Be Aware of Your Security at Internet Cafes

Bill Hutchison's picture

Ironically enough I am sitting in a coffee shop using their free open wifi to write this. Using any open wifi is not secure, but hopefully after reading this we can set ourselves up to be a bit more secure.

It has never been secure to connect to the Internet over open wifi access points. Hacking open wifi sessions has always been easy for people who know how, but this week it became far easier thanks to a simple plugin for the popular browser Firefox.

Just to be clear, the login screen at Starbucks or Second Cup does not make it a secure wifi access point. Unless you have to put in either a WEP, WPA or WPA2 key when attaching to a wifi network, you are most likely on an open access point and subject to this vulnerability.

The new plugin, called Firesheep, makes it easy for people to capture your login IDs, passwords, and other important information. They simply run Firesheep on another computer on the same open network, whether wifi or a cable connection. They can then see what you are doing, grab your session, and use the site as if they were you.

There are many different applications that are vulnerable to this sort of attack, including:

  • Facebook
  • Twitter
  • Foursquare
  • Google
  • Flickr
  • bit.ly
  • Amazon
  • more …

Pretty much any web-site that does not use encryption when you log in is vulnerable. Unfortunately that includes this web-site, but I will be looking at how to change that for logged in users.
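For a site owner, the exposure described above comes down to whether the session cookie ever travels unencrypted. The check below is an added example, not code from this site or from Firesheep; it audits response headers for that, and the URLs, the cookie name `SESSID` and the three sample responses are constructed for illustration.

```python
# Added example; the three responses are constructed sample data, not real captures.
LOGIN_OVER_HTTP = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSID=constructed123; path=/; HttpOnly
"""
HTTPS_LOGIN_ONLY = """HTTP/1.1 302 Found
Location: http://www.example.com/home
Set-Cookie: SESSID=constructed456; path=/; HttpOnly
"""
HTTPS_THROUGHOUT = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Set-Cookie: SESSID=constructed789; path=/; Secure; HttpOnly
"""

def parse_headers(raw):
    """Split a raw HTTP response head into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:        # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(url, raw):
    """Return findings about cookie exposure for one response fetched from url."""
    headers = parse_headers(raw)
    https = url.lower().startswith("https://")
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if not https:
            findings.append(f"{cookie}: set over plain http, readable on the wire")
        elif "secure" not in attrs:
            # Without Secure the browser also attaches the cookie to http:// requests.
            findings.append(f"{cookie}: no Secure attribute, also sent over http")
    if https and not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header, https is not enforced")
    return findings

if __name__ == "__main__":
    for url, raw in [("http://www.example.com/login", LOGIN_OVER_HTTP),
                     ("https://www.example.com/login", HTTPS_LOGIN_ONLY),
                     ("https://www.example.com/", HTTPS_THROUGHOUT)]:
        print(url, audit(url, raw) or "ok")
```

The middle case is the one that catches sites out: the login itself is encrypted, but the cookie it issues is still sent in the clear on every later http:// page.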

The Electronic Frontier Foundation has released a Firefox plugin called HTTPS Everywhere to try to force you to use an encrypted connection when connecting to these web-sites. Unfortunately not all web-sites support an encrypted connection, but those that do will be much more secure when used over HTTPS (SSL encryption). Even without the plugin you can type in https:// instead of http:// in your URL address bar to get a secure encrypted connection with sites that support it. I’m doing that now with Facebook and Twitter.

Here are some sites that you may be using that support the https ssl encryption:

  • Google Search
  • Wikipedia
  • Twitter
  • Facebook
  • most of Amazon
  • GMX
  • Wordpress.com blogs
  • The New York Times
  • The Washington Post
  • Paypal
  • EFF
  • Tor
  • Ixquick

It’s easy to get freaked out after reading this and to panic, but it’s one of those things that, if we are aware of it, we can protect ourselves against.

So after I’ve written this post I will be loading the HTTPS Everywhere Firefox plugin from the EFF to force https on the sites that support it, and I will be careful of using sites that don’t support it when I am on open wifi access points.

Update

If you are using Internet Cafe computers, and not your own laptop, you also need to be aware of this vulnerability. You will need to be sure to manually type https://www.facebook.com, for example, instead of http://www.facebook.com. This will give you a secure and encrypted connection and will protect you from this type of hack.

Steve's picture

re: Be Aware of Your Security at Internet Cafes

I have to fully agree with this post. And, to be quite honest, regarding security it's actually worse than that.

All unencrypted traffic on an open network is pretty much open for the public to read. No matter if you are using Linux, Mac, or Windows, with every browser. You don't need any plug-ins for that. Passwords, usernames, everything and anything unencrypted (non-SSL traffic).
It is possible with freely and legally available software to monitor the network traffic. Of course this software was intended for administrators for troubleshooting. But as with everything else, this software can easily be misused with malicious intentions.

On top of that WEP for Wireless encryption must also be considered insecure. For someone who knows what he's doing it is a matter of minutes to break that encryption. It is highly recommended to use WPA2 or at the very least WPA in case you have older hardware that doesn't support WPA2.
Of course, this isn't helpful when in an Internet Cafe or wherever else with an open Wifi. But it might be important to know that WEP can NOT be considered secure, so that you don't falsely assume you would be secure.
See Wikipedia on WEP: http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy

Also, good to know is, don't be fooled by simply using a network cable if available instead of the wireless. If there is an open Wifi the whole network traffic (wired and wireless) can be monitored.
And on a side note, public computers in Internet Cafes might have key loggers or other sniffing software installed. Though, this is not the topic of this post, I guess.

So, I fully agree with the original post. There is no need to be frightened, panic or freak out. But we need to be aware and act accordingly. E.g. by not accessing sites that require us to log-in (social networks, online stores, bank, etc) or using appropriate security measures.

--~~~~~
Cheers,
Steve

Somebody's terminal is dropping bits. I found a pile of them over in the corner.

kahunapule's picture

It isn't just wireless connections that are insecure.

Actually, the ease of snooping on unencrypted wireless connections is amazing. It is simple enough for a third grader to do. However, don't think that you are secure if your wireless connection is encrypted or you are using a wired connection. Unencrypted communications (i.e. http instead of https, or not using a VPN or encrypted tunnel of some sort) are easy to intercept at many points along the path between you and the computer you are communicating with, some in surprisingly distant places. Some cover vast areas, like satellite links. Some are vulnerable with special equipment on microwave links. For people with physical access to any wired network you use, including as it passes through other countries, it is also easy. Note that you don't know which way a packet you send may go. It might actually get routed through another country even on a "domestic" connection.

Now you know why I used a totally different password for this site than what I use for my bank. You did, too, right?

Aloha,
Michael
http://mpj.us

Be Aware of Your Security at Internet Cafes

China shut down more than 130,000 illegal Internet cafes in the country over a six year period, as part of crackdown to control the market, according to a new Chinese government report. Internet cafes in China are highly regulated by the government, which can issue and revoke their licenses. Authorities have made it illegal for Internet cafes to serve minors under the age of 18, stating that the Web's content could endanger their well-being. Last April, the Ministry of Culture issued new rules declaring that Internet cafes would be closed down if they were found admitting minors. China has the world's largest Internet cafe market, said Yu. "The leadership has been trying to regulate it for some time now," he said. China is actively closing down Internet cafes that don't meet regulations in an effort to standardize the way they operate.

I rarely use internet cafes

I rarely use internet cafes but it's good to keep this in mind. I thought there are certain antivirus tools which offer you protection regarding this issue though; as far as I know they do a good job of blocking any unwanted attack on your computer.

Steve's picture

security software

It is good to have some kind of AV (Anti Virus) software. But it is not all for "complete" protection. In any case, it should be noted that something like "complete", as in 100%, protection is not achievable. But there is more that can (and should) be done to get as close as possible towards those 100%.

A Firewall is pretty much a must have. For most people the standard Windows Firewall in newer Windows versions should be OK. For WinXP it is generally recommended to use a 3rd party Firewall, e.g. something like Zonealarm. There is other software like this available, as well, it's just an example.

On top of that there is a whole lot more specialised software available to protect yourself against the many dangers of the interwebs.

However, the actual concern in the original blog post wasn't a direct attack on one's computer, for which the AV, Firewall, etc. is designed. The issue was that everything one is doing with the laptop can be monitored. In other words, using the Internet is like sending postcards. Everyone who handles your postcard can freely read it, without the need of any special tools to e.g. secretly open an envelope and close it again in a manner that no one else recognises that manipulation. Meaning, that at every piece of hardware (Wifi Access Point, Modems, Server, etc.) the information is routed through, it is possible to just simply read what is transmitted and no AV or Firewall or similar can prevent that, as it happens outside your own computer. Unless (theoretically) that information is encrypted, which is generally indicated when a website uses https (SSL encryption) instead of http (no encryption at all) in the URL.

The browser plug-in mentioned in the original post actually caused a big security issue. It was possible to view Internet traffic even when people thought they would be on the safe side. Meaning, it was possible to see someone's user name and password for a website like Facebook, etc.

So, in order to prevent those spying eyes one needs to make sure that the traffic is not readable by others. This is what encryption is for, however, as seen with the above mentioned browser plug-in there are ways around it. Either by malicious attempt or software bug.
To add more security one would need to have a VPN, a tunnel from your computer to a remote location. But this is either a lot more technical or it is a service one has to pay for.

Of course, the cheapest option to stay as safe as possible from these spying eyes is to simply not use a public Internet, at all. No matter if that is an Internet Cafe, or something that Starbucks, McDonalds, an Airport, or the local Library offers. Once we get over that thought that we always have to be connected and available it is quite easy to actually not use a computer in any other location than home, office, or similar, where you know that the network is set up with some security in mind. E.g. the WPA2 encryption mentioned sometime earlier here in a blog post. Extra points for resisting the temptation of wireless altogether.

--~~~~~
Cheers,
Steve

Somebody's terminal is dropping bits. I found a pile of them over in the corner.
