Newbie question about wireless access & security

[Infohawk]

Hi,

I was thinking about getting a wireless card to access my school's network and also to try and access some public places if possible. My school's warning is that information sent over the wireless network is not secure and cannot be protected.

I don't like the idea of sending passwords over the airwaves if they are easily intercepted.

Is there anyway to make sure my passwords don't get intercepted? If you use SSL, does that protect you when you sent info to secured webpages? Or can people just intercept them? How hard is it it to intercept passwords?

I'm pretty much only worried about passwords since I don't know what else might be compromised if I access a wireless point. (I wouldn't really care if someone saw me downloading the latest redhat iso [i use winxp usually]).

Thanks

 

[SaigonK]

There are tons of ways to secure the wireless networks out there....

SSL is the next generation of security, it will make the use of VPN over wireless obsolete.
If you are using 128Bit-WEP you should be fine, you have to push a TON of data to be hacked, it just isnt going to happen at your home or at school.

 

[Infohawk]

There are tons of ways to secure the wireless networks out there....

But how can I know if my school's used one of those ways? All I know is they require logins.

What about at internet cafés? I have no control over their security...

Can I still be confident in sending passwords over the air if my browser has that gold lock in it?

 

[SaigonK]

Check with the IT department at your school, as far as cafes, they usually dont use anything since they want to make it easy for the customer to get on and get surfing.

 

[Infohawk]

Related question:

I know that if you use a pop mail password in an internet café, someone could sniff it. But what if you use ssl in an internet cafe to send your password (to say yahoo mail for example)? Couldn't someone just sniff the key and then get the password? :Q

 

[SaigonK]

If they can sniff out SSL and get something form it, then they deserve to get whatever they find.
You should be fine, I dont know of anyone breaking SSL yet.

 

[akseli]

I don't think you shoud worry about anything. First of all I doubt that anyone will bother hacking you just to see what e-mails you have recieved...

Your school most probably uses wep, I don't think that they are dumb enough to leave their networks unprotected.

 

[Antoneo]

Originally posted by: akseli
I don't think you shoud worry about anything. First of all I doubt that anyone will bother hacking you just to see what e-mails you have recieved...

Your school most probably uses wep, I don't think that they are dumb enough to leave their networks unprotected.

You're probably right about most people not caring about the data that is being sent over but there probably will be a select few that pride themselves in doing so. I usually just don't do any money transactions over the wireless at my school.

My schools (and many other schools for the most part I've seen) do not enable WEP in order to reduce the amount of frustration and complaints. They would rather have a network that is simply setup and usually disable it.

 

[Soybomb]

Originally posted by: akseli
I don't think you shoud worry about anything. First of all I doubt that anyone will bother hacking you just to see what e-mails you have recieved...

Your school most probably uses wep, I don't think that they are dumb enough to leave their networks unprotected.

Wep is about the closest to unprotected you can get though

Use it but just you would on an untrusted lan do not transmit any sensitive data in clear text. Use ssl/ssh, etc. I use my laptop on wifi to log into servers, look at network monitoring tools, check email, etc but only if its available over a channel with strong encryption.

 

[SaigonK]

Contrary to popular belief, WEP is actually strong enough.
Again, you have to sniff a TON of data to find the WEp keys, then you have to break them. Allot of schools are using rotating keys every so many minutes to make it harder to sniff them out.

I can say i cant wait for SSL over wireless, by bye Wep and bye bye VPN solutions.

 

[Soybomb]

Originally posted by: SaigonK
Contrary to popular belief, WEP is actually strong enough.
Again, you have to sniff a TON of data to find the WEp keys, then you have to break them. Allot of schools are using rotating keys every so many minutes to make it harder to sniff them out.

I can say i cant wait for SSL over wireless, by bye Wep and bye bye VPN solutions.

Heh I guess it depends on your data. Wep is a weak encryption algorithm. I wouldn't trust my sensitive data behind it anymore than I would to trust shorts to be adequate insulation in the arctic. At the local univeristy there are a few access points with leap, but most are clear and open. I'm paranoid

Perhaps this is a dumb question because I've never played with it from this standpoint, but lets say WEP is as strong as blowfish or 3des or something. If everyone on the wlan has the wep key(s) it doesn't matter since someone else on the wlan with their card in promiscious mode could capture your data as long as they have the same keys right? You'd certainly cut down on the potential number of eavesdroppers but still have a very large base of them.

 

[SaigonK]

you are correct, that is the real weakness of WEP, not that one person has the key, but that so many have it.
You personally may not push 1gb of data across your pipe in 8 hours, but you neighbor might and as such he gets "hacked".

Rotating WEP keys is a nice way to solve this. Enterasys has this down to a science.

 

[Soybomb]

Originally posted by: SaigonK
you are correct, that is the real weakness of WEP, not that one person has the key, but that so many have it.
You personally may not push 1gb of data across your pipe in 8 hours, but you neighbor might and as such he gets "hacked".

Rotating WEP keys is a nice way to solve this. Enterasys has this down to a science.

I'm not even concerned as much that my neighbor might make enough traffic to allow the third party to crack wep, but instead that my neighbor already has the key and I don't trust him since he could snoop on my data even easier and might well have more cause to do so being an angry coworker, nosy janitor wanting to cause problems, or a student wanting to just snoop.