Recently, I attended a conference on computer security in another city. While there, I discovered a coffee shop that could loosely be termed an Internet cafe. They had big comfy overstuffed chairs and couches, free wireless Internet access and the kind of table you used to do your second-grade homework on in your parents’ kitchen.
I spent quite a bit of time at this cafe, working on notes from the conference and taking care of responsibilities at the office. I also spent a great deal of time scrutinizing the clientele there and thinking about the likelihood of someone examining packets as they crossed the wireless network.
Examining packets — more commonly called sniffing traffic — is an exercise in simplicity. Download the appropriate software off the Internet, turn it on, configure it to see everything that goes by, and then save it in a file or look at it in real time. It would be possible for anyone within signal strength range to see everything I was doing over the Internet.
Since signal strength there at the cafe might have been strong enough to carry as far as a city block, the people in the restaurant aren’t the only threats. Anyone within that range might be listening in.
If you were to meet me on the street, you’d see a well-dressed woman — clean-cut, respectable, mid-thirties to forties. It would probably never occur to you that I am capable of sniffing your traffic. After all, I use a Mac, and aren’t those for people who can’t handle the complexities of the Windows operating system? No one would think twice about the solitary woman editing photos.
But it’s a mistake to dismiss me, or anyone who doesn’t match that ‘hacker’ profile, as a non-threat. It is trivial for me to start up my virtual PC, and use whatever tool I like to capture all the packets floating around above our heads.
Know what’s the best part?
I can start it up, and let it run while I edit photos, and then go back to my hotel room and reconstruct packet data to look for interesting tidbits like user/password pairs, credit card numbers, or other financial data. Web, AIM, email — as long as it’s not encrypted, I’m going to be able to read it. And if it’s encrypted with something lame like ROT13, I’ll be able to read it anyway.
OK, you say, but you don’t use any public wireless networks. You check your email every once in a while over at your friend’s house, but that’s it. And besides, you only check your junk email account on Hotmail. You don’t do anything that could remotely endanger your personal data.
Fine. Let’s look at that for a second.
This friend of yours… is she paying for her Internet access? Is she running wireless? Or maybe, she doesn’t really know that much about computers and networks. Is she shrewd enough to keep her computer patches up-to-date, and does she have her firewall turned on? Does she get all sorts of junk mail that she clicks on, along with little programs that she installs, infesting her computer with spyware and adware and any number of little malicious tidbits? If she’s running wireless, does she have her data encrypted? Is her wireless password protected, or is she naively beaming access to the entire apartment building?
Now let’s think about something else.
Let’s think about this junk email account of yours on Hotmail. Let me guess: You only use this for eBay, uBid, and onsale.com. This is the account you use for stuff you don’t want coming to your work email address. Maybe you even use it for your PayPal account. And you’re thinking that even if your [email protected] address is compromised, no harm will come to you.
But don’t forget that, most likely, all of your transactions are on that server, allowing any intruder to reconstruct your account numbers, or possibly even get your passwords, or at the very least your password hint question. It’s always a possibility.
Now, Microsoft suggests you use a firewall. This doesn’t protect your data after it leaves the machine. The company also suggests ”hiding your files”. I won’t even dignify that with a comment. Finally, Microsoft suggests you not send credit card numbers or passwords over a public network. Certainly, the most effective protection against an untrusted public network is to not use it.
The Virtual Private Network (VPN) is probably the best answer easily available. A VPN works by building an encrypted tunnel back to your home network (either your office or your ISP), and then forwards all your traffic from there, as if it were originating on your trusted network. The idea is that the path from the VPN to mail server or web server is on a trusted path and not likely to be sniffed.
If you don’t know whether you have access to a VPN, you should go speak to your most trusted IT guru. He will either get you hooked up with a VPN or let you know that it’s unavailable. If it’s unavailable, contact your ISP and ask them about availability.
The moral of the story is that you might never guess who is capable of digital snooping, of sniffing your wireless traffic.
Who can you trust to not sniff your traffic? Can you trust that guy hunched over his computer in the corner? How about the chick playing with her PDA? (Yes, they make sniffer packages for PDAs.) What about the person in the back room who fires up his laptop, sets it to full promiscuous mode to save-to-file everything that goes by, before he puts on his cheerful uniform and comes out to make your latte?
Face it, you can’t trust any of them.
Sometimes when I meet people for the first time and I try to explain to them what I do, just saying I’m a network security analyst isn’t sufficient. I try to explain that I look at the world in a way that allows me to see the hazards that might be used against my customers. Many think I’m paranoid, including my parents, who don’t really understand exactly what I do. But I’m not paranoid. I’m simply very pragmatic, and I’m very aware of the wolf in sheep’s clothing.
I believe if I can think it up, someone else has already thought it up and implemented it.