FlyerTalk Forums


back seat Nov 30, 2005 3:01 pm

Packet Sniffers
 
I guess I am getting paranoid, but I am trying to figure out how much a “threat” packet sniffers are. People are saying that a person with a piece of freeware can watch all of your traffic in a public WIFI location.

Is this correct? If so what are people doing to protect themselves?

jfe Nov 30, 2005 3:15 pm

I use WildPackets, and it's a great piece of software.

Mostly use it for troubleshooting client/server configurations and discovering network bottlenecks, but it's amazing the stuff you can see with them.

You want protection, connect via a VPN, you can see the connection and traffic, but everything is secure.

bpratt Nov 30, 2005 3:18 pm

true, but not a big worry
 
Network analyzers (Sniffer is a registered trademark of Network General) can be used to watch all the packets going to/from a WiFi AP. Ethereal is the best known "free" network analyzer.
However, going from the raw packets to what you're actually doing is not trivial. I've been working with network analyzers since I helped build some of the first commercial ones in the late 80's and early 90's, and it's still not easy for me.
In addition, any traffic to/from a commercial website should be encrypted (https: in the URL and look for the "lock" symbol in your browser), which means that all a bad guy could tell is how much total data you sent to the site, not any of the contents. Similarly, if you are connecting to a corporate LAN you should be doing it over an IPSEC or SSL VPN, which is also encrypted.
You shouldn't send any confidential data in the clear over a public WiFi link. Just make sure you use the secure logon pages for Amazon, eBay, Etrade, etc, and you should be fine.

Bob


Originally Posted by back seat
I guess I am getting paranoid, but I am trying to figure out how much a “threat” packet sniffers are. People are saying that a person with a piece of freeware can watch all of your traffic in a public WIFI location.

Is this correct? If so what are people doing to protect themselves?


mbreuer Nov 30, 2005 3:22 pm


Originally Posted by back seat
I guess I am getting paranoid, but I am trying to figure out how much a “threat” packet sniffers are. People are saying that a person with a piece of freeware can watch all of your traffic in a public WIFI location.

Is this correct? If so what are people doing to protect themselves?

It is certainly a risk. There are many others, too. If you need to do something online when the connection is not secure, you need to connect to a trusted system via a VPN (encrypted tunnel). A very simple example would be something like pc-anywhere. You'd connect securely to your machine and use that for whatever you need to do.

kenfry Nov 30, 2005 3:23 pm

snoop and tcpdump, but for Windows I use Ethereal.
It does magic for me.

I also use Google Secure Access, and it works well for me

UALOneKPlus Nov 30, 2005 3:37 pm

try megaproxy.com

Loren Pechtel Nov 30, 2005 4:33 pm


Originally Posted by back seat
I guess I am getting paranoid, but I am trying to figure out how much a “threat” packet sniffers are. People are saying that a person with a piece of freeware can watch all of your traffic in a public WIFI location.

Is this correct? If so what are people doing to protect themselves?

Sure they can unless you have a secure connection. You shouldn't be sending sensitive stuff over the wire without an encrypted connection anyway.

DavidNZ Nov 30, 2005 5:27 pm

One thing I am considering purchasing for my home office is a wireless router that has VPN capabilities. That way, when overseas and at a public WiFi hotspot, I log into my own VPN at home and use that internet connection to transfer data. This way, you're using your own bandwidth on your home plan (plus whatever you pay at the public hotspot, if it charges). At least I think that's how it works!

The most recent editions of Security Now! with Steve Gibson and Leo Laporte have been talking about it http://www.grc.com/securitynow.htm.

kanebear Nov 30, 2005 6:28 pm


Originally Posted by DavidNZ
One thing I am considering purchasing for my home office is a wireless router that has VPN capabilities. That way, when overseas and at a public WiFi hotspot, I log into my own VPN at home and use that internet connection to transfer data. This way, you're using your own bandwidth on your home plan (plus whatever you pay at the public hotspot, if it charges). At least I think that's how it works!

The most recent editions of Security Now! with Steve Gibson and Leo Laporte have been talking about it http://www.grc.com/securitynow.htm.

I go one step further. When I'm on a public WiFi hotspot, I send ALL my traffic over the VPN. It's slower, but I don't have to worry about anyone looking at anything.

SpaceBass Nov 30, 2005 6:28 pm


Originally Posted by back seat
I guess I am getting paranoid, but I am trying to figure out how much a “threat” packet sniffers are. People are saying that a person with a piece of freeware can watch all of your traffic in a public WIFI location.

Is this correct? If so what are people doing to protect themselves?

Edited to include:
As usual I didn't read carefully enough and Kanebear provided the best advice... listen to that Podcast or at least read the transcripts. I love listening and my wife hates it b/c I keep saying "I've been saying that for years!!!"... Gibson is a lovable nut and is right on when it comes to security.


here's the deal...and I'm not overly simplifying...

Anything you do on a public network (hotel, etc) or on wifi should be something you are ok with being on the front of the newspaper tomorrow.

Sniffers (as others have pointed out) pretty much rely on hubs, of which some research (see the podcast mentioned above) suggests over 50% of hotels use. Switches work on a lower level and basically help protect against sniffing- traditionally speaking.

Nevertheless there is stuff out there that can "poison" the switch and then capture packets... thus reading everything you send.

It's important to remember that POP (email) is completely insecure, as are a lot of protocols (isn't the sign-in to flyertalk insecure?). Even if you don't do anything private, there are still people who enjoy watching your surfing habits.

Your best bet is to get a VPN router at home (Linksys makes one for like $100) where you can then establish a very secure connection back to your home router (and access files, etc) and be assured that you are safe. There are also home SSL servers that allow similar things via web pages (SSL Explorer is a good one). Even easier are some of the aforementioned proxy servers, but you HAVE to use the SSL (https) web connection. I like proxify.com...

Bottom line, public Wifi and hotels are completely and utterly insecure....

-N
p.s. I AM that guy, I always run a certain piece of software on every public network... it's amazing... I have even sent people e-mails from themselves (using their POP info) to tell them exactly what I'm typing here.
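A defender-side check for the switch "poisoning" mentioned in the post above, added here as an example and not part of any poster's message: it compares successive ARP-table snapshots and flags a gateway whose MAC address changes or is shared with another host. The `arp -an` style snapshot text, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches `arp -an` style lines; "<incomplete>" entries carry no MAC and are skipped.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

def parse_arp(text):
    """Return {ip: mac} for every resolved entry in one ARP-table dump."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_anomalies(snapshots, gateway_ip):
    """Return (snapshot_index, kind, ip, detail) tuples for suspicious changes.

    A changed mapping can also be benign (router swap, DHCP reassignment),
    so these are leads to investigate, not proof of an attack.
    """
    findings = []
    seen = {}  # last MAC observed for each IP
    for index, text in enumerate(snapshots):
        table = parse_arp(text)
        for ip, mac in sorted(table.items()):
            old = seen.get(ip)
            if old is not None and old != mac:
                kind = "gateway-mac-changed" if ip == gateway_ip else "mac-changed"
                findings.append((index, kind, ip, f"{old} -> {mac}"))
        # One MAC answering for the gateway and for another host at the same time.
        owners = defaultdict(list)
        for ip, mac in table.items():
            owners[mac].append(ip)
        gw_mac = table.get(gateway_ip)
        if gw_mac and len(owners[gw_mac]) > 1:
            others = sorted(ip for ip in owners[gw_mac] if ip != gateway_ip)
            findings.append((index, "gateway-mac-shared", gateway_ip,
                             f"{gw_mac} also claims {', '.join(others)}"))
        seen.update(table)
    return findings

# Constructed sample data: two dumps of a laptop's ARP table a minute apart.
GATEWAY = "192.168.1.1"
SNAPSHOTS = [
    "? (192.168.1.1) at 02:00:00:00:00:01 [ether] on wlan0\n"
    "? (192.168.1.23) at 02:00:00:00:00:17 [ether] on wlan0\n"
    "? (192.168.1.40) at <incomplete> on wlan0",
    "? (192.168.1.1) at 02:00:00:00:00:17 [ether] on wlan0\n"
    "? (192.168.1.23) at 02:00:00:00:00:17 [ether] on wlan0",
]

if __name__ == "__main__":
    for finding in find_anomalies(SNAPSHOTS, GATEWAY):
        print(finding)
```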

cbd_sea Nov 30, 2005 6:32 pm


Originally Posted by Loren Pechtel
Sure they can unless you have a secure connection. You shouldn't be sending sensitive stuff over the wire without an encrypted connection anyway.

Except that most POP3 or IMAP mailboxes are not secure. This is because most ISPs don't enforce or even offer secure options like SPOP or IMAPS, or APOP, which at least keeps your password obscured though your mail data is cleartext.

What does that mean? If you run Outlook Express or Outlook on your laptop and have a personal email account that uses POP3 or IMAP, **even if you are VPNed into your work network**, that traffic is in the clear.

It means in many cases your password and email for your ISP accounts are available to be sniffed.

Of course I know all of this and still check my ISP email, using POP3 all the time. I'm sitting at SFO gate 81 doing it now...
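To make the distinction in the post above concrete (plain POP3, APOP, and a TLS-protected session), here is an added example, not written by any poster, that audits a client-side POP3 session log and reports whether the password and the mail itself crossed the network in the clear. The transcripts, host names and the `audit_pop3_session` function are constructed for illustration.

```python
import re

# RFC 1939: a server that supports APOP puts a <timestamp@host> token in its greeting.
APOP_BANNER = re.compile(r"^\+OK\b.*<[^<>\s]+@[^<>\s]+>")

def audit_pop3_session(lines, implicit_tls=False):
    """lines: (direction, text) pairs, direction 'S' (server) or 'C' (client).

    implicit_tls=True means the whole session ran inside TLS from the start
    (POP3S on port 995); otherwise TLS only starts after a successful STLS.
    """
    report = {"apop_offered": False, "stls_offered": False, "login": None,
              "password_exposed": False, "mail_exposed": False}
    tls = implicit_tls
    stls_pending = False
    for direction, text in lines:
        text = text.strip()
        verb = text.split(" ", 1)[0].upper()
        if direction == "S":
            if APOP_BANNER.match(text):
                report["apop_offered"] = True
            if text.upper() == "STLS":        # capability line in the CAPA reply
                report["stls_offered"] = True
            if stls_pending:                  # server's answer to the client's STLS
                tls = tls or text.startswith("+OK")
                stls_pending = False
        elif verb == "STLS":
            stls_pending = True
        elif verb in ("PASS", "APOP"):
            report["login"] = verb
            # APOP sends a digest instead of the password, but nothing else is protected.
            report["password_exposed"] = verb == "PASS" and not tls
            report["mail_exposed"] = not tls
    return report

# Constructed sample sessions (client debug logs, credentials replaced by placeholders).
PLAIN = [("S", "+OK POP3 ready"), ("C", "CAPA"), ("S", "+OK"), ("S", "USER"),
         ("S", "UIDL"), ("S", "."), ("C", "USER alice"), ("S", "+OK"),
         ("C", "PASS <placeholder>"), ("S", "+OK")]
APOP = [("S", "+OK POP3 ready <1234.5678@mail.example.net>"),
        ("C", "APOP alice <placeholder-digest>"), ("S", "+OK")]
STLS = [("S", "+OK POP3 ready"), ("C", "CAPA"), ("S", "+OK"), ("S", "STLS"),
        ("S", "USER"), ("S", "."), ("C", "STLS"), ("S", "+OK Begin TLS negotiation"),
        ("C", "USER alice"), ("S", "+OK"), ("C", "PASS <placeholder>"), ("S", "+OK")]

if __name__ == "__main__":
    for name, session in (("plain", PLAIN), ("apop", APOP), ("stls", STLS)):
        print(name, audit_pop3_session(session))
```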

back seat Nov 30, 2005 6:39 pm


Originally Posted by SpaceBass
Anything you do on a public network (hotel, etc) or on wifi should be something you are ok with being on the front of the newspaper tomorrow.

Bottom line, public Wifi and hotels are completely and utterly insecure....

This makes me very uneasy now. . . .

I will now take the extra few steps and login to our company's VPN starting now.

ScottC Nov 30, 2005 6:41 pm


Originally Posted by kenfry
snoop and tcpdump, but for Windows I use Ethereal.
It does magic for me.

I also use Google Secure Access, and it works well for me

When did you last use it?

A month ago they blocked it for all locations except for their one public AP...

SpaceBass Nov 30, 2005 6:41 pm


Originally Posted by cbd_sea

Of course I know all of this and still check my ISP email, using POP3 all the time. I'm sitting at SFO gate 81 doing it now...

ohhh you're [email protected] with the password of....
:D

SpaceBass Nov 30, 2005 6:47 pm


Originally Posted by back seat
This makes me very uneasy now. . . .

I will now take the extra few steps and login to our company's VPN starting now.

Don't get me wrong, I mean to scare!

My uncle is the president of a significant company and he frequently works from home and installed a regular Belkin wireless router.... didn't make any changes. I used that certain program I mentioned and showed him his email, passwords and even Excel sheet of salaries....

My company is the opposite, we don't even have OWA outside of our network.

At home I run my own Exchange server (and VPN of course) but I use a secure cert for OWA and it works great for secure e-mail anywhere.

-N

PremEx Nov 30, 2005 7:26 pm


Originally Posted by kanebear
I go one step further. When I'm on a public WiFi hotspot, I send ALL my traffic over the VPN. It's slower, but I don't have to worry about anyone looking at anything.

I do the same at public Wi-Fi hotspots. As I don't have a corporate VPN to use, I subscribed to:

http://www.personalvpn.com/

...and only pay $39.50 per year for the service. Works great, though it does slow your speed somewhat, but nothing that's really noticeable.

back seat Nov 30, 2005 9:12 pm

Another question / concern.

At home I just hook up to the internet through a Linksys Router - that should keep my traffic local - right? Somebody running a packet sniffer shouldn't be able to see my email or am I fooling myself?

ClueByFour Nov 30, 2005 9:21 pm

Whoever noted that you should not do anything that you don't want to catch in the paper is spot on. That said, I run my work stuff thru a VPN, read my personal e-mail via SSH on a shell account (remember those?), and when the need arises, bounce off an SSL proxy that a personal friend has.

That said, I don't really care if joe hacker knows that I'm reading cnn.com and the like.

kenfry Nov 30, 2005 9:34 pm


Originally Posted by ClueByFour
read my personal e-mail via SSH on a shell account (remember those?), and when the need arises, bounce off an SSL proxy that a personal friend has.

Do I hear a vote for pine, and socks? :D

bpratt Nov 30, 2005 10:42 pm


Originally Posted by back seat
Another question / concern.

At home I just hook up to the internet through a Linksys Router - that should keep my traffic local - right? Somebody running a packet sniffer shouldn't be able to see my email or am I fooling myself?

If you're hard wired to the router (i.e. not using wireless/802.11), you are slightly more secure, as someone would have to compromise a point upstream in the Internet to read your traffic. That's not impossible, but it's much harder to crack a Telco or ISP router than it is to capture packets going wireless to an 802.11 access point 15 feet away.

Log on to public web sites via the HTTPS (secure) option if available. DON'T do banking or anything else critical if there isn't a secure option. Use VPN or SSL connections wherever possible.
If you must download email via POP or another "in the clear" protocol, you're probably OK if you are using a wired connection at home straight to a DSL router to your ISP, as the only compromise points are at major ISP/telco locations that are generally well monitored and secure. Having said that, I wouldn't do it myself.

On the other hand, I'm posting this via unencrypted wireless to an 802.11 AP, but if someone did sniff it all they'd get would be my flyertalk logon/password. Not a big deal.

That brings up another good security point. DON'T USE THE SAME PASSWORD EVERYWHERE. Especially don't use the same password at secure sites (like your bank) and insecure sites (like this chat room). If someone gets your password from one site, they'll try it at others.

Bob
PS: I know I'm vastly oversimplifying everything above, but it would be much too complex to explain really good Internet hygiene here. But if anyone's curious, I've been a 'Net user since it was the Arpanet running POP instead of TCP/IP, and I've been building network management and security products since 1988, so I really do know what I'm doing, even if my posts don't make that clear :-)

ClueByFour Nov 30, 2005 10:56 pm


Originally Posted by kenfry
Do I hear a vote for pine, and socks? :D

Something like that :).

Pine is good stuff. I don't know if I'll ever be able to switch. I simply cannot manage e-mail as quickly with any GUI based mail clients.

SpaceBass Dec 1, 2005 6:07 am

If you want to keep your email safe then ask your ISP if they support secure POP, which they should. Then it is a simple config change in your e-mail client.

However, as others have pointed out, e-mail is just plain insecure. If you want to shore it up a bit there are encryption programs (OpenPGP, etc) but they require that each user has the program yadda yadda... and there is very little preventing that email from being forwarded once decrypted. You can also get a personal certificate from someone like registerfly.com which will allow Outlook to encrypt email.

But banking and shopping online, as long as you see the little padlock, is very very safe.

Wireless at home is a tricky beast. The only strong protection is WPA. WEP (on older models) and MAC filtering are 100% worthless. In other threads others have pointed out "yeah, but who is going to bother when there are tons of open APs around?".... any 12 year old with free software is who!
Turn on WPA on your router and you are golden (of course Steve Gibson would suggest a 63bit password from www.grc.com/pass... which is what I do and keep it on a network share on my LAN and on a USB stick)

mbreuer Dec 1, 2005 8:49 am


Originally Posted by back seat
Another question / concern.

At home I just hook up to the internet through a Linksys Router - that should keep my traffic local - right? Somebody running a packet sniffer shouldn't be able to see my email or am I fooling myself?

If it's wireless, you should enable encryption.

ScottC Dec 1, 2005 8:56 am


Originally Posted by ClueByFour
Pine is good stuff. I don't know if I'll ever be able to switch. I simply cannot manage e-mail as quickly with any GUI based mail clients.

FREAK :D

fly-yul Dec 1, 2005 10:31 am


Originally Posted by back seat
I guess I am getting paranoid, but I am trying to figure out how much a “threat” packet sniffers are. People are saying that a person with a piece of freeware can watch all of your traffic in a public WIFI location.

Is this correct? If so what are people doing to protect themselves?

WIFI or not, all your data is available for packet capture to anyone upstream. What should you do? The same thing as always. Use SSH, SSL and HTTPS. If your packets are encrypted it does not matter who is looking at them. :)

mbreuer Dec 1, 2005 11:35 am


Originally Posted by fly-yul
WIFI or not, all your data is available for packet capture to anyone upstream. What should you do? The same thing as always. Use SSH, SSL and HTTPS. If your packets are encrypted it does not matter who is looking at them. :)

This depends on who is operating the AP. It is possible to intercept ssl (https). The user would probably get a message about the key not being issued by the provider, but those are common enough messages that most people would probably just click, "OK."

thegingerman Dec 1, 2005 12:39 pm


Originally Posted by SpaceBass
Wireless at home is a tricky beast. The only strong protection is WPA. WEP (on older models) and MAC filtering are 100% worthless. In other threads others have pointed out "yeah, but who is going to bother when there are tons of open APs around?".... any 12 year old with free software is who!
Turn on WPA on your router and you are golden (of course Steve Gibson would suggest a 63bit password from www.grc.com/pass... which is what I do and keep it on a network share on my LAN and on a USB stick)

Even if you have WEP and MAC filtering it's still easy to crack? I'm not a techie, so I didn't know that.

Could you tell me how WPA differs and why it's stronger? I've got a 2-3 year old Linksys router, and don't remember seeing it on there.

mbreuer Dec 1, 2005 1:26 pm


Originally Posted by thegingerman
Even if you have WEP and MAC filtering it's still easy to crack? I'm not a techie, so I didn't know that.

Could you tell me how WPA differs and why it's stronger? I've got a 2-3 year old Linksys router, and don't remember seeing it on there.

MAC filtering can be defeated by changing your MAC address to match what is expected by the router.

There are numerous sites with WEP hacks posted.

WPA uses better encryption and key-exchange methods and so is more difficult to defeat. Organizations where security is important run WPA and also use a VPN over the encrypted link.

cbd_sea Dec 1, 2005 5:45 pm


Originally Posted by kenfry
I also use Google Secure Access, and it works well for me

but you have to live in mountain view to get it...

SpaceBass Dec 2, 2005 6:31 am


Originally Posted by thegingerman
Even if you have WEP and MAC filtering it's still easy to crack? I'm not a techie, so I didn't know that.

Could you tell me how WPA differs and why it's stronger? I've got a 2-3 year old Linksys router, and don't remember seeing it on there.

MAC filtering is pretty simple to crack. Basically- as you probably know- the MAC address is just a unique ID assigned to each network device (Be it wired or wireless). MAC filtering tells the AP to only allow certain wireless devices. However when signals go out from the AP, the MAC address info is sent in the clear. Basically it's out there yelling "HEY, I've got a web page here for 123abc, who is 123abc? anyone? anyone?" All someone has to do is intercept that message, change their MAC to 123abc and they are on the AP.

WEP's weakness gets tricky, someone else can probably explain this better than I can. But basically there is a pre-shared key that is used to generate the cryptography. The AP sends its part of the key and a request for the response to any device trying to connect. Widely available software can even stimulate the AP into sending even more data which. After there is enough data sent cracking software can determine the master key from all the pieces.

WPA uses the same cryptography, but it takes the key and hashes it something like 1024 times then changes it fairly often. It also encapsulates the key itself whereas WEP sends it in the clear. Basically with WPA, once the secure connection is established, the key changes faster than it can be cracked. WPA CAN be cracked, but it requires someone to capture a LOT of data and use a powerful computer to run a brute force crack against it. So if your WPA password is something like "We Love Paris" even though it seems strong b/c it's a sentence, all the words are in the dictionary so it's subject to such an attack.

What I do, and Steve Gibson has recommended the same thing on a podcast, is use a random 63bit password. I keep it stored on an encrypted network share and on a USB key (that I keep locked in my wine fridge - only so I'll remember where it is). www.grc.com/pass has the best algorithm that I know of. What I HAD used was something I downloaded for OS X, but I think Gibson's is probably a tad stronger. When you use a 63bit password WPA is uncrackable- mathematically speaking.

Of course I'm also a freak- I don't want guests on my LAN so I have a separate wireless subnet with an open access point that only uses MAC filtering. I have some WiFi phones that don't support WPA. So even if it's cracked (and I cracked it myself several times just to learn) then people can only get out to the internet and are not on my network. I'm not thrilled with that solution at all currently... but it means my phones work and my LAN is safe. On my LAN I use WPA2 with the aforementioned 63bit password. So far I've never needed to have anyone join my LAN WiFi so the USB key is still next to the Turley and Martinelli zinfandels...

-N
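An added example, not part of the post above, showing the passphrase-to-key step and why a dictionary sentence is weaker than a random string. In WPA/WPA2-Personal the 256-bit key is derived with PBKDF2-HMAC-SHA1, 4096 iterations, using the network name (SSID) as salt; the word list, the assumed dictionary size of 100,000 words, the SSIDs and the function names below are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

def wpa_psk(passphrase, ssid):
    """Derive the 32-byte pre-shared key the way WPA/WPA2-Personal does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def estimate_bits(passphrase, known_words, dictionary_size=100_000):
    """Rough upper bound on guessing effort, in bits.

    If every word is in a dictionary, a guesser only has to try word
    combinations, so the length in characters no longer matters.
    dictionary_size is an assumed size for a realistic word list.
    """
    words = passphrase.lower().split()
    if words and all(w in known_words for w in words):
        return len(words) * math.log2(dictionary_size)
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # ASCII punctuation plus space
    return len(passphrase) * math.log2(max(pool, 1))

def random_passphrase(length=63):
    """Maximum-length random passphrase from printable ASCII (no spaces)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed stand-in for a real word list.
KNOWN_WORDS = {"we", "love", "paris", "home", "network"}

if __name__ == "__main__":
    weak = "We Love Paris"
    strong = random_passphrase()
    # Same passphrase, different SSID: the salt changes the derived key,
    # so work done against one network name does not carry over to another.
    print(wpa_psk(weak, "HomeAP").hex())
    print(wpa_psk(weak, "CafeAP").hex())
    print(f"{weak!r}: about {estimate_bits(weak, KNOWN_WORDS):.0f} bits")
    print(f"random 63 chars: about {estimate_bits(strong, KNOWN_WORDS):.0f} bits")
```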

thegingerman Dec 2, 2005 6:45 am

Great explanation, thanks!

mbreuer Dec 2, 2005 9:19 am


Originally Posted by SpaceBass
...When you use a 63bit password WPA is uncrackable- mathematically speaking.
...
-N

Many believe that if it's allowed to be commercially available it's only because the NSA has already developed a means to crack it. AFAIK, the only technology which is uncrackable given our current understanding of mathematics and the laws of physics is Quantum encryption. I would agree that your 63 bit password WPA is sufficiently safe for the typical user. In general, the goal is to keep the cost of cracking the system above any potential benefit to the cracker.

ClueByFour Dec 2, 2005 10:28 am


Originally Posted by ScottC
FREAK :D

You can't use a GUI mail client on a 9600 baud terminal, either.

SpaceBass Dec 2, 2005 10:36 am


Originally Posted by mbreuer
Many believe that if it's allowed to be commercially available it's only because the NSA has already developed a means to crack it. AFAIK, the only technology which is uncrackable given our current understanding of mathematics and the laws of physics is Quantum encryption. I would agree that your 63 bit password WPA is sufficiently safe for the typical user. In general, the goal is to keep the cost of cracking the system above any potential benefit to the cracker.


You know- I agree with you.
I think there was a time when PGP was uncrackable- and maybe still is- and there was that export only version... that was about the EXACT same time that lawmakers started talking about cracking down on the internet.
I remember this GREAT article on using a track from an audio CD as the key... so basically I could send you a file and then if we both had Willie Nelson's greatest hits you could use "The red headed stranger" as the key and I'd never have to risk sending it separately... I was blown away at the time. So I started thinking... hummm NSA, etc cannot make a public stink about this being a danger, but they can crack down on internet commerce, regulations, etc.
I suspect a super computer could crack WPA with a 63bit passphrase in a few hours (who knows... days, minutes...?) but I'm more worried about what is in index.dat in the windows folder (entire computer usage history perhaps?)

Sorry... derailed the thread with conspiracy theory... and No I don't live at home in my parent's basement :)

stimpy Dec 4, 2005 5:16 am

Actually WPA isn't really that good. For top level you want WPA2 which is supported in most equipment nowadays. WPA uses TKIP which is software based, slow and just a trumped up WEP. WPA2 uses AES encryption which is military level, yet licensed free for the whole world to use. Better yet most WiFi products include AES support in hardware so it doesn't slow things down.

However most public wifi doesn't use any security so you should run a layer 3 VPN and then you will have no worries.


All times are GMT -6.