Web Surfing in Public Places Is A Way to Court Trouble

We had a story come in from the New York Times reminding people that web surfing in public places Is a way to court trouble. There's nothing in the story that is anything hugely new - but it does lead to an interesting question. What's the worst "on the road" security setups you've seen?

classic diligence, albeit in a modern world

[yagu]

I remember sitting behind (I discovered later) an attorney on a business trip once. It was business class, and he had laid out all around him paperwork and documents busily reading and making notes. In addition to being behind him, I was beside myself with curiosity -- what kind of "stuff" would an attorney read on a plane?

I succumbed and started reading. Interesting, I was reading the IPO strategies and schedules for a startup company in the bio-medical field. And coincidentally in minutes I realized these were notes for the IPO of a bio-med company I was consulting for in my personal time! Probably mostly no harm, no foul, but it was an eye-opener for me to realize what kind of information people expose unwittingly, technology or not.

While wireless could make for more surreptitious spying, it seems to me once again (just like "security") the biggest risk and danger is from the lack of due diligence... striking up a conversation in the concourse bar and saying a little bit more than you probably should would be my bet on spilled beans.

I could even think it might be safer with everyone traveling with laptops, I once did an informal (and anecdotal) caucus, and on one business trip observed about 95% of any laptop users playing solitaire or some game with their computers.

Now all you need..

[Channard]

Is a video camera built into your glasses, with a wire that goes down into your pocket to the battery and 30GB hard drive. Hey presto, inside information that can be reviewed at a later date.

Re:

[meringuoid]

a video camera built into your glasses, with a wire that goes down into your pocket to the battery and 30GB hard drive. Hey presto, inside information that can be reviewed at a later date.

That, and a bowel disruptor, several drug habits, and two filthy assistants.

Re:classic diligence, albeit in a modern world

[gEvil (beta)]

So how much money did you make on that particular IPO? :-D

Re:

[ronanbear]

Or how much money didn't you lose?

Or how might it have helped negotiating your consulting fees? What would you have done if you heard that there had been trouble over a leak of information?

Re:

[Hoi Polloi]

"I once did an informal (and anecdotal) caucus, and on one business trip observed about 95% of any laptop users playing solitaire or some game with their computers."

I needed a laptop for a biz trip to a software convention in SF CA. I was giving a talk and was reviewing my notes. But the thing the laptop was best for was killing the time during the flight. I was playing Nethack and even got a double take and knowing smile from a fellow techy who was walking down the aisle.

Re:

[networkBoy]

I had someone ask "what's that" to which I replied "nethack". They instant assumed I was some evil hacker and informed the gate personel. Sucky day for me.

I had to explain that it was a game "see it's in my games folder" and that it was also available as a GUI "see here it is with pictures". Wasen't till I showed them my badge and business cards from the multinational that I work for that they started beliving me.

After that I only played in GUI mode while in public. (ASCII at work though, 'cause anyone

Re:classic diligence, albeit in a modern world

[Control Group]

This reminds me of an anecdote I read somewhere, the details of which I mostly forget. So I wouldn't believe it, if I were you, but it's still amusing.

Dr. Smith is a medical researcher, helping run one end of a typical double-blind clinical trial of Unobtainasil, a new drug which is hoped to treat a severe condition. He's flying to Switzerland for a conference of some kind.

While in the airport, he happens to sit down next to Dr. Jones, whom he met a while back at another conference. They get to talking shop, as is not surprising - and it eventually comes out that Dr. Jones is also working on the clinical trials of Unobtainasil.

With great dismay, they realize they've just compromised the trial, and all the data will probably need to be thrown out.

Whoops.

Moral of the story: never talk about anything with anyone.

Denver Airport

[Anonymous Coward]

North Concourse - Baggage Claim WiFi. 100 percent open SSID. You can easily Guess the password. Took 1 try for me. Then you have access to the entire net, as well as (i can imagine) some other wonderful things that I did not choose to endevour into...

Re:

[ScottyH]

"bags"?

Re:Denver Airport

[Crisavec]

He wouldn't have seen/done much, as there is NO North Concourse at DIA. There's Terminal East and West(same building, different sides) and then Concourses A, B and C. Baggage is in the main Terminal.

Re:

[XMyth]

No, it's 'terrorist' obviously.

Re:Denver Airport

[__aaclcg7560]

"snakes" :P

Re:

[Alkivar]

it was "Denver" last time I went through that airport...

Public computers

[spineboy]

I won't do anything on a computer that requires a password that I care about from a 'puter that isn't my home computer. It's too easy for someone else to install a key logger program, etc. I'm always amazed at the number who access their on-line banking from a terminal in the nurses lounge, etc.

I still won't access it from work from my personal office computer, cause ; 1) it runs Windows, and 2) it's on a network and the security guys are always running "updates" -who knows what's in there.

Re:Public computers

[denebian devil]

My biggest issue has always been what am I willing to do or not do when I'm in various situations: on a friend's computer, a wired kiosk, a non-secured wireless connection using my own computer, etc., and the heartache that comes with those decisions.

I find this comment in the article very interesting:

"Where I'd draw the line is putting in your bank account information or credit card number," he said, adding that checking e-mail messages probably is not that risky, but if you want to be cautious, change your password once you are on a secure connection again.

That said, if you gain access to your corporate network through a V.P.N., or virtual private network, you are safer using public hot spots, because your data is encrypted as it travels between Gate 17 and your office's server, where it is decoded before going to its destination.

Technically, putting in your bank information or credit card information at most respectable websites should be more secure than checking email, because most major banking institutions or sites that accept credit card numbers do so using SSL, which should be safe even if being broadcast over any wireless connection. And they even accept the secure nature of VPN encryption, but don't bother mentioning the encryption available for most banking/CC transactions. On the other hand, most people don't check their email over a secure connection, because either secure email is unavailable to them, or secure email is not the default and they don't know better than to use the default, or only the password is broadcast securely while the emails themselves are still sent in plain text.

That being said, I still avoid sending banking records, CC numbers, and even secure email over non-secure wireless connections, unless it is absolutely necessary, and tend to be very choosy about which of my friends' computers I will use to access my most valuable information. Guess I just can't take off that tin-foil hat!

Re:Public computers

[jonwil]

SSL doesnt help when the machine you are using is running a software or hardware keylogger.

Re:

[Brickwall]

I find this comment in the article very interesting: "Where I'd draw the line is putting in your bank account information or credit card number," he said, adding that checking e-mail messages probably is not that risky, but if you want to be cautious, change your password once you are on a secure connection again. That said, if you gain access to your corporate network through a V.P.N., or virtual private network, you are safer using public hot spots, because your data is encrypted as it travels between

Re:

[account_deleted]

Comment removed based on user account deletion

Virtual *Private* Network

[NixLuver]

It's not a VPN if it's not encrypted, it's just a tunnel. The Private is the important thing. A VPN is a system for creating secure private networks over 'unfriendly' or 'unsecured' networks.

Re:

[ConceptJunkie]

Since when does VPN = Encryption?

Well, if it's a Virtual Private Network, I'd hardly see how it could be unencrypted.

Re:

[ConceptJunkie]

When I'm in the bathroom, I'd really appreciate some privacy, but it's not like nobody knows what I'm doing in there!

Posting to /., of course.

Consider the three basic VPN security methods

[postbigbang]

PPTP uses a hash. It's tough to crack, save very early editions, which were like wet paper.

IPSec VPNs use a seed of some kind (they vary according to the implementation) or use a temporal key.

SSL uses a nice scheme that's difficult to crunch.

NONE OF THEM, however, protect against keyloggers and their variants. If you look at the wire or air with a sniffing device, however, you'll need to have cracked whatever encryption scheme has been implemented. IPSec with a TKIP/RADIUS-based authentication method is pretty tough to break.... unless you have a keylogger someplace or you can dictionary-attack weak stuff.

Re:

[Fred_A]

Since we're on the topic of comments, I particularly liked that one from some guy from the Federal Bureau of Made-up Statistics :

Still, the most recent computer crime and security survey, conducted annually by the Computer Security Institute with the Federal Bureau of Investigation, found that the average loss from computer security incidents in 2005 was $167,713 per respondent (based on 313 companies and organizations that answered the question).

Wow, you could buy that 911 document [wikipedia.org] that got leaked a few ye

Re:

[Angostura]

I would hope that your bank has a Web site immune from threat by key-loggers. If not, change banks.

Re:

[CastrTroy]

How exactly do you propose to stop this? How do you make a web site that's immune to the threat of keyloggers, or in the more general sense, programs on client's machine that monitor what they do, either keypresses, or mouse clicks and screenshots?

Re:Public computers

[bsane]

The login process an ING would stop keyloggers. Kind of hard to explain, but basically you have to enter a piece of your authentication info using an onscreen keypad. The numbers on the keypad are mapped to keys (the change every time), so you can use a keyboard to enther the info, but the keystrokes would be different everytime.

Re:Public computers

[CastrTroy]

This solution, and the one your sibling poster pointed out, do stop keyloggers, but don't stop the general case of software on the client machine that monitors what they are doing. You could just as easily write a program that records mouse clicks, and screen shots, to see what they are clicking on. Maybe just record a square 128x128 pixels centred around the cursor, and save it compressed in 16 colours so you wouldn't have to store so much information. Maybe they could just attach something to whatever module is being called to encrypt the information for sending it over ssl, so they record all the information that you are sending out over ssl. The point is, is that it's impossible for the person designing the website to protect against malicious software running on the users machine. If the machine is insecure enough to have a keylogger, it's hard to say what other kinds of software may be presesnt on the machine.

Re:Public computers

[pclminion]

If the machine is insecure enough to have a keylogger, it's hard to say what other kinds of software may be presesnt on the machine.

We Have The Solution: Announcing the CryptoGoggle 9000. Supported by dozens of popular websites, our technology causes websites to be displayed as a random mash of blended colors. By donning the CryptoGoggle 9000, this incomprehensible mishmash can be magically unscrambled before your very eyes! Take the CryptoGoggle 9000 everywhere you go! Weight 26.4 pounds, shipped weight 34.1 pounds. And as a bonus, you get to look like a special forces secret operative while using it! Only $1,999.99, while supplies last! Order yours today!

Re:

[Hobbled Grubs]

One solution is a box with numbers randomly distributed inside it. You click on the numbers to enter your password. Saving mouse clicks will not work because the box never has the same distribution of numbers. You would have to screen capture all the time which isn't feasible. Of course, you could combine a mouse click monitor with a screen capture of the region around the mouse.

Re:

[NMerriam]

I would hope that your bank has a Web site immune from threat by key-loggers. If not, change banks.

I'm not even sure what that means. Most banks (here in the US) just use a user/password combination that it easily logged if your system is compromised. I know elsewhere many banks have smart cards with one-time use PINs and such, which we'd love to have, but it just isn't an option for most Americans.

Re:

[Compulsion]

You mean captchas? captchas won't fool a keylogger. The important stuff will already have been recorded.

However if the captcha is "Which one of these is your mother?" or some other piece of info that is specific to you, then that would make the data thief's job a little harder.

The using the randomly-ordered on-screen keypad to enter data is a pretty clever solution, though.

Re:

[caluml]

I won't do anything on a computer that requires a password that I care about from a 'puter that isn't my home computer.

Carry round Knoppix/Ubuntu/Gentoo Live CD. Boot off that, and you're safe. Apart from hardware nonsense, which you're probably OK with at a friends house. Depending on your kind of friends.

Re:

[caseih]

While that does decrease the risk somewhat, the risk is still there. My friend once showed me a keylogger he designed that would fit right inside the old AT-style keyboard plug. No software required. Of course that was years ago, but it's still possible that something like this could happen on computers in public places. This is a bit paranoid, granted. Maybe you can use knoppix and then change your bank passwords shortly after.

Best security ever

[protocoldroid]

The worst security? Man, it might be easier to say the best security. At a cellphone store with my brother, he looks at a blackberry and says "...it's overkill, but, probably handy if you need to get online all the time, check email etc". So, I take my PSP out of my pocket, and in about 15 seconds, I show him gmail. Every idiot seems to have unsecured wireless.

The best security ever, was with my same brother. I woke up early while staying at his place, and wanted to check my mail. I dipped outside to see

Cheap software

[crazyjeremy]

It's fun to connect with my ipaq... then use VMNet browser to search for other machines with shares and no security... I find all kinds of "shareware" in their public folders but I do not risk getting bitten by win32 viruses since I'm on a pocketpc machine.

I have found sales documents, salary proposals, resumes and even documents discussing why or why not people should be fired from their company.

Sensationalist, at least about wireless

[markov_chain]

From TFA:

These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information -- which is why Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay.

Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels.

Have these guys heard of SSL? SSH? Can you say overkill? And who is this Sellitto guy, sounds like a liberal arts major that can't cut it in a real security field. *breathes into paperbag*

Re:Sensationalist, at least about wireless

[timeOday]

Exactly. I think this article is extremely ignorant:

Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay. "Where I'd draw the line is putting in your bank account information or credit card number," he said

You will have a very hard time finding any online shopping site that transmits a credit card number without SSL. If you find one, you shouldn't be entering your credit card number there, either from home or at the airport it makes no difference. (All this is assuming you're using your own laptop; you can't trust a publicly accessible Internet terminal for anything). Anyways, people don't steal credit card numbers by going to the airport and sitting around waiting for somebody to send one unencrypted; they steal them by breaking into a website and grabbing its database so they can get thousands at a time. Or they buy them at a few cents per, from somebody who already did that.

Re:Sensationalist, at least about wireless

[freeweed]

These guys must be part of my upper level of management.

I tried to install Ethereal to diagnose some issues on the LAN that normal host-based diagnostics would never catch. Had to do with EBCDIC-ASCII translations, so each host always disagreed with what was sent out on the wire. IT security freaked, calling it a "hacker's tool". I explained patiently that our LAN was segmented enough that they needn't worry, I wasn't about to be stealing the CEO's password. Still no go.

I ended up installing the damn thing anyway, confirmed my suspicions, and saved myself and several hours many days of hunting around. Didn't tell them that, though :)

Every news story that tries to use the fear of "packet sniffers" as a dangerous tool can pretty much be dismissed out of hand. Watching the data flow in and out of your own computer is never a security risk.

Re:Sensationalist, at least about wireless

[nine-times]

I tried to install Ethereal to diagnose some issues on the LAN that normal host-based diagnostics would never catch. Had to do with EBCDIC-ASCII translations, so each host always disagreed with what was sent out on the wire. IT security freaked, calling it a "hacker's tool". I explained patiently that our LAN was segmented enough that they needn't worry, I wasn't about to be stealing the CEO's password. Still no go.

You know, having worked in IT, my inclination is to say that users shouldn't be doing that stuff. You're network is segmented enough? Unless you're in charge of IT security, it's not your job to decide that. I don't know what you're background in particular was, but I used to work for an engineering firm that made software (among other things). The programmers were constantly telling us that they needed to be able to install software, that they knew how to run their own machines, that they understood software better than we did, etc. And guess what? Those were the same guys whose computers were *constantly* broken. They did tons of stupid stuff because they didn't know what they were doing. Some of the best guys were tinkerers, who had been fixing computers for years, but didn't understand that working IT is different. In a business setting, mistakes and errors can have totally different ramifications.

So I'm not saying you did the wrong thing, but that it should have been your IT staff to do it. If you have a bad IT staff, that's a separate problem, but they're right to try to discourage you from tinkering around on your own. Being your own IT person is like being your own doctor, or a lawyer representing himself in court. It's just a bad idea.

Personally, I sometimes wish I had someone else who would lock me out of administering my own machine to keep me from fucking around and breaking things.

Re:

[Xugumad]

In particular, now he's got his traffic encrypted all the way to the HotspotVPN people... who then send it out as cleartext on the Internet. Sure, it's less risky than broadcasting it over Wi-Fi in plaintext, but it's not a solution.

Gyah. Reminds me of a website I used briefly. Their custom security solution turned out to be server side crypto (of some unproven variety), through to the back office server.

Think about that a second.

The traffic went as clear text through the Internet, arrived at their server,

It's not the security I'm worried about....

[HikingStick]

It's the level of user trust. I travel to Chicago frequently, and every time I've been there recently I've seen ad-hoc networks bearing the names of some of the common hotel access points in the Loop. How many uneducated digiots actually connect to those thinking they've found the hotel's hotspot (especailly in hotels that don't offer Wi-Fi!).

Re:It's not the security I'm worried about....

[Geoffreyerffoeg]

Yes, but are you sure those are necessarily evil networks?

Your post reminded me of the ad-hoc "Free Public WiFi" that I've been seeing a lot of, and I've never gotten a connection through. A quick Google revealed that this seems to be a case of computers picking up that ad-hoc network from other computers and rebroadcasting that name for the next while. TechBlog: "Free Public WiFi"? Not! [chron.com]

And yes, I don't have a problem connecting to sketchy networks. Other people can always associate with the legitimate network I'm on and try attacks, and my firewall's decent. And if I'm worried about sniffing I'll launch a VPN.

Re:

[Intron]

Like many people, I have a home computer attached to broadband, with a dynamic domain name and always on. It seems like I ought to be able to use it as a secure encrypted web proxy so that I can use my laptop on the road without worrying about eavesdropping. One method I can think of is to connect via a VPN and then configure my home address as the HTTP proxy in firefox, but I'm not sure how to guarantee that everything is going through the VPN and not through the insecure local net.

Re:

[XSforMe]

"I'm not sure how to guarantee that everything is going through the VPN and not through the insecure local net."

Assuming you are using Windows 2K-XP, open the VPN connection's properties, select TCP/IP properties (networking properties), click on advanced options and click "use as default gateway..." checkbox.

My system is in spanish, so some some of the labels might not match on a word-per-word basis, but I'm sure you can sort out the differences.

Re:

[Intron]

So as long as setting that default guarantees that all software uses it, I'm OK.

Re:

[SCHecklerX]

That's a well-known problem. Simple Nomad did a talk about it at schmoocon this past winter in DC. I believe M$ fixed the problem, but if you are seeing it, have fun with the other holes that are likely also on those laptops.

search "hacking the friendly skies" on google for the presentation.

The virus of Troy wooden horse type

[Anonymous Coward]

Worst I have seen is a Hellokitty branded computer in Asia that was installed in a hotel room.
If was free for guests to use and had windows XP (no service packs) with admin.
It also came with 75 pieces of Asian spyware (not stuff I am familiar with) and a whole bunch of trojans.

The trojans were in a delicate balance, and once removed the computer stopped booting.
Assuming all the computers in the hotel were pwned to the same or a greater degree, that was about 1000 3ghz machines with insane bandwidth pumping out all sorts of garbage. Extremely irresponsible.

ALWAYS carry a knoppix or damnsmall CD with you when travelling. If the system isn't locked down enough to stop you booting linux then it won't be locked down enough to stay clean.

Re:The virus of Troy wooden horse type

[Anonymous Coward]

Only in Asia will you find hotel rooms with both a Hello Kitty branded computer and a bunch of Trojans.

Public websurfing

[SoVeryTired]

Public websurfing is an inherently dangerous thing to do. If you don't believe me, check out the "security now" article on ARP cache poisoning.

http://www.grc.com/nat/arp.htm [grc.com]

It's the scariest thing I've seen since the last time I was tricked into clicking a link to Goatse.

See, now I'm scared to click on that link...

[benhocking]

It sounds safe, but you never know...

Re:

[Beryllium Sphere(tm)]

Glad Gibson is discussing this. He used to tell people that Ethernet switches, in contrast to hubs, were an absolute guarantee that nobody could sniff your packets.

Irrelevant to WiFi, though.

Re:

[Chris Pimlott]

Because if I can make your PC think my PC is amazon.com, it doesn't matter if your credit card transaction is using SSL.

Re:

[markov_chain]

Before someone complains that ARP only works for addresses on the same subnet as the original host (which amazon.com wouldn't be) let me point out the missing first step of making your PC think my PC is the default gateway, which means my PC gets to respond to DNS lookups, which means I get to tell your PC my PC is amazon.com.

It seems that an access point could easily defend from this attack by validating the destination IP addresses, instead of just blindly switching by MAC address. I wonder if we will se

Re:

[RESPAWN]

That's actually not a bad idea, but is that a feature that we will ever see make it down to the consumer level APs? I mean, how many people purchasing consumer level APs will be that interested in security that they will look for a router with that feature? I would imagine that subset of security concious people will also be the same people who turn off SSID broadcasting, enable WPA encryption, and utilize MAC Address filtering. IE, these are the same kinds of people who wouldn't have any untrusted compu

Re:

[ceoyoyo]

Mirroring Amazon on your laptop and impersonating a certificate authority seems like an awfully involved way to steal a credit card number or two.

Sometimes OTT

[16K Ram Pack]

I've locked down people's home office PCs for their 3 man company systems (offices at home) with WPA and MAC address blocking, and they still want to know what else they can do in case someone wants to get their information.

It's not like they were trading invention information pre-patent, more things like memos about (small) customers. It would have cost someone more to hire a detective to snoop on them than what the information was worth.

Worst

[crossmr]

Worst security?I was referrered to a sports medicine doctor. I was early as I'd never been to that part of town before. I opened up my laptop for fun and scanned and found two networks. 1 from the gym in the building and a "linksys". No wep, default passwords on the router, and net access. there were 7 machines connected, myself, a printer, 4 others that had no name listed, and one that had the full name of one of the other doctors in the office. I wasn't able to easily view any shares at least. I recommend

Re:

[DrSkwid]

printing stuff out on the printer is always fun, I used to do it regularly before people got NATs & Firewalls behind their cable modems

"They Know"

or

"We're on to you"

are among my favourites

Re:

[Dunbal]

Give the guy a break, he is a sports medicine doctor,

      Ahh, the motor neuron...

The worst place? That's easy

[Rik Sweeney]

The Apple Store on Regent Street in London. People use it as a glorified internet cafe. No one in there is actually trying out a Mac, they're checking their Hotmail, bidding on something on eBay, advertising a room in the classifieds... The staff don't care what people are doing just as long as they're fiddling with the Macs. The funny thing is that if they catch you looking at their screen, they give you a look along the lines of "excuse me, I'm doing something private"

YOU'RE IN A F CKING SHOP!

The only thing that went through my mind when I first saw people taking advantage of Apple's generosity was

I wonder how many people here are actually just using these computers to do something sinister?

Amusing/Lesson in boredom

[Mr Krinkle]

So the usual sitting in the gate waiting for the plane to board.
I happen to be happily on my laptop, doing those Oh so critical things like, well, /., The Register, various other random boards that all have the same PW etc. (Go ahead, login and post on /. as me. In fact, do that meta mod thing for me while you're at it)
I hear the guy behind me start speaking VERY loudly on his phone.
He then tells some guy repeatedly an IP to "just login to"
I'm amused, since it sounds like it could be an external IP even, so I try it. Figure why not. It responds to ping. Hmmmm
Wondering what type of login, I get it answered, when he says, "Ok choose Domain ________ and then use administrator and 12BlahBlah for the password"
I'm like you HAVE to be joking.
No one would just shout out their windows domain admin password. Nope, I was wrong, as it happily logged in.
Oops.
(I'm not saying which company's server it was, but it was a smaller company, but not so small that they should be dumb enough to do something like that.) I also quickly disconnected, and shutdown my laptop. :)

Other amusing anecdotes are if you get carried away discussing work. Wife works for a DoD software contractor. They get to talking about bombs/blowing things up regularly, in fact, that's part of their job. Now, put them on a flight, and they start arguing over which type of charge would be more effective at dropping a building or how much of a yield would come from a certain explosive. For some reason, they get right back off the plane. :)

Re:

[Kjella]

No one would just shout out their windows domain admin password. Nope, I was wrong, as it happily logged in.

I'm not saying it was very smart but I can understand... you're out on a trip, someone calls and needs to fix something. You're already annoyed you're being disturbed. Apparently the other guy isn't too bright or you have a bad line, since he talked loud and repeated it multiple times. Particularly if it's the kind you need to handhold, hanging up to send him via SMS and then dialing him up again is n

Re:

[Mr Krinkle]

hehe
Not that it really matters, but SOMEONE has to do the modeling to figure out how effective those bombs are going to be. And where to drop that MOAB on the wooden shack in the desert to ensure it is destroyed. :)
Same thing as with CAD work kind of stuff. Eventually you have to build stuff, but there is a lot of design and testing before building now.

Utter garbage

[gnomeza]

[Packet sniffers] are typically set up to capture passwords, credit card numbers and bank account information ... "Where I'd draw the line is putting in your bank account information or credit card number."

Robert Vamosi, Senior Editor at CNET, you are an idiot. (Or maybe Susan Stellin is a terrible journalist - I suspect both.)

Saying entering your credit card number on a public computer is dangerous because someone's watching network packets is ridiculous. Just goes to show how little average users unde

Re:

[jimicus]

If it's a public computer, it would be quite possible for an enterprising cybercafe owner to set up a proxy server which sets up the SSL connection itself, decrypts everything, then presents a self-signed certificate to the client PC. The upshot is that data is nicely encrypted to the proxy, whereupon it's decrypted, logged for later use, then re-encrypted to do the actual banking.

If properly set up, you wouldn't see any error messages on the client PC as it would have the root CA for the self-signed cert

Re:Utter garbage, Redux

[NixLuver]

Man-in-the-middle is not that trivial, my friend.

From SANS WhitePaper:

"The advent of Dug Song's 'webmitm' in late 2000 demonstrated the feasibility of mounting an MITM attack on the protocol, but a properly configured client SSL implementation would warn the user about problems with the server certificate."

So a good SSL client will alarm, because you cannot own the correct CA certificate for the site in question, if the target site does already.

But there is some truth to your assertion, if you are of the Wi

Re:

[arth1]

Saying entering your credit card number on a public computer is dangerous because someone's watching network packets is ridiculous. Just goes to show how little average users understand about online safety, despite efforts to educate them about SSL...

The above sentence shows how little average users like you understand about online safety, yes.

SSL isn't safe on a public computer. A previous user might have installed (accepted) a Certificate Signing Authority cert, and set the browser to use a remote proxy

Re:

[scharkalvin]

Unless the access point is actually connected to a true "hub" (rather than a switch)
I don't think you can see all the network traffic that isn't actually addressed
to the connection that the packet sniffer is attached to.

At least I've tried this while debugging software. I had to hunt around for
an old style "hub" as opposed to a "switching hub" to connect together all the computers
under test to or I couldn't see any network traffic not addressed to the computer
running the sniffer. I'm not sure how this appl

VPN

[radarsat1]

I pretty much always connect to my university's VPN server whenever I connect to an unencrypted wireless access point.

Mostly just so my email doesn't go over the airwaves unencrypted, otherwise I don't care much, since most sites I use that ask for passwords use SSL at least for transmitting the password.

Why is it that more sites don't operate completely on SSL, by the way? I've noticed that a lot of sites use SSL just for the password and then drop to a regular HTTP connection after you log in. Why not jus

Re:

[Chris Pimlott]

Why is it that more sites don't operate completely on SSL, by the way? I've noticed that a lot of sites use SSL just for the password and then drop to a regular HTTP connection after you log in. Why not just keep the encryption for the entire session?

Because it takes much more CPU to encrypt every connection. Keep in mind you also have to encrypt every image and included file that you use on an encrypted page. Trying to mix encrypted and unecrypted content will, at the least, give the user a warning dialo

Re:

[LunaticTippy]

SSL adds a lot of overhead. You can serve 10 plain pages or more for every 1 encrypted page. Plus, it's pretty stupid to encrypt myspace browsing or slashdot or whatever the kids do these days. You can't throw server hardware at it either. The performance degradation is on both client and server, and is pretty severe.

CC numbers? Bank details?

[el_nino]

I'd have a hard enough time finding an online store I would like to buy anything from that doesn't utilise encryption for the credit card process. Finding a bank that would allow me to give my credentials in cleartext would be even harder.

The big issue is probably email which most people still access without encryption.

Re:CC numbers? Bank details? email?

[woodsrunner]

No kidding! I just sold some property and the realtor wanted me to email the title company my social security number so they could process the paperwork. I had a hard time explaining to them that I would only telephone or mail the number since email was insecure. Finally they emailed me their telephone number. I just can't imagine what a treasure trove their email account would be for identity thieves.

Re:

[jimicus]

Agreed. IME the places where you're most likely to be asked to email credit card numbers are smaller organisations and organisations which still do a lot of business face to face - places where the person you're dealing with can't say "Do it through our website".

My g/f booked a small hotel recently and they asked her to email a credit card number across. Thankfully she refused, but apparently the hotel was rather surprised at this.

Right Here in My Own Neighborhood

[beadfulthings]

One can count at least seven unsecured wireless routers, presumably sitting in peoples' houses since this is a fairly residential area. I'd have to say that for some folks, the least secure setting might be the one that literally offers all the comforts of homes. What can they be thinking? I guess the trouble is they're not thinking.

The Newspaper of Record

[value_added]

These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information...

Sounds scary. Maybe there oughta be a law. On the other hand, since when did a tool like, say, tcpdump, typically used for networking troubleshooting, monitoring and analysis, become a tool that's "typically" used for something else?

I have to wonder. The quality of writing in a publication like The New York Times

Re:

[Dunbal]

Sounds scary. Maybe there oughta be a law.

      There already is a law. Several in fact. Just goes to show how unenforceable they are.

TFA is uninformed

[Facekhan]

These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information -- which is why Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay.

"Where I'd draw the line is putting in your bank account information or credit card number," he said, adding that checking e-mail messages probably is not that risky, but if you want to be cautious, change your password once you are on a secure connection again.

When you shop on the web, nearly all online stores will be encrypting your credit card and other information needed to checkout. There may be some debate as to whether they implemented it properly and one should use caution but in general SSL is gonna have you covered. Checking your email, at least with a pop3 client is among the worst things you can do on an unsecured hotspot because far too many email services still don't use encryption for the password exchange. In addition very few email services pop3 or webmail encrypt the messages so basically if you are reading your email, so is someone else. Email is one of the few services that you can still expect to see someones password come up in plaintext. Even AIM doesn't do that anymore although the messages are in plaintext unless SecureIM has been turned on for you and the person you are chatting with.

Re:

[DrSkwid]

TFP is uninformed, using a random computer with random browser to enter your CC details, the SSL padlock cannot be trusted.

Logging in to your bank account from random, out of your control computers is equally risky.

Self signed SSL proxies are not that difficult to set up if you think the effort would be worth it.

Of course, the converse applies too...

[gjuk]

Should I ever need to do anything a bit cheeky, I just pop out to the street, find an unsecured wifi, and do anything I like, safe in the knowledge that the cops will have someone else's IP address, and that they'll find it rather hard to find me. Should I say that?

Defcon - Wall of Sheep

[xrayspx]

How many people, knowing they were on a very hostile network, still logged into slashdot, livejournal, ftp sites, webmail, all in the clear...

Internet cafes, gaming stores

[argStyopa]

I find it amusingly that people believe that they can login and play World of Warcraft anywhere - gaming cafes, etc. - and then are shocked that their accounts are hacked by keyloggers.

Not sure if it's naivete, or simply an absence of logic. Yes, one would HOPE that such sites routinely sweep their systems for unauthorized software, but frankly, short of re-imaging the hard drive after every user, I'm not sure how they could entirely prevent it.

EVDO

[TrappedByMyself]

FTW

Terminal rooms in schools

[Anonymous Coward]

Back in the 80's when terminals and mainframes still ruled universities (don't know if they still do) students in CS classes still had to use the public terminals to do school work. Many of the students (especially in the introductory courses) seemed to be incapable of remembering to log out. The terminals were VTs so they didn't time you out or lock the screen. I was regularly logging people out when I saw them grab their stuff and leave. I finally got sick of it and started encouraging them to log out

Re:

[DrSkwid]

The SunOS terminals in my Comp-Sci room were unsecure, even in user mode you could capture the keyboard/serial and log what you like.

The solution? A memo : "No Redirecting the Keyboard"

Problems with the article

[RT Alec]

I had a few problems with the article:

• I don't think the article made it clear enough the difference between using your own laptop versus using a kiosk. Obviously, never enter ANYTHING, even your name, into a kiosk. Period.
• When you are using your laptop in a public hotspot, only enter personal information on web sites that use SSL. That excludes Slashdot, MySpace, and many web-mail sites... but still allows the use of many well designed and secure systems (Amazon, PayPal, eBay).
• Using a VPN absolutely eliminates the danger of sniffing, even if the "VPN" is merely SSL webmail.

However, the biggest omission is mentioning the danger of using a Windows laptop on a public network-- just turning it on! Remember blaster, et. al.? Try running ethereal at a busy hotspot-- not only can you see user names and passwords, but you can watch as infected Windows laptops attempt to wiggle in using Windows network stack bug <insert favorite zero day exploit here>. Imagine if the infection attempt was successful, and you brought that laptop back to the office, inside the corporate firewall.

Airport Talk

[Necroman]

The president of my division (about 1000 people) was flying from our main business office to our main engineering facility. When he was waiting in the airport for a flight, you overheard a conversation between 2 people sitting near him that were getting on the same flight as him. He later called someone in my office and reported back what he heard.

The people he listened to were engineers for one of our suppliers talking about the problems with a product that they were flying down to present information to us about (I was sitting in on these meetings). They were having reliability problems that they never reported to us in the way they talked about it.

You should always be careful what you talk about in public places, you never know who is around and listening.

Conference Call

[onkelonkel]

Similar situation - except it was a conference call between us and a supplier (10 people in our office on a speakerphone talking to 10 people in their office). At some point we needed to discuss something amongst ourselves so we told the suppliers we were going "off the air" for a minute and put the phone on mute. To our amazement, the suppliers thought that because they could no longer hear us that we could no longer hear them. Their mic was still open and we heard the talking as if we were no longer listening. They were quite candidly discussing flaws in their equipment that we hadn't found yet, and trying to decide which imaginary ship date they were going to tell us given that their product wasn't really going to be ready for 4 more months.

Needless to say, we made the "off the air" discussion a part of every call we had with them.

and people don't realize it

[phorm]

I got a call from my uncle recently asking if (during his upcoming trip to Thailand /w his wife) he should bring his laptop so that he could get online, or whether he might be able to connect from public terminals. After discussing what he wanted to do, he indicated that he would like to get online to do his internet banking so that they could handle any bills etc while away.

My answer was of course: neither

Doing your banking through a public terminal or even with a personal laptop on an untrusted internet connection in a foreign country is just not a good idea. With a public terminal, you're dealing with keyloggers, spyware, and who knows what else. With the untrusted connection, you're dealing with man-in-the-middle attacks, proxies, and various other issues (and a user who doesn't know that the little messages about unknown authentication are likely indicating an https hijacking attempt).

The added danger of surfing on an insecure, untrusted wifi is even bigger. I would recommend that anyone using a connection not-their-own either refrain from doing anything financial or overly personal online. In my case, I have SSH and VPN tunnels I can setup to my home server for a semi-secure connection, but depending on the location I might not trust even these.

Last login time feature

[bigberk]

I think an often overlooked "intrusion detection" system is the last login time feature that you'll find in a lot of online services like web email, and banks. Monitor that value and make sure you're the only person logging on. I've also asked my bank to show the IP addresses logging in (a history) but they haven't done that. I wish they would, so simple

Stupidest security policy on the road

[Roadkills-R-Us]

A friend of a friend was recently in Asia (don't recall whether this incident occurred in Cambodia or Thailand). He went to an internet cafe, where he had to pay in advance for the amount of time he wanted. But regardless of how much time he bought (1/2 hour in his case) the email client was set up to require you to log back in every 5 monutes. So he started hitting "save" at the end of every line.

wap + no password + old OS = owned

[v1]

A business in my town did several stupid things that led to disaster.

1. run windows 98 as your server (in 2005)
2. no passwords on anything
3. lets install a wap
4. passwords are inconvenient on a wap, turn them off

2am Sunday morning, janitorial staff notice a kid in the parking lot sitting next to his bike, typing on a laptop.

Next day, all gone. Except one rude note left on what was left of the fileserver. He basically deleted everything that he could, which was just about everything.

Darwin at work I suppose.

Re:Interesting question

[Atheose]

I stopped at a cyber cafe while on vacation in St. Maartin last March to check my work email, and the computer I was at had a Key Logger installed and active in the system tray! I switched to another computer and, sure enough, same thing.

The kicker--the manager of the place made the customers pay for the computer time by entering your credit card information into the computers themselves! Needless to say the only thing that kept me from leaving immediately was the 5 minutes I took to laugh in his face.

Re:

[ubergenius]

I never use internet kiosks where you have to pay to use the systems. Ever. I can not for the life of me fathom a circumstance where I couldn't just wait until I got home to check something online. Bank account balance? ATM. E-mail? Mobile phone, or just be patient and wait.

Re:

[Gulthek]

What if you're traveling, esp. in a foreign country?

Always pay cash though.

Re:

[MMC Monster]

If you are that essential to a business that you need your email while on vacation, you can afford a mobile phone and have a secretary read you the highlights. If you need network access for work while on a trip, you should have the work get you a laptop. They're cheap enough.

Re:

[libkarl2]

This is the first time I have ever heard of a keylogger that actually broadcasts it's presence in the system tray, althought I can see how that would be useful for non-malicious purposes.

The typical keyloggers I have dealt with operate as a standard process in the background. Most do not show up on the taskbar but can be stopped from the Process Manager (the Ctrl+Alt+Del applet).

The nastier ones either replace, or patch the keyboard driver. Upon reboot, they run at all times and can only be found by AV s

Re:Interesting question

[justinbach]

Wow, that's a sure sign I've had a rough weekend; my last post on Friday afternoon was a +5 Funny, and here I am Monday morning with a 0, Troll. I guess I need a hug... :-(

Re:

[bennomatic]

> Except maybe all the key tapping and mouse clicking.

...and the fact that they have to say your name three times to get your attention.

...and the fact that you are laughing out loud as they are announcing the worst quarterly results ever.

...and the fact that your boss might be on /., too, and those posts are time-stamped.

...and the fact that you are unwilling to stand up right after the meeting.

Just a few possible problems with surfing during meetings.