JetPack SSID and password

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Wed Apr 03, 2013 2:57 pm

Re: JetPack SSID and password

ajohnson wrote:Yep. If I'm at a coffee shop and need to hit the restroom, I pack everything up and bring my bag with me. Everyone else probably thinks I need a porn break, but that's better than leaving my system unattended, even for a few minutes.


Well, since I am not in China or a Hacker Convention, isn't that a bit "overkill"?

Also, in my case, don't you think OS-X Screen-Saver Lock is sufficient?  (I have that set to go off like after a minute or so, and I always do Ctrl+Shift+Eject before leaving my laptop.)


Tom
rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Apr 03, 2013 10:57 pm

Re: JetPack SSID and password

Tom, I think you're misunderstanding the point of the SSID and Password on the Jetpack.

A computer uses a user name and password to protect your data. Putting those in tells the COMPUTER that YOU as the user are authorized to use the computer (the user name) and the password authenticates that it really is you.

On a Jetpack: The SSID is the name of the network that you tell your computer to connect to for internet access. The Password on that tells the network that you are authorized and to authenticate you. You need the device to display the password or else you cannot tell it you are Authorized by presenting the authentication key.

The Jetpack is roughly the size of a really thick wallet. So not anyone should be able to walk up to it, and see the screen.

The way wifi works, it sends out a beacon like a lighthouse. This tells everyone in the area, "Hey, I'm here, connect to me, and if you can authenticate you must be authorized." You can HIDE that Beacon. So instead of it being a lighthouse, it's like a hidden door that you have to have the key for. If you look at your computer's wifi client, it'll present a list of access points. Those are other people's access points being lighthouses.

Does that make more sense?

----

The physical security side. Having done remotes at events, with computers, mixing boards, and all the other fancy stuff for OVER THE AIR FM RADIO Broadcasts. If you're going out as a one man operation, you're doing it wrong. In those cases your partner in the broadcast should be "trusted" enough to maintain the system so you don't have to pack up.

If you're broadcasting solo, get a partner.

And you don't have to be in China or at a hacker con to worry about someone jacking your stuff. Plenty of hits on Google for it. But if you've got money to burn...
https://encrypted.google.com/search?&q= ... fee%20shop

I also really like this story about iPhone Theft from NYC. http://www.today.com/tech/double-troubl ... -1C8146675

Work on shrinking your rig. You shouldn't have to set up more than a laptop and a headset. Everything else once on, unless using a mixer, should go back into the bag, next to your feet, or better yet between your feet.
OSWP, Sec+
rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Apr 03, 2013 11:04 pm

Re: JetPack SSID and password

H1t M0k3y was looking for help with iPhones recently because a lady got her computer stolen out of her office, and locked up her phone.

As for broadcasting rigs, look into the stuff the guys that did the Occupy Ustream channels did. Most had multiple batteries, video cameras, laptops, cellphones, mifi points etc, all set up to be worn in a backpack. They only had to expose what they needed, when they needed.
OSWP, Sec+
TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Thu Apr 04, 2013 11:20 am

Re: JetPack SSID and password

On a side note, I am loving this "Hacker Talk" because it's all so new to me.  (Haven't gotten a damn thing done during the last two days, but am enjoying these conversations!!)


chrisj wrote:Tom, I think you're misunderstanding the point of the SSID and Password on the Jetpack.

A computer uses a user name and password to protect your data. Putting those in tells the COMPUTER that YOU as the user are authorized to use the computer (the user name) and the password authenticates that it really is you.

On a Jetpack: The SSID is the name of the network that you tell your computer to connect to for internet access. The Password on that tells the network that you are authorized and to authenticate you. You need the device to display the password or else you cannot tell it you are Authorized by presenting the authentication key.


Hang on a second...

I understand that the SSID uniquely identifies my soon to be JetPack.  And that since the JetPack would be a "secure" hotspot, that it doesn't really matter if someone knows it exists.  (As opposed to a SSID for an unprotected wireless hotspot, say at home.)

However, if I may be so bold, I don't follow your comment on the Passcode...  :-\

My understanding - never having used any of this stuff before - but based on other conversations, and reading the Verizon manual from above - is that your Passcode is the "keys to the kingdom"!!

If you get my Passcode, then you have a way to access my JetPack.

I know from the Manual that there is a way to hide the SSID and Passcode on the JetPack itself, so if someone walked by and started playing with it, they couldn't change my settings or use the Passcode to log into my JetPack.


You said, "You need the device to display the password or else you can not tell it you are Authorized by presenting the authentication key."

But I'm not following that.  My understanding is that the way you log in to the Jet Pack is to open your browser, go to 192.168.1.1, select your SSID, and then type in your Passcode into the web form on the web page that came up when you accessed 192.168.1.1 from your browser.  (At no time are you needing to see the SSID or Passcode on the physical JetPack itself.  And at no time are you doing anything on the JetPack itself.  Everything is happening in your browser on your computer.  That is how I understand how things work.)

Also, from what others have said, IF someone did get your Passcode and jump onto your JetPack, they would be able to Side-Jack you?! (This should be easy to verify on a "hacking" website...)

And if they "Side-Jacked" you, then all kinds of bad things could happen!  (Things that I am trying to avoid by getting a secured connection to the Internet via my own JetPack.  Right?)


The Jetpack is roughly the size of a really thick wallet. So not anyone should be able to walk up to it, and see the screen.


But that would be my fear - if I don't take your advice - and go to the bathroom.

Hacker Harry sees me leave my table at McDonalds, taps the JetPack, memorizes the SSID and Passcode, goes back to his table and laptop, types those in, and BINGO, he is now on my JetPack waiting for me to return so he can "Side-Jack" me?!


The physical security side. Having done remotes at events, with computers, mixing boards, and all the other fancy stuff for OVER THE AIR FM RADIO Broadcasts. If you're going out as a one man operation, you're doing it wrong. In those cases your partner in the broadcast should be "trusted" enough to maintain the system so you don't have to pack up.

If you're broadcasting solo, get a partner.


You misunderstand what I'm doing.

When I am working away from home, which as an IT Contractor is almost always, I often find a McDonalds (or whatever), spend $1 on coffee, and then camp out for the day doing work and what-not.  (I often camp out for 6, 8, 12 hours so I'm gonna have to pee!!!)

On weekends, I often listen to radio shows (e.g. "House of Hair with Dee Snyder") and I record them and later edit them and save them as MP3s so I have a permanent copy.

It may sound funny, but this is one of my "religions", and there is no way I am shutting down my laptop and missing part of the show to pee!!  (Even worse, so I'm listening to Casey Kasem's AT40 countdown.  I'm not skipping #9 through #6 so I can pee or get more coffee.)

It's a silly thing to most, but I am a bigtime audiophile, and my music recording is important to me.


And you don't have to be in China or at a hacker con to worry about someone jacking your stuff. Plenty of hits on Google for it. But if you've got money to burn...
https://encrypted.google.com/search?&q= ... fee%20shop


Point made.

(BTW, what is "ENCRYPTED.google.com" ?)


Work on shrinking your rig. You shouldn't have to set up more than a laptop and a headset. Everything else once on, unless using a mixer, should go back into the bag, next to your feet, or better yet between your feet.


I know you are ultimately right on this, but sometimes life is a compromise...  (I guess you just found one of my "weaknesses"...)

Silly question, but is there some way to make it so when I close the lid on my MacBook it doesn't go to sleep and kill my app recording my radio show?

Is there also a way to not lose my Internet connection?

If I could close my laptop and not have it disrupt my recording app or Internet connection, THEN I wouldn't mind taking it for a walk to the bathroom, if you follow me?!


Tom
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Apr 05, 2013 8:27 am

Re: JetPack SSID and password

I don't have a Macbook, but I'd assume that, just like a Windows laptop, there should be a setting to tell it to do nothing when you shut the lid...  I can't believe they wouldn't have one...

If that, in and of itself, is enough to answer all your questions (besides changing the passwords - and the SSID if possible - to something other than the default, which I'd still strongly recommend), then by all means, find out how to do it, so you can take it with you, and that solves your issues.

As far as sidejacking, etc, that's a whole other discussion.  Apologies, that I don't have time to jump in on that one, this morning, but I'm sure others here might respond to it.

Good luck in your learning.  :)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Apr 05, 2013 8:30 am

Re: JetPack SSID and password

Oh, and one more note...

If you're at McDonalds or wherever, that they HAVE wireless, you really have no need to leave your JetPack on, anyway.  You won't be using your data /Verizon's services, while you're on restaurant wireless, so turn it off, while there, and that part ALSO becomes a moot point.

The only reason to have it on, there, is if you're trying to get others to connect through YOUR connection, which isn't really ethical.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Fri Apr 05, 2013 12:37 pm

Re: JetPack SSID and password

The only reason to have it on, there, is if you're trying to get others to connect through YOUR connection, which isn't really ethical.


I think it was Verizon that had the commercial, but could be wrong. There was a commercial not too long ago, that said you can't trust coffee house / restaurant / etc free wifi because anyone can connect to it and steal your data. You need a mifi device to add an extra level of security to what you do in public.

It was a pure FUD commercial, but gave another reason to use their paid service over the free service besides being unethical.
OSWP, Sec+
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Apr 05, 2013 1:01 pm

Re: JetPack SSID and password

If you just want to encrypt web traffic on public networks, and this ties into your other thread about VPNs, look at setting up an SSH SOCKS proxy. You can even configure your browser to send DNS requests through the proxy (at least with Firefox), so anyone sniffing traffic won't even see what websites you're requesting. I hit my VPS, but you could just as easily set it up at home. With keys-based authentication, it's easy and secure.
The day you stop learning is the day you start becoming obsolete.
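
Added example, not part of dynamik's post: `ssh -D` opens a SOCKS listener, and the reason proxy-side DNS hides the sites you request is visible in the SOCKS5 CONNECT request itself (RFC 1928). The Python below builds and parses that request; the function names and sample hosts are constructed for illustration.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request (RFC 1928, section 4).

    An IP literal means the client already resolved the name itself, so a
    DNS query went out on the local (untrusted) network. A hostname is
    sent as-is inside the tunnel and resolved by the proxy.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00])  # VER, CMD, RSV
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return header + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> dict:
    """Decode a CONNECT request and report which side did the DNS lookup."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = data[3], data[4:]
    if atyp == ATYP_DOMAIN:
        if not body or len(body) != 1 + body[0] + 2:
            raise ValueError("truncated domain request")
        host = body[1:1 + body[0]].decode("ascii")
        resolver = "proxy"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        size = 4 if atyp == ATYP_IPV4 else 16
        if len(body) != size + 2:
            raise ValueError("truncated address request")
        host = str(ipaddress.ip_address(body[:size]))
        resolver = "client"
    else:
        raise ValueError("unknown address type")
    (port,) = struct.unpack("!H", body[-2:])
    return {"host": host, "port": port, "resolved_by": resolver}


if __name__ == "__main__":
    # Constructed sample destinations (documentation name and address).
    for target in ("example.com", "192.0.2.10"):
        request = build_connect_request(target, 443)
        print(request.hex(), parse_connect_request(request))
```

In Firefox, the preference that makes the browser send the hostname form is `network.proxy.socks_remote_dns`.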
TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Fri Apr 05, 2013 4:47 pm

Re: JetPack SSID and password

hayabusa wrote:Oh, and one more note...

If you're at McDonalds or wherever, that they HAVE wireless, you really have no need to leave your JetPack on, anyway.  You won't be using your data /Verizon's services, while you're on restaurant wireless, so turn it off, while there, and that part ALSO becomes a moot point.

The only reason to have it on, there, is if you're trying to get others to connect through YOUR connection, which isn't really ethical.


Well, I guess I was thinking of this whole thing as "all or none".  That is, while I have heard a few people say, "If you have a Personal VPN, you can safely surf the Internet," I'm a little leery of that.

Rewind...

Over the last month, my plan was to break down and buy a JetPack from Verizon for "Security" and "Privacy".  But it turns out that while a JetPack would keep my communications "secure" and "private" from my MacBook to Verizon, it would not keep things "private" in a larger sense, because Verizon could be logging everything I do.

So I will be getting a JetPack maybe next week to address that issue.

In the mean time, in reading and talking with people, I learned that for "privacy" I should get a Personal VPN.  So I learned about that too, and I'm all for that as well.

Now back to your point...

Probably talking out of my rear, but while "in theory" a VPN would provide both "security" and "privacy" at McDonalds, I'm not so sure I trust that.

In my newbie mind, it seems like it would be MUCH safer to try and connect from my MacBook to my JetPack and then Verizon, AND THEN after I have a "secure" connection, THEN I could take advantage of something like WiTopia for "privacy".

I guess my worry of using just WiTopia at McDonalds, is that someone could sniff my connection and hand-shake, and hijack things before I had a safe tunnel into my WiTopia account?!

The point being that I was planning both my JetPack and WiTopia 100% of the time unless I am at home using my wired DSL line.

Follow me?


Tom
m0wgli

Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Fri Apr 05, 2013 5:14 pm

Re: JetPack SSID and password

hayabusa wrote:I don't have a Macbook, but I'd assume that, just like a Windows laptop, there should be a setting to tell it to do nothing when you shut the lid...  I can't believe they wouldn't have one...


I thought exactly the same, but apparently you can't without installing a third party app such as NoSleep for example. To run with the lid closed in what Apple refer to as Clamshell, you need a keyboard, mouse, or trackpad and an external display plugged in.

TomTees wrote:I guess my worry of using just WiTopia at McDonalds, is that someone could sniff my connection and hand-shake, and hijack things before I had a safe tunnel into my WiTopia account?!

The point being that I was planning both my JetPack and WiTopia 100% of the time unless I am at home using my wired DSL line.

Follow me?

Tom


I don't know WiTopia, but I'd be alarmed if the initial logon wasn't initiated over https.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Fri Apr 05, 2013 5:24 pm

Re: JetPack SSID and password

m0wgli wrote:
hayabusa wrote:I don't have a Macbook, but I'd assume that, just like a Windows laptop, there should be a setting to tell it to do nothing when you shut the lid...  I can't believe they wouldn't have one...


I thought exactly the same, but apparently you can't without installing a third party app such as NoSleep for example. To run with the lid closed in what Apple refer to as Clamshell, you need a keyboard, mouse, or trackpad and an external display plugged in.


I'll have to check all of that out.  Thanks for the leads!


m0wgli wrote:
TomTees wrote:I guess my worry of using just WiTopia at McDonalds, is that someone could sniff my connection and hand-shake, and hijack things before I had a safe tunnel into my WiTopia account?!

The point being that I was planning both my JetPack and WiTopia 100% of the time unless I am at home using my wired DSL line.

Follow me?

Tom


I don't know WiTopia, but I'd be alarmed if the initial logon wasn't initiated over https.


Again, a layperson here...

Would the connection and encryption and keys be more secure connection from my MacBook to my JetPack to Verizon, than from my MacBook using WiTopia to McDonalds horribly insecure Free Wifi?

(Is there even a way to "quantify" that analogy?!)   ???


See, this is why I get so paranoid about all of this...  It is stuff I can't see or probably understand other than a high-level explanation.  (Talk about "blind faith"!!!!)


BTW, I had always planned to use my JetPack anytime I was away from home, so to me that is no big deal.  And it sounds like what spawned that point was the "Closing your laptop, leaving it running and connected, and for God's sake, take it with you to pee!!" concern.  So I don't see always using my JetPack as a deal breaker.

But since it came up, I would be interested if any experts out there could break down the distinction between...

MacBook--->JetPack--->Verizon Network--->Internet

versus

MacBook/WiTopia--->McDonald's Free WiFi--->Internet


Tom
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Apr 05, 2013 6:25 pm

Re: JetPack SSID and password

Secure tunneling protocols are designed so an attacker can observe the handshake but not use that information to decrypt the encrypted data in transit.

It's possible to man-in-the-middle these connections, but the success depends on the user ignoring warnings and proceeding without caution. These attacks work when an attacker can intercept communications, not just observe them.

In such cases, there are actually two connections, one between you and the attacker, and one between the attacker and the intended destination. Both of these connections are valid and secure; it's just that the attacker controls these channels, so the data can be decrypted and collected, and then reencrypted and retransmitted to the intended recipient. There are tools that make this process fairly transparent and effortless.

However, most applications will warn you that something odd is going on. SSL/TLS will warn you that the certificate isn't valid (which is why it's important to use a valid certificate; otherwise you will become accustomed to ignoring this warning), SSH will tell you that the server's fingerprint has changed, and so on.
The day you stop learning is the day you start becoming obsolete.
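
Added example, not part of the thread: the "server's fingerprint has changed" warning described above comes down to comparing the key the server presents now against the one pinned on first contact. The Python below runs that comparison over a known_hosts-style line; the key blobs, host name and function names are constructed stand-ins, not real keys.

```python
import base64
import hashlib

# Constructed stand-ins for SSH public key blobs (not real keys).
ORIGINAL_KEY = b"constructed-host-key-blob-original"
INTERCEPTOR_KEY = b"constructed-host-key-blob-interceptor"

# Constructed known_hosts content in the plain "hosts keytype base64" form.
KNOWN_HOSTS = (
    "# constructed sample\n"
    "vps.example.net,192.0.2.10 ssh-ed25519 "
    + base64.b64encode(ORIGINAL_KEY).decode("ascii") + "\n"
)


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, '=' stripped."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def load_pins(known_hosts_text: str) -> dict:
    """Map (host, keytype) -> pinned fingerprint from plain known_hosts lines."""
    pins = {}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers, hashed host entries, short lines.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        hosts, keytype, b64 = fields[:3]
        for host in hosts.split(","):
            pins[(host, keytype)] = fingerprint(base64.b64decode(b64))
    return pins


def check_host_key(pins: dict, host: str, keytype: str, presented: bytes) -> str:
    """Classify the key a server presents during the handshake.

    'match'   - same key as pinned: proceed.
    'unknown' - never seen: verify the fingerprint out of band before trusting.
    'changed' - differs from the pin: either the server was re-keyed or
                someone sits in the middle; stop rather than click through.
    """
    pinned = pins.get((host, keytype))
    if pinned is None:
        return "unknown"
    return "match" if pinned == fingerprint(presented) else "changed"


if __name__ == "__main__":
    pins = load_pins(KNOWN_HOSTS)
    for label, blob in (("original", ORIGINAL_KEY), ("interceptor", INTERCEPTOR_KEY)):
        verdict = check_host_key(pins, "vps.example.net", "ssh-ed25519", blob)
        print(label, fingerprint(blob), verdict)
```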
TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Sat Apr 06, 2013 9:06 pm

Re: JetPack SSID and password

ajohnson wrote:Secure tunneling protocols are designed so an attacker can observe the handshake but not use that information to decrypt the encrypted data in transit.

It's possible to man-in-the-middle these connections, but the success depends on the user ignoring warnings and proceeding without caution. These attacks work when an attacker can intercept communications, not just observe them.

In such cases, there are actually two connections, one between you and the attacker, and one between the attacker and the intended destination. Both of these connections are valid and secure; it's just that the attacker controls these channels, so the data can be decrypted and collected, and then reencrypted and retransmitted to the intended recipient. There are tools that make this process fairly transparent and effortless.

However, most applications will warn you that something odd is going on. SSL/TLS will warn you that the certificate isn't valid (which is why it's important to use a valid certificate; otherwise you will become accustomed to ignoring this warning), SSH will tell you that the server's fingerprint has changed, and so on.


Okay, but back to my question above, which of these would be easier to "hack"...

MacBook--->JetPack--->Verizon Network--->Internet

versus

MacBook/WiTopia--->McDonald's Free WiFi--->Internet


And would one be more susceptible than the other to a certain type of attack (e.g. Man-In-The-Middle) that might compromise the security and privacy of the connection?


Tom
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Apr 07, 2013 10:33 am

Re: JetPack SSID and password

The two are essentially the same, with a key distinction:

Both are wireless, but at least, if you change the defaults on your Jetpack, there's less chance of someone getting your actual key.  And because it's your Jetpack, you have more control over encryption type being used, etc.

But at the end of the day, if you use a good VPN / secure tunnel, for any data you need secured, you'll save money by using McD's bandwidth (no cellular data), unless Verizon has suddenly come back with unlimited data plans.  I know they dropped them, here.  It sounds like you'd be using it a lot, so your data plan would be costly, if you use the Jetpack.  When I used a mobile hotspot solution, it was for 'random' occasions, not everyday, consistent usage.

That said, the VPN solution is one you'll want to look closely at, as well.  I've found quite a few holes in the web-based / ssl vpn solutions.
Last edited by hayabusa on Sun Apr 07, 2013 10:34 am, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Sun Apr 07, 2013 1:46 pm

Re: JetPack SSID and password

hayabusa wrote:The two are essentially the same, with a key distinction:

Both are wireless, but at least, if you change the defaults on your Jetpack, there's less chance of someone getting your actual key.  And because it's your Jetpack, you have more control over encryption type being used, etc.

But at the end of the day, if you use a good VPN / secure tunnel, for any data you need secured, you'll save money by using McD's bandwidth (no cellular data), unless Verizon has suddenly come back with unlimited data plans.  I know they dropped them, here.  It sounds like you'd be using it a lot, so your data plan would be costly, if you use the Jetpack.  When I used a mobile hotspot solution, it was for 'random' occasions, not everyday, consistent usage.


Actually, if you subtract when I listen to streaming audio (e.g. Radio, Sports, etc.) my Internet usage is minimal.  (Just e-mail and things like this forum.)


That said, the VPN solution is one you'll want to look closely at, as well.  I've found quite a few holes in the web-based / ssl vpn solutions.


Was with you until the last sentence...

I thought you were saying that communication over a VPN and Free Wifi was comparable to using the JetPack.  But in your last sentence you mention "quite a few holes in the web-based / ssl vpn solutions."  ???

For a VPN, I was going to buy WiTopia's service, since they seem pretty down-to-earth, and I just liked their website and what they had to say.  (Although for anyone doing illegal activities out there, I wouldn't trust them as far as log files and the authorities go...)  ;)


Tom