Wireless Security on the Road Without a VPN
Be Strong
Anything that you cannot secure should not be used during your travel. Why? Because any information that leaks can be used, whether directly against you or not. That family site login you do through HTTP (why enable SSL on such a site, right?), that XML-RPC posting interface for your blog, that special FeedBurner URL: each of them lets an attacker on the same network learn something about you, typically a username, a password, or a URL that grants access all by itself.
Forget about them, update them, do whatever you need to but do not assume that something is "unimportant." Open the service door and the entrance hall will get invaded, one way or the other -- many a castle was burned down that way in the Middle Ages.
Of course, sometimes, there is nothing to be done. Most applications, for example, will always contact their update servers over HTTP as part of their daily or weekly "phoning home" scheme. An update fetched over plain HTTP can be replaced in transit by anyone sitting between you and the update server, and it will then be installed and run with your privileges. If you do not wish to block these connections with LittleSnitch (or disable the corresponding preference), systematically refuse any update that is offered to you while on the untrusted network, and install it once you are back on a connection you trust.
Make It a Snap
Of course, we all know that security exists. But being secure is a different matter. This is why it is important to make it easy for yourself to use the secure protocols: update your Mail configuration to use SSL for POP, IMAP and SMTP, update your browser bookmarks to point toward the HTTPS URLs, and set up the email accounts you can only reach in the clear to forward to accounts you can read over an encrypted connection.
With the exception of public site browsing (such as the O'Reilly Network, FJZone.org, TheDigitalStory.com, etc.), no insecure URLs should remain in your bookmarks or aggregator. It takes a while, of course, but it is worth it!
The idea here is to "port," so to speak, your entire computing routine into the secure area without changing your habits. Whatever cannot be secured needs either to be disabled during your travels or altered so that you can secure it somehow.
The most careful among us will want to keep two user accounts on their machines, each with a matching application selection in the dock. Others will simply want to remove their chat application, XML-RPC blog updater, etc. from their dock while traveling so as to avoid opening them by mistake.
Protect Yourself
Securing your communications with the outside won't do you much good if your computer and the servers you connect to are full of holes. In that light, be sure to secure your Mac properly (but prefer a more modern anti-virus solution to what is described in our 2004 article).
If some of the servers you connect to are yours, make sure they are up to date and patched. Remember that anyone on the same wireless network can see what you are connecting to, even when the connection itself is encrypted: the DNS lookup and the destination address travel in the clear, and a list of them can be compiled automatically on the attacker's machine. Hence, every time you make a connection to a server that looks interesting, so to speak, you are offering good target points to your neighbors on a silver platter. In circumstances like this, you often wish you hadn't named a server "staff.example.com" or "accounting.example.com," since such names are the equivalent of leaving a cherry pie to cool down on the window ledge -- cartoon fanatics will understand.
Before leaving, it may be a good idea to rotate all your passwords too and make sure they would resist a brute force attack. Keychain Access' Password Assistant will help you greatly in that task. The same should be done once you come back: if someone obtained some of your passwords on the road, the second rotation will lock them out again, unless, of course, the account they gained access to has administrative privileges. If that is the case, they could have used it to create an account of their own or, worse, to plant a backdoor somewhere, and a password change alone will not undo that.
Mind the DNS
Although some may deem this precaution exaggerated, it cannot hurt to rely as little as possible on the DNS of the network you are connecting to. Indeed, it is not out of the realm of possibilities that someone would poison the network's DNS to redirect popular banking or auction sites to a destination of their own.
Of course, the authenticated protocols should catch this: a site you are redirected to cannot present a certificate that is valid for the real hostname, so your browser will raise an error or a warning, and an SSH server at the wrong address will show up as a changed host key. Read these warnings especially carefully when traveling, and never click through them. But what if something fails? What if the attack is particularly well executed and relies on a weakness within the legitimate site? For such attacks, using your own DNS server might help.
Some companies provide high-quality hardened recursive DNS services that may be worth looking into. Once subscribed, you usually need to keep your Mac pointed toward these DNS servers, which you do through the "Network" preference pane (the TCP/IP tab of your port configuration of choice, more precisely). Most such systems require that your computer send an authenticated message to the servers first to ascertain that you can use the account you subscribed to, which, as long as no passwords are transmitted in the clear, should be reasonably safe. Keep in mind what this does and does not buy you: it takes the hotspot's own resolver out of the picture, but your queries to the remote resolver still cross the untrusted network unencrypted, so they remain visible to your neighbors and could, with more effort, still be answered by someone else before the genuine reply arrives.
If at all possible (and especially if using an updating mechanism as described above), try replacing hostnames by IP addresses. For example, if you connect to your server through "myserver.example.com," try replacing this line in your SFTP client with the IP address of that machine. This works well for SSH and SFTP, where the server is identified by its host key rather than by its name, so make sure that key is already in your ~/.ssh/known_hosts file before you leave. It works poorly for HTTPS, since the certificate is issued for the hostname and the browser will complain about the mismatch, and many web servers host several sites on a single address. Collect the addresses before leaving, on a network you trust: the most reliable way is to ask the machine's administrator, although LittleSnitch and the Terminal's "dig" command will give you the same information. Running "dig" once you are on the road only asks the very resolver you are trying not to rely on, unless you point it at a server you trust with "dig @address hostname".
When you are not traveling, a good recursive DNS service may considerably speed up your connections since most ISPs do not invest heavily in the DNS service they provide to their users.
Before returning to your wired network, quit all your web applications and enter lookupd -flushcache in your Terminal, which will clear your Mac's DNS cache and discard any poisoned entries it may have picked up. (On Mac OS X 10.5 and later, the command is dscacheutil -flushcache.)
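The pin-list approach above in practice, as an added example that is not part of the original article: a small Python script that compares the answers of whatever resolver the hotspot hands you with a list of addresses you recorded at home, on a network you trust. The file format (one "hostname address..." line per host, "#" starting a comment), the hostnames and the addresses in the sample are assumptions made up for the example; the addresses come from a documentation range and belong to no real server.

```python
import socket
import sys

# Pin list as you would write it at home, on a network you trust.  The
# format (host, then one or more addresses, "#" starts a comment) and the
# hosts and addresses are constructed for this example; 192.0.2.0/24 is a
# documentation range and belongs to no real server.
SAMPLE_PINS = """\
# host                  pinned address(es)
myserver.example.com    192.0.2.10
mail.example.com        192.0.2.20 192.0.2.21
"""


def parse_pins(text):
    """Turn the pin file into {hostname: set(addresses)}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, *addrs = line.split()
        if not addrs:
            raise ValueError(f"no address pinned for {host}")
        pins[host.lower()] = set(addrs)
    return pins


def resolve_all(host):
    """Every IPv4/IPv6 address the current resolver returns for host (empty on failure)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_pins(pins, resolve=resolve_all):
    """Return {host: (pinned, answered)} for every host whose answer is not
    covered by the pin list.  No answer at all also counts as a mismatch,
    since you would otherwise be tempted to retry through the resolver you
    distrust instead of using the pinned address."""
    mismatches = {}
    for host, pinned in pins.items():
        answered = resolve(host)
        if not answered or not answered <= pinned:
            mismatches[host] = (pinned, answered)
    return mismatches


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PINS
    bad = check_pins(parse_pins(text))
    for host, (pinned, answered) in bad.items():
        got = ", ".join(sorted(answered)) or "no answer"
        print(f"MISMATCH {host}: pinned {', '.join(sorted(pinned))}; resolver says {got}")
    print("all answers match the pin list" if not bad else f"{len(bad)} host(s) differ")
    sys.exit(1 if bad else 0)
```

Run it with the path to your pin file as the only argument, or without arguments to exercise the embedded sample. A mismatch does not prove an attack (the address may simply have changed since you left), but in either case the right move is to connect by the pinned address rather than the local answer and, for SSH or SFTP, to let the host key in known_hosts settle who is on the other end.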
Online/Offline
In most WiFi-enabled areas, you will see little signs inviting you to "just open your browser" or, worse, you may be tempted to go ahead and pick a plausible-sounding network in your AirPort menu at random. This, unfortunately, is the wireless equivalent of Russian Roulette since absolutely nothing guarantees your computer is using the right network. Even I can, on a whim, create a network called "T-Mobile", "Orange," or "O'Reilly's Free WiFi" wherever I go.
Hence, it is essential you rely as much as possible on alternate means of authentication before connecting to the network for the first time. This is not always possible but there are a few simple ways to go about it.
First, ascertain the name of the network you need to connect to -- and once again, don't make any assumptions. Knowing the name protects you from picking a random impostor, but not from a deliberate one: someone can create a rogue network with the same SSID (name) as the legitimate network, and no special antenna is required. Your computer simply joins whichever access point broadcasting that name has the strongest signal, so a rogue access point in the room next door will usually beat the hotel's access point down the corridor. Doable, certainly, and easy if someone wants to target you personally (they could rent the room next door), but then, if you are working for the Secret Service, you're probably not strolling around a hotel using their WiFi network.
What is one supposed to do? In some places, the name of the network will be written somewhere on a plaque or a sign. Most of the time, however, you will have to locate the customer support phone number printed on whatever leaflet the hotel has given you or left in your room and ask the friendly attendant. Sounds silly? Well, it often helps avoid mistakes and it doesn't cost much to place a 10-second call. Some companies operate under different names at different locations so, again, knowing the name of a network in one place doesn't mean you know what it is called in others.
Then there is the question of purchasing your access. Usually, you are instructed to open your browser, let the provider's catch-all (the login page that intercepts every request until you have paid) block you, and punch in your credit card number. Very convenient indeed -- to steal credit card numbers, that is, since a fake login page looks exactly like the real one. Instead, prefer purchasing a pass at the front desk or over the telephone. Also, pay cash if you can, since your credit card number will then not be kept on file. Then, should the catch-all fail to accept your login, this may well mean you have hit a fake login page, but all the attacker will have in his possession is 90 minutes of wireless access.
Of course, this changes dramatically if your login is linked to an email service or offers personalized pages, in which case your attacker could gain access to those too. Another reason to not use an ISP's email servers.
Sure, one could mount a successful man-in-the-middle attack by creating a fake login page, then passing the login on to the real one and transparently routing your connections. This is why it is essential you make sure the page uses SSL (here comes Opera again) and that you actually look at the certificate: a rogue portal can serve its form over SSL too, with a certificate of its own, and hope you click through the warning. Also, verify that it is a catch-all. If the leaflets left in the hotel room specify you should type "wifi.oreillynet.com" to login, try entering something else like "apple.com" and check that you land on the very same login page. Yes, any pirate worth his salt could operate his own catch-all system, but that is one extra step to go through and it is a lot more difficult than enabling web sharing and setting up a website that answers to the correct URL.
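The "try another URL" test from the paragraph above, automated, as an added example that is not part of the original article: the script requests a few unrelated plain-HTTP URLs without following redirects and reports, for each one, whether the request went through untouched, was redirected to an https:// login page, or was redirected to (or directly answered with) a login form over plain HTTP. The probe URLs, the verdict names and the heuristics in classify() are assumptions of this example: it only looks at the scheme of the redirect target and at a 200 response that contains a form asking for a password or a card number, so treat its output as a prompt to look closer, not as a proof of anything.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Plain-HTTP URLs with no relation to the advertised login hostname
# (constructed list for the example; any well-known sites will do).
PROBE_URLS = ["http://apple.com/", "http://example.com/", "http://www.oreillynet.com/"]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers as HTTPError instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=5):
    """Issue one GET and return (status, headers, body_prefix) without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(4096).decode("latin-1")
    except urllib.error.HTTPError as err:  # 3xx as well as 4xx/5xx land here
        return err.code, dict(err.headers), err.read(4096).decode("latin-1")


def classify(status, headers, body):
    """Map one response to a verdict (names chosen for this example):

    "open"          the request reached the real site, nothing intercepted it
    "portal-https"  redirected to an https:// login page: the expected behaviour
    "portal-http"   a login form over plain HTTP, by redirect or inline: enter nothing
    """
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if 300 <= status < 400 and location:
        return "portal-https" if urlsplit(location).scheme.lower() == "https" else "portal-http"
    text = body.lower()
    if status == 200 and "<form" in text and ("password" in text or "card" in text):
        return "portal-http"
    return "open"


def check_catch_all(urls=PROBE_URLS, fetch=fetch):
    """Probe every URL and return {url: verdict}.

    A genuine catch-all intercepts all of them the same way.  A mix of "open"
    and "portal-*" verdicts means only some hostnames are being intercepted,
    which is what a rogue access point doing the bare minimum looks like.
    """
    return {url: classify(*fetch(url)) for url in urls}


def verdict_summary(results):
    """Collapse per-URL verdicts into "no-portal", "consistent" or "mixed"."""
    kinds = set(results.values())
    if kinds == {"open"}:
        return "no-portal"  # nothing intercepted: you are already online
    return "consistent" if len(kinds) == 1 else "mixed"


if __name__ == "__main__":
    results = check_catch_all()
    for url, verdict in results.items():
        print(f"{verdict:13} {url}")
    print(verdict_summary(results))
```

A "consistent" result made of "portal-https" verdicts is what a legitimate hotspot produces; "mixed" means only the names the attacker bothered to intercept are being redirected, and "portal-http" anywhere means the form would carry your card number in the clear. The script does not validate the certificate behind an https:// redirect, so the next step is still to load that page in the browser and read any certificate warning it shows.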
Final Thoughts
We have, in these few lines, brushed the surface of precautions that should be taken when using WiFi networks. These are inherently insecure and, unless you invest in a VPN, any attempt to make them fully safe will fail. However, you can make them more secure, perhaps even secure enough to work for you, at least from time to time.
All in all, the best advice I can give you is to be on the lookout. Social engineering with a dash of technology can be highly effective, especially on networks where the vast majority of users just do not care. Hence, a little thinking will go a long way, especially as you login.
When in doubt, think tarsier and snails. Oh, and have fun!
FJ de Kermadec is an author, stylist and entrepreneur in Paris, France.
Hamachi...
2006-06-24 11:23:21 EmiratesMac
Although there is no official MacOSX GUI yet, it's not that hard to install and use, and Hamachi (www.hamachi.cc) seems like a pretty good option.
Use your own DNS
2006-06-20 23:24:19 tegbains
If you are really worried about DNS spoofing, run your DNS server on your laptop. Of course, it's not the simplest thing, but it's not that hard (use Webmin or another DNS tool).
And as for VPN, you can get a decent VPN router for under $300 (try the Netopia R910 family). Or use M0n0wall on an x86 box as your VPN server.
Teg
Use your own DNS
2006-06-21 00:02:27 FJ de Kermadec
Teg,
All very true indeed. In my, obviously limited, experience however running and maintaining a DNS server on one's laptop goes beyond what most users are willing to invest in terms of learning, time and energy. As running a poorly maintained server on a laptop is more likely to raise issues than to solve them, I chose to leave that part to other, dedicated pieces.
And as far as "home" VPN routers go, some do exist indeed but most of them still are quite expensive and there are questions of compatibility between vendor-specific services. I do agree however nothing replaces such a setup — and this is a point I attempted to repeatedly stress.
I hope this answers your concerns,
FJ
A for effort, C for execution
2006-06-20 17:54:07 chris_barker
All of this is good advice and, as the previous poster brought up, should be followed wherever you are, but I think the article as a whole kind of missed its intended point. Also it seems a little insincere for the author to ask us to trust O'Reilly and its authors' personal sites blindly.
If the target audience is readers who don't have access to or can't figure out how to set up VPNs, most of the advice presented here probably won't make much sense and some of it is actually wrong. Using the "secure" (encrypted) version of any protocol helps a little bit but honestly your messages are going to end up unencrypted somewhere so it's not a cure-all by any means.
Additionally due to the way DNS really works, the advice presented here is just hogwash. DNS is in no way a "standalone" thing, even the best servers almost always depend on as many as 40 other servers which are outside of the "good" server admin's control. If one of those gets compromised, you still get "bad" DNS.
Using IP addresses instead of URLs is also pretty much useless. If someone is monitoring your web access they can capture and check the IP address of a server just as easily as reading an interesting URL.
OK, having said that, if readers are interested in setting up "stronger" connectivity for email, ask the people who take care of your mail service if they support SSL (sometimes called TLS) for POP and SMTP (receiving and sending) and ask them for the details you will need to use SSL/TLS. Once that's done, if you are using Mail.app, go into the preferences and account settings to enter these changes for each of your accounts. If you check the checkboxes for SSL/TLS in your preferences, Mail.app will change the port numbers used to connect to your mail server(s). The numbers it uses are the standard ones, but make sure they match what your provider told you for the details of their servers. Some providers may try and tell you these things only work with MS Outlook, but I've found that Mail.app does SSL/TLS for POP & SMTP just fine. Don't forget that this connection is only "secure" between your computer and the mail server itself. Once your mail leaves the server it's sent in the clear.
In any case, the advice to look for https in a URL or to use SFTP, SSH, etc. is good. Just remember that it's still not any kind of guarantee of security.
If you are even mildly serious about security when traveling for business, make your techies setup an IPSEC VPN. Almost every firewall on the market includes this feature and your Mac has the client software built in. There are plenty of good books about setting up IPSEC VPNs out there for less than the cost of a business dinner. Unfortunately the first and second edition of the O'Reilly VPN books cost more than a pizza and were far less satisfying.
A for effort, C for execution
2006-06-21 00:10:54 FJ de Kermadec
Chris,
I am afraid I wasn't clear: in no way am I asking you to trust O'Reilly or its authors blindly. The examples I quote are simply URLs of "general purpose" sites that do not make logging into a system or passing along confidential information mandatory. You'll notice I rely on good old "*.example.com" a couple times in the article but, for the sake of diversity, thought I should also quote some real world examples.
Encrypted protocols certainly do not encrypt the message on the destination server. That is not what they are intended to do. In that, I do not believe recommending that they be used is "wrong". If one cannot expect one's email provider or host to take reasonably good care of one's accounts, then the problem goes beyond what most users would be able to solve by themselves.
As far as DNS goes, I agree as well: the way it works makes it easy for one bad server to poison a great many downstream servers. Yet, if one is on a particularly weak link, it cannot hurt to bypass that one, which brings the odds of a "bad server" back to those one would encounter on a home or small business connection.
I also agree about the IP. On a moderately busy WiFi network however, access logs can be pretty large. Conducting a reverse DNS lookup, no matter how easy, is an additional step to take for someone who will, anyway, normally have a great deal of addresses to look up. Also, note I am not recommending one uses IP addresses to thwart shoulder surfers but simply as a way to avoid relying on the local DNS server.
All in all, we seem to agree! Remember this article is intended for readers who do not have a "techie" at hand, which is a vast majority of users. And as far as firewalls including VPN servers, I am afraid this is not the case: most of them allow for VPN pass-through but they do not act as servers themselves.
FJ
I don't understand....
2006-06-20 15:53:04 brocklee
Why do these tips only apply while traveling and using a public wifi connection? What is it about using one's own broadband connection in one's own home that makes one immune from these very same issues?
If you're connecting to any machine/service that's not on your local area network, that information is going across the internet, with many, many opportunities for it to be sniffed.
Sure, using a public wifi connection enlarges your security profile. But I object to the implication in the article that using the internet from your own home or your own place of work is safe (or substantially safer).
I don't understand....
2006-06-20 23:59:21 FJ de Kermadec
Brocklee,
The advice you read here certainly applies to home broadband connections too. The reason I chose to give it a "public" angle is that dangers increase tenfold on a public network, where one has no knowledge of the surroundings, the others on the network, etc…
Your private WiFi network can be just as well the target of attacks. However, within the Mac community, one can reasonably expect users to enable at least basic security, as per Apple's advice, which cleans things up a great deal.
I hope this answers your question,
FJ
I don't understand....
2006-06-20 15:57:54 Derrick Story
I think you can apply these techniques anywhere they seem appropriate. Have a great day!