Slashdot Mirror
Network Security While Traveling?
truesaer writes "I'll be spending all of next year backpacking through South America. In the past I've used Internet cafes while away, but this time I plan to bring a netbook and rely primarily on Wi-Fi hotspots. I'll be facing the same issues and risks that business travelers in hotels and airports face, as well as those encountered by millions of other backpackers, gap-year travelers, and students. Since my trip is so long I'll have no choice but to access my banking, credit card, and investment accounts on public networks. I will not have a system at home to connect through. Other than an effective firewall, a patched system, and the use of SSL, what else should I do to protect my information? Keep in mind that many places have very poor bandwidth and latency."
> I will not have a system at home to connect through
Congratulation for not reading half of the summary.
I would recommend purchasing a shell account from a reputable host that will allow you to tunnel your internet traffic over an SSH tunnel/SOCKS proxy. It's really easy to set up using Putty or OpenSSH.
All network security is for naught when someone can just steal your netbook and read all the passwords and form data that firefox helpfully remembers for you. You have to make sure that your firefox profile directory (as well as all other confidential data, like passwords and bank statement pdfs) is stored on an encrypted block device. On Linux, a loopback device encrypted with dm-crypt works well.
rent a $10/mo VPS and then tunnel?
To where? As he said in the summary, "I will not have a system at home to connect through."
Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
I've been stuck in the ICU's of local hospitals for the past month in a similar circumstance. I've been doing bills and banking from my system at home via FreeNX.
You might want to use a service like
http://alwaysvpn.com
or
strongvpn
Set up a server at home or rent one where you can run OpenVPN and/or SSH and tunnel your traffic through it. OpenVPN supports LZO compression aswell, which might help a bit when you're low on bandwidth. I would also suggest that you encrypt the drive on your netbook with TrueCrypt or similar software in case you loose it.
Most Ask Slashdot problems are solved by throwing out the most ridiculous requirement. Usually this is because the poster has logic-ed themselves into a blind spot. The classic where-are-my-glasses-I've-searched-everywhere-oh-here-they-are-in-my-hand kind of a thing.
In this case, the "no system at home" requirement is the offender. Just set up an old linux box with a friend, and like the GP said, VPN to it. You do have friends, don't you? Family? Non-tech savvy coworkers who won't question that computer case with the post-it note that says DO NOT DISCONNECT?
"why on earth you feel a need to access your investment account from the depths of south america, i'm not sure."
Wait until you figure out you lost half of your portfolio in 24 hours then you know why.
New Economic Perspectives
From summary - "Keep in mind that many places have very poor bandwidth and latency."
VNC and SSH are out of question.
Assume you will lose your netbook at some point: encrypt the entire thing using truecrypt or similar, and make sure you can access vital data from somewhere else: either use dropbox, or use google docs, or whatever.
So it needs to be said regardless, but I feel VPN probably should have sufficed.
There are two solutions to this issue:
a) Do it Yourself!
In this scenario, the individual purchases a term contract with a hosting provider and proceeds to install a VPN solution. This is the most flexible plan available and can be achieved for roughly 10$ or less per month (plus domain costs). The down side to such a solution is that if there is maintenance that must be performed there is really only one mechanic. (unless the mechanic has very good friends or if he is a heartless bastard with no relations to the external world then perhaps a fellow slashdoter will land the man a vpn solution. Never mind he is a freeloader... roaming from country side to country side... possibly infecting your server... and you were just trying to be a nice guy. shame on you)
b) Rent a VPN!
There are countless VPN solutions available for seemingly random values. I have little doubt that an equally cost effective solution can be found. This has the obvious advantage of not having to maintain the VPN solution. The obvious con when compared to solution "A" is that there is certainly no flexibility in this offering. You get what you get. With the economy falling into the virtual comode it is quite likely that any business you place your trust in will either lose all of your information or sale it on the black market. By the time you return you will likely be spammed, identity thieved and otherwise placed with the very best experiences the awful inky darkness that is the bad side of the humanity offers.
Invariably there will be suffering no matter what option you choose.
Regardless, ensure your netbook is protected and if you may wish to utilize a solution I myself rather enjoy. In rather horrible untrusted networks I rely on a lovely Fedora live distribution over usb flash. It doesn't offer much in the way of persistent storage, but for one time transactions it's quite useful.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
There is nothing you can do. Keep strangers away from your machine. If you use SSL, check certificates or maybe even remember signatures of most important certs.
Check the time mentioned in the summary. I would normally agree with you, and don't typically even use internet cafes while gone for a few weeks. However, I can't imagine being totally unconnected to email for a whole year. Yes, I could do without Slashdot, but just checking the news back home and following up with friends and family would be mandatory.
Agreed. If he doesn't want to host it at home for whatever reason (I imagine being gone for a year he may be having his Internet service turned off), he should find a friend or relative who is willing to host the box for him. Provided he uses a modern CPU with decent power management features (or a low-power CPU like Atom), idle power usage should not be a concern.
Once you've got an always-on *NIX server you can connect to, it is a simple matter to use SSH's built-in SOCKS capability to securely tunnel your TCP traffic. This is precisely what I do when I travel.
Wait until you figure out you lost half of your portfolio in 24 hours then you know why.
Well, if he doesn't access his investment account while he's there, he won't know. Problem solved.
Change is inevitable, except from a vending machine -- Robert C. Gallagher
He should buy some decent fraud/identity theft insurance and just use a reasonably secured distro. All the anguish spent on perfect security is for naught anyway - if someone wants to rob you down there, they're more likely to beat you over the head or hold you hostage than hack into your computer.
Oblig. XKCD: 538
"I will not have a system at home to connect through."
Then get one if you're concerned about your privacy. Really, are your bank details not worth ten or twelve bucks a month for a virtual server somewhere?
"And the meaning of words; when they cease to function; when will it start worrying you?"
Going traveling for 5 weeks in south america as well. Just bought a netbook. Every single person I've talked to says "blog about it! we want to see your pictures!" -- the truth of the matter is that a netbook is pretty damn tiny and takes up little space (2800 cu in pack) and definitely qualifies as "personal gear". Might as well take it along. Makes backing up my digital pics easier, and makes it easier to check the news (you never know what's going to happen next in venezuela) and communicate with couch surfers. You don't NEED one, but it damn well makes things easier in a pinch.
moox. for a new generation.
I see nothing wrong with traveling with a netbook - they weigh next to nothing - or even better, something like a Nokia N800/N810. There are plenty of down times where I can see wanting to check email, get in touch with family, whatever.
Having a piece of technology with you while traveling certainly doesn't prevent you from experiencing different cultures and peoples.
There's not much you can do, this is why SSL saves millions of people's asses everyday - just be ultra-suspicious of any warnings that you don't normally get. This is why everyone has a "trusted" network piped into their house by their ISP, and why they get so uppity when that trust is abused (DNS redirection, deep packet inspection, traffic analysis, advertisement insertion etc).
Have a software firewall at *ALL* times that distrusts everything... on Windows I use Zonealarm with everything set to "Internet" and all the high-security settings for that (only exception is an OpenVPN interface which can *obviously* only be my remote access into my trusted networks at home - I let OpenVPN - the program - connect to the Internet and I let the OpenVPN interface do whatever the hell it wants ["trusted"], and obviously have all the checks enabled for certificate-authentication to get onto my home network). On Linux, that's just bog-standard iptables doing its job the same as ever.
I don't expect anything non-SSL to be secure by default. I treat it as if I was using Tor in that respect. Make sure you have Gmail or whatever set to "always use https". If you want anything better than that (i.e. email, IM, http, etc. traffic), or better assurance overall, you have to have a VPN to be safe.
My OpenVPN automatically deletes other routes except for the essential ones and adds a default route through my VPN interface so when connected to home I *know* everything has to be using the VPN to communicate in that instance (hate the idea that if OpenVPN dies, there might be "another" route lurking which sends things out on another interface - I've seen it happen with some "automatic" configurations on Windows).
I often game over an OpenVPN instance, even when playing locally, so don't take heed of the rubbish about it being too costly in latency terms - of course, if you are in a foreign country and relaying to another, it will lag, but the actual overhead is not much worse than just ordinary IP routing to your destination.
Basically - SSL in some form or another, whether that's direct or over a VPN... otherwise you cannot trust things. Of course, millions of people trust ordinary wifi points all over the world, all day, every day. If you decide to follow their lead, that's up to you.
I've tried SwissVPN (http://www.swissvpn.net/) and had good experiences (about 6$/month on a prepaid basis, no limits).
Ideally, you want this to be a remote machine, either cloud or at home, with your Notebook acting as a gateway.
Be aware of potential vectors of attack (mostly wireless / network based, but don't forget physical access) and have a defense against them.
Ideally, everything (and, more practically, everything sensitive) will pass through some pipe that uses the strongest available encryption.
Here is a general set of guidelines that I use:
As others here have mentioned, having pre-exchanged SSH keys and doing all of your sensitive browsing / business over an SSH-tunneled Proxy to a machine back home will do wonders to help with any inherent wi-fi (or untrustworthy ISP) issues.
Get your system hardened before you start your journey. Make sure you're running the latest operating system versions with the latest security patches. Make sure you've configured your firewall and updated your antivirus software. Pick a secure software suite to use for your important actions. For any OS, shut down daemons and services that you're not going to need, as each is a potential point of attack.
Buy a USB-based wireless device (they're only $20 or so). Disable the wireless device on your Notebook's OS. Before you leave, build a Virtual Machine running an OS of your choice (Linux works nicely). Install the OS from scratch, boot it, update it, and then open up a browser instance. Configure it so that the USB wireless device is forwarded directly to the VM, and install its drivers in the VM. Snapshot the Virtual Machine's state. When you're travelling, turn off your Notebook's wireless signal the entire time. If you want to use the Internet, plug in the USB wireless device, start your VM, and use the Internet through it. When you're done, shut down the VM and revert its state to the saved snapshot state that you made before you started your trip. This should help ensure that any viruses you are hit with only survive the duration of that single VM session.
The options vary based on your OS. Any standard encryption scheme will do - complete drive encryption, partition encryption, filesystem-based encryption, etc. The real goal here is to make sure that neither your private files nor your runtime-generated files (Internet history, cookies, etc.) are accessible.
Buy some cheap USB stick to store your SSH and/or Hard Drive encryption keys separately, and carry it with you at all times. If you're truly paranoid, you can even encrypt its filesystem with a password-based key for extra protection.
Fully power down your Notebook when you're not using it. If you Suspend / Hibernate, not only will memory-resident viruses etc. still be running when you resume, but decrypted information is accessible in-memory, should it be seized in this state.
There are a lot of threats you can face in another country, but it's wisest to stay away from the government-level threats. Don't give them a reason to seize your laptop and you'll have mitigated many truly serious issues.
If you have a portfolio in which your risk/exposure is such that you could lose half during your trip, you shouldn't be taking a trip away from your portfolio.
Two choices.
1) Sell your entire portfolio. Cash doesn't go up or down.
2) Invest the entire portfolio in some equity that doesn't move (like CDs).
Just leave your laptop at home. Enjoy your trip to the jungle and avoid having to bring your laptop around with you, through the rain, and having it potentially stolen while you sit at some cafe drinking your rainforest destroying frappacino'.
If someone is truly smart enough to crack your system and steal your bank account info - when you are a fairly intelligent tech-savvy guy who uses SSL and won't just click the first open wifi network that pops up like 90% of the population would - what the heck are they doing in the jungles of South America where maybe 5 students with negative bank balances pass through every year? "The same issues and risks that business travelers in hotels and airports face, as well as those encountered by millions of other backpackers, gap-year travelers, and students". Do you honestly think 99% of them have a clue? And yet 99% of them make it home perfectly fine. As someone with an above-average IT security knowledge, you will be fine. Seriously, while I don't advocate writing your bank details in 10-foot high letters of fire on Macchu Picchu, the chances of anything happening are infinitesmal. By the way, South America is awesome to backpack through. And not being tethered to the Interwebs is a good thing.
I'd tell a UDP joke, but you may not get it. I'd tell a TCP joke, but I'd have to keep repeating it until you got it.
I just returned from my backpacking trip. So here are my tips... If you are using your own laptop, an effective firewall, a patched system, and the use of SSL is all you need. Since you are posting on Slashdot, I assume you are capable of keeping your own laptop clean and secured. In reality the risk of someone stealing your laptop is much higher than the risk of anyone breaking into your laptop, so... 1) Some sort of chains/locks on your backpack is much more important than a VPN. 2) Do not store any password, sensitive documents on your laptop. In case it will be stolen later.. 3) Keep backup of important documents (e.g. scan copy of your travel insurance) in a gmail account... 4) Do not keep all your vacation photos in one laptop, copy it to CD/DVD/cheap USB devices and send it home every few months. 5) Bring a USB drive and backup everything on your harddrive (including your vacation photos), store the USB drive in a different location (e.g. inside your main backpack) If you are really desperate and have to access your bank in an internet cafe, here's what you can do... 1) To make it harder for key loggers to steal your password, scramble your url/password using your mouse. e.g. if your password is ILovePizza, you can type IHatePizza, highlight the word "Hate" with your mouse, click delete and type "Love" instead. It's not 100% secured, but it's better than nothing. 2) As soon as you reach a safe location, change your password.
Why on Earth you feel the need to tell a perfect stranger how to travel, I'm not sure. Why not just trust the guy and answer the question instead of responding in a smug condescending manner?
I'd suggest booting a security-oriented "live" linux distro from a CD/DVD/thumb drive when accessing untrusted networks. This means caches are gone when the power is turned off - no passwords/account numbers/etc floating around on the hard drive. If the distro boots with sane firewall settings, has ssh installed, etc, the poster should be fine.
Backpacking through south america doesn't mean OP is spending 5 months in the middle of the Amazon. Besides, how does internet access limit it? Oh, right, it doesn't. And phones aren't technology? Is this slashdot or some sort of faux-luddite assembly.
Whenever I travel, I wipe my harddrive and put a clean install of Windows. This protects both against border protection and thieves. It's not that I have something highly confidential or illegal on there, I just don't want my data stolen by anyone. While encryption will protect you against thieves, you're likely to be in more trouble if border protection finds it and you're never going to be able to prove you have no hidden encrypted partitions on there. To make sure no sensitive usage data is left on the device, run everything in a sandbox and wipe the sandbox contents afterwards.
Whenever I use a network, I use a trusted VPN service.
For homebanking and similar sites, in order to prevent man-in-the-middle attacks, make sure you bookmark the HTTPS URL, so the first hit on the bank's httpd is HTTPS and not HTTP. Also, add the address of your homebanking to /etc/hosts, so you don't really rely on DNS for that.
When you're backpacking through South America, "at home" can mean anywhere in your country of origin or current residence. That covers anything from a $100/month blade server at a hosting company to a $30 dd-wrt router in a friend's basement. Either way, please keep the ad hominem attacks out of it, okay? We're all just trying to help here.
I've spent a month in Ecuador, and in my experience, the OP is focusing on the wrong problem. Backpacking in South America means being around a lot of people who make less money in a year than you make in a week. On this trip, I had a pair of prescription sunglasses and a pair of nice gore-tex hiking boots, and they constantly made me the focus of attention from people who wanted to know how much they cost, etc. One time coming down a trail in the Andes, I passed a kid who looked like he was about 12, chopping bananas with a machete. He said, "Dime los lentos," meaning "Give me the glasses." I just increased my hiking speed, and it turned out that he didn't hack me to death. So carrying a netbook in this social environment does bring up a whole bunch of issues about being victimized, but they aren't issues with having your PayPal password stolen, they're issues with getting mugged by someone who wants your computer, which is worth more than they make make in several months. My advice is not to bring the netbook. If you're worried about keyloggers in internet cafes, bring a bootable CD.
Find free books.
My credit union still has a system for doing much of my banking over a phone line. I'd rather take my bets on the security through the phone lines than the interwebs.
Because touch tones are so much more difficult to intercept than 128 bit SSL secured connections??
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
If he is going to be away and there is no one left at home (or at least no one sufficiently techie) to fix the setup if something goes wrong then the arrangement is stuff, so "a friend's house" is more the way to go.
Though as poor latency is already going to be an issue I recommend a rented VM on a properly hosted server - then the extra latency of a residential connection will not compound the issue. Also, it might mean more than on VM location during the trip if he is traveling far, so at each location latency can be minimised by keeping the other end of the VPN relatively topologically local (within reason, of course, as he'd have to keep the other end of the VPN somewhere he considers safe enough).
Also if using OpenVPN or similar setup both TCP and UDP endpoints - UDP is preferable (TCP wrapped in TCP can cause noticable efficiency issues for some traffic patterns and network issues) but sometimes a TCP OpenVPN connection works better if only because it can get through bad NAT arrangements more easily. Also setup an extra endpoint on port 80 or 433 as well as the standard OpenVPN port in case of firewall issues, just for good measure in case of strict outgoing port use limitations. For extra paranoia/completeness setup a HTTP-to-generic-TCP gateway too, that way you can connect to the VPN through that if everything but port 80 is blocked and the ISP are using DPI to ensure that traffic on port 80 really is HTTP traffic (far from efficient, but maybe better than nothing at all if that is the only option). This may of course all be far too much work depending on how much the security of the information you are sending is if you can't simply avoid sending it until you get back to your home turf or some other location you consider sufficiently secure.
Given the current unstable nature of the world economic system, is it a sane move to ignore your investments for a year?
No, it isn't. But also taking into account the sporadic nature of connectivity while backpacking, it probably is a good idea to exit any stock holdings and leave your investment capital as cash in the bank for a year. Sure, it's a lower interest rate, but you can rest easy in the knowledge that your capital won't decrease.
Ahh - My eye!
The doctor said I'm not supposed to get Slashdot in it!
You should check to make sure that any encryption software you use or bring is legal in the areas you will be traveling in. I know that the legal standards are different between, for example, the US and France (or it was last time I read about it). I have no idea about specifics of different countries, but it is something that you should know before you set out. And not just the laws, but also look into what to expect when you go through checkpoints - I have no idea if I am actually required to reveal an encrypted volume on my laptop when going through customs coming into the US. And what do I do if the person checking says that they require all of my passwords? (My only thought here would be to make a set of temporary passwords while going through, and then to change them all back after) Sorry I do not have any helpful links. I figure that the time I could spend looking would be a good bit more than the time spent by the person who knows what country to actually look at. Hope it helps.
you're going travelling, to experience new cultures, people and ideas
put down the computer; the world won't end if you can't access slashdot and your email for a few months
And how does he keep all his friends updated on his Facebook?
I went on a cross country trip on a motorcycle. I posted on my blog at every stop along with a GPS coordinate. It made my family and friends happier and they knew that if I did not post the next morning to contact the authorities along my path.
It's just a smart thing to do. When I do backwood backpacking I email friends every 2 hours... I use a http://www.gadgetvenue.com/spot-satellite-gps-emergency-beacon-07231020/
SPOT personal location beacon. when I press OK it sends a nice email to family of my location and "I'm OK" works great and needs no cellphone coverage. I can press the help button when I break an ankle and know that someone knows I need help and my exact location.
Do not look at laser with remaining good eye.
http://www.gadgetvenue.com/spot-satellite-gps-emergency-beacon-07231020/
Screw internet security.. I prefer to have a way to let someone know my ass is in a bind and I need help RIGHT NOW!..
I use mine to keep family happy on cross country motorcycle rides or when I go backwoods backpacking. I press the "I'm ok" button at every break.
Do not look at laser with remaining good eye.
You said you don't have anything at home to tunnel through. Assuming that VPN really isn't a viable option, you can use ssh with a hosting provider like dreamhost (or a buddy's state-side server) to run a SOCKS proxy. The downside is that whatever app you're running (afaik) needs to understand how to use a SOCKS proxy, which Firefox/Safari/IE all do, as well as several of the more well-known IM apps like GAIM.
from your local system: $ ssh -D1080 yourserver.dreamhost.com (or use PuTTY if you're on windows, and set up a dynamic port forward)
If you're in OS X, use your system>network settings to set up a global SOCKS proxy, which Safari will automagically use. If you're in Windows, use Firefox's proxy settings (Tools > Options > Advanced > Network > Settings > Manual Proxy Config)
your SOCKS host is localhost, and the port is 1080 (or whatever you pick when you're creating the tunnel).
There are a couple of tricks to this. One is that you can't connect to anything as long as your settings specify to use a SOCKS proxy and the tunnel isn't open. For the places that have the "welcome to our intarweb access" redirects, you'll want to disable the SOCKS proxy settings until you get through that finished. Otherwise, you won't be able to open the tunnel, and it will appear as if you can't connect to anything. Firefox has a QuickProxy addon which makes this easier.
The second is that you can make sure that the proxy is active by a) visiting a "check my IP address" site to make sure it is showing up as your hosting provider or b) killing the tunnel and all web traffic should stop working.
more info
There is very little future in being right when your boss is wrong.
Congratulation for not reading half of the summary.
To be fair, it was the bottom half.
#DeleteChrome
He could always torrent 30 GB of porn onto a couple of flash drives, then he wouldn't need internet access.
who prays for Satan? Who in 18 centuries has had the humanity to pray for the 1 sinner that needed it most? ~Mark Twain
He'll be away for a long time and can't come home ever once in a while. What if there is a power outage or something and the computer needs to be rebooted? Can't be left home alone.
Next option is family but if there is anything more than rebooting, most parents probably don't know how to deal with it.
Only option for depending on a computer at "home" is to leave it to some computer literate friend. But even so there can be problems in troubleshooting why something doesn't work, trying to call the friend only to find out that he is totally wasted/high/visiting relatives somewhere/etc. when you need to use the computer... Those are unlikely to be constant problems and might be that they don't occur at all (if you are very lucky) but they are very existent risk. Enough that I wouldn't prefer such option.
And then there is of course the extra latency from routing your traffic one more step. Usually not a problem but I could imagine it could sometimes be.
IronKey is an encrypted USB drive--strong encryption (i.e. passes DoD standards). The drive will allow you to store all of your personal data. In addition the drive has a a Firefox Web browser installed, so you never have to run a hotels (etc..) software. With the embeded browser you connect to the IronKey's Secure Sessions service. The service acts like a proxy Web server and triple encrypts your surfing traffic. The service also uses secure DNS services. One of the coolest features is that it stores all of your passwords on the drive. You never have to worry about keystroke logging because the IronKey This product sounds like a wini-win for the global traveler, or even a modest business traveler.
http://www.hotspotshield.com/ . I use them all the time when I am traveling. They have a nice free client on their site and if you do not want to install their client you can just configure a vpn link manually.
Witopia is what you need.
$40/year. Use it!
You're welcome.
In the past I've never brought a computer. And I don't plan to be attached to my laptop. It's a matter of being able to research destinations, book hostels, send email to family so they know I'm not dead, offload my photos from my digital camera to a larger storage device, etc. Plus, consider that if accessing my bank account on my own netbook over wireless is risky, accessing the same account in some guy's internet cafe is much more dangerous - who knows what keyloggers and spyware could be running on that.
I've been to South America several times on short trips, so I know how to let go of home and just enjoy myself. In fact that's why I'm going for a year this time...I'm quitting my job, selling everything I own, and I'll have nothing on my mind but the present. For the first time since...middle school maybe? I'm 29 now so I'm not sure what it's even going to be like to have no plans for the future!
...and do your bank-business with this person via email or telephone.
And yes, you should keep notes of all the expenses you make with your credit-card and communicate this with your trusted person. A debit-card and ATM-machines work better, most of the times. (Mastercard or Visa). Use only ATM-machines in banks during office-hours.
If you want to be connected:
In most of the Latin countries you can get prepaid "Banda Hancha". Most of them work with a Huawei-modem.
"Keep in mind that many places have very poor bandwidth and latency."
I don't know what this has to do with security of your data.
It is also not my personal experience. (I live in rural South Chile). To get a new release of my OS takes 24 hours on broadband. If I go to the next village, I'm ready in an hour by hooking up my laptop to the Internet-Cafe infrastructure.
If you want to keep a blog, do it via http://www.posterous.com./ Blogging via email, perfect if you don't know when you will hook up to the Internet again. Of course you use an email-client.
Don't let them steal your netbook but realize it can happen.
I have a simple suggestion that eliminates all the security risks you are worrying about: write an expiring power of attorney for your mom (or other trusted friend or relative). It will be cheaper and more reliable, and mom might even like to get the occasional phone call while you're backpacking across the continent.
Then get one if you're concerned about your privacy. Really, are your bank details not worth ten or twelve bucks a month for a virtual server somewhere?
And how does that help? Lets assume that he manually assigns DNS servers (so that no local server being compromised would be a problem), and that the computer itself isn't compromised, how would a virtual server somewhere improve security? It's an encrypted connection to his bank. It's an encrypted connection to his email. It's an encrypted connection to his bills. If he only uses SSL, and the computer isn't stolen or infected, what possible means of attacks do you think will be done? Sure, there are some possible. But actually being exploited in third world countries waiting for the rare traveler who thinks their SSL is unbreakable? Really? I'd bet that he could have all of his communications be unencrypted and wouldn't have a problem. The largest problem is having the computer stolen and something in cache or a password manager falling into the wrong hands. The "possible" attacks that are never done shouldn't be considered. Good security is knowing that nothing is ever 100% safe and allocating resources intelligently to reduce the risk. Making a checklist with no regard to the likelihood of attack then working down the list in alphabetical order is *bad* security. Even if effective, it is a bad policy and not how things should be done.
Learn to love Alaska
I've lived (not backpacked, lived) in South America for about two and a half years - the slums on the outskirts of Buenos Aires for two years, a couple of months in Lima and three months in a nice spot in Santiago.
The IT issues have been covered well enough. Here are a few additional ideas:
- Ditch the nice, expensive backpack and luggage. Go to the Army surplus store and buy your luggage there. Or something like this for walking around and day to day use. Avoid military emblems, but definitely go for that "beat to hell" look. Big expensive North Face bags draw the eyes of thieves. Dusty old rucksacks don't. The same goes for looking like a walking, talking North Face commercial with your clothing.
- Learn the language. Spanish and Portuguese are the obvious two. Know the basics, and be sure you can ask directions.
- Check visa requirements for each country and register with the State Department to receive travel and security updates on each country. These are immensely useful for avoiding difficult situations.
- Understand what the embassy can do for you. If you get arrested, mugged, or run into most problems overseas, the answer is "not much".
- Be VERY careful with taxis. "Express" kidnappings are quite common through most of South America - haggle for taxis and always, always use a service if you can, just to be on the safe side. Most major shopping centers and many big commercial bus stops have their own services. They cost about double what others charge, but it's worth it to avoid getting robbed.
- Ignore touts and always make your lodging arrangements in advance.
- Keep your eyes open and, if you can, travel in a group.
Have a lot of fun and do me a favor - walk down 9 de Julio while eating a good Havana alfajor ;-)
Whether you go with Truecrypt, LUKS, or some other solution, encrypt the entire main hard disk/SSD/flash drive. Theft, loss, or breakage is an obvious possibility when traveling around a foreign country for an extended period of time, and you'll feel better knowing that if you lose control of your netbook's storage device for any reason, that there's no way anyone can get your passwords or financial info from it, even if if breaks and someone dumpster dives for it. Make sure the swap file or partition is encrypted, too.
I doubt DNSSEC will be widely available before your trip, but if you can find a service that will provide it to you, use it. Never trust new SSL certificates while you are on your trip. If you visit sites with self-signed certificates, get them all trusted by your browser before you leave. I've seen a few anecdotal reports from people who complain that their bank suddenly begins asking them to a trust a new SSL certificate (which is a bad sign in the first place, since it should be trusted by one of the built-in CAs) when they were using a particular free wireless hot spot that was apparently trying to spoof SSL certificates for phishing. Make sure none of your netbook software is vulnerable to the null-prefix attack on SSL certificates. Watch out for shoulder-surfers when using your banking/financial sites. Use full HTTPS URLs when accessing sites, e.g. "https://www.bank.com" and bookmark them to avoid simple mistakes like typing "bank.com" in a browser, getting a poisoned DNS record for an attacker's site that is then fetched via HTTP and begins a man-in-the-middle attack on you.
Don't install new software unless you can be absolutely certain that it hasn't been modified during download. If you use Windows, about the best you can do is only download software over HTTPS and then check the md5sum if it's also published via HTTPS. AFAIK, Windows Update and the Firefox automatic-update process are secure. Most Linux package managers use PGP keys to verify packages downloaded from repositories, so if you use Linux on your netbook make sure you have all the PGP keys of the repositories you are going to use installed before you leave for your trip. Bring a fresh copy of the installation media (including necessary drivers and the latest version of Firefox) for the netbook, just in case the OS does get compromised or corrupted for some reason and you have to start from scratch. If you have anything you can't stand losing, back it up to an online service whenever you have the chance. Make sure those backups are encrypted.
Beware of drive-by installs of malware from MITM (man in the middle) modified HTTP sites. Avoid enabling flash, if you can, considering that every few months there's a new remotely exploitable hole found in it. Ad, javascript and flash blockers would be a good idea for all but trusted sites. If you think your email should be private, use PGP/gpg. If you think your email should be semi-private (e.g. the local ISP/hot spot can't read it, but just about anyone else could if they wanted), use webmail over HTTPS. Occasionally check major security sites in case a new zero-day exploit comes out that your software/OS is vulnerable to.
A remote hosted VPN that others suggested will be useful for pretending that your netbook is connected to the Internet in a country of your choosing. DNS might be a little more trustworthy over a VPN, but attacks can be staged against the box running your VPN, too. There are some poorly designed "secure" sites that download some content (images, scripts, flash, who knows) over HTTP instead of HTTPS, and a VPN can protect you from locally injected attacks against those broken sites. Beware of HTTP pages that submit login credentials via javascript or a form to an HTTPS page; the HTTP site can be modified in transit to submit the credentials to an attacker. The more popular and valuable a site is, the more likely there is some scumbag running an attack for it on their free wireless, so double check the SSL protection
You missed my point, yes you can route all your traffic through OpenVPN but what does that accomplish? Yes people people on the wifi can no longer sniff your traffic but it's an utter joke to think you have solved your security woes with that. What happens is you have a encrypted connection of all traffic from the wifi to your home/VPS/office/whatever but every hop on the route between your endpoint on the route is a spot where your traffic can be sniffed. If you don't appreciate the security concern here then you might as well not bother protecting yourself on the wifi in the first place. SSL will stop people at a wifi location just as well as it will stop people at your home/office/VPS/whatever and if you are using SSL to connect to these locations then the VPN is pointless for security and if you are not using SSL then the VPN is still pointless for security. As I already mentioned "OpenVPN was not designed to provide a proxy service to secure all your connections to everything else in the world but only between locations that you own."
Just as a follow up to myself here. To assume your home/office/VPS/whatever is a secure connection to begin with is ignorant. A VPN from the WiFi to your home/office/VPS/whatever and then routing out over the internet like normal from your endpoint is simply moving the location where your data is at the most risk and doing nothing to mitigate that risk. Again, the VPN was not designed for this type of security nor does it provide it. Etch it into your heads, the VPN provides only a secure connection to the endpoint and once it leaves there then the VPN is in no way whatsoever protecting your data.
I agree completely but then again I would never expect a kiosk to be safe. Also regarding my previous posts, perhaps a lot of people will find me paranoid and I may be but I also work exclusively in security and I think it's important people weigh how secure they really are vs. how important the information being transmitted is. The poster mentions using a laptop (which excludes kiosks) but if he is connecting to banks and creditors then SSL is almost always guaranteed. SSL moots the point of a VPN to begin with. I wish people would stop posting so many comments that VPN is a security solution because in this instance it is not and I am amazed how many people seem to believe that a VPN will somehow protect the traveler when they know that data _WILL_ be traveling out of the VPN. What is it these people think a VPN is going to provide here?
(This is of course assuming you have any family, friends or a FB and you trust them)
1) Buy a pen and paper .. phone your family member/friend/FB and have them transfer it
2) Write how much you have free on your credit card at the top.
3) Every time you buy something subtract the amount from the amount left on your credit card
4) Have you credit card statements go to your family member, trusted friend or FB
5) Authorize with the bank your family member/friend/FB to handle payments of your credit card from your bank account
6) If you need extra money
If you really want, you could always learn the PGP algorithm and apply it to the numbers written on your paper manually.
Now is that so hard ?
Backing up your digital pics isn't that hard anyway. Any city will have loads of shops where you can get the contents of your SD card burned to CD while you wait. Get two copies and you can post one home (or to parents or a friend) as a precaution against physical loss.
Data theft should be your last worry.
First worry: Physical item security (your wallet, your mobile phone, your netbook, your backpack)
Second worry: Self security (getting kidnapped for ransom/assaulted/mugged after being seen with all of above)
They are not gonna sit around trying to crack your SSL connection. They are gonna notice your netbook and mobile phone and the fact that you are staying at a hotel that offers WiFi to its guests and they are gonna come steal all your stuff or worse, you.
Stop thinking like a geek and start thinking like a traveler.
STOP . AMERICA . NOW
Lots of recommendations here for encrypted VPN tunnels. But assuming the bank uses HTTPS, why would you need the extra layer of encryption?
I don't agree with those who say leave the netbook at home. Using a live-CD to avoid keyloggers in internet cafes is not always possible. Often the CD drive and USB ports are removed or defunct. Come to think of it, the keyboards are often defunct too. With wired or wireless connections increasingly available, a netbook can be very useful. Just keep a copy of any important data on a memory card in your money-belt.
I'm not a legal expert (nor have I read all the way down the comments), but just so OP is aware some countries place restrictions on what encryption can and cannot be used on computers within the country. Wherever you go, if you are planning on using encryption of some form (which you should) be aware of the local laws. Its pretty unlikely that the secret police are gonna haul you off to jail, but your computer may get confiscated if it is found to have illegal encryption on it.
I have my netbook using full system encryption with TrueCrypt, with KeyPass for a further level of safe password storage. I also now have an OpenVPN server at home I can connect through.
However before I set up the OpenVPN server I used an IronKey flash drive for safer and more anonymous web browsing. This is a flash drive with built in hardware AES encryption. It comes with a modified version of Mozilla Firebird set up to use that encryption to go through a private TOR network gateway set up by the company. A subscription is included free with the IronKey. It slowed things down a bit but seemed to work. http://www.ironkey.com/personal/.
- Tom
3G service is everywhere down here. I don't know where you will be, how many countries you'll visit, etc. If you're going to spend a significant amount of time in specific countries consider getting a pre-paid 3G USB modem when you're going to be in one for a while. In Argentina Claro (http://www.claro.com.ar) offers such a service, I pay about $50 per month for unlimited data, I'm not sure how economical the pre-paid options are. Telecom costs very widely between countries down here, Argentina tends to be one of the most expensive. Some good countermeasures have been suggested: firewall, patches, antimalware are all critical. Its a hassle but if you're using public WiFi you should change passwords for your financial accounts frequently. You should encrypt your sensitive data, and backup to an external disk regularly, laptop theft is fairly common.
You need a home base. A $50-60 OpenWRT box is enough if you don't have a spare PC laying around. I'd suggest running the following servers:
OpenSSH + Squid (or tinyproxy) - SSH:22 and basic HTTP proxying via an SSH tunnel
OpenVPN - for an easier remote experience (both UDP:1194 and TCP:443)
HttpTunnel - When only HTTP:80 requests are allowed from your AP
iodine - When only DNS:53 requests are allowed (eg. captive portal)
I'd also suggest full disk encryption on your PC/Mac.