Study: Wi-Fi Users Still Don't Encrypt
Shackleford writes "SecurityFocus has an article saying that two days of electronic eavesdropping at the 802.11 Planet Expo in Boston last week sniffed out more evidence that most Wi-Fi users still aren't securing their networks. Security vendor AirDefense set up two of its commercial 'AirDefense Guard' sensors at opposite corners of the exhibit hall at the Boston World Trade Center, the site of the conference, and for two days analyzed the traffic flowing between conference-goers and 141 unencrypted access points set up by the conference for public use, and by vendors on the floor.
What they found was that users checking their e-mail through unencrypted POP connections vastly outnumbered those using a VPN or another encrypted tunnel. Only three percent of e-mail downloads were encrypted on the first day of the conference, 12 percent on the second day."
This only verifies the importance of application level encryption. Every socket communication should be encrypted so that security doesn't rely on the network connection itself.
Suprasphere encrypts all socket communication using a dynamically generated Diffie-Hellman key exchange. This is much better than SSL because it does not require using a CA so you can set it all up without any administrative overhead.
Furthermore, all authentication uses a zero-knowledge proof so that a password is never sent over the wire. Even though the traffic is all encrypted anyway, this adds another level of security so that a compromised passphrase at one sphere will not allow authentication at any other. You can store a profile at different places that can only give you access if you can prove beyond a statistically reasonable doubt that you are who you say you are.
I live in a small university town. Even the shortest bike ride with my Zaurus running kismet finds many access points in businesses and homes unencrypted (war biking?). I often run ethereal for the few minutes it takes me to get up and order coffee at one of the local cafes. It never fails to catch pop and imap passwords, mail, and instant messaging conversations. I always use ssh or VPN, but I don't feel superior. Most of my own non-work related mail is sent in plain text.
First entomology, then virology, and finally bioinformatics systems. Bugs follow me wherever I go.
A few years ago I was given a demo of TCP-dump by a resident BOFH. First step was to read all of the private communications between a certain user and other people in a chat room. The next was to take a look at some people's emails as they were relayed through the router (including their POP3 passwords). Since that day I have not sent any password unencrypted...
I am TheRaven on Soylent News
If you use WEP, but everyone knows the key (e.g., at a trade show so you need to make the key public to let people on the WiFi network), I assume that's the same as unencrypted. However, why couldn't there be an RSA or symmetric encryption for 802.11[x]? So you make the public key for the access point available, anyone with that can connect, but your PC/WiFi card encrypts every packet going out the door, so the traffic going from the client to the access point is now secure. Similarly, the client gives the access point its public key, so all the traffic coming back to the client is also secure. This probably requires a lot more overhead in the access point and client, but I don't think that it would be unreasonably so.
The problem lies more in the way the access points work at the moment rather than the end users not using POP without security. The best you can do with access points today is to set up a single key (like WEP) that is shared among multiple users. The access points of the future would hopefully have 2 WEPs: one to allow access to the access point and a second one, dynamically assigned to individual clients (probably recognized by unique MAC address), for all data communication between that unique client and access point.
Siggy Say, Siggy Do
Encryption might take a while to set up, but it's a very good thing. Not only for your own data.
I'll explain. Many of us run web servers and let friends have sites or mail accounts on them. Now, I'm pretty sure that in most places reading your user's mail is illegal. Suppose you're logged in on your server trying to solve some problem by looking at what's going on with a sniffer like tcpdump or ethereal. Accidentally you see a friend's private email scroll by.
Now, of course, this wasn't intentional. But what if you make a slip? The email could have been about some event you didn't know about. Then, a week later you forget where you got that information from, you ask that friend about whether his grandma got better. The friend then asks "How do you know that? You weren't reading my mail, were you?". Depending on how this person feels about you, you might get into some trouble.
This is why on my server I provide IMAP accounts only through SSL. I never look in user directories unless needed. And I tell everybody who gets an account that if they want to be completely sure their data stays confidential that they should use PGP and that I can explain how to use it.
It's not that hard to set up, anyway. Set up a mail server with SSL and you'll be able to check your mail safely from anywhere. Install SSH for administration. Install Apache SSL even if you don't need it much, to give the users who want it the ability to log in with an encrypted connection. Use an instant messenger like Jabber with an SSL connection too.
Don't worry about self-signed certificates. A certificate from Verisign provides a rather small increase of security which people tend to ignore anyway. If you just want to avoid your traffic from being sniffed, it should be enough.
Excepting web browsing, most of my data is encrypted. I even found that I can browse kuro5hin.org through https. It's a good thing too, when I log in my password won't be sent in clear text.
So perhaps this *may* mean that only 3-12% of the people feel that what is contained in their email is important enough to encrypt. Why does this article assume that VPNs are necessary in every case?
You know, it is sometimes good to be "paranoid", but often it is just that, paranoia. Do I care if someone sniffs my unencrypted "penis enlargement NOW!" emails? Security is not always the primary design factor, and sometimes is disregarded altogether in the face of getting things done.
I can't help when I think of "security" of the push/pull battle that the U.S. Army had with the Manhattan Project personnel. The Army, of course, saw bogeymen under every rock at Los Alamos, but the scientists soon discovered that to aid in the project, many "security" concerns had to be circumvented...
never bring a twinkie to a food fight.
We use Blue Socket boxes behind our WAPs, so while anyone can get an IP address from our WAP, you won't be able to get anywhere until you authenticate (via SSL). Since the wireless network is outside our firewall, you have to either use a VPN or SSL-web access to get your e-mail.
but not as trivial as sniffing on an unswitched network.
Furthermore... if I'm the sysadmin, and I catch you running a sniffer, well, I probably won't care.
If I catch you doing arp poisoning in order to intercept traffic on a switched lan, I'm going to yank your connection / get you fired / expelled / press charges for hacking.
One involves listening. The other involves messing with stuff and deliberately breaking how things work.
It's plain to see! Take my hometown... right next to a beautiful mountain range. Just get on top of one of the mountains and use a dish to look down... 72% of the 180 networks that showed up within 5-6 minutes were all unencrypted!
Humour aside, it probably won't be long before we have spam wagons. Spammers in converted trucks cruising the highways to find wireless access points for spamming.
Someone could cause chaos by strolling through a downtown with an infected system.
One line blog. I hear that they're called Twitters now.
A good friend of mine has an interesting hobby - he's looking for APs and checks whether there's a mostly open file server around and then proceeds to copy the contents to the laptop, burn a CD or two and drop them into the physical mailbox of that company or office.
In at least two cases, he got the contents of a lawyer office. Some people were supposedly not amused, but at least they accepted his help in securing their networks.
My father and I have gone "war-flying" at 500 feet above residential areas in his Cessna 120 (2 seater airplane) and have literally picked up HUNDREDS of open and unencrypted APs within minutes. From what I understand, it is completely legal to listen in and monitor any radio frequency, so long as it is not encrypted and you do not publish any of the content.
For fun in college, my buddies and I used to terrorize our fellow dorm mates by listening in on their cordless telephone conversations using a police scanner. We would call them back and mention parts of their conversation in amusing ways. We were always kind of hoping that we would overhear a girl say "I'm so horny right now" and then go knocking on her door at just the right moment. We were pretty pathetic...
Listen to Live FM Radio
I agree.
I have yet to actually get WEP to work for anything beyond a brand X access point talking to a Brand X card. There are actually 2 or 3 different notations vendors use for WEP keys. I'm just too lazy to learn one more level of obfuscation that is cracked with a tool downloadable from sourceforge!
Besides, in my place we have live jacks all over. I just assume that wireless is as vulnerable as a hardline. Anything one honestly cares about should be SSL encrypted. Besides, SSH also takes care of spoofing and man-in-the-middle attacks.
Just because your access point is secure doesn't mean badness doesn't await you past the next router.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
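
The differing WEP key notations mentioned in the comment above are a common reason the same key fails between two vendors' setup screens. The following is an added example, not code from the thread or from any vendor: it normalizes a key to raw bytes so two entries can be compared. The accepted notations (plain hex, hex with `:` or `-` separators, a `0x` prefix, literal ASCII, and the `s:` ASCII marker used by wireless-tools) are assumptions about what a mixed-vendor setup presents; vendor passphrase-to-key generators are not covered.

```python
import re

# WEP secret sizes in bytes: 5 (40-bit, sold as "64-bit") and 13 (104-bit, sold as "128-bit").
WEP_KEY_SIZES = (5, 13)
_HEX = re.compile(r"[0-9A-Fa-f]+")


def _ascii_key(s):
    """Interpret s as a literal ASCII key; each character is one key byte."""
    key = s.encode("ascii")  # non-ASCII input raises a ValueError subclass
    if len(key) not in WEP_KEY_SIZES:
        raise ValueError(f"ASCII key must be 5 or 13 characters, got {len(key)}")
    return key


def normalize_wep_key(text):
    """Return the raw key bytes for a WEP key written in any of the
    notations assumed here; raise ValueError if it fits none of them."""
    s = text.strip()
    if s.startswith("s:"):             # explicit ASCII marker (wireless-tools style)
        return _ascii_key(s[2:])
    h = s[2:] if s[:2].lower() == "0x" else s
    h = re.sub(r"[:\-\s]", "", h)      # drop byte/group separators
    # 10 or 26 hex digits is a hex key; this wins over a 13-character ASCII
    # reading of the same text, so use "s:" when ASCII is really meant.
    if _HEX.fullmatch(h) and len(h) in (10, 26):
        return bytes.fromhex(h)
    return _ascii_key(s)               # otherwise treat as literal ASCII


def canonical_hex(text):
    """Render any accepted notation as colon-separated upper-case hex."""
    return ":".join(f"{b:02X}" for b in normalize_wep_key(text))


def same_key(a, b):
    """True when two differently written keys are the same bytes."""
    return normalize_wep_key(a) == normalize_wep_key(b)


if __name__ == "__main__":
    # Constructed sample keys, one per notation; all denote the same 40-bit key.
    for sample in ["6162636465", "61:62:63:64:65", "6162-6364-65",
                   "0x6162636465", "s:abcde", "abcde"]:
        print(f"{sample!r:18} -> {canonical_hex(sample)}")
```
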