What you need to do is to persuade your ISPis to implement per-session key, possible solution WPA+Radius.
cheers, kos
-- Respectfully, Konstantin V. Gavrilenko
Arhont Ltd - Information Security
web: http://www.arhont.com http://www.wi-foo.com e-mail: [EMAIL PROTECTED]
tel: +44 (0) 870 44 31337 fax: +44 (0) 117 969 0141
PGP: Key ID - 0x4F3608F7 PGP: Server - keyserver.pgp.com
D B wrote:
Hi Mr Coffee
Im using this venue to influence several wireless ISPs to use WEP
They claim the internet is insecure anyway so they wont use it.
I do understand the implications but yes wireless is totally legal to eavesdrop.
The bottom 6 channels run on HAM frequencies and that is specifically mentioned as legal to eavesdrop.
Tis a big can of worms this wireless garbage, I'm just using whatever I can to motivate ISPs ( especially the local one ) to encrypt data.
Thank you for your reply
Dan Becker
--- Mister Coffee <[EMAIL PROTECTED]> wrote:
On Tue, May 11, 2004 at 11:33:25AM -0700, D B wrote:http://www.usdoj.gov/criminal/cybercrime/wiretap2510_2522.htm
I'm not real sure how to post this, nor am I sure
of
the scope. I am still learning about computers.
Ok, no worries. We all start somewhere, right?
All transactions done via secure websites are
secure,
however the auto mailing feature to confirm orders sometimes contains sensitive data.
All transactions done via secure websites are _supposed_ to be secure, but the fact is that information leakage, poor configurations, MitM attacks, and user error, amungst other issues, can render a supposedly secure site insecure.
You are right though. Too many sites will send TMI back in a confirmation email.
When the customer is on a wireless connection, be it ISP or home LAN that data is broadcasted in the clear for anyone within range to eavesdrop.
Not always. The wireless link itself may be
encrypted between the AP and the user's portable
device - with various levels of security. Also, if
they are using a secure website, the SSL traffic is
encrypted separately from the transport medium. That is an end-point to end-point system, so even
sniffing "clear" wirelss traffic will only gain the
attacker cyphertext.
A wired internet connection limits the number of people who have access to
this
data simply by the nature of the internet putting
it
within acceptable risk.
Define acceptable risk? A wired connection is inherently more secure than a wireless connection, but there are going to be points where the traffic can be compromised as long as the traffic is going over the public internet. Both wired and wireless suffer from that. The wireless is only inherently less secure because of the broadcast element somewhere in the data path. That makes the traffic easier to eavesdrop on, but it's not extraordinarly difficult to eavesdrop on wired traffic either.
It is legal according to US law to eavesdrop on
wireless connections.
The safe answer is "No." The real answer _may_ be more complex depending on your circumstances. For example if there's an open AP that's not WEP enabled, the users would have no reasonable expectation of privacy. However, if it came down to how a US Court would see it, the safe answer is usually "no."
This is similar to overhearing conversations on portable phones. You're not supposed to listen in, but if you and another user are sharing the freq, it would be hard to charge either side with eavesdropping. This is NOT the same thing as pointing a high gain 900Mhz antenna at the neighbor's house with the intent to listen in.
Intent does matter in the eyes of the law.
The only solutions I can offer are one of two
things.
1. Quit sending auto confirmations with sensitive
data
Agreed.
2. Encrypt all wireless transmissions at least
making
someone who gains access to this data
prosecutable.
Encryption is a good idea in any case. But it only
changes slightly what a malicious user could be
charged with. If someone steals your credit card
information and uses it, they are guilty of a crime
whether they grabbed it from a cleartext email,
sniffed it off the wire, or stole a carbon copy
receipt.
Simply having the data isn't really criminal. EG. You print out an email that has that information and
leave it by the fax machine for some reason. If I
pick up the paper to use as scratch paper or
something, I haven't done anything immoral,
unethical, or illegal - but I DO have your data.
Please direct all flames to /dev/null
No flames. Not even warm, really...
Dan Becker
Cheers, L4J
__________________________________
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs http://hotjobs.sweepstakes.yahoo.com/careermakeover
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
