Linked by Igor Ljubuncic on Mon 2nd Apr 2012 15:41 UTC
Features, Office You have just bought tickets to an exotic vacation spot. You board the flight, you land safely, you pull your netbook from your backpack, fire it up, and then check if there are any available wireless networks. Indeed there are, unencrypted, passwordless, waiting for you. So you connect to the most convenient hotspot and start surfing. Being addicted as you are, you want to log in to your email or social network just to check if something cardinal happened in the world during your four-hour flight. You're about to hit the sign in button. Stop. What you're about to do might not be safe.
I thought...
by Tuishimi on Mon 2nd Apr 2012 15:45 UTC
Tuishimi
Member since:
2005-07-06

From the title I thought this was going to be something completely different and was even thinking "why on earth would OSnews be posting an article like this??" ;)

Nice article.

Reply Score: 6

Nice article
by pcunite on Mon 2nd Apr 2012 16:37 UTC
pcunite
Member since:
2008-08-26

Nice article ... but setting up a secure Windows 7 box using SRP and Limited User Account is really trivial these days; more so than Linux I would say.

Reply Score: 1

Security on the road
by chandler on Mon 2nd Apr 2012 16:38 UTC
chandler
Member since:
2006-08-29

As the author suggests, using a VPN provides the best available security while travelling and on others' networks, whether open or secured. Unfortunately most OSes these days tend to do a lot of phoning home before they even allow you to establish a VPN connection, and on most open hotspots you'll have to go through a captive portal before being able to establish your VPN tunnel.

What I've done on my personal Linux systems is to set up HTTP and SOCKS proxies on the VPN server and point everything on the local machine at those proxies. Be sure to use the system firewall to prevent traffic to those proxies from escaping unencrypted when the VPN link is not up! When I encounter a hotspot with a captive portal, I run a separate instance of Firefox with a different profile that is configured to always use private browsing, has plugins disabled, and has no proxy set. Once I log in, the OpenVPN tunnel establishes automatically. I do not have the tunnel take over the default route, since almost everything is configured to use the proxies; however, you can set that up easily enough too.

This configuration has the advantage that it is fail safe; that is, if I happen to leave a program running and connect to an untrusted network, the program won't automatically start communicating on that network until the VPN link is up. I could imagine other ways to obtain this fail-safe configuration, but any of them would be much more difficult to implement.

Here's how I accomplished this on Ubuntu; these instructions should work on Debian too, and will be very similar on other distributions.

To prevent VPN traffic from escaping on the wireless interface when the VPN is not up using the "ufw" firewall management script:

ufw deny out on wlan0 from any to 192.168.202.0/24

Adjust as appropriate for your VPN address range and network interface.

Place your OpenVPN configuration in /etc/openvpn/myvpn.conf , then edit /etc/default/openvpn and set AUTOSTART="myvpn". Be sure to use proto udp in your OpenVPN configuration if possible.

I use squid and dante on my VPN host to provide HTTP and SOCKS proxies, respectively. On the client side, these proxies are configured as the default through the desktop environment's controls. To make Thunderbird use a SOCKS proxy, go to Edit -> Preferences -> Advanced -> General and choose Config Editor. In the config editor, set network.proxy.socks and network.proxy.socks_port as appropriate, then enable network.proxy.socks_remote_dns and set network.proxy.type to 1. All other proxy settings should be the default.

For SSH, I use a program called connect-proxy which is available in the Debian and Ubuntu repositories. Instructions on configuring it are available in the man page.

I've added the proxy to /etc/environment so that programs like curl automatically use it on all user accounts:

http_proxy="http://192.168.202.1:8080"
HTTPS_PROXY="http://192.168.202.1:8080"
FTP_PROXY="http://192.168.202.1:8080"
ALL_PROXY="http://192.168.202.1:8080"
NO_PROXY="localhost,.local"

In addition, I've configured sudo to use a separate environment file /etc/environment.sudo so that commands like sudo apt-get update use the proxy as well. The contents of /etc/environment.sudo are the same as what I added to /etc/environment. To configure sudo, run visudo and add the following line near the beginning of the file:

Defaults env_file=/etc/environment.sudo

Be careful when editing the sudo configuration, since one mis-edit can ruin your day.

Reply Score: 7
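The fail-safe property of the setup above depends on one thing: every proxy address that programs are pointed at must fall inside the range the ufw deny rule blocks on the wireless interface. The following added example (my code, not the commenter's own scripts) checks that property offline. It parses an /etc/environment-style file and the ufw rule, and reports any proxy that the rule does not cover; the sample file is constructed from the values in the comment, and the rule format assumed is the one shown there.

```python
"""Verify that the proxies in an /etc/environment-style file all lie inside the
VPN address range that a 'ufw deny out on IFACE ... to NET' rule blocks, so that
proxied traffic is dropped rather than leaking while the VPN tunnel is down.
Added example; the sample file and rule below are constructed from the comment."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of /etc/environment, values taken from the comment above.
SAMPLE_ENVIRONMENT = '''
http_proxy="http://192.168.202.1:8080"
HTTPS_PROXY="http://192.168.202.1:8080"
FTP_PROXY="http://192.168.202.1:8080"
ALL_PROXY="http://192.168.202.1:8080"
NO_PROXY="localhost,.local"
'''

# The ufw rule from the comment (assumed shape: 'ufw deny out on IFACE from X to NET').
UFW_DENY_RULE = "ufw deny out on wlan0 from any to 192.168.202.0/24"

PROXY_VARS = {"http_proxy", "https_proxy", "ftp_proxy", "all_proxy"}


def parse_environment(text):
    """Return {NAME: value} for KEY="value" or KEY=value lines; comments are ignored."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip().strip('"').strip("'")
    return result


def blocked_network(rule):
    """Return (interface, network) that a 'ufw deny out on IFACE ... to NET' rule covers."""
    m = re.search(r"deny out on (\S+) .* to (\S+)", rule)
    if not m:
        raise ValueError("not a recognised ufw deny-out rule: %r" % rule)
    return m.group(1), ipaddress.ip_network(m.group(2), strict=False)


def proxy_leaks(env_text, rule):
    """Return [(VAR, host)] for every proxy whose host the deny rule does NOT cover.

    An empty list means the configuration is fail-safe: with the VPN down, packets
    to the proxy are dropped on the wireless interface instead of escaping.
    A proxy given by hostname rather than IP is reported too, because it would be
    resolved through the untrusted network's DNS before the tunnel is up."""
    _iface, net = blocked_network(rule)
    leaks = []
    for name, value in parse_environment(env_text).items():
        if name.lower() not in PROXY_VARS:
            continue
        host = urlsplit(value).hostname
        try:
            covered = ipaddress.ip_address(host) in net
        except ValueError:
            covered = False
        if not covered:
            leaks.append((name, host))
    return leaks


if __name__ == "__main__":
    leaks = proxy_leaks(SAMPLE_ENVIRONMENT, UFW_DENY_RULE)
    for var, host in leaks:
        print("WARNING: %s points at %s, which the firewall rule does not cover" % (var, host))
    if not leaks:
        print("OK: every proxy is inside the blocked VPN range")
```

Run it against the real /etc/environment and /etc/environment.sudo after editing either file; the check catches the common mistake of adding a proxy on a different address (for example a local caching proxy) that the deny rule never sees.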

ssh -D for the win
by tidux on Mon 2nd Apr 2012 17:18 UTC
tidux
Member since:
2011-08-13

Using OpenSSH's -D flag and a high port number (I usually use something in 8xxx), you can hack together your own SOCKS proxy with a shell one-liner. This is great if, like me, everything you use but HTTP is secure by default anyway (IMAPS, SSH, IRC over SSL) and you don't have OpenVPN running on your server. I can then use FoxyProxy Standard, a great FOSS Firefox add-on, to tunnel my web traffic.

Reply Score: 2

RE: ssh -D for the win - works very well
by jabbotts on Mon 2nd Apr 2012 18:53 UTC in reply to "ssh -D for the win"
jabbotts Member since:
2007-09-06

I did this for the last family vacation and it worked perfectly; routed all my traffic back through my home machine thanks to SSH and socks proxy settings.

For programs that do not recognize proxy settings, there is a handy little tcp2proxy utility that captures all of a program's network traffic and redirects it through the proxy. Very handy little helper that one.

Reply Score: 3

tidux Member since:
2011-08-13

There's also "tsocks" for *nix. Just type "tsocks foo" instead of "foo" on the command line, and it sets up tunneling, iirc through LD_PRELOAD.

Reply Score: 1

RE: ssh -D for the win
by Sodki on Mon 2nd Apr 2012 19:27 UTC in reply to "ssh -D for the win"
Sodki Member since:
2005-11-10

A better solution is to use sshuttle:

https://github.com/apenwarr/sshuttle

You just need an SSH server with Python. sshuttle then redirects all your traffic, including DNS if you want to, through your SSH server. It's extremely simple to use and extremely useful.

Reply Score: 3

Linux most secure
by lucas_maximus on Mon 2nd Apr 2012 18:06 UTC
lucas_maximus
Member since:
2009-08-18

Oh come on, the last bit was just pro-Linux FUD. Otherwise an interesting article.

Windows 7 and Vista both run under a "power user account"; even if you are Admin and have UAC turned on, it works exactly like sudo does on Ubuntu (which was pictured) and/or OS X.

Also Sudo can be setup not to require a password (I do this on my OpenBSD VM).

Yes I know there are a ton of Viruses for Windows, but an up2date browser, AV and some common sense and you are fine.

Edited 2012-04-02 18:09 UTC

Reply Score: 3

RE: Linux most secure
by sparkyERTW on Mon 2nd Apr 2012 20:22 UTC in reply to "Linux most secure"
sparkyERTW Member since:
2010-06-09

"Oh come on, the last bit was just pro-Linux FUD. Otherwise an interesting article."

It may have been somewhat biased, but I think it's stretching to call it FUD.

"Windows 7 and Vista both run under a "power user account"; even if you are Admin and have UAC turned on, it works exactly like sudo does on Ubuntu (which was pictured) and/or OS X."

Asking me whether I want to do something dangerous provides little security from an outside attacker who is already working under my account, as there is no need to enter a password.

"Also Sudo can be setup not to require a password (I do this on my OpenBSD VM)."

You can also set up your user account not to require a password either. Very convenient, saves a lot of time. Perhaps you should do that as well.

"Yes I know there are a ton of Viruses for Windows, but an up2date browser, AV and some common sense and you are fine."

That last one eliminates 99.9% of your risk right there. Sadly, it's not used as often as it should be.

Reply Score: 2

RE[2]: Linux most secure
by WereCatf on Mon 2nd Apr 2012 21:46 UTC in reply to "RE: Linux most secure"
WereCatf Member since:
2006-02-15

"Asking me whether I want to do something dangerous provides little security from an outside attacker who is already working under my account, as there is no need to enter a password."

It can be configured to require a password, and in that case it'll require the administrator password, not the same one you use to log in, i.e. it's actually a tad bit safer than the Ubuntu default behaviour. Just be sure to use a password for admin that you don't use anywhere else and which is hard to guess, and you're more or less set.

Reply Score: 2

RE[2]: Linux most secure
by lucas_maximus on Tue 3rd Apr 2012 08:07 UTC in reply to "RE: Linux most secure"
lucas_maximus Member since:
2009-08-18

If the attacker already is in your account you obviously allowed some dodgy code to run in the past ... the same would happen if you used Sudo on a *nix system.

Reply Score: 2

RE: Linux most secure
by B. Janssen on Mon 2nd Apr 2012 20:41 UTC in reply to "Linux most secure"
B. Janssen Member since:
2006-10-11

"Yes I know there are a ton of Viruses for Windows, but an up2date browser, AV and some common sense and you are fine."

Unfortunately this is not the case anymore. Just recently I had to clean out a large scareware infestation that sneaked in by drive-by download from a trusted supplier site. Our Enterprise McAfee solution was totally useless, too. I now mandated RequestPolicy, but there is little you can do when the malicious software comes from a trusted source ;)

Reply Score: 2

RE[2]: Linux most secure
by WereCatf on Mon 2nd Apr 2012 21:43 UTC in reply to "RE: Linux most secure"
WereCatf Member since:
2006-02-15

"McAfee"

To be honest, that right there is usually more than enough of a reason to pull out your hair and a 10kg sledgehammer out of your closet.

Reply Score: 4

RE[3]: Linux most secure
by B. Janssen on Tue 3rd Apr 2012 12:58 UTC in reply to "RE[2]: Linux most secure"
B. Janssen Member since:
2006-10-11

I anticipated such an answer and I agree that McAfee Enterprise may not be the best security solution available and certainly is a pain to administer. But our other branch office is running Sophos and they have had the exact same situation.

It is too convenient to blame such an occurrence on a single piece of software and be done with it. We need to understand that being prepared and smart has stopped being a reliable precaution against malware. That's the unfortunate reality of today's networks and we must learn to understand that. Leaning back and saying "common sense will prevail" is not going to help us.

Edited 2012-04-03 12:59 UTC

Reply Score: 2

RE[4]: Linux most secure
by lucas_maximus on Tue 3rd Apr 2012 14:21 UTC in reply to "RE[3]: Linux most secure"
lucas_maximus Member since:
2009-08-18

However the article isn't about corporate networks ... it's about taking your laptop on holiday.

Reply Score: 2

RE[5]: Linux most secure
by B. Janssen on Tue 3rd Apr 2012 15:56 UTC in reply to "RE[4]: Linux most secure"
B. Janssen Member since:
2006-10-11

"However the article isn't about corporate networks ... it's about taking your laptop on holiday."

How does this invalidate the statement that common sense is not going to protect you from malware?

Reply Score: 2

RE[6]: Linux most secure
by lucas_maximus on Tue 3rd Apr 2012 17:59 UTC in reply to "RE[5]: Linux most secure"
lucas_maximus Member since:
2009-08-18

It doesn't ... however it really wasn't the context of what I was saying or what the article was talking about.

What I mean about common sense is that 95% of the time you will be fine with only it, but the other 5% of the time the AV will be there to pick up when you have slipped up. So I'd rather have both. MSE doesn't seem to have any significant performance penalty on my computer and seems pretty good; others have other preferences.

Linux is pretty good on the whole with security (better than Mac in my opinion). But the whole system is designed to protect the system, not the user's data. Which is fine if you have lots of people using a system; this doesn't help you, however, if you use it as a personal system.

Also Linux users are more savvy on the whole; to even consider using Linux you need to understand to some degree what an operating system actually is.

People on this website tend to be fairly savvy and have installed one or more operating systems themselves, and I am sure most of the people on here could run a Windows system and not get viruses for years if they had to.

In any case people are far more savvy than they used to be. I work with many that are as good at using a modern PC as I am (I learnt a few things watching the testers tear apart my pages) and I've been using computers since the BBC Micro Model B (though the Mac guys crap themselves when I open up the terminal, which is always fun).

My brother and sister, who aren't computer savvy at all, understand not to download crap from dodgy websites and can spot something dodgy from a mile off ... because it is something they have been brought up with.

Lots of people now have been brought up with PCs and aren't dumb enough to fall for scams; they are, however, clever enough to get around Enterprise security, which is an entirely different thing altogether.

However this is somewhat aside from corporate security, which is a totally different thing. Corporate security is about protecting the network and the company's data, and most places I have worked that are fairly large have very locked down PCs and laptops.

The article is about arming yourself with knowledge so you can spot dodgy stuff on a network. If you have read this you are probably savvy enough to know how to protect yourself when using a Windows system.

Edited 2012-04-03 18:12 UTC

Reply Score: 2

RE[7]: Linux most secure
by B. Janssen on Wed 4th Apr 2012 10:23 UTC in reply to "RE[6]: Linux most secure"
B. Janssen Member since:
2006-10-11

Thank you for your answer. I think I understand where you are coming from and I agree. People have become much better in avoiding pitfalls and every ounce of common sense certainly helps. However...

"My brother and sister, who aren't computer savvy at all, understand not to download crap from dodgy websites and can spot something dodgy from a mile off ... because it is something they have been brought up with."

... I can't stress enough that being savvy is not enough anymore. Modern malware sneaks onto your system via totally legitimate and non-fishy vectors. All I really want to do here is to raise awareness of that fact. And telling ourselves that we are competent enough to avoid this or that is just creating a false sense of security. That's something we need to be aware of, too.

Reply Score: 2

RE[3]: Linux most secure
by Lennie on Wed 4th Apr 2012 11:43 UTC in reply to "RE[2]: Linux most secure"
Lennie Member since:
2007-09-22

The last infestation I investigated, I uploaded the file to virustotal.com and virscan.org.

Of all the (up to date) virus scanners at those sites only 7 out of 35 or so detected it. And only one of the well-known brands detected it. So actually the ones I had never heard of recognized them.

But this has been known in the security community for years.

Most of the viruses these days are just regenerated variants every 15 minutes or so.

And virus scanners only have blacklists; they can't block viruses they don't know about.

As another example, I administrate some Linux mail servers which obviously also need to do virus scanning.

If there was a new e-mail virus, the person who was sending out these viruses was obviously using a botnet and just pressing a button every 15 minutes to generate a new variant. By the time the virus scanner was updated, the variant was already not being sent anymore.

I don't even run any antivirus anymore on Windows. On Linux I've never run antivirus. I've decided virusscanners are not for me.

I keep my software up to date, don't download anything stupid, etc. Disable most plugins in the browser (only Flash is enabled).

Reply Score: 2

Firefox and Chrome
by WereCatf on Mon 2nd Apr 2012 21:52 UTC
WereCatf
Member since:
2006-02-15

One thing that I personally like to use even at home is HTTPS Everywhere, an addon that tries to always use HTTPS on every possible site so that none of your details actually go over the wire in plaintext. I'm fairly certain most of the people here have heard of e.g. the Firefox addon that allows you to browse Facebook as another user as long as the user is logged in on the same network. Well, this addon thwarts that one and many similar ones.

Good thing about this addon is that it requires no set-up, can be safely installed on computer-luddites' devices, and at least so far I have not found a single website that would've experienced any glitches due to it.

Reply Score: 2

RE: Firefox and Chrome
by rhavenn on Tue 3rd Apr 2012 00:05 UTC in reply to "Firefox and Chrome"
rhavenn Member since:
2006-05-12

Do you actually look at the certs given to your HTTPS connections? In a "hostile" environment trusting HTTPS to be secure isn't much better and often gives a false sense of security. It's pretty trivial to just proxy any HTTPS traffic for a user and unless you actually look at the cert you'll never know. I will admit that if your data stream between you and siteA is legit that people in between can't sniff it, but if you're starting out in a hostile area it can't be trusted.

The only way to be secure in a hostile environment is a key based structure (SSH, VPN, etc.) where you already know the key on the other end, i.e. you SSH to your home box, which you know you've been to before, and get a prompt for a new key; one would be a fool to continue.

A bootable CD distro and a USB key with your various keys (SSH, VPN, etc...) pre-setup is a good way to go.

I'm not saying this isn't a pain in the ass, but unfortunately real security normally is these days.

Reply Score: 2

RE[2]: Firefox and Chrome
by WereCatf on Tue 3rd Apr 2012 03:04 UTC in reply to "RE: Firefox and Chrome"
WereCatf Member since:
2006-02-15

"Do you actually look at the certs given to your HTTPS connections? In a "hostile" environment trusting HTTPS to be secure isn't much better and often gives a false sense of security. It's pretty trivial to just proxy any HTTPS traffic for a user and unless you actually look at the cert you'll never know. I will admit that if your data stream between you and siteA is legit that people in between can't sniff it, but if you're starting out in a hostile area it can't be trusted."

How do you plan to proxy SSL traffic without having the browser complain about incorrect certificate? Besides, you'd need to actually be able to intercept the data stream first to even set up a proxy, meaning that you'd need to be in control of the wifi hotspot, the machine issuing dhcp replies, or one of the machines between the user and the target website. A random machine in the same network can't just start routing your traffic.

Reply Score: 2

RE[3]: Firefox and Chrome
by rhavenn on Tue 3rd Apr 2012 06:11 UTC in reply to "RE[2]: Firefox and Chrome"
rhavenn Member since:
2006-05-12

Well, yeah. In some random "hotspot" that you pick up while on the road the scenario that a DHCP server and/or router is compromised or maliciously setup is rather high. That's the point.

So, getting a proxy setup where the user gets certificate warnings is trivial and most people "need" to check their facebook or whatever and would just click continue. Also, plenty of CAs around the world aren't all that great and you could probably finagle a trusted cert out of many of them and use something like Squid and its SSLbump feature to just invisibly proxy the SSL traffic for you.

Reply Score: 1

RE[3]: Firefox and Chrome
by Alfman on Tue 3rd Apr 2012 08:05 UTC in reply to "RE[2]: Firefox and Chrome"
Alfman Member since:
2011-01-28

WereCatf,

"...you'd need to actually be able to intercept the data stream first to even set up a proxy, meaning that you'd need to be in control of the wifi hotspot, the machine issuing dhcp replies, or one of the machines between the user and the target website. A random machine in the same network can't just start routing your traffic."

Actually there are some attack vectors where a random machine in the same network can just start intercepting traffic. These aren't theoretical either, they work on many LANs.

Many wifi routers don't firewall users from each other (though commercial hotspots should). Consequently this opens up a few attacks. DHCP is extremely vulnerable to race conditions where a client joins the wrong subnet or uses the wrong gateway. I've studied this method and it is pretty reliable.

With no inter-peer firewall, arp spoofing is just as feasible with WIFI as it is on a LAN. The wrong client claims ownership of another's IP address and then forwards the packets to the real owner.

Another possibility, though this one requires some sophistication, is to spoof the hotspot's own DNS server from the wan interface. I've never tried it as it requires non-egress-filtered internet access, but if you can flood the hotspot's public ip with DNS responses before the real DNS server responds, there's a chance it will accept the fraudulent answer, and will begin feeding the wrong IP address to hotspot clients. If I remember correctly, the odds of success were maybe only 1 in 10000 due to sequence number probabilities.

Another obvious problem with public wifi hotspots in particular is that it's hard to verify that you are connected to the service you think you connected to. It's easy to impersonate an SSID and even BSSID whether encrypted or not.

This says nothing of passive wireless snooping, or heck even physical wire snooping of the hotspot's cable connection.

I usually don't care though, it's nice just to have internet access on the road regardless of who's watching. I don't particularly trust my own ISP anyways.

Edited 2012-04-03 08:12 UTC

Reply Score: 2

RE[3]: Firefox and Chrome
by chandler on Tue 3rd Apr 2012 13:42 UTC in reply to "RE[2]: Firefox and Chrome"
chandler Member since:
2006-08-29

Several certificate authorities were just revealed to have been selling subordinate roots to IT organizations which would allow them to do just that. Here's the letter that Mozilla sent out to all their registered CAs about this issue:

https://groups.google.com/group/mozilla.dev.security.policy/msg/57b1...

So I'm afraid that trusting SSL to prevent MITM attacks is no longer possible. You should inspect certificates or use an addon like Certificate Patrol to help automate the process, and if you are connecting to an untrusted network, consider using your own VPN as well.

Reply Score: 1
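Both rhavenn's point (a known key on the other end, as with SSH's known_hosts) and chandler's suggestion (Certificate Patrol) come down to the same check: remember the certificate a site presented last time and refuse silently when it changes. The following added example implements that trust-on-first-use check in Python; it is my code, not the Certificate Patrol add-on, and the "certificates" in the test are constructed byte strings standing in for DER-encoded certificates. The `fetch_der` helper is the assumed way to feed it a live certificate.

```python
"""Trust-on-first-use pinning of server certificate fingerprints, the model that
SSH known_hosts and the Certificate Patrol add-on use.  Added example, not code
from either project."""
import hashlib
import json
import os
import ssl


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, colon separated as browsers show it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host, port=443):
    """Fetch the certificate a server presents (no validation: the pin store is the judge).
    Not called by the offline test; assumed helper for real use."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class PinStore:
    """Map host -> pinned fingerprint, optionally persisted to a JSON file.

    path=None keeps the store in memory only (used by the offline test)."""

    def __init__(self, path=None):
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def save(self):
        if self.path:
            with open(self.path, "w") as fh:
                json.dump(self.pins, fh, indent=2, sort_keys=True)

    def check(self, host, der_bytes):
        """Return "new" (first sight, pin recorded), "match", or "MISMATCH".

        A mismatch is never auto-accepted: on an unfamiliar hotspot it is exactly
        the "certificate warning = GTFO" case, and only the user may decide, out of
        band, whether the site really rotated its certificate."""
        fp = fingerprint(der_bytes)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            self.save()
            return "new"
        return "match" if pinned == fp else "MISMATCH"

    def update_pin(self, host, der_bytes):
        """Explicitly accept a changed certificate (after verifying it another way)."""
        self.pins[host] = fingerprint(der_bytes)
        self.save()


if __name__ == "__main__":
    # Assumed pin file location; first run on a trusted network records the pins.
    store = PinStore(os.path.expanduser("~/.cert-pins.json"))
    for site in ("www.example.com",):
        print(site, store.check(site, fetch_der(site)))
```

The design choice worth noting is the first run: pins are only as good as the network you recorded them on, so populate the store at home, never on the hotspot. Legitimate certificate rotation will also show up as a mismatch; that is the price of this model, and the right response is to verify the new certificate some other way before calling `update_pin`.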

Certificate warning = GTFO
by siraf72 on Tue 3rd Apr 2012 12:32 UTC
siraf72
Member since:
2006-02-22

That's kind of my rule of thumb if i'm on a public wifi network.

Reply Score: 1

Ubuntu and no listening services ?
by Lennie on Wed 4th Apr 2012 12:18 UTC
Lennie
Member since:
2007-09-22

Actually Ubuntu has Avahi-daemon listening on the network and I'm sure a lot of people install OpenSSH-server for remote administration.

Avahi is used to discover services on the network. It is an implementation of Apple's ZeroConf and similar: http://en.wikipedia.org/wiki/Zero_configuration_networking

While the developers of Avahi put a lot of effort into making it secure (use a chroot for part of the system, set up rlimits, run it as a separate user, etc.), mistakes are still possible.

The configuration file of Avahi-daemon is /etc/avahi/avahi-daemon.conf

The configuration file of OpenSSH-server is /etc/ssh/sshd_config

Some tips:
- make sure the Ubuntu version you have installed is still supported and all the software is up to date.

- if you don't need compatibility with certain old Apple systems, you can disable 'enable-wide-area' in Avahi. This is especially useful when you are connected somewhere where IPv6 is enabled.

- Something else I haven't tried is to just remove Avahi-daemon as a whole, I think it should be possible, I don't think any other part of Ubuntu depends on it. I've just disabled IPv6 and IPv4 is behind NAT.

- I think it is the default, but I also always set: disabled-publishing=yes in Avahi. This makes sure that any software you install on your Ubuntu installation does not announce its existence on the network.

- For SSH I always use a non-standard port, if only to prevent a lot of automated break-in attempts.

- SSH should be set up to only allow Protocol 2 (default in newer installations): Protocol 2

- SSH should be set up to not allow root logins: PermitRootLogin no (I have no idea why this still isn't the default)

- I always set up SSH to only allow certain users with: AllowGroups sshusers
or:
AllowUsers username1 username2

- If you do want to enable root login for SSH, at least set it up to only allow it from a certain IP address by adding this to the end of the configuration file:
Match address 12.12.12.12
    PermitRootLogin yes

- And a non-security tip: to speed up SSH-login I also disable DNS, which could really help if 'reverse DNS' is broken or slow:
UseDNS no

(which is something which could really help if you have setup your own router and use SSH to login to your router. You don't want your router to depend on DNS)

Edited 2012-04-04 12:19 UTC

Reply Score: 2

Alfman Member since:
2011-01-28

"SSH should be setup to not allow root logins: PermitRootLogin no (I have no idea why this still isn't the default)"

Being able to rsync over SSH as root can be very convenient since rsync via user accounts doesn't preserve ownership. Do you know of an alternative?


"And a non-security tip: to speed up SSH-login I also disable DNS, which could really help if 'reverse DNS' is broken or slow:
UseDNS no"

Also removing / disabling the following feature can eliminate a few-second delay that happens on every single login (disable it in the server or client). It won't affect anyone using password and/or RSA authentication.

GSSAPIAuthentication yes

I honestly don't know why it's always so slow even on fresh installs, but LOG_LEVEL Debug confirms it's the culprit. Don't know if it's a bug or if it's normal, but the following indicates it's been a problem since 2007.

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/84899

Edited 2012-04-04 13:50 UTC

Reply Score: 2

rhavenn Member since:
2006-05-12

"SSH should be setup to not allow root logins: PermitRootLogin no (I have no idea why this still isn't the default)"

"Being able to rsync over SSH as root can be very convenient since rsync via user accounts doesn't preserve ownership. Do you know of an alternative?"

Yes, use: without-password for PermitRootLogin and passwords will be disabled, but you can use keys. Your rsync is most likely set up with keys anyway that don't have passwords set for them, if it's an automated type of solution.

Reply Score: 1
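The sshd_config tips in this thread (Lennie's Protocol 2, PermitRootLogin no, AllowUsers/AllowGroups and UseDNS no, Alfman's GSSAPIAuthentication delay, and rhavenn's without-password for key-only root) can be checked mechanically. The following added example, my code rather than any commenter's tooling, parses an sshd_config the way sshd reads it (the first value of a global keyword wins, and lines after a Match line apply only to that block) and reports which tips the file does not follow. The sample config is constructed for the demonstration.

```python
"""Audit an sshd_config against the hardening tips from the comments above.
Added example with a constructed sample config; it is not the commenters' code."""

# Constructed sample, deliberately left with weak or default settings.
SAMPLE_SSHD_CONFIG = """
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
UseDNS yes
GSSAPIAuthentication yes
Match address 12.12.12.12
    PermitRootLogin yes
"""

# Values of PermitRootLogin that still deny password logins for root.
ROOT_KEY_ONLY = ("no", "without-password", "prohibit-password")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks) with lower-cased keyword names.

    sshd keeps the FIRST value it sees for a global keyword, so duplicates are
    ignored here too.  Lines after a 'Match' line belong to that block until
    the next 'Match'.  '#' comments and blank lines are skipped."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "settings": {}}
            match_blocks.append(current)
        elif current is not None:
            current["settings"].setdefault(key, value)
        else:
            global_settings.setdefault(key, value)
    return global_settings, match_blocks


def audit(text):
    """Return a list of findings; an empty list means every tip is followed."""
    g, blocks = parse_sshd_config(text)
    findings = []
    if g.get("protocol", "2") != "2":
        findings.append("Protocol %s allows SSH-1: set 'Protocol 2'" % g["protocol"])
    root = g.get("permitrootlogin", "yes").lower()
    if root not in ROOT_KEY_ONLY:
        findings.append("PermitRootLogin %s: set 'no', or 'without-password' "
                        "if root needs key-only access (e.g. for rsync)" % root)
    if "allowusers" not in g and "allowgroups" not in g:
        findings.append("no AllowUsers/AllowGroups: every local account may log in")
    if g.get("usedns", "yes").lower() != "no":
        findings.append("UseDNS not set to no: logins wait on reverse DNS")
    if g.get("gssapiauthentication", "no").lower() == "yes":
        findings.append("GSSAPIAuthentication yes: login delay when Kerberos is not configured")
    for block in blocks:
        if block["settings"].get("permitrootlogin", "").lower() == "yes":
            findings.append("Match %s sets PermitRootLogin yes: confirm this scope is intended"
                            % block["criteria"])
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SSHD_CONFIG
    for finding in audit(text) or ["OK: no findings"]:
        print(finding)
```

Run it as `python audit_sshd.py /etc/ssh/sshd_config` (the filename is whatever you save it under). The Match-block finding is informational: a scoped `PermitRootLogin yes` as in Lennie's example is legitimate, but it is worth seeing listed so a stray block is not overlooked.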

Lennie Member since:
2007-09-22

GSSAPI is Kerberos authentication, I think it only causes problems when you install the libraries you need for Kerberos authentication but don't actually configure it.

Reply Score: 2

Alfman Member since:
2011-01-28

Lennie,

"GSSAPI is Kerberos authentication, I think it only causes problems when you install the libraries you need for Kerberos authentication but don't actually configure it."

That's possible, however like everyone else in the earlier linked thread I wonder why a distro would come prepackaged that way considering the annoyance it causes the majority of users. Or why they don't fix the source of the delay in kerberos itself. Unless it's a deliberate connection throttling mechanism?

Just now I looked for kerberos packages and lib files, but I don't see anything installed. Granted I don't know what I'm looking for, but disabling it works well enough.

Reply Score: 2

Lennie Member since:
2007-09-22

Probably because large organisations, which do use Kerberos, need a default install to be able to allow people to login.

If there is no Kerberos installed, how can SSH be used to login ?

Must be some reasoning like that.

Reply Score: 2