The Problems of Web Surfing in Public Places 176
Krishna Dagli writes to mention a New York Times article about the dangers of public web surfing. The article looks at the sloppy habits people have when using public terminals, and the issues that using a wireless signal in a public place. From the article: "Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels. 'The problem is, the really good people have written sniffer programs so that the less-sophisticated people have access to the same technology,' Mr. Sellitto said. 'Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer.'"
Reading sensitive information in public places? (Score:5, Insightful)
Yeah, but while in a public place, someone looking over your shoulder might be a more realistic worry.
Re:Reading sensitive information in public places? (Score:4, Interesting)
Re: (Score:3, Insightful)
Which solves only half of the problem of course, people can still easily observe and record your typing.
For the technically uninformed that believe the internet is inherently safe to surf and operate on this article may come as a surprise.
True.
What worries me more is the fact that people regard personal/delicate information as just "something they work with". Reminds me of the day we found social security numbers and copies of
Technically unaware on slashdot? (Score:3, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2, Insightful)
I also find it highly amusing that people used to complain about glare from a screen until suitable anti-reflective coatings were developed. Now they pay extra for the Sony X-brite screens (or whatever it's called these days) that look great but reflect a lot.
Re: (Score:2)
Auto-login anybody? (Score:3, Insightful)
Bet it's most.
How many average users do you suppose won't bother/remember to uncheck it?
Re:Auto-login anybody? (Score:4, Informative)
What gets me... (Score:5, Funny)
How many websites you use have a "log me in automatically" checkbox, ticked by default?
What gets me is sitting down to a mocha double soy and finding all these post it notes under the table with elegantly written little bits like 'bad1983girl', 'iluvpuppies' and 'password'...
Re: (Score:2, Informative)
Everyone, even the contractors know the password, and they refuse to change it, Dolts.
Re: (Score:3, Funny)
Re: (Score:2, Interesting)
XP Home needs a couple more steps, but it's just as bad.
Kinda makes any additional security measures pretty futile.
Glaring technical errors (Score:5, Informative)
Who wrote this crap?
Re:Glaring technical errors (Score:4, Informative)
Mind you, I SSL protect my webmail, too.
When used properly (Score:4, Interesting)
It wouldn't be very difficult for a net cafe owner to set up an MIM attack and have their own self-signed certificate. Your browser *should* throw a warning, but most users will happily accept the extra risk without thinking twice (or even reading the error message).
A more involved attack might involve getting a certificate issued for AMAZ0N.COM and the chances are good that you could stage a MIM attack without even a certificate warning appearing.
I also suspect that a fair chunk of users would happily type their information into an order form on Amazon.com even if the connection to them wasn't even https. I'm sure if it "looks like amazon" that'd probably suffice.
Not just the owner (Score:5, Insightful)
That way they can make themselves into the gateway and from there it's trivial to screw with your traffic.
Re:When used properly (Score:5, Insightful)
Um, excuse me? All the workstations in the net cafe will have the cafe owner's CA certificate installed, which will validate all the MIM attack certificates for them (assuming that they didn't just have a modified version of firefox installed that lied about the SSL status). SSL is completely and totally worthless when the attacker controls the workstation you are using.
The only thing SSL does is to ensure that communication between two secure endpoints cannot be accessed by somebody who merely controls the channel between them. It cannot be of any use to you if your endpoint is not secure.
Re: (Score:2)
I'd like to assume my laptop is secure, and I have a certificate based VPN that can get me somewhere else if i need security.
Re: (Score:2)
And since the owner of that net cafe would have full control over those browsers, it wouldn't be too difficult to install their own 'root certificate' and get rid of the warnings.
You'd have to take a close look at the certificate to spot this.
Re: (Score:2)
There's no way at all that you can trust their machine, even if you have the root certificate fingerprints memorized they could still trick you.
Re:Glaring technical errors (Score:5, Informative)
Sounds complicated to do in reality - well there are tools readily available that does EXACTLY what I described above and just about anybody can use them with a few hours of playing around.
So - you do your SECURE SSL encrypted bank transactions over a public or semi public WIFI network. Anybody with a bit of knowledge can crack the wireless encryptions in a matter of 10 minutes, and sniff ALL traffic - including SSL without you having a clue what is going on.
without you having a clue what is going on? (Score:2)
If I am asked about the certificate when I am buying something online or visiting my bank I probably won't read all the details but I will surely be clicking no.
Accessing an SSL site over wireless is perfectly fine if you aren't a cretin.
Re: (Score:2)
Popup warnings from every secure site you attempt to access is become
meaningfull even for the clueless.
Further, the chances of the MITM attacker being ready and prepared to
intercept the particular site you chose to access at that particular
time at that particular Starbucks is pretty small.
(Unless of course you were buying from that Starbuck's website for delivery at table 2, in
which case how many of your Mochas can the MITM at table 5 d
Re:Glaring technical errors (Score:5, Interesting)
Yes - if I had started the attack in the middle of a session it would probably have been obvious, but no - since ettercap was running before I even started logging on - there was no warnings of any kind - just a request from my browser if I wanted to accept the cert or not. Even looking at the cert for Joe Six-pack I would bet it looked pretty ok. You would need to understand the technology behind certificated to know that a self signed certificate is not secure - and honestly - while you and I might do that, how many users of on-line banking know? I am fairly sure that most - if not all - non-IT educated people would readily accept such a cert and therefore in reality browse in the open.
Regarding pop-ups on man in the middle attacks. Well - obviously I went through quite a lot of testing - mostly because I wanted to know what was possible and - if possible - how to prevent it. I did experience a few switches (and that is 2 to be exact out of at least 15 I tried with) that for some reason was not prone to the ARP poisoning, BUT I in those cases the attempt just quietly failed. In all other cases - ettercap happily sniffed just about any connection I tried to make without any hint on the client. The truly scary part is that ettercap can run pretty much unattended and just log whatever passwords it comes across, so I would say it was/is pretty viable to bring a laptop to a Starbucks and let it run for a few hours while I had a cup of coffee - then go home and see what I got. From the ettercap manual:
SSL MITM ATTACK
While performing the SSL mitm attack, ettercap substitutes the real ssl
certificate with its own. The fake certificate is created on the fly
and all the fields are filled according to the real cert presented by
the server. Only the issuer is modified and signed with the private key
contained in the 'etter.sll.crt' file. If you want to use a different
private key you have to regenerate this file.
The key here is that I do not agree with you that the chances of someone being there and ready is pretty small. Someone doesn't need to be ready - just run an application and wait - that is ALL it takes.
So why is this not rampant (as someone else was commenting). Well - I wouldn't know. What I do know is that I just selected ettercap from the standard list of Debian packages and did no configuration whatsoever. I wouldn't know if it run on Windows or if it is hard to install and/or use. I guess in the Starbucks scenario I mentioned, the hard part would be the wep keys, last time I checked that still did require some knowledge and wasn't fully automated, but once on a shared network it does not require much skills.
Screenshots? (Score:2)
Re: (Score:2, Interesting)
Actually I did consider writing that the only reason I could think of was that people are still essentially honest with only a few crooks around - but I decided against it
Re: (Score:2)
If by "reading email", you mean downloading messages from a POP or IMAP server, you're quite right. But that's only a tiny part of the problem. Most email messages can be easily intercepted, not just when the read or sent, but at several points in between.
People seem to be pretty ignorant of this fact. When I worked the help desk for an ISP, I got complaints from folks because we didn't support SSL connections to our email servers. That would be like
Re: (Score:3, Insightful)
I wasn't aware that every email I send and receive has my account password attached to it. Oh, they don't? Then I should probably use SSL to connect to my email server. SSL isn't about protecting the message, it's about protecting the client login.
Re: (Score:2)
Type of data (Score:2)
Neither is good from an information-theft perspective, but dealing with sites that have your financial info generally requires more security.
I read your traffic (Score:5, Funny)
Re:I read your traffic (Score:4, Informative)
However, the real problem is that someone will set up a laptop to sniff an open wireless network and then grep the output for credit-card numbers and MMO passwords. Once they nail a CC#, they can examine the surrounding packets to find expiration dates, names and addresses, and that stupid "security code". MMO passwords can be used to empty a user's inventory for real money.
How many people shop from Starbucks? I dunno. I bet quite a few do. How many play WoW at Starbucks? Probably some.
Re:I read your traffic (Score:4, Informative)
However, the real problem is that someone will set up a laptop to sniff an open wireless network and then grep the output for credit-card numbers and MMO passwords.
While this is somewhat of a concern, the risk is greatly reduced by the fact that the vast majority of shopping sites use SSL to encrypt transactions where credit card numbers are being sent. That would make any sniffing attempts useless.
Hell, even Yahoo has a secure login for email these days.
Re: (Score:2)
The real problem is DHCP/DNS hijacking. With that, your bookmarked www.bankofamerica.com might resolve to MY server. Or better yet, all your HTTPS traffic will be routed through MY server complete with the man-in-the-middle setup.
Sure the certificates will not match or give a self-issued warning. But how many people surfing at StarBucks care about those broken lockpad symbols?
Re: (Score:3, Interesting)
Sure the certificates will not match or give a self-issued warning. But how many people surfing at StarBucks care about those broken lockpad symbols?
Well, the browers should bring up a message that says the certificate isn't valid. That might be a red-flag to a lot of people, especially when visiting their bank. Some people might ignore the popup message like they ignore every message.
But in general I agree that online banking could be a problem at your local Starbucks. I've felt for a long time that ban
Re:I read your traffic (Score:5, Informative)
As far as I know, this is more popular in Europe, and few, if not none of the American banks use this system...
Re: (Score:2)
Re: (Score:2)
Or they could just add a response key for the one time pad the server sends back.
User: 43242efsdfs
Server: 523erfwerwe
Ok, no they both know who they are talking to (at least the end points) so you can login with user/pass under SSL.
Unless you are going to get both a cracked or spoofed (again, the ONE fucking thing the normals got right is looking for a certificate and the lock symbol) and do it in _real_time_ it's easy.
In fact, I like the scratch card idea so much I am going to pitch it to my CU.
Plus
Re: (Score:3, Interesting)
Actual numbers. Google it for yourself.
Man-In-The-Middle Attacks (Score:2, Informative)
Maybe you don't know, but SSL is useless vs local sniffing because of things like ARP Poisonning ect. SSL is fundamentally broken. Consider every SSL connection you send wirelessly (short of using WPA) to be plaintext. Don't even dare connecting to your bank with it.
Re:Man-In-The-Middle Attacks (Score:4, Insightful)
Maybe you don't know, but SSL is useless vs local sniffing because of things like ARP Poisonning ect.
That's why SSL certificates are signed. As long as the certificate issuers are doing their jobs and only giving out signed certificates for www.myURLNameHere.com to the actual owner of www.myURLNameHere.com, and people actually don't complete transactions when a warning of a self-signed certificate comes up, you're fine. The cert issuers are pretty good (I haven't heard of any real problems). Some people do ignore cert warnings, but that's the risk they take. I know to take cert warnings seriously when entering in secure information, so the risks to me are minimal.
Re: (Score:3, Informative)
Re: (Score:2, Insightful)
Keystroke Recorder
You could have a 42 layer vpn/xyz/hypercryption tunnel but if the keystrokes are being logged then you are Foxtrot Uniform Charley Kilo Echo Delta #Bang #Bang
Re:I read your traffic (Score:4, Funny)
Hardware keyloggers suck. (Score:3, Interesting)
Re: (Score:3)
Yes you can, with a virtual keyboard. xvkbd works for me.
Re: (Score:2, Interesting)
Nobody ever logs out. (Score:5, Funny)
I used to work at an Apple store across the street from a high school. I would estimate that 75% of the packets coming into that store came from myspace.com. Of course, these kids would never log out, which meant you could walk up to just about any computer, launch safari, go to myspace and start editing the profile of whomever last used the computer. Favorite edits included
Re: (Score:2)
Re: (Score:2)
We did something similiar when I was in Kosovo. Hotornot was all the rage and 9 times out of 10 the last guy to use a computer in the internet center wouldn't log out. Change his preference from Heterosexual to Homosexual and the guy would check his account the next day and have 10 messages addressed to Cute Sold
Re:Nobody ever logs out. (Score:4, Funny)
Shouldn't you be practicing homosexuality, doing drugs, or checking your myspace at the Apple store right now?
Re: (Score:3, Funny)
AC said: So when you see open windows in houses, you just jump in and trash things, I take it?
No, but I would think it was funny to rearrange a church's "Bingo night" sign to say "Bong night."
Oh, grammar nerds, was the period in the last sentence supposed to be inside or outside the quotes. I don't need any more kickings.
Re: (Score:3, Funny)
Re:Nobody ever logs out. (Score:5, Interesting)
Hackers tend to use quotes as balanced delimiters like parentheses, much to the dismay of American editors. Thus, if "Jim is going" is a phrase, and so are "Bill runs" and "Spock groks", then hackers generally prefer to write: "Jim is going", "Bill runs", and "Spock groks". This is incorrect according to standard American usage (which would put the continuation commas and the final period inside the string quotes); however, it is counter-intuitive to hackers to mutilate literal strings with characters that don't belong in them. Given the sorts of examples that can come up in discussions of programming, American-style quoting can even be grossly misleading. When communicating command lines or small pieces of code, extra characters can be a real pain in the neck.
Consider, for example, a sentence in a vi tutorial that looks like this:
Then delete a line from the file by typing "dd".
Standard usage would make this
Then delete a line from the file by typing "dd."
but that would be very bad -- because the reader would be prone to type the string d-d-dot, and it happens that in vi(1), dot repeats the last command accepted. The net result would be to delete two lines!
[...]
Interestingly, a similar style is now preferred practice in Great Britain, though the older style (which became established for typographical reasons having to do with the aesthetics of comma and quotes in typeset text) is still accepted there. Hart's Rules and the Oxford Dictionary for Writers and Editors call the hacker-like style 'new' or 'logical' quoting. This returns British English to the style many other languages (including Spanish, French, Italian, Catalan, and German) have been using all along.
Re:Nobody ever logs out. (Score:4, Funny)
Funny you should mention that, I used to do that too. I worked for a porn hosting company (imagine how much different it was to work for Apple) where people on different shifts shared the same Windows 2000 workstations. IIRC, the registry had a different key for each user on the box, so we would go in and change other people's wallpaper to Tiger-beatesque Backstreet Boys wallpaper and such. I often thought about doing the screenshot of the desktop thing, I bet it was awesome.
Pagers were the other key element of office fun. The back page of the Phoenix New Times used to have these local numbers that would play a recording that told you all the 1-900 numbers for whatever kind of phone sex floated your boat. I would page the engineers sitting in the next desk with those numbers and listen when they called. When they got confused it was funny, when they used the speakerphone it was epic.
I think I might have figured out why the job search is taking so long.
What was this story about again?
Re: (Score:3, Interesting)
Now, for whatever reason, my Powerbook with OpenVPN will, with seemingly random frequency, crash all but the most industrial-strength access points. Iowa State University wireless was about the only
Re: (Score:2)
Obligatory.. (Score:5, Funny)
Next we're going to look at the issues that posting without editing.
Re: (Score:2, Funny)
Re: (Score:2)
More reason to listen to the End-to-End Argument (Score:4, Informative)
That's all the more reason to listen to The End-to-End Argument [mit.edu] [PDF]. (Wiki link [wikipedia.org] if you don't want a PDF.)
Never trust the network!
Although, I suppose VPNs technically don't adhere to the end-to-end argument, exactly..
Anyone recommend VPN provider? (Score:3, Interesting)
1. Will provide a static IP address so I can run services like SMTP and HTTP
2. Will easily work with some version of firmware on my wireless router, a WRT-54G. This way I can provide
seemless access to the rest of the machines on my network without running VPN software on them.
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:3, Informative)
You could get a cheap hosting account that offers SSH and open a SOCKS tunnel on your machine or router and point your browser at that. DNS will be resolved on your hosting company's server (for SOCKS 4a and 5), and everything will be encrypted until it leaves the hosting company's server, at which point it will about as secure as any other wired connection (which is to say, not at all to the determined cracker). You also get the benefit of the static IP address and ability to run mail and web servers. C
Re: (Score:2)
I'd move. (Really. What the hell is this world coming to?)
Joe
Re: (Score:3, Interesting)
Re: (Score:2)
Really. I live in a small town. Everyone knows everything about everyone, even if it isn't something that you will read in the paper; who is doing and selling drugs, where you can place a bet, who the corrupt and or inept folks in government are, who Jimmy's real daddy is. I've lived in larger cities; I like leaving my door unlocked. I trust my neighbors. (yes, I trust that the corrupt will bend to the highest bidder.)
How will
Re: (Score:2)
So you trust anonymous ISP employees and unknown website owners, but you don't trust your neighbors?
Basically, yes. ISPs have policies against looking at peoples internet traffic without reason, and have penalties like getting fired for sniffing internet traffic. My neighbors have no policies, no penalties, and no monitoring of what they're sniffing. I don't particularly want them reading all my email. There's nothing all that particularly interesting to see, but I value my privacy.
security in internet cafees (Score:4, Interesting)
Assuming I cannot trust the browser on that pc to correctly encrypt my traffic even on https sites, I cannot install any vpn software, and I cannot be sure that there are no keyboard loggers.
So, somthing like a java applet (stored on a secure webserver), that I can load, and that opens a browser-in-a-browser, encrypting all traffic, with an added on-screen-keyboard to defeat keyboard loggers?
It would not be absolutely safe, since a good sniffer could also monitor the screen and the mouse movements, but it would be better than nothing.
In case you are interested... (Score:3, Funny)
And people call *ME* paranoid
Re:In case you are interested... (Score:4, Funny)
Re: (Score:2, Insightful)
Re: (Score:2, Interesting)
Short answer: No (Score:2)
Re: (Score:2)
didnt read tfa (Score:2, Interesting)
this is a good one, anyone buy any amazon books lately? take a look here.
At first glance. (Score:5, Funny)
When I first read that, I thought it was going to talk about people picking their nose/teeth/ears while using the terminals. I wonder what those dangers are? "What's that green thing on the key there? EWWWWWWWWWWWWWWwwwww..."
I just happened to write about that (Score:2)
http://www.micheldonais.com/archives/44 [micheldonais.com]
I guess I wasn't the only one that got interested in that. That's not counting books on the topic, or anything.
Look At All Of These Passwords! (Score:2, Informative)
The Bottom Line (Score:3, Interesting)
As for Wireless networks. Look, if it's broadcast, ANYONE, can pick it up. The right person, with the right skills, and the right motivation, and the right amount of time, can do whatever they want with the contents of said broadcast.
Your cell phone conversations are not secure, your computer's files and transmissions over a wireless network are not secure. Granted cracking certain types of wireless encryption may be impossible from a practicle standpoint, but that doesn't mean it's safe. Capture the packets, and crack them at your leisure.
Want security? Stick with Ethernet, just don't let anyone too close to the cables, or the equipment.
Re: (Score:2)
4096-bit RSA for key exchange. Blowfish for stream encryption. lzo compression before encryption.
How long will that take to break? I think we're approaching theoretical impossibility. And how many packets can you really capture? I send DVD images over my VPN, over the wireless. Unless Google or Microsoft desperately wants so
Re: (Score:2)
A lot.
For my info to be compromised, that means you have to capture enough of my packets for it to matter, and then there has to be a significant breakthrough in crypto tech. Which means that the storage space starts to get prohibative unless you're specifically targeting me. If you are, that almost certainly means there has to be some financial gain to you -- that is, you must be looking for, say, access to company servers, or credit
Just wondering... (Score:5, Interesting)
I'm not asking because it can't be done. Obviously unsecured wireless networks are very easy to monitor. But the issue here is I'm constantly amazed at the focus people have on the security of transmission, rather than spyware on their machines or the potential security of end servers which seem to me to be a lot more vulnerable and ripe for attack on the kind of scale that's actually useful to criminals.
Often the same people will happily hand over their credit cards to be taken out the bank of a resturaunt, fax or phone cc details through to businesses or throw out printed receipts with their full details (and signature).
Why this obsession with HTTPS?
Re: (Score:2)
All the CC company knows is that last week you placed an order for that anime keychain your friend showed you while you were surfing on the 's wifi connection, and three hours later you ordered an Alienware machine and had it shipped to a place you didn't live.
Its clear after the frantic calls and sleepless nights that someone spoofed your credentials, but how they did it is another story. Using a wifi connection or a public terminal always has s
Re:Just wondering... (Score:4, Insightful)
They same reason people buy car alarms that will be ignored when they go off, or guns that they don't have the training to use. People want some technological solution to their security problems. They don't want to go through the hassle of doing a real security strategy. The real purpose of most security technology is not to provide security, but to provide the feeling of security.
Re: (Score:2)
There was the Salcedo-Botbyl case involving an unsecured wireless network at Lowe's, but it's kind of marginal: they apparently modified software on the Lowe's network as opposed to passively scanning, their modified software only logged half a dozen credit card numbers, and they got caught before they retrieved them.
There's more worry about Internet traffic because croo
Re: (Score:2)
Re: (Score:2)
Why this obsession with HTTPS?
Because computers are evil so of course they are unsafe. Who would dream that just by swiping a cc at a gas station pump your card's data could be stolen? There have been organized rings that intercepted all the cc data of the "pay at the pump" info. You aren'
SOCKS proxies rock. (Score:3, Informative)
I just use an SSH-based SOCKS proxy for my secure wireless surfing needs. I've got a Linksys router set up back at home that I loaded with Linux.
You can read a guide I wrote a while back on how to do this here [the-engine.org]. FF, Thunderbird, and GAIM all support SOCKS proxies, so it works out great for me. Only problem is your DNS traffic goes out unencrypted, but that isn't necessarily a big deal, unless you are visiting something along the lines of www.penisland.net.
Re: (Score:2, Funny)
Am I missing something?
JB
Cain-n-Able (Score:3, Interesting)
Police scanners (Score:2, Interesting)
Getting a URL wrong in a public place embarresment (Score:2, Funny)
I was at a public access terminal in an airport. The terminal was set up so no new windows could be opened. Ever heard of the web comic Sinfest [sinfest.net] ? I read it daily. Did you know there is also a sinfest.org ? I got confused. Never have I had to close so many pop-up windows so quickly while also trying to click on the HOME button
Open WiFi Cafe' - opinion (Score:2, Insightful)
The Cafe has one 1 public PC for the use of anybody (also on wireless network)
What i told her is to never do anything critical on the public PC. Then i showed her from my flash drive how fast i could install Cain+Able (or similar) and extract protected passwords to a
I would never abuse patron's info, because it is
Re: (Score:2)
Re: (Score:2)
http://www.vmware.com/vmtn/appliances/directory/c
Re: (Score:2)
The story is getting out. One of our local TV stations set up a guy with a sniffer in a coffee shop. "Someone -- I suspect that girl in the corner -- is messaging her boyfriend right now."
Re: (Score:3, Funny)