general mobile hot spot/wifi safety question

[ShaggyKids]

I know there are plenty of freebie wifi locations available to people (Starbucks, McDonalds -- wherever). I sure don't want anyone being able to access the information on my devices/private home network so I have never considered using an public access wifi.

What do you folks do for security measures when you're accessing these?

 

[Jude526]

I never really thought about it. I use free wifi alot and have never had problems with my info being threatened by using it.

Sent from my ADR6400L using Android Central Forums

 

[Josefius]

Should be fine, just don't fall for any phishing scams.

Sent from my Nexus 7 using Tapatalk 2

 

[ShaggyKids]

Wow, that's really surprising! Thanks.

 

[dotism]

Make sure you are accessing sites via https:// when secure data is being transmitted, i.e, SSL.

Install Lookout, just do it.

And the smartest head would say don't do anything over public WiFi, but that just doesn't translate. Use Google, Facebook, etc. via their SSL interfaces (again, use https://) and things should be just fine.

Ignore emails that you don't recognize, all that stuff. But don't suspect everyone in your periphery: you could be missing out on the love of your life. They are staring because you are cute, not because they are clocking your visage for further Jelly Bean face login hacking.

Edit: ...or are they? Don't blink.

 

[Bossxii]

As mentioned above...Facebook, YouTube etc... your fine. However I would highly discourage logging into your bank or other personal accounts you wish to stay private. Those public hot spots are open books for anyone with minimal knowledge and a few scripts can access your data.

Having been through several security classes for various MS certifications I can tell you using caution is always best. After seeing the instructor show us how easy it us to obtain other peoples data at he local Starbucks I maybe a but on the cautious side but I only use my own hotspot now.

Sent from my Nexus 7 using Tapatalk 2

 

[dotism]

But how about using interfaces over SSL? Regardless of the entity behind it, SSL is kinda gnarly, right? These folks, Google, Facebook, Twitter, etc. are basing their business models on it.

I wouldn't suggest logging into your bank with the secure sockets layer enabled and nothing else at DefCon, but at Starbucks?

Edit: There are SecurityNow! episodes claiming that SSL is fine at Starbucks and that guy is a frickin' loon when it comes to security.

 

[natehoy]

But how about using interfaces over SSL? Regardless of the entity behind it, SSL is kinda gnarly, right? These folks, Google, Facebook, Twitter, etc. are basing their business models on it.

I wouldn't suggest logging into your bank with the secure sockets layer enabled and nothing else at DefCon, but at Starbucks?

Edit: There are SecurityNow! episodes claiming that SSL is fine at Starbucks and that guy is a frickin' loon when it comes to security.

SSL is fine. It encrypts the data from your browser all the way to your bank. Someone can encrypt the stream but properly-encrypted SSL is legitimately safe even over an open channel.

Anything less than SSL is pure lunacy for anything financial. Even if you're running on your own very highly secured network, as soon as it hits your router it converts back to cleartext transmission and any router between you and your bank could easily record it.

Don't worry about the kid with the ripped t-shirt and the duct taped laptop snickering next to you at Starbucks. Worry about the guy in the Armani suit you'll never see because he's 500 miles away. Or the guy who owns the access point and has a cheap computer with a terabyte hard drive recording everything that goes over the WAN port.

Encrypt the stream the WHOLE way (which is SSL).

Obviously, if you have a choice, SSL-over-WPA2 is ideal. But the "-over-WPA2" part is the optional part.

https:// Always.

 

[dotism]

Obviously, if you have a choice, SSL-over-WPA2 is ideal. But the "-over-WPA2" part is the optional part.

I didn't even think to bring this up, and you did, thank you: When you login to that open access point be sure it is WPA. (And make sure your wireless router is locked down with WPA). I've cracked WEP passwords in seconds when I was desperate in Portland, OR. It was so easy that it became preferable, due to overloaded access points elsewhere.

I'm not sure how WPA applies to completely open networks, i.e. no password needed, but check that SSL before you hop on one of those honeypots anyway

 

[natehoy]

I'm not sure how WPA applies to completely open networks, i.e. no password needed, but check that SSL before you hop on one of those honeypots anyway

It does not. If it's an OPEN access point (no WEP, no WPA), then there's no encryption on the actual network connection, so anything your computer and the access point say to each other is in plaintext (it's like having a loud conversation in a public place, anyone can overhear you).

The "good" news about using OPEN access points is that the conversation is still "audible" once it hits the access point anyway, so the vulnerability is only unique to wireless for the first few feet of the data's travels. Once it hits the actual wired network that the access point is attached to, it's open, and traveling out over the Internet it's also open. Any router between the access point and the data's intended destination can easily record everything being sent and received.

I'm only concerned that the data is encrypted. I don't care how. And the additional layer of encryption involved in using WPA2/EAS is really only useful in corporate environments where the data will then hit a secure wired network, or in private home networks where you don't want your network shares snoopable. A public network has no need of encryption because there's no point in encrypting the wireless signal - anything anyone cares about should be end-to-end encrypted.

Just because someone is giving you a free access point doesn't mean they are trustworthy.

 

[dotism]

I'm only concerned that the data is encrypted. I don't care how.

I love this thread.

And the only way to ensure that data is encrypted once it enters the ether between you and the intended target is SSL with all certificates intact.

 

[natehoy]

And the only way to ensure that data is encrypted once it enters the ether between you and the intended target is SSL with all certificates intact.

Correct-a-mundo, amigo. If it's not a signed (or otherwise verified) certificate, you are subject to a man-in-the-middle attack. The dude in the ripped t-shirt with the wireless laptop next to you can't get it, but the guy next to him who has plugged into the WIRED connection the careless hotspot operator left open can easily fire up a NIC in promiscuous mode and hit RECORD on a LAN sniffer. As can the operator of the hotspot itself, as can the operator of any router between said hotspot and your intended endpoint. A couple of bad routing entries and that data is in China - it's happened before and WILL happen again.

Encryption between your device and the wireless access point is useful only between your device and the wireless access point. This is great if you have specific assets on the wired network behind that access point you wish to protect. Including your Internet connection in case you have a service provider who likes to play nicey-nicey with the likes of MPAA or RIAA. Personally, I encrypt the living feces out of my WiFi, not because I don't want to share, but because I don't want some drive-by asshat to put me in bankruptcy court because they decided they wanted to use my connection do download two albums. But the lunacy of copyright law is a discussion for another thread.

Proper SSL with certificates is useful from your device to the endpoint, and prevents both data interception AND connection interception (where someone in the middle can pretend to be the endpoint you are seeking and record the conversation wholesale or introduce altered data into it, such as changing the dollar amount, R/T, and account numbers on that wire transfer you just authorized - so the ten bucks you just sent to Uncle Ed for his birthday just turned into ten thousand bucks for Uncle Al Qaeda).

Again, some sort of encryption on the wireless is nice in a "belt and suspenders" sort of way. But SSL is more than adequate encryption for anything short of the kind of stuff people in large black SUVs with immediate access to really cool black helicopters might need.

Open access points are not a security risk if any data you care about is SSL encrypted.

WPA2/AES with a 30-character complex passcode is VERY MUCH a SEVERE security risk if any data you care about is NOT SSL-encrypted end-to-end. As soon as it comes off the wireless, it's PLAINTEXT.

Paranoia is great, just make sure it's USEFUL paranoia. Worrying about the security of the first thirty feet of your data's travels is silly when it's got many thousands of miles left to go and you're OK with it being plaintext for that part of the journey. It's like putting your seatbelt on to pull out of your driveway then taking it off once you're driving.

 

[Unicorn Rancher]

Meh. I guess I don't really care if someone knows I'm watching a video on youtube or looking up something on wikipedia.

 

[natehoy]

Meh. I guess I don't really care if someone knows I'm watching a video on youtube or looking up something on wikipedia.

And that's perfectly OK. Almost all services that require a password any more use SSL or similar encryption to encrypt that data (and any reasonable site design also includes encryption of anything that should also be accessible only while using that password).

Don't worry about your YouTube videos or Wikipedia searches.

But make sure if you are going to access your webmail over an open hotspot that the URL starts with https://

And check into any apps you might use that exchange any data you might care about. If there's an encryption option, enable it. If not, check with the developer to make sure that any sensitive data is encrypted.

Facebook and Gmail both use SSL both for their apps and by default for their web pages now. Most webmail companies are also good about this (Yahoo, Microsoft, etc).

And then, of course, understand that the wireless encryption doesn't protect you to the endpoint anyway, so unless you have a secure connection all the way to the other end, wireless encryption itself is virtually meaningless. And if you DO have a secure connection all the way to the other end, wireless encryption is irrelevant.

 

[zedorda]

I found this thread kind of funny with all the WEP and WPA2 being thrown around like it mattered when the real dangers of the public open access points are the other members of the same network. No matter what the encryption is if a member from the same network can access your device with almost no effort. With just some simple scripts I have been able to login to these public networks from my home computer miles away and browse all the devices connected to that network. WEP,WPA2, etc only stop those not already part of the network from gaining access but since these are public access points they can gain access without having to break in.

Hackers often call users of free public access points as "ducks" you know the ones people shot in barrels.

 

[dotism]

I was just about to bring this up... When you are connected to an open access point, you are open.

Even without scripts, Samba shares are available, public folders are available, guest logins might exist, a bunch of stuff will pop up in a users file system immediately upon connecting if they are looking for it.

I use full disk encryption on my devices, but still am sketched out a bit by public WiFi. My own experience might have something to do with it.

Though, cell data is easily tampered with as well--or so I am told--so who knows what to do. I choose not to do much outside of my local network, honestly, but I also don't use Facebook, Foursquare, Twitter, or any of these other pollutants. I can understand the fear a paranoiac might face if they had a two-pack-a-day social network fix to contend with. *Alas*