Topic 'Re: Beware Hotel WiFi' in forum 'Security' - dslreports.com

Re: Beware Hotel WiFi

Thu, 03 Jan 2013 15:19:37 EDT

AVD posted : Isn't the VPN connection susceptible to the same MitM attack that SSL is?
--
* seek help if having trouble coping
--Standard disclaimers apply.--

Re: Beware Hotel WiFi

Thu, 03 Jan 2013 08:21:50 EDT

watice posted : your best bet is a VPN. I can recommend »www.hotspotshield.com/en as they have an iphone/ipad app that easily integrates the setup into your connection without any technical know how, & they used to offer 250mb free not sure if they do anymore.

I can also vouch for gmail's 2 form authentication. Call me paranoid, but if I were abroad or on vacation I would really be using BOTH.

Re: Beware Hotel WiFi

Wed, 02 Jan 2013 22:02:10 EDT

Brano posted :

said by TheMG:

said by cacroll:

Google offers two factor login, to counteract this problem.

Which unfortunately requires a cell phone, something not everyone has.

No cell phone = no two-factor authentication.

Not entirely correct. For travel and other emergencies you can pre-print up to 10 2-factor authentication codes on a paper and take with you. Each code can be used only once (for up to 30 days if you allow cookies and allow the browser to be 'trusted').

»support.google.com/accounts/bin/···=1187538
»support.google.com/accounts/bin/···=2544838

As mentioned already, always use HTTPS

Re: Beware Hotel WiFi

Wed, 02 Jan 2013 20:23:06 EDT

TheMG posted :

said by AVD:

said by TheMG:

said by cacroll:

Google offers two factor login, to counteract this problem.

Which unfortunately requires a cell phone, something not everyone has.

No cell phone = no two-factor authentication.

you can use a house phone with it.

Which is useless because if you need to access the account away from home, well, you're out of luck. Also, your own computer at home is likely the lowest-risk environment you're going to log in to your account on.

I think it would be nice if they had the option of a hard token similar to the SecurID tokens. Something small you put on your keychain and doesn't rely on a phone.

Re: Beware Hotel WiFi

Wed, 02 Jan 2013 19:57:47 EDT

cacroll posted :

said by Vchat20:

It works with standard telephones, too. Basically it must be a phone number but they do either SMS or Voice. Mind you it is a 'they call you, you do not call them' so it must be a set, reliable number.

That's the one drawback with the house phone option - you have to register it in advance - so it's useless when you travel. That's where the burner cell phone is a necessity.
--
Cheers,
Chuck
Nitecruzr Dot Net
Google+ - Nitecruzr

Re: Beware Hotel WiFi

Wed, 02 Jan 2013 19:54:46 EDT

cacroll posted : Or a house phone - if one is convenient and if you like listening to the robot.

Re: Beware Hotel WiFi

Wed, 02 Jan 2013 15:25:13 EDT

Archivis posted : There's a program called SSLstrip that does exactly what I was talking about. Works for gmail as well as other sites.
--
A government big enough to give you everything you want, is strong enough to take everything you have. -MLK

Re: Beware Hotel WiFi

Wed, 02 Jan 2013 15:23:51 EDT

Archivis posted : On many sites, https is used just for the authentication, but no for the actual session, so many sites can have your sessions hijacked and your accounts hacked even if you used https to sign in.

Gmail will use https for the entire session, but as I was saying earlier is that when someone intercepts the connections for wifi connections, they can intercept and automatically re-issue certifications in the middle of your session. Your browser may flag something, but most people click by it and not think anything of it. Some browsers may not be set high enough to notice it, setting only an innocuous alert at the bottom of the screen, or not at all.

There are all sorts of other various methods as well. If you went to an http site that had you log in and redirected you to an https site, you could be redirected to login somewhere that issues its own cert and then captures your credentials.

»www.ietf.org/mail-archive/web/tl···948.html

This is an outdated example one of many various security flaws that have been discovered in SSL/TLS over the years and if any of the devices are running unpatched firmware, it's easier for an attacker to pop in the middle and hijack your session.
--
A government big enough to give you everything you want, is strong enough to take everything you have. -MLK

Re: Beware Hotel WiFi

Wed, 02 Jan 2013 15:12:24 EDT

AVD posted :

said by Archivis:

said by dave:

gmail doesn't use https?

It doesn't matter if it does. HTTPS is not secure when you're on an open wireless network. There are tools in place that allow people to hijack sessions on open wi-fi networks, allowing them to place themselves in your secure session.

There are other tools that can even hijack wi-fi sessions to route through the hacker's laptop (or whatever) before the data gets sent to the wireless router. Everyone would connect to the laptop as its hotspot and the hacker's laptop would send that information onward, capturing everything in its path, including secure sessions.

https: protects against this
--
* seek help if having trouble coping
--Standard disclaimers apply.--

Re: Beware Hotel WiFi

Wed, 02 Jan 2013 15:09:23 EDT

Archivis posted :

said by dave:

gmail doesn't use https?

Re: Beware Hotel WiFi

Wed, 02 Jan 2013 14:42:26 EDT

AVD posted : they can call you, not smartphone required. I think the pad was 12, might be a few more, I'll check when home.
--
* seek help if having trouble coping
--Standard disclaimers apply.--

Re: Beware Hotel WiFi

Wed, 02 Jan 2013 13:15:56 EDT

Vchat20 posted :

said by AVD:

said by cacroll:

But "2 step verification" essentially uses one time passwords. You get the one time passwords using SMS, from your phone, when needed.

or carry the "one-time" pad with 12 passwords.

Actually when you set it up they do give you a list of emergency one time use' codes to stash in case the normal channels are unavailable. Think they give you 12?

And as noted: It works with standard telephones, too. Basically it must be a phone number but they do either SMS or Voice. Mind you it is a 'they call you, you do not call them' so it must be a set, reliable number.

But given the system is open source, there are numerous non-Android/SMS based authenticator clients you can also use: »en.wikipedia.org/wiki/Google_Aut···entation
--
I swear, some people should have pace-makers installed to free up the resources. Breathing and heart beat taxes their whole system, all of their brain cells wasted on life support.-two bit brains, and the second bit is wasted on parity! ~head_spaz

Re: Beware Hotel WiFi

Wed, 02 Jan 2013 12:55:41 EDT

dave posted :

said by AVD:

you can use a house phone with it.

A handy solution to avoiding problems with hotel wi-fi, then.

Re: Beware Hotel WiFi

Wed, 02 Jan 2013 10:17:38 EDT

AVD posted :

said by cacroll:

But "2 step verification" essentially uses one time passwords. You get the one time passwords using SMS, from your phone, when needed.

or carry the "one-time" pad with 12 passwords.
--
* seek help if having trouble coping
--Standard disclaimers apply.--

Re: Beware Hotel WiFi

Wed, 02 Jan 2013 10:16:18 EDT

AVD posted :

said by TheMG:

said by cacroll:

Google offers two factor login, to counteract this problem.

Which unfortunately requires a cell phone, something not everyone has.

No cell phone = no two-factor authentication.

you can use a house phone with it.
--
* seek help if having trouble coping
--Standard disclaimers apply.--

Re: Beware Hotel WiFi

Tue, 01 Jan 2013 11:40:44 EDT

cacroll posted : You can get a prepaid "burner" phone for maybe $20. If you never use it for voice communication, it's there when you need it for backup Google access.

Re: Beware Hotel WiFi

Tue, 01 Jan 2013 11:34:55 EDT

cacroll posted : They use one time passwords, already, for non browser applications. They call them "Application-specific passwords".

Some applications that work outside a browser aren't yet compatible with 2-step verification and cannot ask for verification codes.

But "2 step verification" essentially uses one time passwords. You get the one time passwords using SMS, from your phone, when needed.
--
Cheers,
Chuck
Nitecruzr Dot Net
Google+ - Nitecruzr

Re: Beware Hotel WiFi

Tue, 01 Jan 2013 07:06:17 EDT

Baud1200 posted : Its really not that hard for people to set up and fake a free wireless provider.
Simple as using one of these and just naming your honeypot network the appropriate name to get suckers to try connect to it.

»hak5.org/store/wifi-pineapple-version-2

Really not much to it at all, this is just one simple example and an old one at that, the new product is even more invasive. Resourceful users can make the hardware themselves. A knowledgeable user can do even more with a laptop w/promiscuous mode wifi adapter and the appropriate hardware setup.
Just take one of these to your hotel room and mimic a name that might get ignorant users to connect ie. "HotelName_Wifi" and watch them connect in droves.

Solution: Don't be an ignorant user. Know what you are doing and how you are doing it; and simply don't use public access wifi.

Re: Beware Hotel WiFi

Tue, 01 Jan 2013 01:05:06 EDT

Spike posted : I've been staying in a hotel myself for Christmas and new years and since I refuse to pay for clear unencrypted laggy WiFi, I went the Rogers LTE Rocket Hub route instead.

You cannot guarantee *anything* you do online is safe when using clear WiFi unless its over a VPN tunnel, but even then, why should anyone pay for laggy WiFi that doesn't guarantee any decently usable service as well as a VPN tunnel?

Re: Beware Hotel WiFi

Mon, 31 Dec 2012 22:10:14 EDT

OZO posted : Good. Because a two or even five factor verification is not a solution for hotel WiFi hacking problem. Especially if it requires a cell phone... Your personal VPN, IMHO, is.
--
Keep it simple, it'll become complex by itself...

Re: Beware Hotel WiFi

Mon, 31 Dec 2012 21:47:04 EDT

TheMG posted :

said by cacroll:

Google offers two factor login, to counteract this problem.

Which unfortunately requires a cell phone, something not everyone has.

No cell phone = no two-factor authentication.

Re: Beware Hotel WiFi

Mon, 31 Dec 2012 21:21:58 EDT

OZO posted : Assuming that it's working as described. How one time log in is much better idea than anything? What if you will have to check your gmail account again in a half of hour and so on? And you'll have to think twice (or even more than that) before you log out... It's not practical at all.
--
Keep it simple, it'll become complex by itself...

Re: Beware Hotel WiFi

Mon, 31 Dec 2012 16:21:36 EDT

MacGyver posted : It's an idea I pitched to Google.

Re: Beware Hotel WiFi

Mon, 31 Dec 2012 16:18:54 EDT

trparky posted : I have a VPN setup on my home router as well. I use that while connected to open WiFi hotspots. Either that, or I tether my device to my smartphone that has tethering built in.

Re: Beware Hotel WiFi

Mon, 31 Dec 2012 16:10:40 EDT

AVD posted :

said by MacGyver:

A much better idea in my opinion is the setting of one-time use passwords. You set them in advance in your GMail account while you are at home using your regular password, then if you have to login in an insecure environment, using a one-time password that is no good afterwards ensures your account can't be hijacked.

how to? (or is this the one time pad for 2 step authentication)
--
* seek help if having trouble coping
--Standard disclaimers apply.--

Re: Beware Hotel WiFi

Mon, 31 Dec 2012 15:40:14 EDT

MacGyver posted : A much better idea in my opinion is the setting of one-time use passwords. You set them in advance in your GMail account while you are at home using your regular password, then if you have to login in an insecure environment, using a one-time password that is no good afterwards ensures your account can't be hijacked.

Re: Beware Hotel WiFi

Mon, 31 Dec 2012 02:44:28 EDT

cacroll posted : People are constantly attempting to login to my GMail / Google account. Google offers two factor login, to counteract this problem.

I enabled two factor login, some time ago. This protects me from people in China, and other countries - but it causes occasional inconvenience.

If you enable two factor login, be sure to always carry your cell phone (or whatever token you choose). If you move location / change browser / change computer frequently, when using GMail, plan to have times when using two factor login can cause stress.
--
Cheers,
Chuck
Nitecruzr Dot Net
Google+ - Nitecruzr

Re: Beware Hotel WiFi

Sun, 30 Dec 2012 22:48:12 EDT

anon posted : I had the same gmail problem, about a week or two ago... but from the US and google warned of suspicious activity... turns out something sent junk URL to some contacts from my gmail. However, I figure this was my fault since I foolishly logged into my gmail from a somewhat 'public' machine. Since this was just my personal gmail account, this was very low-risk for me, I use a different password for my more sensitive accounts anyways, but have moved to a password manager, (lastpass).

I figure a bot/rootkit or some type of logger picked up my password, my gmail password was somewhat strong... was 10 chars total, with four numbers, and a mix of upper and lower case letters, so i'm confident it was not brute force.

Re: Beware Hotel WiFi

Sun, 30 Dec 2012 19:28:17 EDT

TheMG posted : Setup your own VPN server at home or on your router (if it has this capability). Then, always use the VPN while using untrusted networks.

I do this all the time now. It also has uses beyond security/privacy, as it effectively allows you to stop any html injection, DNS redirection, blocked sites, blocked ports, etc. For me it's just like being at home, minus the speed, since the download speeds over the VPN are limited by my home connection's upload speed (a measly 1Mbps).

Re: Beware Hotel WiFi

Sun, 30 Dec 2012 15:38:55 EDT

wa2ibm posted : You might want to check if your home ISP offers VPN services (mine does). Then if you're on a public network (hotel, coffee shop, etc.), you simply log into your ISP's VPN first, then everything you do through the local network is encrypted. There are VPN clients for most every platform (PC, Mac, iPhone, Android).
--
- Bill

Re: Beware Hotel WiFi

Sun, 30 Dec 2012 14:10:06 EDT

StuartMW posted : Well if a Chinese hacker had access to hotel Wi-Fi and the user was using an encrypted connection to get their email (SSL/TLS/HTTPS/VPN etc) they'd have seen nothing but gibberish. The email address would be unknown by the hacker. If standard (unencrypted) POP/SMTP was used they'd have seen the email addy and the password (as clear text). With the latter no "hacking attempts" would've been required--they'd simply log in.

In short it's probably coincidence.
--
Don't feed trolls--it only makes them grow!

Re: Beware Hotel WiFi

Sun, 30 Dec 2012 14:00:26 EDT

dave posted : Ah, ok. So we're left with not really knowing how the exposure happened - since IMAP and POP require SSL/TLS, and HTTPS is at least possible....

Re: Beware Hotel WiFi

Sun, 30 Dec 2012 13:59:51 EDT

peterboro posted : Someone tried to hack my Gmail Dec. 1st. Maybe they are targeting us nice Canadians and it is a coincidence. ;)

»Google gibberish?

Re: Beware Hotel WiFi

Sun, 30 Dec 2012 13:57:06 EDT

Napsterbater posted : I was talking about IMAP and POP connections to google/gmail, they require SSL or TLS

Re: Beware Hotel WiFi

Sun, 30 Dec 2012 13:06:55 EDT

StuartMW posted :

said by dave:

POP and SMTP *can* use secured connections but it's not mandatory in the protocol...

Yup. POP/SMTP are plain-text (including passwords) protocols. Many providers now allow it over SSL/TLS (encrypted) connections but some don't.

Most hotel/hotspot Wi-Fi is unencrypted so users using POP/SMTP over that show everything to anyone looking.
--
Don't feed trolls--it only makes them grow!

Re: Beware Hotel WiFi

Sun, 30 Dec 2012 12:54:26 EDT

dave posted :

said by Napsterbater:

IMAP and POP use SSL or TLS

I was assuming (incorrectly) that the access was via a web browser.

POP and SMTP *can* use secured connections but it's not mandatory in the protocol and for all I know, gmail doesn't insist. I myself use Verizon, and they offer but do not require the use of secured connections (you configure your client for a different port number).

Re: Beware Hotel WiFi

Sun, 30 Dec 2012 10:45:39 EDT

Napsterbater posted : IMAP and POP use SSL or TLS

Re: Beware Hotel WiFi

Sun, 30 Dec 2012 09:40:11 EDT

Hank posted :

said by dave:

gmail doesn't use https?

Did a Google search and several articles came up. Here is an example.

»howto.cnet.com/8301-11310_39-200···account/

I don't use gmail so I have not experience with it.

Re: Beware Hotel WiFi

Sun, 30 Dec 2012 09:39:33 EDT

MacGyver posted : This was with the iPad's built-in email app. I don't know if it uses HTTPS login like the web login forces.

I have no concrete proof, which isn't unexpected with most security breaches, but I think it's just too much of a coincidence that this hack occurred on the same day we checked out of the hotel.

Re: Beware Hotel WiFi

Sun, 30 Dec 2012 09:29:28 EDT

dave posted : gmail doesn't use https?

Beware Hotel WiFi

Sun, 30 Dec 2012 09:19:46 EDT

MacGyver posted : I run a tight network ship at home for the family. We just got back from four days on the road, including two nights at a hotel. We used the hotel wifi to keep connected, including my wife checking her Gmail account via our iPad. Upon our return, my wife found a warning from Gmail that somebody from China had attempted to login to her account. This was confirmed by looking at the login details in her Gmail account.

I didn't have this problem as I use my Blackberry to check my Gmail.

Just a reminder to all, never use hotel wifi to login to any account that you value! It's worthwhile using a separate address you only access from home or work for your sensitive stuff like banking and domain registration.