Home office with WiFi: do I need Spotlock?

I have a small home office setup and connect to the net via a wireless connection.

To be sure passwords (bank accounts, FTP, etc.) are safe, do I need a utility such as JiWire's Spotlock? Or would McAfee's security or something like it be enough?

Reply to
dawolfden

What sort of wireless connection?

Reply to
CWatters
802.11b/g, I think. A Dell router and on the laptop using a Dell Wireless 1370 WLAN Mini-PCI Card. I know this setup only has WEP encryption.
Reply to
dawolfden

In theory WEP 64 can be broken. Can it do WEP 128?

Other improvements would be to:

1) Change the SSID to something other than the default. Turn off broadcast SSID and manually enter the same SSID at both ends.
2) Turn on MAC filtering and only enter the MAC address of your computer's WLAN card.
3) Change the password on the router to something other than the default.
Reply to
CWatters

But if I understand well, these steps still make it easy for someone to scan in on the passwords I use when I log on to a site? Or does an HTTPS connection already take care of that?

Reply to
dawolfden

If you are very concerned then either don't use wireless or yes you could use something like Spotlock.

I wouldn't use the word easy. You do need a certain level of knowledge and skill to set up the equipment. Nobody will accidentally crack WEP.

The above article suggests it takes about an hour to crack 128 bit WEP and the program needs to generate and to record a lot of traffic to do so.

It adds another layer. But can be broken by what's called a "man in the middle attack".

Again, that's not trivial to set up.

Reply to
CWatters

Theory? That's no theory, both 64 and 128 bit WEP crumble very quickly.

Turning off SSID introduces no security.

MAC filtering has no real security value either.

That's a start! :)

David.

Reply to
David Taylor

"CWatters" hath wroth:

It depends on the tool (program) used. The ones that require large capture files, take well over an hour depending on traffic. The ones that induce traffic using deauthenticate and deassociated packets, can do it in about 10 minutes. When the FBI gave their demo, they accidentally did it in 3 minutes.

I've gotten into the habit of running traceroute (tracert) at coffee shops after connecting. I do this more for curiosity than for security. It will often show a "man in the middle" problem. I also know the MAC address of most of the access points to which I usually connect. Any changes are noted, again more for curiosity than security. Only once did I catch what I thought was a spoofed SSID, which turned out to be someone at the hotel trying to add a new access point and doing a very bad job of it. I've never seen a wireless "man in the middle" or spoofed AP in the wild.

One difference between cracking a WEP key and a "man in the middle" attack is that the "man in the middle" attack requires hearing both sides of the traffic. To crack the WEP key, one only needs to hear the access point traffic. For "man in the middle" both sides need to be heard. This puts a rather difficult to achieve location requirement on the attacker. It can probably be done in a crowded cafe, airport, or public hot spot, but not easily in a hotel or from nearby housing.

In my never humble opinion, HTTPS is good enough for most users and applications. If a higher level of security is required, then VPNs and more exotic key exchange mechanisms are available. There's also end to end encryption with a better key exchange such as IPSec VPNs.

I don't know anything about Spotlock other than what I read on their web pile. The example of sniffing email is for real. I have a packet (sequence number) reassembler that can reconstruct email messages fairly well.

example is a bit far fetched, but possible. I do know some total idiots that would conduct a financial transaction over an unsecured wireless connection.

Reading between the lines, it appears that Spotlock is just a VPN client that secures traffic between the wireless client computer and the Spotlock VPN terminating servers. That works but only secures the traffic between them. Once the traffic leaves the Spotlock VPN servers, and goes to its intended destination, it's all in the clear and can be sniffed on the wired network. See the FAQ at:

additional VPN services. Personally, I prefer end to end VPN encryption as (sometimes) provided by the email ISP.

The real danger with "man in the middle" and similar sniffing is obtaining the email address and password. Most users recycle the same password over and over for all their accounts. If the attacker gets one, he also gets access to many other accounts. I have a friend that leaked his over-used email password (his car license number), which was then used to attack his eBay and PayPal accounts. Once one has the password, there's no need to sniff the traffic to obtain incriminating email. Just log in and read someone's email at the attacker's leisure. Try to think of security in terms of what one is trying to protect. I have some rather unconventional opinions as to the value of user operated security (i.e. passwords) which I won't bore anyone today.

Reply to
Jeff Liebermann
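
The habit described in the post above (run traceroute after connecting and note any change in the access point's MAC address), sketched as an added Python example that is not part of the original thread. The SSID, MAC addresses, IP addresses and traceroute output are constructed, and the function names are hypothetical.

```python
import re

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed baseline from earlier visits (all values are made up).
BASELINE = {"CafeNet": {"bssids": {"00:11:22:33:44:55"}, "first_hop": "192.168.1.1"}}

# Constructed traceroute outputs: a normal run, and one with an extra first hop.
TRACE_NORMAL = """traceroute to 203.0.113.10, 30 hops max
 1  192.168.1.1  2.1 ms  1.9 ms  2.0 ms
 2  198.51.100.1  9.8 ms  10.1 ms  9.9 ms
 3  * * *
"""
TRACE_EXTRA_HOP = """traceroute to 203.0.113.10, 30 hops max
 1  192.168.1.77  1.2 ms  1.1 ms  1.3 ms
 2  192.168.1.1  3.4 ms  3.1 ms  3.3 ms
 3  198.51.100.1  11.0 ms  10.7 ms  10.9 ms
"""

def norm_mac(mac):
    """Lower-case and use ':' so Windows and Unix MAC notations compare equal."""
    return mac.strip().lower().replace("-", ":")

def parse_hops(trace_text):
    """One entry per hop: the responding IPv4 address, or None for '* * *'."""
    hops = []
    for line in trace_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if not m:
            continue  # header or blank line
        ip = IPV4.search(m.group(2))  # works for traceroute and tracert layouts
        hops.append(ip.group(0) if ip else None)
    return hops

def check_connection(ssid, bssid, trace_text, baseline):
    """Compare the current AP MAC and first hop against what was seen before."""
    known = baseline.get(ssid)
    if known is None:
        return ["no baseline for SSID %r" % ssid]
    findings = []
    if norm_mac(bssid) not in {norm_mac(b) for b in known["bssids"]}:
        findings.append("BSSID %s not seen before for this SSID" % norm_mac(bssid))
    hops, gw = parse_hops(trace_text), known["first_hop"]
    if hops and hops[0] != gw:
        if gw in hops[1:]:
            findings.append("usual gateway %s is now hop %d: extra device in path"
                            % (gw, hops.index(gw) + 1))
        else:
            findings.append("first hop is %s, expected %s" % (hops[0], gw))
    return findings
```

A finding only means something changed since the last visit; as in the hotel anecdote above, the cause can be a newly added access point.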

"I have some rather unconventional opinions as to the value of user operated security (i.e. passwords) which I won't bore anyone today. "

Would be interesting to hear though...

Thanks for all the info everybody!

Reply to
dawolfden

snipped-for-privacy@gmail.com hath wroth:

I ranted on the topic of password security previously. This posting should cover most of my points.

the user is expected to generate, remember, and supply a password on demand, that password is going to be compromised, hacked, or lost. There are better ways to deal with authorization (and authentication).

Reply to
Jeff Liebermann
