warning when using open wifi while traveling

 

A lot of us use coffee shops, hotel open wifi networks while on the road.

Unfortunately there is a new hacking too called "Firesheep" that can let anyone with Firefox and this add-on to read, intercept and control any unencrypted web pages you are reading.

For example, your unencrypted hotmail or yahoo mail pages can be easily "side-jacked" by another person who is sniffing the traffic, and take control of your email accounts and lock you out.

Other examples are "my eBay" pages, Facebook, twitter, and pretty much any web page that requires a log on but does not fully encrypt the entire session. This includes the POI Forums accounts as well.

So to combat this I'm using my Android wifi tether, with WPA2 encrypted security for browsing while I'm traveling.

Gmail offers HTTPS searching, and email by default, so you're protected.

Hotmail just introduced HTTPS email session, which has to be turned on manually: http://windowsteamblog.com/windows_live/b/windowslive/archiv...

Yahoo mail has no such protection, so users of that email are vulnerable until Yahoo takes steps to offer HTTPS.

Be careful about what you expose on open wifi networks!

--
http://www.poi-factory.com/node/21626 - red light cameras do not work

Thanks Nuvic

That's always a good reminder smile

--
Nüvi 255WT with nüMaps Lifetime North America born on 602117815 / Nüvi 3597LMTHD born on 805972514 / I love Friday’s except when I’m on holidays ~ canuk

Use Outlook

If you use Outlook for reading and replying to email, you don't have that vulnerability. Outlook has a plug-in for hotmail. I don't use gmail or ymail, so I don't know about those.

--
Zumo 550 & Zumo 665 My alarm clock is sunshine on chrome.

Hotmail

Noticed this warning for Hotmail.

Using HTTPS will help keep your account secure from hackers-especially if you commonly use public computers or unsecure wireless connections.

Important note: Turning on HTTPS will work for Hotmail over the web, but it will cause errors if you try to access Hotmail through programs like:
Outlook Hotmail Connector
Windows Live Mail
The Windows Live application for Windows Mobile and Nokia

--
Charlie. Nuvi 265 WT and Nuvi 2597 LMT. Android Here WeGo - Offline Maps & GPS.

Great post! With how easy it

Great post! With how easy it can be for even a novice hacker to get your info through wifi, especially from people who don't know much about setting up their wifi securly, it almost seems like old-school wired internet is the better choice! Of course that doesn't help you if you want to connect with many of the devices out there today or if you're away from home.

Corporate E-mail

Almost all people who travel because of their job will have access to their corporate web site/e-mail through a Virtual Private Network (VPN) tunnel. This encrypts ALL of the traffic between their corporate server and their computer, not just e-mail. They won't have to worry about their traffic being intercepted if they only use their company's server to surf and read e-mail while connected to open WiFi networks. However their company's IT department will have access to their traffic and it WILL be archived. So don't go to places that you don't want your employer to know about.

https everywhere!

https://www.eff.org/https-everywhere

Points to a Firefox extension produced by EFF and the TOR project that uses an expandable ruleset to use secure (HTTPS) connections on the Web.

Using HTTPS Everywhere is not a panacea, but it is a good step towards more security. (You took the first step towards higher security by using Firefox instead of IE).

You might also want to look at extensions such as NoScript.

And remember the most important security software you have is the stuff between your ears -- think!

--
Nuvi 2460, 680, DATUM Tymserve 2100, Trimble Thunderbolt, Ham radio, Macintosh, Linux, Windows

Thanks

Thanks nuvic320 and k6rtm for the heads-up and info!

This sort of hits close to home with me since I recently had one of my credit card numbers stolen (still not sure where/how but it's one I've used online shock ).

Now I'm all about (but just starting) securing my home network and wireless info. As well as paying attention to where I use my card in the 'real world'.

Here is a nice article that puts Firesheep into reasonably easy to understand terms-
http://krebsonsecurity.com/2010/10/firesheep-baaaaad-news-fo...
and another nice one-
http://pandalabs.pandasecurity.com/firesheep-who-is-eating-m...

Note that one of the articles mentions that Firesheep can exploit unencrypted cookies from local networks as well as wireless.

--
It's about the Line- If a line can be drawn between the powers granted and the rights retained, it would seem to be the same thing, whether the latter be secured by declaring that they shall not be abridged, or that the former shall not be extended.

Thanks for this info

Thanks for this info

online credit cards

I may have posted this before, I don't remember, but as a heads up to JD4X4's having his credit card numbers stolen.

I have a card through Bank America which is the bank AAA uses. They have a free service called shopsafe which I use for all of my online buying. It works like this...you go online to their website and enter the amount you want the card to be good for, when you want the card to expire and it will spit you out a set of random credit card numbers complete with a security code. You give this set of numbers to the merchant and the only ones that knows the numbers aren't your real credit card numbers are you and Bank America. I think there are other banks that offer this service also under other names.

Using this service could also help the police catch con artists. I had someone try to scam me and get my credit card number over the phone. The police told me the only way they would have a chance of catching them is if I would have gave them my numbers which would have been a real hassle for me.

I called Bank America and asked them if I set up a number and someone tried to use it for more then I set it up for if they would still be able to find out who tried to use it. The lady said they would so I set up a number with one dollar in it to give to anyone that would try a scam again.

--
Anytime you have a 50-50 chance of getting something right, there's a 90% probability you'll get it wrong.

Citibank

Don B wrote:

I may have posted this before, I don't remember, but as a heads up to JD4X4's having his credit card numbers stolen.

I have a card through Bank America which is the bank AAA uses. They have a free service called shopsafe which I use for all of my online buying. It works like this...you go online to their website and enter the amount you want the card to be good for, when you want the card to expire and it will spit you out a set of random credit card numbers complete with a security code. You give this set of numbers to the merchant and the only ones that knows the numbers aren't your real credit card numbers are you and Bank America. I think there are other banks that offer this service also under other names.

Using this service could also help the police catch con artists. I had someone try to scam me and get my credit card number over the phone. The police told me the only way they would have a chance of catching them is if I would have gave them my numbers which would have been a real hassle for me.

I called Bank America and asked them if I set up a number and someone tried to use it for more then I set it up for if they would still be able to find out who tried to use it. The lady said they would so I set up a number with one dollar in it to give to anyone that would try a scam again.

Citibank had a similar feature. You could also set up one for recurring transactions, an put a seperate credit limit for each card generated.

Wired Internet is technically more secure...

@lizlovesmustangs

...in that you avoid all the problems associated with wireless, such as sharing a connection with those who might try to take advantage of the situation.

Yet, as you mentioned, if you want to access the Internet away from home, you generally need to use wifi. Https is definitely something to consider to be safe.

On the other hand, keep in mind also that even if you use https, whether with wifi or wired, your computer still needs to be regularly updated with security patches as new vulnerabilities are discovered (e.g., Windows, Linux or Mac operating system security updates.)

Using https alone is not sufficient to protect one from every form of harm from the Internet.

Thanks!

Thanks!

Blacksheep

nuvic320 wrote:

A lot of us use coffee shops, hotel open wifi networks while on the road.

Unfortunately there is a new hacking too called "Firesheep" that can let anyone with Firefox and this add-on to read, intercept and control any unencrypted web pages you are reading.

Thanks for the warning! I just installed Blacksheep to detect people using Firesheep in the network arrow https://addons.mozilla.org/en-US/firefox/addon/253994/

--
Garmin nuvi 1300LM with 4GB SD card Garmin nuvi 200W with 4GB SD card Garmin nuvi 260W with 4GB SD card r.i.p.

Blacksheep problems?

Thanos_of_MW wrote:
nuvic320 wrote:

A lot of us use coffee shops, hotel open wifi networks while on the road.

Unfortunately there is a new hacking too called "Firesheep" that can let anyone with Firefox and this add-on to read, intercept and control any unencrypted web pages you are reading.

Thanks for the warning! I just installed Blacksheep to detect people using Firesheep in the network arrow https://addons.mozilla.org/en-US/firefox/addon/253994/

From what I saw, blacksheep is causing problems with the latest versions of Firefox. How's it working out for you?

--
GPSMAP 76CSx - nüvi 760 - nüvi 200 - GPSMAP 78S

VPN the only way to go for WiFi security

That's what I understand from my reading. If you use a VPN through a public WiFi connection, the only part of your WiFi traffic that would be clearly readable is the part where you sign on the whatever network you are connecting to. After that point you route all your internet traffic through the VPN of your choice, this traffic is encrypted & of little use to anyone monitoring your WiFi signals.
There are both free and paid VPN's available to the general public.
Here's a blog post on 7 free services, with comments
http://www.makeuseof.com/tag/7-completely-free-vpn-services-...
There are lots of paid VPN services, among which is http://www.witopia.net, which sells yearly subscriptions ranging from $40-$60-$70.

@artfd

Good information.Thanks.

--
Charlie. Nuvi 265 WT and Nuvi 2597 LMT. Android Here WeGo - Offline Maps & GPS.

No problems

thrak wrote:
Thanos_of_MW wrote:
nuvic320 wrote:

A lot of us use coffee shops, hotel open wifi networks while on the road.

Unfortunately there is a new hacking too called "Firesheep" that can let anyone with Firefox and this add-on to read, intercept and control any unencrypted web pages you are reading.

Thanks for the warning! I just installed Blacksheep to detect people using Firesheep in the network arrow https://addons.mozilla.org/en-US/firefox/addon/253994/

From what I saw, blacksheep is causing problems with the latest versions of Firefox. How's it working out for you?

I just got out of a 6 hour session in the test pc, doing my normal browsing, and no problems at all. I run quite a bit of add-ons as well, but I haven't encountered any clashing between them.

--
Garmin nuvi 1300LM with 4GB SD card Garmin nuvi 200W with 4GB SD card Garmin nuvi 260W with 4GB SD card r.i.p.

any luck testing firesheep?

nuvic320 wrote:

Other examples are "my eBay" pages, Facebook, twitter, and pretty much any web page that requires a log on but does not fully encrypt the entire session. This includes the POI Forums accounts as well.

Yahoo mail has no such protection, so users of that email are vulnerable until Yahoo takes steps to offer HTTPS.

I've been trying to use firesheep to see it for myself that it does what it claims to do. I can't get it to start sniffing traffic. Problem is my Intel Pro 2200 WiFi NIC won't go into promiscuous mode. I've also tried WiFi NIC with Atheros chip (can't remember the model number) on a different netbook device. That failed too. If any of you got it working, would you mind posting your WiFi NIC make and model? Thanks. Btw, don't try to use firesheep at public places. It's illegal (can't remember where I read it).

Btw, yeah Yahoo sucks. The rest of them have gone full time https, not just the login part. Yahoo is still stuck in the 90s. I hope they offer https soon. AFAIK, POI factory doesn't even route logins through https. Everything here is unsecured but that's ok. I have nothing important to protect on this site smile

Https-everywhere

I tried that extension on my XP.pro laptop and found that it prevents Update Notifier from getting updates. I get the notification that an update is available, but it is unable to obtain the update with https-everywhere enabled. So I killed it.

--
nuvi 1690 with ecoRoute HD, SP2610 (retired), Edge 305, Forerunner 405

Mine works

speedlever wrote:

I tried that extension on my XP.pro laptop and found that it prevents Update Notifier from getting updates. I get the notification that an update is available, but it is unable to obtain the update with https-everywhere enabled. So I killed it.

Adobe Reader just updated yesterday and had no problems, HTTPS-everywhere was running. Don't know about Windows update or any of the others. I've only had HTTPS-everywhere running for a few days. Windows 7/64 bit OS on an AMD processor.

FireFox add-ons

In my case, the update notifier is a FireFox extension which helps me keep my FF add-ons updated. I've not had any other update issues with other non-FF programs.

--
nuvi 1690 with ecoRoute HD, SP2610 (retired), Edge 305, Forerunner 405

Something

Wouldn't it be something if some day we all decide that the safest way (non interceptable) to communicate is via U.S. Postal service snail mail? Talk about going full circle. LOL LOL LOL Notice, I did't say fastest.

thanks

thanks all for a most interesting threads

Warning when using open wifi while traveling

This is a great reminder as to how vulnerable we are when using free unsecured wifi on the road or at home.

Of course at home I have my router set to the highest encryption level possible.

On the road I use a free program called Anchorfree Hotspot Shield. It establishes a VPN type of connection that encrypts the connection between your laptop and the wifi source. This makes a secure wall between you and an intruder.

This program is compatible with all versions of Windows. I have used this program for 3 years now. They release new versions 3 or 4 times a year or as needed. Very easy to setup and use.

Pop goes the bubble

raven1948 wrote:

This is a great reminder as to how vulnerable we are when using free unsecured wifi on the road or at home.

Of course at home I have my router set to the highest encryption level possible.

On the road I use a free program called Anchorfree Hotspot Shield. It establishes a VPN type of connection that encrypts the connection between your laptop and the wifi source. This makes a secure wall between you and an intruder.

This program is compatible with all versions of Windows. I have used this program for 3 years now. They release new versions 3 or 4 times a year or as needed. Very easy to setup and use.

I hate to burst your bubble but this looks like snake oil. There isn't any information on the website telling how this works. The website says that it uses HTTPS but all modern browsers can use HTTPS so what does it do? If it is like HTTPS-everywhere then it request the website to encrypt it's transmission to you. But it can't hide your IP address or the site you communicate with won't know where to send the data. HTTPS is strong encryption and it is almost impossible to break.

Thank you

Thank you

--
nüvi 1490T, V1, Sanyo PRO-700a, maps, sunglasses, hot co-pilot, the open road

What the nice folks at cnet have to say about "Hotspot Shield".

jackj180 wrote:
raven1948 wrote:

This is a great reminder as to how vulnerable we are when using free unsecured wifi on the road or at home.

Of course at home I have my router set to the highest encryption level possible.

On the road I use a free program called Anchorfree Hotspot Shield. It establishes a VPN type of connection that encrypts the connection between your laptop and the wifi source. This makes a secure wall between you and an intruder.

This program is compatible with all versions of Windows. I have used this program for 3 years now. They release new versions 3 or 4 times a year or as needed. Very easy to setup and use.

I hate to burst your bubble but this looks like snake oil. There isn't any information on the website telling how this works. The website says that it uses HTTPS but all modern browsers can use HTTPS so what does it do? If it is like HTTPS-everywhere then it request the website to encrypt it's transmission to you. But it can't hide your IP address or the site you communicate with won't know where to send the data. HTTPS is strong encryption and it is almost impossible to break.

To me, sounds kinda kookie. To see what the far more knowledgeable folks at cnet have to say, see:
http://download.cnet.com/hotspot-shield/

Thanks......

....for sharing.

--
GPSmap76Cx handheld, Nuvi 2557LMT, Nuvfi 2598LMTHD

local network

If you want to secure your local network a bit more, you can tunnel your traffic through ssh. Try this, http://www.playingforoctober.com/blogs/main/wp-content/uploa... the section "SSH tunneling with Mozilla Firefox" covers this.

Thanks. very useful info. I

Thanks. very useful info.
I just turned on HTTPS for my hotmail.

...

I use OpenVPN set up on my router, so the connection is always encrypted.

--
Michael (Nuvi 2639LMT)

Encryption

jackj180 wrote:

HTTPS is strong encryption and it is almost impossible to break.

I hate to burst YOUR bubble, but, it's only as strong as the password used... anything less then 12 random characters and it'll be brute-forced in no time.

--
nüvi 3790T | nüvi 775T | Those who make peaceful revolution impossible, will make violent revolution inevitable ~ JFK

wifi when traveling

scary stuff, especially if u access your bank account and stuff like paypal.

HTTPS is a good step, but

HTTPS is a good step, but don't be lulled into a false sense of security when using it. A hacker need only create her own https enabled webpage that looks like the real one and obtain your password. So if you see any certificate warnings, beware!

They are two

Juggernaut wrote:
jackj180 wrote:

HTTPS is strong encryption and it is almost impossible to break.

I hate to burst YOUR bubble, but, it's only as strong as the password used... anything less then 12 random characters and it'll be brute-forced in no time.

Different things, passwords and encryption. I might also point out that you DO NOT choose a password when using HTTPS. A public key is sent to the other end and used by that end to encrypt the data. The private key (which never leaves the computer) is used at the receiving end to decrypt the data. But there is no password, just the exchange of public keys.

Update

nuvic320 wrote:

Other examples are "my eBay" pages, Facebook, twitter, and pretty much any web page that requires a log on but does not fully encrypt the entire session. This includes the POI Forums accounts as well.

Be careful about what you expose on open wifi networks!

Facebook just rolls out new security feature, SSL encryption for the entire Facebook session. I'm waiting for Yahoo to follow suit.

Credit card stolen

JD4x4 wrote:

Thanks nuvic320 and k6rtm for the heads-up and info!

This sort of hits close to home with me since I recently had one of my credit card numbers stolen (still not sure where/how but it's one I've used online shock ).

Now I'm all about (but just starting) securing my home network and wireless info. As well as paying attention to where I use my card in the 'real world'.

Here is a nice article that puts Firesheep into reasonably easy to understand terms-
http://krebsonsecurity.com/2010/10/firesheep-baaaaad-news-fo...
and another nice one-
http://pandalabs.pandasecurity.com/firesheep-who-is-eating-m...

Note that one of the articles mentions that Firesheep can exploit unencrypted cookies from local networks as well as wireless.

Just had my card that I use only online stolen. Went on a trip to NY and booked a trip through Grayline before I left home to go to the omish country. Friends of ours booked the same trip through Grayline and their card was stolen and used at the same shopping spots that ours was. I use Verizon Broadband wireless at home and he uses a land line. It shows you that anywhere your card can be stolen. Not just over wifi. Probably a person working for Grayline lifted the cards. This can happen anywhere. I only use the one card online and never use my debit card on line.

Getting back to this post, If I use Norton and use wifi while traveling and log on to my airline and check in can this be hijacked? I do this while out, also see if I have any bills that need to be paid at my bank. Is this a bad idea while traveling or does Norton protect me while I am on wifi just like it does at home?

Thanks

--
Mary, Nuvi 2450, Garmin Viago, Honda Navigation, Nuvi 750 (gave to son)

Credit Cards

Most credit cards now allow you to create virtual card numbers for online purchases. The benefit of the virtual card number is that if its stolen you don't need to go through the hassle of closing your account and getting a new card.

Whenever I make an online purchase I first create a virtual card number with both an expiration date and a purchase limit.

.

mgarledge wrote:

Just had my card that I use only online stolen. Went on a trip to NY and booked a trip through Grayline before I left home to go to the omish country. Friends of ours booked the same trip through Grayline and their card was stolen and used at the same shopping spots that ours was. I use Verizon Broadband wireless at home and he uses a land line. It shows you that anywhere your card can be stolen. Not just over wifi. Probably a person working for Grayline lifted the cards. This can happen anywhere.

You don't need a computer to steal credit cards. In your case, it doesn't sound like computers have anything to do with it.

mgarledge wrote:

Getting back to this post, If I use Norton and use wifi while traveling and log on to my airline and check in can this be hijacked? I do this while out, also see if I have any bills that need to be paid at my bank. Is this a bad idea while traveling or does Norton protect me while I am on wifi just like it does at home?

Thanks

Norton or any other security software protection won't help in this scenario. You are safe as long as the connection to your bank or airlines is secure (over https). All online banking transactions are secure as far as I know.

Pay attention to all sorts of things

New hacking tools just make it easier for people to invade your machine, there are always vulnerabilities to people who know what they are doing and want to cause harm.

First, if it isn't your machine, you have to determine if it can be trusted. Keyloggers, etc are way to common and easy to install but not easy to detect.

Second, you should consider how much you can trust the network through which you are connecting. Traffic going through the router is a lot less private than you think. Logging into the admin panels of the router, I can see every connection that is made by IP address, web search queries, and more details of traffic without doing anything fancy to monitor the connection.

Third, you absolutely need to use a decent WIFI security protocol. WPA2-AES is far more secure than WPA-TKIP which is practically infinitely more secure than anything WEP.

HTTPS should be used whenever possible, as should disposable online credit card numbers, VPN, etc, but in the end nothing is 100% secure. Any networked computer can be compromised, so you should be very careful.