So I'm Using Someone Else's Connection...

[Dan02]

Quote:

Originally Posted by Madman

If you use Firefox, you can download an Add-on called KeyScrambler.

"When you type on your keyboard, the keys travel along a path within the operating system before it arrives at your browser. Keyloggers plant themselves along this path and observe and record your keystrokes. The collected information is then sent to the criminals who will use it to steal from you.

KeyScrambler defeats keyloggers by encrypting your keystrokes at the keyboard driver level, deep within the operating system. When the encrypted keystrokes reach your browser, KeyScrambler then decrypts them so you see exactly the keys you've typed. Keyloggers can only record the encrypted keys, which are completely indecipherable."

https://addons.mozilla.org/en-US/firefox/addon/3383

ummm there are keyloggers which log everything you hit, whether it's in your browser or a random keystroke that your dog hits when theres nothing open on your desktop.

[photon]

Quote:

Originally Posted by mykalberta

If the owner of the connection was deviant he/she could have that setup and after time break the bank encryption.

How much time? Would they be able to do it before the heat death of the universe? Or before our sun explodes?

[cSpooge]

Quote:

Originally Posted by photon

How much time? Would they be able to do it before the heat death of the universe? Or before our sun explodes?

more like 10 times the life of the universe using ALL computing power in the world today .. Unless you have a 64-bit quantum computer that the world doesn't know about.

[Burninator]

So is there a site on "how to secure your internets and stop teh haxzors, for noobs?"

[Regorium]

How easy are keyloggers to plant into a system?

I was surfing WoW sites and accidentally clicked on what was obviously a keylogging site. I immediately closed, deleted all my cookies and ran an ad-aware and Norton scan, which came up clean.

Is my system now compromised?

[4X4]

Quote:

Originally Posted by mykalberta

The only thing to be worried about is traffic sniffers. Encryption is only as good as the trust between client and host.

If the owner of the connection was deviant he/she could have that setup and after time break the bank encryption.

You either have an idiot user with an open WIFI or deviant user who thinks they are an elite computer user hoping some sap will use his/her connection so that they can sniff the traffic.

Try logging on to the router (DISCLAIMER simply using the Internet connection isnt illegal, this crosses that line from safe to a merky area of law) 192.168.1.1 by default (you can tell normally based on your DHCP Class C Range).1 Check to see if there are any ports forwarded and if so to what address.

My router allows me to bidirectionally forward traffic from any user to specific ports. I then have sniffers setup on those ports. I cant be bothered any more to dabble in that sort of thing now that I have a secure VPN router to my home.

Ironically, you lost me at the word 'idiot'. But I'm sure someone else got something out of your post. Thanks anyway.

[Madman]

Anyone heard of ThreatFire?

http://www.threatfire.com/

Just found it in that list of 157 free programs from the other thread.

It works in conjunction with a traditional anti-virus and looks for virus behaviours in your PC, not actual viruses. It states on their website that it's good for finding keyloggers.

[Shazam]

Using an unsecured wireless network will make you susceptible to "man in the middle" attacks.

Let us describe a scenario:

- You connect to a wireless network.
- They specify their own DNS servers.
- Their DNS servers have different addresses for all the major bank sites.
- You decide to do some banking. Instead of going to your actual bank site, you end up at an alternate site that looks just like your bank's. This web site could even be internal to the network you're on.
- You enter your bank # and password. They now have your banking information.

Another universal problem with wireless networks is that there's nothing stopping someone from making a network with the same network ID as someone else's. This is a big problem because you can then potentially connect to the unscrupulous network. This is especially a problem at public hotspots.

If you do decide to use someone else's network, I highly suggest you use OpenDNS's DNS servers to protect yourself from DNS phishing. And never use public hotspots. If you do need to use them, also use a VPN. If you don't know what a VPN is, don't use public hotspots.

[gottabekd]

Quote:

Originally Posted by Shazam

Using an unsecured wireless network will make you susceptible to "man in the middle" attacks.

Let us describe a scenario:

- You connect to a wireless network.
- They specify their own DNS servers.
- Their DNS servers have different addresses for all the major bank sites.
- You decide to do some banking. Instead of going to your actual bank site, you end up at an alternate site that looks just like your bank's. This web site could even be internal to the network you're on.
- You enter your bank # and password. They now have your banking information.

For completeness, in this situation your web browser will pop up a warning dialog "The security certificate is for a different server...blah blah...steal your data..blah blah. Do you want to continue?" It is exactly this situation the warning dialogs are for, so it is a good idea to pay attention to them...If you ignore the warning, yes, they've stolen your bank logon.

[Shazam]

Quote:

Originally Posted by gottabekd

For completeness, in this situation your web browser will pop up a warning dialog "The security certificate is for a different server...blah blah...steal your data..blah blah. Do you want to continue?" It is exactly this situation the warning dialogs are for, so it is a good idea to pay attention to them...If you ignore the warning, yes, they've stolen your bank logon.

This is presuming you go right to your bank's login screen. As it happens many people just bookmark their bank's main web page, which is not usually SSL encrypted, and go to the login screen from there. For some banks, it's a huge PITA to bookmark the login screen (PC Financial being one).

[mykalberta]

Quote:

Originally Posted by photon

How much time? Would they be able to do it before the heat death of the universe? Or before our sun explodes?

Depends.

If someone really wanted to they would setup a temp account at the bank and log on and compare the packets to the ones captured then it probably wouldnt take that much time - a month or 2 maybe.

Its likely that the headers and packet ends for the username and password are the same for both accounts, thats all you need and then break it from there. You dont need the rest of the information. Also the username can likely be broke by social engineering the user so that just leaves the password.

Its by no means easy, but by no means will take as long as you suggest. Most users, even IT persons use passwords of 10 digits or under can be broke by a dedicated host box if you have a confirmed sample of the data in under 800 hours. This is also assuming that none the leg work has been done and published by anyone else.

[mykalberta]

Quote:

Originally Posted by 4X4

Ironically, you lost me at the word 'idiot'. But I'm sure someone else got something out of your post. Thanks anyway.

Idiot was the wrong word there, basic would have been better.

[photon]

Quote:

Originally Posted by mykalberta

Depends.

If someone really wanted to they would setup a temp account at the bank and log on and compare the packets to the ones captured then it probably wouldnt take that much time - a month or 2 maybe.

Its likely that the headers and packet ends for the username and password are the same for both accounts, thats all you need and then break it from there. You dont need the rest of the information.

How would that work if the packets are encrypted? It's not like every time you log into the bank site the encrypted packets that go back and forth with your ID and password in them look the same unencrypted. You still have to crack the encryption which would take forever.

Quote:

Also the username can likely be broke by social engineering the user so that just leaves the password.

It's probably easier to get the password through social engineering as well.

Quote:

Its by no means easy, but by no means will take as long as you suggest. Most users, even IT persons use passwords of 10 digits or under can be broke by a dedicated host box if you have a confirmed sample of the data in under 800 hours. This is also assuming that none the leg work has been done and published by anyone else.

Sure if you're cracking a password, but in this case you aren't cracking a password, you're cracking the encryption around the password.

It's not like cracking a Windows password where you have all the info you need to crack it.

Or maybe I'm just not understanding how you're trying to do it, maybe a detailed example, or a proof of concept where someone's done it?

[Dan02]

Quote:

Originally Posted by mykalberta

Depends.

If someone really wanted to they would setup a temp account at the bank and log on and compare the packets to the ones captured then it probably wouldnt take that much time - a month or 2 maybe.

heard of encryption much? I think 128 bit is the standard for secure communications now.

Quote:

How about 1 and 1^38 (1 followed by 38 zeros). That is (roughly) the key space using a 128-bit key. For comparison purposes, let’s use a (so far) non-existent computer that can guess 1 trillion (1 followed by 12 zeroes) keys a second. On average, it would take around 2 million million million (2 followed by 18 zeroes) years to guess the key.

Assuming there isn't a flaw in the algorithm it would take longer then the age of the universe to guess the key.

[llama64]

Quote:

Originally Posted by Regorium

How easy are keyloggers to plant into a system?

I was surfing WoW sites and accidentally clicked on what was obviously a keylogging site. I immediately closed, deleted all my cookies and ran an ad-aware and Norton scan, which came up clean.

Is my system now compromised?

Depends. Did you view it with Internet Explorer 6? I think most modern browsers are reasonably safe from this, but IE6 may not be.

Most of those key-logger sites operate by displaying an image, usually a JPEG. There were a number of remote execution vulnerabilities inherent to Windows and Firefox that these images target. If you're all patched up, the code shouldn't be able to execute.

To be safe, look at all the processes running in the background of your computer. Research any that seem suspicious.

And if I'm being naive of these types of attacks, please let me know. I did the same thing as Regorium and got concerned for a while. These vulnerabilities exist on the Apple side of the world as well.

[cSpooge]

Quote:

Originally Posted by mykalberta

Depends.

If someone really wanted to they would setup a temp account at the bank and log on and compare the packets to the ones captured then it probably wouldnt take that much time - a month or 2 maybe.

Its likely that the headers and packet ends for the username and password are the same for both accounts, thats all you need and then break it from there. You dont need the rest of the information. Also the username can likely be broke by social engineering the user so that just leaves the password.

Its by no means easy, but by no means will take as long as you suggest. Most users, even IT persons use passwords of 10 digits or under can be broke by a dedicated host box if you have a confirmed sample of the data in under 800 hours. This is also assuming that none the leg work has been done and published by anyone else.

all the packets are encrypted with a decent encryption (192-bit TDES at min, 256 AES at max) so if you can break that in a month or 2 please tell me how because you have just broken some of the most sophisticated encryption schemes in the world.

As for passwords yes it is fairly easy to beak them for most people. For account numbers most of the time is it just your account number/card number.