TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel
reply to cacroll

Re: Beware Hotel WiFi

said by cacroll:

Google offers two factor login, to counteract this problem.

Which unfortunately requires a cell phone, something not everyone has.

No cell phone = no two-factor authentication.

OZO
Premium
join:2003-01-17
kudos:2

Good. Because a two or even five factor verification is not a solution for the hotel WiFi hacking problem. Especially if it requires a cell phone... Your personal VPN, IMHO, is.
--
Keep it simple, it'll become complex by itself...



Spike
Premium
join:2008-05-16
Toronto, ON
reply to MacGyver

I've been staying in a hotel myself for Christmas and New Year's, and since I refuse to pay for clear, unencrypted, laggy WiFi, I went the Rogers LTE Rocket Hub route instead.

You cannot guarantee *anything* you do online is safe when using clear WiFi unless it's over a VPN tunnel, but even then, why should anyone pay for laggy WiFi that doesn't guarantee any decently usable service, as well as a VPN tunnel?



Baud1200

join:2003-02-10
Reviews:
·Shaw

4 edits

It's really not that hard for people to set up and fake a free wireless provider.
Simple as using one of these and just naming your honeypot network the appropriate name to get suckers to try to connect to it.

»hak5.org/store/wifi-pineapple-version-2

Really not much to it at all, this is just one simple example and an old one at that, the new product is even more invasive. Resourceful users can make the hardware themselves. A knowledgeable user can do even more with a laptop w/promiscuous mode wifi adapter and the appropriate hardware setup.
Just take one of these to your hotel room and mimic a name that might get ignorant users to connect, i.e. "HotelName_Wifi", and watch them connect in droves.

Solution: Don't be an ignorant user. Know what you are doing and how you are doing it; and simply don't use public access wifi.



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA
reply to MacGyver

They use one-time passwords, already, for non-browser applications. They call them "Application-specific passwords".

Some applications that work outside a browser aren't yet compatible with 2-step verification and cannot ask for verification codes.
But "2 step verification" essentially uses one time passwords. You get the one time passwords using SMS, from your phone, when needed.
--
Cheers,
Chuck
Nitecruzr Dot Net
Google+ - Nitecruzr


cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA
reply to TheMG

You can get a prepaid "burner" phone for maybe $20. If you never use it for voice communication, it's there when you need it for backup Google access.



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to TheMG

said by TheMG:

said by cacroll:

Google offers two factor login, to counteract this problem.

Which unfortunately requires a cell phone, something not everyone has.

No cell phone = no two-factor authentication.

You can use a house phone with it.
--
* seek help if having trouble coping
--Standard disclaimers apply.--


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to cacroll

said by cacroll:

But "2 step verification" essentially uses one time passwords. You get the one time passwords using SMS, from your phone, when needed.

or carry the "one-time" pad with 12 passwords.
--
* seek help if having trouble coping
--Standard disclaimers apply.--

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to AVD

said by AVD:

you can use a house phone with it.

A handy solution to avoiding problems with hotel wi-fi, then.


Vchat20
Landing is the REAL challenge
Premium
join:2003-09-16
Columbus, OH
reply to AVD

said by AVD:

said by cacroll:

But "2 step verification" essentially uses one time passwords. You get the one time passwords using SMS, from your phone, when needed.

or carry the "one-time" pad with 12 passwords.

Actually, when you set it up they do give you a list of emergency one-time-use codes to stash in case the normal channels are unavailable. Think they give you 12?

And as noted: It works with standard telephones, too. Basically it must be a phone number but they do either SMS or Voice. Mind you it is a 'they call you, you do not call them' so it must be a set, reliable number.

But given the system is open source, there are numerous non-Android/SMS based authenticator clients you can also use: »en.wikipedia.org/wiki/Google_Aut···entation
--
I swear, some people should have pace-makers installed to free up the resources. Breathing and heart beat taxes their whole system, all of their brain cells wasted on life support.-two bit brains, and the second bit is wasted on parity! ~head_spaz


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

They can call you, no smartphone required. I think the pad was 12, might be a few more, I'll check when home.
--
* seek help if having trouble coping
--Standard disclaimers apply.--



Archivis
Your Daddy
Premium
join:2001-11-26
Earth
kudos:19
reply to dave

said by dave:

gmail doesn't use https?

It doesn't matter if it does. HTTPS is not secure when you're on an open wireless network. There are tools in place that allow people to hijack sessions on open wi-fi networks, allowing them to place themselves in your secure session.

There are other tools that can even hijack wi-fi sessions to route through the hacker's laptop (or whatever) before the data gets sent to the wireless router. Everyone would connect to the laptop as its hotspot and the hacker's laptop would send that information onward, capturing everything in its path, including secure sessions.
--
A government big enough to give you everything you want, is strong enough to take everything you have. -MLK


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

said by Archivis:

said by dave:

gmail doesn't use https?

It doesn't matter if it does. HTTPS is not secure when you're on an open wireless network. There are tools in place that allow people to hijack sessions on open wi-fi networks, allowing them to place themselves in your secure session.

There are other tools that can even hijack wi-fi sessions to route through the hacker's laptop (or whatever) before the data gets sent to the wireless router. Everyone would connect to the laptop as its hotspot and the hacker's laptop would send that information onward, capturing everything in its path, including secure sessions.

https: protects against this
--
* seek help if having trouble coping
--Standard disclaimers apply.--


Archivis
Your Daddy
Premium
join:2001-11-26
Earth
kudos:19

On many sites, https is used just for the authentication, but not for the actual session, so many sites can have your sessions hijacked and your accounts hacked even if you used https to sign in.

Gmail will use https for the entire session, but as I was saying earlier, when someone intercepts wifi connections, they can intercept and automatically re-issue certificates in the middle of your session. Your browser may flag something, but most people click by it and not think anything of it. Some browsers may not be set high enough to notice it, setting only an innocuous alert at the bottom of the screen, or not at all.

There are all sorts of other various methods as well. If you went to an http site that had you log in and redirected you to an https site, you could be redirected to login somewhere that issues its own cert and then captures your credentials.

»www.ietf.org/mail-archive/web/tl···948.html

This is an outdated example, one of many security flaws that have been discovered in SSL/TLS over the years, and if any of the devices are running unpatched firmware, it's easier for an attacker to pop in the middle and hijack your session.
--
A government big enough to give you everything you want, is strong enough to take everything you have. -MLK



Archivis
Your Daddy
Premium
join:2001-11-26
Earth
kudos:19

There's a program called SSLstrip that does exactly what I was talking about. Works for gmail as well as other sites.
--
A government big enough to give you everything you want, is strong enough to take everything you have. -MLK



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA
reply to AVD

Or a house phone - if one is convenient and if you like listening to the robot.



cacroll
Eventually, Prozac becomes normal
Premium
join:2002-07-25
Martinez, CA
reply to Vchat20

said by Vchat20:

It works with standard telephones, too. Basically it must be a phone number but they do either SMS or Voice. Mind you it is a 'they call you, you do not call them' so it must be a set, reliable number.


That's the one drawback with the house phone option - you have to register it in advance - so it's useless when you travel. That's where the burner cell phone is a necessity.
--
Cheers,
Chuck
Nitecruzr Dot Net
Google+ - Nitecruzr

TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel
reply to AVD

said by AVD:

said by TheMG:

said by cacroll:

Google offers two factor login, to counteract this problem.

Which unfortunately requires a cell phone, something not everyone has.

No cell phone = no two-factor authentication.

you can use a house phone with it.

Which is useless because if you need to access the account away from home, well, you're out of luck. Also, your own computer at home is likely the lowest-risk environment you're going to log in to your account on.

I think it would be nice if they had the option of a hard token similar to the SecurID tokens. Something small you put on your keychain and doesn't rely on a phone.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe
reply to TheMG

said by TheMG:

said by cacroll:

Google offers two factor login, to counteract this problem.

Which unfortunately requires a cell phone, something not everyone has.

No cell phone = no two-factor authentication.

Not entirely correct. For travel and other emergencies you can pre-print up to 10 2-factor authentication codes on paper and take them with you. Each code can be used only once (for up to 30 days if you allow cookies and allow the browser to be 'trusted').

»support.google.com/accounts/bin/···=1187538
»support.google.com/accounts/bin/···=2544838

As mentioned already, always use HTTPS.

watice

join:2008-11-01
New York, NY
reply to MacGyver

Your best bet is a VPN. I can recommend »www.hotspotshield.com/en as they have an iPhone/iPad app that easily integrates the setup into your connection without any technical know-how, & they used to offer 250 MB free; not sure if they do anymore.

I can also vouch for gmail's 2 form authentication. Call me paranoid, but if I were abroad or on vacation I would really be using BOTH.



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

Isn't the VPN connection susceptible to the same MitM attack that SSL is?
--
* seek help if having trouble coping
--Standard disclaimers apply.--