I reread Andy's post, and I don't see the he was assuming 'she's only visiting HTTPS sites so, she doesn't need encryption'. He stated if that was the case, then a VPN wasn't needed. If it's not the case, use a VPN. Although, probaly not a likely case I agree.
You are correct to not underestimate the value of leaked information and I would point out that not even a VPN, a firewall, HTTPS, etc. can protect her 100%. Set aside all the data encryption for a minute and all that other stuff us geeks always migrate to when as about security and focus on her physical surroundings. If I'm sitting in Panera and the guy behind me can see everything on my screen, and perhaps what I type, no amount of encryption and/or tunneling is going to help. And yes there are people out there that can read keystrokes as you type in your password. Just a reminder that your data is not the only thing in the public when using hotspots. You are in public as well. Be sure no one is "looking over your shoulder." Social engineering is just as big a threat. Although personally I think in this case it's more like "stalking engineering"... Brady McClenon Systems Administrator State University College at Oneonta > -----Original Message----- > From: James Harless [mailto:[EMAIL PROTECTED] > Sent: Thursday, April 20, 2006 9:27 AM > To: [EMAIL PROTECTED]; [email protected] > Subject: Re: Internet security on "hotspots" > > Personal firewalls had already been covered by many posts > including the Original Poster. I didn't see any need to > reiterate that since the post asked for 'other ideas or > thoughts'. I assume that everything mentioned is in addition > to a personal firewall. > > Also, it's dangerous to assume that 'she's only visiting > HTTPS sites so, she doesn't need encryption'. Are you sure? > Is she going to check/send email? > POP3? SMTP? Is there anything I, as an attacker, can gain > by learning her email address/password + the fact that she > visits www.herpersonalbank.com? > Can I do anything with that information? What if I also > learn the email addresses of trusted senders? What if she > fires up SSH to her home? Is her username the same as her > email address, per chance? A lot of users will use the same > or similar passwords, even. > > I would never underestimate the value of 'leaked' > information. Potential attackers would even be sizing her up > as a target based on how she dresses and the type of tech > she's carrying. > > > -- > James Harless > Network Security Engineer > > Kidwell Companies > kCOM kE kTECH > 900 S. 26th Street > Lincoln, NE 68510 > > 13336 Industrial Road > Suite 101 > Omaha, NE 68137 > > Main: 402-475-9151 > Fax: 402-475-9186 > [EMAIL PROTECTED] > www.kidwellcompanies.com <http://www.kidwellcompanies.com/> > > > > On 4/19/06 12:38 PM, "[EMAIL PROTECTED]" > <[EMAIL PROTECTED]> wrote: > > > A VPN would work well for keeping her traffic safe but if > her laptop > > wasn't safe then the VPN would be moot. I think using a VPN is > > complicating the situation beyond what the user maybe was > looking for. > > The two places to secure would be the end node and the traffic in > > between. The traffic could be secured by a VPN, but that > would still > > leave the end node vulnerable to attack. I think with the > amount of > > threats currently in the wild, browsing the internet without a > > personal firewall can be a dangerous venture. > > > > If she's looking for the most secure approach I would say a > personal > > firewall and a VPN connection to a trusted source. If she is just > > looking for machine security I think a personal firewall would be > > plenty. I would steer towards a firewall with good reviews > that looks > > at more than just ports, like IE requests and such. If she > used SSL > > sites anytime she was divulging personal information her > traffic would > > be encrypted and there wouldn't really be a need for a VPN. > > > > Andy Kitzke > > Network Engineer > > In-Sink-Erator > > > > -----Original Message----- > > From: James Harless [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, April 19, 2006 8:53 AM > > To: [email protected] > > Subject: Re: Internet security on "hotspots" > > > > Have her connect to a VPN that is available to her. If her company > > doesn't have one available, there are many easy to > implement solutions > > for setting up a PPTP VPN. Then, she can connect to an insecure > > Wireless AP but, all of her traffic would flow encrypted to the VPN > > and out to the 'net from that remote location. > > > > > > > -------------------------------------------------------------- > ------------- > -------------------------------------------------------------- > ------------- > > --------------------------------------------------------------------------- ---------------------------------------------------------------------------
