Web Surfing in Public Places Is A Way to Court Trouble

We had a story come in from the New York Times reminding people that web surfing in public places Is a way to court trouble. There's nothing in the story that is anything hugely new - but it does lead to an interesting question. What's the worst "on the road" security setups you've seen?

classic diligence, albeit in a modern world

[yagu]

I remember sitting behind (I discovered later) an attorney on a business trip once. It was business class, and he had laid out all around him paperwork and documents busily reading and making notes. In addition to being behind him, I was beside myself with curiosity -- what kind of "stuff" would an attorney read on a plane?

I succumbed and started reading. Interesting, I was reading the IPO strategies and schedules for a startup company in the bio-medical field. And coincidentally in minutes I realized these were notes for the IPO of a bio-med company I was consulting for in my personal time! Probably mostly no harm, no foul, but it was an eye-opener for me to realize what kind of information people expose unwittingly, technology or not.

While wireless could make for more surreptitious spying, it seems to me once again (just like "security") the biggest risk and danger is from the lack of due diligence... striking up a conversation in the concourse bar and saying a little bit more than you probably should would be my bet on spilled beans.

I could even think it might be safer with everyone traveling with laptops, I once did an informal (and anecdotal) caucus, and on one business trip observed about 95% of any laptop users playing solitaire or some game with their computers.

Re:classic diligence, albeit in a modern world

[gEvil+(beta)]

So how much money did you make on that particular IPO? :-D

Re:classic diligence, albeit in a modern world

[Control+Group]

This reminds me of an anecdote I read somewhere, the details of which I mostly forget. So I wouldn't believe it, if I were you, but it's still amusing.

Dr. Smith is a medical researcher, helping run one end of a typical double-blind clinical trial of Unobtainasil, a new drug which is hoped to treat a severe condition. He's flying to Switzerland for a conference of some kind.

While in the airport, he happens to sit down next to Dr. Jones, whom he met a while back at another conference. They get to talking shop, as is not surprising - and it eventually comes out that Dr. Jones is also working on the clinical trials of Unobtainasil.

With great dismay, they realize they've just compromised the trial, and all the data will probably need to be thrown out.

Whoops.

Moral of the story: never talk about anything with anyone.

Denver Airport

North Concourse - Baggage Claim WiFi. 100 percent open SSID. You can easily Guess the password. Took 1 try for me. Then you have access to the entire net, as well as (i can imagine) some other wonderful things that I did not choose to endevour into...

Re:Denver Airport

[Crisavec]

He wouldn't have seen/done much, as there is NO North Concourse at DIA. There's Terminal East and West(same building, different sides) and then Concourses A, B and C. Baggage is in the main Terminal.

Re:Denver Airport

[__aaclcg7560]

"snakes" :P

Re:Interesting question

[Atheose]

I stopped at a cyber cafe while on vacation in St. Maartin last March to check my work email, and the computer I was at had a Key Logger installed and active in the system tray! I switched to another computer and, sure enough, same thing.

The kicker--the manager of the place made the customers pay for the computer time by entering your credit card information into the computers themselves! Needless to say the only thing that kept me from leaving immediately was the 5 minutes I took to laugh in his face.

Public computers

[spineboy]

I won't do anything on a computer that requires a password that I care about from a 'puter that isn't my home computer. It's too easy for someone else to install a key logger program, etc. I'm always amazed at the number who access their on-line banking from a terminal in the nurses lounge, etc.

I still won't access it from work from my personal office computer, cause ; 1) it runs Windows, and 2) it's on a network and the security guys are always running "updates" -who knows what's in there.

Re:Public computers

[denebian+devil]

My biggest issue has always been what am I willing to do or not do when I'm in various situations: on a friend's computer, a wired kiosk, a non-secured wireless connection using my own computer, etc., and the heartache that comes with those decisions.

I find this comment in the article very interesting:

"Where I'd draw the line is putting in your bank account information or credit card number," he said, adding that checking e-mail messages probably is not that risky, but if you want to be cautious, change your password once you are on a secure connection again.

That said, if you gain access to your corporate network through a V.P.N., or virtual private network, you are safer using public hot spots, because your data is encrypted as it travels between Gate 17 and your office's server, where it is decoded before going to its destination.

Technically, putting in your bank information or credit card information at most respectable websites should be more secure than checking email, because most major banking institutions or sites that accept credit card numbers do so using SSL, which should be safe even if being broadcast over any wireless connection. And they even accept the secure nature of VPN encryption, but don't bother mentioning the encryption available for most banking/CC transactions. On the other hand, most people don't check their email over a secure connection, because either secure email is unavailable to them, or secure email is not the default and they don't know better than to use the default, or only the password is broadcast securely while the emails themselves are still sent in plain text.

That being said, I still avoid sending banking records, CC numbers, and even secure email over non-secure wireless connections, unless it is absolutely necessary, and tend to be very choosy about which of my friends' computers I will use to access my most valuable information. Guess I just can't take off that tin-foil hat!

Re:Public computers

[jonwil]

SSL doesnt help when the machine you are using is running a software or hardware keylogger.

Re:Public computers

[CastrTroy]

This solution, and the one your sibling poster pointed out, do stop keyloggers, but don't stop the general case of software on the client machine that monitors what they are doing. You could just as easily write a program that records mouse clicks, and screen shots, to see what they are clicking on. Maybe just record a square 128x128 pixels centred around the cursor, and save it compressed in 16 colours so you wouldn't have to store so much information. Maybe they could just attach something to whatever module is being called to encrypt the information for sending it over ssl, so they record all the information that you are sending out over ssl. The point is, is that it's impossible for the person designing the website to protect against malicious software running on the users machine. If the machine is insecure enough to have a keylogger, it's hard to say what other kinds of software may be presesnt on the machine.

Cheap software

[crazyjeremy]

It's fun to connect with my ipaq... then use VMNet browser to search for other machines with shares and no security... I find all kinds of "shareware" in their public folders but I do not risk getting bitten by win32 viruses since I'm on a pocketpc machine.

I have found sales documents, salary proposals, resumes and even documents discussing why or why not people should be fired from their company.

Sensationalist, at least about wireless

[markov_chain]

From TFA:

These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information -- which is why Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay.

Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels.

Have these guys heard of SSL? SSH? Can you say overkill? And who is this Sellitto guy, sounds like a liberal arts major that can't cut it in a real security field. *breathes into paperbag*

Re:Sensationalist, at least about wireless

[nine-times]

I tried to install Ethereal to diagnose some issues on the LAN that normal host-based diagnostics would never catch. Had to do with EBCDIC-ASCII translations, so each host always disagreed with what was sent out on the wire. IT security freaked, calling it a "hacker's tool". I explained patiently that our LAN was segmented enough that they needn't worry, I wasn't about to be stealing the CEO's password. Still no go.

You know, having worked in IT, my inclination is to say that users shouldn't be doing that stuff. You're network is segmented enough? Unless you're in charge of IT security, it's not your job to decide that. I don't know what you're background in particular was, but I used to work for an engineering firm that made software (among other things). The programmers were constantly telling us that they needed to be able to install software, that they knew how to run their own machines, that they understood software better than we did, etc. And guess what? Those were the same guys whose computers were *constantly* broken. They did tons of stupid stuff because they didn't know what they were doing. Some of the best guys were tinkerers, who had been fixing computers for years, but didn't understand that working IT is different. In a business setting, mistakes and errors can have totally different ramifications.

So I'm not saying you did the wrong thing, but that it should have been your IT staff to do it. If you have a bad IT staff, that's a separate problem, but they're right to try to discourage you from tinkering around on your own. Being your own IT person is like being your own doctor, or a lawyer representing himself in court. It's just a bad idea.

Personally, I sometimes wish I had someone else who would lock me out of administering my own machine to keep me from fucking around and breaking things.

It's not the security I'm worried about....

[HikingStick]

It's the level of user trust. I travel to Chicago frequently, and every time I've been there recently I've seen ad-hoc networks bearing the names of some of the common hotel access points in the Loop. How many uneducated digiots actually connect to those thinking they've found the hotel's hotspot (especailly in hotels that don't offer Wi-Fi!).

Re:It's not the security I'm worried about....

[Geoffreyerffoeg]

Yes, but are you sure those are necessarily evil networks?

Your post reminded me of the ad-hoc "Free Public WiFi" that I've been seeing a lot of, and I've never gotten a connection through. A quick Google revealed that this seems to be a case of computers picking up that ad-hoc network from other computers and rebroadcasting that name for the next while. TechBlog: "Free Public WiFi"? Not!

And yes, I don't have a problem connecting to sketchy networks. Other people can always associate with the legitimate network I'm on and try attacks, and my firewall's decent. And if I'm worried about sniffing I'll launch a VPN.

The virus of Troy wooden horse type

Worst I have seen is a Hellokitty branded computer in Asia that was installed in a hotel room.
If was free for guests to use and had windows XP (no service packs) with admin.
It also came with 75 pieces of Asian spyware (not stuff I am familiar with) and a whole bunch of trojans.

The trojans were in a delicate balance, and once removed the computer stopped booting.
Assuming all the computers in the hotel were pwned to the same or a greater degree, that was about 1000 3ghz machines with insane bandwidth pumping out all sorts of garbage. Extremely irresponsible.

ALWAYS carry a knoppix or damnsmall CD with you when travelling. If the system isn't locked down enough to stop you booting linux then it won't be locked down enough to stay clean.

Re:The virus of Troy wooden horse type

Only in Asia will you find hotel rooms with both a Hello Kitty branded computer and a bunch of Trojans.

Re:Interesting question

[justinbach]

Wow, that's a sure sign I've had a rough weekend; my last post on Friday afternoon was a +5 Funny, and here I am Monday morning with a 0, Troll. I guess I need a hug... :-(

Public websurfing

[SoVeryTired]

Public websurfing is an inherently dangerous thing to do. If you don't believe me, check out the "security now" article on ARP cache poisoning.

http://www.grc.com/nat/arp.htm

It's the scariest thing I've seen since the last time I was tricked into clicking a link to Goatse.

The worst place? That's easy

[Rik+Sweeney]

The Apple Store on Regent Street in London. People use it as a glorified internet cafe. No one in there is actually trying out a Mac, they're checking their Hotmail, bidding on something on eBay, advertising a room in the classifieds... The staff don't care what people are doing just as long as they're fiddling with the Macs. The funny thing is that if they catch you looking at their screen, they give you a look along the lines of "excuse me, I'm doing something private"

YOU'RE IN A F CKING SHOP!

The only thing that went through my mind when I first saw people taking advantage of Apple's generosity was

I wonder how many people here are actually just using these computers to do something sinister?

Amusing/Lesson in boredom

[Mr+Krinkle]

So the usual sitting in the gate waiting for the plane to board.
I happen to be happily on my laptop, doing those Oh so critical things like, well, /., The Register, various other random boards that all have the same PW etc. (Go ahead, login and post on /. as me. In fact, do that meta mod thing for me while you're at it)
I hear the guy behind me start speaking VERY loudly on his phone.
He then tells some guy repeatedly an IP to "just login to"
I'm amused, since it sounds like it could be an external IP even, so I try it. Figure why not. It responds to ping. Hmmmm
Wondering what type of login, I get it answered, when he says, "Ok choose Domain ________ and then use administrator and 12BlahBlah for the password"
I'm like you HAVE to be joking.
No one would just shout out their windows domain admin password. Nope, I was wrong, as it happily logged in.
Oops.
(I'm not saying which company's server it was, but it was a smaller company, but not so small that they should be dumb enough to do something like that.) I also quickly disconnected, and shutdown my laptop. :)

Other amusing anecdotes are if you get carried away discussing work. Wife works for a DoD software contractor. They get to talking about bombs/blowing things up regularly, in fact, that's part of their job. Now, put them on a flight, and they start arguing over which type of charge would be more effective at dropping a building or how much of a yield would come from a certain explosive. For some reason, they get right back off the plane. :)

TFA is uninformed

[Facekhan]

These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information -- which is why Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay.

"Where I'd draw the line is putting in your bank account information or credit card number," he said, adding that checking e-mail messages probably is not that risky, but if you want to be cautious, change your password once you are on a secure connection again.

When you shop on the web, nearly all online stores will be encrypting your credit card and other information needed to checkout. There may be some debate as to whether they implemented it properly and one should use caution but in general SSL is gonna have you covered. Checking your email, at least with a pop3 client is among the worst things you can do on an unsecured hotspot because far too many email services still don't use encryption for the password exchange. In addition very few email services pop3 or webmail encrypt the messages so basically if you are reading your email, so is someone else. Email is one of the few services that you can still expect to see someones password come up in plaintext. Even AIM doesn't do that anymore although the messages are in plaintext unless SecureIM has been turned on for you and the person you are chatting with.

Of course, the converse applies too...

[gjuk]

Should I ever need to do anything a bit cheeky, I just pop out to the street, find an unsecured wifi, and do anything I like, safe in the knowledge that the cops will have someone else's IP address, and that they'll find it rather hard to find me. Should I say that?

Problems with the article

[RT+Alec]

I had a few problems with the article:

• I don't think the article made it clear enough the difference between using your own laptop versus using a kiosk. Obviously, never enter ANYTHING, even your name, into a kiosk. Period.
• When you are using your laptop in a public hotspot, only enter personal information on web sites that use SSL. That excludes Slashdot, MySpace, and many web-mail sites... but still allows the use of many well designed and secure systems (Amazon, PayPal, eBay).
• Using a VPN absolutely eliminates the danger of sniffing, even if the "VPN" is merely SSL webmail.

However, the biggest omission is mentioning the danger of using a Windows laptop on a public network-- just turning it on! Remember blaster, et. al.? Try running ethereal at a busy hotspot-- not only can you see user names and passwords, but you can watch as infected Windows laptops attempt to wiggle in using Windows network stack bug <insert favorite zero day exploit here>. Imagine if the infection attempt was successful, and you brought that laptop back to the office, inside the corporate firewall.

Virtual *Private* Network

[NixLuver]

It's not a VPN if it's not encrypted, it's just a tunnel. The Private is the important thing. A VPN is a system for creating secure private networks over 'unfriendly' or 'unsecured' networks.

Consider the three basic VPN security methods

[postbigbang]

PPTP uses a hash. It's tough to crack, save very early editions, which were like wet paper.

IPSec VPNs use a seed of some kind (they vary according to the implementation) or use a temporal key.

SSL uses a nice scheme that's difficult to crunch.

NONE OF THEM, however, protect against keyloggers and their variants. If you look at the wire or air with a sniffing device, however, you'll need to have cracked whatever encryption scheme has been implemented. IPSec with a TKIP/RADIUS-based authentication method is pretty tough to break.... unless you have a keylogger someplace or you can dictionary-attack weak stuff.

Airport Talk

[Necroman]

The president of my division (about 1000 people) was flying from our main business office to our main engineering facility. When he was waiting in the airport for a flight, you overheard a conversation between 2 people sitting near him that were getting on the same flight as him. He later called someone in my office and reported back what he heard.

The people he listened to were engineers for one of our suppliers talking about the problems with a product that they were flying down to present information to us about (I was sitting in on these meetings). They were having reliability problems that they never reported to us in the way they talked about it.

You should always be careful what you talk about in public places, you never know who is around and listening.

Conference Call

[onkelonkel]

Similar situation - except it was a conference call between us and a supplier (10 people in our office on a speakerphone talking to 10 people in their office). At some point we needed to discuss something amongst ourselves so we told the suppliers we were going "off the air" for a minute and put the phone on mute. To our amazement, the suppliers thought that because they could no longer hear us that we could no longer hear them. Their mic was still open and we heard the talking as if we were no longer listening. They were quite candidly discussing flaws in their equipment that we hadn't found yet, and trying to decide which imaginary ship date they were going to tell us given that their product wasn't really going to be ready for 4 more months.

Needless to say, we made the "off the air" discussion a part of every call we had with them.