Security Basics mailing list archives

Re: How safe / unsafe is Free Open WiFi?


From: PCSC Information Services <info () pcsage biz>
Date: Wed, 12 Mar 2008 01:30:23 -0400

Hi Tallat,

While not meaning to detract from any ISP's product offerings, it's important to know that any use of any internet connectivity brings risk. While I understand that this is somewhat an alarmist stance, there is no certainty available. What one can do is minimize risks. This means using WiFi access points in a secure way. Tunneling and PKI can be of great assistance in this effort.

Certainly a 'free and open' WiFi network doesn't imply WEP, or WPA/2-PSK or WPA/2-Radius setup, yet free and open services can (if properly set up) and should include at least WEP. It's true that there are tools that can crack WEP authentication methods; WPA and WPA2 are somewhat more difficult to crack. It's true that because the packets are broadcast in the air that the potential for compromise is much greater, but it is no more secure 'plugging in' to a wall jack in an Internet context. What's ironic to me is that there would be any use of WEP at all in light of the fact that this protocol was compromised (very publicly) a number of years ago, ushering in WPA, and then WPA2 protocols.

Even a home office network can be compromised, via rootkits, keyloggers, and other capture tools. There is a constant barrage of attacks against the mathematics that underpins all computing operations.

ANY encrypted protocol on ANY medium can be captured, and with the appropriate computing horsepower be cracked. It's math. What's considered best practice is to make it so computationally difficult as to prevent trivial access to data that should be kept secure. One can only perform due diligence in light of this, by making transmission of potentially sensitive data in a protocol that is sufficiently computationally difficult to access. Again, being on a wire, or broadcasting packets willy nilly in the air are equally dangerous to sensitive data.

We could all just call it a day really, and give up on keeping things secure, but as I consistently say, security is a process, not a destination. Secure computing is really about educating the end-user to understand what they need to protect, how to protect it, and how to mitigate risks of connecting to other users to share this sensitive data. It doesn't help that the 'de facto' standard operating system insists on setting up first users as administrators that continually operate the machine with administrative credentials.

It seems to me (some days) that this is very much a Sisyphean effort, and the boulder is only getting heavier as we move forward.

There are processes that can mitigate the risk of transmitting data across any network, and failing to implement these is clearly stepping away from 'due diligence'. Then again, one can take the .gov stance and say 'if you're not doing anything wrong why would you have something to hide?' but I'm sure we're all smarter than that...

Best,

Sean Swayze



On 11-Mar-08, at 4:19 PM, Enquiries Globalart4u wrote:

So does that mean that the T-mobile wifi hotspots are not safe either as I
was about to sign up for it?

Tallat

www.promomat.biz
www.yuckyslugsandsnails.co.uk

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]On Behalf Of amatachick () gmail com
Sent: 11 March 2008 14:15
To: security-basics () securityfocus com
Subject: Re: How safe / unsafe is Free Open WiFi?


Tony,

Free/Open WiFi networks are inherently less secure than wired networks because of the way the data travels. Instead of packets being sent over a wire they are sent out into the air. When packets are sent over a wire one must be either connected to the network transmitting the packets to see the packets or have physical access to the line and place a sniffer on it. When packets are sent over the air anyone in range (and the range can be pretty large depending on the type of antenna) can see all the packets. There is no longer a need to be connected to the network. So basically, anything sent clear text can be read by those around you. This is especially true in crowded environments such as airports or coffee houses.

I think it's fine to use Public Wifi for a connection to the internet, it's
just necessary to realize that anything you type in can be read by the
general public.

As long as you transmit public information, you're fine. I wouldn't,
however, transmit sensitive information in such a fashion.

Hope this helps!

Amy Hagerman