

So why aren't Watchdog pointing out where the flaw is and in this particular instance - it's with g-mail, for not using SSL by default, leaving many users with mail accounts that can easily be sniffed.

It's not just g-mail - as I've just found out hotmail is also vulnerable and does exactly the same thing once you have logged in and redirects to bog standard http, leaving you with a session that could be utilised by anyone else on the same LAN.

Hotmail does have a "Use enhance security" feature, but yet again it's not default.
Before today I wasn't really aware of this, nor had I ever noticed that the SSL terminated after the login page.

IMHO Watchdog should be notifying the public of the fact that it's gmail and hotmail security that is the root cause... not scaremongering the general public about wi-fi hotspots.
Logged

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43467
  • Penguins CAN fly
    • DSLstats
Re: WI FI hotspots NOT secure
« Reply #11 on: November 07, 2009, 03:09:59 PM »

Quote
IMHO Watchdog should be notifying the public of the fact that it's gmail and hotmail security that is the root cause... not scaremongering the general public about wi-fi hotspots.

I absolutely agree, but unfortunately Watchdog seems to be more interested in entertainment than serious investigation.
Logged
  Eric

oldfogy

  • Helpful
  • Kitizen
  • *
  • Posts: 3568
  • If it ain't broke....... I'll soon fix it.
Re: WI FI hotspots NOT secure
« Reply #12 on: November 07, 2009, 03:16:32 PM »


Quote
The way they've done this sucks of hype and unprofessional journalism.
....
The outcome could have been so different.

I think you all know my opinion of the press/media.

Because bad news travels faster than good news and lots of people are probably talking about the show and what happened.
However, if the solution had been broadcast, then most people may have considered it as being something good, rectified their own account and then forgotten about the show.

Call me sceptical if you want, but if you have ever been on the receiving end of the media you would understand why I am of this frame of mind.

***************************
Part of the information taken from the "Browser connection: Learn more" tab

Quote
If you sign in to Gmail via a non-secure Internet connection, like a public wireless or non-encrypted network, your Google account may be more vulnerable to hijacking. Non-secure networks make it easier for someone to impersonate you and gain full access to your Google account, including any sensitive data it may contain like bank statements or online log-in credentials. We recommend selecting the 'Always use https' option in Gmail any time your network may be non-secure. HTTPS, or Hypertext Transfer Protocol Secure, is a secure protocol that provides authenticated and encrypted communication.

To enable this feature in Gmail:

   1. Sign in to Gmail.
   2. Click Settings at the top of any Gmail page.
   3. Set 'Browser Connection' to 'Always use https.'
   4. Click Save Changes.
   5. Reload Gmail.

Please note that selecting 'Always use https' will prevent you from accessing Gmail via HTTP (Hypertext Transfer Protocol). In addition, it may make Gmail a bit slower. If you trust the security of your network, you can turn this feature off at any time.
« Last Edit: November 07, 2009, 03:27:10 PM by oldfogy »
Logged

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: WI FI hotspots NOT secure
« Reply #13 on: November 08, 2009, 12:29:30 AM »

A lot of you have probably seen my post on 'Networking'  http://forum.kitz.co.uk/index.php?topic=6033.0

Well this all comes from me watching that same tv program and all week in the evening I have been using some Linux test computers to try and set up this VPN to wifi link, I think I have it working but I'm trying to hack into my own access point to test it.
And yes my Linux distro comes with depository and it has about 10 types of packet sniffer including the one that was used on the tv show  ;).
Logged
I have a set of 6 fixed IP's From  Eclipse  isp.BT ADSL2(G992.3) line>HG612 as a Modem, Bridge, WAN Not Bound to LAN1 or 2 + Also have FTTP (G.984) No One isp Fixed IP >Dual WAN pfSense (Hardware Firewall and routing).> Two WAN's, Ethernet LAN, DMZ LAN, Zyxel GS1100-24 Switch.

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: WI FI hotspots NOT secure
« Reply #14 on: November 08, 2009, 08:40:17 PM »

Interesting to see how this thread has moved on, I've been away for a few days so haven't been following it.  Actually, I've been at the spectacularly art-deco Midland Hotel at Morecambe among other places.   I strongly recommend Morecambe and the Midland, but any more details really ought to be the subject of a new thread.  :)

As for https email, it's not often I've a good word to say for demon these days, but their webmail access does seem to stick with https all the way through (assuming you select it for login).  Even so, I very rarely use the webmail interface, it's normally downloaded daily to my own systems, at which point it's deleted from the demon servers.

I don't use gmail, though I do use yahoo email (don't know if they suffer this weakness as well?).  But speaking purely for myself I'd be mistrustful of any web-based email, and I really only use it for social things like reunions of old pals and colleagues.  If somebody wants to hack into my email and turn up uninvited at a drinks & curry event then good luck to them, they might even brighten things up a bit. :D
Logged