The Problems of Web Surfing in Public Places

Krishna Dagli writes to mention a New York Times article about the dangers of public web surfing. The article looks at the sloppy habits people have when using public terminals, and the issues that using a wireless signal in a public place. From the article: "Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels. 'The problem is, the really good people have written sniffer programs so that the less-sophisticated people have access to the same technology,' Mr. Sellitto said. 'Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer.'"

Reading sensitive information in public places?

[SillyNickName4me]

Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer

Yeah, but while in a public place, someone looking over your shoulder might be a more realistic worry.

Glaring technical errors

Just one of several glaring errors: One guy says not to shop online, but reading email is probably ok. WTHeck??? Online shopping is almost universally via ssl these days, which IS safe (as long as you trust your merchant). Reading email is still mostly via unencrypted channels.

Who wrote this crap?

Re:Glaring technical errors

[lars_boegild_thomsen]

Who told you ssl is safe? Any computer on the same lan segment - a bit of arp poisoning and you got an efficient man-in-the-middle attach. Then you present the client with a fake ssl certificate made on the fly to look like the original server certificate. No - it will not have the proper signatures by any cert authorities, but honestly - how often do YOU read all the details of a certificate presented to you before you say "Accept"?

Sounds complicated to do in reality - well there are tools readily available that does EXACTLY what I described above and just about anybody can use them with a few hours of playing around.

So - you do your SECURE SSL encrypted bank transactions over a public or semi public WIFI network. Anybody with a bit of knowledge can crack the wireless encryptions in a matter of 10 minutes, and sniff ALL traffic - including SSL without you having a clue what is going on.

Re:Glaring technical errors

[lars_boegild_thomsen]

Well - I am not sure I would call it obvious. Experimentally I had two PC's on the same LAN segment. One was running ettercap the other I used for browsing. Ettercap was configured to do ARP poisoning and track SSL sessions with dynamic certificate generation. From the other PC I logged on to my so-called secure banking and ettercap had absolutely NO problem whatsoever in getting my username and password. From a user perspective the only HINT that something was wrong was that the cert was self signed (all the data in the cert was a replica of the original - just self signed).

Yes - if I had started the attack in the middle of a session it would probably have been obvious, but no - since ettercap was running before I even started logging on - there was no warnings of any kind - just a request from my browser if I wanted to accept the cert or not. Even looking at the cert for Joe Six-pack I would bet it looked pretty ok. You would need to understand the technology behind certificated to know that a self signed certificate is not secure - and honestly - while you and I might do that, how many users of on-line banking know? I am fairly sure that most - if not all - non-IT educated people would readily accept such a cert and therefore in reality browse in the open.

Regarding pop-ups on man in the middle attacks. Well - obviously I went through quite a lot of testing - mostly because I wanted to know what was possible and - if possible - how to prevent it. I did experience a few switches (and that is 2 to be exact out of at least 15 I tried with) that for some reason was not prone to the ARP poisoning, BUT I in those cases the attempt just quietly failed. In all other cases - ettercap happily sniffed just about any connection I tried to make without any hint on the client. The truly scary part is that ettercap can run pretty much unattended and just log whatever passwords it comes across, so I would say it was/is pretty viable to bring a laptop to a Starbucks and let it run for a few hours while I had a cup of coffee - then go home and see what I got. From the ettercap manual:


SSL MITM ATTACK
              While performing the SSL mitm attack, ettercap substitutes the real ssl
              certificate with its own. The fake certificate is created on the fly
              and all the fields are filled according to the real cert presented by
              the server. Only the issuer is modified and signed with the private key
              contained in the 'etter.sll.crt' file. If you want to use a different
              private key you have to regenerate this file.


The key here is that I do not agree with you that the chances of someone being there and ready is pretty small. Someone doesn't need to be ready - just run an application and wait - that is ALL it takes.

So why is this not rampant (as someone else was commenting). Well - I wouldn't know. What I do know is that I just selected ettercap from the standard list of Debian packages and did no configuration whatsoever. I wouldn't know if it run on Windows or if it is hard to install and/or use. I guess in the Starbucks scenario I mentioned, the hard part would be the wep keys, last time I checked that still did require some knowledge and wasn't fully automated, but once on a shared network it does not require much skills.

I read your traffic

[airuck]

It used to be a hobby of mine. tcpdump and ethereal. Chat, email, documents, http requests, password snarfing. Then I discovered that most folks had nothing of any interest to say. One step above listening to teenage girls talk on their cell phones.

Re:I read your traffic

[daranz]

Some banks actually issue scratch-off cards, that contain a bunch of authentication numbers. Each of those can be used only once, and they have to be used in order they are listed on the card. That way, even if the login data is stolen, no transaction can be done without intercepting the physical card... Sort of a one time pad scheme for transaction authentication. It's simple, cheap, but effective.

As far as I know, this is more popular in Europe, and few, if not none of the American banks use this system...

Nobody ever logs out.

[hmccabe]

I used to work at an Apple store across the street from a high school. I would estimate that 75% of the packets coming into that store came from myspace.com. Of course, these kids would never log out, which meant you could walk up to just about any computer, launch safari, go to myspace and start editing the profile of whomever last used the computer. Favorite edits included

• Changing interests to include homosexuality, drugs, etc.
• Changing background images
• Changing profile photos
• Joining a group of people who check their myspace at the apple store. (I'm in that group too)

I couldn't bring myself to break off any friendships, that's a bit too mean.

Re:Nobody ever logs out.

[flonker]

http://catb.org/jargon/html/writing-style.html has a pretty good explanation.


Hackers tend to use quotes as balanced delimiters like parentheses, much to the dismay of American editors. Thus, if "Jim is going" is a phrase, and so are "Bill runs" and "Spock groks", then hackers generally prefer to write: "Jim is going", "Bill runs", and "Spock groks". This is incorrect according to standard American usage (which would put the continuation commas and the final period inside the string quotes); however, it is counter-intuitive to hackers to mutilate literal strings with characters that don't belong in them. Given the sorts of examples that can come up in discussions of programming, American-style quoting can even be grossly misleading. When communicating command lines or small pieces of code, extra characters can be a real pain in the neck.

Consider, for example, a sentence in a vi tutorial that looks like this:

        Then delete a line from the file by typing "dd".

Standard usage would make this

        Then delete a line from the file by typing "dd."

but that would be very bad -- because the reader would be prone to type the string d-d-dot, and it happens that in vi(1), dot repeats the last command accepted. The net result would be to delete two lines!
[...]

Interestingly, a similar style is now preferred practice in Great Britain, though the older style (which became established for typographical reasons having to do with the aesthetics of comma and quotes in typeset text) is still accepted there. Hart's Rules and the Oxford Dictionary for Writers and Editors call the hacker-like style 'new' or 'logical' quoting. This returns British English to the style many other languages (including Spanish, French, Italian, Catalan, and German) have been using all along.

Obligatory..

[StikyPad]

The article looks at...the issues that using a wireless signal in a public place.

Next we're going to look at the issues that posting without editing.

What gets me...

[ackthpt]

How many websites you use have a "log me in automatically" checkbox, ticked by default?

What gets me is sitting down to a mocha double soy and finding all these post it notes under the table with elegantly written little bits like 'bad1983girl', 'iluvpuppies' and 'password'...

At first glance.

[Ocular+Magic]

"The article looks at the sloppy habits people have when using public terminals"

When I first read that, I thought it was going to talk about people picking their nose/teeth/ears while using the terminals. I wonder what those dangers are? "What's that green thing on the key there? EWWWWWWWWWWWWWWwwwww..."

Not just the owner

[grahamsz]

Anyone with a laptop on the same segment or WAP can run their own DHCP server. That way when you connect, there's a very good chance that they can send you connection details first.

That way they can make themselves into the gateway and from there it's trivial to screw with your traffic.

Just wondering...

[Timbotronic]

Has there ever been a documented case of people having their credit card details stolen by eavsdropping over an unsecured transmission? Not keyboard sniffing the user's machine or hacking the receiving servers database. An actual, verified case of cc number theft.

I'm not asking because it can't be done. Obviously unsecured wireless networks are very easy to monitor. But the issue here is I'm constantly amazed at the focus people have on the security of transmission, rather than spyware on their machines or the potential security of end servers which seem to me to be a lot more vulnerable and ripe for attack on the kind of scale that's actually useful to criminals.

Often the same people will happily hand over their credit cards to be taken out the bank of a resturaunt, fax or phone cc details through to businesses or throw out printed receipts with their full details (and signature).

Why this obsession with HTTPS?

Re:When used properly

[asuffield]

It wouldn't be very difficult for a net cafe owner to set up an MIM attack and have their own self-signed certificate. Your browser *should* throw a warning

Um, excuse me? All the workstations in the net cafe will have the cafe owner's CA certificate installed, which will validate all the MIM attack certificates for them (assuming that they didn't just have a modified version of firefox installed that lied about the SSL status). SSL is completely and totally worthless when the attacker controls the workstation you are using.

The only thing SSL does is to ensure that communication between two secure endpoints cannot be accessed by somebody who merely controls the channel between them. It cannot be of any use to you if your endpoint is not secure.