
Web Surfing in Public Places Is A Way to Court Trouble 274

We had a story come in from the New York Times reminding people that web surfing in public places is a way to court trouble. There's nothing in the story that is hugely new, but it does lead to an interesting question. What are the worst "on the road" security setups you've seen?
  • Public websurfing (Score:5, Informative)

    by SoVeryTired ( 967875 ) on Monday October 23, 2006 @10:17AM (#16546090)
    Public websurfing is an inherently dangerous thing to do. If you don't believe me, check out the "security now" article on ARP cache poisoning.

    http://www.grc.com/nat/arp.htm [grc.com]

    It's the scariest thing I've seen since the last time I was tricked into clicking a link to Goatse.

  • TFA is uninformed (Score:5, Informative)

    by Facekhan ( 445017 ) on Monday October 23, 2006 @10:42AM (#16546400)
    These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information -- which is why Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay.

    "Where I'd draw the line is putting in your bank account information or credit card number," he said, adding that checking e-mail messages probably is not that risky, but if you want to be cautious, change your password once you are on a secure connection again.


    When you shop on the web, nearly all online stores will be encrypting your credit card and other information needed to check out. There may be some debate as to whether they implemented it properly and one should use caution but in general SSL is gonna have you covered. Checking your email, at least with a pop3 client, is among the worst things you can do on an unsecured hotspot because far too many email services still don't use encryption for the password exchange. In addition, very few email services, pop3 or webmail, encrypt the messages, so basically if you are reading your email, so is someone else. Email is one of the few services where you can still expect to see someone's password come up in plaintext. Even AIM doesn't do that anymore, although the messages are in plaintext unless SecureIM has been turned on for you and the person you are chatting with.
  • by NixLuver ( 693391 ) <stwhite&kcheretic,com> on Monday October 23, 2006 @11:23AM (#16546888) Homepage Journal
    It's not a VPN if it's not encrypted, it's just a tunnel. The Private is the important thing. A VPN is a system for creating secure private networks over 'unfriendly' or 'unsecured' networks.
  • Re:Denver Airport (Score:5, Informative)

    by Crisavec ( 112287 ) on Monday October 23, 2006 @11:24AM (#16546904)
    He wouldn't have seen/done much, as there is NO North Concourse at DIA. There's Terminal East and West(same building, different sides) and then Concourses A, B and C. Baggage is in the main Terminal.
  • by MMC Monster ( 602931 ) on Monday October 23, 2006 @11:27AM (#16546958)
    If you are that essential to a business that you need your email while on vacation, you can afford a mobile phone and have a secretary read you the highlights. If you need network access for work while on a trip, you should have the work get you a laptop. They're cheap enough.
  • Re:Public computers (Score:3, Informative)

    by ConceptJunkie ( 24823 ) * on Monday October 23, 2006 @11:44AM (#16547160) Homepage Journal
    Since when does VPN = Encryption?

    Well, if it's a Virtual Private Network, I'd hardly see how it could be unencrypted.

  • by NixLuver ( 693391 ) <stwhite&kcheretic,com> on Monday October 23, 2006 @11:46AM (#16547178) Homepage Journal
    Man-in-the-middle is not that trivial, my friend.

    From SANS WhitePaper:

    "The advent of Dug Song's 'webmitm' in late 2000 demonstrated the feasibility of mounting an MITM attack on the protocol, but a properly configured client SSL implementation would warn the user about problems with the server certificate."

    So a good SSL client will alarm, because you cannot own the correct CA certificate for the site in question, if the target site does already.

    But there is some truth to your assertion, if you are of the Windows Ilk:

    "One faulty SSL client implementation, Microsoft's Internet Explorer, allows for transparent SSL MITM attacks when the attacker has any CA-signed certificate."

    Sweet! ANOTHER reason I can't wait to run Boot Camp and install Windows.

  • by postbigbang ( 761081 ) on Monday October 23, 2006 @11:49AM (#16547224)
    PPTP uses a hash. It's tough to crack, save very early editions, which were like wet paper.

    IPSec VPNs use a seed of some kind (they vary according to the implementation) or use a temporal key.

    SSL uses a nice scheme that's difficult to crunch.

    NONE OF THEM, however, protect against keyloggers and their variants. If you look at the wire or air with a sniffing device, however, you'll need to have cracked whatever encryption scheme has been implemented. IPSec with a TKIP/RADIUS-based authentication method is pretty tough to break.... unless you have a keylogger someplace or you can dictionary-attack weak stuff.
  • Re:Denver Airport (Score:3, Informative)

    by Alkivar ( 25833 ) * on Monday October 23, 2006 @12:05PM (#16547456) Homepage
    it was "Denver" last time I went through that airport...
  • by phorm ( 591458 ) on Monday October 23, 2006 @12:11PM (#16547554) Journal
    I got a call from my uncle recently asking if (during his upcoming trip to Thailand /w his wife) he should bring his laptop so that he could get online, or whether he might be able to connect from public terminals. After discussing what he wanted to do, he indicated that he would like to get online to do his internet banking so that they could handle any bills etc while away.

    My answer was of course: neither

    Doing your banking through a public terminal or even with a personal laptop on an untrusted internet connection in a foreign country is just not a good idea. With a public terminal, you're dealing with keyloggers, spyware, and who knows what else. With the untrusted connection, you're dealing with man-in-the-middle attacks, proxies, and various other issues (and a user who doesn't know that the little messages about unknown authentication are likely indicating an https hijacking attempt).

    The added danger of surfing on an insecure, untrusted wifi is even bigger. I would recommend that anyone using a connection not-their-own refrain from doing anything financial or overly personal online. In my case, I have SSH and VPN tunnels I can set up to my home server for a semi-secure connection, but depending on the location I might not trust even these.
  • Re:Utter garbage (Score:2, Informative)

    by gnomeza ( 649598 ) on Monday October 23, 2006 @12:18PM (#16547682) Homepage
    Even wired switches are vulnerable to ARP cache poisoning [wikipedia.org].
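
    Added example, not part of the original thread: a defender-side check for the ARP cache poisoning mentioned in the comments above, comparing two snapshots of a Linux `/proc/net/arp` table. The snapshots, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample snapshots in Linux /proc/net/arp format (not captured data).
HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
BEFORE = HEADER + (
    "10.0.0.1         0x1         0x2         00:aa:bb:cc:dd:01     *        wlan0\n"
    "10.0.0.23        0x1         0x2         00:aa:bb:cc:dd:17     *        wlan0\n"
    "10.0.0.40        0x1         0x0         00:00:00:00:00:00     *        wlan0\n"
)
AFTER = HEADER + (
    "10.0.0.1         0x1         0x2         00:aa:bb:cc:dd:17     *        wlan0\n"
    "10.0.0.23        0x1         0x2         00:aa:bb:cc:dd:17     *        wlan0\n"
)

def parse_arp(text):
    """Return {ip: mac} for complete entries; skip the header and unresolved rows."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hw_type, flags, mac = fields[:4]
        # Flag bit 0x2 marks a completed entry; 0x0 rows carry an all-zero MAC.
        if int(flags, 16) & 0x2 and mac != "00:00:00:00:00:00":
            table[ip] = mac.lower()
    return table

def find_anomalies(before, after, gateway):
    """Flag a changed gateway MAC and any MAC that now answers for several IPs."""
    old, new = parse_arp(before), parse_arp(after)
    findings = []
    if gateway in old and gateway in new and old[gateway] != new[gateway]:
        findings.append(("gateway_mac_changed", gateway, old[gateway], new[gateway]))
    owners = defaultdict(list)
    for ip, mac in new.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        # A shared MAC can be legitimate (proxy ARP, multi-homed router),
        # so treat this as a lead to investigate, not proof of poisoning.
        if len(ips) > 1:
            findings.append(("mac_shared", mac, tuple(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(BEFORE, AFTER, gateway="10.0.0.1"):
        print(finding)
```
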
  • by wx327 ( 782536 ) on Monday October 23, 2006 @12:27PM (#16547826) Homepage
    I installed OpenVPN on my home desktop machine, and whenever I am on the road I connect my laptop to whatever available internet connection and VPN back to my home network. Configuration is set so ALL of my traffic is automatically routed through the home network then back onto the internet. No proxy changes needed as the OpenVPN config can be set to make your computer use the VPN as the default gateway. If you want to try something like this, send me a note and I'll dig up the URL that was the most useful when I was setting this up.
  • by SallyShears ( 451561 ) on Monday October 23, 2006 @04:30PM (#16551338) Homepage Journal
    From hotel rooms: I do use the hotel LAN with my laptop. I immediately create an SSH tunnel to my own server and handle mail through the tunnel. I surf the web on my laptop. I will enter name, userid, password on familiar sites with SSL protecting the connection from my laptop to the known server.

    At public computers: I assume that the machine has a keystroke logger. Never enter anything remotely sensitive on such machines. Never log in to anything from a public computer.

    Now, I often want to print a boarding pass or a document of mine. Here's my routine: Print to PDF on my laptop, upload the PDF from my laptop to my own web server with sftp. Name these a.pdf, b.pdf, etc. The web server is set up so no one can get a file list for any directory. On the public machine, point the browser to www.mydomain.com/a.pdf and print. Later, from my laptop I'll log in and delete the files.

    Most airlines let you get a boarding pass with conf number and name, no login required. The confirmation number is like a one-time password. Someone was thinking.

        -- Sally
