<div dir="ltr">You've already gotten a good response from Brian, but I'd like to add a few things below...<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jan 23, 2013 at 11:07 AM, Ron Frazier (ALE) <span dir="ltr"><<a href="mailto:atllinuxenthinfo@techstarship.com" target="_blank">atllinuxenthinfo@techstarship.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div text="#000000" bgcolor="#ffffff">
Hi David,<br>
<br>
Thanks for the info. I want to get some clarification on a couple of
things. See below.<br>
<br>
Sincerely,<br>
<br>
Ron<div class="im"><br>
<br>
On 1/23/2013 12:57 PM, David Tomaschik wrote:
<blockquote type="cite">
<div dir="ltr">On Wed, Jan 23, 2013 at 8:08 AM, Ron Frazier (ALE) <span dir="ltr"><<a href="mailto:atllinuxenthinfo@techstarship.com" target="_blank">atllinuxenthinfo@techstarship.com</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204,204,204);margin:0px 0px 0px 0.8ex;padding-left:1ex">Hi
all,<br>
<br>
I appreciate all who've responded to this to shed a little light on it
for me. It's very complex, and each answer seems to open up new
questions. I guess I'll have to review the OSI model that I learned
about years ago and look at some of the low level protocols.<br>
<br>
Tell me if the following are true. Assume I'm at my home network.
Even though it's more complex than this, say I had one wifi router
with 4 port switch connected to the cable modem. Suppose I wanted to
run wireshark to monitor things. All PC's, tablets, dvr's, etc are
attached via wifi. The printer is attached to the 4 port switch using
a wire.<br>
<br>
* If I attach my laptop to the switch with a wire and run wireshark, I
would see only the traffic to / from my pc's ip address and nothing
else, except for broadcast traffic like ARP, etc, and then only what
the switch is programmed to forward. I would not, for example, see
traffic destined for the printer unless I'm sending it.<br>
</blockquote>
<div><br>
</div>
<div>It's actually all traffic destined to your PC's MAC
address and the broadcast MAC (FF:FF:FF:FF:FF:FF). Switches are Layer
2 devices, they don't know about IP. (Yes, some devices are branded as
"Layer 3 switches", but it's unlikely that you have one of those in
your house.)</div>
<div> </div>
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204,204,204);margin:0px 0px 0px 0.8ex;padding-left:1ex"><br>
* If my laptop is attached via wifi, then wireshark will see everything
ANY PC on the same wifi ssid is sending or receiving, including traffic
to / from the printer or to / from the internet.<br>
</blockquote>
<div><br>
</div>
<div>Yes, but it's not straightforward. With WEP or
unecrypted wifi, it's just as easy as running Wireshark -- all packets
are visible to all clients. With WPA-PSK, there's a per-client,
per-session key, but if you have the PSK, you can derive the client and
session keys *IF* you captured the handshake: <a href="http://wiki.wireshark.org/HowToDecrypt802.11" target="_blank">http://wiki.wireshark.org/HowToDecrypt802.11</a>
With WPA Enterprise (802.1x) the keys are derived more securely, and
you'd need access to the keystore to decrypt other client's packets.</div>
<div> </div>
</div>
</div>
</div>
</blockquote>
<br></div>
Let's say I'm at my house, or at the local coffee shop. All the wifi
is running WPA PSK. I know the password. I log onto the wifi and
start wireshark. I'm able to observe and capture other machines
logging on, whether they're mine or someone else's. I am thus able to
capture their logon handshake sequences. Are you saying that I would
then be able to decrypt, on the fly, all the wifi traffic traversing to
and from that SSID, except that which is using SSL or a VPN, etc.?
That's very disconcerting for the coffee shop scenario.<br></div></blockquote><div><br></div><div style>Yes, that's exactly the case. WPA PSK is a "Pre Shared Key" so anyone with that key can decrypt any other traffic with that key. Because of the way the session key is generated (the only parameters other than the PSK used are transmitted in the clear) anyone who captures the handshake + has the PSK can re-generate the session key. Known session key = decryptable traffic.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#ffffff">
Let's say I'm at a place with open wifi, like McDonalds. You have to
agree to their TOS to get on, but there's no password. In that case,
then, all the traffic in the room is clearly visible, and readable, and
copyable, including mine, unless I'm using SSL or a VPN.<br>
<br></div></blockquote><div><br></div><div style>Yes.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#ffffff">
Just to clarify that. Let's say I go log on at McDonalds. I start up
Google, type in "horse", link to a wikipedia article, then display a
picture of a horse. Anyone within radio range of the hotspot could
monitor and observe everything I'm doing, correct?<br>
<br></div></blockquote><div><br></div><div style>Yes. See "Cookie Cadger" and "Firesheep".</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#ffffff">
What about email? My Eudora OSE client settings for POP and SMTP are
set to SSL / TLS. But there is a check box that says Secure
Authentication, and that is off. On my tablet, the menus are
different. There is a settings option that I have set to SSL always.
But, there is also an authentication option which is set to plain for
getting mail and login for sending mail. Does that mean that my email
can or cannot be snooped on?<br></div></blockquote><div><br></div><div style>SSL and TLS protect the entire channel. Unless you accept an invalid cert, someone has a valid cert (i.e., compromised CA), or there is a flaw discovered in SSL/TLS, the data within that channel is relatively safe. (Modulo side channel attacks, but I don't know of any practical side channels on SSL/TLS.)</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#ffffff">
<br>
If I'm using the browser, once I establish an HTTPS connection, with my
bank, for example, I'm assuming that connection is no longer snoopable,
even if I'm at McDonalds. Correct?<br></div></blockquote><div><br></div><div style>In theory, yes. Of course, you have to make sure everything you're doing is over SSL (HTTPS). For one, just going to "<a href="http://www.bank.com">www.bank.com</a>" (without typing https://) often lands you on an HTTP version of the page, and then when you log in it goes to SSL. The problem being that it's trivial to intercept your HTTP request and rewrite it so the submission ALSO goes over HTTP.</div>
<div style><br></div><div style>Worse yet is mixed-mode content, which Brian alluded to, but I don't think he sees it as a big threat. On any given website, there are requests for the body of the page (the main request) and additional requests for any JS or images used on the page. Sure, your credentials are in that main request and should be relatively safe, but there's a LOT of risk from the mixed-mode content. Unless cookies are properly protected (i.e., set to https only) they will be sent over those HTTP channels as well, and often that's enough to impersonate a session (Firesheep and Cookie Cadger as examples, again). Even if the cookies were done correctly, having javascript sent in the clear is bad -- anyone who is MITMing the connection can modify the JS and send you malicious JS with the "origin" of your banks website. In other words, that JS can send cookies elsewhere, log keystrokes, etc.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#ffffff">
<br>
I'm also assuming that NONE of my traffic is snoopable once I bring up
a VPN. Correct?<div class="im"><br></div></div></blockquote><div><br></div><div style>If your VPN sets up the default route to go over the VPN -- not all do. (Though commercial services sold for privacy/security generally do. Corporate VPNs are sometimes set up as "split tunnel": only traffic to the corporate network goes through the VPN, saving their bandwidth.)</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#ffffff"><div class="im">
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204,204,204);margin:0px 0px 0px 0.8ex;padding-left:1ex"><br>
* The only way to monitor everything on the network would be to attach
a HUB to the cable modem, attach wireshark to the hub with a wire, then
attach the wifi router to another port on the hub. But, no, then I'd
only see traffic to / from the internet. Traffic routed solely by the
wifi router, between devices, or to the printer, would not be seen.
Also, the PC would be directly exposed to the internet and would be in
potential danger.<br>
</blockquote>
<div><br>
</div>
<div>You could also use a PC with 2 NICs in bridging mode,
but you still need to be between the two machines whose traffic you
want to see. If you have a nice router (or use something like
OpenWRT/DD-WRT) you might be able to put one NIC port into "mirror" or
"monitor" mode where the switch copies all packets to that port.
Something like this works: <a href="http://www.myopenrouter.com/article/10917/Port-Mirroring-Span-Port-Monitor-Port-with-iptables-on-NETGEAR-WGR614L/" target="_blank">http://www.myopenrouter.com/article/10917/Port-Mirroring-Span-Port-Monitor-Port-with-iptables-on-NETGEAR-WGR614L/</a>
(Actually uses iptables rather than the built-in switch, but the
concept is the same.)</div>
<div> </div>
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204,204,204);margin:0px 0px 0px 0.8ex;padding-left:1ex"><br>
* What I'm getting from the prior discussion about firewalls is that,
if any packets come into the NIC, and it triggers an interrupt
presumably, then certain parts of the system software, the tcp/ip
stack, are triggered to deal with the packet even if it's a low level
protocol like ARP. Higher level software in the system, like the
firewall, doesn't even see it, and can't filter it. However,
vulnerabilities may exist even at that low level that could allow the
PC to be compromised.<br>
</blockquote>
<div><br>
</div>
<div>Yes, every packet not dropped by the NIC will be
processed in some fashion, generally by at least the Ethernet/Wifi
stack and the firewall code itself.</div>
<div> </div>
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204,204,204);margin:0px 0px 0px 0.8ex;padding-left:1ex"><br>
* Regarding what Windows or Mac does, you COULD disassemble the
executables in the networking stack to see what happens, although it
would be incredibly tedious and complicated and time consuming to do so.<br>
<br>
By the way, I think it's a stretch to say no Windows PC is safe
(enough) on the internet. Even if 1/3 are infected, as stated on the
Going Linux podcast, which is truly horrible if true, then the other
2/3 are not infected, which amounts to about 700 million users. And,
most of those are probably not even configured properly for maximum
safety.<br>
<br>
I do all the following on my PC's, whether Windows or Linux as
applicable. I think I'm fairly safe. I'm sure I could always do
better. If you think I'm missing something critical, let me know. I
will admit that very few users have done all these things, thus, they
are more vulnerable.<br>
<br>
<snip><br>
<br>
Well, that's all I can think of at the moment. Hopefully, that's
enough. Did someone say I wasn't paranoid enough.<br>
<br>
I'm more concerned when I'm in a restaurant or something, since I don't
have control over their router. I'm sure there is a nat firewall.
However, I'm still on the same lan as everyone else on the wifi. The
only thing I know to do there, other than what I've already done to the
pc, is to crank up hotspot vpn, which I have a subscription to. At the
moment, I know how to do that in Windows, but not in Linux.<br>
<br>
It would be interesting to know if the wifi nic responds to any local
lan traffic once the vpn is up.<br>
</blockquote>
<div><br>
</div>
<div>Sure it will. It will still process packets. After
all, it doesn't "know" anything about a VPN.</div>
<div> </div>
</div>
</div>
</div>
</blockquote>
<br></div>
So, if I'm connected to the wifi at a coffee shop and I have the VPN up
and running, no one can snoop on my traffic. However, if there is a
vulnerability to attack in the networking stack or the firewall, then
that vector is still there and the VPN doesn't protect me from that?</div></blockquote><div><br></div><div style>That's correct.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#ffffff"><div class="im"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204,204,204);margin:0px 0px 0px 0.8ex;padding-left:1ex"><br>
Sincerely,<br>
<br>
Ron</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
David Tomaschik<br>
OpenPGP: 0x5DEA789B<br>
<a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br>
<a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div>
</div>
<br>
</blockquote>
<br>
</div><pre cols="72"><span class="HOEnZb"><font color="#888888">--
(To whom it may concern. My email address has changed. Replying to former
messages prior to 03/31/12 with my personal address will go to the wrong
address. Please send all personal correspondence to the new address.)
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new email messages very quickly.)
Ron Frazier
</font></span><div class="im"><a href="tel:770-205-9422" value="+17702059422" target="_blank">770-205-9422</a> (O) Leave a message.
linuxdude AT <a href="http://techstarship.com" target="_blank">techstarship.com</a>
</div></pre>
</div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div></div>