Slashdot Mirror


Web Surfing in Public Places Is A Way to Court Trouble

We had a story come in from the New York Times reminding people that web surfing in public places is a way to court trouble. There's nothing in the story that is anything hugely new - but it does lead to an interesting question. What's the worst "on the road" security setups you've seen?


  1. classic diligence, albeit in a modern world by yagu · · Score: 5, Interesting

    I remember sitting behind (I discovered later) an attorney on a business trip once. It was business class, and he had laid out all around him paperwork and documents busily reading and making notes. In addition to being behind him, I was beside myself with curiosity -- what kind of "stuff" would an attorney read on a plane?

    I succumbed and started reading. Interesting, I was reading the IPO strategies and schedules for a startup company in the bio-medical field. And coincidentally in minutes I realized these were notes for the IPO of a bio-med company I was consulting for in my personal time! Probably mostly no harm, no foul, but it was an eye-opener for me to realize what kind of information people expose unwittingly, technology or not.

    While wireless could make for more surreptitious spying, it seems to me once again (just like "security") the biggest risk and danger is from the lack of due diligence... striking up a conversation in the concourse bar and saying a little bit more than you probably should would be my bet on spilled beans.

    I could even think it might be safer with everyone traveling with laptops, I once did an informal (and anecdotal) caucus, and on one business trip observed about 95% of any laptop users playing solitaire or some game with their computers.

    1. Re:classic diligence, albeit in a modern world by gEvil+(beta) · · Score: 4, Funny

      So how much money did you make on that particular IPO? :-D

      --
      This guy's the limit!
    2. Re:classic diligence, albeit in a modern world by Hoi+Polloi · · Score: 2, Interesting

      "I once did an informal (and anecdotal) caucus, and on one business trip observed about 95% of any laptop users playing solitaire or some game with their computers."

      I needed a laptop for a biz trip to a software convention in SF CA. I was giving a talk and was reviewing my notes. But the thing the laptop was best for was killing the time during the flight. I was playing Nethack and even got a double take and knowing smile from a fellow techy who was walking down the aisle.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    3. Re:classic diligence, albeit in a modern world by Control+Group · · Score: 4, Funny

      This reminds me of an anecdote I read somewhere, the details of which I mostly forget. So I wouldn't believe it, if I were you, but it's still amusing.

      Dr. Smith is a medical researcher, helping run one end of a typical double-blind clinical trial of Unobtainasil, a new drug which is hoped to treat a severe condition. He's flying to Switzerland for a conference of some kind.

      While in the airport, he happens to sit down next to Dr. Jones, whom he met a while back at another conference. They get to talking shop, as is not surprising - and it eventually comes out that Dr. Jones is also working on the clinical trials of Unobtainasil.

      With great dismay, they realize they've just compromised the trial, and all the data will probably need to be thrown out.

      Whoops.

      Moral of the story: never talk about anything with anyone.

      --

      Reality has a conservative bias: it conserves mass, energy, momentum...
    4. Re:classic diligence, albeit in a modern world by Anonymous Coward · · Score: 2, Funny

      I was playing Nethack and even got a double take and knowing smile from a fellow techy who was walking down the aisle.

      That smile had nothing to do with Nethack, it was probably another Mac user, he naturally thought you were gay as well.

    5. Re:classic diligence, albeit in a modern world by networkBoy · · Score: 2, Funny

      I had someone ask "what's that" to which I replied "nethack". They instantly assumed I was some evil hacker and informed the gate personnel. Sucky day for me.

      I had to explain that it was a game "see it's in my games folder" and that it was also available as a GUI "see here it is with pictures". Wasn't till I showed them my badge and business cards from the multinational that I work for that they started believing me.

      After that I only played in GUI mode while in public. (ASCII at work though, 'cause anyone who knows I'm not working also won't rat me out :-)
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  2. Denver Airport by Anonymous Coward · · Score: 5, Interesting

    North Concourse - Baggage Claim WiFi. 100 percent open SSID. You can easily guess the password. Took 1 try for me. Then you have access to the entire net, as well as (i can imagine) some other wonderful things that I did not choose to endeavour into...

    1. Re:Denver Airport by ScottyH · · Score: 3, Funny

      "bags"?

    2. Re:Denver Airport by Crisavec · · Score: 5, Informative

      He wouldn't have seen/done much, as there is NO North Concourse at DIA. There's Terminal East and West(same building, different sides) and then Concourses A, B and C. Baggage is in the main Terminal.

    3. Re:Denver Airport by __aaclcg7560 · · Score: 4, Funny

      "snakes" :P

    4. Re:Denver Airport by Alkivar · · Score: 2, Informative

      it was "Denver" last time I went through that airport...

  3. Re:Interesting question by Atheose · · Score: 5, Interesting

    I stopped at a cyber cafe while on vacation in St. Maartin last March to check my work email, and the computer I was at had a Key Logger installed and active in the system tray! I switched to another computer and, sure enough, same thing.

    The kicker--the manager of the place made the customers pay for the computer time by entering your credit card information into the computers themselves! Needless to say the only thing that kept me from leaving immediately was the 5 minutes I took to laugh in his face.

  4. Public computers by spineboy · · Score: 5, Insightful

    I won't do anything on a computer that requires a password that I care about from a 'puter that isn't my home computer. It's too easy for someone else to install a key logger program, etc. I'm always amazed at the number who access their on-line banking from a terminal in the nurses lounge, etc.

    I still won't access it from work from my personal office computer, 'cause: 1) it runs Windows, and 2) it's on a network and the security guys are always running "updates" - who knows what's in there.

    --
    ..........FULL STOP.
    1. Re:Public computers by denebian+devil · · Score: 4, Interesting

      My biggest issue has always been what am I willing to do or not do when I'm in various situations: on a friend's computer, a wired kiosk, a non-secured wireless connection using my own computer, etc., and the heartache that comes with those decisions.

      I find this comment in the article very interesting:

      "Where I'd draw the line is putting in your bank account information or credit card number," he said, adding that checking e-mail messages probably is not that risky, but if you want to be cautious, change your password once you are on a secure connection again.

      That said, if you gain access to your corporate network through a V.P.N., or virtual private network, you are safer using public hot spots, because your data is encrypted as it travels between Gate 17 and your office's server, where it is decoded before going to its destination.

      Technically, putting in your bank information or credit card information at most respectable websites should be more secure than checking email, because most major banking institutions or sites that accept credit card numbers do so using SSL, which should be safe even if being broadcast over any wireless connection. And they even accept the secure nature of VPN encryption, but don't bother mentioning the encryption available for most banking/CC transactions. On the other hand, most people don't check their email over a secure connection, because either secure email is unavailable to them, or secure email is not the default and they don't know better than to use the default, or only the password is broadcast securely while the emails themselves are still sent in plain text.

      That being said, I still avoid sending banking records, CC numbers, and even secure email over non-secure wireless connections, unless it is absolutely necessary, and tend to be very choosy about which of my friends' computers I will use to access my most valuable information. Guess I just can't take off that tin-foil hat!
    2. Re:Public computers by jonwil · · Score: 4, Insightful

      SSL doesn't help when the machine you are using is running a software or hardware keylogger.

    3. Re:Public computers by caluml · · Score: 2, Insightful

      "I won't do anything on a computer that requires a password that I care about from a 'puter that isn't my home computer."

      Carry round Knoppix/Ubuntu/Gentoo Live CD. Boot off that, and you're safe. Apart from hardware nonsense, which you're probably OK with at a friend's house. Depending on your kind of friends.

    4. Re:Public computers by bsane · · Score: 3, Interesting

      The login process at ING would stop keyloggers. Kind of hard to explain, but basically you have to enter a piece of your authentication info using an onscreen keypad. The numbers on the keypad are mapped to keys (they change every time), so you can use a keyboard to enter the info, but the keystrokes would be different every time.

    5. Re:Public computers by squiggleslash · · Score: 2, Informative

      I'm not going to go so far as to suggest boxed unencrypted VPN connection systems do not exist, but every VPN system I've ever come across has provided some kind of encryption between the remote machines and the networks they're connecting to.

      I guess you can bodge something together to run pppd over telnet, but generally off-the-shelf systems tend to be more secure than that.

      --
      You are not alone. This is not normal. None of this is normal.
    6. Re:Public computers by Hobbled+Grubs · · Score: 2, Interesting

      One solution is a box with numbers randomly distributed inside it. You click on the numbers to enter your password. Saving mouse clicks will not work because the box never has the same distribution of numbers. You would have to screen capture all the time which isn't feasible. Of course, you could combine a mouse click monitor with a screen capture of the region around the mouse.

    7. Re:Public computers by caseih · · Score: 2, Interesting

      While that does decrease the risk somewhat, the risk is still there. My friend once showed me a keylogger he designed that would fit right inside the old AT-style keyboard plug. No software required. Of course that was years ago, but it's still possible that something like this could happen on computers in public places. This is a bit paranoid, granted. Maybe you can use knoppix and then change your bank passwords shortly after.

    8. Re:Public computers by Compulsion · · Score: 3, Interesting

      You mean captchas? captchas won't fool a keylogger. The important stuff will already have been recorded.

      However if the captcha is "Which one of these is your mother?" or some other piece of info that is specific to you, then that would make the data thief's job a little harder.

      The using the randomly-ordered on-screen keypad to enter data is a pretty clever solution, though.

    9. Re:Public computers by ConceptJunkie · · Score: 2, Informative

      Since when does VPN = Encryption?

      Well, if it's a Virtual Private Network, I'd hardly see how it could be unencrypted.

      --
      You are in a maze of twisty little passages, all alike.
    10. Re:Public computers by CastrTroy · · Score: 4, Insightful

      This solution, and the one your sibling poster pointed out, do stop keyloggers, but don't stop the general case of software on the client machine that monitors what they are doing. You could just as easily write a program that records mouse clicks, and screen shots, to see what they are clicking on. Maybe just record a square 128x128 pixels centred around the cursor, and save it compressed in 16 colours so you wouldn't have to store so much information. Maybe they could just attach something to whatever module is being called to encrypt the information for sending it over ssl, so they record all the information that you are sending out over ssl. The point is, is that it's impossible for the person designing the website to protect against malicious software running on the users machine. If the machine is insecure enough to have a keylogger, it's hard to say what other kinds of software may be present on the machine.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
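The rotating on-screen keypad that bsane and Hobbled Grubs describe, and the limit CastrTroy points out, as an added example (not code from any poster or from ING): the server issues a fresh digit-to-key mapping per login, so the keystrokes a keylogger records are useless against the next mapping, but anyone who also captures the mapping itself (a screenshot of the keypad) recovers the PIN. The letter keys and PINs are constructed stand-ins.

```python
import secrets
import string

DIGITS = "0123456789"
# Constructed: ten letter keys stand in for the keys the on-screen keypad maps to.
KEYS = list(string.ascii_lowercase[:10])


def new_keypad_mapping(rng=None):
    """Server side: build a fresh digit -> key mapping for one login attempt.

    A cryptographically seeded shuffle is used so the layout is unpredictable.
    """
    rng = rng or secrets.SystemRandom()
    shuffled = KEYS[:]
    rng.shuffle(shuffled)
    return dict(zip(DIGITS, shuffled))


def keystrokes_for_pin(pin, mapping):
    """What the user actually types for this login; also exactly what a
    keylogger on the machine records."""
    return "".join(mapping[d] for d in pin)


def server_decode(keystrokes, mapping):
    """Server side: invert the mapping it issued to recover the digits."""
    inverse = {key: digit for digit, key in mapping.items()}
    return "".join(inverse[k] for k in keystrokes)


def replay_is_rejected(pin, logged_mapping, next_mapping):
    """Keylogger-only adversary: replays keystrokes captured under one mapping
    against the next login's mapping. True when the replay does not yield the PIN."""
    captured = keystrokes_for_pin(pin, logged_mapping)
    return server_decode(captured, next_mapping) != pin


def screen_capture_recovers_pin(pin, logged_mapping):
    """CastrTroy's caveat: an adversary who records keystrokes AND the keypad
    as drawn on screen (i.e. the mapping) decodes the PIN just like the server."""
    captured = keystrokes_for_pin(pin, logged_mapping)
    return server_decode(captured, logged_mapping) == pin


if __name__ == "__main__":
    pin = "2580"  # constructed sample PIN
    first, second = new_keypad_mapping(), new_keypad_mapping()
    print("typed this session:", keystrokes_for_pin(pin, first))
    print("typed next session:", keystrokes_for_pin(pin, second))
    print("replay blocked:", replay_is_rejected(pin, first, second))
    print("screen+keys recovers PIN:", screen_capture_recovers_pin(pin, first))
```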
    11. Re:Public computers by Fred_A · · Score: 2, Insightful

      Since we're on the topic of comments, I particularly liked that one from some guy from the Federal Bureau of Made-up Statistics :

      "Still, the most recent computer crime and security survey, conducted annually by the Computer Security Institute with the Federal Bureau of Investigation, found that the average loss from computer security incidents in 2005 was $167,713 per respondent (based on 313 companies and organizations that answered the question)."

      Wow, you could buy that 911 document that got leaked a few years back twice over with just one hack ! </sarcasm>

      --
      May contain traces of nut.
      Made from the freshest electrons.
    12. Re:Public computers by pclminion · · Score: 3, Funny

      "If the machine is insecure enough to have a keylogger, it's hard to say what other kinds of software may be present on the machine."

      We Have The Solution: Announcing the CryptoGoggle 9000. Supported by dozens of popular websites, our technology causes websites to be displayed as a random mash of blended colors. By donning the CryptoGoggle 9000, this incomprehensible mishmash can be magically unscrambled before your very eyes! Take the CryptoGoggle 9000 everywhere you go! Weight 26.4 pounds, shipped weight 34.1 pounds. And as a bonus, you get to look like a special forces secret operative while using it! Only $1,999.99, while supplies last! Order yours today!
    13. Re:Public computers by ConceptJunkie · · Score: 2, Funny

      When I'm in the bathroom, I'd really appreciate some privacy, but it's not like nobody knows what I'm doing in there!

      Posting to /., of course.

      --
      You are in a maze of twisty little passages, all alike.
  5. Best security ever by protocoldroid · · Score: 2, Interesting

    The worst security? Man, it might be easier to say the best security. At a cellphone store with my brother, he looks at a blackberry and says "...it's overkill, but, probably handy if you need to get online all the time, check email etc". So, I take my PSP out of my pocket, and in about 15 seconds, I show him gmail. Every idiot seems to have unsecured wireless.

    The best security ever, was with my same brother. I woke up early while staying at his place, and wanted to check my mail. I dipped outside to see what networks I could find. Everything was secured but one, and it seemed their ISP was down. So I said to my brother: "Only one jerk in this neighborhood didn't secure their wireless... and they have a flakey ISP, so I couldn't get online", he says: "Oh, that's me".

    Of course, from checking my mail on the road, there are now items in my sent folder with such subjects as "Do you have the north korea nuclear salesman's number?" and "Cheap anthrax mailing services" and "Increase your volume by 6000%"

  6. Cheap software by crazyjeremy · · Score: 4, Interesting

    It's fun to connect with my ipaq... then use VMNet browser to search for other machines with shares and no security... I find all kinds of "shareware" in their public folders but I do not risk getting bitten by win32 viruses since I'm on a pocketpc machine.

    I have found sales documents, salary proposals, resumes and even documents discussing why or why not people should be fired from their company.

  7. Sensationalist, at least about wireless by markov_chain · · Score: 4, Funny

    From TFA:

    "These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information -- which is why Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay."

    "Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels."

    Have these guys heard of SSL? SSH? Can you say overkill? And who is this Sellitto guy, sounds like a liberal arts major that can't cut it in a real security field. *breathes into paper bag*
    --
    Tsunami -- You can't bring a good wave down!
    1. Re:Sensationalist, at least about wireless by timeOday · · Score: 3, Insightful

      Exactly. I think this article is extremely ignorant:

      "Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay. "Where I'd draw the line is putting in your bank account information or credit card number," he said"

      You will have a very hard time finding any online shopping site that transmits a credit card number without SSL. If you find one, you shouldn't be entering your credit card number there, either from home or at the airport it makes no difference. (All this is assuming you're using your own laptop; you can't trust a publicly accessible Internet terminal for anything). Anyways, people don't steal credit card numbers by going to the airport and sitting around waiting for somebody to send one unencrypted; they steal them by breaking into a website and grabbing its database so they can get thousands at a time. Or they buy them at a few cents per, from somebody who already did that.
    2. Re:Sensationalist, at least about wireless by freeweed · · Score: 3, Interesting

      These guys must be part of my upper level of management.

      I tried to install Ethereal to diagnose some issues on the LAN that normal host-based diagnostics would never catch. Had to do with EBCDIC-ASCII translations, so each host always disagreed with what was sent out on the wire. IT security freaked, calling it a "hacker's tool". I explained patiently that our LAN was segmented enough that they needn't worry, I wasn't about to be stealing the CEO's password. Still no go.

      I ended up installing the damn thing anyway, confirmed my suspicions, and saved myself and several hours many days of hunting around. Didn't tell them that, though :)

      Every news story that tries to use the fear of "packet sniffers" as a dangerous tool can pretty much be dismissed out of hand. Watching the data flow in and out of your own computer is never a security risk.

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    3. Re:Sensationalist, at least about wireless by nine-times · · Score: 4, Insightful

      "I tried to install Ethereal to diagnose some issues on the LAN that normal host-based diagnostics would never catch. Had to do with EBCDIC-ASCII translations, so each host always disagreed with what was sent out on the wire. IT security freaked, calling it a "hacker's tool". I explained patiently that our LAN was segmented enough that they needn't worry, I wasn't about to be stealing the CEO's password. Still no go."

      You know, having worked in IT, my inclination is to say that users shouldn't be doing that stuff. Your network is segmented enough? Unless you're in charge of IT security, it's not your job to decide that. I don't know what your background in particular was, but I used to work for an engineering firm that made software (among other things). The programmers were constantly telling us that they needed to be able to install software, that they knew how to run their own machines, that they understood software better than we did, etc. And guess what? Those were the same guys whose computers were *constantly* broken. They did tons of stupid stuff because they didn't know what they were doing. Some of the best guys were tinkerers, who had been fixing computers for years, but didn't understand that working IT is different. In a business setting, mistakes and errors can have totally different ramifications.

      So I'm not saying you did the wrong thing, but that it should have been your IT staff to do it. If you have a bad IT staff, that's a separate problem, but they're right to try to discourage you from tinkering around on your own. Being your own IT person is like being your own doctor, or a lawyer representing himself in court. It's just a bad idea.

      Personally, I sometimes wish I had someone else who would lock me out of administering my own machine to keep me from fucking around and breaking things.

  8. It's not the security I'm worried about.... by HikingStick · · Score: 5, Interesting

    It's the level of user trust. I travel to Chicago frequently, and every time I've been there recently I've seen ad-hoc networks bearing the names of some of the common hotel access points in the Loop. How many uneducated digiots actually connect to those thinking they've found the hotel's hotspot (especially in hotels that don't offer Wi-Fi!).

    --
    I use irony whenever I can, but my shirts are still wrinkled...
    1. Re:It's not the security I'm worried about.... by Geoffreyerffoeg · · Score: 4, Interesting

      Yes, but are you sure those are necessarily evil networks?

      Your post reminded me of the ad-hoc "Free Public WiFi" that I've been seeing a lot of, and I've never gotten a connection through. A quick Google revealed that this seems to be a case of computers picking up that ad-hoc network from other computers and rebroadcasting that name for the next while. TechBlog: "Free Public WiFi"? Not!

      And yes, I don't have a problem connecting to sketchy networks. Other people can always associate with the legitimate network I'm on and try attacks, and my firewall's decent. And if I'm worried about sniffing I'll launch a VPN.

    2. Re:It's not the security I'm worried about.... by wx327 · · Score: 2, Informative

      I installed OpenVPN on my home desktop machine, and whenever I am on the road I connect my laptop to whatever available internet connection and VPN back to my home network. Configuration is set so ALL of my traffic is automatically routed through the home network then back onto the internet. No proxy changes needed as the OpenVPN config can be set to make your computer use the VPN as the default gateway. If you want to try something like this, send me a note and I'll dig up the URL that was the most useful when I was setting this up.

  9. The virus of Troy wooden horse type by Anonymous Coward · · Score: 5, Interesting

    Worst I have seen is a Hellokitty branded computer in Asia that was installed in a hotel room.
    It was free for guests to use and had windows XP (no service packs) with admin.
    It also came with 75 pieces of Asian spyware (not stuff I am familiar with) and a whole bunch of trojans.

    The trojans were in a delicate balance, and once removed the computer stopped booting.
    Assuming all the computers in the hotel were pwned to the same or a greater degree, that was about 1000 3GHz machines with insane bandwidth pumping out all sorts of garbage. Extremely irresponsible.

    ALWAYS carry a knoppix or damnsmall CD with you when travelling. If the system isn't locked down enough to stop you booting linux then it won't be locked down enough to stay clean.

    1. Re:The virus of Troy wooden horse type by Anonymous Coward · · Score: 4, Funny

      Only in Asia will you find hotel rooms with both a Hello Kitty branded computer and a bunch of Trojans.

  10. Re:Interesting question by justinbach · · Score: 5, Funny

    Wow, that's a sure sign I've had a rough weekend; my last post on Friday afternoon was a +5 Funny, and here I am Monday morning with a 0, Troll. I guess I need a hug... :-(

    --
    I left my wallet in El Sigundo!
  11. Public websurfing by SoVeryTired · · Score: 5, Informative

    Public websurfing is an inherently dangerous thing to do. If you don't believe me, check out the "security now" article on ARP cache poisoning.

    http://www.grc.com/nat/arp.htm

    It's the scariest thing I've seen since the last time I was tricked into clicking a link to Goatse.

    --
    Slashdot: news for Apple. Stuff that Apple.
    1. Re:Public websurfing by RESPAWN · · Score: 2, Interesting

      That's actually not a bad idea, but is that a feature that we will ever see make it down to the consumer level APs? I mean, how many people purchasing consumer level APs will be that interested in security that they will look for a router with that feature? I would imagine that subset of security conscious people will also be the same people who turn off SSID broadcasting, enable WPA encryption, and utilize MAC Address filtering. I.e., these are the same kinds of people who wouldn't have any untrusted computers running on their network to begin with.

      That said, I myself would be interested in seeing this. I rent a basement from a gentleman and leech my internet access from his wireless network (with his permission). I do use a NAT router to segment my network from his and protect my computers as best I can, but I actually have no way of protecting myself from an ARP poisoning attack performed on his segment of the network. His network is only secured via 64 Bit WEP with a pretty simple password -- the barest of securities and any education on the matter has fallen on deaf ears.

      Lastly, for the record I've actually used ARP poisoning to monitor network traffic for select computers in an office before. It's really quite amazing how easy it is to do and how brilliantly it works. Especially when you use the tool (this was a couple of years ago so I don't remember what it was called) that would allow your browser to display all of their web browser requests, allowing you to see the same pages they were visiting.

      --

      If Murphy's Law can go wrong, it will.

  12. Sometimes OTT by 16K+Ram+Pack · · Score: 2, Insightful

    I've locked down people's home office PCs for their 3 man company systems (offices at home) with WPA and MAC address blocking, and they still want to know what else they can do in case someone wants to get their information.

    It's not like they were trading invention information pre-patent, more things like memos about (small) customers. It would have cost someone more to hire a detective to snoop on them than what the information was worth.

  13. The worst place? That's easy by Rik+Sweeney · · Score: 4, Interesting

    The Apple Store on Regent Street in London. People use it as a glorified internet cafe. No one in there is actually trying out a Mac, they're checking their Hotmail, bidding on something on eBay, advertising a room in the classifieds... The staff don't care what people are doing just as long as they're fiddling with the Macs. The funny thing is that if they catch you looking at their screen, they give you a look along the lines of "excuse me, I'm doing something private"

    YOU'RE IN A F CKING SHOP!

    The only thing that went through my mind when I first saw people taking advantage of Apple's generosity was

    I wonder how many people here are actually just using these computers to do something sinister?

  14. Amusing/Lesson in boredom by Mr+Krinkle · · Score: 5, Interesting

    So the usual sitting in the gate waiting for the plane to board.
    I happen to be happily on my laptop, doing those Oh so critical things like, well, /., The Register, various other random boards that all have the same PW etc. (Go ahead, login and post on /. as me. In fact, do that meta mod thing for me while you're at it)
    I hear the guy behind me start speaking VERY loudly on his phone.
    He then tells some guy repeatedly an IP to "just login to"
    I'm amused, since it sounds like it could be an external IP even, so I try it. Figure why not. It responds to ping. Hmmmm
    Wondering what type of login, I get it answered, when he says, "Ok choose Domain ________ and then use administrator and 12BlahBlah for the password"
    I'm like you HAVE to be joking.
    No one would just shout out their windows domain admin password. Nope, I was wrong, as it happily logged in.
    Oops.
    (I'm not saying which company's server it was, but it was a smaller company, but not so small that they should be dumb enough to do something like that.) I also quickly disconnected, and shutdown my laptop. :)

    Other amusing anecdotes are if you get carried away discussing work. Wife works for a DoD software contractor. They get to talking about bombs/blowing things up regularly, in fact, that's part of their job. Now, put them on a flight, and they start arguing over which type of charge would be more effective at dropping a building or how much of a yield would come from a certain explosive. For some reason, they get right back off the plane. :)

    --
    I am 31337 or something.
  15. Utter garbage by gnomeza · · Score: 2

    "[Packet sniffers] are typically set up to capture passwords, credit card numbers and bank account information ... "Where I'd draw the line is putting in your bank account information or credit card number.""

    Robert Vamosi, Senior Editor at CNET, you are an idiot. (Or maybe Susan Stellin is a terrible journalist - I suspect both.)

    Saying entering your credit card number on a public computer is dangerous because someone's watching network packets is ridiculous. Just goes to show how little average users understand about online safety, despite efforts to educate them about SSL...

    And they even mentioned key-loggers later on...

    *gah*

    1. Re:Utter garbage by gnomeza · · Score: 2, Informative

      Even wired switches are vulnerable to ARP cache poisoning.
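
The ARP cache poisoning that SoVeryTired's link and gnomeza's reply refer to leaves a visible trace on the victim's side: the gateway's IP suddenly answers from a different MAC, and one MAC starts claiming several IPs. As an added example (not from the GRC article or any poster), this watcher flags both symptoms, reading either a stream of observed ARP replies or `ip neigh` style lines from a host's own neighbour table; the addresses and the sample table are constructed.

```python
import re
from collections import defaultdict

# Constructed ARP replies seen on a LAN: (seconds, sender IP, sender MAC).
# The last two entries model one host answering for both the gateway and a peer.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),   # gateway
    (0.5, "192.168.1.20", "00:11:22:33:44:20"),
    (1.0, "192.168.1.30", "00:11:22:33:44:30"),
    (2.0, "192.168.1.1", "00:11:22:33:44:30"),   # gateway now "is" .30's MAC
    (2.1, "192.168.1.20", "00:11:22:33:44:30"),  # so is .20: classic man-in-the-middle
]

# Constructed lines in the format Linux `ip neigh` prints (assumed layout).
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:30 REACHABLE
192.168.1.30 dev wlan0 lladdr 00:11:22:33:44:30 STALE
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17}) (\w+)")


def parse_ip_neigh(text, at=0.0):
    """Turn `ip neigh` output into (time, ip, mac) records; skips FAILED/incomplete rows."""
    records = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group(3) != "FAILED":
            records.append((at, m.group(1), m.group(2)))
    return records


def detect_arp_anomalies(replies, gateway_ip, known=None):
    """Walk ARP observations in order; return (time, severity, message) alerts.

    `known` may seed the expected table, e.g. {"192.168.1.1": "00:11:22:33:44:01"}
    from a snapshot taken when the network was trusted.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((t, sev, f"{ip} moved from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # Report the moment a MAC starts answering for more than one IP.
        if len(mac_to_ips[mac]) == 2:
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append((t, "MEDIUM", f"{mac} now claims {claimed}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(alert)
    trusted = {"192.168.1.1": "00:11:22:33:44:01"}
    for alert in detect_arp_anomalies(parse_ip_neigh(SAMPLE_IP_NEIGH), "192.168.1.1", trusted):
        print(alert)
```

The practical mitigation the thread hints at is the same thing the detector seeds with: a static ARP entry for the gateway on the travelling laptop, so a spoofed reply cannot overwrite it.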

  16. TFA is uninformed by Facekhan · · Score: 4, Informative

    "These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information -- which is why Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay."

    ""Where I'd draw the line is putting in your bank account information or credit card number," he said, adding that checking e-mail messages probably is not that risky, but if you want to be cautious, change your password once you are on a secure connection again."

    When you shop on the web, nearly all online stores will be encrypting your credit card and other information needed to checkout. There may be some debate as to whether they implemented it properly and one should use caution but in general SSL is gonna have you covered. Checking your email, at least with a pop3 client is among the worst things you can do on an unsecured hotspot because far too many email services still don't use encryption for the password exchange. In addition very few email services pop3 or webmail encrypt the messages so basically if you are reading your email, so is someone else. Email is one of the few services that you can still expect to see someone's password come up in plaintext. Even AIM doesn't do that anymore although the messages are in plaintext unless SecureIM has been turned on for you and the person you are chatting with.
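
The POP3 weakness Facekhan describes is easy to audit from the client's own side: if `PASS` (or `RETR`) goes out before an `STLS` has been accepted, the password and the mail bodies cross the hotspot in the clear. As an added example (not Facekhan's code or any mail client's), this checker scores a client-side POP3 session transcript; both transcripts are constructed.

```python
# Constructed client-side transcripts as (direction, line) pairs, 'C' = client, 'S' = server.
PLAINTEXT_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "USER alice"),
    ("S", "+OK"),
    ("C", "PASS hunter2"),
    ("S", "+OK Logged in."),
    ("C", "RETR 1"),
    ("S", "+OK 512 octets"),
    ("C", "QUIT"),
]

STLS_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "STLS"),
    ("S", "+OK Begin TLS negotiation"),
    # Everything after this point travels inside TLS; a client-side log still sees it.
    ("C", "USER alice"),
    ("S", "+OK"),
    ("C", "PASS hunter2"),
    ("S", "+OK Logged in."),
    ("C", "RETR 1"),
    ("S", "+OK 512 octets"),
    ("C", "QUIT"),
]

REFUSED_STLS_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "STLS"),
    ("S", "-ERR TLS not available"),
    ("C", "USER alice"),       # client carried on in the clear anyway
    ("S", "+OK"),
    ("C", "PASS hunter2"),
]


def audit_pop3_session(transcript):
    """Return findings for anything sensitive sent before TLS was established.

    Tracks whether an STLS command was answered with +OK; only then are later
    commands treated as protected. Passwords are never echoed into findings.
    """
    tls_active = False
    stls_pending = False
    findings = []
    for direction, line in transcript:
        cmd = line.split(" ", 1)[0].upper()
        if direction == "C":
            if cmd == "STLS":
                stls_pending = True
            elif tls_active:
                continue
            elif cmd == "USER":
                findings.append(f"username sent in cleartext: {line}")
            elif cmd == "PASS":
                findings.append("password sent in cleartext: PASS <redacted>")
            elif cmd == "RETR":
                findings.append(f"message retrieved in cleartext: {line}")
        elif stls_pending:
            tls_active = line.startswith("+OK")
            stls_pending = False
            if not tls_active:
                findings.append("STLS refused by server; session continued in cleartext")
    return findings


def session_is_safe(transcript):
    """Convenience wrapper: True when nothing sensitive crossed the wire unprotected."""
    return not audit_pop3_session(transcript)


if __name__ == "__main__":
    for name, session in [("plaintext", PLAINTEXT_SESSION), ("stls", STLS_SESSION),
                          ("refused", REFUSED_STLS_SESSION)]:
        print(name, audit_pop3_session(session))
```

A session that uses POP3S (TLS from the first byte, conventionally port 995) never shows the server banner in the clear at all, so the same checker would report nothing for it.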
  17. Of course, the converse applies too... by gjuk · · Score: 5, Insightful

    Should I ever need to do anything a bit cheeky, I just pop out to the street, find an unsecured wifi, and do anything I like, safe in the knowledge that the cops will have someone else's IP address, and that they'll find it rather hard to find me. Should I say that?

  18. Re:CC numbers? Bank details? email? by woodsrunner · · Score: 3, Insightful

    No kidding! I just sold some property and the realtor wanted me to email the title company my social security number so they could process the paperwork. I had a hard time explaining to them that I would only telephone or mail the number since email was insecure. Finally they emailed me their telephone number. I just can't imagine what a treasure trove their email account would be for identity thieves.

  19. EVDO by TrappedByMyself · · Score: 2, Funny

    FTW

    --

    Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
  20. Terminal rooms in schools by Anonymous Coward · · Score: 2, Funny

    Back in the '80s when terminals and mainframes still ruled universities (don't know if they still do) students in CS classes still had to use the public terminals to do school work. Many of the students (especially in the introductory courses) seemed to be incapable of remembering to log out. The terminals were VTs so they didn't time you out or lock the screen. I was regularly logging people out when I saw them grab their stuff and leave. I finally got sick of it and started encouraging them to log out by, say, changing their default process name on the VAX to "{sys admin's name} SUCKS" or adding a line to their "INTRO TO CS" program that printed out their intention to hurt the president of the US. Don't know if it improved security but it sure amused me.

  21. Problems with the article by RT+Alec · · Score: 4, Interesting

    I had a few problems with the article:

    • I don't think the article made it clear enough the difference between using your own laptop versus using a kiosk. Obviously, never enter ANYTHING, even your name, into a kiosk. Period.
    • When you are using your laptop in a public hotspot, only enter personal information on web sites that use SSL. That excludes Slashdot, MySpace, and many web-mail sites... but still allows the use of many well designed and secure systems (Amazon, PayPal, eBay).
    • Using a VPN absolutely eliminates the danger of sniffing, even if the "VPN" is merely SSL webmail.
    However, the biggest omission is mentioning the danger of using a Windows laptop on a public network-- just turning it on! Remember Blaster, et al.? Try running ethereal at a busy hotspot-- not only can you see user names and passwords, but you can watch as infected Windows laptops attempt to wiggle in using Windows network stack bug <insert favorite zero day exploit here>. Imagine if the infection attempt was successful, and you brought that laptop back to the office, inside the corporate firewall.
  22. Re:Interesting question by ubergenius · · Score: 2, Interesting

    I never use internet kiosks where you have to pay to use the systems. Ever. I can not for the life of me fathom a circumstance where I couldn't just wait until I got home to check something online. Bank account balance? ATM. E-mail? Mobile phone, or just be patient and wait.

    --
    Student Manager - Take control of your education!
  23. Virtual *Private* Network by NixLuver · · Score: 4, Informative

    It's not a VPN if it's not encrypted, it's just a tunnel. The Private is the important thing. A VPN is a system for creating secure private networks over 'unfriendly' or 'unsecured' networks.

  24. Re:Interesting question by MMC+Monster · · Score: 2, Informative

    If you are that essential to a business that you need your email while on vacation, you can afford a mobile phone and have a secretary read you the highlights. If you need network access for work while on a trip, you should have the work get you a laptop. They're cheap enough.

    --
    Help! I'm a slashdot refugee.
  25. Re:Interesting question by libkarl2 · · Score: 2, Insightful
    This is the first time I have ever heard of a keylogger that actually broadcasts its presence in the system tray, although I can see how that would be useful for non-malicious purposes.

    The typical keyloggers I have dealt with operate as a standard process in the background. Most do not show up on the taskbar but can be stopped from the Process Manager (the Ctrl+Alt+Del applet).

    The nastier ones either replace, or patch the keyboard driver. Upon reboot, they run at all times and can only be found by AV scanner (knock on wood) and/or by the log file they create. The classic infection vector for these are rootkits, and software installation packages that have been tampered with.

    --
    You are where you are at the time you are there.
  26. Re:Utter garbage, Redux by NixLuver · · Score: 2, Informative

    Man-in-the-middle is not that trivial, my friend.

    From SANS WhitePaper:

    "The advent of Dug Song's 'webmitm' in late 2000 demonstrated the feasibility of mounting an MITM attack on the protocol, but a properly configured client SSL implementation would warn the user about problems with the server certificate."

    So a good SSL client will alarm, because you cannot own the correct CA certificate for the site in question, if the target site does already.

    But there is some truth to your assertion, if you are of the Windows ilk:

    "One faulty SSL client implementation, Microsoft's Internet Explorer, allows for transparent SSL MITM attacks when the attacker has any CA-signed certificate."

    Sweet! ANOTHER reason I can't wait to run Boot Camp and install Windows.
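One way a client ends up with the behaviour in the second quote is checking that every link in the chain carries a valid signature without checking that each signer is actually permitted to act as a CA; an attacker who bought an ordinary certificate for their own domain can then "issue" one for the bank. The toy verifier below is an added example, not code from the thread or from the SANS paper it quotes. Its signatures are stand-ins (HMAC-SHA256 keyed with a per-issuer secret, with that secret also playing the role of the public key), so only the chain-validation logic is real; every name and key is made up. It shows the strict verifier refusing the forged chain and the faulty one accepting it.

```python
"""Toy certificate-chain verifier: why 'signed by someone holding a
CA-issued certificate' is not the same as 'signed by a CA'.

Added example for this thread; not real X.509 and not the SANS paper's
code. Signatures are HMAC stand-ins (the issuer's secret doubles as its
'public key'), so only the chain-validation logic is meaningful.
"""
import hashlib
import hmac

# Three parties: a trusted root, the legitimate bank, and an attacker who
# legitimately obtained a certificate for attacker.example from the same root.
KEYS = {"root": b"root-secret", "bank": b"bank-secret", "attacker": b"attacker-secret"}


def _body(cert):
    """The signed part of a certificate: subject, issuer, CA flag, subject key."""
    return f"{cert['subject']}|{cert['issuer']}|{int(cert['is_ca'])}|{cert['key']}".encode()


def issue(subject, issuer_name, issuer_key, is_ca, key):
    """Issuer signs (subject, is_ca, subject key) with its own key."""
    cert = {"subject": subject, "issuer": issuer_name, "is_ca": is_ca, "key": key}
    cert["sig"] = hmac.new(KEYS[issuer_key], _body(cert), hashlib.sha256).hexdigest()
    return cert


def verify_chain(chain, hostname, trust_anchors, check_basic_constraints=True):
    """chain[0] is the server cert; each cert must be signed by the next one or by a trust anchor.

    Returns (ok, reason). check_basic_constraints=False models the faulty client:
    signatures are verified but nobody asks whether the signer is a CA.
    """
    if not chain:
        return False, "empty chain"
    if chain[0]["subject"] != hostname:
        return False, f"name mismatch: {chain[0]['subject']} != {hostname}"
    anchors = {a["subject"]: a for a in trust_anchors}
    for i, cert in enumerate(chain):
        if anchors.get(cert["subject"]) == cert:
            return True, "chain ends at trusted root"
        issuer = chain[i + 1] if i + 1 < len(chain) else anchors.get(cert["issuer"])
        if issuer is None or issuer["subject"] != cert["issuer"]:
            return False, f"no acceptable issuer for {cert['subject']}"
        expected = hmac.new(KEYS[issuer["key"]], _body(cert), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cert["sig"]):
            return False, f"bad signature on {cert['subject']}"
        if check_basic_constraints and not issuer["is_ca"]:
            return False, f"{issuer['subject']} is not a CA but signed {cert['subject']}"
    return True, "chain ends at trusted root"


ROOT = issue("Toy Root CA", "Toy Root CA", "root", True, "root")            # self-signed anchor
BANK = issue("bank.example", "Toy Root CA", "root", False, "bank")          # legitimate leaf
ATTACKER_LEAF = issue("attacker.example", "Toy Root CA", "root", False, "attacker")
# The attacker signs a certificate for the bank's name with their own leaf key,
# binding it to a key they control so they can terminate the TLS session.
FORGED = issue("bank.example", "attacker.example", "attacker", False, "attacker")
TAMPERED = dict(BANK, key="attacker")                                       # body altered after signing

LEGIT_CHAIN = [BANK, ROOT]
MITM_CHAIN = [FORGED, ATTACKER_LEAF, ROOT]


def run_demo():
    anchors = [ROOT]
    return {
        "legit": verify_chain(LEGIT_CHAIN, "bank.example", anchors),
        "mitm_strict": verify_chain(MITM_CHAIN, "bank.example", anchors),
        "mitm_faulty": verify_chain(MITM_CHAIN, "bank.example", anchors, check_basic_constraints=False),
        "wrong_host": verify_chain(LEGIT_CHAIN, "shop.example", anchors),
        "tampered": verify_chain([TAMPERED, ROOT], "bank.example", anchors),
    }
```

Note that the forged chain passes the hostname check and every signature check; the only thing standing between the user and a silent MITM is the CA-flag test on the intermediate, which is why a client that skips it gives no warning at all.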

  27. Consider the three basic VPN security methods by postbigbang · · Score: 4, Informative

    PPTP uses a hash. It's tough to crack, save very early editions, which were like wet paper.

    IPSec VPNs use a seed of some kind (they vary according to the implementation) or use a temporal key.

    SSL uses a nice scheme that's difficult to crunch.

    NONE OF THEM, however, protect against keyloggers and their variants. If you look at the wire or air with a sniffing device, however, you'll need to have cracked whatever encryption scheme has been implemented. IPSec with a TKIP/RADIUS-based authentication method is pretty tough to break.... unless you have a keylogger someplace or you can dictionary-attack weak stuff.

    --
    ---- Teach Peace. It's Cheaper Than War.
  28. Airport Talk by Necroman · · Score: 4, Interesting

    The president of my division (about 1000 people) was flying from our main business office to our main engineering facility. When he was waiting in the airport for a flight, he overheard a conversation between 2 people sitting near him that were getting on the same flight as him. He later called someone in my office and reported back what he heard.

    The people he listened to were engineers for one of our suppliers talking about the problems with a product that they were flying down to present information to us about (I was sitting in on these meetings). They were having reliability problems that they never reported to us in the way they talked about it.

    You should always be careful what you talk about in public places, you never know who is around and listening.

    --
    It's not what it is, it's something else.
  29. and people don't realize it by phorm · · Score: 3, Informative

    I got a call from my uncle recently asking if (during his upcoming trip to Thailand w/ his wife) he should bring his laptop so that he could get online, or whether he might be able to connect from public terminals. After discussing what he wanted to do, he indicated that he would like to get online to do his internet banking so that they could handle any bills etc while away.

    My answer was of course: neither

    Doing your banking through a public terminal or even with a personal laptop on an untrusted internet connection in a foreign country is just not a good idea. With a public terminal, you're dealing with keyloggers, spyware, and who knows what else. With the untrusted connection, you're dealing with man-in-the-middle attacks, proxies, and various other issues (and a user who doesn't know that the little messages about unknown authentication are likely indicating an https hijacking attempt).

    The added danger of surfing on an insecure, untrusted wifi is even bigger. I would recommend that anyone using a connection not-their-own refrain from doing anything financial or overly personal online. In my case, I have SSH and VPN tunnels I can setup to my home server for a semi-secure connection, but depending on the location I might not trust even these.

  30. Re:Interesting question by Jett · · Score: 2, Interesting

    I did a few times while in Ireland - it was something cheap like 2 euros an hour and all the coffee you could drink. If you need to check your favorite websites or read your email it's worth it. I used the internet for a total of about 3 hours the entire two weeks I was in Ireland - the least time I've spent on the internet since probably about 1995 or so. It was worth the euros.

    That said, I would never check my online banking or anything else more secure than my personal email from a machine I didn't personally own or someone I know and trust owns. People who check their online banking in an internet cafe or at a kiosk are totally insane - maybe if you could boot your own OS on the machine, I don't know if many places would let you do that though.

  31. Re:Interesting question by theskipper · · Score: 2, Funny

    5 minutes?

    Did you at least allow him a bathroom break during this time?

  32. Wireless ATM by BlahMatt · · Score: 2, Insightful

    The tech school I went to had a wireless ATM in the pub.

    Needless to say several of us brought in our laptops (just to see what the traffic looked like) and there it was, clear as day, encrypted PINs bouncing happily back and forth. I mean, it's bad enough to even have a wireless ATM, but to put it in a technical institute where it will be surrounded by poor students learning how to manipulate computers. That's just asking for trouble :P. AND to top it all off, let's put it where they will be drinking.

    --
    To understand recursion, one must first understand recursion...
  33. Conference Call by onkelonkel · · Score: 4, Funny

    Similar situation - except it was a conference call between us and a supplier (10 people in our office on a speakerphone talking to 10 people in their office). At some point we needed to discuss something amongst ourselves so we told the suppliers we were going "off the air" for a minute and put the phone on mute. To our amazement, the suppliers thought that because they could no longer hear us that we could no longer hear them. Their mic was still open and we heard the talking as if we were no longer listening. They were quite candidly discussing flaws in their equipment that we hadn't found yet, and trying to decide which imaginary ship date they were going to tell us given that their product wasn't really going to be ready for 4 more months.

    Needless to say, we made the "off the air" discussion a part of every call we had with them.

    --
    None of them can see the clouds; The polished wings don't care.
  34. Re:Interesting question by foamrotreturns · · Score: 2, Funny

    No, you unplug the bastard and pocket it. Those things retail for about $90. Can you say eBay?

  35. Stupidest security policy on the road by Roadkills-R-Us · · Score: 2, Funny

    A friend of a friend was recently in Asia (don't recall whether this incident occurred in Cambodia or Thailand). He went to an internet cafe, where he had to pay in advance for the amount of time he wanted. But regardless of how much time he bought (1/2 hour in his case) the email client was set up to require you to log back in every 5 minutes. So he started hitting "save" at the end of every line.

  36. Re:Now all you need.. by meringuoid · · Score: 2, Funny
    a video camera built into your glasses, with a wire that goes down into your pocket to the battery and 30GB hard drive. Hey presto, inside information that can be reviewed at a later date.

    That, and a bowel disruptor, several drug habits, and two filthy assistants.

    --
    Real Daleks don't climb stairs - they level the building.
  37. Hotel and Airport hygiene by SallyShears · · Score: 2, Informative

    From hotel rooms: I do use the hotel LAN with my laptop. I immediately create a SSH tunnel to my own server and handle mail through the tunnel. I surf the web on my laptop. I will enter name, userid, password on familiar sites with SSL protecting the connection from my laptop to the known server.

    At public computers: I assume that the machine has a keystroke logger. Never enter anything remotely sensitive on such machines. Never login to anything from a public computer.

    Now, I often want to print a boarding pass or a document of mine. Here's my routine: Print to PDF on my laptop, upload the PDF from my laptop to my own web server with sftp. Name these a.pdf, b.pdf, etc. The web server is set up so no one can get a file list for any directory. On the public machine, point the browser to www.mydomain.com/a.pdf and print. Later, from my laptop I'll login and delete the files.

    Most airlines let you get a boarding pass with conf number and name, no login required. The confirmation number is like a one-time password. Someone was thinking.

        -- Sally

  38. wap + no password + old OS = owned by v1 · · Score: 3, Interesting

    A business in my town did several stupid things that led to disaster.

    1. run windows 98 as your server (in 2005)
    2. no passwords on anything
    3. let's install a wap
    4. passwords are inconvenient on a wap, turn them off

    2am Sunday morning, janitorial staff notice a kid in the parking lot sitting next to his bike, typing on a laptop.

    Next day, all gone. Except one rude note left on what was left of the fileserver. He basically deleted everything that he could, which was just about everything.

    Darwin at work I suppose.

    --
    I work for the Department of Redundancy Department.