Recently bought a used laptop with a WiFi card on eBay. We have a cable modem in the house that connects to a wireless router that broadcasts to my desktop PC upstairs. I set it up with WEP security, including a ten-digit encryption key, so people driving by the house can't poach my router's signal.

I set the laptop up to communicate with the router, using that encryption key. But while that encryption key protects the signal being broadcast from the router, does it protect the signal being broadcast from the laptop? In other words, if I have the laptop outside at some public hotspot, am I broadcasting my signal in clear, to anyone who wants to intercept it - along with my logon IDs and passwords?

If so, how do I deal with this? Additional software? Recommendations?

Thanks, all.

WEP is link layer encryption using a shared key, traffic to / from your router is an encrypted stream. WEP itself is pretty useless though, if someone actually wants to break in, they can do so in a few hours with easy to find tools. Switch to WPA2 if you can.

WEP is link layer encryption using a shared key, traffic to / from your router is an encrypted stream. WEP itself is pretty useless though, if someone actually wants to break in, they can do so in a few hours with easy to find tools. Switch to WPA2 if you can.Okay - not sure I can do that (older router, only does 11 MBPS), but assuming I could, would that secure data being sent from my laptop in a public place?

Yes, it secures communication in both directions.

if I have the laptop outside at some public hotspot, am I broadcasting my signal in clear, to anyone who wants to intercept it - along with my logon IDs and passwords?


If you log into a public hotspot & use their router then you are using their encryption. But even if it is encrypted & they give you the key it isn't encrypting your data.

Were you to log onto my wireless network and not have the appropriate safeguards in place I would be able to read the informaiton coming from your system as easily as you're reading this message.

Since most free hotspots don't have any security encryption enabled, so that means they're close to useless except for suicidal surfers? Or are there any ways for users to protect themselves when using these free hotspots?

If you log into a public hotspot & use their router then you are using their encryption. But even if it is encrypted & they give you the key it isn't encrypting your data.

Were you to log onto my wireless network and not have the appropriate safeguards in place I would be able to read the informaiton coming from your system as easily as you're reading this message.

Since most free hotspots don't have any security encryption enabled, so that means they're close to useless except for suicidal surfers? Or are there any ways for users to protect themselves when using these free hotspots?And that's my concern. I read an article the other day that said the guy sitting on the park bench across from you may be in fact intercepting your transmissions, including your logons and passwords. How do I prevent that, apart from never using the laptop to connect to the web outside an interior room of my house?

Actually, this really is a problem with the data being able to be read.

The only thing I try to do at a public hotspot is to surf the net - no online banking, no checking email (both webmail or downloaded), no logging on to the server I maintain, etc, etc. Basically, no logons or passwords.

Kind of really limits what I can do at a public hotspot. If I really need to make an internet connection when I am out and about, I'll use my mobile phone (ouch, not free) instead of a public hotspot.

Over here in Singapore, the government is planning to link the entire island state with free public access wifi from January 2007 in the hope to promote IT literacy in the citizenry. Since I often detect two neighbours on average (don't know if they're the same guys since the SSID for both are "LINKSYS" after their router) who don't have any encryption on their home wireless network, with the rest on WEP and only one other guy on WPA, I can just foresee trouble ahead.

That I can detect their networks is already cause for concern. One should always hide the SSID.

And that's my concern. I read an article the other day that said the guy sitting on the park bench across from you may be in fact intercepting your transmissions, including your logons and passwords. How do I prevent that, apart from never using the laptop to connect to the web outside an interior room of my house?

Its not a problem in your house, on your network, unless your WEP/WPA key has been compromised. If you are using a public access point, with no encryption then you might want to think about setting up a VPN or at least using an https proxy of some sort for web access.

This is an inexpensive hardware VPN solution (http://www.dsl-warehouse.co.uk/product.asp?pr=WRV54G). Not as inexpensive as when you could install a custom linux kernel on their earlier models though..

Its not a problem in your house, on your network, unless your WEP/WPA key has been compromised. If you are using a public access point, with no encryption then you might want to think about setting up a VPN or at least using an https proxy of some sort for web access.No, that's not my concern; I use WEP in the house, and I'm satisfied it hasn't been compromised. My concern is, what happens when I go outside, to a Starbucks, or an airport, or a hotel? Am I broadcasting my logons and passwords unencrypted to anyone who cares to intercept them? If so, how do I deal with that?

Yes, you are. The best way to deal with that is to set up a VPN server on your home router, so you can securely use your own connection - VPN protocols create an encrypted tunnel over the internet, so any man in the middle will not be able to sniff your connection.

Yes, you are. The best way to deal with that is to set up a VPN server on your home router, so you can securely use your own connection - VPN protocols create an encrypted tunnel over the internet, so any man in the middle will not be able to sniff your connection.You mean if I set up a VPN server at home in Virginia (the east coast) and I'm off in California or something, I can do my online banking securely?

Sounds weird. I think I need to check this out...

Over here in Singapore, the government is planning to link the entire island state with free public access wifi from January 2007 in the hope to promote IT literacy in the citizenry. Since I often detect two neighbours on average (don't know if they're the same guys since the SSID for both are "LINKSYS" after their router) who don't have any encryption on their home wireless network, with the rest on WEP and only one other guy on WPA, I can just foresee trouble ahead.

That I can detect their networks is already cause for concern. One should always hide the SSID.
Hiding the SSID won't help at all. Anyone who is really out to get into your network (recover your WEP key) is going to be able to locate your wifi network whether your SSID is hidden or not.

You mean if I set up a VPN server at home in Virginia (the east coast) and I'm off in California or something, I can do my online banking securely?

Sounds weird. I think I need to check this out...

In theory, yes. At least against the "man in the middle" attacks that RyanRoberts mentions.

It would be theoretically possible that someone could set up a wifi spot & set up network eyes to "watch" everything you do. A VPN would alleviate most, but not all of the risk.

A good firewall will help, as will a good antivirus solution and a good spyware solution. Each of these can scan your system as you're online to make certain nobody is watching you.

If someone gets a keystroke recorder on your system they can follow your keystrokes. If I were an incredibly evil pereson I would set up a free hotspot in which you had to download a "key" that would consist of everything you needed to connect, as well as a keystroke recorder.

Keep in mind I am hopelessly paranoid about such things. Someone would have to go through an awful lot of trouble to set up such a scenario, and most folks who are after your records are looking for far easier targets.

The only thing I try to do at a public hotspot is to surf the net - no online banking, no checking email (both webmail or downloaded), no logging on to the server I maintain, etc, etc. Basically, no logons or passwords.


For the most part, I do not care about cleartext communications over public access points -- all noncritical accounts use throwaway passwords, and I force IM clients etc. to use a secure protocol if one is available.

With respect to online banking, if your bank does not force you to use https when managing your accounts you should get a new bank.

If you use webmail services, most of them will allow you to check your email using HTTPS instead of HTTP.

If using POP3/IMAP/SMTP for email, your ISP should offer secure variants of those protocols (all of them support in-line TLS encryption, IIRC). Looking into how to configure your email to use those secure variants is a Good Thing in general.

As far as not remotely admin'ing your server, stormer, you should know that the best thing to do there is to install Secure Shell (if remotely adminning unixen), and install Secure Shell and tunnel RDP over it (if remotely admining Windows).

Link-layer security is no substitute for application-layer security.

Okay, I'm not sure I'm clear on the risk of using a public wireless hotspot. Is the risk that someone will actually intercept the signals you are giving out and obtain information from it, or is the risk of someone USING the signal to connect to your machine, and run hacking software on it to SEND information to them?

A good firewall/antivirus/antispyware will protect against the latter, but not the former.

Link-layer security is no substitute for application-layer security.

Absolutely agree. But would you want both layers of security, or only one if you could? :)

And thanks, made me remember something I wanted to do with a server on ddns at home. :blush:

Absolutely agree. But would you want both layers of security, or only one if you could? :)


Well, at home I run with wpa2-ccmp on the wireless (mainly because I do not want people leeching my bandwidth), and when not at home I do not sweat it because I already do Paranoid By Default (secure app-layer protocols where possible, throwaway accounts with throwaway passwords where not). If you are already using app-layer security, tho, link-layer security is gilding the lilly.

It rather amuses me to see the other posters on this thread implying that you should be more concerned about spyware and such when using a public access point -- one of the hats I used to wear at work for Four Letter Computer Company was The Guy Who Knows Everything About Spyware. There is no greater chance of getting a virus or a spyware infection at a public access point than at home or at work -- there really is no substitute for keeping things patched and being paranoid in your surfing and downloading habits. Here are a few simple steps I have used to keep my Windows boxen virus and spyware free for years:
Always have the firewall enabled. Learn how to effectivly configure whatever firewall you are using. I get by just fine with the Windows firewall.
Never use Internet Explorer unless a specific website you have to access demands it. Instead...
Use Firefox + Adblock + a throurough adblock.txt. The overwhelming majority of spyware installs happen by exploiting the web browser through any one of the ad serving networks, because it is cheap and easy to purchase a banner ad, and you can hit millions of machines at once. If your web browser never talks to the ad servers, you have closed off the single largest infection vector (not to mention web browsing is so much nicer without all the ads).
Use webmail over https for non work-related email. This avoids whole classes of attacks targeting the huge, gaping security hole we call Outlook Express. If you must use a standard email client, use Thunderbird and configure it to only use the secure variants of the email protocols.
For instant messaging, use an all-in-one client such as Gaim or Trillian.
Any email asking you for your account information or passwords is lying.
On the internet, everything is guilty until proven innocent. Any email asking you for your account information or passwords is lying, and any file you download should be scanned. Password protected .zip or .rar files should be deleted without opening them unless you are absolutely certian the file is safe.
And, for $DEITIE's sake, never open an attachment included in an email unless you are absolutely certian that it is what it says it is.
This combination has kept me spyware and virus free on my Windows machines for years.


And thanks, made me remember something I wanted to do with a server on ddns at home. :blush:

SSH? SSH has been My Friend for... has it really been more than a decade? Wow... how time flies...

Okay, I'm not sure I'm clear on the risk of using a public wireless hotspot. Is the risk that someone will actually intercept the signals you are giving out and obtain information from it
Yes. Sitting at a public AP with kismet or wellenreiter open, I can watch the cleartext go by, and it is the easiest thing in the world to log all the packets to a file and scan them for username/password pairs*.
or is the risk of someone USING the signal to connect to your machine, and run hacking software on it to SEND information to them?
As long as you have a firewall running and set to deny-by-default, you should not have to worry about this at all.

A good firewall/antivirus/antispyware will protect against the latter, but not the former.
Actually, no -- a firewall is your first line of defense here. If your machine is not listening for incoming connections it cannot be easily attacked, and most attackers will go looking for easier prey.


Not that I would ever do this.

...If you are already using app-layer security, tho, link-layer security is gilding the lilly.

Or think of it this way... If you are already doing everything you can at the app level, then why not go the whole nine yards and include link security?

I guess we just differ on the paranoia level, nescafe. :)


...and it is the easiest thing in the world to log all the packets to a file and scan them for username/password pairs*.

Not that I would ever do this.

Yup, I would never do this also.

But I could

Realizing that I am not the smartest brain on the block, hey if I could do it, what about the evil geniuses type of people out there?

Yes. Sitting at a public AP with kismet or wellenreiter open, I can watch the cleartext go by, and it is the easiest thing in the world to log all the packets to a file and scan them for username/password pairs*.Okay, now earlier posts seem to suggest that if I'm connecting to a secure server (https://blahblahblah...), I should be okay. So if I'm sitting in Starbucks, and I access my bank account logon page, and the logon page is a secure https page, am I safe? Are my logon and password encrypted from the instant they leave my laptop? If you scan my packets and save them to a log file*, are you getting just a bunch of useless encrypted data?


*...not that you would ever do that, of course...

Okay, now earlier posts seem to suggest that if I'm connecting to a secure server (https://blahblahblah...), I should be okay. So if I'm sitting in Starbucks, and I access my bank account logon page, and the logon page is a secure https page, am I safe? Are my logon and password encrypted from the instant they leave my laptop? If you scan my packets and save them to a log file*, are you getting just a bunch of useless encrypted data?


*...not that you would ever do that, of course...

Yes. If you are using https, I cannot access the cleartext -- your information is secure all the way to the bank. :)

Unless, that is, I knew how to break diffie-hellman or RSA key exchange and perform an instant man-in-the-middle attack... but we are getting more into stupid Hollywood movie plot territory here*. :D


There are people who think the above is really feasible. These people are a bit too paranoid -- it is much easier to subvert the user (or their computer), someone at the bank, or (best of all) someone with access to a root certificate than it is to crack RSA and diffie-hellman**.
[**]Unless, that is, you happen to be able to quickly factor large prime numbers. If you can, there is a Fields Prize waiting for you, some very large corporations will pay you huge amounts of money to not spread the word, and you will have the perfect bullet point on your resume for that career at the NSA.

Correct me if I am wrong as I am a mainframe programmer and does not have much experience in the new technology.

Encryption/decryption are just algorithm. So if you know what the encryption key, then in theory, then you can decrypt the data.

I can only imagine that if you log on to a secure site, that site would send to you the encryption key so that it would understand what you send it. So if you can intercept what the server sent, then you would understand what the reply is.

Correct me if I am wrong as I am a mainframe programmer and does not have much experience in the new technology.

Encryption/decryption are just algorithm. So if you know what the encryption key, then in theory, then you can decrypt the data.

I can only imagine that if you log on to a secure site, that site would send to you the encryption key so that it would understand what you send it. So if you can intercept what the server sent, then you would understand what the reply is.

Correct.

Depending on the algorithm used, some keys are easy to crack and others aren't.

In example, the wireless WEP standard is pathetically easy to crack - even if a 128 bit key is used - by using an application called "airsnort". Other algorithm's are a lot harder, such as the SSL algorithm used in a 128 bit https connection.

In the weak algorithm situation, the more encrypted traffic that's sent, the easier it is to break.

If you want to be safe on a wireless home LAN, buy cards and access points that support TKIP. TKIP uses passphrases and (by default) regenerates and issues a new key every 5 minutes - far too short a time for airsnort or any other product to capture enough traffic to analyze and solve the current key. (And if by luck they happen to nail it during a five-minute period - which is really, really unlikely - it changes again in five minutes and they're back where they started from.) TKIP can be configured in most devices to change as frequently as every minute, if you wish - but 5 minutes is more than adequate.

Correct me if I am wrong as I am a mainframe programmer and does not have much experience in the new technology.

Encryption/decryption are just algorithm. So if you know what the encryption key, then in theory, then you can decrypt the data.

I can only imagine that if you log on to a secure site, that site would send to you the encryption key so that it would understand what you send it. So if you can intercept what the server sent, then you would understand what the reply is.

That is why we have public-key cryptography and the PKCS keysigning infrastructure and protocols. What you say is true for symmetric encryption, but public-key cryptography uses asymmetric encryption (where you have seperate keys for encryption and decryption), which would require knowledge of how to quickly factor large prime numbers to be vulnerable to the attack you describe. Here is a rough outline of the process:
Your web browser comes equipped with a set of signed, known-good public keys for the PKCS public key infrastructure.
When you web browser wants to communicate with your bank over HTTPS, it asks the bank for a copy of its public key. It then checks that public key to ensure that it is correctly signed by a member of the PKCS infrastructure -- this verifies that the public key really is for the bank.
Once the public key has been checked and verified, your web browser and the bank's server start communicating in packets secured by public-key encryption to negotiate what type of symmetric encryption to use, generate a one-time key to use for further communications, and switch to the negotiated cipher and key for the remainder of their communication.

HotSpotVPN is another option
http://www.hotspotvpn.com/

This encrypts up-to HotSpot's servers. By that time unless they're really trying to get your stuff you're probably OK.

Here's an article I wrote on VPN's. Not sure it will help.
http://db.tidbits.com/article/8209

Hiding the SSID won't help at all. Anyone who is really out to get into your network (recover your WEP key) is going to be able to locate your wifi network whether your SSID is hidden or not.

I know, hence I have set up my router to hide SSID, ignore ping requests, use MAC address filtering, and adopt WPA encryption. Nothing is ever 100% secure, but it at least makes me a more difficult target than the others who are freely broadcasting their SSIDs and have no encryption enabled. Like the joke about the two guys and the hungry bear, one only needs to outrun the other guy.

BTW, I understand that the security of WEP encryption has been compromised since the algorithm for decoding it has been floating about the net.

Good thread,

I guess I fall in the upper to middle 'Noid Index.

-Globe

If you want to be safe on a wireless home LAN, buy cards and access points that support TKIP. TKIP uses passphrases and (by default) regenerates and issues a new key every 5 minutes - far too short a time for airsnort or any other product to capture enough traffic to analyze and solve the current key. (And if by luck they happen to nail it during a five-minute period - which is really, really unlikely - it changes again in five minutes and they're back where they started from.) TKIP can be configured in most devices to change as frequently as every minute, if you wish - but 5 minutes is more than adequate.


I've Some Googling to do....... ;)

Since I often detect two neighbours on average (don't know if they're the same guys since the SSID for both are "LINKSYS" after their router) who don't have any encryption on their home wireless network, with the rest on WEP and only one other guy on WPA, I can just foresee trouble ahead.

That I can detect their networks is already cause for concern. One should always hide the SSID.

Want to bet their router configuration password is "admin"?

I'd be tempted to log in, change the password , encrypt the network and lock them out. They could reset it in ten minutes, but it might save them a lot of money.

[**]Unless, that is, you happen to be able to quickly factor large prime numbers. If you can, there is a Fields Prize waiting for you, some very large corporations will pay you huge amounts of money to not spread the word, and you will have the perfect bullet point on your resume for that career at the NSA.

Unless you get a bullet from the CIA first.:D

Want to bet their router configuration password is "admin"?

I'd be tempted to log in, change the password , encrypt the network and lock them out. They could reset it in ten minutes, but it might save them a lot of money.

I doubt they're aware they can reconfigure/reset their router.

Fair point.

I have a linksys wf router modem myself. The instructions were pretty plain and do specifically advise changing the defaults. There's also a hard reset button.

Nonetheless, you are probably right.