Web Surfing in Public Places Is A Way to Court Trouble
We had a story come in from the New York Times reminding people that web surfing in public places is a way to court trouble. There's nothing in the story that is hugely new, but it does lead to an interesting question. What's the worst "on the road" security setup you've seen?
classic diligence, albeit in a modern world (Score:5, Interesting)
I remember sitting behind (I discovered later) an attorney on a business trip once. It was business class, and he had laid out all around him paperwork and documents busily reading and making notes. In addition to being behind him, I was beside myself with curiosity -- what kind of "stuff" would an attorney read on a plane?
I succumbed and started reading. Interesting, I was reading the IPO strategies and schedules for a startup company in the bio-medical field. And coincidentally in minutes I realized these were notes for the IPO of a bio-med company I was consulting for in my personal time! Probably mostly no harm, no foul, but it was an eye-opener for me to realize what kind of information people expose unwittingly, technology or not.
While wireless could make for more surreptitious spying, it seems to me once again (just like "security") the biggest risk and danger is from the lack of due diligence... striking up a conversation in the concourse bar and saying a little bit more than you probably should would be my bet on spilled beans.
I could even think it might be safer with everyone traveling with laptops, I once did an informal (and anecdotal) caucus, and on one business trip observed about 95% of any laptop users playing solitaire or some game with their computers.
Now all you need.. (Score:2)
Re: (Score:3, Funny)
That, and a bowel disruptor, several drug habits, and two filthy assistants.
Re:classic diligence, albeit in a modern world (Score:5, Funny)
Re: (Score:2)
Or how might it have helped negotiating your consulting fees? What would you have done if you heard that there had been trouble over a leak of information?
Re: (Score:3, Interesting)
I needed a laptop for a biz trip to a software convention in SF CA. I was giving a talk and was reviewing my notes. But the thing the laptop was best for was killing the time during the flight. I was playing Nethack and even got a double take and knowing smile from a fellow techy who was walking down the aisle.
Re: (Score:3, Funny)
I had to explain that it was a game "see it's in my games folder" and that it was also available as a GUI "see here it is with pictures". Wasn't till I showed them my badge and business cards from the multinational that I work for that they started believing me.
After that I only played in GUI mode while in public. (ASCII at work though, 'cause anyone
Re:classic diligence, albeit in a modern world (Score:5, Funny)
Dr. Smith is a medical researcher, helping run one end of a typical double-blind clinical trial of Unobtainasil, a new drug which is hoped to treat a severe condition. He's flying to Switzerland for a conference of some kind.
While in the airport, he happens to sit down next to Dr. Jones, whom he met a while back at another conference. They get to talking shop, as is not surprising - and it eventually comes out that Dr. Jones is also working on the clinical trials of Unobtainasil.
With great dismay, they realize they've just compromised the trial, and all the data will probably need to be thrown out.
Whoops.
Moral of the story: never talk about anything with anyone.
Denver Airport (Score:5, Interesting)
Re: (Score:3, Funny)
Re:Denver Airport (Score:5, Informative)
Re: (Score:2)
Re:Denver Airport (Score:5, Funny)
Re: (Score:3, Informative)
Public computers (Score:5, Insightful)
I still won't access it from work from my personal office computer, 'cause: 1) it runs Windows, and 2) it's on a network and the security guys are always running "updates" - who knows what's in there.
Re:Public computers (Score:5, Interesting)
I find this comment in the article very interesting:
Technically, putting in your bank information or credit card information at most respectable websites should be more secure than checking email, because most major banking institutions or sites that accept credit card numbers do so using SSL, which should be safe even if being broadcast over any wireless connection. And they even accept the secure nature of VPN encryption, but don't bother mentioning the encryption available for most banking/CC transactions. On the other hand, most people don't check their email over a secure connection, because either secure email is unavailable to them, or secure email is not the default and they don't know better than to use the default, or only the password is broadcast securely while the emails themselves are still sent in plain text.
That being said, I still avoid sending banking records, CC numbers, and even secure email over non-secure wireless connections, unless it is absolutely necessary, and tend to be very choosy about which of my friends' computers I will use to access my most valuable information. Guess I just can't take off that tin-foil hat!
Re:Public computers (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2, Informative)
Virtual *Private* Network (Score:5, Informative)
Re: (Score:3, Informative)
Well, if it's a Virtual Private Network, I'd hardly see how it could be unencrypted.
Re: (Score:3, Funny)
Posting to
Consider the three basic VPN security methods (Score:5, Informative)
IPSec VPNs use a seed of some kind (they vary according to the implementation) or use a temporal key.
SSL uses a nice scheme that's difficult to crunch.
NONE OF THEM, however, protect against keyloggers and their variants. If you look at the wire or air with a sniffing device, however, you'll need to have cracked whatever encryption scheme has been implemented. IPSec with a TKIP/RADIUS-based authentication method is pretty tough to break.... unless you have a keylogger someplace or you can dictionary-attack weak stuff.
Re: (Score:3, Insightful)
Wow, you could buy that 911 document [wikipedia.org] that got leaked a few ye
Re: (Score:2)
Re: (Score:2)
Re:Public computers (Score:4, Interesting)
Re:Public computers (Score:5, Insightful)
Re:Public computers (Score:4, Funny)
If the machine is insecure enough to have a keylogger, it's hard to say what other kinds of software may be present on the machine.
We Have The Solution: Announcing the CryptoGoggle 9000. Supported by dozens of popular websites, our technology causes websites to be displayed as a random mash of blended colors. By donning the CryptoGoggle 9000, this incomprehensible mishmash can be magically unscrambled before your very eyes! Take the CryptoGoggle 9000 everywhere you go! Weight 26.4 pounds, shipped weight 34.1 pounds. And as a bonus, you get to look like a special forces secret operative while using it! Only $1,999.99, while supplies last! Order yours today!
Re: (Score:2, Interesting)
Re: (Score:2)
I'm not even sure what that means. Most banks (here in the US) just use a user/password combination that is easily logged if your system is compromised. I know elsewhere many banks have smart cards with one-time use PINs and such, which we'd love to have, but it just isn't an option for most Americans.
Re: (Score:3, Interesting)
However if the captcha is "Which one of these is your mother?" or some other piece of info that is specific to you, then that would make the data thief's job a little harder.
Using the randomly-ordered on-screen keypad to enter data is a pretty clever solution, though.
Re: (Score:3, Insightful)
Carry round a Knoppix/Ubuntu/Gentoo Live CD. Boot off that, and you're safe. Apart from hardware nonsense, which you're probably OK with at a friend's house. Depending on your kind of friends.
Re: (Score:3, Interesting)
Best security ever (Score:2, Interesting)
The best security ever, was with my same brother. I woke up early while staying at his place, and wanted to check my mail. I dipped outside to see
Cheap software (Score:5, Interesting)
I have found sales documents, salary proposals, resumes and even documents discussing why or why not people should be fired from their company.
Sensationalist, at least about wireless (Score:5, Funny)
Have these guys heard of SSL? SSH? Can you say overkill? And who is this Sellitto guy, sounds like a liberal arts major that can't cut it in a real security field. *breathes into paperbag*
Re:Sensationalist, at least about wireless (Score:4, Insightful)
Re:Sensationalist, at least about wireless (Score:4, Interesting)
I tried to install Ethereal to diagnose some issues on the LAN that normal host-based diagnostics would never catch. Had to do with EBCDIC-ASCII translations, so each host always disagreed with what was sent out on the wire. IT security freaked, calling it a "hacker's tool". I explained patiently that our LAN was segmented enough that they needn't worry, I wasn't about to be stealing the CEO's password. Still no go.
I ended up installing the damn thing anyway, confirmed my suspicions, and saved myself and several hours many days of hunting around. Didn't tell them that, though
Every news story that tries to use the fear of "packet sniffers" as a dangerous tool can pretty much be dismissed out of hand. Watching the data flow in and out of your own computer is never a security risk.
Re:Sensationalist, at least about wireless (Score:5, Insightful)
You know, having worked in IT, my inclination is to say that users shouldn't be doing that stuff. Your network is segmented enough? Unless you're in charge of IT security, it's not your job to decide that. I don't know what your background in particular was, but I used to work for an engineering firm that made software (among other things). The programmers were constantly telling us that they needed to be able to install software, that they knew how to run their own machines, that they understood software better than we did, etc. And guess what? Those were the same guys whose computers were *constantly* broken. They did tons of stupid stuff because they didn't know what they were doing. Some of the best guys were tinkerers, who had been fixing computers for years, but didn't understand that working IT is different. In a business setting, mistakes and errors can have totally different ramifications.
So I'm not saying you did the wrong thing, but that it should have been your IT staff to do it. If you have a bad IT staff, that's a separate problem, but they're right to try to discourage you from tinkering around on your own. Being your own IT person is like being your own doctor, or a lawyer representing himself in court. It's just a bad idea.
Personally, I sometimes wish I had someone else who would lock me out of administering my own machine to keep me from fucking around and breaking things.
Re: (Score:2)
Gyah. Reminds me of a website I used briefly. Their custom security solution turned out to be server side crypto (of some unproven variety), through to the back office server.
Think about that a second.
The traffic went as clear text through the Internet, arrived at their server,
It's not the security I'm worried about.... (Score:5, Interesting)
Re:It's not the security I'm worried about.... (Score:5, Interesting)
Your post reminded me of the ad-hoc "Free Public WiFi" that I've been seeing a lot of, and I've never gotten a connection through. A quick Google revealed that this seems to be a case of computers picking up that ad-hoc network from other computers and rebroadcasting that name for the next while. TechBlog: "Free Public WiFi"? Not! [chron.com]
And yes, I don't have a problem connecting to sketchy networks. Other people can always associate with the legitimate network I'm on and try attacks, and my firewall's decent. And if I'm worried about sniffing I'll launch a VPN.
Re: (Score:2)
Re: (Score:2)
Assuming you are using Windows 2K-XP, open the VPN connection's properties, select TCP/IP properties (networking properties), click on advanced options and click "use as default gateway..." checkbox.
My system is in Spanish, so some of the labels might not match on a word-per-word basis, but I'm sure you can sort out the differences.
Re: (Score:2)
Re: (Score:2)
search "hacking the friendly skies" on google for the presentation.
The virus of Troy wooden horse type (Score:5, Interesting)
If was free for guests to use and had windows XP (no service packs) with admin.
It also came with 75 pieces of Asian spyware (not stuff I am familiar with) and a whole bunch of trojans.
The trojans were in a delicate balance, and once removed the computer stopped booting.
Assuming all the computers in the hotel were pwned to the same or a greater degree, that was about 1000 3ghz machines with insane bandwidth pumping out all sorts of garbage. Extremely irresponsible.
ALWAYS carry a knoppix or damnsmall CD with you when travelling. If the system isn't locked down enough to stop you booting linux then it won't be locked down enough to stay clean.
Re:The virus of Troy wooden horse type (Score:4, Funny)
Public websurfing (Score:5, Informative)
http://www.grc.com/nat/arp.htm [grc.com]
It's the scariest thing I've seen since the last time I was tricked into clicking a link to Goatse.
See, now I'm scared to click on that link... (Score:2)
Re: (Score:2)
Irrelevant to WiFi, though.
Re: (Score:2)
Re: (Score:2)
It seems that an access point could easily defend from this attack by validating the destination IP addresses, instead of just blindly switching by MAC address. I wonder if we will se
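The check the comment above suggests, an access point that refuses to forward ARP traffic whose sender IP does not match a trusted binding, is roughly what switches call dynamic ARP inspection. The following is an added illustration written for this thread, not code from the grc.com page or from any access-point vendor; the binding table and the packets are constructed values, the kind a DHCP-snooping table would hold, and nothing touches a live network.

```python
"""ARP inspection for an access point or switch: forward an ARP frame only if
the sender's IP-to-MAC claim matches a trusted binding table.

Added example; the binding table and packets below are constructed, and the
IP/MAC values are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


# Trusted bindings, as a real device would learn them from DHCP leases or
# static configuration (constructed, hypothetical values).
TRUSTED_BINDINGS = {
    "192.168.1.1": "00:11:22:33:44:01",    # gateway
    "192.168.1.10": "00:11:22:33:44:0a",
    "192.168.1.11": "00:11:22:33:44:0b",
}


def inspect_arp(pkt, bindings=TRUSTED_BINDINGS):
    """Return ("forward" | "drop", reason) for one ARP frame.

    The sender fields are what a receiver caches, so they are what an
    inspector must validate; the target fields of a request are only a query.
    """
    if pkt.op not in ("request", "reply"):
        return "drop", "malformed ARP opcode"
    expected_mac = bindings.get(pkt.sender_ip)
    if expected_mac is None:
        # Unknown hosts are dropped rather than learned: learning from ARP
        # itself would let any station insert a binding.
        return "drop", f"no trusted binding for {pkt.sender_ip}"
    if expected_mac.lower() != pkt.sender_mac.lower():
        return "drop", (f"{pkt.sender_ip} is bound to {expected_mac}, "
                        f"frame claims {pkt.sender_mac}")
    return "forward", "sender binding matches"


def filter_arp(packets, bindings=TRUSTED_BINDINGS):
    """Run inspect_arp over a batch and return (packet, verdict, reason)."""
    return [(p, *inspect_arp(p, bindings)) for p in packets]


# Constructed sample traffic: a normal reply from the gateway, a reply that
# claims the gateway's IP from another MAC, and a frame from an unbound host.
SAMPLE_PACKETS = [
    ArpPacket("reply", "00:11:22:33:44:01", "192.168.1.1",
              "00:11:22:33:44:0a", "192.168.1.10"),
    ArpPacket("reply", "de:ad:be:ef:00:01", "192.168.1.1",
              "00:11:22:33:44:0a", "192.168.1.10"),
    ArpPacket("request", "de:ad:be:ef:00:02", "192.168.1.77",
              "00:00:00:00:00:00", "192.168.1.1"),
]

if __name__ == "__main__":
    for pkt, verdict, reason in filter_arp(SAMPLE_PACKETS):
        print(f"{verdict:8} {pkt.sender_ip} from {pkt.sender_mac}: {reason}")
```

The design point is that the device validates against a source it trusts (DHCP snooping or static entries) rather than against what earlier ARP frames said, since the latter is exactly the data an attacker controls.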
Re: (Score:3, Interesting)
Re: (Score:2)
Sometimes OTT (Score:2, Insightful)
It's not like they were trading invention information pre-patent, more things like memos about (small) customers. It would have cost someone more to hire a detective to snoop on them than what the information was worth.
Worst (Score:2)
Re: (Score:2)
"They Know"
or
"We're on to you"
are among my favourites
Re: (Score:2)
Ahh, the motor neuron...
The worst place? That's easy (Score:5, Interesting)
YOU'RE IN A F CKING SHOP!
The only thing that went through my mind when I first saw people taking advantage of Apple's generosity was
I wonder how many people here are actually just using these computers to do something sinister?
Amusing/Lesson in boredom (Score:5, Interesting)
I happen to be happily on my laptop, doing those Oh so critical things like, well,
I hear the guy behind me start speaking VERY loudly on his phone.
He then tells some guy repeatedly an IP to "just login to"
I'm amused, since it sounds like it could be an external IP even, so I try it. Figure why not. It responds to ping. Hmmmm
Wondering what type of login, I get it answered, when he says, "Ok choose Domain ________ and then use administrator and 12BlahBlah for the password"
I'm like you HAVE to be joking.
No one would just shout out their windows domain admin password. Nope, I was wrong, as it happily logged in.
Oops.
(I'm not saying which company's server it was, but it was a smaller company, but not so small that they should be dumb enough to do something like that.) I also quickly disconnected, and shutdown my laptop.
Other amusing anecdotes are if you get carried away discussing work. Wife works for a DoD software contractor. They get to talking about bombs/blowing things up regularly, in fact, that's part of their job. Now, put them on a flight, and they start arguing over which type of charge would be more effective at dropping a building or how much of a yield would come from a certain explosive. For some reason, they get right back off the plane.
Re: (Score:2)
I'm not saying it was very smart but I can understand... you're out on a trip, someone calls and needs to fix something. You're already annoyed you're being disturbed. Apparently the other guy isn't too bright or you have a bad line, since he talked loud and repeated it multiple times. Particularly if it's the kind you need to handhold, hanging up to send him via SMS and then dialing him up again is n
Re: (Score:2)
Not that it really matters, but SOMEONE has to do the modeling to figure out how effective those bombs are going to be. And where to drop that MOAB on the wooden shack in the desert to ensure it is destroyed.
Same thing as with CAD work kind of stuff. Eventually you have to build stuff, but there is a lot of design and testing before building now.
Utter garbage (Score:2)
Robert Vamosi, Senior Editor at CNET, you are an idiot. (Or maybe Susan Stellin is a terrible journalist - I suspect both.)
Saying entering your credit card number on a public computer is dangerous because someone's watching network packets is ridiculous. Just goes to show how little average users unde
Re: (Score:2)
If properly set up, you wouldn't see any error messages on the client PC as it would have the root CA for the self-signed cert
Re:Utter garbage, Redux (Score:3, Informative)
From SANS WhitePaper:
"The advent of Dug Song's 'webmitm' in late 2000 demonstrated the feasibility of mounting an MITM attack on the protocol, but a properly configured client SSL implementation would warn the user about problems with the server certificate."
So a good SSL client will alarm, because you cannot own the correct CA certificate for the site in question, if the target site does already.
But there is some truth to your assertion, if you are of the Wi
Re: (Score:2)
The above sentence shows how little average users like you understand about online safety, yes.
SSL isn't safe on a public computer. A previous user might have installed (accepted) a Certificate Signing Authority cert, and set the browser to use a remote proxy
Re: (Score:2)
I don't think you can see all the network traffic that isn't actually addressed
to the connection that the packet sniffer is attached to.
At least I've tried this while debugging software. I had to hunt around for
an old style "hub" as opposed to a "switching hub" to connect together all the computers
under test to or I couldn't see any network traffic not addressed to the computer
running the sniffer. I'm not sure how this appl
VPN (Score:2)
Mostly just so my email doesn't go over the airwaves unencrypted, otherwise I don't care much, since most sites I use that ask for passwords use SSL at least for transmitting the password.
Why is it that more sites don't operate completely on SSL, by the way? I've noticed that a lot of sites use SSL just for the password and then drop to a regular HTTP connection after you log in. Why not jus
Re: (Score:2)
Because it takes much more CPU to encrypt every connection. Keep in mind you also have to encrypt every image and included file that you use on an encrypted page. Trying to mix encrypted and unencrypted content will, at the least, give the user a warning dialo
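The mixed-content problem the reply describes is easy to check for before a page ships. The scanner below is an added example written for this thread, not code from any site or project discussed here: it parses an HTML page fetched over https and lists every subresource or form target that would be loaded or submitted over plain http. The page URL and HTML are constructed samples.

```python
"""Find mixed content: http:// subresources referenced from an https:// page.

Added example; the sample page and URLs are constructed and hypothetical."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs whose value makes the browser fetch or submit
# something; a plain-http value on an https page is mixed content.
_FETCH_ATTRS = {
    ("img", "src"), ("script", "src"), ("link", "href"), ("iframe", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"), ("embed", "src"),
    ("object", "data"), ("form", "action"),
}


class _SubresourceCollector(HTMLParser):
    """Collect absolute URLs of everything the page would fetch or post to."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in _FETCH_ATTRS and value:
                # urljoin resolves relative and protocol-relative ("//host/x")
                # references against the https page, so only literal http://
                # references survive as plain http.
                self.refs.append((tag, urljoin(self.base_url, value.strip())))


def find_mixed_content(page_url, html):
    """Return [(tag, absolute_url)] for references that would go over http."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page itself is not served over https")
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.refs
            if urlsplit(url).scheme == "http"]


# Constructed sample: one relative script, one protocol-relative stylesheet
# (both fine), one absolute-http image and one http form target (both flagged).
SAMPLE_URL = "https://www.example.test/account"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="//static.example.test/site.css">
  <script src="/app.js"></script>
</head><body>
  <img src="http://cdn.example.test/logo.png">
  <form action="http://www.example.test/login" method="post">
    <input name="user"><input name="pass" type="password">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag}> -> {url}")
```

Protocol-relative references are resolved against the page's own scheme, which is why they are the usual fix for shared assets; the `form` case matters even though nothing is displayed, since a password posted to an http action leaves the encrypted page.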
Re: (Score:2)
CC numbers? Bank details? (Score:2)
The big issue is probably email which most people still access without encryption.
Re:CC numbers? Bank details? email? (Score:4, Insightful)
Re: (Score:2)
My g/f booked a small hotel recently and they asked her to email a credit card number across. Thankfully she refused, but apparently the hotel was rather surprised at this.
Right Here in My Own Neighborhood (Score:2)
The Newspaper of Record (Score:2)
These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information...
Sounds scary. Maybe there oughta be a law. On the other hand, since when did a tool like, say, tcpdump, typically used for networking troubleshooting, monitoring and analysis, become a tool that's "typically" used for something else?
I have to wonder. The quality of writing in a publication like The New York Times
Re: (Score:2)
There already is a law. Several in fact. Just goes to show how unenforceable they are.
TFA is uninformed (Score:5, Informative)
When you shop on the web, nearly all online stores will be encrypting your credit card and other information needed to check out. There may be some debate as to whether they implemented it properly and one should use caution, but in general SSL is gonna have you covered. Checking your email, at least with a POP3 client, is among the worst things you can do on an unsecured hotspot because far too many email services still don't use encryption for the password exchange. In addition very few email services, POP3 or webmail, encrypt the messages, so basically if you are reading your email, so is someone else. Email is one of the few services that you can still expect to see someone's password come up in plaintext. Even AIM doesn't do that anymore, although the messages are in plaintext unless SecureIM has been turned on for you and the person you are chatting with.
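Both this post and the earlier "Public computers" reply make the same distinction: a session can protect the password exchange without protecting the messages, or protect neither. The checker below is an added example written for this thread, not part of any mail client or of the article; it takes the settings a mail client would have (protocol, port, whether it upgrades with STARTTLS) and the capability list a server advertises, and says what would cross the hotspot in the clear. The capability lines are constructed samples in POP3 CAPA / IMAP CAPABILITY / SMTP EHLO form, not output from a live server, and it assumes the client picks a challenge-response mechanism when the server offers one.

```python
"""Decide what a mail-client account leaks on an untrusted network.

Added example; server capability lists are constructed, not captured."""
from typing import NamedTuple

IMPLICIT_TLS_PORTS = {"pop3": 995, "imap": 993, "smtp": 465}
STARTTLS_KEYWORD = {"pop3": "STLS", "imap": "STARTTLS", "smtp": "STARTTLS"}
# Mechanisms that never send the password itself, only a proof of it.
CHALLENGE_RESPONSE = {"CRAM-MD5", "DIGEST-MD5", "SCRAM-SHA-1", "SCRAM-SHA-256"}


class Assessment(NamedTuple):
    password_in_clear: bool
    mail_in_clear: bool
    note: str


def _auth_mechs(proto, caps):
    """Extract advertised SASL mechanisms from a capability list."""
    mechs = set()
    for line in caps:
        if proto == "pop3" and line.startswith("SASL "):      # "SASL CRAM-MD5 PLAIN"
            mechs.update(line.split()[1:])
        elif proto == "imap" and line.startswith("AUTH="):    # "AUTH=CRAM-MD5"
            mechs.add(line[5:])
        elif proto == "smtp" and line.startswith("AUTH "):    # "AUTH PLAIN LOGIN"
            mechs.update(line.split()[1:])
    return mechs


def assess_account(proto, port, client_uses_starttls, server_caps):
    """Classify one account configuration against a server's capabilities."""
    proto = proto.lower()
    if proto not in IMPLICIT_TLS_PORTS:
        raise ValueError(f"unknown protocol {proto!r}")
    caps = [c.strip().upper() for c in server_caps]

    if port == IMPLICIT_TLS_PORTS[proto]:
        return Assessment(False, False, "implicit TLS wraps the whole session")
    if client_uses_starttls and STARTTLS_KEYWORD[proto] in caps:
        return Assessment(False, False, "session upgraded with STARTTLS")

    note = ""
    if client_uses_starttls:
        # Assumption: a client that wanted STARTTLS but did not get it and
        # continues anyway is on a plaintext session from here on.
        note = "server does not advertise STARTTLS; "

    if _auth_mechs(proto, caps) & CHALLENGE_RESPONSE:
        # This is the half-measure the thread describes: the password is
        # hidden, the message bodies are not.
        return Assessment(False, True,
                          note + "challenge-response login, mail bodies in the clear")
    return Assessment(True, True, note + "plaintext login on a plaintext session")


# Constructed account/server pairs (hypothetical hosts implied, none contacted).
SAMPLES = {
    "pop3s":        ("pop3", 995, False, []),
    "pop3 plain":   ("pop3", 110, False, ["TOP", "UIDL", "SASL PLAIN"]),
    "pop3 cram":    ("pop3", 110, False, ["TOP", "SASL CRAM-MD5 PLAIN"]),
    "imap starttls":("imap", 143, True, ["IMAP4REV1", "STARTTLS", "AUTH=PLAIN"]),
    "smtp no tls":  ("smtp", 587, True, ["SIZE 10240000", "AUTH PLAIN LOGIN"]),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        a = assess_account(*args)
        print(f"{name:14} password_in_clear={a.password_in_clear!s:5} "
              f"mail_in_clear={a.mail_in_clear!s:5} {a.note}")
```

The middle case is the one worth noticing: an account that looks "secure" because the server offers CRAM-MD5 still puts every message body on the air, which is exactly the gap the posts above describe.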
Re: (Score:2)
Logging in to your bank account from random, out of your control computers is equally risky.
Self signed SSL proxies are not that difficult to set up if you think the effort would be worth it.
Of course, the converse applies too... (Score:5, Insightful)
Defcon - Wall of Sheep (Score:2)
Internet cafes, gaming stores (Score:2)
Not sure if it's naivete, or simply an absence of logic. Yes, one would HOPE that such sites routinely sweep their systems for unauthorized software, but frankly, short of re-imaging the hard drive after every user, I'm not sure how they could entirely prevent it.
EVDO (Score:3, Funny)
Terminal rooms in schools (Score:2, Funny)
Re: (Score:2)
The solution? A memo : "No Redirecting the Keyboard"
Problems with the article (Score:5, Interesting)
I had a few problems with the article:
Airport Talk (Score:5, Interesting)
The people he listened to were engineers for one of our suppliers talking about the problems with a product that they were flying down to present information to us about (I was sitting in on these meetings). They were having reliability problems that they never reported to us in the way they talked about it.
You should always be careful what you talk about in public places, you never know who is around and listening.
Conference Call (Score:5, Funny)
Needless to say, we made the "off the air" discussion a part of every call we had with them.
and people don't realize it (Score:4, Informative)
My answer was of course: neither
Doing your banking through a public terminal or even with a personal laptop on an untrusted internet connection in a foreign country is just not a good idea. With a public terminal, you're dealing with keyloggers, spyware, and who knows what else. With the untrusted connection, you're dealing with man-in-the-middle attacks, proxies, and various other issues (and a user who doesn't know that the little messages about unknown authentication are likely indicating an https hijacking attempt).
The added danger of surfing on an insecure, untrusted wifi is even bigger. I would recommend that anyone using a connection not-their-own either refrain from doing anything financial or overly personal online. In my case, I have SSH and VPN tunnels I can setup to my home server for a semi-secure connection, but depending on the location I might not trust even these.
Last login time feature (Score:2)
Stupidest security policy on the road (Score:3, Funny)
wap + no password + old OS = owned (Score:4, Interesting)
1. run windows 98 as your server (in 2005)
2. no passwords on anything
3. lets install a wap
4. passwords are inconvenient on a wap, turn them off
2am Sunday morning, janitorial staff notice a kid in the parking lot sitting next to his bike, typing on a laptop.
Next day, all gone. Except one rude note left on what was left of the fileserver. He basically deleted everything that he could, which was just about everything.
Darwin at work I suppose.
Re:Interesting question (Score:5, Interesting)
The kicker--the manager of the place made the customers pay for the computer time by entering your credit card information into the computers themselves! Needless to say the only thing that kept me from leaving immediately was the 5 minutes I took to laugh in his face.
Re: (Score:2, Interesting)
Re: (Score:2)
Always pay cash though.
Re: (Score:3, Informative)
Re: (Score:2, Insightful)
The typical keyloggers I have dealt with operate as a standard process in the background. Most do not show up on the taskbar but can be stopped from the Process Manager (the Ctrl+Alt+Del applet).
The nastier ones either replace, or patch the keyboard driver. Upon reboot, they run at all times and can only be found by AV s
Re:Interesting question (Score:5, Funny)
Re: (Score:2)
Just a few possible problems with surfing during meetings.