The Problems of Web Surfing in Public Places
Krishna Dagli writes to mention a New York Times article about the dangers of public web surfing. The article looks at the sloppy habits people have when using public terminals, and the issues that come with using a wireless signal in a public place. From the article: "Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels. 'The problem is, the really good people have written sniffer programs so that the less-sophisticated people have access to the same technology,' Mr. Sellitto said. 'Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer.'"
Why not set up a minimal Linux installation (say a 2-4 GB partition) for wireless browsing while traveling? Do not keep any sensitive data on that partition and DO NOT MAKE other partitions mountable.
Sure, nothing is 100% safe, some hacker can get root access, but casual hackers would not find anything interesting and give up.
But solving that problem is a few dollars away in the form of a screen protector. For the technically uninformed that believe the internet is inherently safe to surf and operate on this article may come as a surprise. What worries me more is the fact that people regard personal/delicate information as just "something they work with". Reminds me of the day we found social security numbers and copies of military orders in the dumpster at my former Air Force Base. Some people are clueless.
I'm very wary of typing stuff in public terminals nowadays, because even if I have a USB drive with a virtual OS on it (or at least a copy of Opera), I'm still paranoid that it might have a hardware keylogger attached (although I'm not really worth anything). You can't really protect against that.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
I'm soon moving to an apartment that offers free Wi-Fi internet connectivity. Though it's an encrypted connection, I don't necessarily want anyone in the apartment complex to be able to look at the contents of every un-secured website I go to. Can someone recommend a VPN provider that:
1. Will provide a static IP address so I can run services like SMTP and HTTP
2. Will easily work with some version of firmware on my wireless router, a WRT-54G. This way I can provide seamless access to the rest of the machines on my network without running VPN software on them.
I am wondering, is there a way to protect me when I am not using a laptop but a PC in an internet cafe?
Assuming I cannot trust the browser on that pc to correctly encrypt my traffic even on https sites, I cannot install any vpn software, and I cannot be sure that there are no keyboard loggers.
So, something like a Java applet (stored on a secure webserver), that I can load, and that opens a browser-in-a-browser, encrypting all traffic, with an added on-screen-keyboard to defeat keyboard loggers?
It would not be absolutely safe, since a good sniffer could also monitor the screen and the mouse movements, but it would be better than nothing.
http://blogs.ittoolbox.com/security/investigator/archives/look-at-all-of-these-passwords-11240
this is a good one, anyone buy any amazon books lately? take a look here.
The problem with SSL is that many people, even in the high-tech industry, aren't very good at using it.
It wouldn't be very difficult for a net cafe owner to set up an MIM attack and have their own self-signed certificate. Your browser *should* throw a warning, but most users will happily accept the extra risk without thinking twice (or even reading the error message).
A more involved attack might involve getting a certificate issued for AMAZ0N.COM and the chances are good that you could stage a MIM attack without even a certificate warning appearing.
I also suspect that a fair chunk of users would happily type their information into an order form on Amazon.com even if the connection to them wasn't even https. I'm sure if it "looks like amazon" that'd probably suffice.
Sure the certificates will not match or give a self-issued warning. But how many people surfing at StarBucks care about those broken lockpad symbols?
Well, the browsers should bring up a message that says the certificate isn't valid. That might be a red-flag to a lot of people, especially when visiting their bank. Some people might ignore the popup message like they ignore every message.
But in general I agree that online banking could be a problem at your local Starbucks. I've felt for a long time that banks need to enable something better than the stupid username/password authentication. Make it a physical device issued by the bank to each customer that verifies the identity of the bank, and verifies the identity of the customer. Require users have the thing plugged into the USB device whenever they do online banking.
As for Wireless networks. Look, if it's broadcast, ANYONE, can pick it up. The right person, with the right skills, and the right motivation, and the right amount of time, can do whatever they want with the contents of said broadcast.
Your cell phone conversations are not secure, your computer's files and transmissions over a wireless network are not secure. Granted cracking certain types of wireless encryption may be impossible from a practical standpoint, but that doesn't mean it's safe. Capture the packets, and crack them at your leisure.
Want security? Stick with Ethernet, just don't let anyone too close to the cables, or the equipment.
XP Home needs a couple more steps, but it's just as bad.
Kinda makes any additional security measures pretty futile.
Has there ever been a documented case of people having their credit card details stolen by eavesdropping over an unsecured transmission? Not keyboard sniffing the user's machine or hacking the receiving server's database. An actual, verified case of cc number theft.
I'm not asking because it can't be done. Obviously unsecured wireless networks are very easy to monitor. But the issue here is I'm constantly amazed at the focus people have on the security of transmission, rather than spyware on their machines or the potential security of end servers which seem to me to be a lot more vulnerable and ripe for attack on the kind of scale that's actually useful to criminals.
Often the same people will happily hand over their credit cards to be taken out the back of a restaurant, fax or phone cc details through to businesses or throw out printed receipts with their full details (and signature).
Why this obsession with HTTPS?
One of these days I'm moving to Theory - everything works there
Oh, man, I wish I'd thought of half of the things you (and other replies) are putting out here. Recently, I was at a completely unsecured Windows desktop in a hotel lobby. Apparently, someone at the hotel thought Wireless was a magic bullet and put some Linksys or Dlink crap up, with a click-through agreement.
Now, for whatever reason, my Powerbook with OpenVPN will, with seemingly random frequency, crash all but the most industrial-strength access points. Iowa State University wireless was about the only place I didn't have that problem, and they don't do any kind of NAT -- you get a real Internet IP address. Just a little firewalling -- common things like Windows file sharing and outbound SMTP (spam) -- other than that, every box you have is naked on the Internet. But I digress...
So, this hotel, the desktop in the lobby (next to the front desk, probably 10 feet from their access point) was hooked up via wireless. So I come in, turn on my wireless, click through the agreement, and 10 minutes later -- boom! No more Internet, for the whole fucking hotel.
So I go sit down at the Windows box to check it out. Sure enough, the Internet outages -- which only seem to happen when I'm doing something with my laptop -- occur at exactly the same time, judging by pings to Google on the Windows box and my laptop.
But while at the Windows box, I noticed something. Despite a few warnings on the sign next to the computer, the thing was completely open. Judging by a few of the programs I was seeing here, it had been 0wned several times by several different people, but all with the motive of intercepting credit card numbers (or something), none with the motive of defacing the box. It was blatantly obvious they didn't image it much.
All that power, and the only thing I could think to do (or dared try) was changing the "Internet Explorer" link on the desktop to "Internet Exploder". Too subtle, too -- I should've changed the icon to a bomb. I hope someone gets a chuckle out of it someday, but unfortunately, I doubt it will cause hours of fun for anyone, the way the desktop/screenshot thing might.
Don't thank God, thank a doctor!
Download an easy to use packet analyzer like Cain & Abel and go to a place with wireless access and connect to the AP. Hotels are the best if you are staying there, but there is no reason you can't just sit in the parking lot. Let CnA run for any amount of time and look at how many email, web page, news or whatever passwords you receive. Then realize that someone could be doing this to you!
There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
http://catb.org/jargon/html/writing-style.html has a pretty good explanation.
Hackers tend to use quotes as balanced delimiters like parentheses, much to the dismay of American editors. Thus, if "Jim is going" is a phrase, and so are "Bill runs" and "Spock groks", then hackers generally prefer to write: "Jim is going", "Bill runs", and "Spock groks". This is incorrect according to standard American usage (which would put the continuation commas and the final period inside the string quotes); however, it is counter-intuitive to hackers to mutilate literal strings with characters that don't belong in them. Given the sorts of examples that can come up in discussions of programming, American-style quoting can even be grossly misleading. When communicating command lines or small pieces of code, extra characters can be a real pain in the neck.
Consider, for example, a sentence in a vi tutorial that looks like this:
Then delete a line from the file by typing "dd".
Standard usage would make this
Then delete a line from the file by typing "dd."
but that would be very bad -- because the reader would be prone to type the string d-d-dot, and it happens that in vi(1), dot repeats the last command accepted. The net result would be to delete two lines!
[...]
Interestingly, a similar style is now preferred practice in Great Britain, though the older style (which became established for typographical reasons having to do with the aesthetics of comma and quotes in typeset text) is still accepted there. Hart's Rules and the Oxford Dictionary for Writers and Editors call the hacker-like style 'new' or 'logical' quoting. This returns British English to the style many other languages (including Spanish, French, Italian, Catalan, and German) have been using all along.
Well - I am not sure I would call it obvious. Experimentally I had two PCs on the same LAN segment. One was running ettercap, the other I used for browsing. Ettercap was configured to do ARP poisoning and track SSL sessions with dynamic certificate generation. From the other PC I logged on to my so-called secure banking and ettercap had absolutely NO problem whatsoever in getting my username and password. From a user perspective the only HINT that something was wrong was that the cert was self signed (all the data in the cert was a replica of the original - just self signed).
Yes - if I had started the attack in the middle of a session it would probably have been obvious, but no - since ettercap was running before I even started logging on - there were no warnings of any kind - just a request from my browser if I wanted to accept the cert or not. Even looking at the cert for Joe Six-pack I would bet it looked pretty ok. You would need to understand the technology behind certificates to know that a self signed certificate is not secure - and honestly - while you and I might do that, how many users of on-line banking know? I am fairly sure that most - if not all - non-IT educated people would readily accept such a cert and therefore in reality browse in the open.
Regarding pop-ups on man in the middle attacks. Well - obviously I went through quite a lot of testing - mostly because I wanted to know what was possible and - if possible - how to prevent it. I did experience a few switches (and that is 2 to be exact out of at least 15 I tried with) that for some reason were not prone to the ARP poisoning, BUT in those cases the attempt just quietly failed. In all other cases - ettercap happily sniffed just about any connection I tried to make without any hint on the client. The truly scary part is that ettercap can run pretty much unattended and just log whatever passwords it comes across, so I would say it was/is pretty viable to bring a laptop to a Starbucks and let it run for a few hours while I had a cup of coffee - then go home and see what I got. From the ettercap manual:
SSL MITM ATTACK
While performing the SSL mitm attack, ettercap substitutes the real ssl
certificate with its own. The fake certificate is created on the fly
and all the fields are filled according to the real cert presented by
the server. Only the issuer is modified and signed with the private key
contained in the 'etter.sll.crt' file. If you want to use a different
private key you have to regenerate this file.
The key here is that I do not agree with you that the chances of someone being there and ready is pretty small. Someone doesn't need to be ready - just run an application and wait - that is ALL it takes.
So why is this not rampant (as someone else was commenting)? Well - I wouldn't know. What I do know is that I just selected ettercap from the standard list of Debian packages and did no configuration whatsoever. I wouldn't know if it runs on Windows or if it is hard to install and/or use. I guess in the Starbucks scenario I mentioned, the hard part would be the WEP keys, last time I checked that still did require some knowledge and wasn't fully automated, but once on a shared network it does not require much skill.
I was being asked why it wasn't rampant and I merely stated I wouldn't know that :) All I know is that it is doable and it doesn't require much skill to do so, so yes - my personal guess is that it is pretty common and will become even more so in the future.
:)
Actually I did consider writing that the only reason I could think of was that people are still essentially honest with only a few crooks around - but I decided against it
One of the New Zealand banks (BankDirect) a while back had their SSL certificate expire. In the 12 hours before it was fixed, 300 people were presented with an invalid certificate warning dialog and 299 people logged in regardless.
Actual numbers. Google it for yourself.
I recall stumbling across a good database of 900 MHz cordless phone frequencies ages ago (pre-2.4GHz). I scrambled for my police scanner. For about five minutes, I thought I had died and gone to heaven. First, I listened to my neighbor talk about how she was not sure if *he* was really *the one*. Next, I fell asleep. Then I remembered that (US) police made (and still make) a habit of broadcasting your full name, social security number, date of birth, driver's license number and your special crime over unsecured, unencrypted long-range wireless networks all day. I could tell you all sorts of information about John Q. Public back when I gave a crap. If a transaction online does not feel safe, it probably isn't. Slashdot readers don't need to be berated by this message or by this article.
FairTax baby!