Wi Fi Hacking & VPN (Watchdog)

SMG · 29-10-2009, 22:13

I have just watched "Watchdog" expose the vulnerability of wi fi sites. As soon as you log on to your mails etc, someone else on the same wi fi can acquire your details. They mentioned VPN. I googled it & read a bit.

As I will be taking my laptop on holiday, mainly to keep in touch with my boys, who are in the forces. I`m now worried about insecure wi fi in the hotel.

Does anyone use VPN? Apparently there is software available to combat this type of "Fraud", but who knows what else the software may do!

Any help would be appreciated.

Reedy · 29-10-2009, 22:16

I noticed they were all using web based email clients. I wonder if it's the same for Outlook?

SMG · 29-10-2009, 23:27

Dont know m8, I was hoping for a better responce, but perhaps its early days yet.

webcrawler2050 · 29-10-2009, 23:40

Quote:

Originally Posted by SMG

I have just watched "Watchdog" expose the vulnerability of wi fi sites. As soon as you log on to your mails etc, someone else on the same wi fi can acquire your details. They mentioned VPN. I googled it & read a bit.

As I will be taking my laptop on holiday, mainly to keep in touch with my boys, who are in the forces. I`m now worried about insecure wi fi in the hotel.

Does anyone use VPN? Apparently there is software available to combat this type of "Fraud", but who knows what else the software may do!

Any help would be appreciated.

Talking out of their rear end to be fair. As far as I'm aware, the only way they would be able to get those details, is if you saved them on your browser on your device, laptop, phone etc. And, if they have the known how to intercept an http connection. There may be other ways..

**Paul** · 29-10-2009, 23:48

Yes, its not hard to monitor the packets as they are transmitted

Of course, if you use https for your webmail then you should be ok.

SMG · 30-10-2009, 01:42

They went to a cyber cafe where there is a wi fi. One guy, face blocked out, used some hack to gain access to another guys laptop as he was sending an e mail, the hacker then sent him an e mail, from himself, saying his laptop had been compromised.

I dont know if the hotel I`m going to has an encrypted wi fi or not. I will be using my VOIP programme to call the USA, UK, & Germany, possibly the Mid East too.

Obviously I will be checking my e mails too. My concern is that I have a dispute pending with Paypal, & I dont want to log on without knowing the connection is secure.

webcrawler2050 · 30-10-2009, 01:47

Paypal is fine. Https:// with an EV certificate. On "public" wifi only login if you see https://

SMG · 30-10-2009, 01:50

Thanks for that m8. I will keep that in mind.

Raistlin · 30-10-2009, 08:39

Provided you ensure that:

a) any site you provide credentials to, or pass sensitive information over, is using a https/ssl encrypted connection;
b) your laptop is fully patched, running an updated AV product, and preferably a personal firewall (the built-in XP one will be fine for this purpose);

.....then in the scenario you describe you should be ok. There are methods for circumventing the protection that SSL provides, and there are methods of attack that will negate the protection provided by AV/firewall, but your window of exposure should be sufficiently small to make most of these impractical to deploy against you.

Any 'public' wi-fi connection should be considered 'unsafe' (I use the word in the absence of something more appropriate, I'm sure you understand) and you should ensure that you're mindful of the risks that they pose when you're using them. This isn't to say that you should avoid them, or in fact that you should change your usage/habits, but you should always be aware of the risks and make sure you're doing what you need to do to protect yourself

Aragorn · 30-10-2009, 10:29

If you are really paranoid, you can set up OpenVPN on your home system and use it as a VPN host - downside is you need to leave the home PC & broadband on to connect to it.
ElReg did an article about setting up OpenVPN.
Or you could sign up for a cheap commercial VPN.
But as Rob says while public WiFi is 'unsafe' it's a very small risk.

Russ · 30-10-2009, 10:33

Would anti-keyloging programmes help?

Aragorn · 30-10-2009, 10:37

I doubt it - for unecrypted traffic they were using simple packet sniffing. For the SSL encrypted stuff they were stealling the session keys, I think. They probably didn't get the GMail password but didn't need it once the session had been owned.

30-10-2009, 11:47

Interesting that the owner of the account could not sign out of the gmail account. Why was that? Was it becuase they were signed in elsewhere?

Raistlin · 30-10-2009, 12:18

Interesting that they continually refer to a special piece of 'kit', not sure what they mean there. All you need to perpetrate the attack they're using here is a wireless enabled laptop and some software.

They use a lot of fairly emotive terminology as well, they're talking about 'breaking into' peoples' mail accounts. They're not really doing anything of the sort - they're gaining unauthorised access to them, but they don't appear to be breaking into anything. It looks like they're simply capturing usernames and passwords as they pass across the network and then using them to log in.

The issue that they're exposing/exploiting here is that by their very nature these 'public' access points connect you to a network that contains people and systems that you can't know/trust. Anything you send across those networks is potentially available to all the other users, unless you take steps to prevent that from happening.

I won't go into how I think they accomplished the business of blocking him from signing out of his gMail account - that bit of the segment in particular suggests to me that they're doing something additional beyond just gathering passwords off the wire (or 'air' in this case). If they are doing what I think they're doing then that's the only truly clever part of what they're doing.....

webcrawler2050 · 30-10-2009, 12:35

Quote:

Originally Posted by Rob M

Interesting that they continually refer to a special piece of 'kit', not sure what they mean there. All you need to perpetrate the attack they're using here is a wireless enabled laptop and some software.

They use a lot of fairly emotive terminology as well, they're talking about 'breaking into' peoples' mail accounts. They're not really doing anything of the sort - they're gaining unauthorised access to them, but they don't appear to be breaking into anything. It looks like they're simply capturing usernames and passwords as they pass across the network and then using them to log in.

The issue that they're exposing/exploiting here is that by their very nature these 'public' access points connect you to a network that contains people and systems that you can't know/trust. Anything you send across those networks is potentially available to all the other users, unless you take steps to prevent that from happening.

I won't go into how I think they accomplished the business of blocking him from signing out of his gMail account - that bit of the segment in particular suggests to me that they're doing something additional beyond just gathering passwords off the wire (or 'air' in this case). If they are doing what I think they're doing then that's the only truly clever part of what they're doing.....

I personally think they are trying to "pimp" the idea and generally have no clue what the heck they are talking about