Security issues identified with some hotel Wi-Fi

AnCatDubh

via RTE morning ireland.

Ronan Murphy , CEO of Smarttech , discusses the extent of the cyber security breaches his company uncovered at a number of top hotels in Ireland offering free Wi-Fi to customers

http://www.rte.ie/news/morningireland/player.html?20131211,20488946,20488946,flash,232

gizmo555

Having listened to this, the gentleman concerned talks about being able to access login names, passwords, credit card details, etc

Surely if, for example, I'm accessing my Paypal account - which was one of the services mentioned - the https encryption on the Paypal website would protect my user data, regardless of the encryption level on the public wifi network?

GarIT

Hasn't this been known for the last 10 years? It's part of the way WiFi works, I assumed most people would know this.

GarIT

gizmo555 wrote: »

Having listened to this, the gentleman concerned talks about being able to access login names, passwords, credit card details, etc

Surely if, for example, I'm accessing my Paypal account - which was one of the services mentioned - the https encryption on the Paypal website would protect my user data, regardless of the encryption level on the public wifi network?

Nope, once you're on a public network a smart hacker could get everything. You need to be using a VPN at minimum on a public network.

The Glass Key

GarIT wrote: »

Nope, once you're on a public network a smart hacker could get everything. You need to be using a VPN at minimum on a public network.

I've not gone into it in great detail but in the case of paypal and other connections where ssl was used the client being attacked could spot what was happening because they wouldn't see the https in the URL bar before they logged in.

I know that's not the best protection but some people would spot it.

h57xiucj2z946q

GarIT wrote: »

Nope, once you're on a public network a smart hacker could get everything. You need to be using a VPN at minimum on a public network.

If content is encrypted, smart hacker cannot forge a trusted certificate. So un-less the user is using software to ignore invalid certificates, there should not need to worry about content encrypted.

gizmo555

Rudy Most Zucchini wrote: »

If content is encrypted, smart hacker cannot forge a trusted certificate. So un-less the user is using software to ignore invalid certificates, there should not need to worry about content encrypted.

This is what I would have expected - was the threat described greatly overstated, or am I missing something else?

To me, it seems like the biggest risk would be if you're logging into websites or services which don't use encryption and the passwords for those are also used for other accounts. For example, Boards's login page isn't encrypted.

timetogo

gizmo555 wrote: »

This is what I would have expected - was the threat described greatly overstated, or am I missing something else?

At the end of the piece on RTE the guy said 70% of all traffic in hotels is probably being watched if it's not encrypted. It's almost as if he put an asterix on his sentence and said the encrypted bit as an afterthought. I think that was the only time the word encrypted was mentioned during the piece.

If you have a valid SSL certificate I don't know how bank details / credit card numbers could have been lifted by this company. Is this stuff not illegal to do. They said they did some hotels from the car park. That's kind of implying they had nobodys permission.
If they managed to get users credit card numbers and banking information what did they do with it. Are they storing it, did they delete it straight away. I'm pretty sure there are laws about this. It doesn't matter if it's easy to grab. It doesn't mean you can do it.

timetogo

gizmo555 wrote: »

To me, it seems like the biggest risk would be if you're logging into websites or services which don't use encryption and the passwords for those are also used for other accounts. For example, Boards's login page isn't encrypted.

Boards login page is encrypted for me.

https://www.boards.ie/auth/login

Actually, you don't want to reuse passwords for important sites anyway. There have been several instances over the last year where sites have been hacked and the passwords were exposed to the public.

theedude27

Although not mentioned in the RTE News report obviously, I would assume that they used some sort of robust packet sniffing tool in order to capture all the sensitive data in the same way that a keylogger would capture data on a local machine. Am I correct in saying that?

Yes there are Data Protection laws in Ireland but I dont know what the Commissioner's stance on unauthorised penetration testing and war-driving (what they were doing outside the hotel) is!! Will be interesting to see what Billy Hawkes has to say on the matter, especially about the capturing of all the sensitive data and whether it has been stored or disposed of (in a secure manner).

Coming from an information security background myself and constantly having to remind staff of the dangers of using unencrypted devices in unsecured locations, I initially scoffed at the report when I seen it this morning but actually this is something positive for the public because if they are willing to listen and try understand the type of threats (to privacy and data) that are out there, they will be reminded of these threats everytime they go to do something that involves inputting personal data aka online banking, posting to facebook, twittering, using weak passwords etc and hopefully it will make them more vigilant and avoid them resorting to silly rants on the aforementioned sites and boards.ie of course:D

gizmo555

timetogo wrote: »

Boards login page is encrypted for me.

https://www.boards.ie/auth/login

The home page, which includes a login dialogue box, doesn't appear to be:

http://www.boards.ie/

timetogo wrote: »

Actually, you don't want to reuse passwords for important sites anyway. There have been several instances over the last year where sites have been hacked and the passwords were exposed to the public.

You're right of course, but as we know, a great many people do.

theedude27 wrote: »

Although not mentioned in the RTE News report obviously, I would assume that they used some sort of robust packet sniffing tool in order to capture all the sensitive data in the same way that a keylogger would capture data on a local machine. Am I correct in saying that?

Sorry, can you clarify how this would work on, say, an encrypted connection to my Paypal account? What kind of robust packet sniffing tool could break the encryption?

theedude27 wrote: »

. . I dont know what the Commissioner's stance on unauthorised penetration testing and war-driving (what they were doing outside the hotel) is!! Will be interesting to see what Billy Hawkes has to say on the matter . . .

A spokesman for his office was quoted briefly in the RTÉ report and they seemed pretty relaxed about it.

h57xiucj2z946q

timetogo wrote: »

Boards login page is encrypted for me.

https://www.boards.ie/auth/login

Actually, you don't want to reuse passwords for important sites anyway. There have been several instances over the last year where sites have been hacked and the passwords were exposed to the public.

Login page itself is encrypted, but after login, you immediately fall back to good old http to facilitate cookie stealing, which I guess can be as dangerous. Having either the password or the session cookie exposes the user's account, so in my opinion, both should be protected. I have been able to sniff out boards.ie cookie sessions on my local LAN at home and inject cookies into my browser on a different setup and be authenticated as the original user simply using their cookies. But this is valid for any website using session cookies and http. Boards.ie should give the option to use ssl, let alone forcing it. It would create a considerable extra load on their servers though.

If you force it to use https for normal browsing:
https://www.boards.ie/vbulletin/forumdisplay.php?f=24

Your browser should block non encrypted content if you are accessing the page over https, otherwise its possible to still steal cookies. And as it seems, boards.ie serves some static content only over http. Look at the https link above with a recent version of firefox or chrome, and even internet explorer! to see what I mean. Older versions of these browsers still loaded the non encrypted content but gave a warning. Now they won't load the content.

h57xiucj2z946q

I think a more interesting threat to public wifi spots that require login code or paid authentication:

https://github.com/poliva/random-scripts/blob/master/wifi/hotspot-bypass.sh
https://github.com/poliva/random-scripts/blob/master/wifi/hotspot-bypass-android.sh

Works on many guest wifi's places I tried.

cormie

Rudy Most Zucchini wrote: »

I think a more interesting threat to public wifi spots that require login code or paid authentication:

https://github.com/poliva/random-scripts/blob/master/wifi/hotspot-bypass.sh
https://github.com/poliva/random-scripts/blob/master/wifi/hotspot-bypass-android.sh

Works on many guest wifi's places I tried.

What are them links for? What do you do with them? Pretty scary stuff out there, especially after watching this: http://www.youtube.com/watch?v=lA4R84xfLOQ

mambo

It's reasonably well known (though not by the general public) than regular HTTP traffic on open wi-fi networks can be easily intercepted and sessions hijacked, etc.

It's strange the guy would go on Morning Ireland, etc. claiming they could easily access, say, people's online banking information, but go into no more specific detail of what was available or how it could be accessed, and not publish any details on their website.

I'm sure the banks would want to know if their SSL encryption was being broken!

Far be it from me to claim they were exagerrating what's possible in order to get more publicity for themsevles. :cool:

gizmo555

mambo wrote: »

It's strange the guy would go on Morning Ireland, etc. claiming they could easily access, say, people's online banking information, but go into no more specific detail of what was available . . .

He went into a lot of very specific detail - quoting directly from the interview: "user names, passwords, login details, credit card info, online bank details including Paypal logins and passwords, email addresses and passwords . . ."

What I'm struggling to understand and where the detail was lacking is how this is possible if the websites concerned were using bog standard encryption.

MyPeopleDrankTheSoup

it's just crap for publicity. they can't break SSL. the guy who wrote it is Tom O'C who used to be with databackup.ie
https://twitter.com/databackup/status/410712172470087680

http://databackup.ie/

I respect the hustle to get in all the media today but it looks pretty poor on the part of our national broadcaster making it a main news story. And the Irish Times, the so called paper of record.

AnCatDubh

gizmo555 wrote: »

The home page, which includes a login dialogue box, doesn't appear to be: http://www.boards.ie/

The homepage isn't but the login form on the homepage has an action which will post the user data over https/ssl so effectively is for login purposes.

But yes, then falls back to http. Perhaps not the end of the world if your boards account gets hacked or a session is temporarily stolen.

gizmo555

gizmo555 wrote: »

What I'm struggling to understand and where the detail was lacking is how this is possible if the websites concerned were using bog standard encryption.

This Indo story gives a little more information about what they say they did - does this make sense?

It said that most public wifi networks share a single internet provider, or IP, subnet and this gives potential hackers the ability to pretend that their laptop or mobile device is the gateway on that subnet. It is known as a Man in the Middle Attack.

AnCatDubh

georgiecasey wrote: »

they can't break SSL. https://twitter.com/databackup/status/410712172470087680

The company seems to be tweeting a lot about ssl / https, and man-in-the-middle attacks. He's also been saying that they will publish/blog about some of the detail/findings.

I think it would be really interesting if they were to release at least some detail of the technical exploits used to better inform as to what they actually found wrong.

hmmm

I want to find out who their PR company are, they've done a great job with this non-story.

mrdarrenm

AnCatDubh wrote: »

The company seems to be tweeting a lot about ssl / https, and man-in-the-middle attacks. He's also been saying that they will publish/blog about some of the detail/findings.

I think it would be really interesting if they were to release at least some detail of the technical exploits used to better inform as to what they actually found wrong.

They don't need to 'break' ssl, just to do the man in the middle and some other trickery. Look up a tool called sslstrip, it can allow you to do this very easily and the site will have an explanation by a guy called Moxie Marlinspike who wrote it. Basically the attacking machine initiates the ssl connection. Because it is one way SSL (no client side certs) this is fine as the server won't have verification of correct user, only vice versa.

So the html which is encrypted by this valid ssl session is passed from the man in the middle attacker back to victim in cleartext html. There won't be an ssl lock icon for the end user but most people won't notice. Credentials are captured in the middle before being passed in to the attackers valid ssl connection. Don't know if I'm explaining well, could do with a diagram. Anyway, this is more than likely what they did.

There's also other attacks like dns cache poisoning. Few options really. I haven't seen the story but sounds like nothing new about hotels; same as cafes, airport, anywhere. Unless there's more to it than it sounds.

mrdarrenm

AnCatDubh wrote: »

The company seems to be tweeting a lot about ssl / https, and man-in-the-middle attacks. He's also been saying that they will publish/blog about some of the detail/findings.

I think it would be really interesting if they were to release at least some detail of the technical exploits used to better inform as to what they actually found wrong.

They don't need to 'break' ssl, just to do the man in the middle and some other trickery. Look up a tool called sslstrip, it can allow you to do this very easily and the site will have an explanation by a guy called Moxie Marlinspike who wrote it. Basically the attacking machine initiates the ssl connection. Because it is one way SSL (no client side certs) this is fine as the server won't have verification of correct user, only vice versa.

So the html which is encrypted by this valid ssl session is passed from the man in the middle attacker back to victim in cleartext html. There won't be an ssl lock icon for the end user but most people won't notice. Credentials are captured in the middle before being passed in to the attackers valid ssl connection. Don't know if I'm explaining well, could do with a diagram. Anyway, this is more than likely what they did.

There's also other attacks like dns cache poisoning. Few options really. I haven't seen the story but sounds like nothing new about hotels; same as cafes, airport, anywhere. Unless there's more to it than it sounds.

srsly78

SSLstrip literally just replaces https with http. It won't work on stuff that forcibly requires https.

The man in the middle attack on ssl is also detected, and results in a big "this certificate cannot be trusted" warning. If you see this (I see it a lot in work), that's because your corporate/dodgy network is likely doing it. If you don't see it in work, then either A: they have preloaded trusted company/dodgy certs on your box or B: they aren't snooping on you.

All these SSL "vulnerabilities" are overly alarmist, and some are even "working as designed" (as happens when your corporate box has the mitm certs preloaded). As others have said, if SSL was really hacked it would be big news.

timetogo

mrdarrenm wrote: »

Unless there's more to it than it sounds.

I'd say it's a press release by a newish company to drum up business. They'll probably get some business out of it.
The real story is how they got it onto RTE Radio in a prime time slot. Can you pay RTE for that type of coverage? The interviewer was really milking the "can see bank account and credit card details".
There wasn't one mention of anybody paying attention to their HTTPS logo on every browser (Chrome even throws me up a big red screen when it doesn't like the security settings).

h57xiucj2z946q

Secure pages should also use https://en.m.wikipedia.org/wiki/HTTP_Strict_Transport_Security

mambo

They should have submitted their claims for some sort of peer review before going to the media with them. And the media ought to be sceptical about claims like this if they haven't been peer reviewed to some extent, and the people making the claims haven't published fuller details for those who understand this sort of thing to go over with a fine tooth comb.

Still waiting to see any fine detail from the company making these claims. All very vague and sensationalistic so far! The longer this goes on, the more it looks like they are just hyping up the dangers to get some free publicity.

There's the makings of a story here if some security-aware blogger would like to run with it.

Permabear

This post has been deleted.

mambo

Well said. Also where does that "70%" claim come from? It all reminds me of the famous sexed up WMD "dodgy dossier" a bit.

Stuxnet

Time I thought my 5 year old how to use WireShark !

Khannie

Just listened to this now.

mambo wrote: »

It's strange the guy would go on Morning Ireland, etc. claiming they could easily access, say, people's online banking information

Yeah, he was asked a very specific question on online banking and implied that he had no bother accessing it.

Bollox.