[olug] Slightly OT: "Evil Twins" In Wireless Networking
Sam Tetherow
tetherow at sandhillswireless.net
Sun Jan 23 03:39:06 UTC 2005
A wireless network should be treated just like any other network that
you do not controll 100% of the physical access to. All sensitive
information should be encrypted end to end via some form of VPN (tls,
ipsec, ssh, etc). WEP is effectively useless other than keeping out the
trivial/accidental access and should not be considered security any more
than not broadcasting a beacon or using MAC filtering.
There is nothing wrong with wireless (I make my living off of it) but
you have to realize the inherent lack of security and plan appropriately.
Terry wrote:
>Interesting article. When one sends banking information across the
>wire (or air in this point, a certificate is in place or should be in
>place to encrypt this traffic between the browser and the server. I
>feel that if I am not sending the information across a secured channel
>(outside of the wireless "security") then I should be able to
>broadcast the information. The Internet and wireless networks and
>more or less public domain and should be treated as such with regards
>to the information that traverses them unless there is strong
>encryption place.
>
>On Sat, 22 Jan 2005 10:37:24 -0600, Don Kauffman <dekauff at cox.net> wrote:
>
>
>>There's been some discussion about wireless networks here. I saw this
>>article on line and thought it might provoke some discussion and
>>solutions. I personally don't have any wireless connections but know
>>there are those that do.
>>
>>Basically they point out that when you connect to a WAP, there is no way
>>to verify that you've connected to a legitimate access point. What some
>>shady people have taken to doing is providing an "evil twin" WAP which
>>allows them to steal all the information that one sends or downloads,
>>including passwords, banking information, credit cards. They suggest not
>>using the wireless network for sensitive information. As far as I'm
>>concerned that takes away a lot of the utility that one gains from
>>having wireless networking capability.
>>
>>http://www.ebcvg.com/articles.php?id=530
>>
>>To get started, my questions are:
>>
>>1> Is this a legitimate threat? Locally? Broader scale?
>>
>>2> If so, then are there ways to build more security into the wireless
>>networks? How would one detect a fraudulent WAP?
>>
>>3> What might be done in the meantime to minimize the risk?
>>
>>I'm curious to know how OLUGger's see this.
>>
>>Don Kauffman
>>--
>>"Life may not be the party we hoped for... but while we are here we
>>might as well dance."
>>
>>_______________________________________________
>>OLUG mailing list
>>OLUG at olug.org
>>http://lists.olug.org/mailman/listinfo/olug
>>
>>
>>
>_______________________________________________
>OLUG mailing list
>OLUG at olug.org
>http://lists.olug.org/mailman/listinfo/olug
>
>
More information about the OLUG
mailing list