Protecting Your Passwords and Confidential Information
We all know how important a password can be, especially when the same password is used on multiple systems. In my past articles I have talked about how to protect one's passwords from compromised machines that could have Trojans installed on them.
There are, however, many more risks than that, and several of them come from where you connect from and what sits between you and the system you are logging in to.
Wireless access points
We've all been at an airport waiting for hours for a connecting flight. In most cases we have laptops, PDAs or even mobile phones that can connect wirelessly to the internet, provided we find an access point to use. Sometimes you find a paid service that gets you online, while other times you hit the jackpot and find a free access point. The same happens at bars and restaurants, but what is the implication? The truth is that you do not really know what you are connecting to. It could very easily be a malicious person sitting nearby with a laptop, running an open access point so that everything you send through it can be sniffed, logged or proxied. Nothing stops him from naming his access point after the airport's or the café's own network, and your laptop will see no difference between the two.
Even with paid services, one isn't necessarily safe. The sign-up page might be a scheme to collect credit card details. A small PDA in a piece of hand luggage, or a casual-looking person with a laptop, is all it takes to capture the card details entered by a victim who believes he is buying wireless access from some major vendor, only to be told that the transaction failed. No big deal: when he checks his balance he has not been charged. That is, until his stolen card is used, likely months later, and even if he remembers this particular incident and makes the connection, he is surely not going to remember the face of every person with a laptop at the airport that day.
Even at shops, bars and restaurants you don't really know what is happening to your data as you surf away. An employee at the establishment might be logging all traffic going through its network. A bar providing free internet access is unlikely to monitor its systems closely, so the access point might have been compromised and a malicious hacker could be watching everything that passes through it. It might not be the bar's wireless network at all: perhaps the hacker next door has set up a rogue access point to exploit his location close to the bar and spy on anyone who happens to connect to it.
In any case it is essential to keep in mind that whenever you connect to a wireless access point that you do not control, you are taking a security risk: anything you send unencrypted, passwords included, can be read by whoever operates or has compromised that access point.
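One check a traveller (or a laptop's connection manager) can make before joining is to compare the access points seen in a scan against each other and against a short list of networks used before. The following is an added example and not part of the original article; it goes slightly beyond the text by also catching names that differ from a trusted network only in case or punctuation. The scan data, the MAC addresses and the TRUSTED_SSIDS allow-list are all constructed for the example.

```python
"""Flag access points that look like rogue or lookalike networks in a scan.

Added example, not part of the original article. The scan below is
constructed (invented SSIDs and BSSIDs); TRUSTED_SSIDS is an assumed
allow-list of networks the user has used before.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # MAC address of the access point
    channel: int
    security: str    # "OPEN", "WPA2-PSK", "WPA2-EAP", ...


# Constructed scan results for the example (not real networks).
SCAN = [
    Beacon("Airport_Free_WiFi", "00:11:22:33:44:01", 6, "OPEN"),
    Beacon("Airport_Free_WiFi", "00:11:22:33:44:02", 11, "OPEN"),
    Beacon("AirportLounge", "00:11:22:33:44:10", 1, "WPA2-EAP"),
    Beacon("AirportLounge", "de:ad:be:ef:00:01", 1, "OPEN"),    # same name, no encryption
    Beacon("Airport Lounge", "de:ad:be:ef:00:02", 6, "OPEN"),   # lookalike name
    Beacon("CoffeeBar", "00:11:22:33:44:20", 6, "WPA2-PSK"),
]

# Assumed allow-list of networks the user has previously used.
TRUSTED_SSIDS = ["AirportLounge", "CoffeeBar"]


def normalize(ssid: str) -> str:
    """Collapse case and punctuation so 'Airport Lounge' matches 'AirportLounge'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_suspicious(beacons, trusted_ssids):
    """Return (bssid, reason) pairs for access points worth avoiding.

    Several BSSIDs sharing one SSID is normal (a building has many APs), so
    that alone is not flagged. Two things are:
      1. an OPEN AP advertising an SSID that other APs serve with encryption
         (the classic 'evil twin' set up next to the real network);
      2. an SSID that differs from a trusted one only in case or punctuation.
    """
    findings = []
    by_ssid = defaultdict(list)
    for b in beacons:
        by_ssid[b.ssid].append(b)

    for ssid, group in by_ssid.items():
        securities = {b.security for b in group}
        if "OPEN" in securities and len(securities) > 1:
            encrypted = sorted(securities - {"OPEN"})
            for b in group:
                if b.security == "OPEN":
                    findings.append((b.bssid, f"open AP for '{ssid}', which is also served as {encrypted}"))

    trusted_by_norm = {normalize(s): s for s in trusted_ssids}
    for b in beacons:
        canonical = trusted_by_norm.get(normalize(b.ssid))
        if canonical is not None and b.ssid != canonical:
            findings.append((b.bssid, f"SSID '{b.ssid}' is a lookalike of trusted '{canonical}'"))
    return findings


if __name__ == "__main__":
    for bssid, reason in find_suspicious(SCAN, TRUSTED_SSIDS):
        print(f"{bssid}: {reason}")
```

The heuristic is deliberately conservative: two open APs with the same free-WiFi name are not flagged, because that is what a venue with several access points looks like. What it does catch is the case the article describes, an open network impersonating one that is normally encrypted, which a client cannot distinguish by SSID alone.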
Internet Cafés
With internet cafés it is mostly the same story as with the wireless access points above. While it is less likely that the establishment is spying on you intentionally, it is quite possible that someone who used the machine before you managed to compromise it and installed key loggers or Trojans to record whatever you do. A key logger need not even be software: a small hardware device plugged in between the keyboard and the PC records every keystroke and is easy to miss on a machine you do not own.
Satellite Systems
In this modern age satellites are used for everything: television, radio, positioning data and even internet access to remote areas. In most cases satellite internet is pretty fast and its only technical drawbacks are latency and, on some systems, the need for a separate upstream path. There is a pretty nasty security issue with it as well. Wireless sniffing already made it easier to penetrate networks by putting the attacker within reach of your connection through mere proximity, instead of requiring physical access to the wire or a point between you and the destination. Satellite makes the situation worse because whatever you receive over a satellite connection is broadcast to everyone within the beam's footprint, an area the size of a continent. Anyone with a dish and a suitable receiver can capture that downlink (some feeds are encrypted, but many are not, and there are technical reasons for that), and they can do it from the comfort of their home without any risk of being detected, since receiving a broadcast leaves no trace. The only reliable protection is encryption applied end to end above the satellite link, such as TLS or a VPN, so that what is broadcast is useless to anyone else listening.
Workplace
This one is probably the least obvious. Your passwords are at risk on your work network as well. If a disgruntled employee runs a sniffer on his machine, he may capture passwords or confidential information travelling across the network. How much he sees depends on the network topology and infrastructure: on a hub or an open wireless segment he sees everything, while on a switched network he needs a mirrored port or a trick such as ARP spoofing to pull traffic past his machine, and neither is beyond a motivated insider. We already discussed in a previous article how it is possible to sniff print jobs, which can then be replayed to any printer and reprinted. Passwords, confidential emails, confidential documents and even chats can provide a wealth of information that could be valuable to a disgruntled employee who wants to get back at his employer.
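The wireless, satellite and workplace scenarios above all come down to the same thing: someone who can see your packets can read whatever is not encrypted. The following added example (not from the original article) shows what a passive sniffer actually gets. It builds a few constructed Ethernet/IPv4/TCP frames (invented addresses from the TEST-NET ranges, checksums left at zero), runs a small credential extractor over them the way a sniffer would, and shows that the same extractor gets nothing from a TLS record carrying the same kind of login.

```python
"""What a sniffer on an untrusted network sees.

Added example, not from the original article. Builds constructed frames
(invented addresses, zero checksums), extracts plaintext HTTP credentials
from them, and shows that a TLS record yields nothing.
"""
import base64
import struct
from urllib.parse import parse_qs

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_frame(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet + IPv4 + TCP frame around a payload (constructed traffic)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_TCP, 0, src_ip, dst_ip)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, dport, tcp_payload), or None if the frame is not IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_TCP:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, dport, tcp[data_offset:]


def extract_credentials(payload: bytes):
    """Pull (kind, user, password) out of a plaintext HTTP request, if present."""
    found = []
    if not payload.startswith((b"GET ", b"POST ")):
        return found                      # not plaintext HTTP (e.g. a TLS record)
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    auth = headers.get(b"authorization", b"")
    if auth[:6].lower() == b"basic ":     # Basic auth is only base64, not encryption
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
            found.append(("basic", user, password))
        except (ValueError, UnicodeDecodeError):
            pass
    if headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode(errors="replace"))
        user = next((fields[k][0] for k in ("username", "user", "login", "email") if k in fields), None)
        password = next((fields[k][0] for k in ("password", "pass", "passwd") if k in fields), None)
        if user is not None and password is not None:
            found.append(("form", user, password))
    return found


def sniff(frames):
    """Run the extractor over every frame, as a passive sniffer would."""
    results = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, dport, data = parsed
        for kind, user, password in extract_credentials(data):
            results.append((src, dst, dport, kind, user, password))
    return results


# Constructed traffic: a Basic-auth GET, a login form POST, and a TLS application-data record.
VICTIM, SERVER = bytes([10, 0, 0, 23]), bytes([198, 51, 100, 7])
BASIC_GET = (b"GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\n"
             b"Authorization: Basic " + base64.b64encode(b"alice:s3cret!") + b"\r\n\r\n")
FORM_BODY = b"username=bob&password=hunter2&remember=1"
FORM_POST = (b"POST /login HTTP/1.1\r\nHost: shop.example.com\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: %d\r\n\r\n" % len(FORM_BODY)) + FORM_BODY
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(32))   # opaque ciphertext to the sniffer

FRAMES = [
    build_frame(VICTIM, SERVER, 51000, 80, BASIC_GET),
    build_frame(VICTIM, SERVER, 51001, 80, FORM_POST),
    build_frame(VICTIM, SERVER, 51002, 443, TLS_RECORD),
]

if __name__ == "__main__":
    for src, dst, dport, kind, user, password in sniff(FRAMES):
        print(f"{src} -> {dst}:{dport} [{kind}] {user}:{password}")
```

Two of the three frames give up a username and password with no effort at all; the third, carried inside TLS, gives up nothing, which is the whole argument for only ever authenticating over an encrypted connection when the network is not yours.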
What to do about it?
Now that we are aware of the risks, what can we do about them? There is no straight answer. The best thing is not to access any confidential data over an open connection such as public wireless or satellite. Where you must, authenticate only over an encrypted connection (HTTPS with a certificate your browser accepts without warnings, SSH, or a VPN back to a network you trust), and treat a certificate warning on such a network as a sign that someone may be sitting in the middle. Internet cafés are another story: here encryption does not provide enough security, because a key logger on the terminal captures your password before it is ever encrypted. It is safer to connect your own laptop whenever this is allowed, although that carries its own risk, since other machines on the network might be infected and will probe yours; keep the firewall on and file sharing off. Ultimately one must always be aware of security threats and avoid any potentially harmful scenario wherever possible.
Users concerned with security away from the home and office might want to consider using a VPN service to protect their information, including their passwords. These services offer a secure Internet connection from wherever they're used. Encryption in a VPN tunnel can vary from as low as 128 bits to as high as 2048 bits. Users should understand, though, that the higher the bit rate, the slower the connection will behave. Since these services open up the entire Internet to their clients, network administrators should carefully review any service chosen to ensure that employees won't use it to circumvent corporate policies governing Internet usage. For example, blocked sites will no longer be blocked when using these services. In addition, some services offer USB thumb drive versions of their wares, which may allow some travelers to leave their laptops at home, where they may be less likely to be stolen. Pricing for the services varies from $100 a year to $15 a month to $4 or $5 for shorter periods of time. Of course, if a computer is infected with a keyboard logger or other such pest, not even a VPN is going to keep a user's passwords safe.
I completely agree with John; a VPN tunnel is a great way to mitigate the risks when connecting through a wireless connection from your own laptop while at the airport, at a hotel or any other place really. However, you still need to ensure that there are no key loggers, although if you are using your own hardware and it is adequately protected, the risk should be minimal.
I totally agree with you guys; some ideas to add to your thoughts. It's always best to use secure connections such as HTTPS, and virtual keyboards when the application allows them (to prevent key logging).
If you can choose the auth method for your application, it is always a good idea to use two-factor authentication like RSA or tokens. There is an excellent method by Steve Gibson called PPP (Perfect Paper Passwords) which is completely free and as secure as many of the commercial solutions.
Best regards
Leandro
The virtual keyboard is actually a brilliant idea, thanks Leandro. Two-factor authentication using tokens is also a good option against key loggers, provided that whatever you do after logging in is not confidential, since a key logger will log anything that one types and not just the password.
Correct me if I am wrong, but Perfect Paper Passwords is an implementation of the One Time Password (OTP) concept, right? Where you have a number of passwords printed out and you use them sequentially? While it's great against key loggers, it might be a small security risk if someone gets access to that list. Maybe a more secure way to do it could be simply phoning the administrator for a one-time password whenever one needs to log on from an Internet café or other unsecured terminal. Still, I guess if the user takes adequate precautions, such as ensuring that no one is shoulder surfing him/her or that s/he is not being watched by some camera, it should be safe enough.
Again, thanks for the virtual keyboard option, it's actually a great idea!
PPP is two-factor authentication, so you need something you know (your everyday password) and something you have (the paper with the second password). So in case the user loses the list, the attacker still needs the password for the account.
It's great to interact with you guys; it always makes me think about new ideas for my everyday job.
Ah, I was missing that detail; I didn't know PPP is a two-factor authentication system. Yes, in that case it's pretty robust and quite an elegant solution too!
Glad you're finding this useful; this is exactly what I was hoping for too, that the articles generate discussion and ideas.
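The comments above discuss paper one-time passcodes as a second factor: a printed card of short codes used in order, checked alongside the everyday password, so that a code captured by a key logger is worthless once it has been used and a lost card is worthless without the password. The following is an added example written for this page; it is not Steve Gibson's PPP algorithm (PPP derives its codes with AES under a 256-bit sequence key), but a simplified scheme in the same spirit using HMAC-SHA256 from the Python standard library. The sequence key, password and salt are constructed demo values; a real deployment would generate the key and salt with secrets.token_bytes().

```python
"""Paper one-time passcodes as a second factor, in the spirit of PPP.

Added example, not the original article's code and not Gibson's PPP
algorithm itself (PPP uses AES; this uses HMAC-SHA256). DEMO_KEY and
DEMO_SALT are constructed values for the example only.
"""
import hashlib
import hmac

# 64 symbols, 6 bits each; 0/O/1/l/I are left out so printouts are not misread.
ALPHABET = "!#%+23456789:=?@ABCDEFGHJKLMNPRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CODE_LEN = 4
ROWS, COLS = 10, 7            # one printed card holds 70 codes
COLUMN_LETTERS = "ABCDEFG"


def passcode(seq_key: bytes, index: int) -> str:
    """Derive the index-th four-character code from the secret sequence key."""
    digest = hmac.new(seq_key, index.to_bytes(8, "big"), hashlib.sha256).digest()
    bits = int.from_bytes(digest[:3], "big")           # 24 bits -> 4 x 6-bit symbols
    return "".join(ALPHABET[(bits >> (6 * i)) & 63] for i in reversed(range(CODE_LEN)))


def passcard(seq_key: bytes, card_no: int):
    """Render one card as a list of rows; this is what the user prints and carries."""
    base = card_no * ROWS * COLS
    return [[passcode(seq_key, base + r * COLS + c) for c in range(COLS)] for r in range(ROWS)]


def coordinates(index: int):
    """Where on the paper the server asks the user to look: (card, row, column)."""
    card, rem = divmod(index, ROWS * COLS)
    row, col = divmod(rem, COLS)
    return card, row + 1, COLUMN_LETTERS[col]


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginServer:
    """Checks the password (something you know) and the next unused code (something you have)."""

    def __init__(self, password: str, seq_key: bytes, salt: bytes):
        self.salt = salt
        self.pw_hash = _hash_password(password, salt)
        self.seq_key = seq_key
        self.next_index = 0          # advances only on success, so a logged code cannot be replayed

    def challenge(self):
        return coordinates(self.next_index)

    def login(self, password: str, code: str) -> bool:
        pw_ok = hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))
        expected = passcode(self.seq_key, self.next_index)
        code_ok = hmac.compare_digest(code.encode(), expected.encode())
        if pw_ok and code_ok:
            self.next_index += 1
            return True
        return False


DEMO_KEY = b"constructed-demo-sequence-key-not-for-real-use"
DEMO_SALT = b"constructed-demo-salt"

if __name__ == "__main__":
    server = LoginServer("correct horse", DEMO_KEY, DEMO_SALT)
    for row_no, row in enumerate(passcard(DEMO_KEY, 0), 1):       # the printed card
        print(f"{row_no:2d}  " + " ".join(row))
    card, row, col = server.challenge()
    code = passcard(DEMO_KEY, card)[row - 1][COLUMN_LETTERS.index(col)]
    print(server.login("correct horse", code))                     # True
    print(server.login("correct horse", code))                     # False: already used
```

The server only consumes a code on a successful login, so an attacker who has the card but not the password cannot burn through codes, and an attacker who logged one code via a key logger finds it rejected the second time. As noted in the thread, this protects the login, not what is typed afterwards on a compromised terminal.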