[ISN] Web Surfing in Public Places Is a Way to Court Trouble

From: InfoSec News (alerts@private)
Date: Tue Aug 22 2006 - 23:57:46 PDT


http://www.nytimes.com/2006/08/22/technology/22secure.html

By SUSAN STELLIN
August 22, 2006

Any business traveler who has logged on to a wireless network at the 
airport, printed a document at a hotel business center or checked e-mail 
messages at a public terminal has probably wondered, at least 
fleetingly, "Is this safe?"

Although obsessing about computer security is a bit like worrying about 
a toddler - potential hazards lurk everywhere and you can drive yourself 
crazy trying to avoid them - the fact is, business travelers take certain 
risks with the things they do on most trips.

"If you go into the average hotel and sit down in the business center 
and have a look at their computer, I'm sure you'll find some interesting 
things that people shouldn't have left behind," said Paul Stamp, a 
security analyst with Forrester Research.

"The first step companies need to do is to educate people about how 
valuable the data is and also how small the circles are in which they 
travel," he said, noting how loudly many people discuss business on 
cellphones, without a thought for who may be nearby.

Or what may be in the air. Robert Vamosi, a senior editor with the 
online technology publisher CNET, said wireless networks at airports - 
or for that matter, hotels or cafes - are not as secure as most people 
think.

"Someone may have some software on their computer that allows them to 
look at all the wireless transactions going on around them and capture 
packets that are floating between the laptop and the wireless access 
point," he said.

These software programs are called packet sniffers and many can be 
downloaded free online. They are typically set up to capture passwords, 
credit card numbers and bank account information - which is why Mr. 
Vamosi says shopping on the Web is not a great way to kill time during a 
flight delay.

"Where I'd draw the line is putting in your bank account information or 
credit card number," he said, adding that checking e-mail messages 
probably is not that risky, but if you want to be cautious, change your 
password once you are on a secure connection again.

That said, if you gain access to your corporate network through a 
V.P.N., or virtual private network, you are safer using public hot 
spots, because your data is encrypted as it travels between Gate 17 and 
your office's server, where it is decoded before going to its 
destination.

In other words, your communications are automatically encoded by 
software on your computer so the data looks like gibberish to anyone 
trying to intercept it. If your company does not offer a V.P.N. for 
employees working away from the office, there are services you can 
subscribe to for about $10 a month that do the same thing.

Michael Sellitto, a graduate student studying international security at 
Harvard, said that even though he encrypted any sensitive data on his 
laptop, he planned to sign up for a service like HotSpotVPN to add 
another level of security when he is traveling, especially when using 
poorly protected networks at cafes and hotels.

"The problem is, the really good people have written sniffer programs so 
that the less-sophisticated people have access to the same technology," 
Mr. Sellitto said. "Say a Microsoft Word document gets transmitted. The 
sniffer program will collect that and someone could open it up on their 
computer."

While it is hard to say how likely it is that someone is lurking on a 
public network, many public networks do not have adequate security.

Last fall, InfoWorld magazine published an article about a security 
researcher who managed to collect more than 100 passwords, per stay, at 
hotels with lax security (about half the hotels she tested).

Gathering reliable statistics about security breaches is notoriously 
difficult, since companies are reluctant to reveal this information. 
Still, the most recent computer crime and security survey, conducted 
annually by the Computer Security Institute with the Federal Bureau of 
Investigation, found that the average loss from computer security 
incidents in 2005 was $167,713 per respondent (based on 313 companies 
and organizations that answered the question).

As Jim Louderback, editor of PC Magazine, noted, the statistics may not 
matter given the problems one data breach can cause.

"Even if it's 1 or 2 percent," he said. "You don't want to run that risk."

Using a public computer can also mean courting trouble, because data 
viewed while surfing the Web, printing a document or opening an e-mail 
attachment is generally stored on the computer - meaning it could be 
accessible to the next person who sits down. (To remove traces of your 
work, delete any documents you have viewed, clear the browser cache and 
the history file and empty the trash before you walk away.)

"You also run the risk that somebody has loaded a program on there that 
can capture your log-ins and passwords," Mr. Louderback said, recalling 
an incident a few years ago when a Queens resident was caught installing 
this type of "key logger" software on computers at several Kinko's 
locations in New York.

One way to foil these programs, which record what you type and can send 
the transcript to a hacker, is to use a password manager like RoboForm. 
This $30 software encrypts all your user names and passwords for various 
Web sites, then enters the data at the click of a mouse when you are 
prompted to log in.

There is a mobile version that can be stored on a flash drive that plugs 
into a U.S.B. port - making your passwords secure and portable.

There are also simple measures you can take to protect your hardware, 
like using a cable lock to secure your laptop in a hotel room or even a 
cafe (in case you leave the table for any reason), and making sure you 
lock your computer bag in the trunk rather than leaving it on the back 
seat.

For travelers who do carry around sensitive data, it is worth looking 
into programs like Absolute Software's LoJack for Laptops, which can help 
recover a missing computer. The software reports its location when 
connected to the Internet and some versions can even be programmed to 
destroy data if a computer is reported lost or stolen.

But perhaps the most common snoop that business travelers encounter is 
someone nearby "shoulder surfing" to see what is on a laptop, out of 
curiosity or mere boredom.

To foil prying eyes, 3M sells a Notebook Privacy Filter, a plastic film 
that makes it impossible to view a laptop screen from an angle.

Trevor Stromquist, a sales analyst for a manufacturing company in 
Minneapolis, has been using one for the last two years to dissuade nosy 
neighbors on the road, but he has noticed an added benefit back at the 
office.

"To be honest, it's kind of a nice thing when you're sitting in one of 
those long drawn-out meetings," he said. "You can do what you need to do 
and no one will notice."

Copyright 2006 The New York Times Company

