7379126
story
Comments: 312 +- Ask Slashdot: Network Security While Traveling? on Sunday November 29, @04:08PM
Posted
by
kdawson
on Sunday November 29, @04:08PM
from the moving-duck dept.
from the moving-duck dept.
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
truesaer writes "I'll be spending all of next year backpacking through South America. In the past I've used Internet cafes while away, but this time I plan to bring a netbook and rely primarily on Wi-Fi hotspots. I'll be facing the same issues and risks that business travelers in hotels and airports face, as well as those encountered by millions of other backpackers, gap-year travelers, and students. Since my trip is so long I'll have no choice but to access my banking, credit card, and investment accounts on public networks. I will not have a system at home to connect through. Other than an effective firewall, a patched system, and the use of SSL, what else should I do to protect my information? Keep in mind that many places have very poor bandwidth and latency."
Related Stories
Necessity is a mother.
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.
SSH & SOCKS Proxy (Score:5, Informative)
Re:SSH & SOCKS Proxy (Score:5, Informative)
Parent
Re: (Score:3, Informative)
Second this option. Quite easy to setup, this guide spells it out:
http://thinkhole.org/wp/2006/05/10/howto-secure-firefox-and-im-with-putty/ [thinkhole.org]
Re:SSH & SOCKS Proxy (Score:4, Informative)
That's a good thought, but the problem is that tunneling TCP over TCP (such as HTTP over SSH) is subject to the TCP retransmission cascading effect, a.k.a. TCP-over-TCP meltdown [sites.inka.de], which is particularly likely to be a problem for him given the kind of Internet connections he may be stuck with on his travels.
It would be better to tunnel over a protocol that does not attempt to ensure reliable transport, such as UDP or pure IPsec. So I agree with you that he should find some inexpensive, reputable host to use as his endpoint, but I recommend that he use OpenVPN over UDP rather than SSH over TCP for his tunnel. OpenVPN is easy to set up, penetrates NATs well, and will be compatible with pretty much any inexpensive VPS provider (but be sure to check with potential hosts' terms of services first to make sure they're OK with tunneling your personal web browsing traffic through their servers).
Parent
Re:SSH & SOCKS Proxy (Score:4, Insightful)
Except SSH tunneling or SOCKS proxying (over SSH) don't do TCP-over-TCP. Instead, using an SSH tunnel, the application creates a TCP connection to localhost, the SSH program then takes the data from that connection and forwards it to the destination over its own TCP connection, where the SSH daemon makes a connection on your behalf. No TCP-over-TCP, just handing data over multiple TCP links.
Ditto with a proxy - the app connects to the proxy server, the server makes a new connection on your behalf, and bridges the data between your application and the destination.
In fact, if you can properly buffer the connections, this can lead to higher throughput as a high latency link can be hidden by the proxy servers which locally ACK the packets, and the high-latency link can have data blasted through with different TCP settings that allow for high bandwidth-delay products.
Parent
Re: (Score:3, Insightful)
Your biggest security concerns while on travel should be more along the lines of getting your immunizations up to date and avoiding staying out after dark.
dm-crypt (Score:5, Insightful)
All network security is for naught when someone can just steal your netbook and read all the passwords and form data that firefox helpfully remembers for you. You have to make sure that your firefox profile directory (as well as all other confidential data, like passwords and bank statement pdfs) is stored on an encrypted block device. On Linux, a loopback device encrypted with dm-crypt works well.
Re:dm-crypt (Score:5, Informative)
Enabling Firefox's master password causes it to encrypt one's saved passwords and form data.
Parent
Re:dm-crypt (Score:5, Insightful)
Parent
Re: (Score:3)
Ahh, good security. There was a "what's the best way to store my passwords" thread a few weeks ago, and I said the same thing. It doesn't really matter, I give this guy a week before his laptop, phone, and wallet are stolen, and his body is tossed out in god forsaken nowhere. They'll have free reign on his accounts for weeks before anyone realizes that he hasn't checked in, and even longer before his next of kin convince the banks to lock down his accounts.
Why will you not have a system at home? (Score:3, Interesting)
Re: (Score:3, Informative)
Possibly because he won't have a 'home' during his travels? I mean why pay rent when you're not there?
Re:Long trips... It's more difficult (Score:5, Interesting)
That sums it up pretty well...no home, parents that can only operate a power button, and troubleshooting via phone from Guyana could be tricky even if I were to leave a machine with a tech-savvy friend. VPNing to a hosted machine didn't occur to me for whatever reason, I'll probably look into that. This is probably an area where compromises will have to be made, but my first step is to avoid any potential complications because they'll be a real pain to deal with.
Parent
openvpn service (Score:4, Informative)
You might want to use a service like
http://alwaysvpn.com
or
strongvpn
Tunnel the traffic (Score:4, Informative)
Encrypt your netbook, park data in the cloud (Score:3, Interesting)
Assume you will lose your netbook at some point: encrypt the entire thing using truecrypt or similar, and make sure you can access vital data from somewhere else: either use dropbox, or use google docs, or whatever.
Privacy has some monetary cost, just like travel! (Score:5, Insightful)
"I will not have a system at home to connect through."
Then get one if you're concerned about your privacy. Really, are your bank details not worth ten or twelve bucks a month for a virtual server somewhere?
Not a lot (Score:5, Interesting)
There's not much you can do, this is why SSL saves millions of people's asses everyday - just be ultra-suspicious of any warnings that you don't normally get. This is why everyone has a "trusted" network piped into their house by their ISP, and why they get so uppity when that trust is abused (DNS redirection, deep packet inspection, traffic analysis, advertisement insertion etc).
Have a software firewall at *ALL* times that distrusts everything... on Windows I use Zonealarm with everything set to "Internet" and all the high-security settings for that (only exception is an OpenVPN interface which can *obviously* only be my remote access into my trusted networks at home - I let OpenVPN - the program - connect to the Internet and I let the OpenVPN interface do whatever the hell it wants ["trusted"], and obviously have all the checks enabled for certificate-authentication to get onto my home network). On Linux, that's just bog-standard iptables doing its job the same as ever.
I don't expect anything non-SSL to be secure by default. I treat it as if I was using Tor in that respect. Make sure you have Gmail or whatever set to "always use https". If you want anything better than that (i.e. email, IM, http, etc. traffic), or better assurance overall, you have to have a VPN to be safe.
My OpenVPN automatically deletes other routes except for the essential ones and adds a default route through my VPN interface so when connected to home I *know* everything has to be using the VPN to communicate in that instance (hate the idea that if OpenVPN dies, there might be "another" route lurking which sends things out on another interface - I've seen it happen with some "automatic" configurations on Windows).
I often game over an OpenVPN instance, even when playing locally, so don't take heed of the rubbish about it being too costly in latency terms - of course, if you are in a foreign country and relaying to another, it will lag, but the actual overhead is not much worse than just ordinary IP routing to your destination.
Basically - SSL in some form or another, whether that's direct or over a VPN... otherwise you cannot trust things. Of course, millions of people trust ordinary wifi points all over the world, all day, every day. If you decide to follow their lead, that's up to you.
Any VPN provider will do (Score:4, Insightful)
I've tried SwissVPN (http://www.swissvpn.net/) and had good experiences (about 6$/month on a prepaid basis, no limits).
Re: (Score:3, Funny)
I heard it was full of holes! ;)
Some Advice (Score:5, Informative)
Ideally, you want this to be a remote machine, either cloud or at home, with your Notebook acting as a gateway.
Be aware of potential vectors of attack (mostly wireless / network based, but don't forget physical access) and have a defense against them.
Ideally, everything (and, more practically, everything sensitive) will pass through some pipe that uses the strongest available encryption.
Here is a general set of guidelines that I use:
As others here have mentioned, having pre-exchanged SSH keys and doing all of your sensitive browsing / business over an SSH-tunneled Proxy to a machine back home will do wonders to help with any inherent wi-fi (or untrustworthy ISP) issues.
Get your system hardened before you start your journey. Make sure you're running the latest operating system versions with the latest security patches. Make sure you've configured your firewall and updated your antivirus software. Pick a secure software suite to use for your important actions. For any OS, shut down daemons and services that you're not going to need, as each is a potential point of attack.
Buy a USB-based wireless device (they're only $20 or so). Disable the wireless device on your Notebook's OS. Before you leave, build a Virtual Machine [virtualbox.org] running an OS of your choice (Linux works nicely). Install the OS from scratch, boot it, update it, and then open up a browser instance. Configure it so that the USB wireless device is forwarded directly to the VM, and install its drivers in the VM. Snapshot the Virtual Machine's state. When you're travelling, turn off your Notebook's wireless signal the entire time. If you want to use the Internet, plug in the USB wireless device, start your VM, and use the Internet through it. When you're done, shut down the VM and revert its state to the saved snapshot state that you made before you started your trip. This should help ensure that any viruses you are hit with only survive the duration of that single VM session.
The options vary based on your OS. Any standard encryption scheme will do - complete drive encryption, partition encryption, filesystem-based encryption, etc. The real goal here is to make sure that neither your private files nor your runtime-generated files (Internet history, cookies, etc.) are accessible.
Buy some cheap USB stick to store your SSH and/or Hard Drive encryption keys separately, and carry it with you at all times. If you're truly paranoid, you can even encrypt its filesystem with a password-based key for extra protection.
Fully power down your Notebook when you're not using it. If you Suspend / Hibernate, not only will memory-resident viruses etc. still be running when you resume, but decrypted information is accessible in-memory, should it be seized in this state.
There are a lot of threats you can face in another country, but it's wisest to stay away from the government-level threats. Don't give them a reason to seize your laptop and you'll have mitigated many truly serious issues.
Re:Some Advice (Score:4, Insightful)
Or #1. SSL to a bank site is insecure, but SSH to your home system is more secure? By a difference enough to make it worth the trouble setting it up? Really?
#5 What keys? He knows his passwords. He has sites like Bank of America where they authenticate themselves to him with pictures to make sure he's on the right site, so he's not getting fished. Maybe have a DNS server of his own manually coded, and could even run occasional traceroutes to make sure there isn't something doing a DNS redirect. But to have to carry keys with you to check a couple secure sites? Overkill.
#6. You think a virus will infect your machine, and a reboot will clear it? Then we should be free of viruses everywhere on the planet if we just all reboot our computers at midnight tonight. And this is the guy you are claiming is informative? Reboots as a security measure? And if you are worried about resuming from suspend, put a stupid password on it. There isn't much commercially available that will beat that (in terms of gaining access to the contents of RAM, programs open and such, not in terms of compromising the machine). Sure, if the US government were after him and willing to spend millions, I'm sure they could read the RAM state of a computer without logging in after a resume.
#7. Irrelevant to the issue of keeping his bank account secure. Sure, they'll get his computer, but if you have the governments start breaking into people's private bank accounts across international lines, they'll be opening a huge can of worms. That's a completely useless piece of advice in terms of protecting the account details he types into the computer for the bank sites and bills he was talking about. Unless you are worried Chile will break into his phonebill and pay it.
Parent
Evil is behind every corner (Score:5, Funny)
Keep it simple (Score:5, Informative)
wrong question (Score:5, Informative)
Re: (Score:3, Informative)
"Dame los lentes"
Get one of these... (Score:3, Interesting)
http://www.gadgetvenue.com/spot-satellite-gps-emergency-beacon-07231020/ [gadgetvenue.com]
Screw internet security.. I prefer to have a way to let someone know my ass is in a bind and I need help RIGHT NOW!..
I use mine to keep family happy on cross country motorcycle rides or when I go backwoods backpacking. I press the "I'm ok" button at every break.
Dreamhost + SSH (Score:3, Informative)
from your local system: $ ssh -D1080 yourserver.dreamhost.com (or use PuTTY if you're on windows, and set up a dynamic port forward)
If you're in OS X, use your system>network settings to set up a global SOCKS proxy, which Safari will automagically use. If you're in Windows, use Firefox's proxy settings (Tools > Options > Advanced > Network > Settings > Manual Proxy Config)
your SOCKS host is localhost, and the port is 1080 (or whatever you pick when you're creating the tunnel).
There are a couple of tricks to this. One is that you can't connect to anything as long as your settings specify to use a SOCKS proxy and the tunnel isn't open. For the places that have the "welcome to our intarweb access" redirects, you'll want to disable the SOCKS proxy settings until you get through that finished. Otherwise, you won't be able to open the tunnel, and it will appear as if you can't connect to anything. Firefox has a QuickProxy [mozilla.org] addon which makes this easier.
The second is that you can make sure that the proxy is active by a) visiting a "check my IP address" site to make sure it is showing up as your hosting provider or b) killing the tunnel and all web traffic should stop working.
more info [livejournal.com]
Use hotspot shield. Its free and secure. (Score:4, Informative)
Re: (Score:3, Informative)
> I will not have a system at home to connect through
Congratulation for not reading half of the summary.
Re: (Score:3, Interesting)
rent a $10/mo VPS and then tunnel?
Re:OpenVPN (Score:4, Insightful)
Most Ask Slashdot problems are solved by throwing out the most ridiculous requirement. Usually this is because the poster has logic-ed themselves into a blind spot. The classic where-are-my-glasses-I've-searched-everywhere-oh-here-they-are-in-my-hand kind of a thing.
In this case, the "no system at home" requirement is the offender. Just set up an old linux box with a friend, and like the GP said, VPN to it. You do have friends, don't you? Family? Non-tech savvy coworkers who won't question that computer case with the post-it note that says DO NOT DISCONNECT?
Parent
Re:OpenVPN (Score:5, Funny)
Congratulation for not reading half of the summary.
To be fair, it was the bottom half.
Parent
Re:OpenVPN (Score:4, Informative)
Agreed. If he doesn't want to host it at home for whatever reason (I imagine being gone for a year he may be having his Internet service turned off), he should find a friend or relative who is willing to host the box for him. Provided he uses a modern CPU with decent power management features (or a low-power CPU like Atom), idle power usage should not be a concern.
Once you've got an always-on *NIX server you can connect to, it is a simple matter to use SSH's built-in SOCKS capability to securely tunnel your TCP traffic. This is precisely what I do when I travel.
Parent
And the assumptions continue! (Score:4, Insightful)
Parent
Re: (Score:3, Interesting)
If he is going to be away and there is no one left at home (or at least no one sufficiently techie) to fix the setup if something goes wrong then the arrangement is stuff, so "a friend's house" is more the way to go.
Though as poor latency is already going to be an issue I recommend a rented VM on a properly hosted server - then the extra latency of a residential connection will not compound the issue. Also, it might mean more than on VM location during the trip if he is traveling far, so at each location la
Re:OpenVPN (Score:5, Informative)
So it needs to be said regardless, but I feel VPN probably should have sufficed.
There are two solutions to this issue:
a) Do it Yourself!
In this scenario, the individual purchases a term contract with a hosting provider and proceeds to install a VPN solution. This is the most flexible plan available and can be achieved for roughly 10$ or less per month (plus domain costs). The down side to such a solution is that if there is maintenance that must be performed there is really only one mechanic. (unless the mechanic has very good friends or if he is a heartless bastard with no relations to the external world then perhaps a fellow slashdoter will land the man a vpn solution. Never mind he is a freeloader... roaming from country side to country side... possibly infecting your server... and you were just trying to be a nice guy. shame on you)
b) Rent a VPN!
There are countless VPN solutions available for seemingly random values. I have little doubt that an equally cost effective solution can be found. This has the obvious advantage of not having to maintain the VPN solution. The obvious con when compared to solution "A" is that there is certainly no flexibility in this offering. You get what you get. With the economy falling into the virtual comode it is quite likely that any business you place your trust in will either lose all of your information or sale it on the black market. By the time you return you will likely be spammed, identity thieved and otherwise placed with the very best experiences the awful inky darkness that is the bad side of the humanity offers.
Invariably there will be suffering no matter what option you choose.
Regardless, ensure your netbook is protected and if you may wish to utilize a solution I myself rather enjoy. In rather horrible untrusted networks I rely on a lovely Fedora live distribution over usb flash. It doesn't offer much in the way of persistent storage, but for one time transactions it's quite useful.
Parent
Re: (Score:3, Insightful)
To where? As he said in the summary, "I will not have a system at home to connect through."
Re:are you sure you're asking the right question? (Score:5, Interesting)
Check the time mentioned in the summary. I would normally agree with you, and don't typically even use internet cafes while gone for a few weeks. However, I can't imagine being totally unconnected to email for a whole year. Yes, I could do without Slashdot, but just checking the news back home and following up with friends and family would be mandatory.
Parent
Really (Score:3, Informative)
He should buy some decent fraud/identity theft insurance and just use a reasonably secured distro. All the anguish spent on perfect security is for naught anyway - if someone wants to rob you down there, they're more likely to beat you over the head or hold you hostage than hack into your computer.
Oblig. XKCD: 538 [xkcd.com]
Re:are you sure you're asking the right question? (Score:5, Informative)
Going traveling for 5 weeks in south america as well. Just bought a netbook. Every single person I've talked to says "blog about it! we want to see your pictures!" -- the truth of the matter is that a netbook is pretty damn tiny and takes up little space (2800 cu in pack) and definitely qualifies as "personal gear". Might as well take it along. Makes backing up my digital pics easier, and makes it easier to check the news (you never know what's going to happen next in venezuela) and communicate with couch surfers. You don't NEED one, but it damn well makes things easier in a pinch.
Parent
This "eithier/or" advice is pretty silly (Score:3, Informative)
I see nothing wrong with traveling with a netbook - they weigh next to nothing - or even better, something like a Nokia N800/N810. There are plenty of down times where I can see wanting to check email, get in touch with family, whatever.
Having a piece of technology with you while traveling certainly doesn't prevent you from experiencing different cultures and peoples.
Re:are you sure you're asking the right question? (Score:5, Insightful)
Backpacking through south america doesn't mean OP is spending 5 months in the middle of the Amazon. Besides, how does internet access limit it? Oh, right, it doesn't. And phones aren't technology? Is this slashdot or some sort of faux-luddite assembly.
Parent
Re: (Score:3, Interesting)
you're going travelling, to experience new cultures, people and ideas
put down the computer; the world won't end if you can't access slashdot and your email for a few months
And how does he keep all his friends updated on his Facebook?
I went on a cross country trip on a motorcycle. I posted on my blog at every stop along with a GPS coordinate. It made my family and friends happier and they knew that if I did not post the next morning to contact the authorities along my path.
It's just a smart thing to do. W
Re: (Score:3, Informative)
In the past I've never brought a computer. And I don't plan to be attached to my laptop. It's a matter of being able to research destinations, book hostels, send email to family so they know I'm not dead, offload my photos from my digital camera to a larger storage device, etc. Plus, consider that if accessing my bank account on my own netbook over wireless is risky, accessing the same account in some guy's internet cafe is much more dangerous - who knows what keyloggers and spyware could be running on t
Re: (Score:3, Funny)
Wait until you figure out you lost half of your portfolio in 24 hours then you know why.
Well, if he doesn't access his investment account while he's there, he won't know. Problem solved.
Sell your portfolio... (Score:3, Funny)
If you have a portfolio in which your risk/exposure is such that you could lose half during your trip, you shouldn't be taking a trip away from your portfolio.
Two choices.
1) Sell your entire portfolio. Cash doesn't go up or down.
2) Invest the entire portfolio in some equity that doesn't move (like CDs).
Just leave your laptop at home. Enjoy your trip to the jungle and avoid having to bring your laptop around with you, through the rain, and having it potentially stolen while you sit at some cafe drinking
Re:Phone banking? (Score:4, Insightful)
My credit union still has a system for doing much of my banking over a phone line. I'd rather take my bets on the security through the phone lines than the interwebs.
Because touch tones are so much more difficult to intercept than 128 bit SSL secured connections??
Parent
Re: (Score:3, Interesting)
Given the current unstable nature of the world economic system, is it a sane move to ignore your investments for a year?
No, it isn't. But also taking into account the sporadic nature of connectivity while backpacking, it probably is a good idea to exit any stock holdings and leave your investment capital as cash in the bank for a year. Sure, it's a lower interest rate, but you can rest easy in the knowledge that your capital won't decrease.
Re: (Score:3, Informative)