I’m in a hotel in Nigeria and 24 hours after arriving our Ebay account has been attacked, the password doesn’t work (also on my Google Chrome login) and I’ve received a dodgy email, which invites me to click on some links, which I WON’T be doing. I got into the web by a different route and the email is definitely a spoof.

Is this just coincidental with me arriving here or could somebody in, say, the hotel’s IT department be hacking guests’ computers through the wi-fi? Free wi-fi has only just been intoduced here so it’s entirely likely that somebody here is taking advantage of it. I don’t understand enough about these things to know if this is possible.

What AV etc are you running?

Do you have security on your laptop?

yep, easily.

Erm… what’s an AV?

I’m running a Sophos check right now and so far nothing found.

Possible? Yes. Though it doesn’t have to be the “hotel’s IT dept”, assuming they even have such a thing, it could just be another guest.

Coincidence? Could be.

Yep. Free wifi is a great way of attacking people’s computers.
It could be the IT team or another of the guests or just about anyone to be honest. you’ll need to extend your search for suspects to roughly a square mile around the hotel, possibly further depending on what equipment they might have.

It is astonishingly easy too. Plenty of freely available tools to help people get on with the job, they don’t have to be smart or geeks.

You should get some type of VPN software back to blighty if you want to be safe. Patch your computer. Don;t trust anything you’ve already connected to from there. in fact don;t trust anything.

we have not got wifi at our nigerian camp for this reason.

we had it … this happened we ditched it.

you want on the net you wire in (not to a network either – straight to the router)

also you might find that just the act of you logging in from nigeria has triggered the attack alarms on EBAy – it did when i was in Equatorial Guinea – just over the water and tried to log into paypal.

Possible, but very very unlikely.

I think t_r’s suggestion of eBay detecting a login from Nigeria is most plausible.

Wow! Great IT help from the STW crew!

Yes, just spoken with Ebay who conform that it was when I logged in from Lagos that they disabled my account.

She says that even the email I rceived, which is a spoof according to the web, was genuine. They are sending me a new login email and I will do it later from my agent’s office.

Last hotel I was in all the guests machines showed up on the Network, basic security in windows preventing access. However there are plenty of tools…. Quite a lot of Bank branded machine names in there too.

This happened to my GF’s laptop, also in Nigeria!

That’s good but you should still remaining immensely suspicious of the public wifi? The above advice is all still valid and that’s the case for any public wifi service no matter where it is.

That’s good but you should still remaining immensely suspicious of the public wifi? The above advice is all still valid and that’s the case for any public wifi service no matter where it is.

this.

When doing my Oracle certs I stayed in a training center and the group in the room next door was running an ‘ethical hacking; course. We all sat in the bar in the evening and watched them hack peoples laptops over the public wifi – you could see when they all came into the classroom and onto the network as the lecturer’s laptop’s AV would start pinging. Easy to do apparently.

(two of the DBA’s on my course were military and extremely unhappy the first time someone tried to hack into their (very secure) laptop. Cue a very burly, very angry man shouting and threatening to insert said laptop into geek orifices)

Personally I’d not access anything in any way sensitive over public wifi…

@ woffle – WTH is ethical hacking?

Yes, just spoken with Ebay who conform that it was when I logged in from Lagos that they disabled my account.

Ah but maybe they’ve hacked the hotel PABX as well and you actually spoke to someone pretending to be from eBay…

@ woffle – WTH is ethical hacking?

Finding security holes and letting the ‘victims’ know so that they can do something about them before being, erm, non-ethically hacked…

Ethical hacking is hacking for the good guys.
So people will attempt to break into IT systems to show where the holes in those systems are to allow the owners to fix the issues before some real bad guys come along and break in.

Ok so assuming I need to use public wifi, what should I do to be as secure as possible?

I select ‘public’ network profile of course, this actually disables file sharing doesn’t it? I’ve got a firewall too of course.

It’s very easy to sit on an open wifi network and snoop the network traffic. If you know what you’re looking for it will give basic things like email addresses and stuff with no problems.

Most banking sites etc are in HTTPS so you have to be a little cleverer to extract any information but my advice would be not to trust any public hotspots.

Ethical Hacking is ace. Really interesting subject!

“Ethical Hacking”? Wash your mouth out! Just call it pen testing and have done with it.

You really want to get a VPN connection back a trusted source and then browse the web via that – that way everything on the local wifi / LAN is encrypted.

As above, while protecting the device itself is a good start, you should also be aware that you may be sending unencrypted credentials over the link. These are very simple to sniff. Use a free VPN to connect to a backbone service that ensure the wifi part of the transmission at least, is protected.

I’d always advise being fully patched as well, that’ll be one of the biggest steps you can make in protecting your device on open networks.

A final point is making sure you are really connecting to the WIFI point you think you are. It’s a relatively trivial matter to spoof an access point and provide a false sense of security.

And for general personal WIFI protection while we’re here.
Never use WEP encryption, use WPA2 if possible.
MAC address filtering is trivial to bypass.
Password length is the best step you can make in securing your own WIFI. Forget that complexity rubbish, make it as long as you can endure. 20 characters at least.

WPA2 was actually faster to fall depending on the router used than WEP used to be….

I use AT&T global network client for work – the question is, is all my traffic going through that or just the work stuff? I guess the former, otherwise it’s a massive security risk for work’s network!

Depends how it is set up. OH used to work for Peugeot and everything on her work laptop went via Paris over a VPN, so web browsing was uber slow as HQ was a bit of a bottle neck – however, very secure.

EDIT: you should be able to work it out:

Bring up a CMD shell and type ‘ROUTE print’ then see where stuff goes….

intersting topic. I wonder how easy it is to hack an android tablet over a public coffee shop wifi? And what precautions can be taken against that happening?

Erm… what’s an AV?

Anti-Virus.

But what security package are you using, and did you fully update it before going out there?

Ok so assuming I need to use public wifi, what should I do to be as secure as possible?

It’s OK, no one would do it to you molly, as it would be both impolite and unfair 😉

WPA2 was actually faster to fall depending on the router used than WEP used to be….

No idea where you get that from. WEP is fundamentally flawed which is why it is so easy to break. WPA2 doesn’t carry the same inherent flaws.

It’s still breakable but only by brute forcing it. WPA2 is only quickly breakable when the key is easy to guess. Some companies used the SSID in the key and others used the MAC address which made them far easier to break but that wasn’t router manufacturer dependent, that was a very poor policy decision

No matter which router you use, if it supports WPA then a long key will render it effectively uncrackable because of the amount of time it will take to brute it.

I wonder how easy it is to hack an android tablet over a public coffee shop wifi?

Normally much quicker if you’ve rooted it as people forget to reset the root password!

For those with concerns Wi-Fi hotspots are inherently insecure, much in the same way that public toilets (great analogy) are. They provide a public service but it’s up to you to make sure you don’t get aids.

Have a read of http://www.guardian.co.uk/technology/askjack/2010/sep/16/internet-wifi-security-ask-jack but the key things are:

1. Have a firewall and have it turned on.
2. Look for the HTTPS / padlock thingy in the browser. Some browsers have add-ons that will doggedly try to use HTTPS (secure) for all communications regardless of what the site wants you to do.
3. If popups appear that you don’t expect, dont click
4. If you get warnings about the security/identity of the site, don’t access – that’ll be your bank details / identity going out of the door

As others have said a trusted VPN or proxy of some kind alleviates a lot of the trust concerns.

Oh and this….

No idea where you get that from. WEP is fundamentally flawed which is why it is so easy to break. WPA2 doesn’t carry the same inherent flaws.

No idea either…..

Hypothetically one could have tried it and be basing it on evidence, but as that would be morally wrong I just guessed.

Normally much quicker if you’ve rooted it as people forget to reset the root password!

Oh dear….

Man in the middle attack is simple, and made easier by the fact that most laptops, phones and tablets automatically try to connect to known networks first. Make sure you don’t appear to be connected to a know home/office/etc. WiFi AP.

If you have a home server on 24/7, then you can do ssh tunnel too. Simple in Linux (and probably OSX), or with Putty on windows. Oh and as a bonus, this trick also lets you do iplayer while overseas, and see all the censored youtube vids in Germany 🙂

Or just tracert.

Answer is – I get to bbc.co.uk without going on my work network.

Answer is – I get to bbc.co.uk without going on my work network.

You have an employer who is relaxed about security!

You have an employer who is relaxed about security!

We already know that, don’t you remember Mogrips recent post regarding amending his work laptop settings?