How about a simple keystroke logger embedded on your computer at the campground. Once they have that done it seems to me things would be incredibly easy for the hackers. Or do the banks and brokers somehow also prevent that from happening?
OK, so if wifi providers such as CG's, McD's, Staples, clubs, rest stops, restaurants, hot spots, "ignorant" private citizens, etc. and the folks like me who connect to them are so at risk, why don't I hear about calamities by the millions or thousands or hundreds every day?
Finally Fulltiming wrote: OK, so if wifi providers such as CG's, McD's, Staples, clubs, rest stops, restaurants, hot spots, "ignorant" private citizens, etc. and the folks like me who connect to them are so at risk, why don't I hear about calamities by the millions or thousands or hundreds every day?
Methinks the sky is falling.
Because its allot more productive to data mine a large server farm than a few guys at a campground.
christopherglenn wrote: The problem with wifi is "man in the middle". I can put a wifi access point, and a proxy server (with VERY special software). You connect ot my wifi, and go to yourbank.com, My server connects to your bank (this is what proxy servers normally do), and makes a second website, just for you, with all the information that yourbank.com sends to my server. - complete with login fields. You have a ssl (encrypted) connection to my server, I have a ssl connection to yourbank.com. All the data that goes from you to your bank passes through my server, and it is not encrypted while I pass it from one ssl to the other. From your end it looks fine, from your banks it looks fine. I have clear text of your password, username, account number, balance, etc. I can log back into your bank as soon as you log off and transfer money from account to account, and (if you bank allows it from the internet) wire money offshore.
Generally, your MITM attack has a problem in that you won't be able to authenticate yourself as the bank. You may intercept the bank's public key, but if you send that to me, you won't be able to decrypt messages because you don't have the bank's private key. If instead you swap your public key for the bank's, then I will receive a warning that the digital certificate is not valid.
Tom
Keep in mind, sence I am the proxy server, I see all of your traffic coming and going. I can intercept the message checking if the key is invalid, and replace my public key with the banks public key, and pass the "all ok" message back to your computer.
If all else fails I can just use brute force with the banks public key, and assuming the first things you type are your username, and password, keep encripting letter and number combos locally till I find a match. Worst case you have 50 characters combined, (most are closer to 20 combined).
If you are concerned about security, it is best to start with the weakest link first.
Panda Security recently estimated that 50% of all PCs are already compromised. There are so many flaws in the way that Windows is designed and built that there is a constant race between the hackers and Microsoft. New vulnerabilities are exposed and new fixes are put in place, but two things happen - there is always a gap in time between the new hack and the corrective patch which usually takes weeks or months. Even if you do security updates several times a day, your computer can be vulnerable on any random day, and there is nothing you can do to prevent it.
Of course the weakest link is the user. People are always clicking on bad links, failing to update their security, answering bogus emails, etc.
So, the best we can do is be religious about updating Windows and our security programs (everyone should be running several all the time), and avoiding stupid behaviors.
The saving grace is that the banks tend to eat the losses from computer fraud - which we pay for in the end spread across every customer hidden in bank fees to merchants which are reflected in the prices we pay.
christopherglenn wrote: The problem with wifi is "man in the middle". I can put a wifi access point, and a proxy server (with VERY special software). You connect ot my wifi, and go to yourbank.com, My server connects to your bank (this is what proxy servers normally do), and makes a second website, just for you, with all the information that yourbank.com sends to my server. - complete with login fields. You have a ssl (encrypted) connection to my server, I have a ssl connection to yourbank.com. All the data that goes from you to your bank passes through my server, and it is not encrypted while I pass it from one ssl to the other. From your end it looks fine, from your banks it looks fine. I have clear text of your password, username, account number, balance, etc. I can log back into your bank as soon as you log off and transfer money from account to account, and (if you bank allows it from the internet) wire money offshore.
Generally, your MITM attack has a problem in that you won't be able to authenticate yourself as the bank. You may intercept the bank's public key, but if you send that to me, you won't be able to decrypt messages because you don't have the bank's private key. If instead you swap your public key for the bank's, then I will receive a warning that the digital certificate is not valid.
Tom
Keep in mind, sence I am the proxy server, I see all of your traffic coming and going. I can intercept the message checking if the key is invalid, and replace my public key with the banks public key, and pass the "all ok" message back to your computer.
If all else fails I can just use brute force with the banks public key, and assuming the first things you type are your username, and password, keep encripting letter and number combos locally till I find a match. Worst case you have 50 characters combined, (most are closer to 20 combined).
Yep, makes much more sense to expend all that time and effort going after one identity of unknown value than going after a server full of identities.
Now where did they put the sarcasm key?
Joe and Dakota, the wacko cat
2006 Dodge 3500 QC CTD SRW Jacobs Exhaust brake
2006 Heartland Bighorn 3600RL, MorRyde suspension, TrailAir pinbox http://happykayakers.com/blogger/
mockturtle wrote: I guess we could all go back to using cash.
Personally, I like cash currency just fine, but I don't think there is any reversing the ongoing trend of moving away from a cash based system. For example, if you are a vendor at the weekend farmers market and you don't accept some type of electronic payment such as CC, debit, EBT, as well as cash, you will simply not be able to compete, at least not for long.
Offline
