RE: Wireless ISPs

["Julian Ho" <julian.ho () sensecurity org>]

> From the PoV of security, yes, putting WEP in does raise the bar a
little.

However, from the Product Mgt PoV of a WISP (having dealt with them in
one of my previous companies):
The claim about "...the internet is insecure anyway so they wont use it"
is baloney.  
The real fact of the matter WISPs are more concerned with how easy
customers find it to get onboard, i.e. associate, without having to
configure anything (or at least just the SSID alone).  Most users look
for minimum fuss and configuration when it comes to WISPs.

If they put WEP in, that's one more thing for customer to do and they'll
go to a competing provider. (and of course, once you put WEP in, you
should use rotating keys if supported and then the customers gotta
follow suit and they'll take their money elsewhere).
Therefore end-user security (at least for the user's perspective)
suffers because of this end-user desire for convenience.
And because the WISPs don't have the time, resources or will to educate
them about the wider security implications, you get what you get. :)
It's the age-old problem of security vs convenience.  


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of D B
Sent: Wednesday, May 12, 2004 3:47 AM
To: Mister Coffee
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Wireless ISPs


Hi Mr Coffee

Im using this venue to influence several wireless ISPs
to use WEP

They claim the internet is insecure anyway so they
wont use it.

I do understand the implications but yes wireless is
totally legal to eavesdrop.

The bottom 6 channels run on HAM frequencies and that
is specifically mentioned as legal to eavesdrop.

Tis a big can of worms this wireless garbage, I'm just
using whatever I can to motivate ISPs ( especially the
local one ) to encrypt data.

Thank you for your reply

Dan Becker

--- Mister Coffee <live4java () stormcenter net> wrote:
> On Tue, May 11, 2004 at 11:33:25AM -0700, D B wrote:
> > I'm not real sure how to post this, nor am I sure
> of
> > the scope. I am still learning about computers.
> Ok, no worries.  We all start somewhere, right?
>
> > All transactions done via secure websites are
> secure,
> > however the auto mailing feature to confirm orders sometimes 
> > contains sensitive data.
> All transactions done via secure websites are
> _supposed_ to be secure, but the fact is that
> information leakage, poor configurations, MitM
> attacks, and user error, amungst other issues, can
> render a supposedly secure site insecure.
>
> You are right though.  Too many sites will send TMI
> back in a confirmation email.
>
> > When the customer
> > is on a wireless connection, be it ISP or home LAN
> > that data is broadcasted in the clear for anyone
> > within range to eavesdrop.
> Not always.  The wireless link itself may be
> encrypted between the AP and the user's portable
> device - with various levels of security.  Also, if
> they are using a secure website, the SSL traffic is
> encrypted separately from the transport medium.
> That is an end-point to end-point system, so even
> sniffing "clear" wirelss traffic will only gain the
> attacker cyphertext.
>
> > A wired internet connection
> > limits the number of people who have access to
> this
> > data simply by the nature of the internet putting
> it
> > within acceptable risk.
> Define acceptable risk?  A wired connection is
> inherently more secure than a wireless connection,
> but there are going to be points where the traffic
> can be compromised as long as the traffic is going
> over the public internet.  Both wired and wireless
> suffer from that.  The wireless is only inherently
> less secure because of the broadcast element
> somewhere in the data path.  That makes the traffic
> easier to eavesdrop on, but it's not extraordinarly
> difficult to eavesdrop on wired traffic either.
>
> > It is legal according to US law to eavesdrop on
> > wireless connections.
> The safe answer is "No."  The real answer _may_ be
> more complex depending on your circumstances.  For
> example if there's an open AP that's not WEP
> enabled, the users would have no reasonable
> expectation of privacy.  However, if it came down to
> how a US Court would see it, the safe answer is
> usually "no."
>
> This is similar to overhearing conversations on
> portable phones.  You're not supposed to listen in,
> but if you and another user are sharing the freq, it
> would be hard to charge either side with
> eavesdropping.  This is NOT the same thing as
> pointing a high gain 900Mhz antenna at the
> neighbor's house with the intent to listen in.
>
> Intent does matter in the eyes of the law.
>  
> >
http://www.usdoj.gov/criminal/cybercrime/wiretap2510_2522.htm
> > The only solutions I can offer are one of two
> things.
> > 1. Quit sending auto confirmations with sensitive
> data
> >
> Agreed.
>  
> > 2. Encrypt all wireless transmissions at least
> making
> > someone who gains access to this data
> prosecutable.
> >
> Encryption is a good idea in any case.  But it only
> changes slightly what a malicious user could be
> charged with.  If someone steals your credit card
> information and uses it, they are guilty of a crime
> whether they grabbed it from a cleartext email,
> sniffed it off the wire, or stole a carbon copy
> receipt.
>
> Simply having the data isn't really criminal.  EG.
> You print out an email that has that information and
> leave it by the fax machine for some reason.  If I
> pick up the paper to use as scratch paper or
> something, I haven't done anything immoral,
> unethical, or illegal - but I DO have your data.
>  
> > Please direct all flames to /dev/null
> No flames.  Not even warm, really...
>
> > Dan Becker
> Cheers,
> L4J



        
                
__________________________________
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs  
http://hotjobs.sweepstakes.yahoo.com/careermakeover 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html