security at public internet points

Discussion in 'Computer Security' started by Manlio, Sep 20, 2007.

  1. Manlio

    Manlio Guest

    When I use a public internet access point
    is it possible to scan ( or do any other check) the PC in order to
    verify if the entry is going to be background monitored ?

    Thanks
    Manlio
     
    Manlio, Sep 20, 2007
    #1

  2. Manlio

    Todd H. Guest

    Manlio <> writes:

    > When I use a public internet access point
    > is it possible to scan ( or do any other check) the PC in order to
    > verify if the entry is going to be background monitored ?
    >
    > Thanks
    > Manlio


    Hi Manlio,

    I am not exactly sure what you're asking, but I can guess that your
    native tongue is not English.

    When using a public internet access point, it is wise to use a virtual
    private network (VPN) connection to somewhere you trust. There are service
    providers that will sell you VPN accounts for this purpose
    (http://www.hotspotvpn.com/ came up on top of a quick google search),
    but if you have a server on the internet anywhere, you can do this
    yourself with openvpn software (free). Virtual private servers
    (VPS) are handy for this sort of thing, but you will need to be linux
    or freebsd savvy to configure and run one by yourself.

    The issue is that free unencrypted public internet allows everyone
    that can hear your radio to see all of your internet traffic,
    including all domain name lookups (e.g. what sites you are surfing
    to), all your email unless you use SSL connections to your server,
    etc. Worse still, you might be connecting to a rogue access point
    that will impersonate the servers you are trying to reach and
    potentially spoof password entry pages, and cheerfully gather whatever
    usernames and passwords you might type into them.

    Unfortunately there isn't often a good way to strongly verify that you
    are connecting to the real free public internet access point versus a
    rogue access point.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Sep 20, 2007
    #2

  3. Manlio

    Manlio Guest

    Followup to msg on 20 Sep 2007 11:35:10 -0500,
    (Todd H.) :


    >Manlio <> writes:
    >
    >> When I use a public internet access point
    >> is it possible to scan ( or do any other check) the PC in order to
    >> verify if the entry is going to be background monitored ?
    >>
    >> Thanks
    >> Manlio

    >


    Hi,
    thanks for your answer.

    >Hi Manlio,
    >
    >I am not exactly sure what you're asking, but I can guess that your
    >native tongue is not English.


    Of course you're right .. I am Italian and maybe my question can be
    misunderstood ..

    I don't really think there is a solution to my problem and
    I think your suggestion works only when you use your personal PC or
    portable.


    My specific problem arises as, sailing around with my boat, it happens I
    need to use a public Internet Point (Cyber Cafe ..), and its
    hardware, I may find ashore, to verify emails and bank expenses. As I
    am sure any of my keyboard strokes can be background monitored I cannot
    use any password protected operation .. and there comes out my
    question !!

    Thanks for your attention

    Manlio
     
    Manlio, Sep 20, 2007
    #3
  4. Manlio

    nemo_outis Guest

    Manlio <> wrote in news:2625f3dt13m4ju0fvcusvgu3q26qu7pv8o@
    4ax.com:

    > When I use a public internet access point
    > is it possible to scan ( or do any other check) the PC in order to
    > verify if the entry is going to be background monitored ?



    No, you don't scan them.

    The key is to connect *through* a public internet access point, not *to*
    one.

    Use VPN, Tor, etc. to *tunnel through* the access point to a trusted server
    elsewhere (e.g., a third-party server or even just one's home machine that
    has been set up appropriately for this purpose.)

    Regards,
     
    nemo_outis, Sep 20, 2007
    #4
  5. Manlio

    nemo_outis Guest

    Manlio <> wrote in news:qta5f3l334ag6rsoi8a3iu208jl7p47nke@
    4ax.com:

    >
    > My specific problem arises as, sailing around with my boat, it happens I
    > need to use a public Internet Point (Cyber Cafe ..), and its
    > hardware, I may find ashore, to verify emails and bank expenses. As I
    > am sure any of my keyboard strokes can be background monitored I cannot
    > use any password protected operation .. and there comes out my
    > question !!


    If you use their hardware all bets are off - you are vulnerable. It is far
    better to use your own computer (perhaps a notebook) and only use their
    network for accessing the internet.

    In short, you should use *your* computer, not theirs, and everything that
    leaves or enters it over the network should be encrypted. Use their
    network, not their computers.

    Regards,
     
    nemo_outis, Sep 20, 2007
    #5
  6. Manlio

    VanguardLH Guest

    "Manlio" wrote ...
    > When I use a public internet access point
    > is it possible to scan ( or do any other check) the PC in order to
    > verify if the entry is going to be background monitored ?



    Everything you pass between your host and through theirs can be
    monitored with a packet sniffer, same as when you use your own ISP.
    You could try using encrypted connections to the target host (but it
    is possible to use an intervening proxy that looks like the target to
    your host, accepts the SSL connect, sniffs the traffic, and then does
    an SSL connect with the real target host). However, when you sit in
    that Internet cafe and drink your latte which was paid with a credit
    card then why would they need to sniff your web traffic?
     
    VanguardLH, Sep 20, 2007
    #6
  7. Manlio

    Fenny Fox Guest

    That depends: Are you talking about public, unsecured wireless Internet
    (at a hot-spot, where you have your own laptop/PDA with you); or are you
    talking about wired, public hardware you don't control (like in some
    cybercafes, in libraries, or at public kiosks)?

    If you're talking wireless Internet, then the advice about using VPNs
    posted by others here, would apply (don't forget a software firewall for
    your machine, though).

    If you mean a public kiosk or public *hardware* - assume that the entire
    planet is reading everything you type. Don't type anything that you
    wouldn't want published in the Associated Press, because AFAIK, there's
    NO way to ensure the system hasn't been compromised - either by hardware
    or software.

    Fenny Fox
    http://fenrisfox.livejournal.com


    Manlio wrote:
    > When I use a public internet access point
    > is it possible to scan ( or do any other check) the PC in order to
    > verify if the entry is going to be background monitored ?
    >
    > Thanks
    > Manlio
     
    Fenny Fox, Sep 22, 2007
    #7
  8. Manlio

    Fenny Fox Guest

    Replies inline:

    VanguardLH wrote:
    >(but it is
    > possible to use an intervening proxy that looks like the target to your
    > host, accepts the SSL connect, sniffs the traffic, and then does an SSL
    > connect with the real target host).


    AFAIK, this is only possible if you install their certificate in your
    machine, as an authority; this is, for example, how some corporate
    proxies can "transparently proxy" SSL traffic.

    Don't install any weird certificates, and - AFAIK - this attack is useless.

    > However, when you sit in that
    > Internet cafe and drink your latte which was paid with a credit card
    > then why would they need to sniff your web traffic?
    >


    Private/sensitive != financial/ID-theft-valued.

    I'm sure many people have lifestyles online, which they don't want the
    whole world to know about (and no, I don't just mean porn-surfers).


    Fenny Fox
    http://fenrisfox.livejournal.com
     
    Fenny Fox, Sep 22, 2007
    #8
  9. Manlio

    Fenny Fox Guest

    Clarification:

    "...this is, for example, how some corporate proxies can "transparently
    proxy" SSL traffic."

    "Transparently proxy" = spy on. =:oD

    Fenny Fox
    http://fenrisfox.livejournal.com
     
    Fenny Fox, Sep 22, 2007
    #9
  10. Manlio

    Beachcomber Guest


    >Use VPN, Tor, etc. to *tunnel through* the access point to a trusted server
    >elsewhere (e.g., a third-party server or even just one's home machine that
    >has been set up appropriately for this purpose.)
    >


    Can someone recommend a good VPN client for a Windows PC?

    I am assuming that I would have to install companion server software
    on my machine and have some sort of semi-public access, at least to
    the point of the encrypted server. Is that right?
     
    Beachcomber, Sep 23, 2007
    #10
  11. Manlio

    nemo_outis Guest

    (Beachcomber) wrote in
    news::

    >
    >>Use VPN, Tor, etc. to *tunnel through* the access point to a trusted
    >>server elsewhere (e.g., a third-party server or even just one's home
    >>machine that has been set up appropriately for this purpose.)
    >>

    >
    > Can someone recommend a good VPN client for a Windows PC?


    OpenVPN: server & client

    The best! And you can't beat the price: free!

    http://openvpn.net/


    > I am assuming that I would have to install companion server software
    > on my machine and have some sort of semi-public access, at least to
    > the point of the encrypted server. Is that right?


    Yep. OpenVPN is pretty straightforward but if you have a NAT router etc.
    to futz with, figure on taking a Saturday afternoon to get everything set
    up right (configure a TAP driver, make a certificate, setup the server &
    client conf files, etc.).

    Regards,

    PS And not just for Windows - also Linux, *BSDs, Mac, etc.
     
    nemo_outis, Sep 24, 2007
    #11
  12. Manlio

    nemo_outis Guest

    "nemo_outis" <> wrote in
    news:Xns99B4AE85B179Eabcxyzcom@204.153.245.131:

    Afterthoughts:

    1. Mastering OpenVPN is time well spent. It's damned versatile (even for
    100% legit uses such as a road warrior connecting back home encrypted
    through a hotel network access point).

    2. It's easiest to set up OpenVPN with two computers at home (the main
    one for the server, the other as a test client). It can take several
    days if you try to futz about with client software at work and then have
    to wait until you go home to make a tweak to the server and then back
    again to tweak the work machine, and then...

    3. You may have to futz about slightly with the client and server once
    you try it from work even if it works perfectly at home. For instance,
    you may need to communicate on the non-standard (for OpenVPN) port of
    443, depending on how fascist the company firewall is.

    4. OpenVPN only gives you an encrypted tunnel; how to use the tunnel is
    a separate question. For instance, you can set up a http proxy at home
    and tunnel to it (and an ftp one, and...). CCproxy (or analogx) is a
    good choice if you go this route. Or you can use one of the VNCs (for
    Windows, I like ultravnc) and just run a "virtual session" from work as
    if you were seated at your own home computer. Or...

    In short, think of openVPN as "joining" your home network (even if it is
    just one computer) with your work network - this is actually what it
    does. Now decide how you would use your work computer to "talk" to your
    home computer which is now "network accessible" (over an encrypted
    channel and only to you).

    Regards,

    PS You can get fancy and examine the "routing table" on your work
    computer once it is set up to make sure there is no leakage for shit like
    DNS, etc. but I'll leave this to another day.
     
    nemo_outis, Sep 24, 2007
    #12
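
The routing-table check mentioned in the PS above, as an added example that is not part of the original post: it applies longest-prefix matching to a routing table and reports destinations (such as a hotspot-assigned DNS resolver) that would leave outside the tunnel. The table, addresses, the `tun0`/`wlan0` interface names and all function names are constructed assumptions; the input is assumed to be in Linux `ip route show` form, so Windows `route print` output would need normalising first.

```python
import ipaddress

# Constructed `ip route show`-style table: laptop on a hotspot (wlan0) with an
# OpenVPN tunnel (tun0) that redirects all traffic via two /1 routes.
CONSTRUCTED_TABLE = """
default via 192.168.1.1 dev wlan0
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57
203.0.113.10 via 192.168.1.1 dev wlan0
"""
VPN_SERVER = "203.0.113.10"   # constructed; must be reached outside the tunnel
TUNNEL_DEV = "tun0"           # assumed tunnel interface name


def parse_routes(text):
    """Parse `ip route show`-style lines into (network, interface) pairs."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(prefix, strict=False)
        routes.append((network, fields[fields.index("dev") + 1]))
    return routes


def egress_interface(routes, destination):
    """Pick the interface by longest-prefix match, as the routing table does."""
    address = ipaddress.ip_address(destination)
    matches = [(net, dev) for net, dev in routes if address in net]
    if not matches:
        return None
    return max(matches, key=lambda match: match[0].prefixlen)[1]


def find_leaks(routes, destinations, tunnel_dev, vpn_server):
    """Return (destination, interface) pairs that bypass the tunnel.

    The VPN server itself is exempt: its packets carry the tunnel and have to
    use the physical interface.
    """
    leaks = []
    for destination in destinations:
        if destination == vpn_server:
            continue
        device = egress_interface(routes, destination)
        if device != tunnel_dev:
            leaks.append((destination, device))
    return leaks


if __name__ == "__main__":
    table = parse_routes(CONSTRUCTED_TABLE)
    # Resolver handed out by the hotspot, resolver inside the VPN, a web host.
    targets = ["192.168.1.1", "10.8.0.1", "198.51.100.7"]
    for destination, device in find_leaks(table, targets, TUNNEL_DEV, VPN_SERVER):
        print(f"LEAK: {destination} leaves via {device}")
```

In the constructed table the hotspot's resolver at 192.168.1.1 is flagged because the directly connected /24 route is more specific than the tunnel's /1 routes, so DNS lookups sent to it stay on the local network.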
  13. Manlio

    Manlio Guest

    Followup to msg on 23 Sep 2007 23:38:14 GMT, "nemo_outis"
    <> :
    (Original msg on bottom)

    >"nemo_outis" <> wrote in
    >news:Xns99B4AE85B179Eabcxyzcom@204.153.245.131:
    >
    >Afterthoughts:
    >



    Thanks to everyone for the answers, particularly to "nemo_outis" for
    the conclusive issues.
    Nevertheless I have just found a confirmation to my presumed "no
    solution" to the problem .. using others' hardware .. as I am
    obliged to do for practical reasons.
    Anyhow VPN use is worth to make experience on ... !
    Thanks again
    Manlio
     
    Manlio, Sep 25, 2007
    #13
  14. Manlio

    Jim Watt Guest

    On Sun, 23 Sep 2007 18:37:00 GMT, (Beachcomber)
    wrote:

    >Can someone recommend a good VPN client for a Windows PC?


    W2k and XP come with one built in.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 25, 2007
    #14
  15. Manlio

    Jim Watt Guest

    On Sun, 23 Sep 2007 18:37:00 GMT, (Beachcomber)
    wrote:

    >I am assuming that I would have to install companion server software
    >on my machine and have some sort of semi-public access, at least to
    >the point of the encrypted server. Is that right?


    Not if you get an ADSL modem that supports VPN
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 25, 2007
    #15
  16. Manlio

    nemo_outis Guest

    Jim Watt <_way> wrote in
    news::

    > On Sun, 23 Sep 2007 18:37:00 GMT, (Beachcomber)
    > wrote:
    >
    >>I am assuming that I would have to install companion server software
    >>on my machine and have some sort of semi-public access, at least to
    >>the point of the encrypted server. Is that right?

    >
    > Not if you get an ADSL modem that supports VPN
    > --
    > Jim Watt
    > http://www.gibnet.com



    While that might be a good solution for some situations, it has the
    following disadvantages wrt the OP's problem:

    1. He can hardly install it at work.
    2. Such a modem costs considerably more than OpenVPN (which is free).
    3. Even for legit uses, it will frequently not work for the "road
    warrior" scenario (e.g., someone wishes to connect securely to the
    company network - or his home computer - from a hotel room *through* a
    hotel network).

    OpenVPN is arguably much better than most other VPNs implemented in
    software (ipsec, pptp, etc.) and except in industrial load situations
    (many users, etc.) will even give most vpn hardware implementations a
    pretty good run for the money.

    Regards,
     
    nemo_outis, Sep 25, 2007
    #16
  17. Manlio

    Jim Watt Guest

    On 25 Sep 2007 16:31:17 GMT, "nemo_outis" <> wrote:

    >Jim Watt <_way> wrote in
    >news::
    >
    >> On Sun, 23 Sep 2007 18:37:00 GMT, (Beachcomber)
    >> wrote:
    >>
    >>>I am assuming that I would have to install companion server software
    >>>on my machine and have some sort of semi-public access, at least to
    >>>the point of the encrypted server. Is that right?

    >>
    >> Not if you get an ADSL modem that supports VPN
    >> --
    >> Jim Watt
    >> http://www.gibnet.com

    >
    >
    >While that might be a good solution for some situations, it has the
    >following disadvantages wrt the OP's problem:
    >
    >1. He can hardly install it at work.
    >2. Such a modem costs considerably more than OpenVPN (which is free).
    >3. Even for legit uses, it will frequently not work for the "road
    >warrior" scenario (e.g., someone wishes to connect securely to the
    >company network - or his home computer - from a hotel room *through* a
    >hotel network).
    >
    >OpenVPN is arguably much better than most other VPNs implemented in
    >software (ipsec, pptp, etc.) and except in industrial load situations
    >(many users, etc.) will even give most vpn hardware implementations a
    >pretty good run for the money.


    Is OpenVPN a server or a client or both?

    Anyway, W2k and XP come with a built-in client and
    using a router means you do not need a server running
    so your home ADSL connection can be used from wherever
    with a secure tunnel through whatever dodgy infrastructure
    might be around in other people's offices, hotels, etc.

    The additional cost of a router with the functionality
    is offset by the cost of electricity running a server
    pretty quickly.

    The only snag I found is that you need to have your
    network on an infrequently used private IP address
    block so there is no clash with the hotel wireless
    LAN side. 192.168.1.x is not a good choice.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 27, 2007
    #17
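
The address clash described in the post above, as an added example that is not part of the original thread: it compares a home LAN reached through the tunnel with the LAN the laptop is sitting on and says whether home addresses would be shadowed by the local network. All ranges and host addresses are constructed sample values, the function names are hypothetical, and an exact prefix tie is counted as a clash because its outcome depends on route metrics.

```python
import ipaddress

# Constructed examples of LANs a travelling laptop might be attached to.
CONSTRUCTED_LOCAL_LANS = [
    "192.168.1.0/24",
    "192.168.0.0/16",
    "10.0.0.0/8",
    "172.20.10.0/28",
]


def classify_clash(home_lan, local_lan):
    """Return "none", "tunnel-wins" or "shadowed" for a home/local LAN pair."""
    home = ipaddress.ip_network(home_lan)
    local = ipaddress.ip_network(local_lan)
    if not home.overlaps(local):
        return "none"
    # Routing prefers the longer prefix: a home route that is strictly more
    # specific than the directly connected local route still enters the tunnel.
    if home.prefixlen > local.prefixlen:
        return "tunnel-wins"
    # Same or shorter prefix: overlapping addresses are treated as neighbours
    # on the local LAN and never reach the tunnel (ties counted as a clash).
    return "shadowed"


def shadowed_hosts(home_lan, local_lan, home_hosts):
    """List the home hosts that would be looked for on the local LAN instead."""
    if classify_clash(home_lan, local_lan) != "shadowed":
        return []
    local = ipaddress.ip_network(local_lan)
    return [host for host in home_hosts if ipaddress.ip_address(host) in local]


def audit(home_lan, local_lans):
    """Classify one candidate home LAN against every local LAN in the list."""
    return {lan: classify_clash(home_lan, lan) for lan in local_lans}


if __name__ == "__main__":
    for candidate in ("192.168.1.0/24", "10.66.77.0/24"):
        print(candidate, audit(candidate, CONSTRUCTED_LOCAL_LANS))
    # A wide home range is only partly shadowed by a narrower local LAN.
    print(shadowed_hosts("192.168.0.0/16", "192.168.1.0/24",
                         ["192.168.1.10", "192.168.5.10"]))
```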
  18. Manlio

    nemo_outis Guest

    Jim Watt <_way> wrote in
    news::

    >
    > Is OpenVPN a server or a client or both?


    Both

    > Anyway, W2k and XP come with a built-in client and
    > using a router means you do not need a server running
    > so your home ADSL connection can be used from wherever
    > with a secure tunnel through whatever dodgy infrastructure
    > might be around in other people's offices, hotels, etc.


    Yep, should work. I haven't used a Windows VPN client since the old
    insecure PPTP days so I don't know how tricky setup is, compatibility
    issues, etc. They've certainly had enough time to work them out so
    presumably Ipsec is not too hard to set up and is robust, etc.

    > The additional cost of a router with the functionality
    > is offset by the cost of electricity running a server
    > pretty quickly.


    Not all that quickly. A home computer acting as server with monitors,
    etc. asleep/disconnected should burn only 100W (or so). With electricity
    at $0.10/kW-hr (or so) it would take over a year of incremental uptime to
    burn the $100 (or so) that a VPN router might add.

    And it is frequently the case that when you connect remotely you want to
    download/upload files from your home network. In that case the home
    computer would need to have been left running anyway.

    > The only snag I found is that you need to have your
    > network on an infrequently used private IP address
    > block so there is no clash with the hotel wireless
    > LAN side. 192.168.1.x is not a good choice.
    > --


    Good point.

    Regards,
     
    nemo_outis, Sep 28, 2007
    #18
  19. Manlio

    Jim Watt Guest

    On 28 Sep 2007 02:09:23 GMT, "nemo_outis" <> wrote:

    <snip>

    Setting up the MS VPN client is very easy, and takes
    a few clicks.

    Electricity running costs of course vary depending
    where you live, and mine is not cheap, it's around
    $10 per month to run a computer 24/7 plus the noise
    and heat.

    A solar-powered laptop is the green solution
    for a home server :)

    The payback on a VPN router over 'el cheapo' is
    around six months.

    It's the solution I currently use for myself and
    to provide remote support to clients.

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Sep 28, 2007
    #19