Re: OT By a mile in parts comments on Viet Nam
- From: usenet@xxxxxxxxxxxxxxxxxxxxxxxxxxx (James Taylor)
- Date: Sun, 27 May 2007 23:37:04 +0700
iBallooka <kamtek@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Also wireless in the hotel is now available where we stay in Thailand,
anything I need to look out for security wise if we take one of the
iBooks, I am a little paranoid about wireless but it would be nice to
check bank accounts etc etc whilst away but is it safe to do so over
wireless and using the hotel network?
Most hotel networks are a ripe ground indeed for hackers and snoopers,
and this is quite independent of whether they are wi-fi or wired. There
are some additional risks with wi-fi, of course, but they're not big
compared with the risks already inherent in the average hotel network.
Either way, you should regard your connection as insecure and use some
form of encryption to protect your passwords and privacy.
Your bank is likely to use a proper encrypted connection anyway, so
you're likely to be safe by default, although the name of the website
you visit will be visible to snoopers. You should of course ensure that
Apple Mail is configured to use an encrypted connection for sending and
receiving your mail, or otherwise use an encrypted webmail system
instead. Some instant messaging systems (eg. MSN, AOL/iChat) leak
information obviously in the clear too, so beware of using them. I think
Skype is fairly well encrypted by default, although it's proprietary so
who knows what backdoors exist.
My recommendation would be to set up a VPN endpoint in the UK that you
can connect to while you are travelling. This has the benefit that
everything you do on the net (not just banking) will be encrypted
through the VPN "tunnel" as it passes over wi-fi, through the hotel
network, through the Thai "Big Brother" system, and over half the
planet's dictatorships and criminal-friendly regimes until it gets back
to the relative civilisation of the UK. If your home router has a VPN
endpoint function you could use that to allow yourself roaming access to
your home network along with any networked file storage, or desktop
computers you may have. You'll need a fixed IP address at home for this
to work easily, but if you can't wring a fixed IP address out of your
ISP there are ways around this (eg. DynDNS, IPmenu, or a home-brewed
equivalent).
It's worth noting that here in Thailand the military junta is further
tightening the screws of censorship on the Internet. A few months ago
they completely banned YouTube access within Thailand because YouTube
allowed someone to put up a video mocking the (justifiably) revered Thai
king, and to this date the ban has not been lifted. (Technically this is
achieved by having a transparent HTTP proxy inject HTTP redirects in
place of the actual content that would have come from YouTube. The
redirect takes you to a government web page written in large Thai
lettering with a logo that looks like the all-seeing Eye of Sauron.
Creepy!) It's a shame because YouTube was one of the ways I used to keep
up with British television culture. VPN allows me to bypass the Thai
junta's censorship, but I have to pause YouTube videos until they've
fully downloaded because VPN is much slower than a direct unencrypted
connection. This inconvenience means I visit YouTube very rarely these
days. I believe Thai web censorship is also used against seditious,
criminal, and pornographic sites, but I wouldn't know anything about
that of course.
Whether you're using a VPN connection or not, you should turn off all
the services you may be sharing in the "Sharing" section of system
preferences (you won't need them on your laptop while travelling
anyway), and you should ensure that your firewall is running (also set
in the "Sharing" section). This is because, even with a VPN connection
in place, your computer will be exposing those services to anyone on the
hotel network, which you obviously don't want.
The other thing to bear in mind is that it is necessary to establish a
network connection *before* you can start the VPN connection that
tunnels over it. This means that there will be a short period of time
between when Mac OS X knows it has an Internet connection, and when the
VPN takes over. In that intervening time any networked applications
you've left running such as your IM clients, Mail app, etc will
immediately try to make a direct non-VPN connection, and in doing so
they may give away your passwords and other private details before the
VPN can take over to protect everything. You should quit these types of
applications, and only run them once the VPN connection is up and
running. Better, would be to set Mail to only fetch manually, and even
better would be to ensure Mail uses an encrypted connection of its own
regardless of the VPN.
Now, I mentioned additional wi-fi vulnerabilities. Some wi-fi networks
are encrypted, but bear in mind that weak encryption like WEP is only
about one minute better than no encryption at all because that's all the
time it takes to crack it these days. Just think of WEP as being
equivalent to an open network except that it makes it harder for a
legitimate user to log on than it does for a hacker to log on. WPA
encryption is a lot better and with a long random password it's as good
as it gets for the moment. *BUT* even if there is some kind of
encryption on the wi-fi network itself, this only protects the data as
far as the wi-fi access point and from there it joins the wired hotel
network with all the possibilities for snooping and subversion that this
entails. Note that a hotel wi-fi network is unlikely to be encrypted
anyway because it requires too much technical support on their behalf.
Hotels, airports, and similar public hotspots generally use unencrypted
wi-fi with a transparent web proxy that intercepts any attempt to open a
web page (eg. Google) and replaces it with the hotel's own login page
(in pretty much the same way the Thai government censors websites in
fact). Once you've logged in you can then freely access the rest of the
Internet.
Now, obviously, with an unencrypted network, anyone with a laptop and
the right software can snoop on what people are doing from anywhere in
the area. Of course, this is only slightly worse than the default
condition of the hotel's wired network anyway, so there's simply no
substitute for applying your own encryption (VPN, HTTPS, etc) to protect
your passwords and privacy as mentioned above.
The second issue is the "Evil Twin" problem. If an attacker creates a
wi-fi network with the same name as the hotel's wi-fi (even if the hotel
wi-fi is encrypted), then your laptop may connect to it in preference or
switch to it at some later time simply because the signal is stronger
than the hotel's signal. This can happen without your knowledge, and it
gives the attacker easy access to all your data as it passes over the
air. Worse, it's even possible for such an attacker to use the
transparent proxy technique mentioned above to intercept and modify your
web traffic on-the-fly, and this can allow them to act as a "man in the
middle" listening to both sides of a communication, or present you with
what looks like your banking site, or what looks like the hotel's login
page, but which is in fact just the attacker. The best way around this
is to use a VPN, but another way is to ensure you're using an HTTPS
(rather than just HTTP) connection to any websites where money, or
passwords are involved. The VPN is better because once it is connected
you don't need to worry about it. Checking for HTTPS needs to be done
very frequently because a man in the middle could step in with a
malicious page at some later point when your guard is down.
Wi-fi networks at airports, hotel lounges, libraries, cafes and similar
public places are prime fishing grounds for Evil Twin attackers. Where
else do you get the greatest number of people blithely connecting to a
network they're not too familiar with? Evil Twins can put up a login
page that looks identical to the legitimate one. The last time I was
waiting a few hours in an airport I found a wi-fi hotspot and tried
connecting, got redirected to their login page, and it was immediately
asking me to enter my credit card details to pay for my time online! But
that could have been *anyone* else in the area with a laptop, and there
were quite a few. I sure as hell wasn't going to enter my credit card or
any other details on a web page that popped up at a public hotspot! What
kind of idiot do they take me for? What I was expecting was to be told
to pay at a desk or kiosk somewhere and be given a password to login
with. That way, even if there was an evil twin, they'd have to work a
bit harder to get at my money. Make sure you don't get caught out by
this. DON'T enter credit card details into random web pages over open
wi-fi even if they look identical to the official page. Get a password
from hotel reception if possible and, if that's not possible, use their
wired connection or simply go elsewhere.
Oh dear, I seem to have rambled on too much. Hope some of it was useful.
--
James Taylor
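The interception the post describes (a transparent proxy on the hotel or censor's network swapping an HTTP redirect, or its own login/payment page, in for the content you asked for) can be detected the same way captive-portal checkers do it: request a plain-HTTP URL whose exact reply you already know and compare what actually comes back. The following is an added example and is not part of the original post or anyone's code from this thread; the probe host, path and expected body are assumptions you would replace with a server you control, and the three sample responses are constructed to model the cases in the post.

```python
"""Detect a transparent HTTP proxy (captive portal, censor, or evil-twin AP)
by fetching a known plain-HTTP resource and comparing it with the expected reply.

Added example, not from the original post.  PROBE_HOST / PROBE_PATH /
EXPECTED_BODY are assumptions: point them at a server you control whose
reply you know byte-for-byte.  The SAMPLES below are constructed responses.
"""
import http.client
import re
from dataclasses import dataclass
from urllib.parse import urlparse

PROBE_HOST = "probe.example.invalid"   # assumption: a host you control
PROBE_PATH = "/probe.txt"              # assumption
EXPECTED_BODY = b"probe-ok\n"          # assumption: the real server's exact reply


@dataclass
class Verdict:
    kind: str     # "clean" | "redirect_injected" | "content_replaced" | "error"
    detail: str


def parse_raw_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1")
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not m:
        raise ValueError("not an HTTP response: %r" % status_line)
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def classify(status, headers, body,
             expected_body=EXPECTED_BODY, probe_host=PROBE_HOST) -> Verdict:
    """Decide whether the reply is the real one or something an interposer substituted."""
    if 300 <= status < 400:
        # The post's Thai censor case: a redirect injected in place of the content.
        location = headers.get("location", "")
        target = urlparse(location).hostname or ""
        if target and target != probe_host:
            return Verdict("redirect_injected", "redirected off-host to %s" % target)
        return Verdict("redirect_injected", "unexpected redirect to %r" % location)
    if status == 200 and body == expected_body:
        return Verdict("clean", "reply matches the expected body")
    if status == 200:
        # The hotel-login / evil-twin case: a 200 carrying someone else's page.
        low = body.lower()
        if b"<form" in low and (b"password" in low or b"card" in low):
            return Verdict("content_replaced",
                           "a login or payment form was served instead of the probe; "
                           "do not enter credentials or card details here")
        return Verdict("content_replaced", "200 but body differs from the expected reply")
    return Verdict("error", "HTTP %d from probe" % status)


# Constructed sample replies modelling the three situations in the post.
SAMPLES = {
    "clean": (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
              b"Content-Length: 9\r\n\r\nprobe-ok\n"),
    "censor_redirect": (b"HTTP/1.1 302 Found\r\n"
                        b"Location: http://blocked.example.invalid/notice\r\n"
                        b"Content-Length: 0\r\n\r\n"),
    "portal_page": (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<html><body><form action=\"/pay\">Card number: "
                    b"<input name=\"card\"></form></body></html>"),
}


def classify_samples() -> dict:
    """Run the classifier over every constructed sample; returns {name: kind}."""
    return {name: classify(*parse_raw_response(raw)).kind for name, raw in SAMPLES.items()}


def probe_live(host=PROBE_HOST, path=PROBE_PATH, timeout=5.0) -> Verdict:
    """Fetch the probe over plain HTTP on the current network and classify it.

    Plain HTTP is deliberate: the point is to see whether anything in the path
    rewrites unencrypted traffic.  Not run by the tests (needs a network).
    """
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": host, "Cache-Control": "no-cache"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify(resp.status, headers, resp.read())
    except OSError as exc:
        return Verdict("error", "connection failed: %s" % exc)


if __name__ == "__main__":
    for name, kind in classify_samples().items():
        print("%-16s -> %s" % (name, kind))
```

Run it before bringing the VPN up, and again after: a "clean" verdict on the bare hotel network is no guarantee against an evil twin appearing later, which is why the post prefers a VPN over repeatedly checking for the HTTPS padlock; but a "redirect_injected" or "content_replaced" verdict tells you, before you have typed anything, that something in the path is rewriting your traffic.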