Doh! You got pwn3d..

Wireless technology has slowly but surely evolved from a luxury to dependency and unless you’ve been living under a rock for just about the last century (no offense to ants, worms or other insects), you’ve started to notice it everywhere. From airports to coffee shops, even to the park across the street, wireless technology is available for your use. Sometimes you have to pay for it and sometimes you don’t, but one thing remains constant for any public use WIFI: it doesn’t care about you! I’m not saying wireless is a technology with or without feelings, I’m saying that every wireless (802.11) provider isn’t taking care of your security, so it’s about time you take the initiative!

Some providers and airports may provide the service free of charge with no questions. Others will force you to a Captive Portal which will allow you to connect, however once you try to access any URL, you’ll be redirected to a login page where you can pay or use your existing login information to ultimately obtain access to the internet via the wireless. This may be a false sense of security for some users as they may not realize that the data they are transmitting is sent in the clear across the network. Remember, authentication does not equal encryption!

If you’re traveling with an attacker in your mists, you’ll probably never notice him but be assured he’ll notice you! All “Johnny Hacksalittle” needs is a wireless card and a 802.11 sniffer (wireshark, kismet, etc..). By locking on to the channel with the most clients and applying the following filter in wireshark an attacker is provided with all of the client’s HTTP activities:

Wow, that was complicated! (can you sense the sarcasm? ) With this trivial technique, an attacker can literally recreate any of the users HTTP activities from the time they start their sniffer to when they stop it. Even more devastating is if the attacker reuses exposed session cookies which would allow him to access any websites you’ve authenticated to without even knowing your username and password! Robert Graham got a good amount of press when he recently publicized how Gmail momentary used HTTP during its login phase which exposed its users session IDs. Although, if the attacker is watching while you’re accessing a website that requires authentication, he can easily filter for HTTP POST requests using “http.request.method eq POST” and potentially sniff your usernames and passwords.

All of this is simply because the 802.11 wireless provider is not using the built in encryption with 802.11, nor are they using any additional mechanisms to ensure the security of your connection (remember they don’t care!). I’m not saying that these 802.11 wireless providers are evil people, they are giving you a service and in turn you are accepting the risks by using that service. So if you still want to use the wireless you just have to be mindful of a couple things.

1. Before entering any data into any field on a webpage, check the URL bar for “https://”. Because HTTPS encrypts all of its data, any of sites the client visits which start with “https://” will not be exposed to this attack, but there are other slightly more advanced attacks which can ultimately trick the user into exposing their sessions. SSL won’t stop the attacker from identifying the website you’re visiting, but it will definitely protect all of your data. Don’t forget what Juan Bocanegra was saying in his blog post, “On the importance of SSL”!
2. If you’re lucky enough to have VPN to your place of work, validate that split tunneling isn’t enabled. An easy test is to go to http://www.whatismyip.com before and after you connect your VPN client. If your IP changes, it’s likely that split tunneling isn’t enabled. With split tunneling enabled, only certain traffic is forced through the tunnel, so you really want to make sure split tunneling is disabled first. If it is, set up your VPN connection and use that to encrypt all of your data. The only downside to this is that you may be subject to the corporate internet filter.

HTTP is used as an example here because it is very common for users to relate to, but this is an issue with all protocols. If there is not built in encryption with the app/protocol you’re using (AIM, telnet, etc..) your activities can be easily monitored by an attacker without you even knowing it! Knowledge is protection (and so is an EVDO card), so be smart about what you’re doing.