Open Networks & Security?

Hey guys. I just bought my first lappy . Its on its way. I plan to starting to do a lot of traveling. Since i will be connecting to networks that i have no control over the security i am somewhat concerned.

First of all. Since i haven't ever used a hotel's internet services i am new to this. I think most hotels have a rj45 in each room that you can plug into your ethernet adapter to get internet access correct? Is there any Firewalls especially made for this situation? Maybe a usb firewall that you can plug into your laptop then plug the other end into the rj45? Sure you could take a full fledged router but it would be a pain to carry. Just a FYI i generally don't like the software firewalls. They are just bloatware i think. I just tried kaspersky internet security because i have much respect for their antivirus product. Well i didn't like it very much. Maybe just the default XP firewall would be good enough. I don't know.

Second if your in places where they have wireless access (cafe/pub/ect..). Is there anything you can do to protect yourself in these open wireless networks? I seen a video somewhere how it was so easy to grabs someones session on gmail if they were logged in through one of these open wireless networks and have full access to their email. Anything you can do to protect yourself in open wireless networks? I would assume there is some type of assymetric key encryption system (private/public) key pairs to protect yourself in these situations but maybe i'm wrong.

I would assume just as long as your using web site that are encrypted then you would be safe. Even if they grab the packets then they would be encrypted. I will definitely use opendns rather than their dns servers because i trust dns far more than their dns servers.

Any help would be appreciated.

thanks,
Ncage

 

http://www.oldapps.com/old_version_sygate_firewall.php

This is a very good firewall for Windows XP.

 

I use the comodo FW, the older version requires less resources. Make sure you keep you AV and adware/spyware up to date.

XP FW is pretty useless.

Just remember that any open network is subject to man in the middle attack. So using a VPN is very good against that.

They do make a portable FW that you can take with you, but I do not recall who makes it.

 

First, Windows XP firewall is not that bad like everyone thinks it is. Windows XP firewall is bidirectional, which is blocking only inbound. In contrast, Vista has two ways firewall, which mornitor inbound and out bound trafffic. Why MS inplemented Windows XP firewall that way? Well, MS wants to reduce the complication on the end users, and doesn’t user to worry too much about managing network traffic. Is Windows XP firewall secure? The answer is yes and no. The firewall will protect users from melicous attacks , but it won’t protect the users if the users already have some melicous codes installed on their computers. In general, Windows XP Firewall provides enough protection for general users. You will be surprise that a lot of corporates are using Windows XP firewall as supplement to their big boys, which are Cisco PIX, Sonic Wall, ISA, and etc. The only thing you should worry is antivirus, and spyware.

You have to understand that firewall doesn’t work wonder. Either harware or software firewall works on the same principle, which is traffic monitoring. It will make a decision to block incomming or outgoing traffic based on the rules. The user still have to make some decisions anyway. You have to remember that firewall doesn’t blcok worm, trojan, virus, and spyware because it just monitors the traffic, but doesn’t analyze the traffic packet.
Second, your question is about security on the public network. Well, security is depend on what are you doing on the network. If you are login into gmail, hotmail or shopping on the internet. I do believe that the traffic is secured.Why? because you use SSL session, the traffic on SSL is encrypted and it can’t be cracked. Well, it can be cracked, but it will take 200-400 years to hash mathematic algrolithms. By the time the hacker crack the packet, the datas is no used anyway. You see my point? If you just surf the internet, there is nothing to worry about anyway because the packet that you send to request the webpage is no use for anybody.

Third, just read the second answer. Now, take me out to lunch, and you pay. Am I sound like an expert?

 

To blue68f100

Why do you think Windows XP firewall in useless? It blocks anonymous outbound traffic, and that how firewall supposes to do anyway.

Man in the middle attack is easier to say than done. Yes, VPN is the one way to protect it, but if you just surf the internet. There is nothing to attack. Most of the shopping websites are using SSL anyway. They encrypt AH and encapsulation payload at the same time. I never personally see anyone can decrypt those traffics. You must be a very high level hacker to do that.

 

Actually, that would be unidirectional, not bidirectional. Bidirectional means two-way.

Would I use a public network for online shopping? No. Would I check any sensitive email accounts? No. Would I do anything more than surfing in a public hotspot? No. Here's why: it is very simple to capture all unsecured (or WEP secured) data and quickly dissect usernames and passwords (the quickest I've read is 6 minutes - the caffe latte attack). Would you want someone to have access to your email accounts, read sensitive emails, and do a little bit of social engineering to get your credit card number(s)? I wouldn't. You know what's even easier than packet sniffing? Looking over your shoulder and watching what you're doing.

 

Thank!! You are right. I think I mess up. I think, you are a little too paranoid in my opinon. If you check POP3 email on public network, I would worry because POP3 passes username and password in clear text. I would not worry about gmail, yahoo, or shhopping because you have secure session through SSL. You can sniiff the packets all you want, but you can’t hash it anyway, so there is no use. Yes, looking over your shoulder would be something that really bad if it happens.

 

The gmail analogy isn't quite correct. Do you use iGoogle? Many people do, and I would wager that most of those people also have gmail included on that page. The gmail/Google username and password are not sent over SSL, which means it's very easy to pick that username/password out of the unencrypted data.

I would also not shop, since there is the possibility of sending a username/password over an unencrypted connection. That username/password would also be easy to pick out of the packets, which means an attacker would be able to log into the storefront, and then have access to any stored credit card information, home address, shipping address, etc.

Too paranoid? No, I think I have just the right amount of paranoia - it keeps my identity from being stolen.

 

gmail is using SSL if you go to the webpage directly. I am not sure about iGoogle, so I can't comment on it.

If your browser shows https, you are in secure session. Most of the well known merchandises use it. When you are in secure session, your browser and the server must have two ways hand shake to authenticate the packets. I don't use the word "frame" here because we deal with layer 3 protocol and up. I am not going to go over the detail, but it is very secure. SSL uses TLS, which is Transport Layer Security. How do I know it secure? I used to deploy the certificate server for SSL before and you can trust me that we had security audit before we deployed it to the public. I can tell you that US Army is using the same type of technology too. For example, US army personels are using smart card to check email or access data over public internet. Commercial websites are using the same principle but a little different way to implement.

This is the reason why I know that it is so secure.

 

Yes, I am well aware of SSL and TLS. I believe you are missing my point. There are many commercial websites that do not use SSL until the actual purchase is being made. You can log into your account via cookies and/or a standard non-SSL webpage. If you can do that, any attacker can grab your username and password. Once they have that information, they can access your saved credit card information, your address, your password, etc. It doesn't matter if the actual page uses SSL, it's everything up to the actual purchase that can be captured, evaluated, and exploited.

This is especially dangerous, since many people use the same login and password for multiple sites. The attacker can see every site you visit, and then try any captured usernames and passwords on those sites.

 

Well, I am talking about industry standard. I am not talking about those unsecure comercial websites. What you say about insecure username and password session are very rare. Can you give me one website that doesn't use SSL and still be on business on internet? I wonder myself if it ever had one.

Most of the web programming doesn't store username and password in the cookies anymore, and I don't think it ever done on it. At least it is on my watch. I don't know about the old day, but today is none. The only thing we use are just session cookies and that it. The users can use same usernames and passwords on mutiple website aren't my concern. Those are the end user problems, but most of the system administrators have their ways to work around those problems. Of course it is a trade secret and we don't share on public forum.

 

Umm no he is not. Here is a tutorial on hacking gmail on a wireless hotspot. Takes a little work but anyone could figure out out. Just not high level hackers:
http://www.tgdaily.com/content/view/34324/108/

 

I guess the point to this is not to be lazy and make sure when you are entering any sensitive information (username/password,CC#, ect...) look to make sure its encrypted every time. If it is not and your on a public network (heck i won't even do it on my own unless its a simple forum or something like that) then don't log in. I'm going to have to review that gmail video above how they did it. I think they stole their session state. I thought at first that maybe gmail was encrypting when you enter your username/password and then everything was clear text so they had the ability to steal the session state but i just tested this out and thats not true. Everything is encrypted. Maybe they have changed it since the airing of this video. I don't know i'll have to go watch it again.

 

OK, correction for myself. I do agree with ncage1974 that you can hack gmail. Why? gmail only encrypt the traffic on the username and password session after that the packets is passing in clear texts. Of course, the replay of the packets would work on those type of traffics. Well, I just login and check gmail myself that found out that too. Normailly, I use POP3 over SSL on my gmail. I didn't pay attention to that. Well, I know that people are interesting in my post then.

Anyone else has any more comments because I want want to hear more from people. I wonder anyone else can find an error on my post.

 

I couldn't find any of my usual web commerce stores that don't log in with SSL, but at least one only used SSL during the login procedure - after that, it drops out and doesn't jump back in until it's time to check out. I believe that means that any other traffic could be captured and examined, and usernames/passwords could be retrieved. However, since I'm no expert, I don't know that for sure.

I did run across a theater website that didn't use SSL during the login process, but it's been such a long time that I don't recall the website. At the time, I brought it to the admin's attention, so I hope it was fixed at some point.

I agree that you must be aware of everything you do when on an open hotspot, but I'm sure everyone knows that the majority of hotspot users probably aren't worried about or don't realize the importance of being aware. Those are the people that hackers look for and exploit.