Sunday, 13 November 2011

How do you secure yourself on public WiFi?

For an active attack, see airpwn - http://www.evilscheme.org/defcon/ If you think that's rather benign, consider the ssl cert checking flaw (http://hackaday.com/2009/07/29/black-hat-2009-breaking-ssl-w...). Put the two together, with a bit of paranoia, and the result is I never surf unsecured wifi without some sort of protection.
-----
theBobMcCormick 384 days ago | link

I guess I don't so much disagree with the idea of being careful on an unsecured public wifi, as I am concerned that so many people seem to think they only have to be concerned about the unsecured wifi, not all the other hops on their connection. You know what I mean?
-----
fragmede 384 days ago | link

Oh absolutely. And here's why: http://www.wired.com/threatlevel/2008/08/revealed-the-in/ . In short, the researchers demonstrated that they could poison the upstream provider for Defcon's internet, such that all Defcon traffic went first through their server, before reaching the internet at large.
-----
whyleyc 384 days ago | link

I don't think people here are suggesting that this is the only vector of attack against your system, rather that given the proliferation of unsecured WiFi networks it's just one of the more common. When someone brings out the "ARP poisoning" add-on for Firefox maybe it will fuel debate on other types of attack :)
-----
carbon8 384 days ago | link

For the past 4 or 5 years I've been using SSH tunneling. I set up a location in OS X network preferences using the exact technique described in this comment http://news.ycombinator.com/item?id=1828631. I usually tunnel through my router at home which runs DD-WRT. I use SSH Tunnel manager to manage the tunnel http://projects.tynsoe.org/en/stm/. Once it's set up, all you need to do is switch your network location to the tunnel location before you leave the house, then when you want to get online, press the button for the appropriate tunnel in SSH Tunnel Manager.
-----
whyleyc 384 days ago | link

Thanks - I'd missed that comment you mentioned. Any thoughts on the pros and cons of using this vs a dedicated VPN?
-----
carbon8 384 days ago | link

This is much easier to set up and works well. The router or server you are tunneling to needs no extra configuration beyond having ssh set up. On a VPS it will already be running and with router firmware like DD-WRT or Tomato it's just a checkbox in the settings. VPN makes more sense if you need to access things on another network, like shared drives, and can be difficult to configure. I've been working completely mobile and using tunneling for years. It works well. Set sshd on the router/server to use port 443 and you won't have issues with port restrictions.
-----
JoeBracken 384 days ago | link

I've got a similar setup using SSH Tunnel Manager to tunnel to a co-located Linux machine running squid proxy. All my applications used the proxy connection via the tunnel (browsers, IM clients, etc.). Took some initial configuration time to get things set up but now it's just one click in the SSH Tunnel Manager widget to get things going anytime I'm working remote. VPN may be easier but an SSH tunnel gets it done.
-----
iuguy 384 days ago | link

You don't need to run squid to use an SSH tunnel as a proxy. If you set up a dynamic tunnel (not sure how to do this in SSH Tunnel Manager but it's fairly straightforward in putty) you point your clients at the local side and use it as a SOCKS proxy.
-----
runjake 384 days ago | link

SSH, with SOCKS tunneling (and the FoxyProxy extension with Firefox, although I normally use Google Chrome). Works on Windows/Mac OS X/Linux. Note that this doesn't necessarily fix DNS sniffing and whatnot. If I was paranoid, I'd bother to set up a VPN and use that. If I'm extremely paranoid, I use Tor (which may have some security concerns).
-----
fragmede 384 days ago | link

Set network.proxy.socks_remote_dns to true in about:config for Firefox to do DNS requests over SOCKS.
-----
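The dynamic SSH tunnel iuguy describes, runjake's point that a SOCKS proxy alone does not stop DNS sniffing, and fragmede's network.proxy.socks_remote_dns fix can all be put into one small POSIX sh helper. The script below is an added example and is not code from any commenter in the thread; the user name "alice", the host "vps.example.net" and the port numbers are placeholders. It builds the ssh command line with the options that matter on a hostile hotspot (loopback-only SOCKS listener, mandatory host-key verification, fail-fast on forward failure), emits the matching Firefox user.js prefs so lookups also travel through the tunnel, and checks that the listener is actually up before a browser is pointed at it. Port 443 for sshd follows carbon8's suggestion for getting past port restrictions.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: alice, vps.example.net, ports.

# Build the ssh command for a dynamic (SOCKS) tunnel.
#   $1 user, $2 host, $3 remote sshd port, $4 local SOCKS port
# Options chosen deliberately:
#   -N                        no remote shell, port forwarding only
#   -D 127.0.0.1:PORT         SOCKS listener bound to loopback, so other
#                             machines on the same wifi cannot use the tunnel
#   ExitOnForwardFailure=yes  exit instead of silently running with no proxy
#   StrictHostKeyChecking=yes refuse an unknown or changed host key, which is
#                             what defeats an ssh man-in-the-middle on the hotspot
#   ServerAlive*              notice a dead tunnel quickly rather than hanging
tunnel_cmd() {
    printf 'ssh -N -D 127.0.0.1:%s -p %s -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s@%s' \
        "$4" "$3" "$1" "$2"
}

# Firefox user.js lines that send both page traffic and DNS lookups through
# the SOCKS listener on 127.0.0.1:$1 (socks_remote_dns is the pref from the thread).
firefox_userjs() {
    printf 'user_pref("network.proxy.type", 1);\n'
    printf 'user_pref("network.proxy.socks", "127.0.0.1");\n'
    printf 'user_pref("network.proxy.socks_port", %s);\n' "$1"
    printf 'user_pref("network.proxy.socks_version", 5);\n'
    printf 'user_pref("network.proxy.socks_remote_dns", true);\n'
}

# Return 0 if something is listening on 127.0.0.1:$1, 1 if not, 2 if nc is missing.
proxy_ready() {
    command -v nc >/dev/null 2>&1 || return 2
    nc -z 127.0.0.1 "$1" >/dev/null 2>&1
}

# Usage: sh tunnel.sh start   (after replacing the placeholders above)
case "${1:-}" in
    start)
        SOCKS_PORT=1080
        echo "# add these lines to your Firefox profile's user.js:"
        firefox_userjs "$SOCKS_PORT"
        # the command contains no spaces inside arguments, so plain word
        # splitting of the string is enough to run it in the background
        $(tunnel_cmd alice vps.example.net 443 "$SOCKS_PORT") &
        sleep 3
        if proxy_ready "$SOCKS_PORT"; then
            echo "SOCKS proxy listening on 127.0.0.1:$SOCKS_PORT"
        else
            echo "tunnel not ready (or nc not installed), check ssh output" >&2
        fi
        ;;
esac
```

Binding the listener to 127.0.0.1 rather than 0.0.0.0 is the detail most often missed: a SOCKS proxy listening on all interfaces turns your laptop into an open relay for everyone else on the coffee-shop network. StrictHostKeyChecking=yes is what actually protects against the active attack in the first comment; a tunnel that accepts any host key can be terminated by whoever controls the access point.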
runjake 384 days ago | link

Thank you!!!
-----
ronnier 384 days ago | link

I loaded Tomato on my Linksys router, then enabled SSH. I proxy through that when on public wifi. This is the best method for me because my Linksys router is always on and uses very little power. It's also set up so I can use remote desktop through the proxy to my desktop at home. I wrote up some instructions on how I did it here: http://ronnieroller.com/articles/rdp_over_ssh_with_a_linksys...
-----
scraplab 384 days ago | link

I use an L2TP/IPSEC VPN on a Linode VPS. It works great with OS X and iOS devices - I've not tried anything else. There's a simple toggle switch on iOS in Settings to activate the VPN, or a one-click menu item in OSX. It's pretty easy to set up, if you're comfortable with Linux. I'm using it on Ubuntu 9.10, and I followed the guide here: http://riobard.com/blog/2010-04-30-l2tp-over-ipsec-ubuntu/
-----
jsz0 384 days ago | link

Usually I just avoid using public wifi. Tethering is practical enough these days. Worst case I have a few VPN endpoints to fall back on but if I'm going to be using HTTPS sites I don't even bother connecting.
-----
ax0n 384 days ago | link

I also tether a lot. Usually, the speed is better and more reliable than the over-crowded crap provided by businesses. The added layer of protection is just icing on the cake most of the time.
-----
retroafroman 384 days ago | link

I have a very cheap, small, Linux VPS for ssh tunneling via SOCKS proxy. It's a couple bucks a month, and it can also host my blog/app prototype/whatever when I get around to putting it up.
-----
epochwolf 384 days ago | link

Easy, I open up a terminal and type:
    start_vpn
It's a script which fires up an openvpn connection to a vps I have.
Getting openvpn working took about a day of hacking around on my vps and my mac. (just read the openvpn tutorial and follow the steps.) I still haven't gotten openvpn working on Windows but it's not something I've ever needed.
-----
mikeyur 384 days ago | link

I just use Viscosity which is a menubar app that lets you easily connect to an OpenVPN connection (you punch in the address, authentication type, etc and it lets you just click the server name from your menubar to connect). I don't host my own server though, I use http://witopia.net I think I pay like $50-60/yr. But they give you a bunch of servers to connect to worldwide: http://cl.ly/2zEY
-----
fragmede 384 days ago | link

There's also Tunnelblick as a free and open source alternative to Viscosity - http://code.google.com/p/tunnelblick/
-----
symesc 384 days ago | link

I use Witopia from Canada. In addition to helping secure my connection to the Internet at all times, it enables access to online services that are otherwise unavailable.
These services include BBC iPlayer out of the UK, and Hulu and other streaming services from the US, like sporting events.
I have found Witopia to be extremely reliable and fast.
I recommend their service.
-----
iuguy 384 days ago | link

For quick and dirty connections out, I use PuTTY to set up a dynamic local SSH tunnel to a host of mine on the Internet. Then I use the tunnel as a SOCKS proxy. It's fairly straightforward to set up. For remote access and Internet access over wifi for non-SOCKSable stuff I use Strongswan. I have a small scale darknet set up with it (just me and a few friends) so it's already there for me, but I wouldn't recommend it unless you know your stuff.
-----
mitchellhislop 384 days ago | link

I have a marcopolo setting on my mac that, if none of my usual networks are found, fires up an ssh tunnel to a vps I have just for that, and turns on my socks proxy. This takes me remembering to do it out of the equation.
-----
tomfakes 384 days ago | link

Here's a different approach to this problem - Take your home network with you! I recently signed up for Clearwire's CLEAR service. They have a MiFi component that does "4G" with fallback to 3G if necessary. This gives me up to about 3MBs, with portability (up to 3 hours on battery). There is no data limit for "4G", and you get 5GB per month on the 3G fallback network. Anywhere I travel inside the US, I'm using my home network, and isolated from public networks.
-----
PStamatiou 384 days ago | link

I use a simple OpenVPN or L2TP/IPSec provider + client app on OS X. Minimal setup and I can switch it on/off easily. I reviewed the one I use earlier this year, though it is now outdated because at the time they didn't offer OpenVPN and that was my biggest beef with it: http://paulstamatiou.com/how-toreview-surf-securely-with-vyp...
-----
gaoshan 384 days ago | link

I give an example of my quick and dirty solution here: http://news.ycombinator.com/item?id=1828631 For more robust solutions I set up my own openvpn instance on a home server which I can use from any coffee shop, and I have a Witopia account (which I use when abroad as they have servers all over the world which speeds things up a bunch). I make the greatest use of Witopia from within China as they have servers in Hong Kong.
---------------------------------------------------------------------------------------
I guess if you really wanted to you could run a GUI tool like Cain (http://oxid.it/), but most people doing this type of thing would use something like Scapy or at worst, Yersinia.
So I'd agree, more complex definitely, significantly not as much perhaps (it depends on the type of attack as tool), as for deliberation I'd say about the same as the firefox plugin.
If you do run tcpdump you do pick up broadcasts and such, one of our VPS instances actually sees a load of DNS traffic for our subnet, which we think is the other VPS instances.
