The Problems of Web Surfing in Public Places

Krishna Dagli writes to mention a New York Times article about the dangers of public web surfing. The article looks at the sloppy habits people have when using public terminals, and the issues that using a wireless signal in a public place. From the article: "Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels. 'The problem is, the really good people have written sniffer programs so that the less-sophisticated people have access to the same technology,' Mr. Sellitto said. 'Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer.'"

Reading sensitive information in public places?

[SillyNickName4me]

Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer

Yeah, but while in a public place, someone looking over your shoulder might be a more realistic worry.

Re:Reading sensitive information in public places?

[heartless_]

But solving that problem is a few dollars away in the form of a screen protector. For the technically uninformed that believe the internet is inherently safe to surf and operate on this article may come as a surprise. What worries me more is the fact that people regard personal/delicate information as just "something they work with". Reminds me of the day we found social security numbers and copies of military orders in the dumpster at my former Air Force Base. Some people are clueless.

Re:Reading sensitive information in public places?

[ms1234]

Does anyone else than me find it funny that when lcd screen were new people would bitch and moan about the angles from which the screen could be seen was bad and now when you have an almost 180 degree field of vision on the damn things people bitch and moan that others can see whats on their screens and are buying screen protectors?

Auto-login anybody?

[minuszero]

How many websites you use have a "log me in automatically" checkbox, ticked by default?

Bet it's most.

How many average users do you suppose won't bother/remember to uncheck it?

Re:Auto-login anybody?

[daranz]

Ideally, a web browser on a public computer would be set up not to save any personal data, such as cookies, passwords, form entries, etc. Of course, in most cases it is not so, and such browser save cookies, and even passwords from the users... Fortunatelly, some browsers, like FF, have a convenient menu item that clears all personal data recorded by the user, and so it's possible to ensure that you leave no cookies or form entries behind, even if the browser is setup to allow them... Worst thing if the public computer runs IE, or some other browser where you have to dig in options screens to clear all your data. In many cases, such meddling with the browser is frowned upon by whoever is supposed to be watching over the computers.

Glaring technical errors

Just one of several glaring errors: One guy says not to shop online, but reading email is probably ok. WTHeck??? Online shopping is almost universally via ssl these days, which IS safe (as long as you trust your merchant). Reading email is still mostly via unencrypted channels.

Who wrote this crap?

Re:Glaring technical errors

[Achromatic1978]

Agreed. I was thinking that. "Don't do {any one of a number of tasks that are almost definitely encrypted}, but right ahead and do {any one of a number of tasks that almost definitely aren't}".

Mind you, I SSL protect my webmail, too.

Re:Glaring technical errors

[lars_boegild_thomsen]

Who told you ssl is safe? Any computer on the same lan segment - a bit of arp poisoning and you got an efficient man-in-the-middle attach. Then you present the client with a fake ssl certificate made on the fly to look like the original server certificate. No - it will not have the proper signatures by any cert authorities, but honestly - how often do YOU read all the details of a certificate presented to you before you say "Accept"?

Sounds complicated to do in reality - well there are tools readily available that does EXACTLY what I described above and just about anybody can use them with a few hours of playing around.

So - you do your SECURE SSL encrypted bank transactions over a public or semi public WIFI network. Anybody with a bit of knowledge can crack the wireless encryptions in a matter of 10 minutes, and sniff ALL traffic - including SSL without you having a clue what is going on.

Re:Glaring technical errors

[lars_boegild_thomsen]

Well - I am not sure I would call it obvious. Experimentally I had two PC's on the same LAN segment. One was running ettercap the other I used for browsing. Ettercap was configured to do ARP poisoning and track SSL sessions with dynamic certificate generation. From the other PC I logged on to my so-called secure banking and ettercap had absolutely NO problem whatsoever in getting my username and password. From a user perspective the only HINT that something was wrong was that the cert was self signed (all the data in the cert was a replica of the original - just self signed).

Yes - if I had started the attack in the middle of a session it would probably have been obvious, but no - since ettercap was running before I even started logging on - there was no warnings of any kind - just a request from my browser if I wanted to accept the cert or not. Even looking at the cert for Joe Six-pack I would bet it looked pretty ok. You would need to understand the technology behind certificated to know that a self signed certificate is not secure - and honestly - while you and I might do that, how many users of on-line banking know? I am fairly sure that most - if not all - non-IT educated people would readily accept such a cert and therefore in reality browse in the open.

Regarding pop-ups on man in the middle attacks. Well - obviously I went through quite a lot of testing - mostly because I wanted to know what was possible and - if possible - how to prevent it. I did experience a few switches (and that is 2 to be exact out of at least 15 I tried with) that for some reason was not prone to the ARP poisoning, BUT I in those cases the attempt just quietly failed. In all other cases - ettercap happily sniffed just about any connection I tried to make without any hint on the client. The truly scary part is that ettercap can run pretty much unattended and just log whatever passwords it comes across, so I would say it was/is pretty viable to bring a laptop to a Starbucks and let it run for a few hours while I had a cup of coffee - then go home and see what I got. From the ettercap manual:


SSL MITM ATTACK
              While performing the SSL mitm attack, ettercap substitutes the real ssl
              certificate with its own. The fake certificate is created on the fly
              and all the fields are filled according to the real cert presented by
              the server. Only the issuer is modified and signed with the private key
              contained in the 'etter.sll.crt' file. If you want to use a different
              private key you have to regenerate this file.


The key here is that I do not agree with you that the chances of someone being there and ready is pretty small. Someone doesn't need to be ready - just run an application and wait - that is ALL it takes.

So why is this not rampant (as someone else was commenting). Well - I wouldn't know. What I do know is that I just selected ettercap from the standard list of Debian packages and did no configuration whatsoever. I wouldn't know if it run on Windows or if it is hard to install and/or use. I guess in the Starbucks scenario I mentioned, the hard part would be the wep keys, last time I checked that still did require some knowledge and wasn't fully automated, but once on a shared network it does not require much skills.

I read your traffic

[airuck]

It used to be a hobby of mine. tcpdump and ethereal. Chat, email, documents, http requests, password snarfing. Then I discovered that most folks had nothing of any interest to say. One step above listening to teenage girls talk on their cell phones.

Re:I read your traffic

[Bios_Hakr]

You are thinking of it in terms of watching a TV. That's not the problem. Like you say, most people have nothing to say.

However, the real problem is that someone will set up a laptop to sniff an open wireless network and then grep the output for credit-card numbers and MMO passwords. Once they nail a CC#, they can examine the surrounding packets to find expiration dates, names and addresses, and that stupid "security code". MMO passwords can be used to empty a user's inventory for real money.

How many people shop from Starbucks? I dunno. I bet quite a few do. How many play WoW at Starbucks? Probably some.

Re:I read your traffic

[Vellmont]

However, the real problem is that someone will set up a laptop to sniff an open wireless network and then grep the output for credit-card numbers and MMO passwords.

While this is somewhat of a concern, the risk is greatly reduced by the fact that the vast majority of shopping sites use SSL to encrypt transactions where credit card numbers are being sent. That would make any sniffing attempts useless.

Hell, even Yahoo has a secure login for email these days.

Re:I read your traffic

[Chuck+Chunder]

One step above listening to teenage girls talk on their cell phones.

Presumeably this was before the existence of MySpace?

Re:I read your traffic

[daranz]

Some banks actually issue scratch-off cards, that contain a bunch of authentication numbers. Each of those can be used only once, and they have to be used in order they are listed on the card. That way, even if the login data is stolen, no transaction can be done without intercepting the physical card... Sort of a one time pad scheme for transaction authentication. It's simple, cheap, but effective.

As far as I know, this is more popular in Europe, and few, if not none of the American banks use this system...

Re:I read your traffic

[zcat_NZ]

One of the New Zealand banks (BankDirect) a while back had their SSL certificate expire. In the 12 hours before it was fixed, 300 people were presented with an invalid certificate warning dialog and 299 people logged in regardless.

Actual numbers. Google it for yourself.

Nobody ever logs out.

[hmccabe]

I used to work at an Apple store across the street from a high school. I would estimate that 75% of the packets coming into that store came from myspace.com. Of course, these kids would never log out, which meant you could walk up to just about any computer, launch safari, go to myspace and start editing the profile of whomever last used the computer. Favorite edits included

• Changing interests to include homosexuality, drugs, etc.
• Changing background images
• Changing profile photos
• Joining a group of people who check their myspace at the apple store. (I'm in that group too)

I couldn't bring myself to break off any friendships, that's a bit too mean.

Re:Nobody ever logs out.

[jlarocco]

What a cunt -- you need a good kicking. Hope you get it one day.

Shouldn't you be practicing homosexuality, doing drugs, or checking your myspace at the Apple store right now?

Re:Nobody ever logs out.

[hmccabe]

Funny you should mention that, I used to do that too. I worked for a porn hosting company (imagine how much different it was to work for Apple) where people on different shifts shared the same Windows 2000 workstations. IIRC, the registry had a different key for each user on the box, so we would go in and change other people's wallpaper to Tiger-beatesque Backstreet Boys wallpaper and such. I often thought about doing the screenshot of the desktop thing, I bet it was awesome.

Pagers were the other key element of office fun. The back page of the Phoenix New Times used to have these local numbers that would play a recording that told you all the 1-900 numbers for whatever kind of phone sex floated your boat. I would page the engineers sitting in the next desk with those numbers and listen when they called. When they got confused it was funny, when they used the speakerphone it was epic.

I think I might have figured out why the job search is taking so long.

What was this story about again?

Re:Nobody ever logs out.

[flonker]

http://catb.org/jargon/html/writing-style.html has a pretty good explanation.


Hackers tend to use quotes as balanced delimiters like parentheses, much to the dismay of American editors. Thus, if "Jim is going" is a phrase, and so are "Bill runs" and "Spock groks", then hackers generally prefer to write: "Jim is going", "Bill runs", and "Spock groks". This is incorrect according to standard American usage (which would put the continuation commas and the final period inside the string quotes); however, it is counter-intuitive to hackers to mutilate literal strings with characters that don't belong in them. Given the sorts of examples that can come up in discussions of programming, American-style quoting can even be grossly misleading. When communicating command lines or small pieces of code, extra characters can be a real pain in the neck.

Consider, for example, a sentence in a vi tutorial that looks like this:

        Then delete a line from the file by typing "dd".

Standard usage would make this

        Then delete a line from the file by typing "dd."

but that would be very bad -- because the reader would be prone to type the string d-d-dot, and it happens that in vi(1), dot repeats the last command accepted. The net result would be to delete two lines!
[...]

Interestingly, a similar style is now preferred practice in Great Britain, though the older style (which became established for typographical reasons having to do with the aesthetics of comma and quotes in typeset text) is still accepted there. Hart's Rules and the Oxford Dictionary for Writers and Editors call the hacker-like style 'new' or 'logical' quoting. This returns British English to the style many other languages (including Spanish, French, Italian, Catalan, and German) have been using all along.

Obligatory..

[StikyPad]

The article looks at...the issues that using a wireless signal in a public place.

Next we're going to look at the issues that posting without editing.

What gets me...

[ackthpt]

How many websites you use have a "log me in automatically" checkbox, ticked by default?

What gets me is sitting down to a mocha double soy and finding all these post it notes under the table with elegantly written little bits like 'bad1983girl', 'iluvpuppies' and 'password'...

Re:What gets me...

[Ph33r+th3+g(O)at]

Clean them out -- you have plausible deniability, and you warned them. If things get hot, take a jet to Belize :).

More reason to listen to the End-to-End Argument

[ToastyKen]

That's all the more reason to listen to The End-to-End Argument [PDF]. (Wiki link if you don't want a PDF.)

Never trust the network!

Although, I suppose VPNs technically don't adhere to the end-to-end argument, exactly..

security in internet cafees

[F�an�ro]

I am wondering, is there a way to protect me when I am not using a laptop but a pc in an internet cafee?

Assuming I cannot trust the browser on that pc to correctly encrypt my traffic even on https sites, I cannot install any vpn software, and I cannot be sure that there are no keyboard loggers.

So, somthing like a java applet (stored on a secure webserver), that I can load, and that opens a browser-in-a-browser, encrypting all traffic, with an added on-screen-keyboard to defeat keyboard loggers?

It would not be absolutely safe, since a good sniffer could also monitor the screen and the mouse movements, but it would be better than nothing.

At first glance.

[Ocular+Magic]

"The article looks at the sloppy habits people have when using public terminals"

When I first read that, I thought it was going to talk about people picking their nose/teeth/ears while using the terminals. I wonder what those dangers are? "What's that green thing on the key there? EWWWWWWWWWWWWWWwwwww..."

When used properly

[grahamsz]

The problem with SSL is that many people, even in the high-tech industry, aren't very good at using it.

It wouldn't be very difficult for a net cafe owner to set up an MIM attack and have their own self-signed certificate. Your browser *should* throw a warning, but most users will happily accept the extra risk without thinking twice (or even reading the error message).

A more involved attack might involve getting a certificate issued for AMAZ0N.COM and the chances are good that you could stage a MIM attack without even a certificate warning appearing.

I also suspect that a fair chunk of users would happily type their information into an order form on Amazon.com even if the connection to them wasn't even https. I'm sure if it "looks like amazon" that'd probably suffice.

Re:When used properly

[asuffield]

It wouldn't be very difficult for a net cafe owner to set up an MIM attack and have their own self-signed certificate. Your browser *should* throw a warning

Um, excuse me? All the workstations in the net cafe will have the cafe owner's CA certificate installed, which will validate all the MIM attack certificates for them (assuming that they didn't just have a modified version of firefox installed that lied about the SSL status). SSL is completely and totally worthless when the attacker controls the workstation you are using.

The only thing SSL does is to ensure that communication between two secure endpoints cannot be accessed by somebody who merely controls the channel between them. It cannot be of any use to you if your endpoint is not secure.

Re:Man-In-The-Middle Attacks

[Vellmont]

Maybe you don't know, but SSL is useless vs local sniffing because of things like ARP Poisonning ect.

That's why SSL certificates are signed. As long as the certificate issuers are doing their jobs and only giving out signed certificates for www.myURLNameHere.com to the actual owner of www.myURLNameHere.com, and people actually don't complete transactions when a warning of a self-signed certificate comes up, you're fine. The cert issuers are pretty good (I haven't heard of any real problems). Some people do ignore cert warnings, but that's the risk they take. I know to take cert warnings seriously when entering in secure information, so the risks to me are minimal.

The Bottom Line

[PixieDust]

Here it is folks. Anyone using a public terminal and transmitting/receiving any type of personal information in one way or another, is playing russian roulette with their information.

As for Wireless networks. Look, if it's broadcast, ANYONE, can pick it up. The right person, with the right skills, and the right motivation, and the right amount of time, can do whatever they want with the contents of said broadcast.

Your cell phone conversations are not secure, your computer's files and transmissions over a wireless network are not secure. Granted cracking certain types of wireless encryption may be impossible from a practicle standpoint, but that doesn't mean it's safe. Capture the packets, and crack them at your leisure.

Want security? Stick with Ethernet, just don't let anyone too close to the cables, or the equipment.

Not just the owner

[grahamsz]

Anyone with a laptop on the same segment or WAP can run their own DHCP server. That way when you connect, there's a very good chance that they can send you connection details first.

That way they can make themselves into the gateway and from there it's trivial to screw with your traffic.

Just wondering...

[Timbotronic]

Has there ever been a documented case of people having their credit card details stolen by eavsdropping over an unsecured transmission? Not keyboard sniffing the user's machine or hacking the receiving servers database. An actual, verified case of cc number theft.

I'm not asking because it can't be done. Obviously unsecured wireless networks are very easy to monitor. But the issue here is I'm constantly amazed at the focus people have on the security of transmission, rather than spyware on their machines or the potential security of end servers which seem to me to be a lot more vulnerable and ripe for attack on the kind of scale that's actually useful to criminals.

Often the same people will happily hand over their credit cards to be taken out the bank of a resturaunt, fax or phone cc details through to businesses or throw out printed receipts with their full details (and signature).

Why this obsession with HTTPS?

Re:Just wondering...

[fm6]

Why this obsession with HTTPS?

They same reason people buy car alarms that will be ignored when they go off, or guns that they don't have the training to use. People want some technological solution to their security problems. They don't want to go through the hassle of doing a real security strategy. The real purpose of most security technology is not to provide security, but to provide the feeling of security.

Re:In case you are interested...

[StikyPad]

Oh.. we thought that was your name.

Technically unaware on slashdot?

[grrowl]

I wasn't aware the technically uninformed read "News for Nerds" Slashdot.

Re:Solution

[mpmann]

Pull out for security. Where have I heard that before?