Slashdot Mirror
The Problems of Web Surfing in Public Places
Krishna Dagli writes to mention a New York Times article about the dangers of public web surfing. The article looks at the sloppy habits people have when using public terminals, and the issues that using a wireless signal in a public place. From the article: "Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels. 'The problem is, the really good people have written sniffer programs so that the less-sophisticated people have access to the same technology,' Mr. Sellitto said. 'Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer.'"
Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer
Yeah, but while in a public place, someone looking over your shoulder might be a more realistic worry.
If you broadcast your unencrypted data, someone can read it.
How many websites you use have a "log me in automatically" checkbox, ticked by default?
Bet it's most.
How many average users do you suppose won't bother/remember to uncheck it?
Just one of several glaring errors: One guy says not to shop online, but reading email is probably ok. WTHeck??? Online shopping is almost universally via ssl these days, which IS safe (as long as you trust your merchant). Reading email is still mostly via unencrypted channels.
Who wrote this crap?
Why not set up a minimal Linux installation (say a 2-4 GB partition) for wireless browsing while traveling?. Do not keep any sensitive data on that partition and DO NOT MAKE other partitions mountable.
Sure, nothing is 100% safe, some hacker can get root access, but casual hackers would not find anything intreresting and give up.
Yes, indeed, run along now, I'm busy snarfing your transmisson...
CmdrTaco's search results for 'BEAT BEDWETTING THROUGH SELF HYPNOSIS' found 0 matches, try again?
A feeling of having made the same mistake before: Deja Foobar
It used to be a hobby of mine. tcpdump and ethereal. Chat, email, documents, http requests, password snarfing. Then I discovered that most folks had nothing of any interest to say. One step above listening to teenage girls talk on their cell phones.
First entomology, then virology, and finally bioinformatics systems. Bugs follow me wherever I go.
I'm very wary of typing stuff in public terminals nowadays, because even if I have a USB drive with a virtual OS on it (or at least a copy of Opera), I'm still paranoid that it might have a hardware keylogger attached (although I'm not really worth anything). You can't really protect against that.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
I used to work at an Apple store across the street from a high school. I would estimate that 75% of the packets coming into that store came from myspace.com. Of course, these kids would never log out, which meant you could walk up to just about any computer, launch safari, go to myspace and start editing the profile of whomever last used the computer. Favorite edits included
- Changing interests to include homosexuality, drugs, etc.
- Changing background images
- Changing profile photos
- Joining a group of people who check their myspace at the apple store. (I'm in that group too)
I couldn't bring myself to break off any friendships, that's a bit too mean.The article looks at...the issues that using a wireless signal in a public place.
Next we're going to look at the issues that posting without editing.
https://www.eff.org/https-everywhere
How many websites you use have a "log me in automatically" checkbox, ticked by default?
What gets me is sitting down to a mocha double soy and finding all these post it notes under the table with elegantly written little bits like 'bad1983girl', 'iluvpuppies' and 'password'...
A feeling of having made the same mistake before: Deja Foobar
That's all the more reason to listen to The End-to-End Argument [PDF]. (Wiki link if you don't want a PDF.)
Never trust the network!
Although, I suppose VPNs technically don't adhere to the end-to-end argument, exactly..
I'm soon moving to an apartment that offers free Wi-Fi internet connectivity. Though it's an encrypted connection, I don't necessarily want anyone in the apartment complex to be able to look at the contents of every un-secured website I go to. Can someone recommend a VPN provider that:
1. Will provide a static IP address so I can run services like SMTP and HTTP
2. Will easily work with some version of firmware on my wireless router, a WRT-54G. This way I can provide
seemless access to the rest of the machines on my network without running VPN software on them.
AccountKiller
I am wondering, is there a way to protect me when I am not using a laptop but a pc in an internet cafee?
Assuming I cannot trust the browser on that pc to correctly encrypt my traffic even on https sites, I cannot install any vpn software, and I cannot be sure that there are no keyboard loggers.
So, somthing like a java applet (stored on a secure webserver), that I can load, and that opens a browser-in-a-browser, encrypting all traffic, with an added on-screen-keyboard to defeat keyboard loggers?
It would not be absolutely safe, since a good sniffer could also monitor the screen and the mouse movements, but it would be better than nothing.
http://blogs.ittoolbox.com/security/investigator/a rchives/look-at-all-of-these-passwords-11240
this is a good one, anyone buy any amazon books lately? take a look here.
"The article looks at the sloppy habits people have when using public terminals"
When I first read that, I thought it was going to talk about people picking their nose/teeth/ears while using the terminals. I wonder what those dangers are? "What's that green thing on the key there? EWWWWWWWWWWWWWWwwwww..."
"the issues that using a wireless signal in a public place"
/. mistake... join big time crew. I must find a better way to spend my time.
Like pressing enter before reading the comment. Hej... I spot a
What will the trolls complain about now!
on my blog. Basically, I think people's habits are valid assumptions of relatively adequate privacy while using wired networks... but that gets thrown off the hook when using wireless networks. I make the assumption that a protocol change would give back that relative privacy.
http://www.micheldonais.com/archives/44
I guess I wasn't the only one that got interested in that. That's not counting books on the topic, or anything.
On a related note, check out this article in ITtoolbox called Look At All Of These Passwords!. Apparently, the public terminals at DefCon had illicit listeners. It's pretty amazing how many popular sites don't have any safeguards against a linux user using ettercap.
I have this 20 rolls of tinfoil in my basement...
:)
And people call *ME* paranoid
I had to log in.
The International Tribune is carrying the same story.
The problem with SSL is that many people, even in the high-tech industry, aren't very good at using it.
It wouldn't be very difficult for a net cafe owner to set up an MIM attack and have their own self-signed certificate. Your browser *should* throw a warning, but most users will happily accept the extra risk without thinking twice (or even reading the error message).
A more involved attack might involve getting a certificate issued for AMAZ0N.COM and the chances are good that you could stage a MIM attack without even a certificate warning appearing.
I also suspect that a fair chunk of users would happily type their information into an order form on Amazon.com even if the connection to them wasn't even https. I'm sure if it "looks like amazon" that'd probably suffice.
the risk is greatly reduced by the fact that the vast majority of shopping sites use SSL to encrypt transactions where credit card numbers are being sent
Maybe you don't know, but SSL is useless vs local sniffing because of things like ARP Poisonning ect. SSL is fundamentally broken. Consider every SSL connection you send wirelessly (short of using WPA) to be plaintext. Don't even dare connecting to your bank with it.
Yeah, and Starbucks doesn't sell toilet rolls..
I'm not sure how that description fits a scenario where a browser popa up a window and tells you that tells you what might be going on.
If I am asked about the certificate when I am buying something online or visiting my bank I probably won't read all the details but I will surely be clicking no.
Accessing an SSL site over wireless is perfectly fine if you aren't a cretin.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
It really gives the people sitting next to you a bad impression when all they see are pr0n popups!
As for Wireless networks. Look, if it's broadcast, ANYONE, can pick it up. The right person, with the right skills, and the right motivation, and the right amount of time, can do whatever they want with the contents of said broadcast.
Your cell phone conversations are not secure, your computer's files and transmissions over a wireless network are not secure. Granted cracking certain types of wireless encryption may be impossible from a practicle standpoint, but that doesn't mean it's safe. Capture the packets, and crack them at your leisure.
Want security? Stick with Ethernet, just don't let anyone too close to the cables, or the equipment.
//shameless plug
I just got interviewed about protecting email using encryption, the article appeared in Sunday's Washington Post.
The interviewer was really interested in talking about encrypting the email messages using PGP. I think that's a great idea; we encrypt most email we send. However, I tried to hammer home the fact that if your email password gets sniffed while you're checking your encrypted emails, that you'll end up needing to encrypt every email since someone else might be checking it for you. And/or deleting or changing it....
//end shameless plug
---
Read and comment on the musings of information security geeks
Check out our infosecurity industry blog: http://securitymusings.com/
Anyone with a laptop on the same segment or WAP can run their own DHCP server. That way when you connect, there's a very good chance that they can send you connection details first.
That way they can make themselves into the gateway and from there it's trivial to screw with your traffic.
Has there ever been a documented case of people having their credit card details stolen by eavsdropping over an unsecured transmission? Not keyboard sniffing the user's machine or hacking the receiving servers database. An actual, verified case of cc number theft.
I'm not asking because it can't be done. Obviously unsecured wireless networks are very easy to monitor. But the issue here is I'm constantly amazed at the focus people have on the security of transmission, rather than spyware on their machines or the potential security of end servers which seem to me to be a lot more vulnerable and ripe for attack on the kind of scale that's actually useful to criminals.
Often the same people will happily hand over their credit cards to be taken out the bank of a resturaunt, fax or phone cc details through to businesses or throw out printed receipts with their full details (and signature).
Why this obsession with HTTPS?
One of these days I'm moving to Theory - everything works there
I just use an SSH-based SOCKS proxy for my secure wireless surfing needs. I've got a Linksys router set up back at home that I loaded with Linux.
You can read a guide I wrote a while back on how to do this here. FF, Thunderbird, and GAIM all support SOCKS proxies, so it works out great for me. Only problem is your DNS traffic goes out unencrypted, but that isn't necessarily a big deal, unless you are visiting something along the lines of www.penisland.net.
"Better to be vulgar than non-existent" -Bev Henson
Long answer: If you can't trust the software, you're SOL. If you can't trust the browser, how can you trust a java applet that the browser delivers? If you suspect a keylogger, your java applet will only be secure so long as it's uncommon enough that no one cares to counter it with common keylogging software. Unless you propose to implement the crypto in Java, and distribute all required components inside your Java app, there's a good chance you have to call a local crypto library, so one could easily imagine keylogging software grabbing everything you're doing from the crypto API, after you type it but before it's actually encrypted and sent out.
And of course, as you say, they could monitor the screen and mouse movements, they could discover that you're using an applet and do a MITM (sending you to another applet that looks similar to yours but logs what you do), they could...
Hell, they could just visit that applet themselves, steal your bandwidth.
There's a very, very good chance that if you bring a boot CD, boot DVD, bootable flash, or any combination of the above, that you will be as secure as you would with a laptop. There could easily be hardware keyloggers, but that's probably significantly rarer.
But really, bring a laptop and use a VPN. Laptops can be had ridiculously cheap, and VPNs can be ridiculously easy to set up, and Tempest attacks are ridiculously hard to execute. Then your biggest problem would be shoulder surfing. But that's easy -- type too fast for them to catch your passwords, and make sure you're not being watched when you hit anything particularly sensitive. I also use Dvorak, for an added layer of confusion.
Any security can be beat, but mine is very, very difficult to break, while at the same time being insanely easy for me.
Don't thank God, thank a doctor!
Download an easy to use packet analyzer like Cain-n-Able and go to a place with wireless access and connect to the AP. Hotels are the best if you are staying there, but there is no reason you can't just sit in the parking lot. Let CnA run for any amount of time and look at how many email, web page, news or whatever passwords you receive. Then realize that someone could be doing this to you!
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
A web browser on a usb flash drive. All dependent files and caches on the flash drive. Plug in to browse. Pull out for security.
I wasn't aware the technically uninformed read "News for Nerds" Slashdot.
It's pretty obvious that if you surf on a popular, insecure wireless network, there's a good chance that someone will come along and start sniffing data. When using these networks, you have to act as if someone is sniffing it. One thing you shouldn't do is make important transactions, especially those that involve things like credit card numbers. Sure, there's SSL, but do you really want to take the chance that someone might not be determined enough to try and break it somehow?
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
I recall stumbling across a good database of 900 MHz cordless phone frequencies ages ago (pre-2.4GHz). I scrambled for my police scanner. For about five minutes, I thought I had died and gone to heaven. First, I listened to my neighbor talk about how she was not sure if *he* was really *the one*. Next, I fell asleep. Then I remembered that (US) police made (and still make) a habit of broadcasting your full name, social security number, date of birth, driver's license number and your special crime over unsecured, unencrypted long-range wireless networks all day. I could tell you all sorts of information about John Q. Public back when I gave a crap. If a transaction online does not feel safe, it probably isn't. Slashdot readers don't need to be berated by this message or by this article.
FairTax baby!
One thing to defeat a key logger is to create a notepad document
at the public place and write the relevent numbers and names AND
alot of other names and numbers that are irrelevent. Mix the names
and numbers up in the text document. One then puts in the text boxes,
the relevent numbers and names simply by cut and pasting from the
text document.
I don't understand why they don't replace the 3 digit secuity code with a matrix on the back of the physical card, and when asked for CC details you are asked to provide the numbers/letters at given points in the matrix (e.g. Please enter security codes A3, B9 and T7), which can then be verified by the bank. Sure, it's not completely secure, but it's a hell of a lot more secure than 3 fixed numbers. I guess the banks would consider this as too complicated for ma and pa Bloggs, but surely they could offer it as a choice for people who shop online a lot.
Anybody have screenshots of what these "self-signed certificate" errors look like so that I know what to beware?
Penny - plain text accounting
When I use my laptop at any WIFI connection, I use OpenVPN to create a secure connection.
When I have to use a public computer, I use ssh and a hardware token which generates a one-time password.
Of course, you will have to have your own 'server' connected to the Internet, however this could also be a DSL box at home.
(and it requires some work to install this, but that's part of the fun obviously)
While this might not be in the direction of the article, getting a URL wrong can be equally as dangerous.
I was at a public access terminal in an airport. The terminal was set up so no new windows could be opened. Ever heard of the web comic Sinfest ? I read it daily. Did you know there is also a sinfest.org ? I got confused. Never have I had to close so many pop-up windows so quickly while also trying to click on the HOME button
How often do you read (or send) your credit-card number by email?
Neither is good from an information-theft perspective, but dealing with sites that have your financial info generally requires more security.
I recently setup my girlfriend's cafe with a speedy little router. The Cafe's WiFi is open, not WEP enabled (for ease of use) .txt, uninstall C&A and nobody would know the difference.
;)
The Cafe has one 1 public PC for the use of anybody (also on wireless network)
What i told her is to never do anything critical on the public PC. Then i showed her from my flash drive how fast i could install Cain+Able (or similar) and extract protected passwords to a
I would never abuse patron's info, because it is bad for business! But others might not be as honorable. (i would make some edits on a myspace in a instant if left open
Besides a disclaimer to patrons (watch your shti!) What really can you do to prevent an open WiFI spot from being abused?
**without making things a pain in the arse for customers
Kill your TV