news / tech talk
Traveling Safely
by Lee LeClair08/15/2008
As seen in Inside Tucson Business
- Arizona Daily Star
- BizPlanIt
- Linux World Expo
- 40 under 40
- They're on the A-List
- Dotche system built by Ephibian
- AzBusiness
- Arizona Daily Star
- Arizona Daily Star
- Phoenix Business Journal
- Ranking Arizona
- The Arizona Republic
- Hostingtech.com
- American City Business Journals Inc.
- AZtechBiz
- Inside Tucson Business
- Arizona Business Gazette
- Inside Tucson Business
- Fiesta Mall
- Arizona Daily Star
- .com Success!
- Business Wire
- Buck's Woodside Menu
- CRN
- Arizona Daily Star
- LocalBusiness.com
- The Business Journal - Phoenix
- Phoenix Business Journal
- LocalBusiness.com
- Business Wire
- Inside Tucson Business
- internet.com
- AzBusiness
- AZtechBiz
- designshops.com
- AZtechBiz
- BizAZ
- Virtualized Cloud
- Collaboration and Communication
- Personally Identifiable Information
- Cyberwarfare
- iPad and E-Readers
- Trusted Platform Module
- Smartphone Data Security
- Cyber-Espionage
- DTNs
- Have a Plan
- Cloud Computing - Part 2
- Impact of Technology on Existing...
- Data Archiving
- Mobile Telephony - Part 2
- Cloud Computing
- Social Networks
- Password Management
- Netbooks
- Microtargeting
- Packet Analysis
- IP v6
- Surge Protection
- Traveling Safely
- Thin Client
- Uptime
- Mobile Telephony
- Know Thy Programs
- Voice Over IP - Part 3
- Google Apps
- Virtual Computing
- Securing Users
- Simple Desktop Management
- Service Oriented Architecture
- Light-based Communication
- Data Mining
- Small Business Architecture
- Voice Over IP - Part 2
- Business Automation
- Database Needs
- DMZs
- CPUs
- SPAM & Botnets
- Security Testing
- Customer Advocacy
- Laptop Security
- Windows Vista
- Large Scale Deployment
- Network Access Control
- Generator Use
- Uninterrupted Power Supplies
- Web Site Security
- Blu-ray vs. HD-DVD
- Dual-Core Processors
- Business Security
- AJAX
- 3G Mobile Internet
- Apple Intel Processors
- Entertainment Tech
- Cafe Wireless
- Commercial Hosting
- Gaming Consoles
- Voice Over IP
- Blogging
- Is WI-FI Secure?
- OpenDocument Format
- Allured Publishing Changes Name to...
- Computer Model Can Help Prevent War?
- Defense contractors run gamut from...
- ASU gears on-site construction...
- The Cleveland Foundation Selects...
- Global Partners Join Forces to Speed...
- Intuit Completes Acquisition of...
- Strategy unveiled on how tobacco tax...
- Gaiam's, Real Goods' revenues increase...
- LSST Awarded Time on TeraGrid
- Aldine Independent School District...
- Miraval featured in Natural Solutions...
- Ventana Medical Systems Joins TSIA to...
- UA $3 Million Bioterrorism Grant...
- Arizona Center for Integrative...
Travel in any airport in the US and you will note the incredible number of people using laptop computers in lounges, waiting areas, restaurants, etc. Sometimes they are working on a document or spreadsheet, but often they are checking their email or surfing the web. When they are, they are typically connecting via a wireless network local to the airport. While there is a trend towards the use of “air cards” which provide data connectivity through mobile telephone networks (often referred to as 3G networks), wireless hotspots are still the most common method of connection for traveling users.
Some airports offer free service, others host pay networks from T-Mobile, AT&T, Boingo, etc. Similarly, many hotels offer either free or charge wireless connectivity and most businesses reimburse fees for wireless connectivity so it is highly prevalent in the business market. People are quite familiar with firing up their operating system's wireless detection utilities and choosing the strongest node to connect. However, using unsecured wireless networks is dangerous in that it is trivially easy for an attacker to establish his own wireless device (laptop or router) as a wireless node with the same name as legitimate nodes in the area. When a user attaches to the attacker's node, he will get connectivity to the Internet and proceed with whatever business he was intent on. However, all the traffic will pass through the attacker's system first though, and it can be easily recorded for later mining of interesting data.
Is that necessarily a big loss? Certainly not if you enable a company Virtual Private Network (VPN) first; these create an encrypted tunnel to your company's network. Also, most web sites have enabled SSL/TLS for their login/password pages; HTTPS creates an encrypted connection for web traffic though not for SMTP or other protocols. Having no encryption may not be an issue if you are conscious of what data you are sending and receiving, whether and when it is being protected (either by VPN, SSL, or a similar mechanism), and whether it could be of any value to anyone. For example, you may know that both Yahoo and Google encrypt their login-password pages via SSL/TLS but neither encrypts any subsequent communications so any email you read from these services will be visible to a wireless man-in-the-middle attacker, including attachments. Again, maybe there's nothing of any value in your typical communications and if that's the case, then you have nothing to worry about.
On the other hand, if you tend toward the paranoid like I do then you consider the alternatives for obtaining some privacy. If its corporate business you're up to and your company has a VPN, then that is the safest way to go. If its personal business that you'd prefer your employer remain unaware of (or if your employer has content filters and/or personal use clauses), then you can use an anonymizer service, setup a personal VPN to a personal location (like your home), use remote desktop display (RDP, VNC, etc.), or get fancy with a web proxy and an encrypted tunnel. I use a Linux server with a protected proxy that I tunnel my web traffic to via SSH. I use this rather than a simpler OpenVPN setup for an odd set of reasons related to the nature of my work. The point is that there are a variety of ways to keep your data confidential and you should explore some alternatives to ensure you always have a way to keep yourself safe.
In general, I prefer wired network communications for reliability and performance but its a wireless world out there so it pays to work with it safely. For travel, I recommend using disk for file encryption on your notebook or, better yet, an external 2.5” USB hard drive (check out Truecrypt on Google), having access to an encrypted communications channel (e.g., VPN, TLS, SSH, etc.), and carefully keeping your notebook with you at all times during travel. It astounds me every time I read about some company losing tons of sensitive data through a lost laptop. Stay safe out there.
Lee Le Clair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business
Some airports offer free service, others host pay networks from T-Mobile, AT&T, Boingo, etc. Similarly, many hotels offer either free or charge wireless connectivity and most businesses reimburse fees for wireless connectivity so it is highly prevalent in the business market. People are quite familiar with firing up their operating system's wireless detection utilities and choosing the strongest node to connect. However, using unsecured wireless networks is dangerous in that it is trivially easy for an attacker to establish his own wireless device (laptop or router) as a wireless node with the same name as legitimate nodes in the area. When a user attaches to the attacker's node, he will get connectivity to the Internet and proceed with whatever business he was intent on. However, all the traffic will pass through the attacker's system first though, and it can be easily recorded for later mining of interesting data.
Is that necessarily a big loss? Certainly not if you enable a company Virtual Private Network (VPN) first; these create an encrypted tunnel to your company's network. Also, most web sites have enabled SSL/TLS for their login/password pages; HTTPS creates an encrypted connection for web traffic though not for SMTP or other protocols. Having no encryption may not be an issue if you are conscious of what data you are sending and receiving, whether and when it is being protected (either by VPN, SSL, or a similar mechanism), and whether it could be of any value to anyone. For example, you may know that both Yahoo and Google encrypt their login-password pages via SSL/TLS but neither encrypts any subsequent communications so any email you read from these services will be visible to a wireless man-in-the-middle attacker, including attachments. Again, maybe there's nothing of any value in your typical communications and if that's the case, then you have nothing to worry about.
On the other hand, if you tend toward the paranoid like I do then you consider the alternatives for obtaining some privacy. If its corporate business you're up to and your company has a VPN, then that is the safest way to go. If its personal business that you'd prefer your employer remain unaware of (or if your employer has content filters and/or personal use clauses), then you can use an anonymizer service, setup a personal VPN to a personal location (like your home), use remote desktop display (RDP, VNC, etc.), or get fancy with a web proxy and an encrypted tunnel. I use a Linux server with a protected proxy that I tunnel my web traffic to via SSH. I use this rather than a simpler OpenVPN setup for an odd set of reasons related to the nature of my work. The point is that there are a variety of ways to keep your data confidential and you should explore some alternatives to ensure you always have a way to keep yourself safe.
In general, I prefer wired network communications for reliability and performance but its a wireless world out there so it pays to work with it safely. For travel, I recommend using disk for file encryption on your notebook or, better yet, an external 2.5” USB hard drive (check out Truecrypt on Google), having access to an encrypted communications channel (e.g., VPN, TLS, SSH, etc.), and carefully keeping your notebook with you at all times during travel. It astounds me every time I read about some company losing tons of sensitive data through a lost laptop. Stay safe out there.
Lee Le Clair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business