Beware the Airport Wireless 120
schwit1 writes to tell us that a recent study by a Silicon Valley-based security company shows that black-hats have been ramping up their use of tempting free or unsecured wireless access points in high travel areas like airports and hotels. "According to their study, even the 'secure' networks weren't all too safe. Eighty percent of the private Wi-Fi networks at airports surveyed by Airtight were secured by the aging Wired Equivalent Privacy (WEP) protocol, which was cracked back in 2001. Almost as many — 77 percent — of the networks they surveyed were actually private, peer-to-peer networks, meaning they weren't official hotspots. Instead, they were running off someone else's computer."
What's the big deal? (Score:5, Insightful)
What's the big deal? Why worry about the insecurity of the local wireless network when you're connecting to the Internet... hello, it's insecure!! If your computer isn't secure it doesn't matter whether the local network is or isn't, your computer is still insecure. If you are doing things across the network that you want to keep private and you aren't doing them over SSL/SSH/VPN you are an idiot regardless of whether the local wifi uses WEP, WPA2, or no encryption at all.
Re:Old (Score:5, Insightful)
And for that matter, you're in a insecure place connecting via some random network. Its just stupid.
But very convenient. You'd be surprised how much Stupid you can get for Convenience.
How is this dangerous to a normal user? (Score:3, Insightful)
Re:How is this dangerous to a normal user? (Score:5, Insightful)
What about if the hotspot doesn't actually give the user the real page, but instead phishing page? I doubt many normal users notice that HTTPS isn't on. Or like in the above The Real Hustle video, "for $1 you can get one hour of surfing time, just enter your credit card details" and you probably can guess what happens from there.
Re:Old (Score:3, Insightful)
I think it's more ignorance. Of a fairly technical issue, at least for most people. A little bit of self-defensiveness there, I'm far less computer literate than most /. users and had no idea that WEP had been broken for 8 years.
Granted, I wasn't assuming it was safe, doing online banking while on an unknown network in a crowded airport. I've only used my nintendo DS on them. Now I guess I can't even do that, assholes always trying to steal me level 40 Charizard...
Comment removed (Score:5, Insightful)
appallingly stupid study (Score:2, Insightful)
No one should ever rely on the network layer for security, because networks are by nature insecure. Run traceroute sometime if you're curious to see how many nodes are located between your computer and your bank/stock broker/webmail. Every one of those nodes can see every one of your packets. The only solution is to use application layer encryption, and once you've done that, it doesn't matter who is spying on your traffic.
You'll notice that this study was done by "AirTight Networks, a wireless security company." In other words, they are fear-mongering in order to try to sell more of their products. No matter how secure you make your wireless network, it still won't stop anyone even 1 hop away from seeing all of your traffic. As security professionals, the researchers from AirTight Networks know this, which makes their study all the more stupid and despicable.
Re:SSL? (Score:3, Insightful)
This article contains a lot of FUD. If you're banking or anything important money-wise you're probably using SSL with a signed certificate, even if you're a Joe Sixpack. If I'm doing anything work related I'm on a VPN. You should never, ever, trust that your connection through the "internets" is secure anyway. Wireless access doesn't change anything about that. This article is just trying to gain attention by using fear.
There really is a tremendous amount of ignorance concerning the most basic knowledge of computers and networks. Of course, you can decide that if you are going to use a complex tool for important tasks, that it is wise to learn what you can about that tool so that you use it effectively. That you bear some responsibility is welcome news, for it means you have some control over whether you have a good experience. In fact you can be curious about how it works and enjoy discovering and learning new things. The mark of such people is that over time, they gradually get better and better as they gain experience and their knowledge expands.
You can also insist that you have a God-given right to perform complex tasks with little or no understanding. You can then resent anyone who tells you that you bear at least some responsibility for this decision and for any undesirable events that result from it. You can decide that while lesser men may have to read up on a thing or learn about it, you are too special for that and will magically do everything that they do while investing no such effort. You can memorize a monotonous and robotic list of steps instead of developing any real understanding of what you are doing and why, causing interface changes to lead to "retraining costs." The mark of such people is that they are "permanent noobs" who can somehow manage to use a device for years and know nothing more about it than when they first started.
The folks in that second category seem proud of it. They seem to view understanding the tools they use the same way the aristocracy of old felt about "fraternizing with the help." I am not glad when they encounter misfortune, but I don't consider them to be victims either.
Re:Wrong (Score:2, Insightful)
I must really be a paranoid geek. I trained my wife to always look at the certificate, and inspect the trust chain, EVERY time she logs into the bank, etc...
So what? (Score:4, Insightful)
If i can get outside and not pay anything, why should i care that its not 'official'? Really, i'm not joking.
Re:Old (Score:3, Insightful)
You forgot to mention that it's also not relevant.
The Internet itself is "insecure". It is so by design, so if the purpose of the Wifi is to get to teh iNternetz then there is logically no substantial value to encrypting your hotspot.
Practically, I can only think of two benefits:
1) Prevent neighbors from leeching bandwidth and making your YT videos "skippy".
2) Prevent neighbors from sharing MP3s on your connection so that the RIAA sues you. Of course, if you don't secure your connection, you have plausible deniability when they sue....
Now, if you are actually running a local NETWORK, (EG: printer sharing, etc) then things change a bit. But even then, it's sensible to secure your services so that security issues don't plague you. Since all my company's resources need to be "roadable", we don't bother with VPNs and instead just used all encrypted protocols. (EG: rather than SMB, we use DAV over HTTPS, SMTPS/IMAPS for email, etc)
Re:Old (Score:2, Insightful)
He doesn't own and operate that router... which is a key point here.
In that case, why is he trusting any device that is outside his administrative control, and has no contractual agreement or working relationship of any kind, with the owner of said device? O.o
Re:they were running off someone else's computer (Score:1, Insightful)
Which Windows machine ?