Network Security While Traveling?

truesaer writes "I'll be spending all of next year backpacking through South America. In the past I've used Internet cafes while away, but this time I plan to bring a netbook and rely primarily on Wi-Fi hotspots. I'll be facing the same issues and risks that business travelers in hotels and airports face, as well as those encountered by millions of other backpackers, gap-year travelers, and students. Since my trip is so long I'll have no choice but to access my banking, credit card, and investment accounts on public networks. I will not have a system at home to connect through. Other than an effective firewall, a patched system, and the use of SSL, what else should I do to protect my information? Keep in mind that many places have very poor bandwidth and latency."

Re:OpenVPN

[Anonymous Coward]

> I will not have a system at home to connect through

Congratulation for not reading half of the summary.

SSH & SOCKS Proxy

[chazchaz101]

I would recommend purchasing a shell account from a reputable host that will allow you to tunnel your internet traffic over an SSH tunnel/SOCKS proxy. It's really easy to set up using Putty or OpenSSH.

Re:OpenVPN

[Anonymous Coward]

Then he should set up a cheap Linux server. Is his security worth so little to him?

openvpn service

[Anonymous Coward]

You might want to use a service like
http://alwaysvpn.com
or
strongvpn

Tunnel the traffic

[gertin]

Set up a server at home or rent one where you can run OpenVPN and/or SSH and tunnel your traffic through it. OpenVPN supports LZO compression aswell, which might help a bit when you're low on bandwidth. I would also suggest that you encrypt the drive on your netbook with TrueCrypt or similar software in case you loose it.

Re:hello world!

[tokul]

Use VNC? :)

From summary - "Keep in mind that many places have very poor bandwidth and latency."
VNC and SSH are out of question.

Re:dm-crypt

[tuffy]

Enabling Firefox's master password causes it to encrypt one's saved passwords and form data.

Re:OpenVPN

[Cylix]

So it needs to be said regardless, but I feel VPN probably should have sufficed.

There are two solutions to this issue:

a) Do it Yourself!

In this scenario, the individual purchases a term contract with a hosting provider and proceeds to install a VPN solution. This is the most flexible plan available and can be achieved for roughly 10$ or less per month (plus domain costs). The down side to such a solution is that if there is maintenance that must be performed there is really only one mechanic. (unless the mechanic has very good friends or if he is a heartless bastard with no relations to the external world then perhaps a fellow slashdoter will land the man a vpn solution. Never mind he is a freeloader... roaming from country side to country side... possibly infecting your server... and you were just trying to be a nice guy. shame on you)

b) Rent a VPN!

There are countless VPN solutions available for seemingly random values. I have little doubt that an equally cost effective solution can be found. This has the obvious advantage of not having to maintain the VPN solution. The obvious con when compared to solution "A" is that there is certainly no flexibility in this offering. You get what you get. With the economy falling into the virtual comode it is quite likely that any business you place your trust in will either lose all of your information or sale it on the black market. By the time you return you will likely be spammed, identity thieved and otherwise placed with the very best experiences the awful inky darkness that is the bad side of the humanity offers.

Invariably there will be suffering no matter what option you choose.

Regardless, ensure your netbook is protected and if you may wish to utilize a solution I myself rather enjoy. In rather horrible untrusted networks I rely on a lovely Fedora live distribution over usb flash. It doesn't offer much in the way of persistent storage, but for one time transactions it's quite useful.

Re:OpenVPN

[Just Brew It!]

Agreed. If he doesn't want to host it at home for whatever reason (I imagine being gone for a year he may be having his Internet service turned off), he should find a friend or relative who is willing to host the box for him. Provided he uses a modern CPU with decent power management features (or a low-power CPU like Atom), idle power usage should not be a concern.

Once you've got an always-on *NIX server you can connect to, it is a simple matter to use SSH's built-in SOCKS capability to securely tunnel your TCP traffic. This is precisely what I do when I travel.

Really

[copponex]

He should buy some decent fraud/identity theft insurance and just use a reasonably secured distro. All the anguish spent on perfect security is for naught anyway - if someone wants to rob you down there, they're more likely to beat you over the head or hold you hostage than hack into your computer.

Oblig. XKCD: 538 [xkcd.com]

Re:are you sure you're asking the right question?

[Hadlock]

Going traveling for 5 weeks in south america as well. Just bought a netbook. Every single person I've talked to says "blog about it! we want to see your pictures!" -- the truth of the matter is that a netbook is pretty damn tiny and takes up little space (2800 cu in pack) and definitely qualifies as "personal gear". Might as well take it along. Makes backing up my digital pics easier, and makes it easier to check the news (you never know what's going to happen next in venezuela) and communicate with couch surfers. You don't NEED one, but it damn well makes things easier in a pinch.

This "eithier/or" advice is pretty silly

[IANAAC]

Much like the rest of life, it's not simply a "do this, don't do that" thing.

I see nothing wrong with traveling with a netbook - they weigh next to nothing - or even better, something like a Nokia N800/N810. There are plenty of down times where I can see wanting to check email, get in touch with family, whatever.

Having a piece of technology with you while traveling certainly doesn't prevent you from experiencing different cultures and peoples.

Re:Why?

[Anonymous Coward]

Posting Anonymously to not break my mods... I just had to say something about these posts... f-ing recockulous. Yeah "don't be the one at the back of the room with a laptop. Be at the bar talking to people." Dude if you managed to even read the summary, the guy is going away for a year. One year. 365 days. I'm sure he's going to see more of the great outdoors then one would see in 5 years working 9-5...and not too mention that I am a very heavy partier who likes to get down with the get down but even I am not going to drink every night for a year straight. Who are you to tell him that he shouldn't have access to whateverthefuck he wants technology wise and he should drop off the grid? This is a valid question and concern when planning to travel. Don't dumb it down with hypocritical quazi-luddite responses.

Maybe you should take your own advice and get back to us on 11/29/10. Let us know how your non-connected ass is doing. His question was a security model for traveling, but as I see it, you are probably a hell of a lot less secure right this second then he will be in eastbumfuck if he follows some of the good advice posted here. So do us all a favour, put the laptop down and go to a bar.

~cez

Some Advice

[Jahava]

Really, security is best done in layers. The tightest system will be burdensome to operate, so don't take every suggestion you see. Instead, evaluate some basic thoughts, such as:

• Where will my sensitive data be stored?

  Ideally, you want this to be a remote machine, either cloud or at home, with your Notebook acting as a gateway.

• What am I exposing to attackers?

  Be aware of potential vectors of attack (mostly wireless / network based, but don't forget physical access) and have a defense against them.

• How am I protecting my data?

  Ideally, everything (and, more practically, everything sensitive) will pass through some pipe that uses the strongest available encryption.

Here is a general set of guidelines that I use:

1. Are you sure you can't have a computer at home? A cheap decade-old server with a constant internet connection? How about trusted family or friends?

   As others here have mentioned, having pre-exchanged SSH keys and doing all of your sensitive browsing / business over an SSH-tunneled Proxy to a machine back home will do wonders to help with any inherent wi-fi (or untrustworthy ISP) issues.

2. Protect In Advance

   Get your system hardened before you start your journey. Make sure you're running the latest operating system versions with the latest security patches. Make sure you've configured your firewall and updated your antivirus software. Pick a secure software suite to use for your important actions. For any OS, shut down daemons and services that you're not going to need, as each is a potential point of attack.

3. If you are worried about viruses on your machine, only let Virtual Machine snapshots connect to a network

   Buy a USB-based wireless device (they're only $20 or so). Disable the wireless device on your Notebook's OS. Before you leave, build a Virtual Machine [virtualbox.org] running an OS of your choice (Linux works nicely). Install the OS from scratch, boot it, update it, and then open up a browser instance. Configure it so that the USB wireless device is forwarded directly to the VM, and install its drivers in the VM. Snapshot the Virtual Machine's state. When you're travelling, turn off your Notebook's wireless signal the entire time. If you want to use the Internet, plug in the USB wireless device, start your VM, and use the Internet through it. When you're done, shut down the VM and revert its state to the saved snapshot state that you made before you started your trip. This should help ensure that any viruses you are hit with only survive the duration of that single VM session.

4. Encrypt your Hard Drive

   The options vary based on your OS. Any standard encryption scheme will do - complete drive encryption, partition encryption, filesystem-based encryption, etc. The real goal here is to make sure that neither your private files nor your runtime-generated files (Internet history, cookies, etc.) are accessible.

5. Store your Keys Externally

   Buy some cheap USB stick to store your SSH and/or Hard Drive encryption keys separately, and carry it with you at all times. If you're truly paranoid, you can even encrypt its filesystem with a password-based key for extra protection.

6. Don't Suspend / Hibernate your Machine

   Fully power down your Notebook when you're not using it. If you Suspend / Hibernate, not only will memory-resident viruses etc. still be running when you resume, but decrypted information is accessible in-memory, should it be seized in this state.

7. Don't Do Anything Stupid / Illegal

   There are a lot of threats you can face in another country, but it's wisest to stay away from the government-level threats. Don't give them a reason to seize your laptop and you'll have mitigated many truly serious issues.

Keep it simple

[teadrop]

I just returned from my backpacking trip. So here are my tips... If you are using your own laptop, an effective firewall, a patched system, and the use of SSL is all you need. Since you are posting on Slashdot, I assume you are capable of keeping your own laptop clean and secured. In reality the risk of someone stealing your laptop is much higher than the risk of anyone breaking into your laptop, so... 1) Some sort of chains/locks on your backpack is much more important than a VPN. 2) Do not store any password, sensitive documents on your laptop. In case it will be stolen later.. 3) Keep backup of important documents (e.g. scan copy of your travel insurance) in a gmail account... 4) Do not keep all your vacation photos in one laptop, copy it to CD/DVD/cheap USB devices and send it home every few months. 5) Bring a USB drive and backup everything on your harddrive (including your vacation photos), store the USB drive in a different location (e.g. inside your main backpack) If you are really desperate and have to access your bank in an internet cafe, here's what you can do... 1) To make it harder for key loggers to steal your password, scramble your url/password using your mouse. e.g. if your password is ILovePizza, you can type IHatePizza, highlight the word "Hate" with your mouse, click delete and type "Love" instead. It's not 100% secured, but it's better than nothing. 2) As soon as you reach a safe location, change your password.

Clean install WITHOUT encryption

[Anonymous Coward]

Whenever I travel, I wipe my harddrive and put a clean install of Windows. This protects both against border protection and thieves. It's not that I have something highly confidential or illegal on there, I just don't want my data stolen by anyone. While encryption will protect you against thieves, you're likely to be in more trouble if border protection finds it and you're never going to be able to prove you have no hidden encrypted partitions on there. To make sure no sensitive usage data is left on the device, run everything in a sandbox and wipe the sandbox contents afterwards.

Whenever I use a network, I use a trusted VPN service.

Re:dm-crypt

[grouchyDude]

Great idea if you don't do much. If you have multiple banks or other equivalently-important accounts then it's very tricky. If you use long secure non-algorithmic passwords and won't be able to visit the bank to re-init them, the keeping them recorded in encrypted form would be my choice. That way if you can't recall them all, or briefly forget one, you can recover them so long as you remember at least the master password.

Re:SSH & SOCKS Proxy

[emj]

Remember to tunnel the DNS requests over the SSH connection as well, in firefox after setting up Socks5 proxy goto about:config. Change this to true: network.proxy.socks_remote_dns

For homebanking, etc..

[nunoloureiro]

For homebanking and similar sites, in order to prevent man-in-the-middle attacks, make sure you bookmark the HTTPS URL, so the first hit on the bank's httpd is HTTPS and not HTTP. Also, add the address of your homebanking to /etc/hosts, so you don't really rely on DNS for that.

Re:Why will you not have a system at home?

[phantomcircuit]

Possibly because he won't have a 'home' during his travels? I mean why pay rent when you're not there?

wrong question

[bcrowell]

I've spent a month in Ecuador, and in my experience, the OP is focusing on the wrong problem. Backpacking in South America means being around a lot of people who make less money in a year than you make in a week. On this trip, I had a pair of prescription sunglasses and a pair of nice gore-tex hiking boots, and they constantly made me the focus of attention from people who wanted to know how much they cost, etc. One time coming down a trail in the Andes, I passed a kid who looked like he was about 12, chopping bananas with a machete. He said, "Dime los lentos," meaning "Give me the glasses." I just increased my hiking speed, and it turned out that he didn't hack me to death. So carrying a netbook in this social environment does bring up a whole bunch of issues about being victimized, but they aren't issues with having your PayPal password stolen, they're issues with getting mugged by someone who wants your computer, which is worth more than they make make in several months. My advice is not to bring the netbook. If you're worried about keyloggers in internet cafes, bring a bootable CD.

Re:SSH & SOCKS Proxy

[z0idberg]

Second this option. Quite easy to setup, this guide spells it out:
http://thinkhole.org/wp/2006/05/10/howto-secure-firefox-and-im-with-putty/ [thinkhole.org]

Re:SSH & SOCKS Proxy

[Niten]

That's a good thought, but the problem is that tunneling TCP over TCP (such as HTTP over SSH) is subject to the TCP retransmission cascading effect, a.k.a. TCP-over-TCP meltdown [sites.inka.de], which is particularly likely to be a problem for him given the kind of Internet connections he may be stuck with on his travels.

It would be better to tunnel over a protocol that does not attempt to ensure reliable transport, such as UDP or pure IPsec. So I agree with you that he should find some inexpensive, reputable host to use as his endpoint, but I recommend that he use OpenVPN over UDP rather than SSH over TCP for his tunnel. OpenVPN is easy to set up, penetrates NATs well, and will be compatible with pretty much any inexpensive VPS provider (but be sure to check with potential hosts' terms of services first to make sure they're OK with tunneling your personal web browsing traffic through their servers).

Dreamhost + SSH

[horatio]

You said you don't have anything at home to tunnel through. Assuming that VPN really isn't a viable option, you can use ssh with a hosting provider like dreamhost (or a buddy's state-side server) to run a SOCKS proxy. The downside is that whatever app you're running (afaik) needs to understand how to use a SOCKS proxy, which Firefox/Safari/IE all do, as well as several of the more well-known IM apps like GAIM.

from your local system: $ ssh -D1080 yourserver.dreamhost.com (or use PuTTY if you're on windows, and set up a dynamic port forward)

If you're in OS X, use your system>network settings to set up a global SOCKS proxy, which Safari will automagically use. If you're in Windows, use Firefox's proxy settings (Tools > Options > Advanced > Network > Settings > Manual Proxy Config)

your SOCKS host is localhost, and the port is 1080 (or whatever you pick when you're creating the tunnel).

There are a couple of tricks to this. One is that you can't connect to anything as long as your settings specify to use a SOCKS proxy and the tunnel isn't open. For the places that have the "welcome to our intarweb access" redirects, you'll want to disable the SOCKS proxy settings until you get through that finished. Otherwise, you won't be able to open the tunnel, and it will appear as if you can't connect to anything. Firefox has a QuickProxy [mozilla.org] addon which makes this easier.

The second is that you can make sure that the proxy is active by a) visiting a "check my IP address" site to make sure it is showing up as your hosting provider or b) killing the tunnel and all web traffic should stop working.

more info [livejournal.com]

Re:Why?

[Anarchduke]

He could always torrent 30 GB of porn onto a couple of flash drives, then he wouldn't need internet access.

IronKey

[medotsteve]

IronKey is an encrypted USB drive--strong encryption (i.e. passes DoD standards). The drive will allow you to store all of your personal data. In addition the drive has a a Firefox Web browser installed, so you never have to run a hotels (etc..) software. With the embeded browser you connect to the IronKey's Secure Sessions service. The service acts like a proxy Web server and triple encrypts your surfing traffic. The service also uses secure DNS services. One of the coolest features is that it stores all of your passwords on the drive. You never have to worry about keystroke logging because the IronKey This product sounds like a wini-win for the global traveler, or even a modest business traveler.

Use hotspot shield. Its free and secure.

[circuitworx]

http://www.hotspotshield.com/ [hotspotshield.com] . I use them all the time when I am traveling. They have a nice free client on their site and if you do not want to install their client you can just configure a vpn link manually.

Witopia

[madfilipino]

Witopia [witopia.net] is what you need.

$40/year. Use it!

You're welcome.

Re:wrong question

[dalmiroy2k]

"Dame los lentes"

Re:are you sure you're asking the right question?

[truesaer]

In the past I've never brought a computer. And I don't plan to be attached to my laptop. It's a matter of being able to research destinations, book hostels, send email to family so they know I'm not dead, offload my photos from my digital camera to a larger storage device, etc. Plus, consider that if accessing my bank account on my own netbook over wireless is risky, accessing the same account in some guy's internet cafe is much more dangerous - who knows what keyloggers and spyware could be running on that.

I've been to South America several times on short trips, so I know how to let go of home and just enjoy myself. In fact that's why I'm going for a year this time...I'm quitting my job, selling everything I own, and I'll have nothing on my mind but the present. For the first time since...middle school maybe? I'm 29 now so I'm not sure what it's even going to be like to have no plans for the future!

Give power of attorney to a trusted person

[watergeus]

...and do your bank-business with this person via email or telephone.

And yes, you should keep notes of all the expenses you make with your credit-card and communicate this with your trusted person. A debit-card and ATM-machines work better, most of the times. (Mastercard or Visa). Use only ATM-machines in banks during office-hours.

If you want to be connected:
In most of the Latin countries you can get prepaid "Banda Hancha". Most of them work with a Huawei-modem.

"Keep in mind that many places have very poor bandwidth and latency."

I don't know what this has to do with security of your data.

It is also not my personal experience. (I live in rural South Chile). To get a new release of my OS takes 24 hours on broadband. If I go to the next village, I'm ready in an hour by hooking up my laptop to the Internet-Cafe infrastructure.

If you want to keep a blog, do it via http://www.posterous.com./ [www.posterous.com] Blogging via email, perfect if you don't know when you will hook up to the Internet again. Of course you use an email-client.

Don't let them steal your netbook but realize it can happen.

Re:Evil is behind every corner

[Anonymous Coward]

I've been living in South America (Argentina) for about 4 years and I can tell you that every time that I run my netbook in some cafe or McDonalds I can see plenty of rogue APs running Karma + metasploit doing nasty things (probably SSLStrip+ettercap too).

Just using SSL won't save you, even here.

Other Security Tips

[ChePibe]

I've lived (not backpacked, lived) in South America for about two and a half years - the slums on the outskirts of Buenos Aires for two years, a couple of months in Lima and three months in a nice spot in Santiago.

The IT issues have been covered well enough. Here are a few additional ideas:

- Ditch the nice, expensive backpack and luggage. Go to the Army surplus store and buy your luggage there. Or something like this [amazon.com] for walking around and day to day use. Avoid military emblems, but definitely go for that "beat to hell" look. Big expensive North Face bags draw the eyes of thieves. Dusty old rucksacks don't. The same goes for looking like a walking, talking North Face commercial with your clothing.
- Learn the language. Spanish and Portuguese are the obvious two. Know the basics, and be sure you can ask directions.
- Check visa requirements for each country and register with the State Department to receive travel and security updates on each country. These are immensely useful for avoiding difficult situations.
- Understand what the embassy can do for you. If you get arrested, mugged, or run into most problems overseas, the answer is "not much".
- Be VERY careful with taxis. "Express" kidnappings are quite common through most of South America - haggle for taxis and always, always use a service if you can, just to be on the safe side. Most major shopping centers and many big commercial bus stops have their own services. They cost about double what others charge, but it's worth it to avoid getting robbed.
- Ignore touts and always make your lodging arrangements in advance.
- Keep your eyes open and, if you can, travel in a group.

Have a lot of fun and do me a favor - walk down 9 de Julio while eating a good Havana alfajor ;-)

Re:OpenVPN

[jetole]

You missed my point, yes you can route all your traffic through OpenVPN but what does that accomplish? Yes people people on the wifi can no longer sniff your traffic but it's an utter joke to think you have solved your security woes with that. What happens is you have a encrypted connection of all traffic from the wifi to your home/VPS/office/whatever but every hop on the route between your endpoint on the route is a spot where your traffic can be sniffed. If you don't appreciate the security concern here then you might as well not bother protecting yourself on the wifi in the first place. SSL will stop people at a wifi location just as well as it will stop people at your home/office/VPS/whatever and if you are using SSL to connect to these locations then the VPN is pointless for security and if you are not using SSL then the VPN is still pointless for security. As I already mentioned "OpenVPN was not designed to provide a proxy service to secure all your connections to everything else in the world but only between locations that you own."

Re:are you sure you're asking the right question?

[pjt33]

Backing up your digital pics isn't that hard anyway. Any city will have loads of shops where you can get the contents of your SD card burned to CD while you wait. Get two copies and you can post one home (or to parents or a friend) as a precaution against physical loss.

Re:Use hotspot shield. Its free and secure.

[AugustFalcon]

I went to the link you provided and looked at two pages served up by their website and after reading their terms of use I am not so sure that I would trust them for the following reasons:

1. They provide no way to contact them directly from their website and no FAQ. Perhaps they do with their client software but I don't think it is very smart to download and install it blind.

2. In paragraph numbered 1 of their Terms of Use they claim that they have a Privacy Policy because "my privacy is important"and that it is linked from the bottom of each page on their site. Well neither of the pages I viewed had such a link! And, of course, by merely accessing their site I agree to their terms of use including their un-findable and therefore unreadable Privacy Policy.

3. Their Terms of Use also includes language basically designed to prevent the posting of any information critical of the site.

4. Finally their Terms of Use seem to prevent the posting of a url pointing to their site without their express written consent. So, unless you had that when you posted the link you may be in violation of their Terms of Use if you are a user of their site. (Of course, maybe I'm wrong about that portion of their Terms of Use but I don't want to go back to their site and check because I might be correct since I now know what their Terms of Use include and I do not wish to be bound by them.)

Conclusion - probably over-lawyered and sloppy site design, i.e., they haven't followed their own rules. So, why would I want to trust them?

Encryption Legal Issues

[internetsdave]

I'm not a legal expert (nor have I read all the way down the comments), but just so OP is aware some countries place restrictions on what encryption can and cannot be used on computers within the country. Wherever you go, if you are planning on using encryption of some form (which you should) be aware of the local laws. Its pretty unlikely that the secret police are gonna haul you off to jail, but your computer may get confiscated if it is found to have illegal encryption on it.

IronKey

[trbarry]

I have my netbook using full system encryption with TrueCrypt, with KeyPass for a further level of safe password storage. I also now have an OpenVPN server at home I can connect through.

However before I set up the OpenVPN server I used an IronKey flash drive for safer and more anonymous web browsing. This is a flash drive with built in hardware AES encryption. It comes with a modified version of Mozilla Firebird set up to use that encryption to go through a private TOR network gateway set up by the company. A subscription is included free with the IronKey. It slowed things down a bit but seemed to work. http://www.ironkey.com/personal/ [ironkey.com].

- Tom

3G!

[kismet666]

3G service is everywhere down here. I don't know where you will be, how many countries you'll visit, etc. If you're going to spend a significant amount of time in specific countries consider getting a pre-paid 3G USB modem when you're going to be in one for a while. In Argentina Claro (http://www.claro.com.ar) offers such a service, I pay about $50 per month for unlimited data, I'm not sure how economical the pre-paid options are. Telecom costs very widely between countries down here, Argentina tends to be one of the most expensive. Some good countermeasures have been suggested: firewall, patches, antimalware are all critical. Its a hassle but if you're using public WiFi you should change passwords for your financial accounts frequently. You should encrypt your sensitive data, and backup to an external disk regularly, laptop theft is fairly common.

Iodine

[PetiePooo]

You need a home base. A $50-60 OpenWRT box is enough if you don't have a spare PC laying around. I'd suggest running the following servers:
OpenSSH + Squid (or tinyproxy) - SSH:22 and basic HTTP proxying via an SSH tunnel
OpenVPN - for an easier remote experience (both UDP:1194 and TCP:443)
HttpTunnel - When only HTTP:80 requests are allowed from your AP
iodine - When only DNS:53 requests are allowed (eg. captive portal)

I'd also suggest full disk encryption on your PC/Mac.