[SGVLUG] is it possible to sniff packets if you can't get on the wi-fi network?

Homan Chou homanchou at gmail.com
Thu Jan 16 21:44:32 PST 2014


So the takeaway is: the traffic IS encrypted by the router if password
protected to get on the network. I don't know if it's WEP or WPA.

His in-house programmer set up the MAC address whitelisting and now he is
no longer there. I'm not entirely sure what it was for.  The whole setup is
very confusing.  They use PayPal Checkout and don't have a customer login,
so they probably thought they didn't need https. The POS is a separate website. The
POS is not local; it is available on the Internet over http.  The POS is a
different domain and different app server. But the POS website and the
customer-facing website share the same database, so I'm guessing a DoS
attack on the front-end could still use up all DB connections for the
POS.  He's trying to find a new web developer to update his customer site.
But since it's so custom-integrated with the POS, most of them are telling
him he needs to start over. I'm trying to give him some advice and wanted
to understand if keeping legacy code is cheaper or in the long run more
expensive.  Thanks for everyone's input on the security part.

On Sunday, January 12, 2014, Jess Bermudes wrote:

> Promiscuous mode simply means that the NIC will keep packets that are not
> addressed to it. However, in order to know if a packet is addressed to it,
> it has to be authenticated on the network. The packets will otherwise be
> encrypted. The network key is what is used to make sense of the traffic.
> However, as the stackexchange link pointed out, some methods of encryption
> such as WEP offer little protection as known flaws in the protocol allow
> for enough information leak for a passerby to gain enough clues to
> reconstruct the key.
>
> I'm curious as to why he doesn't use https? If his stuff is just local
> then using a locally generated certificate (read: free) would be good
> enough I would think, as the only downside is you'd get Firefox complaining
> that it's an untrusted cert.
>
> Even then with HTTPS, I think the usual solution is that you want to
> partition your network so that your privileged public users can't
> accidentally DoS your POS, even if it's not malicious in intent, e.g.
> someone left their torrenting on or starts a game, etc. I'm not a network
> engineer so perhaps others can elaborate on what it'd take to do that.
> There are software solutions and more expensive hardware solutions
> depending on the need.
>
> If I were him, I wouldn't trust just the MAC whitelisting. Just because a
> machine you whitelisted belongs to somebody you trust doesn't mean the
> machine isn't compromised, nor does that prevent a malicious user from
> attempting to spoof his MAC. I know your friend probably isn't trying to
> protect Fort Knox, but if somebody knows enough to set up MAC whitelists,
> they should look into HTTPS anyway, the prices aren't too bad in many cases
> and if a business can't afford the ~$10/yr for one, that business probably
> has bigger problems than insecure wifi ;-)
>
>
> On Sun, Jan 12, 2014 at 5:32 PM, Dan Kegel <dank at kegel.com> wrote:
>
>>
>> http://security.stackexchange.com/questions/12596/can-a-hacker-sniff-others-network-data-over-a-wireless-connection
>> might explain a bit about the raw wifi part.
>>
>>
>> On Sun, Jan 12, 2014 at 5:29 PM, Jeffrey Kutz <jdkutz_682004 at yahoo.com> wrote:
>> > Interesting question. I am trying to remember back to my Network Design 101,
>> > where we used Wireshark on a wired network. It was my impression that all
>> > that you needed was to see the traffic and Wireshark was happy. It is really
>> > good security to keep people off of your Wi-Fi by whitelisting the allowed
>> > MAC addresses, but I don't see where this would stop someone from seeing any
>> > open and unencrypted traffic. I would be concerned that someone would get
>> > enough information to log onto their private website via a route other than
>> > the local Wi-Fi. I would even question just where the security of https
>> > comes into play. Is there some open traffic before the http turns into https
>> > that would allow some evil-doer to cause trouble?
>> >
>> > I will be following this thread with interest. Next year I will be taking a
>> > security class at my local tech school. You can be sure I will bring this
>> > whole story up for classroom discussion.
>> >
>> >
>> > On Sunday, January 12, 2014 1:32 PM, Homan Chou <homanchou at gmail.com> wrote:
>> > A lot of businesses offer free wi-fi access within their walls as a perk of
>> > being there.
>> >
>> > I have a friend that is a business owner that does NOT offer it because of
>> > "security" reasons.  In fact, in order to get on his wifi, he can't just
>> > give you the password, he actually has to whitelist your MAC address into
>> > his router or something like that.
>> >
>> > His web developer set it up this way because their custom point of sale
>> > program is just a website. And they don't use https.  So my question is, if
>> > that website login form was accessed over non-secure http, is the login just
>> > sent in plain text in packets?  Could someone theoretically observe that
>> > with Wireshark without even being logged in to the wi-fi network?  Or do
>> > you need to be connected to the wi-fi router in order to be able to do that?
>> >
>> > I think it's the former but I'm not a Wireshark expert, can someone
>> > confirm?  (Either way I will tell him he needs https.)  And I want to
>> > encourage him to provide free wi-fi, and if his POS is secured over https it
>> > shouldn't make his business any more vulnerable than he is now, is that
>> > correct?
>> >
>> > Homan
>> >
>>
>>
>
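As an added illustration of the two points argued in this thread (a login form posted over plain http is readable by anyone who sees the frame, and a MAC whitelist only checks six sender-chosen bytes in the frame header), here is a small Python script that is not from the thread or from the POS vendor. It builds a constructed Ethernet/IPv4/TCP frame around a form-encoded HTTP POST, decodes it the way a sniffer such as Wireshark would, pulls out the submitted fields, and applies a whitelist check to a frame whose source MAC was simply set to a whitelisted value. All MAC addresses, IP addresses, hostnames and credentials in it are made up. Note that it works on frames already in the clear; on a WPA-protected network an outsider sees ciphertext on the air, but the same request travels in the clear across every hop of the Internet path once the POS is reachable over http.

```python
import struct
from urllib.parse import parse_qs

# Constructed whitelist standing in for the router's MAC list in the thread.
WHITELIST = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, dport, payload):
    """Wrap a payload in Ethernet II + IPv4 + TCP headers (no options).
    Checksums are left at zero: a passive sniffer never needs them."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + b"\x08\x00"  # EtherType IPv4
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + 20 + len(payload), 0x1234, 0x4000, 64, 6, 0,
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the headers the way a sniffer does and return the TCP payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6:
        raise ValueError("not TCP")
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "src_ip": ".".join(str(b) for b in frame[26:30]),
        "dst_ip": ".".join(str(b) for b in frame[30:34]),
        "sport": sport,
        "dport": dport,
        "payload": frame[tcp + data_off:14 + total_len],
    }


def extract_http_credentials(payload: bytes):
    """Return path and fields of a form-encoded HTTP POST in a TCP payload.
    Returns None for anything else, including a TLS record, which is what
    the same login looks like on the wire over https."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3 or parts[0] != "POST":
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii", "replace").partition(":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    length = int(headers.get("content-length", len(body)))
    fields = parse_qs(body[:length].decode("utf-8", "replace"))
    return {"path": parts[1], "fields": {k: v[0] for k, v in fields.items()}}


def router_forwards(frame: bytes, whitelist=WHITELIST) -> bool:
    """All a MAC whitelist ever checks: six sender-chosen bytes in the header."""
    return parse_frame(frame)["src_mac"] in whitelist


def demo():
    """Constructed login POST, as a browser sends it to an http:// form, in a
    frame whose source MAC was set to a whitelisted value (spoofed)."""
    body = b"username=owner&password=hunter2"
    request = (
        b"POST /pos/login HTTP/1.1\r\nHost: pos.example\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body
    )
    frame = build_frame("00:11:22:33:44:55", "ff:ee:dd:cc:bb:aa",
                        "192.168.1.50", "203.0.113.10", 80, request)
    info = parse_frame(frame)
    return {
        "forwarded": router_forwards(frame),
        "dport": info["dport"],
        "credentials": extract_http_credentials(info["payload"]),
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints the spoofed frame as forwarded by the whitelist and the username and password recovered from the payload; feed the same parser a TLS record (what an https login produces) and it finds nothing to extract, which is the whole argument for moving the POS to https.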