Cable Forum


SMG 29-10-2009 22:13

Wi Fi Hacking & VPN (Watchdog)
 
I have just watched "Watchdog" expose the vulnerability of wi fi sites. As soon as you log on to your mails etc, someone else on the same wi fi can acquire your details. They mentioned VPN. I googled it & read a bit.

As I will be taking my laptop on holiday, mainly to keep in touch with my boys, who are in the forces, I'm now worried about insecure wi fi in the hotel.

Does anyone use VPN? Apparently there is software available to combat this type of "Fraud", but who knows what else the software may do!

Any help would be appreciated.

Reedy 29-10-2009 22:16

Re: Wi Fi Hacking & VPN (Watchdog)
 
I noticed they were all using web based email clients. I wonder if it's the same for Outlook?

SMG 29-10-2009 23:27

Re: Wi Fi Hacking & VPN (Watchdog)
 
Don't know m8, I was hoping for a better response, but perhaps it's early days yet.

webcrawler2050 29-10-2009 23:40

Re: Wi Fi Hacking & VPN (Watchdog)
 
Quote:

Originally Posted by SMG (Post 34900257)
I have just watched "Watchdog" expose the vulnerability of wi fi sites. As soon as you log on to your mails etc, someone else on the same wi fi can acquire your details. They mentioned VPN. I googled it & read a bit.

As I will be taking my laptop on holiday, mainly to keep in touch with my boys, who are in the forces, I'm now worried about insecure wi fi in the hotel.

Does anyone use VPN? Apparently there is software available to combat this type of "Fraud", but who knows what else the software may do!

Any help would be appreciated.

Talking out of their rear end to be fair. As far as I'm aware, the only way they would be able to get those details, is if you saved them on your browser on your device, laptop, phone etc. And, if they have the know-how to intercept an http connection. There may be other ways..

Paul 29-10-2009 23:48

Re: Wi Fi Hacking & VPN (Watchdog)
 
Yes, it's not hard to monitor the packets as they are transmitted ;)

Of course, if you use https for your webmail then you should be ok.

SMG 30-10-2009 01:42

Re: Wi Fi Hacking & VPN (Watchdog)
 
They went to a cyber cafe where there is a wi fi. One guy, face blocked out, used some hack to gain access to another guy's laptop as he was sending an e mail, the hacker then sent him an e mail, from himself, saying his laptop had been compromised.

I don't know if the hotel I'm going to has an encrypted wi fi or not. I will be using my VOIP programme to call the USA, UK, & Germany, possibly the Mid East too.

Obviously I will be checking my e mails too. My concern is that I have a dispute pending with Paypal, & I don't want to log on without knowing the connection is secure.

webcrawler2050 30-10-2009 01:47

Re: Wi Fi Hacking & VPN (Watchdog)
 
Paypal is fine. Https:// with an EV certificate. On "public" wifi only log in if you see https://

SMG 30-10-2009 01:50

Re: Wi Fi Hacking & VPN (Watchdog)
 
Thanks for that m8. I will keep that in mind.

Raistlin 30-10-2009 08:39

Re: Wi Fi Hacking & VPN (Watchdog)
 
Provided you ensure that:

a) any site you provide credentials to, or pass sensitive information over, is using a https/ssl encrypted connection;
b) your laptop is fully patched, running an updated AV product, and preferably a personal firewall (the built-in XP one will be fine for this purpose);

.....then in the scenario you describe you should be ok. There are methods for circumventing the protection that SSL provides, and there are methods of attack that will negate the protection provided by AV/firewall, but your window of exposure should be sufficiently small to make most of these impractical to deploy against you.

Any 'public' wi-fi connection should be considered 'unsafe' (I use the word in the absence of something more appropriate, I'm sure you understand) and you should ensure that you're mindful of the risks that they pose when you're using them. This isn't to say that you should avoid them, or in fact that you should change your usage/habits, but you should always be aware of the risks and make sure you're doing what you need to do to protect yourself :)

Aragorn 30-10-2009 10:29

Re: Wi Fi Hacking & VPN (Watchdog)
 
If you are really paranoid, you can set up OpenVPN on your home system and use it as a VPN host - downside is you need to leave the home PC & broadband on to connect to it.
ElReg did an article about setting up OpenVPN.
Or you could sign up for a cheap commercial VPN.
But as Rob says while public WiFi is 'unsafe' it's a very small risk.

Russ 30-10-2009 10:33

Re: Wi Fi Hacking & VPN (Watchdog)
 
Would anti-keylogging programmes help?

Aragorn 30-10-2009 10:37

Re: Wi Fi Hacking & VPN (Watchdog)
 
I doubt it - for unencrypted traffic they were using simple packet sniffing. For the SSL encrypted stuff they were stealing the session keys, I think. They probably didn't get the GMail password but didn't need it once the session had been owned.

LSainsbury 30-10-2009 11:47

Re: Wi Fi Hacking & VPN (Watchdog)
 
Interesting that the owner of the account could not sign out of the gmail account. Why was that? Was it because they were signed in elsewhere?

Raistlin 30-10-2009 12:18

Re: Wi Fi Hacking & VPN (Watchdog)
 
Interesting that they continually refer to a special piece of 'kit', not sure what they mean there. All you need to perpetrate the attack they're using here is a wireless enabled laptop and some software.

They use a lot of fairly emotive terminology as well, they're talking about 'breaking into' people's mail accounts. They're not really doing anything of the sort - they're gaining unauthorised access to them, but they don't appear to be breaking into anything. It looks like they're simply capturing usernames and passwords as they pass across the network and then using them to log in.

The issue that they're exposing/exploiting here is that by their very nature these 'public' access points connect you to a network that contains people and systems that you can't know/trust. Anything you send across those networks is potentially available to all the other users, unless you take steps to prevent that from happening.

I won't go into how I think they accomplished the business of blocking him from signing out of his gMail account - that bit of the segment in particular suggests to me that they're doing something additional beyond just gathering passwords off the wire (or 'air' in this case). If they are doing what I think they're doing then that's the only truly clever part of what they're doing.....

webcrawler2050 30-10-2009 12:35

Re: Wi Fi Hacking & VPN (Watchdog)
 
Quote:

Originally Posted by Rob M (Post 34900479)
Interesting that they continually refer to a special piece of 'kit', not sure what they mean there. All you need to perpetrate the attack they're using here is a wireless enabled laptop and some software.

They use a lot of fairly emotive terminology as well, they're talking about 'breaking into' people's mail accounts. They're not really doing anything of the sort - they're gaining unauthorised access to them, but they don't appear to be breaking into anything. It looks like they're simply capturing usernames and passwords as they pass across the network and then using them to log in.

The issue that they're exposing/exploiting here is that by their very nature these 'public' access points connect you to a network that contains people and systems that you can't know/trust. Anything you send across those networks is potentially available to all the other users, unless you take steps to prevent that from happening.

I won't go into how I think they accomplished the business of blocking him from signing out of his gMail account - that bit of the segment in particular suggests to me that they're doing something additional beyond just gathering passwords off the wire (or 'air' in this case). If they are doing what I think they're doing then that's the only truly clever part of what they're doing.....

I personally think they are trying to "pimp" the idea and generally have no clue what the heck they are talking about :D:D

jamiefrost 30-10-2009 13:34

Re: Wi Fi Hacking & VPN (Watchdog)
 
As far as I know this method does not involve passwords at all, I think it's along the lines of getting the 'session ID' and using that info to get into the account.

Not sure about stopping you from logging out but I think this is along the same lines as the session still being active.

Another method is to set up a false hot spot duplicating t-mobile / openzone etc and fooling you into thinking you are connected to a proper free-wifi hotspot.

JJ

Russ 30-10-2009 13:48

Re: Wi Fi Hacking & VPN (Watchdog)
 
With all this taken into account, are these any good?

Raistlin 30-10-2009 13:57

Re: Wi Fi Hacking & VPN (Watchdog)
 
Quote:

Originally Posted by jamiefrost (Post 34900513)
As far as I know this method does not involve passwords at all, I think it's along the lines of getting the 'session ID' and using that info to get into the account.

Not sure about stopping you from logging out but I think this is along the same lines as the session still being active.

Another method is to set up a false hot spot duplicating t-mobile / openzone etc and fooling you into thinking you are connected to a proper free-wifi hotspot.

JJ

The video clearly shows some of the software that they're using, specifically a piece of software designed to capture packets of traffic off the network. Given that most people are logging in over unencrypted channels this is by far the easiest way to accomplish what they showed in the video.

As for capturing your session, I don't think that's quite what they're doing (although I'm happy to be shown wrong). I think that they're actually not 'capturing' the session, but interfering with the traffic that's being passed as part of it. I would be very (VERY) surprised if gMail was susceptible to session hijacking attempts. It's more than likely a sophisticated man-in-the-middle attack, and given that there happens to have been a nice new tool for this sort of tomfoolery released recently..... ;)

---------- Post added at 12:57 ---------- Previous post was at 12:52 ----------

Quote:

Originally Posted by Russ (Post 34900524)
With all this taken into account, are these any good?

VPN software is the best defence really, but it relies on you having an end-point to connect your VPN software to.

Typically the idea would be that you set up a VPN end-point on a trusted machine/network. You then connect to that end-point using the VPN software on your laptop, this establishes an encrypted 'tunnel' between you and the end-point, it also (to all intents and purposes) means that you are now virtually connected to the network that the end-point is sat on (hence 'Virtual' Private Network).

Then, when you browse the Internet, all the traffic to or from your laptop goes through that tunnel, and you're actually browsing from the network that your end-point is sat on. Provided that end-point (and the connection it has to the Internet) is trusted and secure then you're safe. Given that most people will configure this so that your end-point is on your home Internet connection you're effectively as safe as you are plugged in and browsing from home, albeit from anywhere in the world that you choose to be.

jamiefrost 30-10-2009 14:21

Re: Wi Fi Hacking & VPN (Watchdog)
 
I think that's what's going on. You explained a lot better than I could. Looking at what's out there it seems to be frighteningly easy to do.

Don't see VPN as a viable alternative for most people as it relies on an external server for the end VPN connection. Didn't someone on the show mention that t-mobile were looking to provide that functionality?

JJ

mattrgee 30-10-2009 17:59

Re: Wi Fi Hacking & VPN (Watchdog)
 
What they did was very simple and is known as a 'man in the middle attack' or MITM. The attacker's laptop pretended to be the default gateway of the wireless network using ARP poisoning, they then captured the packets from the target's laptop and extracted the passwords.

They stopped the guy getting back into his account by killing his internet connection, again using ARP poisoning.

Technically, not that clever but good for TV.
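The gateway impersonation described in the post above leaves a visible trace on the network: the gateway's IP address starts being announced with a different MAC address. The following is an added example, not part of the original thread, showing a defender-side check over ARP replies; the capture lines, addresses and finding names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches tcpdump-style ARP reply lines; requests and other traffic are ignored.
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)

# Constructed sample capture (tcpdump-style text), not real traffic.
SAMPLE = """\
10:00:01.100 ARP, Reply 192.168.1.1 is-at 00:11:22:aa:bb:01, length 28
10:00:02.200 ARP, Reply 192.168.1.23 is-at 00:11:22:aa:bb:17, length 28
10:00:05.300 ARP, Reply 192.168.1.1 is-at 00:11:22:aa:bb:17, length 28
10:00:06.300 ARP, Reply 192.168.1.1 is-at 00:11:22:aa:bb:17, length 28
10:00:07.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.40, length 28
10:00:09.400 ARP, Reply 192.168.1.40 is-at 00:11:22:aa:bb:28, length 28
""".splitlines()


def parse_arp_replies(lines):
    """Yield (ip, mac) for every ARP reply line; other lines are skipped."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(lines, gateway_ip):
    """Flag IPs announced with more than one MAC, and any MAC that answers
    for both the gateway and another host."""
    macs_for_ip = defaultdict(list)   # ip -> MACs in the order first seen
    ips_for_mac = defaultdict(set)    # mac -> every IP it has claimed
    for ip, mac in parse_arp_replies(lines):
        if mac not in macs_for_ip[ip]:
            macs_for_ip[ip].append(mac)
        ips_for_mac[mac].add(ip)

    findings = []
    for ip, macs in macs_for_ip.items():
        if len(macs) > 1:
            kind = "gateway-mac-changed" if ip == gateway_ip else "ip-mac-changed"
            findings.append((kind, ip, tuple(macs)))
    for mac, ips in ips_for_mac.items():
        if gateway_ip in ips and len(ips) > 1:
            findings.append(("mac-claims-gateway-and-host", mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in detect_arp_spoofing(SAMPLE, gateway_ip="192.168.1.1"):
        print(finding)
```

A changed gateway MAC can also come from legitimate router failover, so a finding is a prompt to investigate rather than proof of an attack.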

GeoffW 01-11-2009 16:50

Re: Wi Fi Hacking & VPN (Watchdog)
 
Quote:

Originally Posted by Rob M (Post 34900527)
The video clearly shows some of the software that they're using, specifically a piece of software designed to capture packets of traffic off the network. Given that most people are logging in over unencrypted channels this is by far the easiest way to accomplish what they showed in the video.

The software looked to be Wireshark, probably running off a wifi card in promiscuous mode.

Raistlin 01-11-2009 17:09

Re: Wi Fi Hacking & VPN (Watchdog)
 
Correct.

SMG 01-11-2009 18:02

Re: Wi Fi Hacking & VPN (Watchdog)
 
I've decided to err on the safe side. I have fitted a spare drive into my laptop & put XP on it with firewall & AV. As I originally only wanted the PC for phone calls around the world, I have just put my VOIP provider on, nothing else.

I did have a look at the VPN software, but as I am not sure what to do, I will take a chance without it. I don't even know if the connection in the hotel is password protected or not. But there won't be anything on the laptop to steal.

Raistlin 01-11-2009 18:04

Re: Wi Fi Hacking & VPN (Watchdog)
 
It's not about stealing things on the laptop, it's about stealing (or rather, intercepting) data which is transiting between the laptop and whatever you're connected to.

SMG 01-11-2009 18:19

Re: Wi Fi Hacking & VPN (Watchdog)
 
Yes Rob, I understand that, I don't want anything on the PC for someone to steal, passwords, e mails, nothing, except my VOIP details. If they get hacked I can only lose the account.

I don't suppose anyone can be completely safe.

mattrgee 01-11-2009 20:24

Re: Wi Fi Hacking & VPN (Watchdog)
 
I don't think you understand what data is actually at risk.

A laptop full of data / a laptop with no data, it makes no difference to me. When you sign into your email account I will (as a hacker) intercept those details and use them later. Your bank details, passport info and other personal details could be in folders on your laptop, but I'm not trying to access that data so it makes no difference.

The suggestion of using a VPN to help secure your data was a pretty silly suggestion by the programme makers. They fail to explain that having a VPN client is only half the equation, you actually need a VPN server to connect to! Not something the average consumer has set up.

Ah well, you got to love TV!

Raistlin 01-11-2009 20:43

Re: Wi Fi Hacking & VPN (Watchdog)
 
Yep, Watchdog did a great job of worrying and scaremongering, but provided no real 'education'. "Use a VPN" is about as useless a piece of advice as they could possibly have given, I wonder how many people have now installed a VPN client but have nothing to connect it to and still think they're safe? TBH they'd have been better off dedicating a whole show to it and actually showing people how to be secure/safe instead of just telling them that they needed to be.

SMG 01-11-2009 21:40

Re: Wi Fi Hacking & VPN (Watchdog)
 
Quote:

Originally Posted by mattrgee (Post 34901706)
I don't think you understand what data is actually at risk.

A laptop full of data / a laptop with no data, it makes no difference to me. When you sign into your email account I will (as a hacker) intercept those details and use them later. Your bank details, passport info and other personal details could be in folders on your laptop, but I'm not trying to access that data so it makes no difference.

Yes m8, I do understand, that's why I changed the drive & only put my VOIP provider on it. There is no other info or e mail details on there.

I have changed the password too. If it is hacked, the only info accessible will be the VOIP account. I won't be using it for anything else now.

I have to agree with both of you regarding "Scaremongering", it worried me thinking someone could hack into my PC.

Raistlin 02-11-2009 08:05

Re: Wi Fi Hacking & VPN (Watchdog)
 
You do leave yourself more open to having the laptop compromised when you attach to these wireless networks, but in your case you've removed as much as you can from the device and you're happy to take the hit on what's left if the worst comes to the worst - you really can't do a whole lot more.

I really hate this sort of 'journalism', they dress it up as a public service but there really wasn't anything in there that actually helped anybody. The real answer to what they were saying appeared to be that the providers of these hotspots should be held accountable, and that it should be up to them to make sure they're secure - typical Watchdog, it's never down to the consumer to protect themselves is it? :erm:

SMG 02-11-2009 13:56

Re: Wi Fi Hacking & VPN (Watchdog)
 
Quote:

Originally Posted by Rob M (Post 34901857)
You do leave yourself more open to having the laptop compromised when you attach to these wireless networks, but in your case you've removed as much as you can from the device and you're happy to take the hit on what's left if the worst comes to the worst - you really can't do a whole lot more.

I really hate this sort of 'journalism', they dress it up as a public service but there really wasn't anything in there that actually helped anybody. The real answer to what they were saying appeared to be that the providers of these hotspots should be held accountable, and that it should be up to them to make sure they're secure - typical Watchdog, it's never down to the consumer to protect themselves is it? :erm:


It's not good, it left me wondering, & without any information on how to avoid the problem.

On a positive note, I have a clean install with just 1 "sensitive" program, which at worst, would cost me £7.00, which is the amount remaining. If it is compromised, I will simply open a new account.

tweetiepooh 02-11-2009 14:50

Re: Wi Fi Hacking & VPN (Watchdog)
 
Worth noting is that GMail's POP and IMAP are also encrypted. So even using a mail reader like Thunderbird would be "secure". Then you can add encryption/signing to the email client (Enigmail/PGP) to further secure your communications.

Raistlin 02-11-2009 15:07

Re: Wi Fi Hacking & VPN (Watchdog)
 
Quote:

Originally Posted by tweetiepooh (Post 34902010)
Worth noting is that GMail's POP and IMAP are also encrypted. So even using a mail reader like Thunderbird would be "secure". Then you can add encryption/signing to the email client (Enigmail/PGP) to further secure your communications.

Last I checked you could choose whether or not to use an encrypted connection to the Google servers, if they're now forcing that then that's great - people should always check on their own systems though to make sure they're set up to use the encrypted connections.

jamiefrost 02-11-2009 19:17

Re: Wi Fi Hacking & VPN (Watchdog)
 
Gmail is still optional, I'm not sure all of the session is encrypted or just the initial connection even with HTTPS

JJ
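The question raised above, whether the whole session or only the login is encrypted, comes down to how the site sets its session cookie: a cookie without the `Secure` attribute is also sent on plain-HTTP requests, where anyone on the same Wi-Fi can read it. The following is an added example, not part of the original thread, that audits `Set-Cookie` headers for this; the cookie names and header values are constructed, and which cookie carries the session is an assumption passed in by the caller.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), value, attrs


def cookies_sent(set_cookie_headers, scheme):
    """Names of the cookies a browser would attach to a request using
    the given scheme ('http' or 'https'), considering only the Secure flag."""
    sent = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if scheme == "https" or "secure" not in attrs:
            sent.append(name)
    return sent


def exposed_session_cookies(set_cookie_headers, session_names):
    """Session cookies that would cross the network unencrypted."""
    return [n for n in cookies_sent(set_cookie_headers, "http") if n in session_names]


# Constructed responses from a hypothetical webmail login page served over HTTPS.
LOGIN_ONLY_HTTPS = [
    "SID=constructed-session-id; Path=/; HttpOnly",
    "lang=en; Path=/",
]
ALWAYS_HTTPS = [
    "SID=constructed-session-id; Path=/; HttpOnly; Secure",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("login-only HTTPS", LOGIN_ONLY_HTTPS),
                           ("always HTTPS", ALWAYS_HTTPS)):
        print(label, "-> exposed on http:", exposed_session_cookies(headers, {"SID"}))
```

In the first case the password is protected during login but the session ID is not protected afterwards, which matches the "session ID" scenario discussed earlier in the thread.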

Hugh 02-11-2009 20:33

Re: Wi Fi Hacking & VPN (Watchdog)
 
I have just typed in gmail.com, and a https address comes up. (but then, I have chosen the option to always use https (doh!)).

Raistlin 02-11-2009 23:26

Re: Wi Fi Hacking & VPN (Watchdog)
 
That's good, looks like they've changed this to be the default now then for web logins.


All times are GMT +1.