Network Security While Traveling?
truesaer writes "I'll be spending all of next year backpacking through South America. In the past I've used Internet cafes while away, but this time I plan to bring a netbook and rely primarily on Wi-Fi hotspots. I'll be facing the same issues and risks that business travelers in hotels and airports face, as well as those encountered by millions of other backpackers, gap-year travelers, and students. Since my trip is so long I'll have no choice but to access my banking, credit card, and investment accounts on public networks. I will not have a system at home to connect through. Other than an effective firewall, a patched system, and the use of SSL, what else should I do to protect my information? Keep in mind that many places have very poor bandwidth and latency."
dm-crypt (Score:5, Insightful)
All network security is for naught when someone can just steal your netbook and read all the passwords and form data that firefox helpfully remembers for you. You have to make sure that your firefox profile directory (as well as all other confidential data, like passwords and bank statement pdfs) is stored on an encrypted block device. On Linux, a loopback device encrypted with dm-crypt works well.
Re:OpenVPN (Score:1, Insightful)
I'm sure that the GP read the summary - what he's really saying is "you don't have a system at home to connect through, so time to get one".
Re:hello world! (Score:3, Insightful)
To where? As he said in the summary, "I will not have a system at home to connect through."
are you sure you're asking the right question? (Score:1, Insightful)
you're going travelling, to experience new cultures, people and ideas
put down the computer; the world won't end if you can't access slashdot and your email for a few months
i'm sure there are many ways to get around not having internet access - use phone banking, get your bank to automatically pay off your c card, use internet cafes for email (if you really must), or use a phone to call people.
why on earth you feel a need to access your investment account from the depths of south america, i'm not sure.
Re:OpenVPN (Score:4, Insightful)
Most Ask Slashdot problems are solved by throwing out the most ridiculous requirement. Usually this is because the poster has logic-ed themselves into a blind spot. The classic where-are-my-glasses-I've-searched-everywhere-oh-here-they-are-in-my-hand kind of a thing.
In this case, the "no system at home" requirement is the offender. Just set up an old linux box with a friend, and like the GP said, VPN to it. You do have friends, don't you? Family? Non-tech savvy coworkers who won't question that computer case with the post-it note that says DO NOT DISCONNECT?
Why? (Score:1, Insightful)
Since my trip is so long I'll have no choice but to access my banking, credit card, and investment accounts on public networks.
If you're stuck in the middle of Machu Picchu do you really want to be looking for a Wifi network so that you can poke around with your "investment accounts"?
When you're at the lodge after a hard day's sightseeing, don't be the one at the back of the room with a laptop. Be at the bar talking to people.
You've only had the option to stay connected in this way for the last few years or so - why not think back to how people used to manage 10 years or more ago? The answer then was to set stuff up before you set off and rely on that.
Re:dm-crypt (Score:5, Insightful)
Privacy has some monetary cost, just like travel! (Score:5, Insightful)
"I will not have a system at home to connect through."
Then get one if you're concerned about your privacy. Really, are your bank details not worth ten or twelve bucks a month for a virtual server somewhere?
Any VPN provider will do (Score:4, Insightful)
I've tried SwissVPN (http://www.swissvpn.net/) and had good experiences (about 6$/month on a prepaid basis, no limits).
Re:are you sure you're asking the right question? (Score:2, Insightful)
Why on Earth you feel the need to tell a perfect stranger how to travel, I'm not sure. Why not just trust the guy and answer the question instead of responding in a smug condescending manner?
I'd suggest booting a security-oriented "live" linux distro from a CD/DVD/thumb drive when accessing untrusted networks. This means caches are gone when the power is turned off - no passwords/account numbers/etc floating around on the hard drive. If the distro boots with sane firewall settings, has ssh installed, etc, the poster should be fine.
Re:are you sure you're asking the right question? (Score:5, Insightful)
Backpacking through South America doesn't mean OP is spending 5 months in the middle of the Amazon. Besides, how does internet access limit it? Oh, right, it doesn't. And phones aren't technology? Is this Slashdot or some sort of faux-luddite assembly?
And the assumptions continue! (Score:4, Insightful)
Re:Phone banking? (Score:4, Insightful)
My credit union still has a system for doing much of my banking over a phone line. I'd rather take my bets on the security through the phone lines than the interwebs.
Because touch tones are so much more difficult to intercept than 128 bit SSL secured connections??
Re:Keep it simple (Score:2, Insightful)
I just returned from my backpacking trip. So here are my tips... If you are using your own laptop, an effective firewall, a patched system, and the use of SSL is all you need. Since you are posting on Slashdot, I assume you are capable of keeping your own laptop clean and secured.
It can be rather difficult keeping your system up to date with only sporadic and slow internet available though.
Something to check on (Score:2, Insightful)
Re:dm-crypt (Score:2, Insightful)
The entire point of encrypting personal passwords is to keep Larry-the-thug from casually reading them, he doesn't have the resources (or even the inclination!) to brute force them. If someone interested in brute forcing AES has your laptop, it is likely that you also have some bigger problems than worrying about whether they can actually do it.
Re:SSH & SOCKS Proxy (Score:3, Insightful)
Your biggest security concerns while on travel should be more along the lines of getting your immunizations up to date and avoiding staying out after dark.
Re:are you sure you're asking the right question? (Score:2, Insightful)
Every single person I've talked to says "blog about it!. . ."
Are they paying you?
Re:dm-crypt (Score:1, Insightful)
If the thief can't monetize the files within 5 minutes he won't bother. That's how locks work. No lock in the world can stand a dedicated thief. But if they can't enter your house within 5 minutes they go to your neighbor.
You don't have to outrun the lion, only the guy next to you.
Forget all these technical solutions (Score:3, Insightful)
I have a simple suggestion that eliminates all the security risks you are worrying about: write an expiring power of attorney for your mom (or other trusted friend or relative). It will be cheaper and more reliable, and mom might even like to get the occasional phone call while you're backpacking across the continent.
Re:Privacy has some monetary cost, just like trave (Score:3, Insightful)
And how does that help? Let's assume that he manually assigns DNS servers (so that no local server being compromised would be a problem), and that the computer itself isn't compromised, how would a virtual server somewhere improve security? It's an encrypted connection to his bank. It's an encrypted connection to his email. It's an encrypted connection to his bills. If he only uses SSL, and the computer isn't stolen or infected, what possible means of attacks do you think will be done? Sure, there are some possible. But actually being exploited in third world countries waiting for the rare traveler who thinks their SSL is unbreakable? Really? I'd bet that he could have all of his communications be unencrypted and wouldn't have a problem. The largest problem is having the computer stolen and something in cache or a password manager falling into the wrong hands. The "possible" attacks that are never done shouldn't be considered. Good security is knowing that nothing is ever 100% safe and allocating resources intelligently to reduce the risk. Making a checklist with no regard to the likelihood of attack then working down the list in alphabetical order is *bad* security. Even if effective, it is a bad policy and not how things should be done.
Re:Some Advice (Score:4, Insightful)
Or #1. SSL to a bank site is insecure, but SSH to your home system is more secure? By a difference enough to make it worth the trouble setting it up? Really?
#5 What keys? He knows his passwords. He has sites like Bank of America where they authenticate themselves to him with pictures to make sure he's on the right site, so he's not getting phished. Maybe have a DNS server of his own manually coded, and could even run occasional traceroutes to make sure there isn't something doing a DNS redirect. But to have to carry keys with you to check a couple secure sites? Overkill.
#6. You think a virus will infect your machine, and a reboot will clear it? Then we should be free of viruses everywhere on the planet if we just all reboot our computers at midnight tonight. And this is the guy you are claiming is informative? Reboots as a security measure? And if you are worried about resuming from suspend, put a stupid password on it. There isn't much commercially available that will beat that (in terms of gaining access to the contents of RAM, programs open and such, not in terms of compromising the machine). Sure, if the US government were after him and willing to spend millions, I'm sure they could read the RAM state of a computer without logging in after a resume.
#7. Irrelevant to the issue of keeping his bank account secure. Sure, they'll get his computer, but if you have the governments start breaking into people's private bank accounts across international lines, they'll be opening a huge can of worms. That's a completely useless piece of advice in terms of protecting the account details he types into the computer for the bank sites and bills he was talking about. Unless you are worried Chile will break into his phonebill and pay it.
Re:SSH & SOCKS Proxy (Score:4, Insightful)
Except SSH tunneling or SOCKS proxying (over SSH) don't do TCP-over-TCP. Instead, using an SSH tunnel, the application creates a TCP connection to localhost, the SSH program then takes the data from that connection and forwards it to the destination over its own TCP connection, where the SSH daemon makes a connection on your behalf. No TCP-over-TCP, just handing data over multiple TCP links.
Ditto with a proxy - the app connects to the proxy server, the server makes a new connection on your behalf, and bridges the data between your application and the destination.
In fact, if you can properly buffer the connections, this can lead to higher throughput as a high latency link can be hidden by the proxy servers which locally ACK the packets, and the high-latency link can have data blasted through with different TCP settings that allow for high bandwidth-delay products.
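The relaying described in the comment above, as an added example that is not part of the original post: a loopback relay stands in for the ssh client/sshd pair (no encryption here), and the application's TCP connection ends at the relay while a second, independent connection carries the bytes on. The upper-casing destination server and all function names are constructed for the illustration.

```python
import socket
from threading import Thread

def serve(handler):
    """Listen on a loopback port; run handler(conn) in a thread per connection."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))          # loopback only, OS-chosen port
    listener.listen()
    def loop():
        while True:
            conn, _ = listener.accept()
            Thread(target=handler, args=(conn,), daemon=True).start()
    Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1]

def pipe(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then pass the EOF on."""
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    dst.shutdown(socket.SHUT_WR)

def upper_server(conn):
    # Constructed stand-in for the destination: upper-cases what it receives.
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data.upper())

def make_relay(dest_port):
    """Stand-in for the ssh client/sshd pair: bridges two separate TCP links."""
    def handle(client):
        # Connection 1 (app -> relay) ends here; connection 2 is opened fresh,
        # with its own handshake, ACKs and retransmission timers.
        with client, socket.create_connection(("127.0.0.1", dest_port)) as upstream:
            Thread(target=pipe, args=(client, upstream), daemon=True).start()
            pipe(upstream, client)
    return handle

def round_trip(payload):
    """Send payload app -> relay -> destination and return the reply."""
    dest_port = serve(upper_server)
    relay_port = serve(make_relay(dest_port))
    with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as app:
        app.sendall(payload)
        app.shutdown(socket.SHUT_WR)          # finished sending
        return b"".join(iter(lambda: app.recv(4096), b""))

if __name__ == "__main__":
    print(round_trip(b"hello over two tcp hops"))
```

Only payload bytes cross the relay, so a lost segment on one hop is retransmitted on that hop alone, which is why this arrangement avoids the stacked-retransmission problem of TCP-over-TCP.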
Encrypt everything, authenticate all you can. (Score:3, Insightful)
I doubt DNSSEC will be widely available before your trip, but if you can find a service that will provide it to you, use it. Never trust new SSL certificates while you are on your trip. If you visit sites with self-signed certificates, get them all trusted by your browser before you leave. I've seen a few anecdotal reports from people who complain that their bank suddenly begins asking them to trust a new SSL certificate (which is a bad sign in the first place, since it should be trusted by one of the built-in CAs) when they were using a particular free wireless hot spot that was apparently trying to spoof SSL certificates for phishing. Make sure none of your netbook software is vulnerable to the null-prefix attack on SSL certificates. Watch out for shoulder-surfers when using your banking/financial sites. Use full HTTPS URLs when accessing sites, e.g. "https://www.bank.com" and bookmark them to avoid simple mistakes like typing "bank.com" in a browser, getting a poisoned DNS record for an attacker's site that is then fetched via HTTP and begins a man-in-the-middle attack on you.
Don't install new software unless you can be absolutely certain that it hasn't been modified during download. If you use Windows, about the best you can do is only download software over HTTPS and then check the md5sum if it's also published via HTTPS. AFAIK, Windows Update and the Firefox automatic-update process are secure. Most Linux package managers use PGP keys to verify packages downloaded from repositories, so if you use Linux on your netbook make sure you have all the PGP keys of the repositories you are going to use installed before you leave for your trip. Bring a fresh copy of the installation media (including necessary drivers and the latest version of Firefox) for the netbook, just in case the OS does get compromised or corrupted for some reason and you have to start from scratch. If you have anything you can't stand losing, back it up to an online service whenever you have the chance. Make sure those backups are encrypted.
Beware of drive-by installs of malware from MITM (man in the middle) modified HTTP sites. Avoid enabling flash, if you can, considering that every few months there's a new remotely exploitable hole found in it. Ad, javascript and flash blockers would be a good idea for all but trusted sites. If you think your email should be private, use PGP/gpg. If you think your email should be semi-private (e.g. the local ISP/hot spot can't read it, but just about anyone else could if they wanted), use webmail over HTTPS. Occasionally check major security sites in case a new zero-day exploit comes out that your software/OS is vulnerable to.
A remote hosted VPN that others suggested will be useful for pretending that your netbook is connected to the Internet in a country of your choosing. DNS might be a little more trustworthy over a VPN, but attacks can be staged against the box running your VPN, too. There are some poorly designed "secure" sites that download some content (images, scripts, flash, who knows) over HTTP instead of HTTPS, and a VPN can protect you from locally injected attacks against those broken sites. Beware of HTTP pages that submit login credentials via javascript or a form to an HTTPS page; the HTTP site can be modified in transit to submit the credentials to an attacker. The more popular and valuable a site is, the more likely there is some scumbag running an attack for it on their free wireless, so double check the SSL protection
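A check for the two page-level weaknesses the comment above describes, as an added example that is not part of the original post: HTTPS pages that pull scripts, images or plugin content over plain HTTP, and password fields served on an HTTP page even when the form posts to HTTPS. The class and function names, the finding labels and the `.example` sample pages are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser fetch or run content in the page.
FETCHING = {"script": "src", "img": "src", "iframe": "src",
            "embed": "src", "object": "data"}

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlparse(page_url).scheme == "https"
        self.form_action = None       # absolute action URL of the open <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = FETCHING.get(tag)
        if attr and a.get(attr):
            url = urljoin(self.page_url, a[attr])
            if self.page_is_https and urlparse(url).scheme == "http":
                self.findings.append(("insecure-subresource", tag, url))
        elif tag == "form":
            # A missing action means the form posts back to the page itself.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            target = self.form_action or self.page_url
            if not self.page_is_https:
                # The page can be rewritten in transit, whatever the action says.
                self.findings.append(("password-form-on-http-page", tag, target))
            elif urlparse(target).scheme == "http":
                self.findings.append(("password-posted-over-http", tag, target))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    """Return (kind, tag, url) findings for one already-fetched page."""
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages.
BANK_HTTPS = """<html><body>
<script src="http://static.bank.example/menu.js"></script>
<img src="/logo.png"><embed src="http://ads.example/banner.swf">
<form action="/login"><input type="password" name="pw"></form></body></html>"""
SHOP_HTTP = """<form action="https://secure.shop.example/login">
<input type="text" name="u"><input type="password" name="p"></form>"""
```

Calling `audit("https://www.bank.example/", BANK_HTTPS)` reports the HTTP script and plugin loads, and `audit("http://www.shop.example/", SHOP_HTTP)` reports the password field even though its form action is HTTPS.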
Re:OpenVPN (Score:2, Insightful)
Wrong worry. (Score:3, Insightful)
Data theft should be your last worry.
First worry: Physical item security (your wallet, your mobile phone, your netbook, your backpack)
Second worry: Self security (getting kidnapped for ransom/assaulted/mugged after being seen with all of above)
They are not gonna sit around trying to crack your SSL connection. They are gonna notice your netbook and mobile phone and the fact that you are staying at a hotel that offers WiFi to its guests and they are gonna come steal all your stuff or worse, you.
Stop thinking like a geek and start thinking like a traveler.