Re: Home office with WiFi: do I need Spotlock?



"CWatters" <colin.watters@xxxxxxxxxxxxxxxxxxxxxxxxx> hath wroth:

I wouldn't use the word easy. You do need a certain level of knowledge and
skill to set up the equipment. Nobody will accidentally crack WEP.
http://www.tomsnetworking.com/2005/05/10/how_to_crack_wep_/
The above article suggests it takes about an hour to crack 128 bit WEP and
the program needs to generate and to record a lot of traffic to do so.

It depends on the tool (program) used. The ones that require large
capture files take well over an hour depending on traffic. The ones
that induce traffic using deauthenticate and deassociated packets can
do it in about 10 minutes. When the FBI gave their demo, they
accidentally did it in 3 minutes.

Or does a https
connection already take care of that?

It adds another layer. But can be broken by what's called a "man in the
middle attack".
http://en.wikipedia.org/wiki/HTTPS
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
http://blogs.ittoolbox.com/wireless/networks/archives/wireless-man-in-the-middle-attack-part-ii-7421
Again, that's not trivial to set up.

I've gotten into the habit of running traceroute (tracert) at coffee
shops after connecting. I do this more for curiosity than for
security. It will often show a "man in the middle" problem. I also
know the MAC address of most of the access points to which I usually
connect. Any changes are noted, again more for curiosity than
security. Only once did I catch what I thought was a spoofed SSID,
which turned out to be someone at the hotel trying to add a new
access point and doing a very bad job of it. I've never seen a
wireless "man in the middle" or spoofed AP in the wild.

One difference between cracking a WEP key and a "man in the middle"
attack is that the "man in the middle" attack requires hearing both
sides of the traffic. To crack the WEP key, one only needs to hear
the access point traffic. For "man in the middle" both sides need to
be heard. This puts a rather difficult to achieve location
requirement on the attacker. It can probably be done in a crowded
cafe, airport, or public hot spot, but not easily in a hotel or from
nearby housing.

In my never humble opinion, HTTPS is good enough for most users and
applications. If a higher level of security is required, then VPNs
and more exotic key exchange mechanisms are available. There's also
end to end encryption with a better key exchange such as IPSec VPNs.

I don't know anything about Spotlock other than what I read on their
web pile. The example of sniffing email is for real. I have a packet
(sequence number) reassembler that can reconstruct email messages
fairly well.
http://www.jiwire.com/spotlock-sniffer.htm
The example is a bit far fetched, but possible. I do know some total
idiots that would conduct a financial transaction over an unsecured
wireless connection.

Reading between the lines, it appears that Spotlock is just a VPN
client that secures traffic between the wireless client computer and
the Spotlock VPN terminating servers. That works but only secures the
traffic between them. Once the traffic leaves the Spotlock VPN
servers, and goes to its intended destination, it's all in the clear
and can be sniffed on the wired network. See the FAQ at:
| http://en.wikibooks.org/wiki/Wireless_Internet/Wi-Fi#Wi-Fi_Security
for additional VPN services. Personally, I prefer end to end VPN
encryption as (sometimes) provided by the email ISP.

The real danger with "man in the middle" and similar sniffing is
obtaining the email address and password. Most users recycle the same
password over and over for all their accounts. If the attacker gets
one, he also gets access to many other accounts. I have a friend that
leaked his over-used email password (his car license number), which
was then used to attack his eBay and PayPal accounts. Once one has
the password, there's no need to sniff the traffic to obtain
incriminating email. Just log in and read someone's email at the
attacker's leisure. Try to think of security in terms of what one is
trying to protect. I have some rather unconventional opinions as to
the value of user operated security (i.e. passwords) with which I won't
bore anyone today.

--
Jeff Liebermann jeffl@xxxxxxxxxxxxxxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
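
The habit described in the post above, noting when the MAC address (BSSID) of a familiar access point changes, can be automated. The following is an added example, not part of the original post: the baseline, the sample scan lines and the "SSID:BSSID" input format with colons escaped as "\:" are all constructed assumptions.

```python
import re

# Constructed baseline: BSSIDs previously recorded for networks the user trusts.
KNOWN_APS = {
    "CoffeeShop": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
    "HomeOffice": {"66:77:88:99:AA:BB"},
}

# Constructed scan results, one "SSID:BSSID" per line. Colons inside a field
# are escaped as "\:" (assumed input format for this example).
SAMPLE_SCAN = r"""
CoffeeShop:00\:11\:22\:33\:44\:55
CoffeeShop:DE\:AD\:BE\:EF\:00\:01
HomeOffice:66\:77\:88\:99\:aa\:bb
Airport\: Free WiFi:02\:00\:00\:00\:00\:01
not a scan line
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_scan(text):
    """Return (ssid, bssid) pairs, skipping blank or malformed lines."""
    pairs = []
    for line in text.splitlines():
        fields = re.split(r"(?<!\\):", line)  # split on unescaped colons only
        if len(fields) != 2:
            continue
        ssid, bssid = (f.replace("\\:", ":") for f in fields)
        bssid = bssid.lower()  # MAC addresses compare case-insensitively
        if MAC_RE.match(bssid):
            pairs.append((ssid, bssid))
    return pairs


def check_scan(pairs, known):
    """Flag SSIDs never seen before and known SSIDs on an unrecorded BSSID."""
    baseline = {s: {b.lower() for b in macs} for s, macs in known.items()}
    findings = []
    for ssid, bssid in pairs:
        if ssid not in baseline:
            findings.append(("new-network", ssid, bssid))
        elif bssid not in baseline[ssid]:
            findings.append(("unknown-bssid", ssid, bssid))
    return findings


if __name__ == "__main__":
    for kind, ssid, bssid in check_scan(parse_scan(SAMPLE_SCAN), KNOWN_APS):
        print(f"{kind}: {ssid!r} seen on {bssid}")
```

An "unknown-bssid" finding is a prompt to look closer, not proof of spoofing; a newly installed legitimate access point produces the same result.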