How Wi-Fi attackers are poisoning Web browsers

Here is a report from Network World on the dangers of public open Wi-Fi hotspots, from the recent Black Hat DC Conference.


Public Wi-Fi networks such as those in coffee shops and airports present a bigger security threat than ever to computer users because attackers can intercede over wireless to "poison" users' browser caches in order to present fake Web pages or even steal data at a later time. That's according to security researcher Mike Kershaw, developer of the Kismet wireless network detector and intrusion-detection system, who spoke at the Black Hat conference.

http://www.networkworld.com/news/2010/020310-black-hat-wi-fi-attackers.html

 


What Not to Do on a Public Computer

Parts 1 and 2 of this series focused on how to protect your computer and your information. The focus of this post is to cover how to protect your information and security when using a public computer such as those at Internet cafes, hotel business centers, airline clubs and public kiosks.

 

There are three major concerns when using a computer you don't control:

  1. Having your information intercepted while you're working. This could be from a keystroke logging program hidden on the computer or data interception on an insecure network.

  2. Leaving behind information that a subsequent user can steal; or

  3. Having the files or accounts you access compromised by malware on the machine you're using.

 

The first is probably the most out of your control, especially the risk of keystroke logging (recording the actual typing you do on the computer; a very good way to steal account passwords). Standard security software can guard against this on your own computers; there is a nice writeup on InternetSecurity101.com. But it's not so simple on a public machine.

 

You can visually check for a hardware logging device – if there's an extra unknown device between the machine and the mouse or keyboard cable, then assume your keystrokes are being logged.

 

Short of installing your own security software, which is probably not going to be allowed, there is little you can do to detect software keystroke logging. You can thwart it to some degree by using the mouse to vary the order in which you enter characters in your user name, password or account number.

 

Use common sense to protect yourself. Do you really need to check your bank balance right now if there's a chance your login details will be stolen?

 

To guard against data being stolen off the network consider using VPN software, or software that passes data in encrypted form, or encrypting files before passing them across the Internet. Keep in mind that while these techniques can protect your data your login details may still be vulnerable.

 

Protecting yourself against leaving information behind is easier to do.

  • Be sure to erase any files you download – that means deleting them from the computer, not just moving them to the trash or recycle bin. It's best to empty the recycle bin when you're done working.

  • Before you close the browser on a public machine use the browser's own tools for erasing browsing history, tracking cookies and temporary files. The choices to do this vary a bit with the browser version but it's generally under the Tools menu choice.

 

Finally, consider whether you may be compromising your own systems through what you do on a shared computer. If you create a document on a virus-infected computer and then upload it to a shared document system (Quickr, Sharepoint, etc.), or to a company shared folder via your VPN, that file can then infect the next machine that opens it if that machine doesn't have adequate protection. Using remote control or shared desktop solutions, such as pcAnywhere, GoToMyPC or Windows Remote Desktop, also risks spreading a virus or other malware from the computer you're using to the computer you're accessing.

 

Google Docs may provide a good way to protect yourself here. When the file is uploaded into Google Docs it is converted into their proprietary format, presumably losing any virus affecting the file. You can safely access the file via Google Docs from any computer and then download it to your desired format on a computer you control. (Google Docs is not very precise as to what features are retained on upload. You may need to experiment if you're concerned about macro viruses in Office documents.)

 

Unfortunately there are many more warnings in this area than there are good practices to protect yourself. You need to rely on having strong passwords – and preferably frequently changed passwords – and good security on the machines and accounts you do control to minimize the risk that a problem with the shared computer will come back to bite you.

 

 

David Schaffer

There Must Be A Better Way

 

Prepared for Firelytics

 


Protect Your Computer When You Travel

A previous post, Computer Security Around the World, highlighted the dangers to be aware of when working on your computer away from the home or office. The next posts talk about some of the things you can do to protect yourself from those dangers.

 

First let's consider what you can do on your own portable computer. In the next post we'll look at what to do when you're using an unknown computer, such as at an Internet cafe, hotel business center or airline club.

 

Protect Your Computer

 

Two key pieces of software are an absolute requirement for any computer connecting to the Internet from outside the corporate firewall: a personal firewall and antivirus.

 

A personal firewall is software on your computer that controls what connections the computer will accept, and sometimes what connections the computer may initiate. Newer operating systems ship with some firewall capability. The standard Windows firewall provides good protection on incoming connections. Third-party products provide added features. Most also monitor connections your computer initiates. This is helpful both as protection against your own carelessness and as an added protection if your computer is running unwanted or unsafe software which might try to send out information you didn't intend to share.

 

Antivirus software does just what it says: it checks files before they're read or executed to ensure they don't contain a computer virus that will infect your computer.

 

Often firewall and antivirus are combined in a security suite along with software to prevent phishing attacks and monitor for unsafe websites. Some also include SPAM filtering or other protection for your e-mail.

 

If your software allows configuration, be sure to tell it that you will be using an untrusted network. That will turn off features that are only appropriate on a secure local area network, such as file sharing.

 


Here's a typical example:

[Image: McAfee Firewall Connection Type]

 

You should also think about physical security.

 

Make sure your computer needs a password to log in. That provides protection if the computer is lost or stolen. Remember that if somebody can log in to your computer as you, not only can they read all your files but they can also access any service for which you've let the browser or the program store your password!

 

For added security some computers let you set a BIOS password without which the computer won't start up at all. Be very careful using this feature as a lost or corrupted password can make the computer inoperable.

 

Keep your computer away from extremes of humidity and temperature. When the computer has been transported in extreme conditions let it adjust to room temperature before starting it up. Also avoid operating the computer in very dusty conditions. More powerful portable computers tend to have cooling fans which will suck in the dust.

 

If you anticipate extreme conditions you can buy a specially hardened computer, such as a Panasonic Toughbook, or consider a netbook style machine with no fan and fewer moving parts. For travel with lots of hard bumps look for a machine that locks the disk drive if the computer drops. For added protection you might choose a solid state drive rather than a conventional disk drive.

 

Happy travels.

 

 

David Schaffer

There Must Be A Better Way

 

Prepared for Firelytics


Computer Security Around the World

How safe is your computer and your data when you use your desktop computer at home? Are you protected by up-to-date and properly maintained antivirus, antispyware, antiphishing and firewall software? Are you behind a NAT router so that your computer cannot be directly accessed from the public Internet? Most folks reading this would probably answer yes.

 

Now, supposing you have a laptop? Same protection at home? Should be.

 

Now take your laptop out to a public hotspot in your home town. No more NAT to hide your computer. No control over what's running on the local subnet. Still safe?

 

What have you exposed yourself to? You need to worry about other users on the same subnet, and possibly, depending on how the hotspot owner has protected the local network, about every user machine on the Internet. Are you allowing NetBIOS connections? Have shared folders without password protection? Do you have a software firewall to protect your computer if the network owner isn't?

 

Now go to a developing country and connect to a hotspot there. Or perhaps sit down at a computer at an Internet cafe. No longer so certain?

 

Besides all of the issues of being on a public IP address you don't know if you can trust the local network or ISP. They may be propagating botnets or serving up viruses or spyware. The cafe's machine may have a keylogger installed or be infected with a virus. You may unwittingly transmit malware to your own mail server or to a recipient by sending from that machine.

 

As detailed by the Electronic Frontier Foundation “Malware is a catch-all term referring to software that runs on a computer and operates against the interests of the computer's owner. Computer viruses, worms, trojan horses, "spyware", rootkits and key loggers are often cited as subcategories of malware.”

 

A report released by antivirus software vendor Panda Security in September 2009 found slightly more than 58% of the PCs in the US infected with some type of malware, placing the US 9th among 29 countries surveyed. The highest was Taiwan with 69% infected, followed closely by Russia with 68%. This report covered mainly North America, Europe and the major industrial countries of East Asia and Latin America. How do you imagine poorer and more remote countries would fare in comparison?

 

The bottom line: Make a credit card purchase or pay some bills from an infected computer – one you control or a public one – and your accounts and passwords may be compromised. Check your e-mail and your account and address book may be enlisted in a SPAM or phishing campaign.

 

What can you do to protect yourself? Stand by for Part 2.

 

David Schaffer

There Must Be A Better Way

 

Prepared for Firelytics


Remember Netiquette?

Remember netiquette? The idea was that if everyone who used the Internet followed a set of conventions then everything would work smoothly and there would be no conflict. It was perhaps a naive idea even back when the Internet was a fairly obscure place frequented by a small self-selecting group possessing some shared technical knowledge. The notion has pretty much dropped from discussion now that everyone and her grandmother is using the Internet -- and often not even aware that that's what they're doing.

The Internet from the beginning was based on trust, cooperation and consensus. If you missed it, check out Steven Crocker's reminiscence in the New York Times, "How the Internet Got Its Rules". A brief excerpt:
Everyone understood there was a practical value in choosing to do the same task in the same way. For example, if we wanted to move a file from one machine to another, and if you were to design the process one way, and I was to design it another, then anyone who wanted to talk to both of us would have to employ two distinct ways of doing the same thing. So there was plenty of natural pressure to avoid such hassles. It probably helped that in those days we avoided patents and other restrictions; without any financial incentive to control the protocols, it was much easier to reach agreement.

As financial and other incentives became stronger the spirit of cooperation and consensus waned. Today spammers, botnet operators, perpetrators of DoS attacks, government censors, content providers and ISPs do not feel bound by netiquette, the RFC process, or any restrictions other than "what can I get away with?"

I was recently struck by a parallel to the Internet situation. In a series of articles on the problems related to too much boating traffic and development on Candlewood Lake in western Connecticut, the News-Times interviewed the commodore of the lake's last yacht club who lamented that people didn't know or didn't follow the "rules of the road". Maritime "rules of the road", having been developed over hundreds of years, are quite complex and at times obscure compared to the rules of netiquette. But the dynamic seems identical: The rules held as long as they only needed to govern the behavior of a relatively small, self-selecting and technically proficient group. To that group, the need for and benefits of the rules seemed self-evident. As soon as anyone with the price of a speedboat could get out on the water the rules fell aside.

I'm sure others can come up with similar examples.

So how do we adapt when our domain -- be it the Internet, the water, or anything else -- stops being private and clubby and starts being more subject to the general rules of public behavior? I'm not offering any answers, just hoping that it's helpful to frame the question.

(Originally posted at Bloginprogress.us)
