You are here: MacNN Forums > Enthusiast Zone > Networking > Public WiFi Security

Public WiFi Security
Fresh-Faced Recruit
Join Date: May 2007
Status: Offline
Jun 11, 2007, 11:37 AM
 
Is there a way for me to make my MacBook more secure when using public wireless systems? I recently read about possibilities of "Evil Twin" networks that mimic a business' wireless network but scan any transmissions for passwords, etc. I'm thinking that conversing with websites that have SSL would be okay, but I'm worried something like my password to MacNN could be seen and used maliciously.
     
aikiwav  (op)
Fresh-Faced Recruit
Join Date: May 2007
Status: Offline
Jun 11, 2007, 12:44 PM
 
I apologize...I quickly did a search about this issue and found lots of information. I've turned off file sharing, turned on the firewall that came with my MacBook, changed my AirPort to only use preferred networks, blocked UDP traffic, enabled stealth mode, and started a firewall log. It seems like my laptop was set up wide-open as a default! I would think that if Apple wants to sell to the masses as a computer that can be immediately turned on and used, they should default the computer to the most secure settings and force users to allow further access.

Checking my firewall log, I see this message repeatedly: "35000 Deny UDP". Is this someone trying to get into my computer, or a common request by a wi-fi network?
     
Addicted to MacNN
Join Date: Mar 2006
Status: Offline
Jun 11, 2007, 12:46 PM
 
I'm fairly sure that it is not set up as 'wide-open as a default'.
     
aikiwav  (op)
Fresh-Faced Recruit
Join Date: May 2007
Status: Offline
Jun 11, 2007, 01:06 PM
 
Originally Posted by peeb:
I'm fairly sure that it is not set up as 'wide-open as a default'.
Coming from the viewpoint of a noob in the wireless world, I found it odd that the firewall wasn't already enabled. Perhaps from an experienced user's viewpoint, that isn't a security problem.
     
Addicted to MacNN
Join Date: Mar 2006
Status: Offline
Jun 11, 2007, 01:18 PM
 
Yeah, but all ports are also closed by default.
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Jun 11, 2007, 02:39 PM
 
However, if you want to share files at any point, it's EASY to open a bunch of ports and forget they're open. There are a lot of ways to basically turn off the OS X firewall, and if you don't have a good background in what you're doing, you can open yourself up without knowing it. I'll bet aikiwav's "open ports" were that way for that sort of reason: totally accidental, but not necessarily benign.

Aikiwav, I'm glad you got everything locked down; it's much more secure that way on any network, but peeb is right in saying that OS X has all network ports closed (NOT stealthed) by default. What method did you use to close and stealth your ports?

Glenn -----OTR/L, MOT, Tx
     
Addicted to MacNN
Join Date: Mar 2006
Status: Offline
Jun 11, 2007, 03:49 PM
 
Originally Posted by aikiwav:
I'm worried something like my password to MacNN could be seen and used maliciously.
Ah ha. Yes. That's what I worry about most, too! The horror. The horror.
     
Addicted to MacNN
Join Date: Mar 2006
Status: Offline
Jun 11, 2007, 05:27 PM
 
Originally Posted by ghporter:
It's a real problem if, like many people, you use the same password for a lot of different sites.

Fortunately, the only time your MacNN password is sent is when you originally log in, as long as you check the "remember me" box, anyway. The site checks for a valid cookie and when it sees it, you're in as you. This is quite secure.
Ah yes. I was imagining a scenario where someone posted inflammatory nonsense in the political lounge and the subterfuge was undetectable.
     
aikiwav  (op)
Fresh-Faced Recruit
Join Date: May 2007
Status: Offline
Jun 12, 2007, 09:37 AM
 
My MacNN password was just an example, but I guess I deserved the virtual punch in the arm. ghporter, I appreciate looking at things from different viewpoints...I'm not very good at it--just ask my wife!

Checking through the setup, I did indeed find that most ports were closed. The only one that was open was called "Network Time," and although I'm not sure what it does, I figured that if all the ports were closed except that one, it probably is not a huge security risk.

Right now I'm trying to work through some connection problems with my Airport Extreme Card and my 2Wire wireless router. When I originally set it up it worked great, but since I woke up this morning and brought my MacBook out of sleep, it won't stay connected to the internet. I'll input my WPA key, the wireless light on the router turns on, but as soon as I try to go to a webpage, it disconnects.

My searches so far have taken me to discussion of the base station, which I'm not using...any ideas are always appreciated!
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Jun 12, 2007, 09:43 AM
 
Originally Posted by aikiwav:
My MacNN password was just an example, but I guess I deserved the virtual punch in the arm. ghporter, I appreciate looking at things from different viewpoints...I'm not very good at it--just ask my wife!
No sweat. Not every post or reply is intended just for the apparent recipient, and a LOT of people deserve a punch (or a kick!) when it comes to security.
Originally Posted by aikiwav:
Checking through the setup, I did indeed find that most ports were closed. The only one that was open was called "Network Time," and although I'm not sure what it does, I figured that if all the ports were closed except that one, it probably is not a huge security risk.
Network Time is a Good Thing®. It's quite helpful in allowing your Mac to sync with the world.
Originally Posted by aikiwav:
Right now I'm trying to work through some connection problems with my Airport Extreme Card and my 2Wire wireless router. When I originally set it up it worked great, but since I woke up this morning and brought my MacBook out of sleep, it won't stay connected to the internet. I'll input my WPA key, the wireless light on the router turns on, but as soon as I try to go to a webpage, it disconnects.
Can't help you with the 2Wire bit; I have only the most fleeting experience with that brand. Sorry!

Glenn -----OTR/L, MOT, Tx
     
aikiwav  (op)
Fresh-Faced Recruit
Join Date: May 2007
Status: Offline
Jun 12, 2007, 09:53 AM
 
Update: It seems to be working now. I had changed the WPA key in my router configuration, but the connection died after I hit 'Submit'. I figured the change didn't go through, and since whenever I used the old key it seemed to connect for a second or two, I thought it was a connection issue. When I decided to try the new key, it connected and has been working (only for the last few minutes).

Here's hoping for the best!
     
Senior User
Join Date: Jul 2003
Location: Asia
Status: Offline
Jun 12, 2007, 11:42 AM
 
Originally Posted by aikiwav:
Is there a way for me to make my MacBook more secure when using public wireless systems? I recently read about possibilities of "Evil Twin" networks that mimic a business' wireless network but scan any transmissions for passwords, etc. I'm thinking that conversing with websites that have SSL would be okay, but I'm worried something like my password to MacNN could be seen and used maliciously.
Unfortunately SSL can only protect you from eavesdroppers once the SSL connection is established. In an evil twin ploy, before you can get the SSL connection going, the evil twin can host a webpage that mimics the site you want and asks for your password. When you try to log in, it captures it. One thing you can do is to ask the public wifi hotspot for the SSID of its wireless network, so you know which is the right wireless signal to connect to. Better is to use a VPN or other form of encrypted tunnel for sensitive communications like accessing your bank account. There are a number of ways to do this. Here are three:

If you have a home Mac attached to the internet with a secure connection like cable broadband or DSL (or an account on a server somewhere) you can remotely log onto that account using SSH (secure shell) and create a secure SOCKS proxy. You then tell your local web browser to use the SOCKS proxy port on localhost (127.0.0.1) and you will be surfing via an encrypted connection to the SOCKS proxy on the remote machine. This article gives some detail of the setup.

Likewise, if you have a home Mac attached to the internet with a secure connection you can remotely surf that computer via an encrypted tunnel. You use SSH (secure shell) with local port forwarding to securely log onto it and then (via the encrypted tunnel created), use a Virtual network client (like Chicken of the VNC) to access a Virtual network server on your home Mac (like Vine Server, formerly OSXvnc) and remotely control your home Mac. This is not as difficult as it might seem. Then open your home Mac's web browser and you can start surfing remotely via the encrypted tunnel.

You could also use HamachiX in a similar fashion. HamachiX is the OS X front end of Hamachi. You install HamachiX on each of your computers and then set up an encrypted LAN between them, regardless of the geographical location of the computers. You can then use a Virtual network client as above and remotely surf your home computer via the encrypted LAN. The advantage of Hamachi is that it requires less setup if your home computer is behind a router or firewall, or has a changing external IP address.
( Last edited by rjt1000; Jun 12, 2007 at 12:08 PM. )
     
aikiwav  (op)
Fresh-Faced Recruit
Join Date: May 2007
Status: Offline
Jun 12, 2007, 01:23 PM
 
Originally Posted by rjt1000:
Better is to use a VPN or other form of encrypted tunnel for sensitive communications like accessing your bank account. There are a number of ways to do this. Here are three:
As I've been doing my research, I've come across the idea of VPNs, but thought it was only for those who had dedicated VPN servers (like a business). I will visit those links with relish...thanks a ton!
     
aikiwav  (op)
Fresh-Faced Recruit
Join Date: May 2007
Status: Offline
Jun 20, 2007, 05:39 PM
 
I finally got the Hamachi option working, but it seems slow. I expect it to be slower than normal due to all the encryption and transmission, but I would click on a menu option and it would take more than 15 secs to show up...is this as slow as it seems to me?

I thought about trying the SSH option...

Originally Posted by rjt1000:
remotely log onto that account using SSH (secure shell) and create a secure SOCKS proxy. You then tell your local web browser to use the SOCKS proxy port on localhost (127.0.0.1) and you will be surfing via an encrypted connection to the SOCKS proxy on the remote machine. This article gives some detail of the setup.
...would this be any faster?

I haven't read anything about Apple Remote Desktop...is that usable to connect to a PC remotely?
( Last edited by aikiwav; Jun 20, 2007 at 06:09 PM. Reason: new thought)
     
Senior User
Join Date: Jul 2003
Location: Asia
Status: Offline
Jun 21, 2007, 12:47 AM
 
Originally Posted by aikiwav:
I finally got the Hamachi option working, but it seems slow. I expect it to be slower than normal due to all the encryption and transmission, but I would click on a menu option and it would take more than 15 secs to show up...is this as slow as it seems to me?

I thought about trying the SSH option...
...would this be any faster?

I haven't read anything about Apple Remote Desktop...is that usable to connect to a PC remotely?
Using VNCs can be slow depending on the distance between the computers, the bandwidth of the connection at both ends and general internet traffic in between. After all, there is a lot of data being transmitted with each screen refresh. I think this is probably comparable between using VNC over Hamachi or over an SSH tunnel, and has more to do with the quantity of data being transmitted than the encryption per se.

I only recently tried out HamachiX (the OS X front end is relatively new) so I don't have a lot of experience with it, besides tinkering between local computers. In that situation VNC worked quite responsively.

However, I regularly use VNC over an SSH tunnel to control a remote computer about 1000 miles away (both sides with cable broadband). The responsiveness can range from reasonably good to sluggish. One thing I found that helps is to choose a single color rather than a complicated pattern for the server side computer's desktop so that there is less data to transmit with each screen refresh. Likewise keep the server side computer's desktop uncluttered with files. I imagine setting the server side computer to display fewer colors (thousands instead of millions) might also help, but I haven't tried that.

But if all you want to do is surf through a secure connection (rather than have full VNC control over the remote computer), using SSH to log onto the remote computer and setting up a SOCKS proxy should be significantly speedier than using a VNC to remotely surf. There is much less data being bounced around.

Be sure you have an account on the remote computer, and that remote access is turned on. If the remote computer is behind a router, you will need to set up a manual internal IP address and set the router to forward port 22 to the manual IP address you chose. If the remote computer's external IP address changes periodically, you can purchase a service to keep track of it and give you a domain name to use rather than the numerical IP address. (FYI: how to set a manual internal IP address and forward ports on your router is mentioned in this thread)

Then, using Terminal, enter:
ssh user@12.34.56.78 -D 9999
and hit return.
(where user is your short username on the remote computer, 12.34.56.78 is replaced by the external IP address of the remote computer and 9999 is the port number you've chosen.)

Enter your password and leave the terminal window open for the duration of the connection.

Then set Firefox on your local computer to use a SOCKS v5 proxy with SOCKS host 127.0.0.1 (aka localhost) and the chosen port number, in this case 9999. (if v5 doesn't work, use v4)

One more issue is where DNS lookups are done. With SOCKS v5 proxy, Firefox can do them remotely (which is more secure and prevents hijacked DNS lookups). To make it so: in Firefox type about:config and then set network.proxy.socks_remote_dns = true

Then you can use Firefox normally on your local computer and your data will be proxied via an encrypted tunnel to the SOCKS proxy on your remote computer.

Give it a try and see what you think.
( Last edited by rjt1000; Jun 21, 2007 at 10:04 AM. Reason: more info on DNS lookups)
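As an added example (not code from the thread or from rjt1000), here is the "ssh -D" SOCKS recipe above wrapped in a small POSIX shell script: it validates the port, builds the ssh command with host-key checking kept strict, waits for the loopback listener, and does a test fetch whose DNS lookup is resolved at the remote end, mirroring the socks_remote_dns Firefox setting. REMOTE_USER, REMOTE_HOST, PORT and the example.com test URL are assumptions; the script needs ssh, nc and curl.

```shell
#!/bin/sh
# Added example, not from the thread: scripted version of the
# "ssh user@12.34.56.78 -D 9999" SOCKS tunnel described above.
# REMOTE_USER / REMOTE_HOST / PORT are assumed environment variables.

# Return 0 if PORT is an unprivileged TCP port usable for the local SOCKS listener.
socks_port_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the ssh command line for a SOCKS proxy on 127.0.0.1:PORT.
#   -N   no remote shell, just the tunnel
#   -D   dynamic (SOCKS) forwarding bound to loopback only, so other
#        hosts on the hotspot cannot use your tunnel
#   StrictHostKeyChecking=yes  refuse to connect if the host key is unknown
#        or changed, which is what a hotspot spoofing your home IP would cause
#   ExitOnForwardFailure=yes   fail loudly instead of silently running without
#        the proxy (which would leave the browser un-proxied)
build_tunnel_cmd() {
    user=$1; host=$2; port=$3
    socks_port_valid "$port" || return 1
    printf 'ssh -N -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes -D 127.0.0.1:%s %s@%s' \
        "$port" "$user" "$host"
}

# Wait up to N seconds (default 10) for something to listen on 127.0.0.1:PORT.
wait_for_port() {
    port=$1; tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        nc -z 127.0.0.1 "$port" 2>/dev/null && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# Fetch a URL through the proxy and print the HTTP status code.
# --socks5-hostname hands the hostname to the proxy so DNS is resolved at the
# remote end (like socks_remote_dns=true in Firefox); plain --socks5 would
# resolve locally and hand the lookup to the hotspot's DNS server.
fetch_via_proxy() {
    curl -sS --socks5-hostname "127.0.0.1:$1" -o /dev/null -w '%{http_code}' "$2"
}

if [ "${1:-}" = "run" ]; then
    PORT=${PORT:-9999}
    cmd=$(build_tunnel_cmd "$REMOTE_USER" "$REMOTE_HOST" "$PORT") || exit 1
    $cmd &                      # keep this running for as long as you browse
    wait_for_port "$PORT" || { echo "tunnel did not come up" >&2; kill $!; exit 1; }
    echo "proxy up; test fetch returned HTTP $(fetch_via_proxy "$PORT" https://example.com/)"
fi
```

Run it as `REMOTE_USER=user REMOTE_HOST=12.34.56.78 sh tunnel.sh run`, then point Firefox at SOCKS host 127.0.0.1, port 9999, exactly as described above.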
     
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
Jun 21, 2007, 07:19 AM
 
There are now an increasing number of companies offering PPTP VPNs for monthly fees. But if you can do the same thing with SSH as rjt suggests, that sounds like the way to go.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
Jun 21, 2007, 07:21 AM
 
Hey, Future Glenn, how much have things changed in 2019? Can I have some lottery numbers, stock picks and World Series winners?

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Jun 21, 2007, 08:57 AM
 
I have returned from the future! I have met the enemy, and he's still us. Lotteries are overrated, and politics aren't any better than in the present day. Microsoft's Windows "Horizon" OS is two years late and nobody's surprised. People can hack your phone via your BlueTooth wristwatch-TV, so avoid MTV-8 and any satellite channel over 1024. Oh, and buy stock in...what was that called? Oh yeah! Wind power! Especially ventures that intend to harvest hot air currents around Washington D.C.!

Glenn -----OTR/L, MOT, Tx
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Jun 28, 2007, 07:18 PM
 
Originally Posted by peeb:
Yeah, but all ports are also closed by default.
This doesn't make you impervious to DoS attacks...
     
Mac Elite
Join Date: Sep 2006
Status: Offline
Jun 28, 2007, 09:13 PM
 
Great, now we have a moderator reviving Zombie Threads.
Glenn, this thread is nearly 12 years old!
Bannination!
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Jun 28, 2007, 09:47 PM
 
Originally Posted by Sherman Homan:
Great, now we have a moderator reviving Zombie Threads.
Glenn, this thread is nearly 12 years old!
Bannination!
Yeah, but I have to be pretty good to revive such long-dead zombies!

Actually, there was a server time glitch a while back that got that particular post its wacky date. I don't know what has changed, but now that post is showing up as the most recent when it didn't before. I'm stumped. Must be time-travel lag.

Glenn -----OTR/L, MOT, Tx
     
Professional Poster
Join Date: Apr 2007
Location: A House of Ill-Repute in the Sky
Status: Offline
Jun 29, 2007, 09:07 AM
 
I'm really tired of moderators like gh abusing their time-travel powers on the forums.
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Jun 29, 2007, 09:22 AM
 
I think I'll just end the problem and close this thread. The time travel was fun, but going through security was a real hassle!

Glenn -----OTR/L, MOT, Tx
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Jan 20, 2008, 07:35 PM
 
Originally Posted by aikiwav:
I'm worried something like my password to MacNN could be seen and used maliciously.
Originally Posted by peeb:
Ah yes. I was imagining a scenario where someone posted inflammatory nonsense in the political lounge and the subterfuge was undetectable.
Originally Posted by ghporter:
It's a real problem if, like many people, you use the same password for a lot of different sites.

Fortunately, the only time your MacNN password is sent is when you originally log in, as long as you check the "remember me" box, anyway. The site checks for a valid cookie and when it sees it, you're in as you. This is quite secure.

It's interesting here in the future. My Mac iWatch not only tells time, it has a 23,000X8200 color display; that's all of 75mm wide. It came with every Star Trek episode ever made, but you can't read the credits, or even tell if these are the re-re-enhanced rerelease versions of the episodes. But the COLOR is GREAT!
I've quoted all this so that maybe, when I delete the weird-time post, it'll go away, and this last reply will be all that's left.

Glenn -----OTR/L, MOT, Tx
     
All contents of these forums © 1995-2014 MacNN. All rights reserved.