
MacGyver
Don't Waste Your Energy
Premium,ExMod 2003-05
join:2001-10-14
Canada
kudos:2
Reviews:
·voip.ms
·TekSavvy DSL

Beware Hotel WiFi

I run a tight network ship at home for the family. We just got back from four days on the road, including two nights at a hotel. We used the hotel wifi to keep connected, including my wife checking her Gmail account via our iPad. Upon our return, my wife found a warning from Gmail that somebody from China had attempted to log in to her account. This was confirmed by looking at the login details in her Gmail account.

I didn't have this problem as I use my Blackberry to check my Gmail.

Just a reminder to all: never use hotel wifi to log in to any account that you value! It's worthwhile using a separate address you only access from home or work for your sensitive stuff like banking and domain registration.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

gmail doesn't use https?



MacGyver
Don't Waste Your Energy
Premium,ExMod 2003-05
join:2001-10-14
Canada
kudos:2
Reviews:
·voip.ms
·TekSavvy DSL

This was with the iPad's built-in email app. I don't know if it uses HTTPS login like the web login forces.

I have no concrete proof, which isn't unexpected with most security breaches, but I think it's just too much of a coincidence that this hack occurred on the same day we checked out of the hotel.



Hank
Searching for a new Frontier
Premium
join:2002-05-21
Burlington, WV
kudos:2
Reviews:
·Frontier Communi..
reply to dave

said by dave:

gmail doesn't use https?

Did a Google search and several articles came up. Here is an example.

»howto.cnet.com/8301-11310_39-200···account/

I don't use gmail so I have no experience with it.


Napsterbater
Meh
Premium,MVM
join:2002-12-28
Milledgeville, GA
reply to dave

IMAP and POP use SSL or TLS


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

said by Napsterbater:

IMAP and POP use SSL or TLS

I was assuming (incorrectly) that the access was via a web browser.

POP and SMTP *can* use secured connections but it's not mandatory in the protocol and for all I know, gmail doesn't insist. I myself use Verizon, and they offer but do not require the use of secured connections (you configure your client for a different port number).


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by dave:

POP and SMTP *can* use secured connections but it's not mandatory in the protocol...

Yup. POP/SMTP are plain-text (including passwords) protocols. Many providers now allow it over SSL/TLS (encrypted) connections but some don't.

Most hotel/hotspot Wi-Fi is unencrypted so users using POP/SMTP over that show everything to anyone looking.
--
Don't feed trolls--it only makes them grow!


Napsterbater
Meh
Premium,MVM
join:2002-12-28
Milledgeville, GA
reply to dave

I was talking about IMAP and POP connections to google/gmail, they require SSL or TLS


peterboro
Avatars are for posers
Premium
join:2006-11-03
Peterborough, ON
reply to MacGyver

Someone tried to hack my Gmail Dec. 1st. Maybe they are targeting us nice Canadians and it is a coincidence.

»Google gibberish?


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to Napsterbater

Ah, ok. So we're left with not really knowing how the exposure happened - since IMAP and POP require SSL/TLS, and HTTPS is at least possible....



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Well if a Chinese hacker had access to hotel Wi-Fi and the user was using an encrypted connection to get their email (SSL/TLS/HTTPS/VPN etc) they'd have seen nothing but gibberish. The email address would be unknown by the hacker. If standard (unencrypted) POP/SMTP was used they'd have seen the email addy and the password (as clear text). With the latter no "hacking attempts" would've been required--they'd simply log in.

In short it's probably coincidence.
--
Don't feed trolls--it only makes them grow!
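The point made above is that POP and SMTP (and IMAP's LOGIN command) carry the username and password in clear text unless the client is on an implicit-TLS port or the session is upgraded with STLS/STARTTLS before authenticating. The script below audits captured session transcripts for exactly that. It is an added example, not code from the thread or from any poster: the transcripts, host names and credentials are constructed, and the port-to-protocol table is an assumption about common mail-server configuration.

```python
"""Audit captured mail-client sessions for credentials sent before TLS was negotiated.

Constructed example transcripts are written as "C: <client line>" / "S: <server line>".
"""
from dataclasses import dataclass

# Ports where the whole session is inside TLS from the first byte (assumed common defaults).
IMPLICIT_TLS_PORTS = {993: "IMAP", 995: "POP3", 465: "SMTP"}
# Ports where the session starts in clear text and may, or may not, upgrade to TLS.
CLEARTEXT_PORTS = {143: "IMAP", 110: "POP3", 25: "SMTP", 587: "SMTP"}

# Commands that carry a username or password (AUTH PLAIN is only base64, not encryption).
CREDENTIAL_COMMANDS = {"POP3": {"USER", "PASS"}, "IMAP": {"LOGIN"}, "SMTP": {"AUTH"}}
# Command that asks the server to upgrade the connection to TLS mid-session.
STARTTLS_COMMAND = {"POP3": "STLS", "IMAP": "STARTTLS", "SMTP": "STARTTLS"}


@dataclass(frozen=True)
class Finding:
    protocol: str
    line_no: int
    command: str  # keyword only; the secret itself is deliberately not recorded


def _command_keyword(protocol: str, payload: str) -> str:
    """Return the command verb, skipping the IMAP tag ('a001 LOGIN ...')."""
    words = payload.split()
    if not words:
        return ""
    if protocol == "IMAP" and len(words) > 1:
        return words[1].upper()
    return words[0].upper()


def _tls_upgrade_succeeded(protocol: str, payload: str) -> bool:
    """Did the server accept the STLS/STARTTLS request?"""
    if protocol == "POP3":
        return payload.startswith("+OK")
    if protocol == "SMTP":
        return payload.startswith("220")
    words = payload.split()  # IMAP replies as "<tag> OK ..."
    return len(words) > 1 and words[1].upper() == "OK"


def audit_session(port: int, transcript: str) -> list[Finding]:
    """Return one Finding per credential-bearing command observed before TLS started."""
    if port in IMPLICIT_TLS_PORTS:
        return []  # nothing in this capture is readable on the wire
    protocol = CLEARTEXT_PORTS[port]
    findings: list[Finding] = []
    awaiting_tls_reply = False
    for line_no, raw in enumerate(transcript.strip().splitlines(), start=1):
        side, _, payload = raw.strip().partition(" ")
        if side == "C:":
            keyword = _command_keyword(protocol, payload)
            if keyword == STARTTLS_COMMAND[protocol]:
                awaiting_tls_reply = True
            elif keyword in CREDENTIAL_COMMANDS[protocol]:
                findings.append(Finding(protocol, line_no, keyword))
        elif side == "S:" and awaiting_tls_reply:
            if _tls_upgrade_succeeded(protocol, payload):
                break  # everything after this point is ciphertext on the wire
            awaiting_tls_reply = False  # server refused; session stays in the clear
    return findings


# Constructed transcripts (not real captures).
POP3_CLEAR = """
S: +OK POP3 server ready
C: USER alice@example.net
S: +OK
C: PASS hunter2
S: +OK Logged in.
"""
POP3_STLS = """
S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
C: USER alice@example.net
C: PASS hunter2
"""
IMAP_CLEAR = """
S: * OK IMAP4rev1 server ready
C: a001 LOGIN alice@example.net hunter2
S: a001 OK Logged in
"""
SMTP_STARTTLS = """
S: 220 mail.example.net ESMTP
C: EHLO laptop
S: 250-mail.example.net
S: 250 STARTTLS
C: STARTTLS
S: 220 Go ahead
C: AUTH PLAIN AGFsaWNlAGh1bnRlcjI=
"""

if __name__ == "__main__":
    for port, name, text in [(110, "POP3 clear", POP3_CLEAR), (110, "POP3 STLS", POP3_STLS),
                             (143, "IMAP clear", IMAP_CLEAR), (587, "SMTP STARTTLS", SMTP_STARTTLS)]:
        print(name, "->", audit_session(port, text) or "no credentials in the clear")
```

The two POP3 transcripts differ only in whether STLS was negotiated before USER/PASS; the audit flags the first and not the second, which is the whole difference between "offers" and "requires" encryption that the thread is circling around.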



wa2ibm
Premium
join:2000-10-10
San Jose, CA
reply to MacGyver

You might want to check if your home ISP offers VPN services (mine does). Then if you're on a public network (hotel, coffee shop, etc.), you simply log into your ISP's VPN first, then everything you do through the local network is encrypted. There are VPN clients for most every platform (PC, Mac, iPhone, Android).
--
- Bill


TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel
reply to MacGyver

Set up your own VPN server at home or on your router (if it has this capability). Then, always use the VPN while using untrusted networks.

I do this all the time now. It also has uses beyond security/privacy, as it effectively allows you to stop any html injection, DNS redirection, blocked sites, blocked ports, etc. For me it's just like being at home, minus the speed, since the download speeds over the VPN are limited by my home connection's upload speed (a measly 1Mbps).



hacker1035

@start.ca
reply to MacGyver

I had the same gmail problem, about a week or two ago... but from the US and google warned of suspicious activity... turns out something sent junk URL to some contacts from my gmail. However, I figure this was my fault since I foolishly logged into my gmail from a somewhat 'public' machine. Since this was just my personal gmail account, this was very low-risk for me, I use a different password for my more sensitive accounts anyways, but have moved to a password manager, (lastpass).

I figure a bot/rootkit or some type of logger picked up my password, my gmail password was somewhat strong... was 10 chars total, with four numbers, and a mix of upper and lower case letters, so I'm confident it was not brute force.



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA
reply to MacGyver

People are constantly attempting to login to my GMail / Google account. Google offers two factor login, to counteract this problem.

I enabled two factor login, some time ago. This protects me from people in China, and other countries - but it causes occasional inconvenience.

If you enable two factor login, be sure to always carry your cell phone (or whatever token you choose). If you move location / change browser / change computer frequently, when using GMail, plan to have times when using two factor login can cause stress.
--
Cheers,
Chuck
Nitecruzr Dot Net
Google+ - Nitecruzr



MacGyver
Don't Waste Your Energy
Premium,ExMod 2003-05
join:2001-10-14
Canada
kudos:2
Reviews:
·voip.ms
·TekSavvy DSL

A much better idea in my opinion is the setting of one-time use passwords. You set them in advance in your GMail account while you are at home using your regular password, then if you have to login in an insecure environment, using a one-time password that is no good afterwards ensures your account can't be hijacked.



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

said by MacGyver:

A much better idea in my opinion is the setting of one-time use passwords. You set them in advance in your GMail account while you are at home using your regular password, then if you have to login in an insecure environment, using a one-time password that is no good afterwards ensures your account can't be hijacked.

how to? (or is this the one time pad for 2 step authentication)
--
* seek help if having trouble coping
--Standard disclaimers apply.--


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

I have a VPN setup on my home router as well. I use that while connected to open WiFi hotspots. Either that, or I tether my device to my smartphone that has tethering built in.



MacGyver
Don't Waste Your Energy
Premium,ExMod 2003-05
join:2001-10-14
Canada
kudos:2
reply to AVD

It's an idea I pitched to Google.


OZO
Premium
join:2003-01-17
kudos:2
reply to MacGyver

Assuming that it's working as described. How is a one-time login a much better idea than anything? What if you have to check your gmail account again in half an hour, and so on? And you'll have to think twice (or even more than that) before you log out... It's not practical at all.
--
Keep it simple, it'll become complex by itself...


TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel
reply to cacroll

said by cacroll:

Google offers two factor login, to counteract this problem.

Which unfortunately requires a cell phone, something not everyone has.

No cell phone = no two-factor authentication.

OZO
Premium
join:2003-01-17
kudos:2

Good. Because a two or even five factor verification is not a solution for the hotel WiFi hacking problem. Especially if it requires a cell phone... Your personal VPN, IMHO, is.
--
Keep it simple, it'll become complex by itself...



Spike
Premium
join:2008-05-16
Toronto, ON
reply to MacGyver

I've been staying in a hotel myself for Christmas and New Year's and since I refuse to pay for clear unencrypted laggy WiFi, I went the Rogers LTE Rocket Hub route instead.

You cannot guarantee *anything* you do online is safe when using clear WiFi unless it's over a VPN tunnel, but even then, why should anyone pay for laggy WiFi that doesn't guarantee any decently usable service as well as a VPN tunnel?



Baud1200

join:2003-02-10
Reviews:
·Shaw


It's really not that hard for people to set up and fake a free wireless provider.
Simple as using one of these and just naming your honeypot network the appropriate name to get suckers to try to connect to it.

»hak5.org/store/wifi-pineapple-version-2

Really not much to it at all, this is just one simple example and an old one at that, the new product is even more invasive. Resourceful users can make the hardware themselves. A knowledgeable user can do even more with a laptop w/promiscuous mode wifi adapter and the appropriate hardware setup.
Just take one of these to your hotel room and mimic a name that might get ignorant users to connect, i.e. "HotelName_Wifi", and watch them connect in droves.

Solution: Don't be an ignorant user. Know what you are doing and how you are doing it; and simply don't use public access wifi.



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA
reply to MacGyver

They use one time passwords, already, for non browser applications. They call them "Application-specific passwords".

Some applications that work outside a browser aren't yet compatible with 2-step verification and cannot ask for verification codes.
But "2 step verification" essentially uses one time passwords. You get the one time passwords using SMS, from your phone, when needed.
--
Cheers,
Chuck
Nitecruzr Dot Net
Google+ - Nitecruzr


cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA
reply to TheMG

You can get a prepaid "burner" phone for maybe $20. If you never use it for voice communication, it's there when you need it for backup Google access.



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to TheMG

said by TheMG:

said by cacroll:

Google offers two factor login, to counteract this problem.

Which unfortunately requires a cell phone, something not everyone has.

No cell phone = no two-factor authentication.

you can use a house phone with it.
--
* seek help if having trouble coping
--Standard disclaimers apply.--


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to cacroll

said by cacroll:

But "2 step verification" essentially uses one time passwords. You get the one time passwords using SMS, from your phone, when needed.

or carry the "one-time" pad with 12 passwords.
--
* seek help if having trouble coping
--Standard disclaimers apply.--

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to AVD

said by AVD:

you can use a house phone with it.

A handy solution to avoiding problems with hotel wi-fi, then.


Vchat20
Landing is the REAL challenge
Premium
join:2003-09-16
Columbus, OH
reply to AVD

said by AVD:

said by cacroll:

But "2 step verification" essentially uses one time passwords. You get the one time passwords using SMS, from your phone, when needed.

or carry the "one-time" pad with 12 passwords.

Actually when you set it up they do give you a list of emergency 'one time use' codes to stash in case the normal channels are unavailable. Think they give you 12?

And as noted: It works with standard telephones, too. Basically it must be a phone number but they do either SMS or Voice. Mind you it is a 'they call you, you do not call them' so it must be a set, reliable number.

But given the system is open source, there are numerous non-Android/SMS based authenticator clients you can also use: »en.wikipedia.org/wiki/Google_Aut···entation
--
I swear, some people should have pace-makers installed to free up the resources. Breathing and heart beat taxes their whole system, all of their brain cells wasted on life support.-two bit brains, and the second bit is wasted on parity! ~head_spaz