WiFi Security / Privacy
 

I often use the work WiFi for internet stuff where security is not an issue; reading the news, perusing the wisdom of PARF, that sort of thing.
Foe secure stuff, banking, etc, I use my own device connected via 3G.
My questions: (while realising that nothing is absolutely "unhackable")....

If the WiFi is hacked, should the banking encryption be sufficent to stop my meagre funds going to Nigeria?

Could work IT get passwords etc entered over WiFi? (I assume work IT can see what websites I'm visting)

Thanks in advance.

Anything encrypted can be decrypted it's generally safe enough to not lose sleep over..

The amount of traffic that an employer typically logs makes it unrealistic that you have anything to worry about.

Several things you can do to help keep the wireless a little more secure are: Use encryption and change key frequently, make sure administrator account has been changed w/ password that is frequently changed, limit the number of "boxes" that can be connected at any one time and last of all set connections so they are by MAC address only so strangers cannot get in. Remember that HTTPS only is secure between the client and server. At the server and into the database hopefully the bank system is using something like Oracle's database level encryption?

Keep in mind: your company may allow you to surf the interwebs while you are at work, but you are using company property to surf. IE: They own the computer, but allow you to use it for personal surfing.

Do they track everything? They certainly can. It is their firewall that you are sending packets through out to the world wide web.

Will they sniff your id's and passwords? Unlikely, as that would land your company into a world of trouble.

It boils down to this: how much do your trust your company's data protection capability? Are the systems down because you are constantly getting hacked? Is the network stable, no problems, and no issues with hackers? Become friends with your IT staff (we don't bite - really!), and they may be able to provide the answers to these questions...

-Z

Zoltan, I get the impression he's using a personal device to go through the company WiFi, not his work pc. Still, they can track and see what you do while going through their network, or at least, you should assume they can. How secure things are and what they can our might do with the data can vary a lot depending upon the company.

Sounds like he's using a MIFI or similar cellular personal hotspot.

He says it's 3G.

To clarify:
I use my iPhone on WiFi to read the newspaper at 02:00 if it's quiet, that sort of thing.
But I've always disabled WiFi and used a cellular connection for banking, paying bills etc.
Just wondering it that was sensible, or paranoid.

As others have noted it really comes down to your employer and their policies.

In general, it's sensible.

Any decent site should only put your credentials over an already-encrypted HTTPS connection. That said, I've seen more than one website that didn't actually start HTTPS until you provided the login/pass "in the clear". But barring bonehead moves like that on the part of the destination website, your work IT shouldn't be able to get anything beyond the websites you're going to. Unless they crack the remote website and use that to snoop your connection.

If you were really concerned, use VPN; which protects you from snooping on the local network, at least until you pop out somewhere else, anonymously and a lot, lot busier than your office or coffee shop - although at some point Echelon will see you. Even though that doesn't exist.

As far as "encrypted" traffic is concerned; who knows what vulnerabilities in SSL/TLS and/or 3G exist today and aren't publicized by the folks happily reading your traffic? Read this The NSA's Heartbleed problem is the problem with the NSA | Julian Sanchez | Technology | The Guardian

If you're concerned about three letter agencies, you're pretty much screwed - the NSA, for example, even if they can't read it today, can hoover up all your traffic and store it, encrypted, until they can. Given enough power, anything can be cracked. And they probably have more than everyone else put together..

The biggest concern for most folks should probably be the hosting site.

Because these don't handle/store credentials/information they shouldn't, are all run by competent IS professionals, only run correctly configured & secured systems/software with all applicable patches and respond appropriately in a timely fashion always. Just ask Linked In/TJX/Facebook/Adobe/Target/Pinterest/Home Depot/JP Morgan Chase/Ebay/Sony et al...

If you're not using your personal device, and using a company-supplied computer, I know at least one large US company that routinely, in the standard build (without which you can't get on their network) installs a keylogger. Which records every single keystroke you ever type - and this is legal in that jurisdiction. Because it's "their" computer.

I'm not familiar with the local data protection/privacy/ownership of information laws in Oz. You should maybe look into those :)