Tilted Forum Project Discussion Community  

Go Back   Tilted Forum Project Discussion Community > Interests > Tilted Technology


 
 
LinkBack Thread Tools
Old 12-01-2006, 08:28 PM   #1 (permalink)
Tilted
 
Necrosis's Avatar
 
A question for the security mavens

I enjoy visiting internet cafes from time to time. There are usually other happy people in there with headphones, listening to music and getting work or studying done without being bothered.

If I have the little security symbol at the bottom right of my browser, am I safe in doing online banking, or is that a huge risk to do via public wi-fi?
Necrosis is offline  
Old 12-01-2006, 08:40 PM   #2 (permalink)
Crazy
 
I sure wouldn't do it.
__________________
Even if you stop the clock, it gives the right time twice a day.
Once we get out of the eighties, the nineties are going to make the sixties look like the fifties.
kofspades is offline  
Old 12-01-2006, 09:11 PM   #3 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
IMO it's not much different than handing your credit card to the waitress when you're done with your meal/beer.

You run the same risk IMO.

I'd also qualify it by saying I'd only do it if it was absolutely necessary, just like using an offbrand ATM at some liquor store.
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.

Last edited by Cynthetiq; 12-01-2006 at 09:14 PM..
Cynthetiq is offline  
Old 12-02-2006, 03:54 AM   #4 (permalink)
Crazy
 
zed wolf's Avatar
 
Location: The Darkest Parts Of Places Unknown
Quote:
Originally Posted by Cynthetiq
IMO it's not much different than handing your credit card to the waitress when you're done with your meal/beer.

You run the same risk IMO.

I'd also qualify it by saying I'd only do it if it was absolutely necessary, just like using an offbrand ATM at some liquor store.
Agreed. There are risks involved in everything you will ever do in life. millions of people do business over wi fi every day with no problems, however, there are also people out there looking to take advantage of the people who do. I wouldn't let that stop me though any more then the possibility of being in a traffic accident would stop me from driving a car.
zed wolf is offline  
Old 12-02-2006, 06:40 AM   #5 (permalink)
paranoid
 
Silvy's Avatar
 
Location: The Netherlands
The encryption used by most on-line banking sites assumes that you're communicating over an insecure network.

This means that the security measures assume that the communication is picked up by others. (If you use a fixed internet connection your ISP, it's employees, or other computers on the route may also eavesdrop on the connection).
The encryption scheme used (SSL) should ensure that listening in will not reveal any of the data that is transferred.

In theory you should be just as safe using a fixed internet connection as you were using a WiFi connection.

But (there is always a 'but', isn't there?) security schemes may be broken. If that happens, no internet connection is safe, but a WiFi connection is even less safe because it's easier to listen into anonymously*.

Also, using a WiFi connection allows other computers to connect to yours. That connection would normally be refused, but that is also a measure that might be broken. Potentially your PC could be hacked into allowing others to copy your screen without needing to listen in on the connection**

Hope this makes it a little clearer....

* This is not likely, but a decent post about security should mention this
** This is not very likely, but possible. This is akin to someone looking over your shoulder. You might not notice someone across the street using binoculars to read your screen. (Not likely, but not impossible either).
__________________
"Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. "
- Murphy MacManus (Boondock Saints)
Silvy is offline  
Old 12-02-2006, 07:23 AM   #6 (permalink)
Adequate
 
cyrnel's Avatar
 
Location: In my angry-dome.
Good summary, Silvy.

I'd just add that with WiFi hotspots, be wary of "alternate" SSIDs. Be sure you're connecting to the correct, trusted, access point. That initial assumption of trust, when misplaced, opens the door to serious damage.
__________________
There are a vast number of people who are uninformed and heavily propagandized, but fundamentally decent. The propaganda that inundates them is effective when unchallenged, but much of it goes only skin deep. If they can be brought to raise questions and apply their decent instincts and basic intelligence, many people quickly escape the confines of the doctrinal system and are willing to do something to help others who are really suffering and oppressed." -Manufacturing Consent: Noam Chomsky and the Media, p. 195
cyrnel is offline  
Old 12-02-2006, 06:30 PM   #7 (permalink)
Junkie
 
Location: Melbourne, Australia
No way I'd do that.

And here's a problem you may not have thought of... I've been in internet cafes that have security cameras. How easy would it be to replay the keystrokes there.

Some other ways of recording keystrokes include special keyboards and PCs. (Lookup keyghost).
Nimetic is offline  
Old 12-03-2006, 03:19 AM   #8 (permalink)
paranoid
 
Silvy's Avatar
 
Location: The Netherlands
Quote:
Originally Posted by Nimetic
And here's a problem you may not have thought of... I've been in internet cafes that have security cameras. How easy would it be to replay the keystrokes there.
Though you're correct in the existence of keyloggers, Necrosis, I assumed, was talking about using your own laptop in a WiFi hotspot facility. Stil a camera would accomplish the same.

Keyloggers are a security risk everywhere (and probably a common thing after a hacker has had access to your system). Keyloggers record all keystrokes, and with a little guesswork you can easily derive usernames and passwords from them.

However, a keylogger would not do anybody any good with my online banking service. I have to enter a one-time key sequence to gain access. That sequence cannot be re-used. (this is for reading my account status). For modifying my accounts (payments, banktransfers, and such) I need to use a physical 'calculator' to calculate an answer to the key sequence the bank gives me.

This solves several things:
- the system is based on the very secure something you know and something you posess system. The 'calculator' needs your bank card for it's calculations and won't work without a PIN. (hence you know the PIN number, and you posess your bankcard.) This defeats reading over shoulders or stealing your bankcard, a thief needs to do both.
(The 'calculator' itself is universal for all accounts. So stealing the PIN and bankcard is enough to "own" the account.)

- Proxy based (fishing) attack. Since the patching of a few browsers, fishing attacks are more difficult. The bank actually warns me to look at the browser address bar to verify that I'm actually communicating with the bank.

- Reading my log-in sequence will only allow an attacker to view my account status. (note: this would actually help me, as he/she can confim I don't have any money )

- There is a single attack vector that would work**. But it requires a huge amount of preparation, access to the network and physical or hacked access to the PC to make work. And even then, I've noticed that the bank is not easily fooled.

Trust me, the banks are very security minded (sometimes freakishly so), and, at least around here, will not implement a banking system prone to easy attacks. The thing is, banks rely on one thing: public trust. If public trust diminishes the entire banking system is at risk. Security issues are therefore dealt with swiftly.

Cheers!

** I haven't tried or researched into this attack vector. It might very well not be possible. But since the system has been put in place a couple of years ago, its been on my mind that it probably is possible, but very difficult to pull off, only work on 1 PC at a time, and will not fool a vigilant user.
__________________
"Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. "
- Murphy MacManus (Boondock Saints)
Silvy is offline  
Old 12-03-2006, 11:33 AM   #9 (permalink)
Tilted
 
Necrosis's Avatar
 
Thanks, especially to Silvy, for some useful info.
Necrosis is offline  
Old 12-03-2006, 01:12 PM   #10 (permalink)
Devils Cabana Boy
 
Dilbert1234567's Avatar
 
Location: Central Coast CA
There are a few attack vectors, but they are extremely difficult, the one I am most familiar with is a variation on the man in the middle attack.

First, poison the arp table and control all the traffic. Then pretend to be all parties required for the transaction, including every party that handles the encryption certificates. (The hard part). Record all traffic and take what you want. You don’t actually need access to the internals of the network, just a client. arp poisoning is easy, but the certificates is hard, and well out of reach for nearly everyone.

You are relatively safe, but not completely. I’ve mentioned this before, but I’ll say it again, if you are on a wired connection, with a part of the network is unencrypted wireless, you are not secure, and anyone can view all of your internal traffic, wired and wireless.
__________________
Donate Blood!

"Love is not finding the perfect person, but learning to see an imperfect person perfectly." -Sam Keen
Dilbert1234567 is offline  
Old 12-07-2006, 09:24 AM   #11 (permalink)
High Honorary Junkie
 
Location: Tri-state.
this is crazy -- you're probably OK, of course taking normal precautions like avoiding letting people look at what you're doing, making sure you're connecting to the right network. personally, i avoid doing anything serious over wireless connections unless i'm in control of the wireless access point.

if you're asking this question, you probably don't need/want to know about cache poisoning.
macmanmike6100 is offline  
Old 12-08-2006, 12:56 PM   #12 (permalink)
Tilted
 
Location: Auckland, New Zealand
I'd be more worried about stuff on your own computer - keyloggers, malware, viruses etc - than i would about an ssl tunnel being broken.
NotAnAlias is offline  
 

Tags
mavens, question, security


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -8. The time now is 07:15 PM.

Tilted Forum Project

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Search Engine Optimization by vBSEO 3.6.0 PL2
© 2002-2012 Tilted Forum Project

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360