is privacy the only risk in using a public wifi?

[her34]

when you use a public untrusted source for wifi, is privacy the only risk? are you only in danger of having all your internet activity looked at?

if someone sets up a router with malicious intent, what is the worst possible thing that can happen?

from reading around it seems the only thing that can happen is a person sees your passwords. is it possible to get malware/virus?

 

[Lean L]

Well could be attacked by computers on the lan if your computer is not secure... ie shares, open ports

although I'd think privacy is the main concern as you are sending out your forms without encryption, SSL should save you assuming that the pc is secured.

 

[JackMDS]

Public Hot Spot are un-protected if your computer's HD is set to share your HD content is open to the world.

 

[spidey07]

Everything you send and receive can be captured and understood. There are tools out there to effectively act as a man in the middle where another computer is answering your requests and capturing cookies, passwords, e-mail, passwords, etc. HTTPS/SSL "should" keep you secure but I won't do any banking or financial stuff on public wifi, I only use it for basic browsing and I stay logged off any forums as it's extremely easy to capture your cookie and hijack your account.

Also your computer is exposed to anybody that wants to try to access it so you have to make sure the PC itself is patched and locked down.

 

[Engineer]

Originally posted by: spidey07
Everything you send and receive can be captured and understood. There are tools out there to effectively act as a man in the middle where another computer is answering your requests and capturing cookies, passwords, e-mail, passwords, etc. HTTPS/SSL "should" keep you secure but I won't do any banking or financial stuff on public wifi, I only use it for basic browsing and I stay logged off any forums as it's extremely easy to capture your cookie and hijack your account.

Also your computer is exposed to anybody that wants to try to access it so you have to make sure the PC itself is patched and locked down.

With that said, I run a SSH tunnel back to my home router with 1024 bit RSA encryption/key for ALL of my surfing from public spots. While I understand that the laptop ports can be open an possibly hacked (hence the firewall), does the SSH encryption actually help? I would think that the data can be sniffed out but would need to be decrypted (on top of adding HTTPS/SSL) before it could be looked at or used, yes?

To me, it's a must to run a virus scanner with continuous detection as well as a firewall and possibly adware scanners as well. Firewall and virus scanner to stop them from getting in (updated files of course) and the adware scanner to catch the crap that gets in from installs of others stuffs (I hate that stuff).

 

[spidey07]

SSH will encrypt everything. Your still at risk from a man in the middle if they can get your key, pretty unlikely...they'd have to be able to steal it from the server itself.

 

[Engineer]

Originally posted by: spidey07
SSH will encrypt everything. Your still at risk from a man in the middle if they can get your key, pretty unlikely...they'd have to be able to steal it from the server itself.

Would need the key and passphrase to use it. Let's just hope that none of the router Linux coders left a backdoor to the router, lol! 😛

By the way, if they had the key, what would they need to have to look at SSL/HTTPS pages that were being used?

 

[her34]

if you download a file (suppose firefox from mozilla), is it possible for the rogue hotspot to inject a virus/malware into the file?

 

[spidey07]

Originally posted by: her34
if you download a file (suppose firefox from mozilla), is it possible for the rogue hotspot to inject a virus/malware into the file?

Yes

 

[her34]

How difficult is it for a rogue hotspot to switch a file a user wants to download? Is it trivial like hacking wep, or does it take some advanced knowledge

Being from a trusted source (like mozilla) doesn't make a difference?

 

[Emulex]

not that hard to do for someone that can code a proxy.

that's why you never use a ssid called "FREE WIFI" it's a trap !

 

[Gillbot]

I'd like to see a writeup or how-to on setting up a SSH to a home network. I'd like to do that myself so my wife quits using every "free wifi" hotspot she sees.

 

[Engineer]

Originally posted by: Gillbot
I'd like to see a writeup or how-to on setting up a SSH to a home network. I'd like to do that myself so my wife quits using every "free wifi" hotspot she sees.

I'll see what I can write up for you. I'm using Putty to SSH into the router. I generated the key (1024 bit) using PuttyGen and then pasted a copy into the router (Using Tomato, it's on the administration menu). I took the generated key file and then use the putty to connect. I'll work on it when I get a chance. For added security, I added a passphrase that I must type in just to use the key file with Putty.

Edit: I have to do this at home. Websense has been upgraded at work and it has the most ridiculous set of rules that I've ever saw. Can't go anywhere with the damn thing (lucky AT is even working).

By the way, what browser are you using? (Please be FireFox or IE as that's the only two that I've done, lol).

Articles collected below...will put them together when I have them all (from home later)..


Guide to using Putty with router flash with Tomato for an SSH tunneled connection.

<<<<<Step 1: Download Putty.exe (Telnet and SSH client) and Puttygen.exe (SSH key generator) from here:

Click me (Putty.exe and Puttygen.exe).


These are stand alone applications (not zipped) so store them in a folder that you can use permanently (i.e. C:\Program Files\Putty or something similar to fit your needs). You probably want to create a shortcut to Putty.exe on your desktop.

<<<Step 2: Generate and save your key using puttygen.exe:

PuttyGenerator.jpg

PuttyGeneratorwithkey.jpg

Open the program and select the <Generate> button. The program will instruct you to move the mouse randomly around the pad area. As you move the mouse around, you'll notice the green progress bar fill from left to right until complete. Once complete, the key screen will be displayed. If desired, you can type a "Key passphrase" into the box and confirm (recommended - the passphrase must be entered to use the key with Putty when running).

Hi-light the "Public key for pasting into OpenSSH authorized_keys file:" and copy (<CTRL><C> ).

Click on the <Save private key> file and enter the name you wish the save the .ppk file. This is your key file that will be used within Putty (or any other SSH client) to allow connection and encryption between the PC and the server (router in this case).

<<<Step 3: Setup of SSH Daemon (server):

Server_router_setup.jpg (No, that is not my key! 😛 )

Open your browser and enter the Tomato setup page. Go to the Administration page and then select the "Admin Access" submenu. Under the SSH Daemon section, check the "Enable at Startup" box and then the "Remote Access" box. Enter the port that you wish to use from the Wan (Internet) into the "Remote Port" box. Check the "Remote Forwarding" box and leave the "Port" box at 22. Uncheck "Allow Password Login" and finally, paste your key (copied from step #2 above) into the Authorized Keys box. Select <Save> at the bottom of the page. After saving, you may wish to click on the <Start Now> box or you can simply reboot to start the SSH Daemon.

Your SSH Daemon (server) is now set up and functioning. Time to get the client running, set up the tunnel and then set your browser to use the proxy tunnel to surf the web encrypted.

<<<Step 4: Setup of SSH authorization and proxy tunnel using Putty.exe.

Putty.jpg

Open Putty.exe. From the "Session" page, enter the Host Name (or IP) of your server (just set up in step 3 - External WAN Internet address). Set the Port to the "Remote Port" that you entered during Step #3. Make sure connection type is set to SSH.

Click on the "SSH" section and then on the "Auth" subsection. Click on the <Browse> button under "Private key file for authentication". Select the .ppk file that you created in step #2 above.

Click on the "Tunnels" subsection. You will now enter a local port (your choice) that will be used to proxy the PC (8080 for example).

1. Source Port: Fill in a port number that will be used locally, on the laptop, for this connection. For instance, you might use port 8080 for forwarded HTTP requests.

2. Destination: Leave the text field empty. Select the Dynamic and Auto options.

Now click the <Add> button to add the port for tunneling.

Return to the "Session" page and name your newly created SSH tunnel. Enter a name in the box "Saved Sessions" and click the <Save> button. Your tunnel configuration should now be ready to run.


<<<Step 5: Set your browser to use the newly created SSH tunnel above (step 4).

Proxysettings.jpg

Open your browser, select the "Tools" menu and then "Options". Now select the "Connections" tab and click on the <LAN settings> button. Check the "Use a proxy server for your LAN" box. Now click on the <Advanced> button. From there, enter the following in the SOCKS field:

127.0.0.1 and port 8080 (as created above). Note: This is a SOCKS5 proxy if using Firefox (see guide below for FF details). Now click on <OK> and then <OK> until back to the broswer main page.

Your browser is now ready to use the SSH proxy tunnel.


<<<Step 6: Start the SSH client (Putty) and get the tunnel started.

Open Putty.exe. Select the Saved Session that you created earlier and select <Load>. Now click on the <Open> button. This will open Putty and, if everything is OK, you should be greeted with a black box with a "Login" prompt. At the login, enter root. You should be greeted with the passphrase (if used during key generation). Enter your passphrase. If everything is OK, the box will indicate that you have now logged on and have a tunnel.

Puttyafterlogin.jpg

Note: You will need to do this each time you wish to start a connection. As long as you keep the connection (or don't lose signal), you will not need to repeat this step to browse.[/b]


<<<Step 7: Browse

If everything worked OK, you should now be browsing your newly created 1024 bit (or whatever you used when generating the key) SSH tunnel.




Good writeup on the "proxy" portion of Putty.


Please note: This is not intended to firewall your PC on a public connection from hacks. You still need a good firewall to make sure that your ports are closed down to the general public. A good virus checker is also a good idea. The use of the SSH tunnel is to encrypt all internet traffic by using the public wifi to tunnel to your router (SSH Daemon server) with 100% encrypted traffic. If you have open ports that can be exploited, your PC will be at risk no matter the use of SSH or not. Please make sure that you are protected with a good firewall (not sure if windows firewall is good enough or not).

 

[Modelworks]

One of the biggest things you can do when using a public wifi is to know who the person is providing the service. Don't just use any connection if you don't know who the provider is. It is very trivial to set up a wifi AP then connect it to your own personal pc and monitor the traffic of people that connect to the AP. So make sure you know who you are connecting to.

 

[Engineer]

Guide to SSH with Putty and Tomato router up (see above). Please leave comments (both good and bad) so that I can make it better. I didn't have much time after putting it together to read it many times. I will have more time later.

 

[her209]

Originally posted by: Engineer

Originally posted by: Gillbot
I'd like to see a writeup or how-to on setting up a SSH to a home network. I'd like to do that myself so my wife quits using every "free wifi" hotspot she sees.

I'll see what I can write up for you. I'm using Putty to SSH into the router. I generated the key (1024 bit) using PuttyGen and then pasted a copy into the router (Using Tomato, it's on the administration menu). I took the generated key file and then use the putty to connect. I'll work on it when I get a chance. For added security, I added a passphrase that I must type in just to use the key file with Putty.

Edit: I have to do this at home. Websense has been upgraded at work and it has the most ridiculous set of rules that I've ever saw. Can't go anywhere with the damn thing (lucky AT is even working).

By the way, what browser are you using? (Please be FireFox or IE as that's the only two that I've done, lol).

Articles collected below...will put them together when I have them all (from home later)..

<snip>

Please note: This is not intended to firewall your PC on a public connection from hacks. You still need a good firewall to make sure that your ports are closed down to the general public. A good virus checker is also a good idea. The use of the SSH tunnel is to encrypt all internet traffic by using the public wifi to tunnel to your router (SSH Daemon server) with 100% encrypted traffic. If you have open ports that can be exploited, your PC will be at risk no matter the use of SSH or not. Please make sure that you are protected with a good firewall (not sure if windows firewall is good enough or not).

YouTube Video

 

[Engineer]

Originally posted by: her209
<snip> [/b]
YouTube Video

While that's OK for showing some of the setup stuff, it doesn't show the key generator (that I saw). Seemed like a simple password login with no real authentication (did I miss it?)?!?

To me, the key (1024 bits baby! 😛 ) is an important part of the setup. However, the videos are pretty cool (but some are meant to show bypassing a proxy/firewall at work/school. I can tell that some networks sniff this kind of stuff out and block it (even on standard ports like 443, etc).