
One simple step to making public wifi more secure

  • 23-01-2016 6:38pm
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭


    Most wifi hotspots in English speaking countries don't take advantage of the in-built security features of WiFi. This is done by giving visitors a WPA2+AES password - rather than a log-in page - which does not encrypt the WiFi wireless traffic between the visitor's PC and the site's WiFi access point. Best to block off WEP and WPA at the access point, and accept only WPA2 +AES.

    Everyone can use the same password. You can even embed the password in the SSID that will show up on people's devices as they search for WiFi. Use an SSID such as 'Password = FLIGHT for free wifi' for the SSID at an airport wifi system. The customer just enters 'FLIGHT' and is connected. You can then serve them with a page of terms and conditions if you wish. The safe SSID max length is 31 characters.

    Wifi at airports and other public locations is a black hat hacker's haven. Many people using their PCs in public places don't bother to lock down their networking - leaving their documents open to the public to read. Their systems are also wide open for malware installation.


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Impetus wrote: »
    Most wifi hotspots in English speaking countries don't take advantage of the in-built security features of WiFi. This is done by giving visitors a WPA2+AES password - rather than a log-in page - which does not encrypt the WiFi wireless traffic between the visitor's PC and the site's WiFi access point. Best to block off WEP and WPA at the access point, and accept only WPA2 +AES.

    Everyone can use the same password. You can even embed the password in the SSID that will show up on people's devices as they search for WiFi. Use an SSID such as 'Password = FLIGHT for free wifi' for the SSID at an airport wifi system. The customer just enters 'FLIGHT' and is connected. You can then serve them with a page of terms and conditions if you wish. The safe SSID max length is 31 characters.

    Wifi at airports and other public locations is a black hat hacker's haven. Many people using their PCs in public places don't bother to lock down their networking - leaving their documents open to the public to read. Their systems are also wide open for malware installation.

    Then I connect to the now encrypted network, arp poison the network so I am now the gateway, and sniff all the traffic. Bit of sslstrip-foo, and I 0wn most of their data.

    Everyone has a smartphone. Data plans are really very cheap. Don't use public wifi.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    syklops wrote: »
    Then I connect to the now encrypted network, arp poison the network so I am now the gateway, and sniff all the traffic. Bit of sslstrip-foo, and I 0wn most of their data.

    Everyone has a smartphone. Data plans are really very cheap. Don't use public wifi.

    That involves a lot more work and resources than the average person using an airport wifi system before a flight might have. It is a simple precaution to reduce the risks, rather than being wifi security nirvana.

    I have been in hotels in other countries, and with little more than network discovery switched on, could see and open PCs of other guests. I accidentally came across this, trying to access my own network over the internet. One guy had his driving license scan, passport scan, his wife/girlfriend's stuff, and scans of utility bills (obviously a Brit without an ID card). He didn't even have password protected directories. Not to mind some form of encryption for his ID data.

    I am advocating using the 80:20 rule. Rather than something that is 100% secure.

    I always use mobile data myself - but even this is not secure in most countries with intelligence agencies snooping your traffic etc. Mobile phones only offer PPTP type encryption for VPNs - which is broken. All the mobile phone networks licensed in Ireland are owned by companies based in states known to snoop on everything one says or transmits.

    The planet needs an open source, high security VPN standard whose source code is open and which is available royalty free.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Impetus wrote: »
    That involves a lot more work and resources than the average person using an airport wifi system before a flight might have. It is a simple precaution to reduce the risks, rather than being wifi security nirvana.

    He was talking from a black hat perspective that just implementing WPA2 on its own really doesn't slow an attacker down all that much, though if you add in a client isolation solution, it'd definitely help.

    Like a huge amount of InfoSec though, the issue is far more one of awareness that there's an actual problem in the first place, combined with lack of actually giving a ****, rather than the difficulty of implementing the solution.
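
The setup from the opening post (WPA2 with AES only, SSID within 31 characters) combined with the client isolation suggested in the reply above, written as a check over a hostapd.conf; this is an added example, not part of the thread. hostapd is assumed as the access-point software (the thread names none), both sample configs are constructed, and the hardened sample uses a longer password because a WPA2 passphrase must be 8 to 63 characters.

```python
# Constructed hostapd.conf samples (not from the thread). WEAK uses the
# SSID and password from the opening post; HARDENED is the corrected form.
WEAK = """\
ssid=Password = FLIGHT for free wifi
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=FLIGHT
"""
HARDENED = """\
ssid=Password = FLIGHT2016
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=FLIGHT2016
ap_isolate=1
"""

def parse_hostapd(text):
    """Return the key=value settings, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # the SSID itself may contain '='
            conf[key.strip()] = value.strip()
    return conf

def audit(text, max_ssid=31):
    """Return (key, problem) pairs; an empty list means the policy is met."""
    conf, findings = parse_hostapd(text), []
    if conf.get("wpa") != "2":
        findings.append(("wpa", "must be 2; 1 or 3 also admits WPA (v1)"))
    ciphers = (conf.get("rsn_pairwise") or conf.get("wpa_pairwise") or "").split()
    if ciphers != ["CCMP"]:
        findings.append(("rsn_pairwise", "pairwise cipher must be CCMP (AES) only"))
    if any(key.startswith("wep_key") for key in conf):
        findings.append(("wep_key", "WEP keys are configured"))
    if conf.get("ap_isolate") != "1":
        findings.append(("ap_isolate", "client isolation is off"))
    if len(conf.get("ssid", "").encode()) > max_ssid:
        findings.append(("ssid", f"longer than {max_ssid} bytes"))
    if not 8 <= len(conf.get("wpa_passphrase", "")) <= 63:
        findings.append(("wpa_passphrase", "WPA2-PSK needs 8 to 63 characters"))
    return findings

if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(sample) or "meets the policy")
```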


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Blowfish wrote: »
    He was talking from a black hat perspective that just implementing WPA2 on its own really doesn't slow an attacker down all that much, though if you add in a client isolation solution, it'd definitely help.

    Like a huge amount of InfoSec though, the issue is far more one of awareness that there's an actual problem in the first place, combined with lack of actually giving a ****, rather than the difficulty of implementing the solution.


    Agreed. But if you are responsible for a public WiFi, it is a simple matter to use WPA2 in the manner I described above. Security needs to focus on the 80:20 rule.

    Most of the media hype about hacking risks, is just that. But it (WPA2 on public wifi) is a very practical contribution to computer security to prevent someone from accidentally or otherwise stumbling into someone else (ie their PC) while sharing public wifi.

    And with my lawyer's hat on, you risk being negligent if you don't take this basic precaution.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Impetus wrote: »
    I have been in hotels in other countries, and with little more than network discovery switched on, could see and open PCs of other guests. I accidentally came across this, trying to access my own network over the internet. One guy had his driving license scan, passport scan, his wife/girlfriend's stuff, and scans of utility bills (obviously a Brit without an ID card). He didn't even have password protected directories. Not to mind some form of encryption for his ID data.

    To be fair, that could be the case had you's both been connected to a WPA2 protected network.

    Impetus wrote: »
    Mobile phones only offer PPTP type encryption for VPNs - which is broken. All the mobile phone networks licensed in Ireland are owned by companies based in states known to snoop on everything one says or transmits.

    Both of them statements are factually incorrect.

    Impetus wrote: »
    The planet needs an open source, high security VPN standard whose source code is open and which is available royalty free.

    OpenVPN ?


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Impetus wrote: »
    Agreed. But if you are responsible for a public WiFi, it is a simple matter to use WPA2 in the manner I described above. Security needs to focus on the 80:20 rule.

    Most of the media hype about hacking risks, is just that. But it (WPA2 on public wifi) is a very practical contribution to computer security to prevent someone from accidentally or otherwise stumbling into someone else (ie their PC) while sharing public wifi.

    And with my lawyer's hat on, you risk being negligent if you don't take this basic precaution.

    But what problem does encrypting the network achieve from a security point of view?

