Re: Strange SSID in the air...



Aloke Prasad <aprasad123@xxxxxxxxxxxxxxxxxxxxxxx> hath wroth:

> URL redirection: will some of the anti-phishing features in Firefox or
> IE7 help in this case? This is a serious problem if people are unable
> to detect this on public network.

Good question. No. It won't be detected at all:
<http://www.mozilla.com/en-US/firefox/phishing-protection/>
Try the test site at:
<http://www.mozilla.com/firefox/its-a-trap.html>
The problem is that Firefox, IE, Norton, etc. require a list of "known
phishing sites" to be effective. Chances that a coffee shop web site
was reported and verified to be a phishing site are zero.

> How can I verify if any of this is happening on my home network (with
> the cable modem assigning Gateway+DNS to the Linksys router etc.)?

Sigh. Another good question. Probably not detectable. The problem
with a hacker controlled router at the user end is that there's no way
to verify that DNS lookups actually point to the real web site.

You can test the problem easily on your own machine.
First, clear the DNS cache with:
start -> run -> cmd <enter>
ipconfig /flushdns
Under XP or W2K go to the hosts file at:
C:\WINNT\system32\drivers\etc\hosts
Add a line at the bottom of the hosts file with:
74.125.19.147 www.wellsfargo.com
The IP address is one of Google's many servers. Now, fire up your
favorite browser and go to:
http://www.wellsfargo.com
Guess what? You went to Google instead. No warning, no indication
that it's been redirected, and everything looks just fine. Note that
some anti-virus and anti-spyware programs will detect changes to the
hosts file, but that's not the point. This is just a simulation of
what can be done by manipulating DNS. If this were the real thing,
the changes would be made in the router, where the anti-whatever
program would not be able to see or detect anything. When you're done
tinkering and testing, run:
ipconfig /flushdns
to clear the bogus entries from your machine.

> Is the "Evil hacker owning the router" scenario applicable for public
> routers at airports, Starbucks etc? While those are administered by
> professionals (I hope), I suppose it is safest to assume that they could
> be compromised.

Assumption, the mother of all screwups. In this case, we have to
assume that they are professionally administered by a competent
service company with an active concern for the security of their
customers' data. It would not do to have the lack of adequate
protection precipitate an identity theft, and have the customer turn
around and sue the provider. I think that's a fair assumption for
most large hotspots.

However, it is NOT a good assumption for the do it thyself variety
found in hotels, coffee shops, and in particular home users. If you
must use one of these, kindly invest in a VPN/SSL/TLS tunneling
service:
<http://wireless.wikia.com/wiki/Wi-Fi#SSL.2FTLS>
Or arrange something with your ISP.

> How do I detect password sniffing in the (public) router?

You can't. Passive sniffing does not require the sniffer to send any
data. If the data moving on the wireless or wired part of the network
are unencrypted, sniffing is trivial. Even if the wireless part were
encrypted, it would still be possible to sniff the traffic in the
backhaul or at the wired connection.

> I'm assuming
> that this will not happen on my home router (WRT54GS). What about my
> ISP's router? How do I detect password sniffing in general?

Again, you can't. The government requires ISPs to provide sniffing
services to fight crime or some such rubbish.
<http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act>
<http://en.wikipedia.org/wiki/Carnivore_(FBI)>

> What if I save a bunch of bookmarks (like the bank's login page) with IP
> addresses instead of domain names. I bet the IP addresses of commercial
> pages don't change that often.

You'll lose your bet. Most large web sites have a number of gateway
servers, all over the world. They're controlled by a load balancer
which usually delivers the IP address of a server with minimal
utilization for new connection requests. The idea is to prevent users
from overloading one server, while another remains under-utilized.
This is most often done with DNS redirection, which prevents you from
using a static IP address. You can go to a site by IP address, but
then there's no guarantee that you won't hit a very busy server, or
one that is temporarily down for maintenance or backups. It also gets
really complicated if your ISP is running anycast DNS servers, where
the IP address of the DNS server can also change.

C:\>nslookup
Default Server: DD-WRT
Address: 192.168.1.1
> set type=A
> www.google.com
Server: DD-WRT
Address: 192.168.1.1

Non-authoritative answer:
Name: www.l.google.com
Addresses: 74.125.19.147, 74.125.19.104, 74.125.19.99,
74.125.19.103
Aliases: www.google.com

4 different IP addresses for Google. If I try it later tonite, it
will probably be a different collection.

> Password sniffing has me worried, though. How to detect/deal with that?
> Aloke

You can't detect sniffing. Make sure you never send your password in
the clear. That means you have to go through a long list of really
dumb applications that are not very smart about encrypting passwords.
In particular, telnet, ftp, POP3, authenticated SMTP, and various web
forms. Take each application INDIVIDUALLY and determine exactly how
it deals with passwords. Also realize that your "saved passwords" is
a perfect target for hackers. I have 400 passwords, so it's
impossible to use unique passwords for all of these accounts. So,
divide up the list by priority. Anything that involves a movement of
money or might cause problems with identity theft if leaked gets:
1. A unique non-dictionary pronounceable password.
2. Does NOT get saved on my various machines.
3. Is stored on my removable USB dongle. Both the file and the
entire dongle are encrypted.
4. Backed up to an identical USB dongle and buried in my safe deposit
box.
5. The really important (banking, finance, medical) passwords get
changed regularly.

--
Jeff Liebermann jeffl@xxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
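The hosts-file simulation above shows how a single line redirects a bank's hostname with no browser warning. The post also notes that some anti-virus products watch the hosts file for exactly this. As an added example, not part of the original post, here is the same check as a small Python audit script: it parses hosts-file text and flags any public-looking hostname pinned to a public (non-loopback, non-private) address, which is the pattern the post's wellsfargo.com line produces. The sample hosts content is constructed to mirror the post; the `watch_domains` parameter and the severity labels are this example's own design, not anything from the post.

```python
import ipaddress

# Constructed sample hosts file, modelled on the post's simulation.
# The last line is the kind of entry that redirects a bank to a foreign server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.lan   # legitimate LAN override, expected on a home network
74.125.19.147   www.wellsfargo.com
"""

# Names that every hosts file legitimately maps and that should never be flagged.
BUILTIN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks.

    One hosts line may list several hostnames for one address, so each
    hostname becomes its own pair.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_local_target(ip_text):
    """True if the address is loopback, private, link-local or unspecified.

    Overrides pointing at such addresses are normal (LAN names, ad blocking);
    an unparsable address is treated as not local so it still gets reviewed.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def suspicious_entries(text, watch_domains=()):
    """Flag hosts entries that pin a non-local hostname to a public IP address.

    Returns a list of (severity, ip, hostname). Severity is "watched" when the
    hostname falls under one of watch_domains (e.g. your bank), else "review".
    """
    watched = tuple(d.lower().lstrip(".") for d in watch_domains)
    findings = []
    for ip, name in parse_hosts(text):
        if name in BUILTIN_NAMES or is_local_target(ip):
            continue
        hit = any(name == d or name.endswith("." + d) for d in watched)
        findings.append(("watched" if hit else "review", ip, name))
    return findings


if __name__ == "__main__":
    # Audit the constructed sample; on a real machine, read the hosts file path
    # the post gives for your Windows version, or /etc/hosts on Unix-like systems.
    for severity, ip, name in suspicious_entries(SAMPLE_HOSTS, ["wellsfargo.com"]):
        print(f"{severity:8} {name} -> {ip}")
```

The script only answers the narrow question "has my own hosts file been tampered with"; as the post says, a poisoned resolver on the router leaves the hosts file untouched, so a clean result here says nothing about DNS upstream of your machine.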