BBC Watchdog has done shown a convincing demo. of the dangers of accessing an email accounts via WiFi.
They got someone to log into an email account using a WiFi service at a cafe. Someone else, acting as a hacker, monitored the WiFi traffic and managed to extract the username and password. This was enough to connect to the session and use the email account to send a fradulent email. The hacker could also have opened the emails to see if any had confidential information in them. If a shopping account had been used, credit card details could also have been extracted. Then the hacker locked the account so that the ownber couldn't close it himself. However the session remained alive for the hacker to use at will.
So my question is: is the Three MiFi aka mobile broadband with a dongle (containing a '3' SIM card) as insecure?
> BBC Watchdog has done shown a convincing demo. of the dangers of > accessing an email accounts via WiFi.
> They got someone to log into an email account using a WiFi service > at > a cafe. Someone else, acting as a hacker, monitored the WiFi traffic > and managed to extract the username and password. This was enough to > connect to the session and use the email account to send a fradulent > email. The hacker could also have opened the emails to see if any > had > confidential information in them. If a shopping account had been > used, > credit card details could also have been extracted. Then the hacker > locked the account so that the ownber couldn't close it himself. > However the session remained alive for the hacker to use at will.
> So my question is: is the Three MiFi aka mobile broadband with a > dongle (containing a '3' SIM card) as insecure?
> CJB.
You mean they missed the bit about being able to see everything which is on your screen using simple easy to source equipment, unless it is specially screened.
Leave it to Watchdog to grab a small piece of a much larger picture and then try and blind their viewer with sci fi goglygook.
Just keep a look out for the black helicopters.
Putting it simply if enough time and effort is put into it your PC and security can be breached not matter whether it is connected via the Lan, via wifi, via mobile usb mobile dongle or using networking over the mains. Your job, if you wish to do so, is to make it as complicated as you can so they pass on by looking for the next easy mark and there in lies the problem. Most don't, either because they don't know or can't be bothered but if you want total security the best thing for you to do is turn the dam thing off and even then your security can be breached in countless ways.
Paranoid enough yet, remember the black helicopters, they are out there, really...honest.
>> They got someone to log into an email account using a WiFi service at >> a cafe. Someone else, acting as a hacker, monitored the WiFi traffic >> and managed to extract the username and password. This was enough to >> connect to the session and use the email account to send a fradulent >> email. The hacker could also have opened the emails to see if any had >> confidential information in them. If a shopping account had been used, >> credit card details could also have been extracted. Then the hacker >> locked the account so that the ownber couldn't close it himself. >> However the session remained alive for the hacker to use at will.
>> So my question is: is the Three MiFi aka mobile broadband with a >> dongle (containing a '3' SIM card) as insecure?
>> CJB.
> You mean they missed the bit about being able to see everything which is on your screen using simple easy to source equipment, > unless it is specially screened.
> Leave it to Watchdog to grab a small piece of a much larger picture and then try and blind their viewer with sci fi goglygook.
> Just keep a look out for the black helicopters.
> Putting it simply if enough time and effort is put into it your PC and security can be breached not matter whether it is connected > via the Lan, via wifi, via mobile usb mobile dongle or using networking over the mains. Your job, if you wish to do so, is to > make it as complicated as you can so they pass on by looking for the next easy mark and there in lies the problem. Most don't, > either because they don't know or can't be bothered but if you want total security the best thing for you to do is turn the dam > thing off and even then your security can be breached in countless ways.
> Paranoid enough yet, remember the black helicopters, they are out there, really...honest.
I see your nemesis has been "outed", I'm surprised you aren't gloating with TOG et all.
On Thu, 29 Oct 2009 13:53:22 -0700 (PDT), CJB <chrisjbr...@gmail.com> wrote:
<snip> It wont be any less secure than the D100 Router they used to sell, as long as you set a decent password and use a strong level of encryption. -- He who hath many friends hath none. Aristotle
>> They got someone to log into an email account using a WiFi service >> at >> a cafe. Someone else, acting as a hacker, monitored the WiFi traffic >> and managed to extract the username and password. This was enough to >> connect to the session and use the email account to send a fradulent >> email. The hacker could also have opened the emails to see if any >> had >> confidential information in them. If a shopping account had been >> used, >> credit card details could also have been extracted. Then the hacker >> locked the account so that the ownber couldn't close it himself. >> However the session remained alive for the hacker to use at will.
>> So my question is: is the Three MiFi aka mobile broadband with a >> dongle (containing a '3' SIM card) as insecure?
>> CJB.
> You mean they missed the bit about being able to see everything which > is on your screen using simple easy to source equipment, unless it is > specially screened.
No, that wasn't it. I think at least, as they intentionally avoided telling 'us' how they did it.
What I think they were doing were scanning for new DHCP clients on the same wi-fi subnet/hotspot as the 'hacker' and then hijacking their web sessions by cloning their cookies.
All the examples they showed were for gmail, so not using a webmail account would solve that.
I'm no expert, but I wonder if properly signed https sessions would also be prone to this kind of attack i.e. banking sessions
I agree it was scaremongering to a degree, but it is useful to warn the public of potentially serious (to them) unsafe behaviour.
The only solution they gave was to use a VPN, but I think that's probably OTT.
-- The email address is a spam trap. I rarely use it.
>>> They got someone to log into an email account using a WiFi service >>> at >>> a cafe. Someone else, acting as a hacker, monitored the WiFi traffic >>> and managed to extract the username and password. This was enough to >>> connect to the session and use the email account to send a fradulent >>> email. The hacker could also have opened the emails to see if any >>> had >>> confidential information in them. If a shopping account had been >>> used, >>> credit card details could also have been extracted. Then the hacker >>> locked the account so that the ownber couldn't close it himself. >>> However the session remained alive for the hacker to use at will.
>>> So my question is: is the Three MiFi aka mobile broadband with a >>> dongle (containing a '3' SIM card) as insecure?
>>> CJB. >> You mean they missed the bit about being able to see everything which >> is on your screen using simple easy to source equipment, unless it is >> specially screened.
> No, that wasn't it. I think at least, as they intentionally avoided > telling 'us' how they did it.
> What I think they were doing were scanning for new DHCP clients on the same > wi-fi subnet/hotspot as the 'hacker' and then hijacking their web sessions > by cloning their cookies.
> All the examples they showed were for gmail, so not using a webmail account > would solve that.
> I'm no expert, but I wonder if properly signed https sessions would also be > prone to this kind of attack i.e. banking sessions
> I agree it was scaremongering to a degree, but it is useful to warn the > public of potentially serious (to them) unsafe behaviour.
> The only solution they gave was to use a VPN, but I think that's probably > OTT.
any wifi service that is essentially 'open' is fundamentally insecure.
In teh same way that you can in principle monitor all traffic on a hub based ethernet )(as opposed to s witched one, which is harder)
WiFi is esentially an open ethernet type scenario. All traffic by its very nature is being broadcast.
And any wifi card can pick it up.
I am not sure how 3G stuff works, but would say its better encrypted at the radio level.
On Fri, 30 Oct 2009 12:03:07 +0000, Chris ate alphabet spaghetti and shat out:
I could clearly see Wireshark grabbing packets on the fly. Nothing new about that. If you are hooked up to a shared network concentration point, it's going to be childs play to watch everything going by and filter what you want.
It's going to be trivial to make use of that information.
The easy way to break this insecurity is to use https from the outset and all the sniffer will see is mixed garbage.
-- political correctness: The safety net protecting deaf blind disabled ethnic minority gays & lesbians with odd religious beliefs from reality
> I see your nemesis has been "outed", I'm surprised you aren't > gloating with TOG et all.
They all slip up eventually, or someone trips them up, and the more people they upset, the more people there are about to seek retribution against them, not that I would advocate this of course
In article <hceo6b$vc...@news.eternal-september.org>, Spamtastic Spastic <n...@null.org> wrote:
>The easy way to break this insecurity is to use https from the outset and >all the sniffer will see is mixed garbage.
Maybe not. See the following (posted in Jan '08) for a set of circumstances that can blow a bit of a hole in https when used after plain http over unsecured WiFi:-
On Fri, 30 Oct 2009 17:27:09 +0000, Mike Civil ate alphabet spaghetti and shat out:
> In article <hceo6b$vc...@news.eternal-september.org>, Spamtastic Spastic > <n...@null.org> wrote: >>The easy way to break this insecurity is to use https from the outset >>and all the sniffer will see is mixed garbage.
> Maybe not. See the following (posted in Jan '08) for a set of > circumstances that can blow a bit of a hole in https when used after > plain http over unsecured WiFi:-
> BBC Watchdog has done shown a convincing demo. of the dangers of > accessing an email accounts via WiFi.
> They got someone to log into an email account using a WiFi service at > a cafe. Someone else, acting as a hacker, monitored the WiFi traffic > and managed to extract the username and password. This was enough to > connect to the session and use the email account to send a fradulent > email. The hacker could also have opened the emails to see if any had > confidential information in them. If a shopping account had been used, > credit card details could also have been extracted. Then the hacker > locked the account so that the ownber couldn't close it himself. > However the session remained alive for the hacker to use at will.
> So my question is: is the Three MiFi aka mobile broadband with a > dongle (containing a '3' SIM card) as insecure?
>>> They got someone to log into an email account using a WiFi service >>> at >>> a cafe. Someone else, acting as a hacker, monitored the WiFi >>> traffic >>> and managed to extract the username and password. This was enough >>> to >>> connect to the session and use the email account to send a >>> fradulent >>> email. The hacker could also have opened the emails to see if any >>> had >>> confidential information in them. If a shopping account had been >>> used, >>> credit card details could also have been extracted. Then the >>> hacker >>> locked the account so that the ownber couldn't close it himself. >>> However the session remained alive for the hacker to use at will.
>>> So my question is: is the Three MiFi aka mobile broadband with a >>> dongle (containing a '3' SIM card) as insecure?
>>> CJB.
>> You mean they missed the bit about being able to see everything >> which >> is on your screen using simple easy to source equipment, unless it >> is >> specially screened.
> No, that wasn't it. I think at least, as they intentionally avoided > telling 'us' how they did it.
> What I think they were doing were scanning for new DHCP clients on > the same > wi-fi subnet/hotspot as the 'hacker' and then hijacking their web > sessions > by cloning their cookies.
> All the examples they showed were for gmail, so not using a webmail > account > would solve that.
> I'm no expert, but I wonder if properly signed https sessions would > also be > prone to this kind of attack i.e. banking sessions
> I agree it was scaremongering to a degree, but it is useful to warn > the > public of potentially serious (to them) unsafe behaviour.
> The only solution they gave was to use a VPN, but I think that's > probably > OTT.
If the 'hacker' was getting his information from what was being sent by the laptop, connecting via a VPN wouldn't be a lot of good unless it's secured by a random security card at some stage in the login and he would still be able to get any other information which is passed, it's just the security login which wouldn't work. If they were that clever they would have got all that was needed without that anyway.
>>> They got someone to log into an email account using a WiFi service >>> at >>> a cafe. Someone else, acting as a hacker, monitored the WiFi >>> traffic >>> and managed to extract the username and password. This was enough >>> to >>> connect to the session and use the email account to send a >>> fradulent >>> email. The hacker could also have opened the emails to see if any >>> had >>> confidential information in them. If a shopping account had been >>> used, >>> credit card details could also have been extracted. Then the >>> hacker >>> locked the account so that the ownber couldn't close it himself. >>> However the session remained alive for the hacker to use at will.
>>> So my question is: is the Three MiFi aka mobile broadband with a >>> dongle (containing a '3' SIM card) as insecure?
>>> CJB.
>> You mean they missed the bit about being able to see everything >> which is on your screen using simple easy to source equipment, >> unless it is specially screened.
>> Leave it to Watchdog to grab a small piece of a much larger picture >> and then try and blind their viewer with sci fi goglygook.
>> Just keep a look out for the black helicopters.
>> Putting it simply if enough time and effort is put into it your PC >> and security can be breached not matter whether it is connected via >> the Lan, via wifi, via mobile usb mobile dongle or using networking >> over the mains. Your job, if you wish to do so, is to make it as >> complicated as you can so they pass on by looking for the next easy >> mark and there in lies the problem. Most don't, either because >> they don't know or can't be bothered but if you want total security >> the best thing for you to do is turn the dam thing off and even >> then your security can be breached in countless ways.
>> Paranoid enough yet, remember the black helicopters, they are out >> there, really...honest.
> I see your nemesis has been "outed", I'm surprised you aren't > gloating with TOG et all.
Probably because I recognized the signs of a very sick, one track mind slipping into the sewer and whilst I wouldn't try to pull it/him/her (you have to remember Fran, must not forget Fran) out I certainly wouldn't be jumping on it's fingers. It is strange though that it has got no real ideals or else despite the fact that they have come close to outing it, it wouldn't have shut up so quickly. Even the squeakies on amateur radio have more balls than what it's displayed.
Let's just sit back and see what happens, at least it's not stating the blatant untruths which it's been spouting for the the past several months and my kill file has been given a rest (for now)..
On Sat, 31 Oct 2009 06:02:45 -0000, "Steve Terry" <gfour...@tesco.net> wrote:
>I would find it absured if 3's MiFi doesn't include WPA2
As far as I can make out, the original question was about security of a public hotspot. Lots of these are unencrypted and use no security at all: the authentication is done in a web page where you log in.
I'd only ever use a VPN with one of these.
However the MiFi is probably offering at least rudimentary encryption.
Chris wrote: > What I think they were doing were scanning for new DHCP clients on the same > wi-fi subnet/hotspot as the 'hacker' and then hijacking their web sessions > by cloning their cookies.
> All the examples they showed were for gmail, so not using a webmail account > would solve that.
> I'm no expert, but I wonder if properly signed https sessions would also be > prone to this kind of attack i.e. banking sessions
I've just noticed that the G-Mail webmail portal now has an https option on its set up page. Has it always been there ?
-- Mark Please replace invalid and invalid with gmx and net to reply.
On Mon, 02 Nov 2009 19:22:48 +0000, Mark Carver wrote: > I've just noticed that the G-Mail webmail portal now has an https option on > its set up page. Has it always been there ?
No, they have introduced it a couple of months ago.
Christof
-- http://cmeerw.org sip:cmeerw at cmeerw.org mailto:cmeerw at cmeerw.org xmpp:cmeerw at cmeerw.org
|
