SoylentNews is people
SoylentNews
from the forgot-to-put-the-key-in-the-switch dept.
There are plenty of reasons not to use hotel Wi-Fi. It’s often expensive, sluggish, and unreliable. Sometimes it seems like nobody knows the network password, and when trouble arises it’s hard to convince the front desk that there’s a problem with their network, not one with your devices.
Now you can add something new to that list: Hackers are using hotel Wi-Fi to steal data through zero-day vulnerabilities that companies like Adobe and Microsoft aren’t even aware of. ( http://blogs.wsj.com/digits/2014/11/10/cybercrime-gang-targets-execs-using-hotel-internet/?mod=ST1 )
Kaspersky Lab has appropriately dubbed the attacks the Darkhotel APT ( https://securelist.com/blog/research/66779/the-darkhotel-apt/ ). (It’s not as catchy as Heartbleed, but it’s a little more explanatory, I guess.) Darkhotel works by taking advantage of hotel Wi-Fi’s public nature and the willingness with which many people install updates to popular software like Adobe’s Flash. Hackers are said to have used the tactic to steal information from people traveling in Asia, but researchers found that the malware infected computer across North America and Europe, too.
(Score: 2) by TheLink on Tuesday November 11 2014, @04:39PM
I suggested this years ago:
http://it.slashdot.org/comments.pl?sid=457132&cid=22455074 [slashdot.org]
Current wireless solutions in practice don't have something like https usage.
Where "anonymous" users can securely communicate with servers (that can be validated - if the users actually care).
If you have a WiFi network secured using a naive shared key method, anyone with the shared key can decipher the access of the other users. This might be fine in your house, but not good in some public cafe.
Seems the way around this with current WiFi technology is to let every user use an account - username and password.
Apparently in this case even if users share the same username and password, using WPA2 or whatever (I can't be bothered to keep accurate tabs on below par crap ;) ) they can't decrypt each others sessions. Not sure if this is 100% true given the track record ;).
Assuming it's true, it would be much easier if Windows (and other O/Ses) would default to a standard username and password AND also check the cert of the AP (and issue warnings if it looks dodgy). You should be allowed to log in using a particular user account, or be prompted if the AP rejects the default.
Then people like Starbucks/BK/etc could use certs for their WiFi networks, and customer can have reasonably secured comms at least between themselves and the AP.
The WiFi Alliance should have copied the SSL _concepts_ and got the help of decent security people, rather than coming up with crap year after year (for how many years?).
IBM announced something similar later: https://media.blackhat.com/bh-us-11/Arsenal/BH_US_11_Cross_Arsenal_Secure_Wireless_Slides.pdf [blackhat.com]
And I think there's some bunch going about trying to do it with limited success - seems some clients require specifying a client certificate even if none is required.
But overall not many seem that interested. I guess we have to wait for it to become a big enough problem?