Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Problems of Web Surfing in Public Places

Posted by ryuzaki0 on from the whoareyou dept.

Krishna Dagli writes to mention a New York Times article about the dangers of public web surfing. The article looks at the sloppy habits people have when using public terminals, and the issues that using a wireless signal in a public place. From the article: "Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels. 'The problem is, the really good people have written sniffer programs so that the less-sophisticated people have access to the same technology,' Mr. Sellitto said. 'Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer.'"

16 of 176 comments (clear)

  1. Glaring technical errors by Anonymous Coward · · Score: 5, Informative

    Just one of several glaring errors: One guy says not to shop online, but reading email is probably ok. WTHeck??? Online shopping is almost universally via ssl these days, which IS safe (as long as you trust your merchant). Reading email is still mostly via unencrypted channels.

    Who wrote this crap?

    1. Re:Glaring technical errors by Achromatic1978 · · Score: 3, Informative
      Agreed. I was thinking that. "Don't do {any one of a number of tasks that are almost definitely encrypted}, but right ahead and do {any one of a number of tasks that almost definitely aren't}".

      Mind you, I SSL protect my webmail, too.

    2. Re:Glaring technical errors by lars_boegild_thomsen · · Score: 5, Informative

      Who told you ssl is safe? Any computer on the same lan segment - a bit of arp poisoning and you got an efficient man-in-the-middle attach. Then you present the client with a fake ssl certificate made on the fly to look like the original server certificate. No - it will not have the proper signatures by any cert authorities, but honestly - how often do YOU read all the details of a certificate presented to you before you say "Accept"?

      Sounds complicated to do in reality - well there are tools readily available that does EXACTLY what I described above and just about anybody can use them with a few hours of playing around.

      So - you do your SECURE SSL encrypted bank transactions over a public or semi public WIFI network. Anybody with a bit of knowledge can crack the wireless encryptions in a matter of 10 minutes, and sniff ALL traffic - including SSL without you having a clue what is going on.

  2. Re:Auto-login anybody? by daranz · · Score: 3, Informative

    Ideally, a web browser on a public computer would be set up not to save any personal data, such as cookies, passwords, form entries, etc. Of course, in most cases it is not so, and such browser save cookies, and even passwords from the users... Fortunatelly, some browsers, like FF, have a convenient menu item that clears all personal data recorded by the user, and so it's possible to ensure that you leave no cookies or form entries behind, even if the browser is setup to allow them... Worst thing if the public computer runs IE, or some other browser where you have to dig in options screens to clear all your data. In many cases, such meddling with the browser is frowned upon by whoever is supposed to be watching over the computers.

    --
    This is a sig. It is appended to the end of comments I post.
  3. More reason to listen to the End-to-End Argument by ToastyKen · · Score: 3, Informative

    That's all the more reason to listen to The End-to-End Argument [PDF]. (Wiki link if you don't want a PDF.)

    Never trust the network!

    Although, I suppose VPNs technically don't adhere to the end-to-end argument, exactly..

  4. Re:I read your traffic by Bios_Hakr · · Score: 3, Informative

    You are thinking of it in terms of watching a TV. That's not the problem. Like you say, most people have nothing to say.

    However, the real problem is that someone will set up a laptop to sniff an open wireless network and then grep the output for credit-card numbers and MMO passwords. Once they nail a CC#, they can examine the surrounding packets to find expiration dates, names and addresses, and that stupid "security code". MMO passwords can be used to empty a user's inventory for real money.

    How many people shop from Starbucks? I dunno. I bet quite a few do. How many play WoW at Starbucks? Probably some.

    --
    I'd rather you do it wrong, than for me to have to do it at all.
  5. Re:What gets me... by OmniBeing · · Score: 2, Informative
    One of my clients insists on putting her password under a clear plastic desk protector. Did I mention she's the accountant for the company and she's the only who's supposed to have access, not just to that PC, but to the database...

    Everyone, even the contractors know the password, and they refuse to change it, Dolts.

    --
    - The Google Toolbar has a spell checker button AND it works, consider that before hitting submit next time k?
  6. Re:I read your traffic by Vellmont · · Score: 3, Informative


    However, the real problem is that someone will set up a laptop to sniff an open wireless network and then grep the output for credit-card numbers and MMO passwords.

    While this is somewhat of a concern, the risk is greatly reduced by the fact that the vast majority of shopping sites use SSL to encrypt transactions where credit card numbers are being sent. That would make any sniffing attempts useless.

    Hell, even Yahoo has a secure login for email these days.

    --
    AccountKiller
  7. Look At All Of These Passwords! by boingyzain · · Score: 2, Informative

    On a related note, check out this article in ITtoolbox called Look At All Of These Passwords!. Apparently, the public terminals at DefCon had illicit listeners. It's pretty amazing how many popular sites don't have any safeguards against a linux user using ettercap.

  8. Man-In-The-Middle Attacks by Rectum2003 · · Score: 2, Informative

    the risk is greatly reduced by the fact that the vast majority of shopping sites use SSL to encrypt transactions where credit card numbers are being sent

    Maybe you don't know, but SSL is useless vs local sniffing because of things like ARP Poisonning ect. SSL is fundamentally broken. Consider every SSL connection you send wirelessly (short of using WPA) to be plaintext. Don't even dare connecting to your bank with it.

    1. Re:Man-In-The-Middle Attacks by finkployd · · Score: 2, Informative

      Maybe you don't know, but SSL is useless vs local sniffing because of things like ARP Poisonning ect. SSL is fundamentally broken. Consider every SSL connection you send wirelessly (short of using WPA) to be plaintext. Don't even dare connecting to your bank with it.

      Maybe you don't know, but x.509 certificates are signed by a certificate authority. So the situation you describe requires an additional step: faking out a CA company into giving you a bogus cert. Not impossible, but certainly not trivial.

      Now will joe idiot possibly not be daunted by a cert error and just click through? Maybe, but that is not my problem. I can still feel some degree of safety.

      Finkployd

  9. Re:I read your traffic by daranz · · Score: 4, Informative

    Some banks actually issue scratch-off cards, that contain a bunch of authentication numbers. Each of those can be used only once, and they have to be used in order they are listed on the card. That way, even if the login data is stolen, no transaction can be done without intercepting the physical card... Sort of a one time pad scheme for transaction authentication. It's simple, cheap, but effective.

    As far as I know, this is more popular in Europe, and few, if not none of the American banks use this system...

    --
    This is a sig. It is appended to the end of comments I post.
  10. Re:Anyone recommend VPN provider? by Scaba · · Score: 2, Informative

    You could get a cheap hosting account that offers SSH and open a SOCKS tunnel on your machine or router and point your browser at that. DNS will be resolved on your hosting company's server (for SOCKS 4a and 5), and everything will be encrypted until it leaves the hosting company's server, at which point it will about as secure as any other wired connection (which is to say, not at all to the determined cracker). You also get the benefit of the static IP address and ability to run mail and web servers. Check here and here and here for some ways of keeping your tunnels persistent under *nix and win32, and look at unixshell# or JVDS for hosting plans. I've used them both, and they both seem pretty good.

  11. SOCKS proxies rock. by SocialEngineer · · Score: 2, Informative

    I just use an SSH-based SOCKS proxy for my secure wireless surfing needs. I've got a Linksys router set up back at home that I loaded with Linux.

    You can read a guide I wrote a while back on how to do this here. FF, Thunderbird, and GAIM all support SOCKS proxies, so it works out great for me. Only problem is your DNS traffic goes out unencrypted, but that isn't necessarily a big deal, unless you are visiting something along the lines of www.penisland.net.

    --
    "Better to be vulgar than non-existent" -Bev Henson
  12. Re:Auto-login anybody? by Anonymous Coward · · Score: 1, Informative

    Um, I think GP was referring to use of public terminals, rather than use of wireless networks. I've logged people I've never met out of their G-mail accounts on public terminals many times...

  13. Re:When used properly by Anonymous Coward · · Score: 1, Informative

    No, the problem with SSL is that it's useless if the endpoint is compromised, eg. keylogger in, eg. net cafe. MiM attacks on SSL are trivial on shared Layer 1 with weak or no encryption, eg. 802.11a/b/g with or without WEP, hubbed or arp spoofed switched ethernet.