Web Surfing in Public Places Is A Way to Court Trouble
We had a story come in from the New York Times reminding people that web surfing in public places is a way to court trouble. There's nothing in the story that is hugely new, but it does lead to an interesting question: what's the worst "on the road" security setup you've seen?
I remember sitting behind (I discovered later) an attorney on a business trip once. It was business class, and he had laid out all around him paperwork and documents busily reading and making notes. In addition to being behind him, I was beside myself with curiosity -- what kind of "stuff" would an attorney read on a plane?
I succumbed and started reading. Interestingly, I was reading the IPO strategies and schedules for a startup company in the bio-medical field. And, coincidentally, within minutes I realized these were notes for the IPO of a bio-med company I was consulting for in my personal time! Probably mostly no harm, no foul, but it was an eye-opener for me to realize what kind of information people expose unwittingly, technology or not.
While wireless could make for more surreptitious spying, it seems to me once again (just like "security") the biggest risk and danger is from the lack of due diligence... striking up a conversation in the concourse bar and saying a little bit more than you probably should would be my bet on spilled beans.
I could even think it might be safer with everyone traveling with laptops. I once did an informal (and anecdotal) caucus, and on one business trip observed about 95% of laptop users playing solitaire or some other game on their computers.
North Concourse - Baggage Claim WiFi. 100 percent open SSID. You can easily guess the password; took one try for me. Then you have access to the entire net, as well as (I can imagine) some other wonderful things that I did not choose to endeavour into...
I stopped at a cyber cafe while on vacation in St. Maarten last March to check my work email, and the computer I was at had a key logger installed and active in the system tray! I switched to another computer and, sure enough, same thing.
The kicker--the manager of the place made the customers pay for the computer time by entering your credit card information into the computers themselves! Needless to say the only thing that kept me from leaving immediately was the 5 minutes I took to laugh in his face.
The worst security? Man, it might be easier to say the best security. At a cellphone store with my brother, he looks at a blackberry and says "...it's overkill, but, probably handy if you need to get online all the time, check email etc". So, I take my PSP out of my pocket, and in about 15 seconds, I show him gmail. Every idiot seems to have unsecured wireless.
The best security ever was with my same brother. I woke up early while staying at his place and wanted to check my mail. I dipped outside to see what networks I could find. Everything was secured but one, and it seemed their ISP was down. So I said to my brother: "Only one jerk in this neighborhood didn't secure their wireless... and they have a flaky ISP, so I couldn't get online." He says: "Oh, that's me."
Of course, from checking my mail on the road, there are now items in my sent folder with such subjects as "Do you have the north korea nuclear salesman's number?" and "Cheap anthrax mailing services" and "Increase your volume by 6000%"
It's fun to connect with my iPAQ, then use VMNet browser to search for other machines with shares and no security. I find all kinds of "shareware" in their public folders, but I do not risk getting bitten by Win32 viruses since I'm on a Pocket PC machine.
I have found sales documents, salary proposals, resumes and even documents discussing why or why not people should be fired from their company.
It's the level of user trust. I travel to Chicago frequently, and every time I've been there recently I've seen ad-hoc networks bearing the names of some of the common hotel access points in the Loop. How many uneducated digiots actually connect to those thinking they've found the hotel's hotspot (especially in hotels that don't offer Wi-Fi!)?
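An added example (editor's code, not from any commenter on this page) of the check a traveller could run against a scan before joining a hotspot: it flags ad-hoc cells carrying the name of an infrastructure network or of a hotspot you expected, open twins of an encrypted SSID, and BSSIDs with the locally-administered bit set (bit 0x02 of the first octet, which is what 802.11 ad-hoc cells and most spoofing tools use). The scan list is constructed sample data; all SSIDs, BSSIDs and the `expected_ssids` parameter are hypothetical.

```python
"""Flag hotel-lookalike ad-hoc networks and unencrypted twins in a Wi-Fi scan.

Added example, not code from the thread. SAMPLE_SCAN is constructed data
in the shape (ssid, bssid, mode, security, signal_dbm).
"""
from collections import defaultdict

SAMPLE_SCAN = [  # constructed; nothing here is a real network
    ("HotelGuestWiFi", "00:1a:2b:3c:4d:01", "infra", "open", -60),
    ("HotelGuestWiFi", "00:1a:2b:3c:4d:02", "infra", "open", -67),
    ("HotelGuestWiFi", "02:aa:bb:cc:dd:ee", "adhoc", "open", -40),   # someone's laptop, same name
    ("Free Public WiFi", "02:11:22:33:44:55", "adhoc", "open", -45),
    ("CoffeeShop",       "00:c0:ff:ee:00:01", "infra", "wpa2", -70),
    ("CoffeeShop",       "06:c0:ff:ee:00:02", "infra", "open", -35),   # same name, no crypto, strongest
    ("AirportLounge",    "00:1b:2c:3d:4e:5f", "infra", "wpa2", -72),
]


def is_locally_administered(bssid):
    """IEEE rule: bit 0x02 of the first octet marks a locally assigned MAC."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def assess_scan(scan, expected_ssids=()):
    """Return (rule, ssid, bssid) findings for every suspicious entry."""
    by_ssid = defaultdict(list)
    for entry in scan:
        by_ssid[entry[0]].append(entry)
    findings = []
    for ssid, entries in by_ssid.items():
        modes = {e[2] for e in entries}
        securities = {e[3] for e in entries}
        for _, bssid, mode, security, _signal in entries:
            # An ad-hoc cell using the name of a real (or expected) hotspot is the
            # lookalike described in the comment above.
            if mode == "adhoc" and ("infra" in modes or ssid in expected_ssids):
                findings.append(("adhoc_lookalike", ssid, bssid))
            elif mode == "adhoc" and security == "open":
                findings.append(("open_adhoc", ssid, bssid))
            # One BSSID encrypted and another open under the same name: the open one
            # is the cheapest way to get clients to associate in the clear.
            if len(securities) > 1 and security == "open":
                findings.append(("unencrypted_twin", ssid, bssid))
            if is_locally_administered(bssid):
                findings.append(("locally_administered_bssid", ssid, bssid))
    return findings


def safe_to_join(scan, ssid, expected_ssids=()):
    """True only if the SSID is present and none of its BSSIDs was flagged."""
    present = ssid in {e[0] for e in scan}
    flagged = {b for _, s, b in assess_scan(scan, expected_ssids) if s == ssid}
    return present and not flagged


if __name__ == "__main__":
    for finding in assess_scan(SAMPLE_SCAN, expected_ssids=("HotelGuestWiFi",)):
        print(*finding)
```

The locally-administered check is informational on its own (some legitimate gear uses such addresses), which is why it is reported as a separate rule rather than folded into the lookalike verdict.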
Worst I have seen is a Hellokitty branded computer in Asia that was installed in a hotel room.
It was free for guests to use and had Windows XP (no service packs) with admin.
It also came with 75 pieces of Asian spyware (not stuff I am familiar with) and a whole bunch of trojans.
The trojans were in a delicate balance, and once removed the computer stopped booting.
Assuming all the computers in the hotel were pwned to the same or a greater degree, that was about 1000 3ghz machines with insane bandwidth pumping out all sorts of garbage. Extremely irresponsible.
ALWAYS carry a knoppix or damnsmall CD with you when travelling. If the system isn't locked down enough to stop you booting linux then it won't be locked down enough to stay clean.
I find this comment in the article very interesting:
Technically, putting in your bank information or credit card information at most respectable websites should be more secure than checking email, because most major banking institutions or sites that accept credit card numbers do so using SSL, which should be safe even if being broadcast over any wireless connection. And they even accept the secure nature of VPN encryption, but don't bother mentioning the encryption available for most banking/CC transactions. On the other hand, most people don't check their email over a secure connection, because either secure email is unavailable to them, or secure email is not the default and they don't know better than to use the default, or only the password is broadcast securely while the emails themselves are still sent in plain text.
That being said, I still avoid sending banking records, CC numbers, and even secure email over non-secure wireless connections, unless it is absolutely necessary, and tend to be very choosy about which of my friends' computers I will use to access my most valuable information. Guess I just can't take off that tin-foil hat!
The Apple Store on Regent Street in London. People use it as a glorified internet cafe. No one in there is actually trying out a Mac, they're checking their Hotmail, bidding on something on eBay, advertising a room in the classifieds... The staff don't care what people are doing just as long as they're fiddling with the Macs. The funny thing is that if they catch you looking at their screen, they give you a look along the lines of "excuse me, I'm doing something private"
YOU'RE IN A F CKING SHOP!
The only thing that went through my mind when I first saw people taking advantage of Apple's generosity was
I wonder how many people here are actually just using these computers to do something sinister?
So the usual sitting in the gate waiting for the plane to board. /., The Register, various other random boards that all have the same PW etc. (Go ahead, login and post on /. as me. In fact, do that meta mod thing for me while you're at it) :)
:)
I happen to be happily on my laptop, doing those oh-so-critical things like, well,
I hear the guy behind me start speaking VERY loudly on his phone.
He then repeatedly tells some guy an IP to "just log in to".
I'm amused, since it sounds like it could be an external IP even, so I try it. Figure why not. It responds to ping. Hmmmm
Wondering what type of login, I get it answered, when he says, "Ok choose Domain ________ and then use administrator and 12BlahBlah for the password"
I'm like you HAVE to be joking.
No one would just shout out their windows domain admin password. Nope, I was wrong, as it happily logged in.
Oops.
(I'm not saying which company's server it was, but it was a smaller company, though not so small that they should be dumb enough to do something like that.) I also quickly disconnected and shut down my laptop.
Other amusing anecdotes come from getting carried away discussing work. My wife works for a DoD software contractor. They get to talking about bombs/blowing things up regularly; in fact, that's part of their job. Now, put them on a flight, and they start arguing over which type of charge would be more effective at dropping a building or how much of a yield would come from a certain explosive. For some reason, they get right back off the plane.
I am 31337 or something.
These guys must be part of my upper level of management.
:)
I tried to install Ethereal to diagnose some issues on the LAN that normal host-based diagnostics would never catch. Had to do with EBCDIC-ASCII translations, so each host always disagreed with what was sent out on the wire. IT security freaked, calling it a "hacker's tool". I explained patiently that our LAN was segmented enough that they needn't worry, I wasn't about to be stealing the CEO's password. Still no go.
I ended up installing the damn thing anyway, confirmed my suspicions, and saved myself several hours, maybe many days, of hunting around. Didn't tell them that, though.
Every news story that tries to use the fear of "packet sniffers" as a dangerous tool can pretty much be dismissed out of hand. Watching the data flow in and out of your own computer is never a security risk.
I had a few problems with the article:
- I don't think the article made it clear enough the difference between using your own laptop versus using a kiosk. Obviously, never enter ANYTHING, even your name, into a kiosk. Period.
- When you are using your laptop in a public hotspot, only enter personal information on web sites that use SSL. That excludes Slashdot, MySpace, and many web-mail sites... but still allows the use of many well designed and secure systems (Amazon, PayPal, eBay).
- Using a VPN absolutely eliminates the danger of sniffing, even if the "VPN" is merely SSL webmail.
However, the biggest omission is the danger of using a Windows laptop on a public network -- just turning it on! Remember Blaster, et al.? Try running Ethereal at a busy hotspot: not only can you see user names and passwords, but you can watch as infected Windows laptops attempt to wiggle in using Windows network stack bug <insert favorite zero-day exploit here>. Imagine if the infection attempt was successful, and you brought that laptop back to the office, inside the corporate firewall.

The login process at ING would stop keyloggers. Kind of hard to explain, but basically you have to enter a piece of your authentication info using an onscreen keypad. The numbers on the keypad are mapped to keys (they change every time), so you can use a keyboard to enter the info, but the keystrokes would be different every time.
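Several comments above (the SSL-versus-plaintext-email point, the Ethereal anecdote, and "run Ethereal at a busy hotspot") turn on the same fact: on a shared medium a passive listener sees exactly what the protocols send in the clear. This added example (editor's code, not from the thread) shows what such a listener actually matches on. It walks a list of captured payloads and pulls out POP3 USER/PASS pairs, IMAP LOGIN, HTTP Basic authorization headers and HTTP form logins; the packets are constructed sample traffic with hypothetical hosts and credentials, and the last one stands in for the same POP3 login over TLS, where nothing is recoverable.

```python
"""Passive extraction of credentials sent in the clear on a shared network.

Added example, not code from the thread. SAMPLE_PACKETS is constructed
sample traffic; hosts, users and passwords are hypothetical.
"""
import base64
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


SAMPLE_PACKETS = [  # constructed, not a real capture
    Packet("10.0.0.5", "192.0.2.10", 110, b"USER alice\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 110, b"PASS hunter2\r\n"),
    Packet("10.0.0.7", "192.0.2.20", 143, b"a001 LOGIN bob secret\r\n"),
    Packet("10.0.0.9", "192.0.2.30", 80,
           b"GET /mail/ HTTP/1.1\r\nHost: mail.example\r\n"
           b"Authorization: Basic " + base64.b64encode(b"carol:pa55") + b"\r\n\r\n"),
    Packet("10.0.0.9", "192.0.2.30", 80,
           b"POST /login HTTP/1.1\r\nHost: www.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"username=dave&password=let%20me%20in&remember=1"),
    # The same POP3 login over TLS (port 995): only a handshake record is visible.
    Packet("10.0.0.5", "192.0.2.10", 995, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

POP3_USER = re.compile(rb"^USER (\S+)\r?\n", re.I)
POP3_PASS = re.compile(rb"^PASS (\S+)\r?\n", re.I)
IMAP_LOGIN = re.compile(rb"^\S+ LOGIN (\S+) (\S+)\r?\n", re.I)
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.I | re.M)
FORM_USER = re.compile(rb"(?:^|&)(?:user(?:name)?|login|email)=([^&]*)", re.I)
FORM_PASS = re.compile(rb"(?:^|&)(?:pass(?:word|wd)?)=([^&]*)", re.I)


def extract_credentials(packets):
    """Return (protocol, client_ip, username, password) for each clear-text login seen."""
    found = []
    pending_user = {}  # (src, dst) -> username from a POP3 USER awaiting its PASS
    for p in packets:
        flow = (p.src, p.dst)
        if p.dport == 110:  # POP3: two commands on the same flow
            m = POP3_USER.match(p.payload)
            if m:
                pending_user[flow] = m.group(1).decode()
                continue
            m = POP3_PASS.match(p.payload)
            if m and flow in pending_user:
                found.append(("pop3", p.src, pending_user.pop(flow), m.group(1).decode()))
        elif p.dport == 143:  # IMAP: tag LOGIN user pass on one line
            m = IMAP_LOGIN.match(p.payload)
            if m:
                found.append(("imap", p.src, m.group(1).decode(), m.group(2).decode()))
        elif p.dport == 80:  # HTTP: Basic auth header, or a login form body
            m = HTTP_BASIC.search(p.payload)
            if m:
                try:
                    user, _, pw = base64.b64decode(m.group(1)).partition(b":")
                    found.append(("http-basic", p.src, user.decode(), pw.decode()))
                except (ValueError, UnicodeDecodeError):
                    pass
            head, _, body = p.payload.partition(b"\r\n\r\n")
            if head.startswith(b"POST") and body:
                u, pw = FORM_USER.search(body), FORM_PASS.search(body)
                if u and pw:
                    found.append(("http-form", p.src,
                                  unquote(u.group(1).decode()), unquote(pw.group(1).decode())))
        # 995/993/443 carry TLS: the payload is handshake or ciphertext, nothing matches.
    return found


if __name__ == "__main__":
    for proto, client, user, pw in extract_credentials(SAMPLE_PACKETS):
        print(f"{proto:10s} {client:12s} {user} / {pw}")
```

This is the "only the password is sent securely" case made concrete: POP3 over TLS on 995 yields nothing, while the same exchange on 110 yields the user and password to anyone on the segment.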
I never use internet kiosks where you have to pay to use the systems. Ever. I can not for the life of me fathom a circumstance where I couldn't just wait until I got home to check something online. Bank account balance? ATM. E-mail? Mobile phone, or just be patient and wait.
One solution is a box with numbers randomly distributed inside it. You click on the numbers to enter your password. Saving mouse clicks will not work because the box never has the same distribution of numbers. You would have to screen capture all the time which isn't feasible. Of course, you could combine a mouse click monitor with a screen capture of the region around the mouse.
While that does decrease the risk somewhat, the risk is still there. My friend once showed me a keylogger he designed that would fit right inside the old AT-style keyboard plug. No software required. Of course that was years ago, but it's still possible that something like this could happen on computers in public places. This is a bit paranoid, granted. Maybe you can use knoppix and then change your bank passwords shortly after.
You mean captchas? captchas won't fool a keylogger. The important stuff will already have been recorded.
However if the captcha is "Which one of these is your mother?" or some other piece of info that is specific to you, then that would make the data thief's job a little harder.
Using the randomly-ordered on-screen keypad to enter data is a pretty clever solution, though.
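The randomised keypad discussed in the last few comments (the ING-style login and the "box with numbers randomly distributed" suggestion) is small enough to build end to end. This added example (editor's code, not from the thread or from any bank) has the server issue a fresh, one-shot key-to-digit layout per login, the user press whatever physical key currently shows each PIN digit, and the server translate the pressed keys back and compare. It also models the two observers the thread argues about: a keystroke-only logger, whose capture is useless without the layout, and the screen-plus-clicks logger raised as the caveat, which recovers the PIN. Key names, PIN and challenge format are hypothetical.

```python
"""Randomised on-screen keypad: one-shot layouts, position-based PIN entry.

Added example, not the thread's or any bank's code. KEYS, the PIN and the
challenge format are hypothetical.
"""
import hmac
import secrets

DIGITS = "0123456789"
KEYS = "qwertyuiop"  # hypothetical physical keys the ten digits are mapped onto


class KeypadServer:
    """Issues a fresh layout per challenge and verifies pressed keys against the PIN."""

    def __init__(self, pin: str):
        self._pin = pin
        self._challenges = {}  # challenge_id -> layout (physical key -> digit shown on it)

    def new_challenge(self):
        digits = list(DIGITS)
        secrets.SystemRandom().shuffle(digits)  # CSPRNG: the layout must be unpredictable
        layout = dict(zip(KEYS, digits))
        cid = secrets.token_hex(8)
        self._challenges[cid] = layout
        return cid, layout

    def verify(self, cid, typed_keys):
        layout = self._challenges.pop(cid, None)  # one-shot: a replayed challenge fails
        if layout is None or not all(k in layout for k in typed_keys):
            return False
        entered = "".join(layout[k] for k in typed_keys)
        return hmac.compare_digest(entered, self._pin)  # constant-time compare


def user_types(layout, pin):
    """What the user's fingers press: the key currently showing each PIN digit."""
    digit_to_key = {d: k for k, d in layout.items()}
    return "".join(digit_to_key[d] for d in pin)


def keylogger_view(sessions):
    """A keystroke-only logger sees letters that (almost always) differ per session."""
    return [typed for _, typed in sessions]


def screen_plus_keys_view(sessions):
    """The caveat from the thread: capture the layout too and the PIN falls out."""
    return {"".join(layout[k] for k in typed) for layout, typed in sessions}


def run_sessions(pin="4271", n=3):
    """Simulate n logins; returns the (layout, typed) pairs and the verify results."""
    srv = KeypadServer(pin)
    sessions, results = [], []
    for _ in range(n):
        cid, layout = srv.new_challenge()
        typed = user_types(layout, pin)
        sessions.append((layout, typed))
        results.append(srv.verify(cid, typed))
    return sessions, results


if __name__ == "__main__":
    sessions, results = run_sessions()
    print("verified:", results)
    print("keystroke logger sees:", keylogger_view(sessions))
    print("screen+keys logger recovers:", screen_plus_keys_view(sessions))
```

Two design points matter in practice: the layout is consumed on first use, so an attacker who captured one session's keystrokes cannot replay them against a later layout, and the comparison is constant-time. Neither helps against the hardware keylogger plus screen capture described above, which is exactly what the last function demonstrates.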
The president of my division (about 1000 people) was flying from our main business office to our main engineering facility. When he was waiting in the airport for a flight, he overheard a conversation between two people sitting near him who were getting on the same flight as him. He later called someone in my office and reported back what he heard.
The people he listened to were engineers for one of our suppliers talking about the problems with a product that they were flying down to present information to us about (I was sitting in on these meetings). They were having reliability problems that they never reported to us in the way they talked about it.
You should always be careful what you talk about in public places, you never know who is around and listening.
I did a few times while in Ireland - it was something cheap like 2 euros an hour and all the coffee you could drink. If you need to check your favorite websites or read your email it's worth it. I used the internet for a total of about 3 hours the entire two weeks I was in Ireland - the least time I've spent on the internet since probably about 1995 or so. It was worth the euros.
That said, I would never check my online banking or anything else more secure than my personal email from a machine I didn't personally own or someone I know and trust owns. People who check their online banking in an internet cafe or at a kiosk are totally insane - maybe if you could boot your own OS on the machine, I don't know if many places would let you do that though.
That's actually not a bad idea, but is that a feature that we will ever see make it down to the consumer-level APs? I mean, how many people purchasing consumer-level APs will be that interested in security that they will look for a router with that feature? I would imagine that subset of security-conscious people will also be the same people who turn off SSID broadcasting, enable WPA encryption, and utilize MAC address filtering, i.e., these are the same kinds of people who wouldn't have any untrusted computers running on their network to begin with.
That said, I myself would be interested in seeing this. I rent a basement from a gentleman and leech my internet access from his wireless network (with his permission). I do use a NAT router to segment my network from his and protect my computers as best I can, but I actually have no way of protecting myself from an ARP poisoning attack performed on his segment of the network. His network is only secured via 64-bit WEP with a pretty simple password -- the barest of securities -- and any education on the matter has fallen on deaf ears.
Lastly, for the record, I've actually used ARP poisoning to monitor network traffic for select computers in an office before. It's really quite amazing how easy it is to do and how brilliantly it works. Especially when you use the tool (this was a couple of years ago so I don't remember what it was called) that would allow your browser to display all of their web browser requests, allowing you to see the same pages they were visiting.
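The ARP poisoning in the last comment works by answering ARP, unasked, with the attacker's MAC for the gateway (and for the victim, towards the gateway), so both sides' frames pass through the attacker. The NAT router mentioned above sits behind that segment and never sees the forged replies, which is why it offers no protection. This added example (editor's code, not from the thread) shows the signals a host on the segment can watch for: replies nobody requested, an IP whose MAC changes (the gateway's above all), and one MAC claiming several IPs. The ARP records are constructed sample data with hypothetical addresses.

```python
"""Detect ARP poisoning on a shared segment from observed ARP traffic.

Added example, not code from the thread. SAMPLE_ARP is constructed data in
the shape (time_s, opcode, sender_ip, sender_mac, target_ip); opcode 1 is a
request, 2 a reply. Feed a real capture in the same shape to reuse it.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"            # hypothetical
REAL_GW_MAC = "00:11:22:33:44:01"     # hypothetical
ATTACKER_MAC = "de:ad:be:ef:00:99"    # hypothetical

SAMPLE_ARP = [
    (0.0, 1, "192.168.1.20", "aa:aa:aa:aa:aa:20", GATEWAY_IP),  # victim asks for the gateway
    (0.1, 2, GATEWAY_IP, REAL_GW_MAC, "192.168.1.20"),           # real gateway answers
    (5.0, 2, GATEWAY_IP, ATTACKER_MAC, "192.168.1.20"),          # unsolicited: "the gateway is me"
    (5.0, 2, "192.168.1.20", ATTACKER_MAC, GATEWAY_IP),          # and "the victim is me" to the gateway
    (6.0, 2, GATEWAY_IP, ATTACKER_MAC, "192.168.1.20"),          # repeated to keep the cache poisoned
    (30.0, 1, "192.168.1.30", "aa:aa:aa:aa:aa:30", GATEWAY_IP),
    (30.1, 2, GATEWAY_IP, REAL_GW_MAC, "192.168.1.30"),          # real gateway again: mapping flaps
]


def detect_arp_spoofing(records, gateway_ip=GATEWAY_IP, window_s=2.0):
    """Return (kind, time, subject, detail) alerts for the poisoning signals seen."""
    last_mac = {}                    # ip -> MAC most recently seen claiming it
    ips_per_mac = defaultdict(set)   # MAC -> every IP it has claimed
    requests = []                    # (time, requester_ip, asked_ip)
    alerts = []
    for t, op, sip, smac, tip in records:
        if op == 1:
            requests.append((t, sip, tip))
        else:
            # A reply that no one asked for within the window is the classic sign:
            # spoofing tools blast gratuitous replies to (re)poison caches.
            solicited = any(t - rt <= window_s and asked == sip and req == tip
                            for rt, req, asked in requests)
            if not solicited:
                alerts.append(("unsolicited_reply", t, sip, smac))
        # Both requests and replies carry a sender mapping, so learn from both.
        prev = last_mac.get(sip)
        if prev is not None and prev != smac:
            kind = "gateway_mac_changed" if sip == gateway_ip else "ip_mac_changed"
            alerts.append((kind, t, sip, f"{prev}->{smac}"))
        last_mac[sip] = smac
        if sip not in ips_per_mac[smac]:
            ips_per_mac[smac].add(sip)
            if len(ips_per_mac[smac]) > 1:   # one NIC "being" gateway and victim at once
                alerts.append(("mac_claims_multiple_ips", t, smac, sorted(ips_per_mac[smac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP):
        print(*alert)
```

The practical countermeasure on the victim side is the one this detector cannot provide: a static ARP entry for the gateway (on Windows and most Unixes, `arp -s <gateway-ip> <gateway-mac>`), which makes the cache ignore the forged replies altogether.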
A business in my town did several stupid things that led to disaster.
1. Run Windows 98 as your server (in 2005).
2. No passwords on anything.
3. Let's install a WAP.
4. Passwords are inconvenient on a WAP; turn them off.
2am Sunday morning, janitorial staff notice a kid in the parking lot sitting next to his bike, typing on a laptop.
Next day, all gone. Except one rude note left on what was left of the fileserver. He basically deleted everything that he could, which was just about everything.
Darwin at work I suppose.