Posted: 5/7/2024 9:42:05 AM EDT
What's the cure for this: Novel attack against virtually all VPN apps neuters their entire purpose?

Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.

TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user's IP address. The researchers believe it affects all VPN applications when they're connected to a hostile network and that there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.
View Quote


Link Posted: 5/7/2024 9:43:56 AM EDT
[#1]
Privacy was always an illusion.
Link Posted: 5/7/2024 10:07:50 AM EDT
[#2]
Originally Posted By ServusVeritatis:
Privacy was always an illusion.
View Quote


This.

I always thought the big highly-advertised VPNs were compromised somehow, because if they were actually secure and private, the system would be acting to block/suppress them or at least try to link them to "violent right-wing extremists" in everyone's minds.
Link Posted: 5/7/2024 10:09:51 AM EDT
[#3]
Wonder why android and linux are not affected
Link Posted: 5/7/2024 10:13:24 AM EDT
[#4]
Originally Posted By wvfarrier:
Wonder why android and linux are not affected
View Quote

Different operating system?
Link Posted: 5/7/2024 10:16:57 AM EDT
[Last Edit: LVMIKE] [#5]
I'll spare you the details, but this mostly affects public networks like coffee shops wifi and similar. For this to work you need a foothold on the network the VPN user is coming from.

This isn't a vulnerability that is easily executed on a large scale.
Link Posted: 5/7/2024 10:17:18 AM EDT
[#6]
So that is saying that if you have a compromised server as part of your VPN infrastructure your VPN is probably compromised?
Link Posted: 5/7/2024 10:18:16 AM EDT
[#7]
Originally Posted By Bogdan:

Different operating system?
View Quote
Android is Linux.

there's likely more to this story.. like it was only tested on windows or a very specific build of windows.
Link Posted: 5/7/2024 10:21:54 AM EDT
[Last Edit: Paul] [#8]


Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.

All of which requires administrative abilities. The same administrative abilities that allow me to set your IP address, just not see it. The same admin abilities that let me see everything on your computer before or after VPNs.

If you have rogue admins setting up DHCP servers inside your house or business to make changes to the default gateway you're in trouble.

The rogue admins would have to shut down your normal DHCP servers lest they respond to a discovery/offer request before the fake ones.
Link Posted: 5/7/2024 10:22:35 AM EDT
[#9]
I also doubt this affects a mature corporate VPN solution that limits available interfaces and routes to only allow VPN traffic out.
Link Posted: 5/7/2024 10:22:42 AM EDT
[#10]
Originally Posted By wvfarrier:
Wonder why android and linux are not affected
View Quote

“Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121.”
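The option 121 that several posts in this thread point to carries classless static routes (RFC 3442) inside the DHCP lease. As an added example, not taken from the article or from any poster: a Python check that decodes an option 121 payload and lists the routes that steer non-local destinations to a LAN host. The function names, the flagging policy and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress


def parse_option_121(payload: bytes):
    """Decode a DHCP option 121 payload (RFC 3442 classless static routes).

    Each entry is: 1 byte prefix length, then only the significant octets
    of the destination (ceil(prefix/8) bytes), then a 4-byte router address.
    """
    routes = []
    pos = 0
    while pos < len(payload):
        prefix_len = payload[pos]
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len} at offset {pos}")
        dest_len = (prefix_len + 7) // 8
        end = pos + 1 + dest_len + 4
        if end > len(payload):
            raise ValueError(f"truncated route entry at offset {pos}")
        # Pad the compressed destination back out to four octets.
        dest = payload[pos + 1:pos + 1 + dest_len] + bytes(4 - dest_len)
        router = payload[pos + 1 + dest_len:end]
        network = ipaddress.IPv4Network((dest, prefix_len), strict=False)
        routes.append((network, ipaddress.IPv4Address(router)))
        pos = end
    return routes


def flag_nonlocal_routes(routes, leased_subnet: str):
    """Return (network, router) pairs worth reviewing before trusting a lease.

    Assumed policy (a heuristic for illustration): a default route (/0) is
    what an ordinary DHCP server offers and routes inside the leased subnet
    are local; every other pushed route is reported.
    """
    local = ipaddress.IPv4Network(leased_subnet)
    flagged = []
    for network, router in routes:
        if network.prefixlen == 0 or network.subnet_of(local):
            continue
        flagged.append((str(network), str(router)))
    return flagged


# Constructed sample payload (not captured traffic), three route entries:
SAMPLE_OPTION_121 = (
    bytes([0]) + bytes([192, 168, 1, 1])                        # 0.0.0.0/0 via 192.168.1.1
    + bytes([25, 192, 168, 1, 128]) + bytes([192, 168, 1, 1])   # 192.168.1.128/25 via 192.168.1.1
    + bytes([24, 198, 51, 100]) + bytes([192, 168, 1, 50])      # 198.51.100.0/24 via 192.168.1.50
)


def check_sample():
    """Run the check over the constructed sample on a 192.168.1.0/24 lease."""
    routes = parse_option_121(SAMPLE_OPTION_121)
    return flag_nonlocal_routes(routes, "192.168.1.0/24")


if __name__ == "__main__":
    for net, router in check_sample():
        print(f"review: option 121 route {net} via {router}")
```

A client that ignores option 121 never installs these routes at all, which is the behaviour the quoted sentence attributes to Android.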
Link Posted: 5/7/2024 10:24:36 AM EDT
[#11]
Originally Posted By Paul:


Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.

All of which requires administrative abilities. The same administrative abilities that allow me to set your IP address, just not see it. The same admin abilities that let me see everything on your computer before or after VPNs.

If you have rogue admins setting up DHCP servers inside your house or business to make changes to the default gateway you're in trouble.

View Quote
Yeah.. went and read the article.
unless there's a part to this that isn't published (and I'll research it further) the fix is to either A) set a trusted manual DHCP setting or B) update the VPN app to force all DHCP through the VPN tunnel.
Link Posted: 5/7/2024 10:24:58 AM EDT
[Last Edit: C3H5N3O9] [#12]
Originally Posted By LVMIKE:
I'll spare you the details, but this mostly affects public networks like coffee shops wifi and similar. For this to work you need a foothold on the network the VPN user is coming from.

This isn't a vulnerability that is easily executed on a large scale.
View Quote

This is my take as well.  You have to either be able to control the DHCP server for the network or be able to run a rogue DHCP server on the network. The solution is: “The most effective fixes are to run the VPN inside of a virtual machine whose network adapter isn’t in bridged mode or to connect the VPN to the Internet through the Wi-Fi network of a cellular device.”
Link Posted: 5/7/2024 10:25:20 AM EDT
[Last Edit: LVMIKE] [#13]
Originally Posted By Paul:



All of which requires administrative abilities.
View Quote



No, all it takes is being able to run a rogue DHCP server inside your network without detection. At the minimum that only requires control (and possibly not even admin level control) of a single device. It will take some luck to get the target machine to pull its config from your evil DHCP server but maybe there is some deauth-type attack you could repeat until it occurs.

It's not a nothing burger, but it's not a doomsday. If you manage your corporate VPN solution it's worth looking into.
Link Posted: 5/7/2024 10:25:21 AM EDT
[#14]
Originally Posted By LVMIKE:
I also doubt this affects a mature corporate VPN solution that limits available interfaces and routes to only allow VPN traffic out.
View Quote

/this

Traffic across the network isn't VPN'ed but rather hidden using overloaded NAT. I have hundreds of users behind each IP address.
Link Posted: 5/7/2024 10:25:51 AM EDT
[#15]
Originally Posted By Paul:


Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.

All of which requires administrative abilities. The same administrative abilities that allow me to set your IP address, just not see it. The same admin abilities that let me see everything on your computer before or after VPNs.

If you have rogue admins setting up DHCP servers inside your house or business to make changes to the default gateway you're in trouble.

The rogue admins would have to shut down your normal DHCP servers lest they respond to a discovery/offer request before the fake ones.
View Quote


Ars has been a clickbait site for a while with some of this shit.
Link Posted: 5/7/2024 10:26:35 AM EDT
[Last Edit: 4thbreak] [#16]
It's existed since 2002 and now here we are?
Link Posted: 5/7/2024 10:28:00 AM EDT
[Last Edit: C3H5N3O9] [#17]
Originally Posted By Network_Daddy:
So that is saying that if you have a compromised server as part of your VPN infrastructure your VPN is probably compromised?
View Quote

Essentially, yes.  However, people connect to VPNs from public wifi like airports and coffee shops, so possibly the bad actor could set up a rogue DHCP server there.
Link Posted: 5/7/2024 10:28:35 AM EDT
[#18]
Originally Posted By right_rudder:
Yeah.. went and read the article.
unless there's a part to this that isn't published (and I'll research it further) the fix is to either A) set a trusted manual DHCP setting or B) update the VPN app to force all DHCP through the VPN tunnel.
View Quote

Stop trusting the routing table to enforce your security policy.
Link Posted: 5/7/2024 10:29:40 AM EDT
[#19]
Originally Posted By wvfarrier:
Wonder why android and linux are not affected
View Quote

They don't have option 121 which allows for the forwarding of the VPN traffic.
Link Posted: 5/7/2024 10:30:50 AM EDT
[Last Edit: Paul] [#20]
Originally Posted By LVMIKE:
No, all it takes is being able to run a rogue DHCP server inside your network without detection. At the minimum that only requires control (and possibly not even admin level control) of a single device.
View Quote

Without admin rights please tell me how you're going to establish the trust relationship with the directory service?

We also don't let people plug things into our network. I'd get a pop-up from the ePO if it caught someone and I'd go down and take another laptop and give it to the director. Any civilian equipment connecting to the network becomes government property by policy. Not even one packet flies down a port without clearing port security.
Link Posted: 5/7/2024 10:32:22 AM EDT
[#21]
Originally Posted By 2ANut:


This.

I always thought the big highly-advertised VPNs were compromised somehow, because if they were actually secure and private, the system would be acting to block/suppress them or at least try to link them to "violent right-wing extremists" in everyone's minds.
View Quote



That's not what this is at all.

VPNs still offer a measure of privacy for most. Keep in mind VPNs are banned in countries like China, that should tell you something.
Link Posted: 5/7/2024 10:34:59 AM EDT
[#22]
Originally Posted By Paul:

Without admin rights please tell me how you're going to establish the trust relationship with the directory service?

We also don't let people plug things into our network. I'd get a pop-up from the ePO if it caught someone and I'd go down and take another laptop and give it to the director. Any civilian equipment connecting to the network becomes government property by policy. Not even one packet flies down a port without clearing port security.
View Quote

Pretend for a second that you’re a coffee shop owner that offers free public WiFi and has no idea what you’re doing.  What then?
Link Posted: 5/7/2024 10:36:52 AM EDT
[Last Edit: LVMIKE] [#23]
Originally Posted By Paul:

Without admin rights please tell me how you're going to establish the trust relationship with the directory service?

We also don't let people plug things into our network. I'd get a pop-up from the ePO if it caught someone and I'd go down and take another laptop and give it to the director. Any civilian equipment connecting to the network becomes government property by policy. Not even one packet flies down a port without clearing port security.
View Quote


I think you're taking the 'your network' too literally-- how would I know your network's config... I'm speaking generally. Not every network is a domain, running IDS/IDR, properly configured or any combination of those factors. Hence my preface, 'undetected rogue DHCP server'. The base minimum for this to work is what I posted.
Link Posted: 5/7/2024 10:37:03 AM EDT
[#24]
Originally Posted By right_rudder:
Android is Linux.

there's likely more to this story.. like it was only tested on windows or a very specific build of windows.
View Quote

It states in the article they don't use option 121 which is what introduces the vulnerability
Link Posted: 5/7/2024 10:39:32 AM EDT
[#25]
Yes, the risk is probably very low when you're connected to a well-managed corporate network.  But when your physical interface is connected to a wifi AP at the airport, hotel, coffee shop, etc., all bets are off.  Pineappling is a thing.  Best to use your cell phone hotspot in locations like those.
Link Posted: 5/7/2024 10:41:19 AM EDT
[#26]
After reading the article I'm sort of wondering was the intent to let me know a vulnerability exists or to make me think a VPN is useless and to not use them so all of my traffic is in the clear.  

Article seems more like the former.  OP reads like the latter whether it was intentional or not
Link Posted: 5/7/2024 10:42:44 AM EDT
[#27]
this is dumb
Link Posted: 5/7/2024 10:44:36 AM EDT
[#28]
Originally Posted By JTX23:

It states in the article they don't use option 121 which is what introduces the vulnerability
View Quote
Ah.. yes.. option 121
Link Posted: 5/7/2024 10:48:25 AM EDT
[#29]
Originally Posted By Paul:


Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.

All of which requires administrative abilities. The same administrative abilities that allow me to set your IP address, just not see it. The same admin abilities that let me see everything on your computer before or after VPNs.

If you have rogue admins setting up DHCP servers inside your house or business to make changes to the default gateway you're in trouble.

The rogue admins would have to shut down your normal DHCP servers lest they respond to a discovery/offer request before the fake ones.
View Quote

Yeah, article is factually correct, but assumes way too much.

It's clickbait essentially.

Link Posted: 5/7/2024 10:51:14 AM EDT
[#30]
Originally Posted By Paul:


Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.

All of which requires administrative abilities. The same administrative abilities that allow me to set your IP address, just not see it. The same admin abilities that let me see everything on your computer before or after VPNs.

If you have rogue admins setting up DHCP servers inside your house or business to make changes to the default gateway you're in trouble.

The rogue admins would have to shut down your normal DHCP servers lest they respond to a discovery/offer request before the fake ones.
View Quote



But what about my infestation of rogue admins in my Attic?
Link Posted: 5/7/2024 10:51:45 AM EDT
[#31]
Originally Posted By Paul:


Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.

All of which requires administrative abilities. The same administrative abilities that allow me to set your IP address, just not see it. The same admin abilities that let me see everything on your computer before or after VPNs.

If you have rogue admins setting up DHCP servers inside your house or business to make changes to the default gateway you're in trouble.

The rogue admins would have to shut down your normal DHCP servers lest they respond to a discovery/offer request before the fake ones.
View Quote

That does not necessarily require administrative access to anything but the rogue DHCP server.  If an attacker can get theirs on the network and can respond to clients faster than the legitimate DHCP server, it stands a good chance of intercepting.
Link Posted: 5/7/2024 10:52:13 AM EDT
[#32]
Originally Posted By wvfarrier:
Wonder why android and linux are not affected
View Quote


Because people don't use them.
Link Posted: 5/7/2024 11:02:07 AM EDT
[#33]
Ok, I had to do some digging but I found out what they're going on about.

This is not a new development, it's seemingly been known since the end of 2002.
This is more of a DHCP issue than a client issue and being that I've never heard of it till now begs the question, has it ever been used in a malicious way?
Not likely.
Link Posted: 5/7/2024 11:13:14 AM EDT
[#34]
Originally Posted By LVMIKE:
I'll spare you the details, but this mostly affects public networks like coffee shops wifi and similar. For this to work you need a foothold on the network the VPN user is coming from.

This isn't a vulnerability that is easily executed on a large scale.
View Quote


This, and DHCP snooping would be a further mitigation for public networks.
Link Posted: 5/7/2024 11:15:19 AM EDT
[#35]
Originally Posted By right_rudder:
Ok, I had to do some digging but I found out what they're going on about.

This is not a new development, it's seemingly been known since the end of 2002.
This is more of a DHCP issue than a client issue and being that I've never heard of it till now begs the question, has it ever been used in a malicious way?
Not likely.
View Quote


And that.
Link Posted: 5/7/2024 11:25:43 AM EDT
[#36]
Originally Posted By dmnoid77:


This, and DHCP snooping would be a further mitigation for public networks.
View Quote


I've brought my own connection for so long I honestly don't know what public wifi from large companies like for example Starbucks even looks like nowadays. I've assumed the bigger companies took some level of responsibility for their public networks and bought (and properly configured) devices from companies like Ubiquiti with these basic features in them... While a majority of small businesses are running some SOHO device with varying levels of competency in configuration...

Is that the case?
Link Posted: 5/7/2024 12:11:03 PM EDT
[#37]
Originally Posted By LVMIKE:


I've brought my own connection for so long I honestly don't know what public wifi from large companies like for example Starbucks even looks like nowadays. I've assumed the bigger companies took some level of responsibility for their public networks and bought (and properly configured) devices from companies like Ubiquiti with these basic features in them... While a majority of small businesses are running some SOHO device with varying levels of competency in configuration...

Is that the case?
View Quote


Most of your chains would have in-house or contracted IT support and I would expect some degree of basic security configurations to be in place.  Your local mom and pops might be using something off the rack at Best Buy configured by a relative that "knows computers".  Obviously, it is impossible to know for sure without doing a security audit, which nobody is going to let you do.  Your best indicator is probably the presence of a landing page and required consent to acceptable use prior to being connected to the internet on a public wifi.
Link Posted: 5/7/2024 12:13:28 PM EDT
[#38]
Originally Posted By LVMIKE:



No, all it takes is being able to run a rogue DHCP server inside your network without detection. At the minimum that only requires control (and possibly not even admin level control) of a single device. It will take some luck to get the target machine to pull its config from your evil DHCP server but maybe there is some deauth-type attack you could repeat until it occurs.

It's not a nothing burger, but it's not a doomsday. If you manage your corporate VPN solution it's worth looking into.
View Quote

You don't need to de-auth. You just exhaust the real DHCP's pool with fake leases.
Link Posted: 5/7/2024 12:14:55 PM EDT
[#39]
Originally Posted By Imzadi:

You don't need to de-auth. You just exhaust the real DHCP's pool with fake leases.
View Quote


We're not talking about a DOS attack.
Link Posted: 5/7/2024 12:16:09 PM EDT
[#40]
Disable DHCP and run everything static.
Link Posted: 5/7/2024 12:16:44 PM EDT
[#41]
What's next, omg there's a hosts file that if edited *could*....
Link Posted: 5/7/2024 12:19:03 PM EDT
[#42]
Originally Posted By dmnoid77:


We're not talking about a DOS attack.
View Quote

I know. But the real DHCP server will stop issuing DHCP Offers when its pool is expired. At that point your rogue DHCP server will be the only one on the network issuing leases.
Link Posted: 5/7/2024 12:19:28 PM EDT
[#43]
Originally Posted By dmnoid77:


We're not talking about a DOS attack.
View Quote


I think what he's saying is your rogue DHCP server would keep spoofing DHCP lease requests to exhaust the pool, then use those responses as its own pool. When the real server runs out of leases I'm guessing there is a mechanism in the DHCP protocol that would allow the evil-DHCP to fulfill the requests.
Link Posted: 5/7/2024 12:19:37 PM EDT
[#44]
Originally Posted By CZ75_9MM:
Disable DHCP and run everything static.
View Quote

So your starbucks barista is going to have to manage an IPAM system and explain static IP addresses to grandma?
Link Posted: 5/7/2024 12:23:42 PM EDT
[#45]
Originally Posted By Imzadi:

So your starbucks barista is going to have to manage an IPAM system and explain static IP addresses to grandma?
View Quote
Yes. Internet would be a better place if it were more difficult to connect to.
Link Posted: 5/7/2024 12:34:07 PM EDT
[#46]
Originally Posted By dmnoid77:


Most of your chains would have in-house or contracted IT support and I would expect some degree of basic security configurations to be in place.  Your local mom and pops might be using something off the rack at Best Buy configured by a relative that "knows computers".  Obviously, it is impossible to know for sure without doing a security audit, which nobody is going to let you do.  Your best indicator is probably the presence of a landing page and required consent to acceptable use prior to being connected to the internet on a public wifi.
View Quote


I did work for a while NOC for a managed service provider company and we did networking for major chains like Michaels, IHOP, Sally Beauty, Dollar General, etc.  We even did a lot of smaller customers with a handful of sites.  Security was taken pretty seriously at all.
Link Posted: 5/7/2024 1:18:45 PM EDT
[Last Edit: jeremy223] [#47]
Originally Posted By CZ75_9MM:
Yes. Internet would be a better place if it were more difficult to connect to.
View Quote
Let's do away with DNS and switch back to exchanging HOSTS files too

DHCP Snooping would stop this attack in its tracks, along with other long standard controls.
Link Posted: 5/7/2024 1:18:51 PM EDT
[Last Edit: LVMIKE] [#48]
Originally Posted By Imzadi:

So your starbucks barista is going to have to manage an IPAM system and explain static IP addresses to grandma?
View Quote


Please take a pin with your coffee sir



Originally Posted By Network_Daddy:


I did work for a while NOC for a managed service provider company and we did networking for major chains like Michaels, IHOP, Sally Beauty, Dollar General, etc.  We even did a lot of smaller customers with a handful of sites.  Security was taken pretty seriously at all.


That's good to hear.
Link Posted: 5/7/2024 1:21:24 PM EDT
[Last Edit: JVD] [#49]
Originally Posted By LVMIKE:


Please take a pin with your coffee sir
https://i.ibb.co/Xkm04LK/DHCPserver.jpg
View Quote


Link Posted: 5/7/2024 2:58:47 PM EDT
[#50]
Originally Posted By Scion:
Yes, the risk is probably very low when you're connected to a well-managed corporate network.  But when your physical interface is connected to a wifi AP at the airport, hotel, coffee shop, etc., all bets are off.  Pineappling is a thing.  Best to use your cell phone hotspot in locations like those.
View Quote

This is what I do. I have a Jetpack that I use if I'm in a public place. I never use 'free' wifi services. And if I'm out of my house, I turn off my smartphone's wifi ability (and Bluetooth).