[LINK] FaceNiff

Karl Auer kauer at biplane.com.au
Sat Jun 4 19:47:32 AEST 2011


On Sat, 2011-06-04 at 06:32 +0000, stephen at melbpc.org.au wrote:
> <http://faceniff.ponury.net>
> 
> FaceNiff is an Android app that allows you to sniff and intercept web 
> session profiles over the WiFi that your mobile is connected to.

... if you are not using EAP, and if you are not using end-to-end
encryption.

End-to-end encryption in this specific case means "encryption between
two points outside the wifi network", so would also include host-to-host
IPSec, even if the applications were not encrypting their traffic.
Definitely includes SSL, ssh and so on, and doing things like sending
and receiving your emails via secure SMTP and secure POP.

Without wanting to be dismissive (it is good for us to be reminded from
time to time that the world is not as safe as we may have come to
believe), it is not news that wifi networks are insecure.

If you send any credentials in clear text over any network, you risk
those credentials being misappropriated and abused. The risk is
increased if you send those credentials over the Internet, increased
again if you do it over a wireless network, and increased again if you
do it over a public wireless network.

Not only that, but the risk is rarely quantifiable, so one can make no
rational assessment of the risk. Most people don't. They just
optimistically tell themselves - if they consider the matter at all -
that "just this once won't hurt" or "no one will be interested in little
old me", or "how will they find me in all this traffic".

They forget that computers can scan all that traffic and pull out the
interesting stuff, that computers do not need to sleep, and that just
once is all it takes to empty their bank account or vandalise their
Facebook page.

So use ssh, use SSL, use banks that offer good security mechanisms, use
secure SMTP and secure POP and don't, not even once, use credentials over
unsecured connections.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
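An added example, not from Karl's post or the FaceNiff project, of the defender-side check his advice implies: a session cookie can only be replayed by a sniffer on shared WiFi if it ever travels in the clear, so this Python audit flags cookies set over plain HTTP, cookies without the Secure flag, and HTTPS sites without HSTS. The response headers are constructed for the example.

```python
"""Audit whether a site's session cookies could be read by a passive
sniffer on a shared WiFi (the FaceNiff scenario). A cookie is exposed when
the response that set it was plain HTTP, or when it lacks the Secure
attribute so the browser will happily resend it over plain HTTP later.
Sample headers below are constructed for this example."""
from http.cookies import SimpleCookie

# Constructed responses: one hardened, one as a cleartext site would send.
GOOD_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly
Content-Type: text/html"""

BAD_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/
Content-Type: text/html"""


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP response header block into (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_session_cookies(scheme: str, raw_headers: str) -> list[str]:
    """Return human-readable findings; an empty list means no exposure."""
    findings = []
    headers = parse_headers(raw_headers)
    has_hsts = any(name == "strict-transport-security" for name, _ in headers)
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses cookie value and attributes such as Secure
        for cookie_name, morsel in jar.items():
            if scheme != "https":
                findings.append(f"{cookie_name}: set over plain HTTP, readable on the path")
            if not morsel["secure"]:
                findings.append(f"{cookie_name}: no Secure flag, will be resent over plain HTTP")
            if not morsel["httponly"]:
                findings.append(f"{cookie_name}: no HttpOnly flag")
    if scheme == "https" and not has_hsts:
        findings.append("no Strict-Transport-Security header; first visit may go out in the clear")
    return findings


if __name__ == "__main__":
    for label, scheme, raw in (("good", "https", GOOD_RESPONSE), ("bad", "http", BAD_RESPONSE)):
        print(label, audit_session_cookies(scheme, raw) or ["no exposure found"])
```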