Travel Technology - are people sniffing out your name and password even over a VPN?

This interesting article (http://story.news.yahoo.com/news?tmpl=story&cid=74&e=2&u=/cmp/20031224/tc_cmp/17100109) on Yahoo details how at a recent trade show, numerous people using wi fi were hacked using "man in the middle" attacks which succeeded quite often in getting user names and passwords even with people using a supposedly secure VPN.

Also, NOTICE THAT WINDOWS XP IS VULNERABLE TO AD HOC NETWORK "ATTACKS"!!!! You need to be careful to SHUT OFF this "feature".

<font face="Verdana, Arial, Helvetica, sans-serif" size="2">n addition, the company said it monitored 33 attacks against Extensible Authentication Protocol (EAP), 75 denial-of-service (DoS) attacks aimed at access points and 12 DoS-cloud attacks that attack every user on a specific wireless channel.

The company also reported 25 attacks that broadcast fake access point SSIDs. In fact, the fake SSIDs were for ad hoc wireless connections. Windows XP (news - web sites) users are particularly vulnerable to that type of attack because the fake network shows up as an available WLAN and some users try to log on. When that happens, they are simply sending clear-text information directly to the hacker, Tanzella said. </font>

<font face="Verdana, Arial, Helvetica, sans-serif" size="2">Originally posted by richard:
This interesting article (http://story.news.yahoo.com/news?tmpl=story&cid=74&e=2&u=/cmp/20031224/tc_cmp/17100109) on Yahoo details how at a recent trade show, numerous people using wi fi were hacked using "man in the middle" attacks which succeeded quite often in getting user names and passwords even with people using a supposedly secure VPN.

Also, NOTICE THAT WINDOWS XP IS VULNERABLE TO AD HOC NETWORK "ATTACKS"!!!! You need to be careful to SHUT OFF this "feature".

</font>

Cutting and pasting of login and password are quite useful... especially on public computers.

Any number of things can guard against a man-in-the-middle attack. If you fire up a VPN at a "Wi-Fi" show, you are begging for trouble and should probably know better.

If somebody wants to sniff my VPN credentials, for instance, I'm all for it, because unless they manage to man-in-the-middle me within about 5 or so seconds, my one-time auth token will expire or miss, thus rendering that particular credential worthless. Little things....

I maintain, however, that anybody who does anything but commodity web surfing at a show like this on the wireless network has is coming.... I'd be the guy in the corner with the 1-meter cat-5e plugged in....

------------------
Don't feed the trolls.

<font face="Verdana, Arial, Helvetica, sans-serif" size="2">Originally posted by ClueByFour:
Any number of things can guard against a man-in-the-middle attack. If you fire up a VPN at a "Wi-Fi" show, you are begging for trouble and should probably know better.

If somebody wants to sniff my VPN credentials, for instance, I'm all for it, because unless they manage to man-in-the-middle me within about 5 or so seconds, my one-time auth token will expire or miss, thus rendering that particular credential worthless. Little things....

I maintain, however, that anybody who does anything but commodity web surfing at a show like this on the wireless network has is coming.... I'd be the guy in the corner with the 1-meter cat-5e plugged in....

</font>


Well, you're more vigilant than most people. And smarter about computers.

What about airline clubs or hotels? Lots of savvy people there who might want to run some packet sniffing program in promiscuous mode just for fun.

The interesting thing about this news story is that it was presumably savvy people who got exploited.

Anyone who isn't using AES encryption with an active KMS is asking to be hacked. http://www.flyertalk.com/travel/fttravel_forum/smile.gif

WiFi cards are out now that support AES and decent access points support it. Mine do and they also have AES turned on by default for wireless backhaul links.

If you use AES with decent KM, then you cannot be hacked. It's that simple. Soon products will have WPA and eventually 802.11i which will make Wi-Fi suitable for use in IT apps.

<font face="Verdana, Arial, Helvetica, sans-serif" size="2">Originally posted by stimpy:
Anyone who isn't using AES encryption with an active KMS is asking to be hacked. http://www.flyertalk.com/travel/fttravel_forum/smile.gif

WiFi cards are out now that support AES and decent access points support it. Mine do and they also have AES turned on by default for wireless backhaul links.

If you use AES with decent KM, then you cannot be hacked. It's that simple. Soon products will have WPA and eventually 802.11i which will make Wi-Fi suitable for use in IT apps.

</font>

Which is completely useless for people on the road in hotels and airports...

Currently the only solutions on public networks are software solutions on your own pc and servers, with the lack of any form of security on public WiFi networks you NEED to take your own precautions.

<font face="Verdana, Arial, Helvetica, sans-serif" size="2">Originally posted by ScottC:
Which is completely useless for people on the road in hotels and airports...

Currently the only solutions on public networks are software solutions on your own pc and servers, with the lack of any form of security on public WiFi networks you NEED to take your own precautions.</font>


Precisely why I now forego 802.11b completely unless at home and just deal with mid-speed browsing with a Sprint 1x Aircard. In a year or so when 1xEV-DV rolls out it should be even less of a speed penalty, but I know for SURE no one's gonna hack that.