UK politicos easily pwned on insecure Wi-Fi networks

The well-understood risk of insecure, public Wi-Fi networks has been graphically illustrated with demonstration hacks against three prominent UK politicians. The pen-testing style experiment demonstrates the ease with which email, finance and social networking details can be stolen while using free Wi-Fi in cafes, hotels and …

  1. Anonymous Coward
    Anonymous Coward

    No SSL/TLS?

    How, exactly, did they get credentials from SSL sessions? Did they use a 0-day exploit in SSL to perform a MitM attack of some sort?

    Or is all this only talking about services that don't use SSL (or lifting credentials from one of those, then seeing if the password is reused on something more important)?

    The point being that SSL is designed to keep the communication secure across a hostile network. For all intents and purposes, the internet, wireless or wired, is considered to be a hostile network. Unencrypted WiFi isn't really different in terms of its security profile than making the same connection over a wired network.

    1. Velv
      Childcatcher

      Re: No SSL/TLS?

      SSL?

      That protocol that's now deprecated and shouldn't be used. If we in the industry can't get it right, what chance has Joe Public got?

    2. Dr.DavidDavidson
      Mushroom

      Re: No SSL/TLS?

      They didn't even bother bypassing SSL/TLS it sounds like.

      What they did was inject a "please log in" popup into existing non-SSL'd web traffic (basically, phishing, just done a bit differently) according to the article. It is a fairly effective way of getting people to give over creds once you are in a man-in-the-middle position :)

      1. Destroy All Monsters Silver badge
        Pint

        Re: No SSL/TLS?

        And anyway "Dave" Cammy is gearing up to have it outlawed so that new, better, backdoored crypto from DUHMURRICA can be employed for the best of all of us.

      2. User McUser

        Re: No SSL/TLS?

        What they did was inject a "please log in" popup

        From the way the article and the video are portraying it, it would appear that only MEP Honeyball got a pop-up phishing message. Lord Strausburger had an unencrypted VOIP session packet-sniffed/recorded and the password capture method for MP Davis was not specifically stated, although HE said: "Alarmingly, the password would have been broken no matter how strong it was. Public Wi-Fi is inherently insecure: usernames and passwords are shown in plain text in the back of a Wi-Fi access point, making them simple for a hacker to steal" which implies heavily that he was not using an encrypted protocol for at least one of his logins. Password reuse did the rest.

    3. Roland6 Silver badge

      Re: No SSL/TLS?

      Remember SSL/TLS VPN is vulnerable at session establishment time to MitM, particularly if you're not using PKI and 802.1x certificates.

      What the article omits to mention, is whether the devices being used were personal or official HoC IT supplied devices and hence should be secure by default...

      1. Anonymous Coward
        Anonymous Coward

        Re: No SSL/TLS?

        The lady's device was gov't issued.

    4. NoneSuch Silver badge
      Flame

      Re: No SSL/TLS?

      No secure communications can be made on systems, protocols and designs created by the Americans. They have deliberately undermined those standards since their inception to be able to crack them easily.

      The only way forward is an open source methodology with international review combined with strong encryption standards where the algorithms are public and available for stringent testing.

      Anyone who depends on the 'Mericans for security will be disappointed long term.

      1. DubyaG

        Re: No SSL/TLS?

        "No secure communications can be made on systems, protocols and designs created by the Americans."

        The Americans (of which I am one) are not the only players. Everybody's stuff is being hacked by everybody else. Get your routers from Huawei and let the Chinese in your conversations instead of the Americans. Same stuff different pack of nerds.

      2. Velv
        Black Helicopters

        Re: No SSL/TLS?

        @NoneSuch

        "The only way forward is an open source methodology with international review combined with strong encryption standards where the algorithms are public and available for stringent testing."

        Yes, because that's worked so well for OpenSSL.

        The concept of open source is great, the reality is that we rely on other people not only to do the review, but we need to trust them to be honest with their review. So unless you co-ordinate the reviewers, how do you know you've got the right and appropriate reviews, and if someone does co-ordinate the reviewers, how do you know they've not influenced the results.

  2. ZSn

    Unfair

    While this is amusing I think this is a tad unfair. Most people (obviously not those that read the register) think they know how to use a computer and clearly don't. In truth it's a bit like the medical profession - you take the pills and assume the quack knows what they're talking about. With the work laptop most people would assume that it's secure.

    It's a bit like driving - the vast majority of people think that they are above average, misunderstanding the word average obviously. Not me however, I even scare the locals in Brussels.

    1. BillG
      Angel

      Re: Unfair

      This is why I never use public WiFi. I stick to my phone and tablet's 4G/LTE.

      1. Anonymous Coward
        Linux

        Re: Unfair

        "This is why I never use public WiFi. "

        There's nothing wrong with public wifi. However I will always use OpenVPN when connected and pass all traffic down it. Get your server to listen on 443/tcp and it looks like ordinary https to the router.

        I also run a hand crafted set of firewall rules on my laptop and Squid + some extras and proxy myself (which isn't as painful as it might sound) when the VPN fails for whatever reason or is too slow.

        Using your phone is good advice to give to non-techies though, so have a UV on me.

        1. Anonymous Coward
          Anonymous Coward

          Re: Unfair

          There's nothing wrong with public wifi. However I will always use OpenVPN when connected and pass all traffic down it. Get your server to listen on 443/tcp and it looks like ordinary https to the router.

          Does that really work? It'll be interesting to test, but AFAIK packet inspection stops such fudges.

          At present, all I do on public WiFi is use email which is explicitly forced into encryption (we killed off the unencrypted stuff ages ago, mainly because unencrypted authenticated SMTP transmits UID/PWD pairs in cleartext), but we too are looking at tunnelling everything back home via VPN as a next step because especially the non-tech people need something that is easy and a VPN is about the simplest approach possible as it means otherwise no change to what they do.

          Anyway, time to find an iOS app that supports OpenVPN.

          1. swampdog

            Re: Unfair

            All I've ever done when using my laptop outside of the house is..

            "ssh (-YC) -L localport:destination:remoteport somename@securehost"

            ..then use the services/applications of "destination" via "securehost". The laptop is essentially nothing more than a remote terminal. Worst case scenario is the laptop gets nicked. No data is on it other than the key for securehost.

  3. Doctor_Wibble
    Megaphone

    Your Screen, It Lies To You

    The best way to ensure security is to start with the assumption that everything on your screen is a lie, and work back from there.

    I am not me, you are not you, this site is not El Reg, and there is no such thing as the internet.

    Fortunately for everyone I have a warehouse full of pens, pencils and paper which I could make available to my esteemed co-commentards at particularly favourable prices and with only a small and extremely reasonable charge for P&P per item, each sent separately for your convenience, payments cash-only and in advance for greater security. Roll up roll up I'm not asking five haddock I'm not asking four etc...

    1. Destroy All Monsters Silver badge

      Re: Your Screen, It Lies To You

      “I used to dig in the garden, and there isn’t anything fantastic or ultradimensional about crab grass…unless you are a sf writer, in which case, pretty soon you’re viewing crabgrass with suspicion. What are its real motives? And who sent it in the first place? The question I always found myself asking was, What is it really?”

    2. Anonymous Coward
      Anonymous Coward

      Re: Your Screen, It Lies To You

      The best way to ensure security is to start with the assumption that everything on your screen is a lie, and work back from there.

      Yes, that surprised me. They're politicians, they must be used to reading stuff on screen that is complete fiction, comes with the job :)

  4. Anonymous Coward
    Anonymous Coward

    That's three politicians who understand now

    So perhaps they could explain to that idiot posh boy from Oxfordshire why even ordinary people, doing ordinary things, with "nothing to hide", really do need encryption to stay safe. The sort of encryption that doesn't have backdoors the size of barn doors.

    1. M7S

      Re: That's three politicians who understand now

      To be fair DD has pretty much always understood, and been an advocate against too much of an intrusive state as well, but reinforcing the message never hurts

  5. Dr.DavidDavidson
    Alert

    Dodginess abounds...

    Well now, that all sounds proper bad dodgy!

  6. MissingSecurity
    Pint

    Wireshark ...

    Is a protocol analyzer, and not strictly a security tool. I don't know why this frustrates me, but it seems that even based admins think of Wireshark as some free tool designed to break into networks. It's like saying water is a drowning tool for murders.

    Anyway, carry on, have a beer on me ...

  7. Anonymous Coward
    Anonymous Coward

    What? No VPN to a remote egress point?

    Don't!

  8. simmondp

    Another vendor flogging a product with FUD

    Why are the "experts" in this area not coming together to define how to work securely on open, public WiFi?

    Secure protocols, with tools that switch on certificate pinning and force HTTPS only, and only allow you to connect with trusted sites must be the way to go; rather than needing to buy a VPN service from a company, as this:

    a) does not solve the underlying problems, and

    b) won't be used by the majority of the public, and

    c) is liable to the same interception / attacks by anyone who owns the termination node.
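
The controls listed in the comment above (HTTPS only, trusted sites only, certificate pinning), sketched as an added example that is not part of the original comment or any vendor's code. The host name, the policy table and the stand-in certificate bytes are constructed for illustration.

```python
import hashlib
import socket
import ssl
from urllib.parse import urlsplit

# Constructed policy: trusted host -> set of SHA-256 fingerprints (hex) of the
# DER-encoded certificates accepted for it. The bytes below are a stand-in for
# a real certificate so the checks can be exercised offline.
SAMPLE_CERT_DER = b"constructed-stand-in-for-a-DER-certificate"
POLICY = {
    "mail.example.org": {hashlib.sha256(SAMPLE_CERT_DER).hexdigest()},
}


def check_destination(url, policy=POLICY):
    """Return the host if the URL is HTTPS and on the trusted list, else raise."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing non-HTTPS URL: " + url)
    host = (parts.hostname or "").lower()
    if host not in policy:
        raise ValueError("host not on trusted list: " + host)
    return host


def pin_matches(host, der_cert, policy=POLICY):
    """True if the presented certificate's fingerprint is pinned for host."""
    fingerprint = hashlib.sha256(der_cert).hexdigest()
    return fingerprint in policy.get(host, set())


def open_pinned(url, policy=POLICY, timeout=10):
    """Open a TLS connection only if scheme, host and pin all check out."""
    host = check_destination(url, policy)
    port = urlsplit(url).port or 443
    ctx = ssl.create_default_context()  # normal CA and hostname validation
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout),
                           server_hostname=host)
    # The pin is checked in addition to, not instead of, CA validation.
    if not pin_matches(host, sock.getpeercert(binary_form=True), policy):
        sock.close()
        raise ssl.SSLError("certificate does not match pin for " + host)
    return sock
```

A certificate that chains to a trusted CA but is not the pinned one is rejected by `open_pinned`, and a plain `http://` link is refused before any connection is made.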

  9. Graham Marsden
    Facepalm

    And I have no doubt...

    ... that other politicians, when they are told about this...

    .

    .

    .

    .

    .

    ... will immediately rush through a set of laws making what the White Hats did illegal!

  10. MrZoolook
    Holmes

    An admission of spying powers

    Quote: “I think something should be done, because we all think that passwords make the whole thing secure. I always thought that was the point of passwords. I am surprised and shocked"

    Really? So if you thought passwords were that secure, why have you lot been pushing for biometric data under the guise of increased security if it wasn't needed?

    I'm taking that statement as an admission, from her at least, that biometrics are being pushed simply for an alternative instead of personal security. Don't know about anyone else.

    1. Anonymous Coward
      Anonymous Coward

      Re: An admission of spying powers

      That quote frighteningly sounds like coming from a child that discovers a Sad Truth Until Now Hidden By Parents.

  11. Robert Knight

    There are ways of mitigating some of this - for example, a low cost Android device which enables a user to connect to public Wi-Fi, enter details into any landing page (captive portal) and then share the connection to their main device(s) over Wi-Fi. This allows a stronger security policy on the main device (laptop, tablet, hybrid, phablet etc.) which protects that device from malware infection etc.

    Whilst there is potential for the low cost device to be compromised, this is the whole point of it - i.e. it's sacrificial, if necessary.

    Good practice might also be to use a credit card with a low balance/credit to minimise theft etc.

    1. Roland6 Silver badge

      Re: There are ways of mitigating some of this - for example, a low cost Android device

      I think you are thinking of the Alcatel-Lucent Nonstop Laptop Guardian which has been around since 2007. However, whilst it is now a software solution and has been ported to cheaper hardware than the chunky PCMCIA card it was launched on. Whilst it isn't a cheap solution, it is used by others such as BT in their MobileXpress offer.

      1. Robert Knight

        Re: There are ways of mitigating some of this - for example, a low cost Android device

        No, we actually supply these devices (not the 2007 devices you describe). We have both Android smartphones as well as mini-routers.

        These are primarily designed for public sector and more security conscious private sector (regulated etc.). They enable public Wi-Fi connections to be remediated (i.e. the splash screen/captive portal) on a low cost, separate device which then shares its connection to one or more (up to 10) corporate laptop/tablet/smartphones etc.

        Since the corporate device can apply a much stronger security policy (i.e. closed firewall, VPN etc.), it means that there is less risk since they simply VPN through the device once the public Wi-Fi is unlocked.

        As the devices NAT connections and have an in-built firewall, they provide additional protection to connected end-points.

        1. Roland6 Silver badge

          Re: There are ways of mitigating some of this - for example, a low cost Android device

          @Robert Knight - Seems that I need to do some updating on losingthewires new products.
