Wi Fi Hacking & VPN (Watchdog)

[jamiefrost]

As far as I know this method does not invlove passwords at all, I think its along the lines of getting the 'session ID' and using that info to get into the account.

Not sure about stopping you from logging out but I think this along the same lines as the session still being active.

Another method is to setup a false hot spot duplicating t-mobile / openzone etc and foolign you into thinking you are connected to a proper free-wifi hotspot.

JJ

[Russ]

With all this taken in to account, are these any good?

[Raistlin]

Quote:

Originally Posted by jamiefrost

As far as I know this method does not invlove passwords at all, I think its along the lines of getting the 'session ID' and using that info to get into the account.

Not sure about stopping you from logging out but I think this along the same lines as the session still being active.

Another method is to setup a false hot spot duplicating t-mobile / openzone etc and foolign you into thinking you are connected to a proper free-wifi hotspot.

JJ

The video clearly shows some of the software that they're using, specifically a piece of software designed to capture packets of traffic off the network. Given that most people are logging in over unencrypted channels this is by far the easiest way to accomplish what they showed in the video.

As for capturing your session, I don't think that's quite what they're doing (although I'm happy to be shown wrong). I think that they're actually not 'capturing' the session, but interfering with the traffic that's being passed as part of it. I would be very (VERY) surprised if gMail was susceptible to session hijacking attempts. It's more than likely a sophisticated man-in-the-middle attack, and given that there happens to have been a nice new tool for this sort of tomfoolery released recently.....

---------- Post added at 12:57 ---------- Previous post was at 12:52 ----------

Quote:

Originally Posted by Russ

With all this taken in to account, are these any good?

VPN software is the best defence really, but it relies on you having an end-point to connect your VPN software to.

Typically the idea would be that you set up a VPN end-point on a trusted machine/network. You then connect to that end-point using the VPN software on your laptop, this establishes an encrypted 'tunnel' between you and the end-point, it also (to all intents and purposes) means that you are now vitually connected to the network that the end-point is sat on (hence 'Virtual' Private Network).

Then, when you browse the Internet, all the traffic to or from your laptop goes through that tunnel, and you're actually browsing from the network that your end-point is sat on. Provided that end-point (and the connection it has to the Internet) is trusted and secure then you're safe. Given that most people will configure this so that your end-point is on your home Internet connection you're effectively as safe as you are plugged in and browsing from home, albeit from anywhere in the world that you choose to be.

[jamiefrost]

I think thats whats going on. you explained a lot better than I could., looking at whats out there its seems to be frighteningly easy to do.

Don't see VPN as a viable alternative for most people as it relies on an external server for the end VPN connection. Didn't someone on the show mention that t-mobile were looking to provide that funtionality?

JJ

[mattrgee]

What they did was very simple and is known as a 'man in the middle attack' or MITM. The attackers laptop pretended to be the default gateway of the wireless network using ARP poisoning, they then captured the packets from the targets laptop and extracted the passwords.

They stopped the guy getting back into his account by killing his internet connection, again using ARP poisoning.

Technically, not that clever but good for TV.

[GeoffW]

Quote:

Originally Posted by Rob M

The video clearly shows some of the software that they're using, specifically a piece of software designed to capture packets of traffic off the network. Given that most people are logging in over unencrypted channels this is by far the easiest way to accomplish what they showed in the video.
.

The software looked to be Wireshark, probably running off a wifi card in promiscuous mode.

[Raistlin]

Correct.

[SMG]

I`ve decided to err on the safe side. I have fitted a spare drive into my laptop & put XP on it with firewall & Av. As I originally only wanted the PC for phone calls around the world, I have just put my VIP provider on, Nothing else.

I did have a look at the VPN software, but as I am not sure what to do, I will take a chance without it. I don't even know if the connection in the hotel is password protected or not. But there wont be anything on the laptop to steal.

[Raistlin]

It's not about stealing things on the laptop, it's about stealing (or rather, intercepting) data which is transiting between the laptop and whatever you're connected to.

[SMG]

Yes Rob, I understand that, I don't want anything on the PC for someone to steal, passwords e mails nothing, except my VOIP details. If they get hacked I can only loose the account.

I don't suppose anyone can be completely safe.

[mattrgee]

I don't think you understand what data is actually at risk.

A laptop full of data / a laptop with no data, it makes no difference to me. When you sign into your email account I will (as a hacker) intercept those details and use them later. Your bank details, passport info and other personal details could be in folders on your laptop, but I'm not trying to access that data so it makes no difference.

The suggestion of using a VPN to help secure your data was a pretty silly suggestion by the programme makers. They fail to explain that having a VPN client is only half the equation, you actually need a VPN server to connect to! Not something the average consumer has setup.

Ah well, you got to love TV!

[Raistlin]

Yep, Watchdog did a great job of worrying and scaremongering, but provided no real 'education'. "Use a VPN" is about as useless a piece of advice as they could possibly have given, I wonder how many people have now installed a VPN client but have nothing to connect it to and still think they're safe? TBH they'd have been better off dedicating a whole show to it and actually showing people how to be secure/safe instead of just telling them that they needed to be.

[SMG]

Quote:

Originally Posted by mattrgee

I don't think you understand what data is actually at risk.

A laptop full of data / a laptop with no data, it makes no difference to me. When you sign into your email account I will (as a hacker) intercept those details and use them later. Your bank details, passport info and other personal details could be in folders on your laptop, but I'm not trying to access that data so it makes no difference.

Yes m8, I do understand, thats why I changed the drive & only put my VOIP provider on it. There is no other info or e mail details on there.

I have changed the password too. If it is hacked, the only info accessible will be the VOIP account. I wont be using it for anything else now.

I have to agree with both of you regarding "Scaremongering" it worried me thinking someone could hack into my PC.

[Raistlin]

You do leave yourself more open to having the laptop compromised when you attach to these wireless networks, but in your case you've removed as much as you can from the device and you're happy to take the hit on what's left if the worst comes to the worst - you really can't do a whole lot more.

I really hate this sort of 'journalism', they dress it up as a public service but there really wasn't anything in there that actually helped anybody. The real answer to what they were saying appeared to be that the providers of these hotspots should be held accountable, and that it should be up to them to make sure they're secure - typical Watchdog, it's never down to the consumer to protect themselves is it?

[SMG]

Quote:

Originally Posted by Rob M

You do leave yourself more open to having the laptop compromised when you attach to these wireless networks, but in your case you've removed as much as you can from the device and you're happy to take the hit on what's left if the worst comes to the worst - you really can't do a whole lot more.

I really hate this sort of 'journalism', they dress it up as a public service but there really wasn't anything in there that actually helped anybody. The real answer to what they were saying appeared to be that the providers of these hotspots should be held accountable, and that it should be up to them to make sure they're secure - typical Watchdog, it's never down to the consumer to protect themselves is it?

Its not good, it left me wondering, & without any information on how to avoid the problem.

On a positive note, I have a clean install with just 1 "sensitive" program, which at worst, would cost me £7.00, which is the amount remaining. If it is compromised, I will simply open a new account.