New Hacking tools for hotspots

[Jerusalem Blade]

In today's online NYTimes: New Hacking Tools Pose Bigger Threats to Wi-Fi Users

In a hotspot (when we get back to NYC, DV) I'll be using a V.P.N. for protection; from my research that's the only thing I'll trust. I'll have no home or private network for the first month or two, and I'll have to do necessary banking at Starbucks or the like.

 

[NaphtaliPress]

How can you tell if one is using WEP or WPA encryption?

 

[Marrow Man]

When I click on the link, it takes me to a blank page.

 

[NaphtaliPress]

Looks like I have WPA. So do folks recommend a V.P.N? Whose good; who of the free ones are good?

 

[Jerusalem Blade]

Tim, I don't know - I think you have to register with the NYT online, but it's free. . . no place on the page to register?

Chris, I don't know; I won't get VPN till I'm back in the states and need it. I'll have to research it further.

Here's a google search: best vpn service - Google Search

 

[NaphtaliPress]

To hack your WPA they hacker has to break the password, correct? I have like a 40 digit alphanumeric password. Is that safe enough or is it necessary to use vpn from my home wireless router?

 

[Jerusalem Blade]

I was first turned onto VPN technology reading this article: I will be careful when using a wireless network | Utilities | Macworld

As I'm a Mac user I wanted to go with something Mac compatible, and from the article linked to just above I chose PublicVPN.com. Whether I'm paying $60 a year or $6.95 a month for it is no big problem (I'm not rich) as I need a trusted secure connection while I'm "homeless". When I have a home (maybe an apartment) and an internet connection I'll make sure it's secure with other technology. I don't think I'll need a VPN all the time.

But as I said, I'll research it more -- also to see if VPN can be hacked. One never knows nowadays.

---------- Post added at 09:42 AM ---------- Previous post was at 09:30 AM ----------

Chris, I'm not sure. What you're doing is what I plan to do when I get settled. I'll have to pick better tech brains than mine to see if that's adequate.

Here's a recent search on it: secure home routers - Google Search

One of the results indicates maybe not (careful, an ad on this site is mildly risque). This is something I don't need to address where I am now; but when I get into NYC I surely will.

 

[O'GodHowGreatThouArt]

WPA is actually the more secure setting; I just can't use it due to compatibility problems between router and computers within the house.

For those having trouble reading the article, the full text is below. It should answer several question poised thus far:

You may think the only people capable of snooping on your Internet activity are government intelligence agents or possibly a talented teenage hacker holed up in his parents’ basement. But some simple software lets just about anyone sitting next to you at your local coffee shop watch you browse the Web and even assume your identity online.

“Like it or not, we are now living in a cyberpunk novel,” said Darren Kitchen, a systems administrator for an aerospace company in Richmond, Calif., and the host of Hak5, a video podcast about computer hacking and security. “When people find out how trivial and easy it is to see and even modify what you do online, they are shocked.”

Until recently, only determined and knowledgeable hackers with fancy tools and lots of time on their hands could spy while you used your laptop or smartphone at Wi-Fi hot spots. But a free program called Firesheep, released in October, has made it simple to see what other users of an unsecured Wi-Fi network are doing and then log on as them at the sites they visited.

Without issuing any warnings of the possible threat, Web site administrators have since been scrambling to provide added protections.

“I released Firesheep to show that a core and widespread issue in Web site security is being ignored,” said Eric Butler, a freelance software developer in Seattle who created the program. “It points out the lack of end-to-end encryption.”

What he means is that while the password you initially enter on Web sites like Facebook, Twitter, Flickr, Amazon, eBay and The New York Times is encrypted, the Web browser’s cookie, a bit of code that that identifies your computer, your settings on the site or other private information, is often not encrypted. Firesheep grabs that cookie, allowing nosy or malicious users to, in essence, be you on the site and have full access to your account.

More than a million people have downloaded the program in the last three months (including this reporter, who is not exactly a computer genius). And it is easy to use.

The only sites that are safe from snoopers are those that employ the cryptographic protocol transport layer security or its predecessor, secure sockets layer, throughout your session. PayPal and many banks do this, but a startling number of sites that people trust to safeguard their privacy do not. You know you are shielded from prying eyes if a little lock appears in the corner of your browser or the Web address starts with “https” rather than “http.”

“The usual reason Web sites give for not encrypting all communication is that it will slow down the site and would be a huge engineering expense,” said Chris Palmer, technology director at the Electronic Frontier Foundation, an electronic rights advocacy group based in San Francisco. “Yes, there are operational hurdles, but they are solvable.”

Indeed, Gmail made end-to-end encryption its default mode in January 2010. Facebook began to offer the same protection as an opt-in security feature last month, though it is so far available only to a small percentage of users and has limitations. For example, it doesn’t work with many third-party applications.

“It’s worth noting that Facebook took this step, but it’s too early to congratulate them,” said Mr. Butler, who is frustrated that “https” is not the site’s default setting. “Most people aren’t going to know about it or won’t think it’s important or won’t want to use it when they find out that it disables major applications.”

Joe Sullivan, chief security officer at Facebook, said the company was engaged in a “deliberative rollout process,” to access and address any unforeseen difficulties. “We hope to have it available for all users in the next several weeks,” he said, adding that the company was also working to address problems with third-party applications and to make “https” the default setting.

Many Web sites offer some support for encryption via “https,” but they make it difficult to use. To address these problems, the Electronic Frontier Foundation in collaboration with the Tor Project, another group concerned with Internet privacy, released in June an add-on to the browser Firefox, called Https Everywhere. The extension, which can be downloaded at eff.org/https-everywhere, makes “https” the stubbornly unchangeable default on all sites that support it.

Since not all Web sites have “https” capability, Bill Pennington, chief strategy officer with the Web site risk management firm WhiteHat Security in Santa Clara, Calif., said: “I tell people that if you’re doing things with sensitive data, don’t do it at a Wi-Fi hot spot. Do it at home.”

But home wireless networks may not be all that safe either, because of free and widely available Wi-Fi cracking programs like Gerix WiFi Cracker, Aircrack-ng and Wifite. The programs work by faking legitimate user activity to collect a series of so-called weak keys or clues to the password. The process is wholly automated, said Mr. Kitchen at Hak5, allowing even techno-ignoramuses to recover a wireless router’s password in a matter of seconds. “I’ve yet to find a WEP-protected network not susceptible to this kind of attack,” Mr. Kitchen said.

A WEP-encrypted password (for wired equivalent privacy) is not as strong as a WPA (or Wi-Fi protected access) password, so it’s best to use a WPA password instead. Even so, hackers can use the same free software programs to get on WPA password-protected networks as well. It just takes much longer (think weeks) and more computer expertise.

Using such programs along with high-powered Wi-Fi antennas that cost less than $90, hackers can pull in signals from home networks two to three miles away. There are also some computerized cracking devices with built-in antennas on the market, like WifiRobin ($156). But experts said they were not as fast or effective as the latest free cracking programs, because the devices worked only on WEP-protected networks.

To protect yourself, changing the Service Set Identifier or SSID of your wireless network from the default name of your router (like Linksys or Netgear) to something less predictable helps, as does choosing a lengthy and complicated alphanumeric password.

Setting up a virtual private network, or V.P.N., which encrypts all communications you transmit wirelessly whether on your home network or at a hot spot, is even more secure. The data looks like gibberish to a snooper as it travels from your computer to a secure server before it is blasted onto the Internet.

Popular V.P.N. providers include VyperVPN, HotSpotVPN and LogMeIn Hamachi. Some are free; others are as much as $18 a month, depending on how much data is encrypted. Free versions tend to encrypt only Web activity and not e-mail exchanges.

However, Mr. Palmer at the Electronic Frontier Foundation blames poorly designed Web sites, not vulnerable Wi-Fi connections, for security lapses. “Many popular sites were not designed for security from the beginning, and now we are suffering the consequences,” he said. “People need to demand ‘https’ so Web sites will do the painful integration work that needs to be done.”

 

[NaphtaliPress]

Thanks Steve. Does anyone know how you disable transmitting their wireless network name? One of the articles about security suggested doing that. I didn't see how immediately from looking at my connection settings.

 

[O'GodHowGreatThouArt]

See if this works Chris.

EDIT: Hard to tell, but the above is a URL.

 

[CovenantalBaptist]

Steve raises an important caution. This is not about what you use at home (but while we're on the subject don't use WEP use WPA2 with a long non-dictionary password - WEP is the easiest to crack) - what you need to know when you're away from home is that you're only as secure as the network you connect to. Wireless internet is laughably simple to crack, from my understanding, so you should not feel secure when you connect to it without a VPN solution. I've had my password compromised from an overnight stay at a hotel where I hardly did anything other than check my email before falling asleep.

A free VPN service that I use when I'm in hotels/airports/public libraries/coffee shops is Hotspot Shield. It's free account has a monthly limit (it used to be 2 GB) and you can't stream video, but, for the kind of business I need to do (mainly search theological websites and check email) it serves me well. Hope it helps.

 

[SRoper]

Chris, it sounds like you have a strong password for the attacks that are currently available.

SSID broadcast is an option that you turn off on your wireless router. You will have to log in to your router to do this. Check your manual, but it usually involves navigating to your wireless router with your web browser. The IP address of your router might be 192.168.0.1 or 192.168.1.1. Hopefully you remember your admin password (it's not the same as your WiFi password).

Keep in mind that turning off SSID broadcast will only make it unavailable to the casual snooper. Basic hacking tools can find your wireless router even with SSID broadcast turned off. Personally, I find the added inconvenience of connecting to a WiFi router without SSID broadcast is not worth the marginal security gain.

It is important to make sure you change the actual SSID name to something unique. Without getting too technical, if you use a commonly used SSID name (Netgear, DLink, Home, etc.), you make it easier for hackers to crack your password.

 

[KMK]

Pardon my density, but what damage can a Starbucks hacker do to me? Also, why not just turn the wireless of while in Starbucks?

 

[O'GodHowGreatThouArt]

They can steal your passwords, thereby gaining access to bank accounts and other sensitive information.

If you happen to fall victim to an exceptionally skilled hacker, they can inject trojans into your computer system. This can do everything from feed information of your activity to another person to completely decimating your computer system.

 

[KMK]

They can steal your passwords, thereby gaining access to bank accounts and other sensitive information.

If you happen to fall victim to an exceptionally skilled hacker, they can inject trojans into your computer system. This can do everything from feed information of your activity to another person to completely decimating your computer system.

They can do this even if you don't use your password while at Starbucks? Again, I am safe if my wireless is turned off, right?

 

[O'GodHowGreatThouArt]

They can steal your passwords, thereby gaining access to bank accounts and other sensitive information.

If you happen to fall victim to an exceptionally skilled hacker, they can inject trojans into your computer system. This can do everything from feed information of your activity to another person to completely decimating your computer system.

They can do this even if you don't use your password while at Starbucks? Again, I am safe if my wireless is turned off, right?

Correct. As long as you are not connected at any point (including coming and leaving the area), then you should have no problems. The only way they can hack you directly is if they directly hook up the computer through wired means.

 

[Marrow Man]

Tim, I don't know - I think you have to register with the NYT online, but it's free. . . no place on the page to register?

That appears to have been the problem, but no, nothing came up at all (it was a totally blank page). The Missus is a registered user, though, and she pulled up the page for me on her computer.

 

[O'GodHowGreatThouArt]

Tim, I don't know - I think you have to register with the NYT online, but it's free. . . no place on the page to register?

That appears to have been the problem, but no, nothing came up at all (it was a totally blank page). The Missus is a registered user, though, and she pulled up the page for me on her computer.

Odd. I'm not a registered member, yet I pulled it up without a problem.

 

[littlepeople]

MAC address filtering is a valuable layer of protection to add to your home router. Disable ssid broadcast, enable Mac address filtering, and use a long alphanumeric, case-sensitive password; you should have no worries.

 

[Marrow Man]

Odd. I'm not a registered member, yet I pulled it up without a problem.

The NYT doesn't like me I guess.

 

[SRoper]

MAC address filtering is a valuable layer of protection to add to your home router. Disable ssid broadcast, enable Mac address filtering, and use a long alphanumeric, case-sensitive password; you should have no worries.

MAC address filtering is not particularly valuable. MAC addresses are easily acquired from network traffic and spoofed. Again, I don't find the hassle of setting up each device on the router worth it.