Slashdot Mirror
Network Security While Traveling?
truesaer writes "I'll be spending all of next year backpacking through South America. In the past I've used Internet cafes while away, but this time I plan to bring a netbook and rely primarily on Wi-Fi hotspots. I'll be facing the same issues and risks that business travelers in hotels and airports face, as well as those encountered by millions of other backpackers, gap-year travelers, and students. Since my trip is so long I'll have no choice but to access my banking, credit card, and investment accounts on public networks. I will not have a system at home to connect through. Other than an effective firewall, a patched system, and the use of SSL, what else should I do to protect my information? Keep in mind that many places have very poor bandwidth and latency."
I would recommend purchasing a shell account from a reputable host that will allow you to tunnel your internet traffic over an SSH tunnel/SOCKS proxy. It's really easy to set up using Putty or OpenSSH.
All network security is for naught when someone can just steal your netbook and read all the passwords and form data that firefox helpfully remembers for you. You have to make sure that your firefox profile directory (as well as all other confidential data, like passwords and bank statement pdfs) is stored on an encrypted block device. On Linux, a loopback device encrypted with dm-crypt works well.
You might want to use a service like
http://alwaysvpn.com
or
strongvpn
Set up a server at home or rent one where you can run OpenVPN and/or SSH and tunnel your traffic through it. OpenVPN supports LZO compression aswell, which might help a bit when you're low on bandwidth. I would also suggest that you encrypt the drive on your netbook with TrueCrypt or similar software in case you loose it.
Most Ask Slashdot problems are solved by throwing out the most ridiculous requirement. Usually this is because the poster has logic-ed themselves into a blind spot. The classic where-are-my-glasses-I've-searched-everywhere-oh-here-they-are-in-my-hand kind of a thing.
In this case, the "no system at home" requirement is the offender. Just set up an old linux box with a friend, and like the GP said, VPN to it. You do have friends, don't you? Family? Non-tech savvy coworkers who won't question that computer case with the post-it note that says DO NOT DISCONNECT?
So it needs to be said regardless, but I feel VPN probably should have sufficed.
There are two solutions to this issue:
a) Do it Yourself!
In this scenario, the individual purchases a term contract with a hosting provider and proceeds to install a VPN solution. This is the most flexible plan available and can be achieved for roughly 10$ or less per month (plus domain costs). The down side to such a solution is that if there is maintenance that must be performed there is really only one mechanic. (unless the mechanic has very good friends or if he is a heartless bastard with no relations to the external world then perhaps a fellow slashdoter will land the man a vpn solution. Never mind he is a freeloader... roaming from country side to country side... possibly infecting your server... and you were just trying to be a nice guy. shame on you)
b) Rent a VPN!
There are countless VPN solutions available for seemingly random values. I have little doubt that an equally cost effective solution can be found. This has the obvious advantage of not having to maintain the VPN solution. The obvious con when compared to solution "A" is that there is certainly no flexibility in this offering. You get what you get. With the economy falling into the virtual comode it is quite likely that any business you place your trust in will either lose all of your information or sale it on the black market. By the time you return you will likely be spammed, identity thieved and otherwise placed with the very best experiences the awful inky darkness that is the bad side of the humanity offers.
Invariably there will be suffering no matter what option you choose.
Regardless, ensure your netbook is protected and if you may wish to utilize a solution I myself rather enjoy. In rather horrible untrusted networks I rely on a lovely Fedora live distribution over usb flash. It doesn't offer much in the way of persistent storage, but for one time transactions it's quite useful.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
Check the time mentioned in the summary. I would normally agree with you, and don't typically even use internet cafes while gone for a few weeks. However, I can't imagine being totally unconnected to email for a whole year. Yes, I could do without Slashdot, but just checking the news back home and following up with friends and family would be mandatory.
Agreed. If he doesn't want to host it at home for whatever reason (I imagine being gone for a year he may be having his Internet service turned off), he should find a friend or relative who is willing to host the box for him. Provided he uses a modern CPU with decent power management features (or a low-power CPU like Atom), idle power usage should not be a concern.
Once you've got an always-on *NIX server you can connect to, it is a simple matter to use SSH's built-in SOCKS capability to securely tunnel your TCP traffic. This is precisely what I do when I travel.
"I will not have a system at home to connect through."
Then get one if you're concerned about your privacy. Really, are your bank details not worth ten or twelve bucks a month for a virtual server somewhere?
"And the meaning of words; when they cease to function; when will it start worrying you?"
Going traveling for 5 weeks in south america as well. Just bought a netbook. Every single person I've talked to says "blog about it! we want to see your pictures!" -- the truth of the matter is that a netbook is pretty damn tiny and takes up little space (2800 cu in pack) and definitely qualifies as "personal gear". Might as well take it along. Makes backing up my digital pics easier, and makes it easier to check the news (you never know what's going to happen next in venezuela) and communicate with couch surfers. You don't NEED one, but it damn well makes things easier in a pinch.
moox. for a new generation.
There's not much you can do, this is why SSL saves millions of people's asses everyday - just be ultra-suspicious of any warnings that you don't normally get. This is why everyone has a "trusted" network piped into their house by their ISP, and why they get so uppity when that trust is abused (DNS redirection, deep packet inspection, traffic analysis, advertisement insertion etc).
Have a software firewall at *ALL* times that distrusts everything... on Windows I use Zonealarm with everything set to "Internet" and all the high-security settings for that (only exception is an OpenVPN interface which can *obviously* only be my remote access into my trusted networks at home - I let OpenVPN - the program - connect to the Internet and I let the OpenVPN interface do whatever the hell it wants ["trusted"], and obviously have all the checks enabled for certificate-authentication to get onto my home network). On Linux, that's just bog-standard iptables doing its job the same as ever.
I don't expect anything non-SSL to be secure by default. I treat it as if I was using Tor in that respect. Make sure you have Gmail or whatever set to "always use https". If you want anything better than that (i.e. email, IM, http, etc. traffic), or better assurance overall, you have to have a VPN to be safe.
My OpenVPN automatically deletes other routes except for the essential ones and adds a default route through my VPN interface so when connected to home I *know* everything has to be using the VPN to communicate in that instance (hate the idea that if OpenVPN dies, there might be "another" route lurking which sends things out on another interface - I've seen it happen with some "automatic" configurations on Windows).
I often game over an OpenVPN instance, even when playing locally, so don't take heed of the rubbish about it being too costly in latency terms - of course, if you are in a foreign country and relaying to another, it will lag, but the actual overhead is not much worse than just ordinary IP routing to your destination.
Basically - SSL in some form or another, whether that's direct or over a VPN... otherwise you cannot trust things. Of course, millions of people trust ordinary wifi points all over the world, all day, every day. If you decide to follow their lead, that's up to you.
Ideally, you want this to be a remote machine, either cloud or at home, with your Notebook acting as a gateway.
Be aware of potential vectors of attack (mostly wireless / network based, but don't forget physical access) and have a defense against them.
Ideally, everything (and, more practically, everything sensitive) will pass through some pipe that uses the strongest available encryption.
Here is a general set of guidelines that I use:
As others here have mentioned, having pre-exchanged SSH keys and doing all of your sensitive browsing / business over an SSH-tunneled Proxy to a machine back home will do wonders to help with any inherent wi-fi (or untrustworthy ISP) issues.
Get your system hardened before you start your journey. Make sure you're running the latest operating system versions with the latest security patches. Make sure you've configured your firewall and updated your antivirus software. Pick a secure software suite to use for your important actions. For any OS, shut down daemons and services that you're not going to need, as each is a potential point of attack.
Buy a USB-based wireless device (they're only $20 or so). Disable the wireless device on your Notebook's OS. Before you leave, build a Virtual Machine running an OS of your choice (Linux works nicely). Install the OS from scratch, boot it, update it, and then open up a browser instance. Configure it so that the USB wireless device is forwarded directly to the VM, and install its drivers in the VM. Snapshot the Virtual Machine's state. When you're travelling, turn off your Notebook's wireless signal the entire time. If you want to use the Internet, plug in the USB wireless device, start your VM, and use the Internet through it. When you're done, shut down the VM and revert its state to the saved snapshot state that you made before you started your trip. This should help ensure that any viruses you are hit with only survive the duration of that single VM session.
The options vary based on your OS. Any standard encryption scheme will do - complete drive encryption, partition encryption, filesystem-based encryption, etc. The real goal here is to make sure that neither your private files nor your runtime-generated files (Internet history, cookies, etc.) are accessible.
Buy some cheap USB stick to store your SSH and/or Hard Drive encryption keys separately, and carry it with you at all times. If you're truly paranoid, you can even encrypt its filesystem with a password-based key for extra protection.
Fully power down your Notebook when you're not using it. If you Suspend / Hibernate, not only will memory-resident viruses etc. still be running when you resume, but decrypted information is accessible in-memory, should it be seized in this state.
There are a lot of threats you can face in another country, but it's wisest to stay away from the government-level threats. Don't give them a reason to seize your laptop and you'll have mitigated many truly serious issues.
If someone is truly smart enough to crack your system and steal your bank account info - when you are a fairly intelligent tech-savvy guy who uses SSL and won't just click the first open wifi network that pops up like 90% of the population would - what the heck are they doing in the jungles of South America where maybe 5 students with negative bank balances pass through every year? "The same issues and risks that business travelers in hotels and airports face, as well as those encountered by millions of other backpackers, gap-year travelers, and students". Do you honestly think 99% of them have a clue? And yet 99% of them make it home perfectly fine. As someone with an above-average IT security knowledge, you will be fine. Seriously, while I don't advocate writing your bank details in 10-foot high letters of fire on Macchu Picchu, the chances of anything happening are infinitesmal. By the way, South America is awesome to backpack through. And not being tethered to the Interwebs is a good thing.
I'd tell a UDP joke, but you may not get it. I'd tell a TCP joke, but I'd have to keep repeating it until you got it.
I just returned from my backpacking trip. So here are my tips... If you are using your own laptop, an effective firewall, a patched system, and the use of SSL is all you need. Since you are posting on Slashdot, I assume you are capable of keeping your own laptop clean and secured. In reality the risk of someone stealing your laptop is much higher than the risk of anyone breaking into your laptop, so... 1) Some sort of chains/locks on your backpack is much more important than a VPN. 2) Do not store any password, sensitive documents on your laptop. In case it will be stolen later.. 3) Keep backup of important documents (e.g. scan copy of your travel insurance) in a gmail account... 4) Do not keep all your vacation photos in one laptop, copy it to CD/DVD/cheap USB devices and send it home every few months. 5) Bring a USB drive and backup everything on your harddrive (including your vacation photos), store the USB drive in a different location (e.g. inside your main backpack) If you are really desperate and have to access your bank in an internet cafe, here's what you can do... 1) To make it harder for key loggers to steal your password, scramble your url/password using your mouse. e.g. if your password is ILovePizza, you can type IHatePizza, highlight the word "Hate" with your mouse, click delete and type "Love" instead. It's not 100% secured, but it's better than nothing. 2) As soon as you reach a safe location, change your password.
Backpacking through south america doesn't mean OP is spending 5 months in the middle of the Amazon. Besides, how does internet access limit it? Oh, right, it doesn't. And phones aren't technology? Is this slashdot or some sort of faux-luddite assembly.
I've spent a month in Ecuador, and in my experience, the OP is focusing on the wrong problem. Backpacking in South America means being around a lot of people who make less money in a year than you make in a week. On this trip, I had a pair of prescription sunglasses and a pair of nice gore-tex hiking boots, and they constantly made me the focus of attention from people who wanted to know how much they cost, etc. One time coming down a trail in the Andes, I passed a kid who looked like he was about 12, chopping bananas with a machete. He said, "Dime los lentos," meaning "Give me the glasses." I just increased my hiking speed, and it turned out that he didn't hack me to death. So carrying a netbook in this social environment does bring up a whole bunch of issues about being victimized, but they aren't issues with having your PayPal password stolen, they're issues with getting mugged by someone who wants your computer, which is worth more than they make make in several months. My advice is not to bring the netbook. If you're worried about keyloggers in internet cafes, bring a bootable CD.
Find free books.
Congratulation for not reading half of the summary.
To be fair, it was the bottom half.
#DeleteChrome
http://www.hotspotshield.com/ . I use them all the time when I am traveling. They have a nice free client on their site and if you do not want to install their client you can just configure a vpn link manually.
That sums it up pretty well...no home, parents that can only operate a power button, and troubleshooting via phone from Guyana could be tricky even if I were to leave a machine with a tech-savvy friend. VPNing to a hosted machine didn't occur to me for whatever reason, I'll probably look into that. This is probably an area where compromises will have to be made, but my first step is to avoid any potential complications because they'll be a real pain to deal with.