[ale] how can a firewalled PC POSSIBLY be attacked?

Brian MacLeod nym.bnm at gmail.com
Wed Jan 23 14:58:08 EST 2013


On 1/23/13 2:07 PM, Ron Frazier (ALE) wrote:

> Let's say I'm at a place with open wifi, like McDonalds.  You have
> to agree to their TOS to get on, but there's no password.  In that
> case, then, all the traffic in the room is clearly visible, and
> readable, and copyable, including mine, unless I'm using SSL or a
> VPN.
> 
> Just to clarify that.  Let's say I go log on at McDonalds.  I start
> up Google, type in "horse", link to a wikipedia article, then
> display a picture of a horse.  Anyone within radio range of the
> hotspot could monitor and observe everything I'm doing, correct?


Absolutely.


> What about email?  My Eudora OSE client settings for POP and SMTP
> are set to SSL / TLS.  But there is a check box that says Secure 
> Authentication, and that is off. On my tablet, the menus are
> different. There is a settings option that I have set to SSL
> always.  But, there is also an authentication option which is set
> to plain for getting mail and login for sending mail.  Does that
> mean that my email can or cannot be snooped on?


The Secure Authentication setting determines whether the password is sent
in the clear or is hashed in some way on the channel in use.

If you are talking SSL for the channel, then your password is
encrypted like all the other traffic in the channel, but to anyone
(any app) on that channel, it is not.  So, the other users of the
Wifi hotspot would just see SSL encrypted stuff; the apps at each end
of the connection see the password in a less secure way (in this case,
plaintext).  Not ideal, but far better than any other combination.

Your email viewing would be encrypted via SSL.


> If I'm using the browser, once I establish an HTTPS connection,
> with my bank, for example, I'm assuming that connection is no
> longer snoopable, even if I'm at McDonalds.  Correct?


The connection to the bank, and any requests used on the channel, are
not snoopable.  But beware that not everything on a webpage is always
sent through that encrypted channel.  You may have seen your browser
warn on this that some elements of the page are encrypted and some are
not.  Naturally the personally identifiable stuff should be in the
encrypted bits, but it might be possible for someone to figure out
what it is you are connecting to with the unencrypted bits.

Fortunately, most banks have stopped using that stupid mixed mode. At
least, I hope they have...  :-/


> I'm also assuming that NONE of my traffic is snoopable once I bring
> up a VPN.  Correct?


This is absolutely 100% NOT GUARANTEED! It depends on the settings of
the VPN client in use (which you may or may not be able to change), as
well as the VPN service/concentrator settings on the other end (unless
you administer it, good luck).  Your typical traffic _CAN BE_ 100%
secured if the VPN effectively becomes the default route for
communications, which is typical of most workplace VPNs (and why one
must be careful of viewing questionable materials on machines with
workplace VPNs -- so, hint, hint, separate work/personal machines),
but unless you have confirmed this with the operator of the VPN, be
wary.

It also depends on whether the VPN is a routed or bridged VPN.  Routed
is typical, but that means that broadcast communications and all Layer
2 traffic are (usually) not sent through it, just Layer 3, and usually
just TCP/IP.  Bridged VPNs nearly always send all traffic (Layer 2 &
3, broadcast), but come at a cost of potentially disrupting local
network connectivity (DHCP broadcasts get directed off of the local
LAN, so you may lose all connectivity when your lease expires).  There
are ways to configure clients to behave well in that instance, but
that effectively means that no, not all traffic is protected by the
VPN.  But a 100% secure VPN is also severely limiting.

That said, in most cases, the stuff you are worried about
transmitting/receiving isn't going to be broadcasts and layer 2 traffic.
It will be TCP/IP based and likely routed through the VPN.  But the VPN
provides no host security from the network it is being used on -- or
perhaps more clearly: A Windows machine running a VPN connection on
McDonald's wifi is still vulnerable to threats on that wifi, even if
the bank site is SSL secured and being transmitted through the VPN.

There is a large scale of implementation questions that would
determine the reality of just what is secured by the VPN.  My point is
to illustrate that just because the VPN is running doesn't mean you
are 100% secured (reality is, you never will be), but most or nearly
all of the traffic you might be worried about _CAN BE_, and the rest
is part of joining a part of someone else's network.



The problem with asking questions is having more of them after getting
your answers. ;-)


Brian
