Re: [Full-Disclosure] Wireless ISPs

[Konstantin Gavrilenko <mlists@xxxxxxxxxx>]

WEP will not help you in this situation, since the same key will be 
assigned to every client, making it virtually a "protected hub".
What you need to do is to persuade your ISPis to implement per-session 
key,  possible solution WPA+Radius.


cheers,
kos


--
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web:    http://www.arhont.com
        http://www.wi-foo.com
e-mail: k.gavrilenko@xxxxxxxxxx

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com



D B wrote:
> Hi Mr Coffee
>
> Im using this venue to influence several wireless ISPs
> to use WEP
>
> They claim the internet is insecure anyway so they
> wont use it.
>
> I do understand the implications but yes wireless is
> totally legal to eavesdrop.
>
> The bottom 6 channels run on HAM frequencies and that
> is specifically mentioned as legal to eavesdrop.
>
> Tis a big can of worms this wireless garbage, I'm just
> using whatever I can to motivate ISPs ( especially the
> local one ) to encrypt data.
>
> Thank you for your reply
>
> Dan Becker
>
> --- Mister Coffee <live4java@xxxxxxxxxxxxxxx> wrote:
>
> > On Tue, May 11, 2004 at 11:33:25AM -0700, D B wrote:
> >
> > > I'm not real sure how to post this, nor am I sure
> >
> > of
> >
> > > the scope. I am still learning about computers.
> >
> > Ok, no worries.  We all start somewhere, right?
> >
> >
> > > All transactions done via secure websites are
> >
> > secure,
> >
> > > however the auto mailing feature to confirm orders
> > > sometimes contains sensitive data.
> >
> > All transactions done via secure websites are
> > _supposed_ to be secure, but the fact is that
> > information leakage, poor configurations, MitM
> > attacks, and user error, amungst other issues, can
> > render a supposedly secure site insecure.
> >
> > You are right though.  Too many sites will send TMI
> > back in a confirmation email.
> >
> >
> > > When the customer
> > > is on a wireless connection, be it ISP or home LAN
> > > that data is broadcasted in the clear for anyone
> > > within range to eavesdrop.
> >
> > Not always.  The wireless link itself may be
> > encrypted between the AP and the user's portable
> > device - with various levels of security.  Also, if
> > they are using a secure website, the SSL traffic is
> > encrypted separately from the transport medium. 
> > That is an end-point to end-point system, so even
> > sniffing "clear" wirelss traffic will only gain the
> > attacker cyphertext.
> >
> >
> > > A wired internet connection
> > > limits the number of people who have access to
> >
> > this
> >
> > > data simply by the nature of the internet putting
> >
> > it
> >
> > > within acceptable risk.
> >
> > Define acceptable risk?  A wired connection is
> > inherently more secure than a wireless connection,
> > but there are going to be points where the traffic
> > can be compromised as long as the traffic is going
> > over the public internet.  Both wired and wireless
> > suffer from that.  The wireless is only inherently
> > less secure because of the broadcast element
> > somewhere in the data path.  That makes the traffic
> > easier to eavesdrop on, but it's not extraordinarly
> > difficult to eavesdrop on wired traffic either.
> >
> >
> > > It is legal according to US law to eavesdrop on
> > > wireless connections. 
> >
> > The safe answer is "No."  The real answer _may_ be
> > more complex depending on your circumstances.  For
> > example if there's an open AP that's not WEP
> > enabled, the users would have no reasonable
> > expectation of privacy.  However, if it came down to
> > how a US Court would see it, the safe answer is
> > usually "no."
> >
> > This is similar to overhearing conversations on
> > portable phones.  You're not supposed to listen in,
> > but if you and another user are sharing the freq, it
> > would be hard to charge either side with
> > eavesdropping.  This is NOT the same thing as
> > pointing a high gain 900Mhz antenna at the
> > neighbor's house with the intent to listen in.
> >
> > Intent does matter in the eyes of the law.
> http://www.usdoj.gov/criminal/cybercrime/wiretap2510_2522.htm
>
> > > The only solutions I can offer are one of two
> >
> > things. 
> >
> > > 1. Quit sending auto confirmations with sensitive
> >
> > data
> >
> > Agreed.
> >
> >
> > > 2. Encrypt all wireless transmissions at least
> >
> > making
> >
> > > someone who gains access to this data
> >
> > prosecutable. 
> >
> > Encryption is a good idea in any case.  But it only
> > changes slightly what a malicious user could be
> > charged with.  If someone steals your credit card
> > information and uses it, they are guilty of a crime
> > whether they grabbed it from a cleartext email,
> > sniffed it off the wire, or stole a carbon copy
> > receipt.  
> >
> > Simply having the data isn't really criminal.  EG. 
> > You print out an email that has that information and
> > leave it by the fax machine for some reason.  If I
> > pick up the paper to use as scratch paper or
> > something, I haven't done anything immoral,
> > unethical, or illegal - but I DO have your data.
> >
> >
> > > Please direct all flames to /dev/null
> >
> > No flames.  Not even warm, really...
> >
> >
> > > Dan Becker
> >
> > Cheers,
> > L4J
>
>
>
>
> 	
> 		
> __________________________________
> Do you Yahoo!?
> Win a $20,000 Career Makeover at Yahoo! HotJobs  
> http://hotjobs.sweepstakes.yahoo.com/careermakeover 
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html