Full Disclosure mailing list archives
Re: Wireless ISPs
From: Konstantin Gavrilenko <mlists () arhont com>
Date: Tue, 11 May 2004 22:55:51 +0100
WEP will not help you in this situation, since the same key will be assigned to every client, making it virtually a "protected hub". What you need to do is to persuade your ISPs to implement per-session key, possible solution WPA+Radius.
cheers,
kos

--
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web:    http://www.arhont.com
        http://www.wi-foo.com
e-mail: k.gavrilenko () arhont com
tel:    +44 (0) 870 44 31337
fax:    +44 (0) 117 969 0141

PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com

D B wrote:
> Hi Mr Coffee
>
> I'm using this venue to influence several wireless ISPs to use WEP
> They claim the internet is insecure anyway so they won't use it.
>
> I do understand the implications but yes wireless is totally legal to
> eavesdrop. The bottom 6 channels run on HAM frequencies and that is
> specifically mentioned as legal to eavesdrop.
>
> Tis a big can of worms this wireless garbage, I'm just using whatever I
> can to motivate ISPs ( especially the local one ) to encrypt data.
>
> Thank you for your reply
>
> Dan Becker
>
> --- Mister Coffee <live4java () stormcenter net> wrote:
>> On Tue, May 11, 2004 at 11:33:25AM -0700, D B wrote:
>>> I'm not real sure how to post this, nor am I sure of the scope. I am
>>> still learning about computers.
>>
>> Ok, no worries. We all start somewhere, right?
>>
>>> All transactions done via secure websites are secure, however the auto
>>> mailing feature to confirm orders sometimes contains sensitive data.
>>
>> All transactions done via secure websites are _supposed_ to be secure,
>> but the fact is that information leakage, poor configurations, MitM
>> attacks, and user error, amongst other issues, can render a supposedly
>> secure site insecure. You are right though. Too many sites will send
>> TMI back in a confirmation email.
>>
>>> When the customer is on a wireless connection, be it ISP or home LAN
>>> that data is broadcasted in the clear for anyone within range to
>>> eavesdrop.
>>
>> Not always. The wireless link itself may be encrypted between the AP
>> and the user's portable device - with various levels of security.
>> Also, if they are using a secure website, the SSL traffic is encrypted
>> separately from the transport medium. That is an end-point to
>> end-point system, so even sniffing "clear" wireless traffic will only
>> gain the attacker cyphertext.
>>
>>> A wired internet connection limits the number of people who have
>>> access to this data simply by the nature of the internet putting it
>>> within acceptable risk.
>>
>> Define acceptable risk?
>>
>> A wired connection is inherently more secure than a wireless
>> connection, but there are going to be points where the traffic can be
>> compromised as long as the traffic is going over the public internet.
>> Both wired and wireless suffer from that. The wireless is only
>> inherently less secure because of the broadcast element somewhere in
>> the data path. That makes the traffic easier to eavesdrop on, but it's
>> not extraordinarily difficult to eavesdrop on wired traffic either.
>>
>>> It is legal according to US law to eavesdrop on wireless connections.
>>
>> The safe answer is "No." The real answer _may_ be more complex
>> depending on your circumstances. For example if there's an open AP
>> that's not WEP enabled, the users would have no reasonable expectation
>> of privacy. However, if it came down to how a US Court would see it,
>> the safe answer is usually "no." This is similar to overhearing
>> conversations on portable phones. You're not supposed to listen in,
>> but if you and another user are sharing the freq, it would be hard to
>> charge either side with eavesdropping. This is NOT the same thing as
>> pointing a high gain 900Mhz antenna at the neighbor's house with the
>> intent to listen in. Intent does matter in the eyes of the law.
>>
>>> http://www.usdoj.gov/criminal/cybercrime/wiretap2510_2522.htm
>>>
>>> The only solutions I can offer are one of two things.
>>>
>>> 1. Quit sending auto confirmations with sensitive data
>>
>> Agreed.
>>
>>> 2. Encrypt all wireless transmissions at least making someone who
>>> gains access to this data prosecutable.
>>
>> Encryption is a good idea in any case. But it only changes slightly
>> what a malicious user could be charged with. If someone steals your
>> credit card information and uses it, they are guilty of a crime
>> whether they grabbed it from a cleartext email, sniffed it off the
>> wire, or stole a carbon copy receipt. Simply having the data isn't
>> really criminal. EG. You print out an email that has that information
>> and leave it by the fax machine for some reason. If I pick up the
>> paper to use as scratch paper or something, I haven't done anything
>> immoral, unethical, or illegal - but I DO have your data.
>>
>>> Please direct all flames to /dev/null
>>
>> No flames. Not even warm, really...
>>
>>> Dan Becker
>>
>> Cheers,
>> L4J
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
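An added example, not part of the original thread: the "protected hub" point from the reply above, modelled in Python. WEP framing is simplified (no key-ID byte), the per-station keys are only a stand-in for the per-session keys that WPA with RADIUS would provide (not a WPA implementation), and all keys and the payload are constructed.

```python
import os
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher, the cipher WEP uses."""
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # XOR the data with the keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(3)  # 24-bit IV, sent in the clear ahead of the ciphertext
    return iv + rc4(iv + key, plaintext + icv(plaintext))

def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + key, body)
    data, check = clear[:-4], clear[-4:]
    return data if icv(data) == check else None

def readers(frame: bytes, keys: dict) -> list:
    """Names of stations whose key decrypts the captured frame."""
    return sorted(n for n, k in keys.items() if wep_decrypt(k, frame) is not None)

# Constructed sample data: keys and payload are made up for this example.
PAYLOAD = b"Order 1001 confirmed, card ending 0000"
SHARED = bytes.fromhex("a1b2c3d4e5")  # one 40-bit key handed to every subscriber
SHARED_NET = {"alice": SHARED, "bob": SHARED, "carol": SHARED}
# Assumption: distinct per-station keys standing in for per-session keys.
UNIQUE_NET = {"alice": b"alice-key-001", "bob": b"bob-key-00002", "carol": b"carol-key-003"}

def demo():
    shared = readers(wep_encrypt(SHARED, PAYLOAD), SHARED_NET)
    unique = readers(wep_encrypt(UNIQUE_NET["alice"], PAYLOAD), UNIQUE_NET)
    return shared, unique

if __name__ == "__main__":
    print(demo())
```

With the shared key, every subscriber's station decrypts alice's frame and passes the integrity check; with distinct keys only alice's does.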