Friday, August 14, 2009

Question about web security

Wanted to put out a question to readers. I recently happened to tune in to the Kim Komando show and heard something that sounded like a mistake. However, I'm not a security expert, so I'd like to find out more.

A caller had been making use of his neighbor's unsecured wireless connection when his own internet was down. He was wondering about the security hazards of doing this.

Kim's answer was mostly correct, which was to say that anything you transmit or receive over the web is visible across the entire network. By using freely available software, your neighbor could potentially steal your information. He could have a packet sniffer and log the information on his computer, or even in the router.

Kim then went on to say "So obviously you wouldn't want to do any banking over the unsecured line, because you don't know who's looking at your data."

These struck me as solid words of caution, but potentially incomplete. Presumably your bank would make you log in over an SSL connection. My own understanding is fuzzy, but I believe this means that the data gets encrypted at each end before being sent over the network, and only your client and their server have the information necessary to decrypt the data.

Can anybody confirm or deny that my understanding is correct? Is there some way you know of where the neighbor could read your secure data as plain text? If not, what information is your neighbor lacking that would allow him to see it?

5 comments:

  1. The neighbor would have to be intentionally malicious for an attack to work, and would have to make an attack on a poorly implemented version of SSL. The problem is not with the encryption, but where the encryption keys come from.

    If the server is not utilizing a public key infrastructure, then the client, upon first visit to the server, will (commonly) get a key from a database on the server maintained by the sysadmin. This attack assumes that the client automatically accepts new keys, which is done mostly out of convenience of not having to manually add keys for every server you want to securely communicate with.

    So, your neighbor could set up a man in the middle attack where it emulates the server you want to communicate with, issues a key for the client, who assumes it is talking directly to the server, since it has no previous key to compare with. Then the MITM forwards your packets to the server, using the server's keys for communication with the server, and the fake keys generated by the MITM to communicate with the client. Then it is simply a matter of looking at the packets you are sending to the server, through the MITM.

    I don't know how likely this attack is, since it assumes that the server is not using public key infrastructure (like VeriSign), which is common with major sites where you would really need SSL. It also assumes that the client never communicated with the server before, and thus, doesn't have an original key to compare with. And lastly, assumes that your neighbor is a jerk waiting to prey on you.

    It's not likely to happen with a neighbor, but it would be likely if someone were to set up a public wireless network, as you would have more potential victims connecting through your network, and they might be using their work laptop to check a personal account, which they might not have done before.

  2. I can just imagine some guy in a recliner celebrating another successful Xanatos Gambit with a sinister smile, when he sees that his neighbor finally took the bait and used the unsecured internet connection. Now, he can finally get his neighbor's bank statement information, mwahahaha!!

    You'd think he could just steal his neighbor's mail if he wanted to get some sensitive information, no?

    In all likelihood, if the guy (or girl?!) left the home wifi connection unsecured, they're probably not savvy enough to plan a malicious attack on you.

    ... but... that's just what they'd want you to think, isn't it?

  3. Yeah, a MITM attack is *possible*... but with third-party authentication of credentials, it is VERY hard to really pull off. Most sites do use third party credential authentication.

    The only thing that makes it easier is that most users will blindly hit the "yeah, it's ok" button when the credentials are flagged... but if you're a reasonably savvy user, your spidey-sense should tingle when that warning comes up for YOUR BANK.

    However... for a more playful view on this:
    http://www.ex-parrot.com/pete/upside-down-ternet.html

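The scenario in the first comment (a client that accepts whatever key it is handed on first contact) and the third comment's point about the browser warning are both about the same mechanism: certificate validation. The Go program below is an added example written for this page, not code from the blog or from any commenter. It uses only Go's standard crypto/x509 package; the CA name and the hosts bank.example and neighbor.example are made-up values. It builds a tiny PKI and shows that a validating client rejects both a self-signed certificate carrying the bank's name and a genuinely CA-signed certificate for some other host, while a trust-on-first-use client with no pinned key accepts the forged key and rejects it only once the real key has already been seen.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // demo-only serial numbers; real CAs use large random values

// newCert issues a certificate for name. With a nil parent it is self-signed,
// which is all an impostor can produce without a trusted CA's private key.
// Errors are fatal because this is a demo, not library code.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the hostname a browser checks against
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// pkiCheck is what a validating browser does with the certificate a server
// presents: chain it to a trusted root and confirm it was issued for the
// hostname the user typed. A nil result means "no warning, proceed".
func pkiCheck(presented *x509.Certificate, roots *x509.CertPool, hostname string) error {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// tofuStore models the client from the first comment: no CA at all, it simply
// accepts whatever key a host shows on the first visit and remembers it.
type tofuStore map[string][]byte

func (s tofuStore) accept(host string, presented *x509.Certificate) bool {
	pinned, seen := s[host]
	if !seen {
		s[host] = presented.RawSubjectPublicKeyInfo // first visit: trust and pin
		return true
	}
	return bytes.Equal(pinned, presented.RawSubjectPublicKeyInfo)
}

// Outcome records how each kind of client treats each certificate.
type Outcome struct {
	PKIAcceptsRealBank    bool // CA-signed certificate for bank.example
	PKIRejectsSelfSigned  bool // impostor's self-signed certificate with the bank's name
	PKIRejectsWrongName   bool // CA-signed certificate for another host, shown as the bank
	TOFUFirstVisitAccepts bool // nothing pinned yet, so the forged key is accepted
	TOFUReturningRejects  bool // the real key was pinned earlier, so the forged key fails
}

// RunScenarios builds a toy PKI (all names are constructed for the demo) and runs the checks.
func RunScenarios() Outcome {
	ca, caKey := newCert("Example Root CA", true, nil, nil)
	bank, _ := newCert("bank.example", false, ca, caKey)
	forged, _ := newCert("bank.example", false, nil, nil)       // right name, no trusted signature
	neighbor, _ := newCert("neighbor.example", false, ca, caKey) // trusted signature, wrong name
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	const bankHost = "bank.example"

	var out Outcome
	out.PKIAcceptsRealBank = pkiCheck(bank, roots, bankHost) == nil
	out.PKIRejectsSelfSigned = pkiCheck(forged, roots, bankHost) != nil
	out.PKIRejectsWrongName = pkiCheck(neighbor, roots, bankHost) != nil

	fresh := tofuStore{} // has never talked to the bank before
	out.TOFUFirstVisitAccepts = fresh.accept(bankHost, forged)
	returning := tofuStore{}
	returning.accept(bankHost, bank) // an earlier genuine visit pinned the real key
	out.TOFUReturningRejects = !returning.accept(bankHost, forged)
	return out
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

Every field of the printed struct should be true. The two checks inside pkiCheck, a chain to a trusted root plus a hostname match, are what the neighbor in the post cannot satisfy without a CA-issued certificate for the bank's name, and the warning the third comment describes is a browser surfacing a non-nil result from this kind of check.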
  4. Thanks everyone. Very informative and hilarious.

  5. Just to underscore what Brian posted: This MITM exploit has been demonstrated to work in the past. As of last month, the EV SSL (Extended Verification) that Charlie referred to has also been shown to be vulnerable to exploit now [ http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361180,00.html ].

    Having said that, I know for a fact that my neighbor isn't capable of doing this. Hell, I'm an IT consultant and *I* don't know how to do it.

    Then again, I'm not eeeeeevil...
