
Traveling Safely

by Lee LeClair
08/15/2008
As seen in Inside Tucson Business

Travel in any airport in the US and you will note the incredible number of people using laptop computers in lounges, waiting areas, restaurants, etc. Sometimes they are working on a document or spreadsheet, but often they are checking their email or surfing the web. When they are, they are typically connecting via a wireless network local to the airport. While there is a trend towards the use of “air cards” which provide data connectivity through mobile telephone networks (often referred to as 3G networks), wireless hotspots are still the most common method of connection for traveling users.

Some airports offer free service; others host pay networks from T-Mobile, AT&T, Boingo, etc. Similarly, many hotels offer either free or paid wireless connectivity, and most businesses reimburse fees for wireless connectivity, so it is highly prevalent in the business market. People are quite familiar with firing up their operating system's wireless detection utilities and choosing the strongest node to connect to. However, using unsecured wireless networks is dangerous in that it is trivially easy for an attacker to establish his own wireless device (laptop or router) as a wireless node with the same name as legitimate nodes in the area. When a user attaches to the attacker's node, he will get connectivity to the Internet and proceed with whatever business he was intent on. All the traffic will pass through the attacker's system first, though, and it can be easily recorded for later mining of interesting data.
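One way to spot the look-alike node described above before connecting, as an added example that is not from the original column: a heuristic that compares every node advertising the same network name and flags the odd one out. The scan data, function names and the two checks are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample scan results: (SSID, BSSID, security). Not real networks.
SAMPLE_SCAN = [
    ("Airport-WiFi", "00:11:22:aa:00:01", "open"),
    ("Airport-WiFi", "00:11:22:aa:00:02", "open"),
    ("Airport-WiFi", "00:11:22:aa:00:03", "open"),
    ("Airport-WiFi", "02:5e:10:3c:9f:44", "open"),  # vendor prefix differs
    ("HotelGuest", "00:aa:bb:10:00:01", "wpa2"),
    ("HotelGuest", "00:aa:bb:10:00:02", "open"),    # same name, no encryption
    ("CoffeeShop", "00:cc:dd:00:00:01", "wpa2"),
]


def oui(bssid):
    """Return the first three octets (vendor prefix) of a BSSID, normalised."""
    return bssid.lower().replace("-", ":")[:8]


def suspicious_nodes(scan):
    """Return (ssid, bssid, reasons) for nodes that differ from same-name siblings."""
    by_ssid = defaultdict(list)
    for ssid, bssid, security in scan:
        by_ssid[ssid].append((bssid, security.lower()))

    findings = []
    for ssid, nodes in by_ssid.items():
        if len(nodes) < 2:
            continue  # a lone node has no siblings to compare against
        common_oui, count = Counter(oui(b) for b, _ in nodes).most_common(1)[0]
        some_encrypted = any(sec != "open" for _, sec in nodes)
        for bssid, sec in nodes:
            reasons = []
            # Only trust the majority prefix when more than one node shares it.
            if count > 1 and oui(bssid) != common_oui:
                reasons.append("vendor prefix differs from the other nodes")
            if sec == "open" and some_encrypted:
                reasons.append("unencrypted while same-name nodes use encryption")
            if reasons:
                findings.append((ssid, bssid, reasons))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reasons in suspicious_nodes(SAMPLE_SCAN):
        print(f"{ssid} {bssid}: {'; '.join(reasons)}")
```

These checks can miss a rogue node that matches its neighbours, so a clean result is not proof that a network is legitimate; an encrypted channel remains the real protection.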

Is that necessarily a big loss? Certainly not if you enable a company Virtual Private Network (VPN) first; these create an encrypted tunnel to your company's network. Also, most web sites have enabled SSL/TLS for their login/password pages; HTTPS creates an encrypted connection for web traffic though not for SMTP or other protocols. Having no encryption may not be an issue if you are conscious of what data you are sending and receiving, whether and when it is being protected (either by VPN, SSL, or a similar mechanism), and whether it could be of any value to anyone. For example, you may know that both Yahoo and Google encrypt their login-password pages via SSL/TLS but neither encrypts any subsequent communications so any email you read from these services will be visible to a wireless man-in-the-middle attacker, including attachments. Again, maybe there's nothing of any value in your typical communications and if that's the case, then you have nothing to worry about.

On the other hand, if you tend toward the paranoid like I do then you consider the alternatives for obtaining some privacy. If it's corporate business you're up to and your company has a VPN, then that is the safest way to go. If it's personal business that you'd prefer your employer remain unaware of (or if your employer has content filters and/or personal use clauses), then you can use an anonymizer service, set up a personal VPN to a personal location (like your home), use remote desktop display (RDP, VNC, etc.), or get fancy with a web proxy and an encrypted tunnel. I use a Linux server with a protected proxy that I tunnel my web traffic to via SSH. I use this rather than a simpler OpenVPN setup for an odd set of reasons related to the nature of my work. The point is that there are a variety of ways to keep your data confidential and you should explore some alternatives to ensure you always have a way to keep yourself safe.

In general, I prefer wired network communications for reliability and performance, but it's a wireless world out there so it pays to work with it safely. For travel, I recommend using disk or file encryption on your notebook or, better yet, an external 2.5” USB hard drive (check out TrueCrypt on Google), having access to an encrypted communications channel (e.g., VPN, TLS, SSH, etc.), and carefully keeping your notebook with you at all times during travel. It astounds me every time I read about some company losing tons of sensitive data through a lost laptop. Stay safe out there.

Lee LeClair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business.