AIRPORT extreme and security regarding web sessions

Yes, it is very easy for a hacker to "listen in" on an unsecured wireless connection. At the very least, WEP encryption should be enabled, but for complete security, WPA encryption with a strong password is the way to go.

SeaN_Price,

No, you're not being paranoid: Wireless is inherently insecure.

Essentially, you're broadcasting your network traffic. Anybody with a properly tuned receiver within radio line of sight can listen in. So, yes, the data he's sending is extremely vulnerable to interception.

If the router isn't configured to reject traffic from outsiders, neighbors are probably already using his internet connection. Even if he allows only his own MAC address, it's only a matter of time before somebody can spoof it and get into the wireless network.

Encryption improves the situation by making it harder to interpret the traffic.
WEP is badly broken; don't use it. WPA is better - the password should be randomly generated - but it is not completely secure.

If the data being sent is really, truly sensitive, your brother should use a wired (ethernet) connection.

-Wayne

WPA is better - the password should be randomly generated - but it is not completely secure.

No network is completely secure. The only reported cracks of WPA-encrypted networks were brute-force attacks, wherein the hacker used an automated method of trying different passwords until one worked. That doesn't take too long with short passwords or passwords based on words in the dictionary. However, with a very strong password, it would take a hacker on the order of several decades to crack it -- possibly even centuries.

15" MacBook Pro, 2.0 GHz Mac OS X (10.4.7) 2 GB RAM, 100 GB 5400 RPM HD

Alan,

However, with a very strong password, it would take a hacker on the order of several decades to crack it -- possibly even centuries.

But then, again, wasn't that the conventional wisdom for 40/64-bit SSL, SHA, DES, and WEP?? It takes a while for exploits, especially those discovered and exploited by the professional criminal element, to be reported.

-Wayne

I guessed you missed Alan's comment:

The only reported cracks of WPA-encrypted networks were brute-force attacks, wherein the hacker used an automated method of trying different passwords until one worked.

That means that the cracker has to be lucky enough to stumble upon the password. The reason it is possible at all is that the speed of computers has made it possible to test thousands in very little time.

Duane,

No, I didn't miss Alan's comment, although you seem to have missed mine:

a) Set of reported/known cracks < Set of exploits/cracks in actual use.

b) "Conventional wisdom" time estimates for encryption system compromise > Real-world time to crack encryption schemes.

c) More secure != unbreakable.

I'm not so certain about your premise, and history gives me reason to question it.

NB: Wireless traffic can be passively recorded over long periods of time; more packets sent using the same key makes brute forcing it easier. Since it's much easier to collect packets from wireless undetected than it is to collect them from wired networks, and the aforementioned technique has been successfully used against encrypted wired networks for decades...

-Wayne

Points a) and b) are speculation and not provable. It is always easy to spread fear and uncertainty.

Duane,

Point a is not speculation: Are you seriously contending that professional criminals report cracks/vulnerabilities they discover immediately, if at all?
Do you really want to claim that holes have NOT been exploited before they were reported?

Point b was addressed in my first post to Alan.

And don't count out the power of modified <a href=http://www.linuxexposed.com/content/view/145/">brute</a> <a href=" http://www.cs.sjsu.edu/faculty/stamp/RUA/TMTO.pdf">force cracking, especially if you can force key collisions. Wasn't DES removed as a government encryption standard when the decades to brute force the key estimates were proven wrong by, well, decades, by EFF's project "Deep Crack?"

-Wayne

1. The LinkSys router's configuration should have a page for setting encryption. You can get at the configuration pages via a web browser pointed at the default gateway address defined on his computer (look at his computer's TCP/IP settings). Older routers don't support WPA encryption, so if your friend's router is one of those, the best you can do is WEP. However, use WPA if it's available and use a strong password, i.e. one with lots of random characters including upper- and lower-case letters, numbers, symbols, and even spaces.

2. About the only thing you can do if he won't/can't secure his connection is to go with a VPN service such as HotSpotVPN. Then, all of your network traffic will be encrypted before it even leaves your computer.

As for this debate over whether WPA is crackable, the whole gathering-enough-packets approach will only work if the key stays constant long enough to gather those packets. WPA rotates the keys on a periodic basis, so someone would have to be seeing an awful lot of traffic in a very short period to crack it that way. WEP used static keys, which made the approach easier (not to mention that the design of WEP was seriously flawed to begin with).

just to supplement Alan's comments...

if WPA2 is available (current airport supports it), rather than WPA, then this addresses some of the issues found with WPA, but even basic WPA is much better than WEP, which in turn is better than nothing at all

if you are connecting to sites that show https, rather than http, in the url, then your communication to the site is secured independently of any wireless/other encryption, both ebay and paypal provide access using https, there are ways of subverting this but imho it is unlikely that you would be exposed to these

To supplement um's comment about ways of subverting https connections, if you're really paranoid, you can click the padlock (or whatever icon your browser of choice uses to indicate a secure connection) before entering any personal information to get information about the security certificate being used. If it's valid and belongs to the site that you think you're connected to, your secure connection to that site is truly secure.