MacNN Forums > Networking > Public WiFi Security (http://forums.macnn.com/92/networking/338648/public-wifi-security/)

 
aikiwav Jun 11, 2007 11:37 AM
Public WiFi Security
Is there a way for me to make my MacBook more secure when using public wireless systems? I recently read about possibilities of "Evil Twin" networks that mimic a business' wireless network but scans any transmissions for passwords, etc. I'm thinking that conversing with websites that have SSL would be okay, but I'm worried something like my password to MacNN could be seen and used maliciously.
 
aikiwav Jun 11, 2007 12:44 PM
Update
I apologize...I quickly did a search about this issue and found lots of information. I've turned off file sharing, turned on the firewall that came with my MacBook, changed my airport to only use preferred networks, blocked UDP traffic, enabled stealth mode, and started a firewall log. It seems like my laptop was set up wide-open as a default! I would think that if Apple wants to sell to the masses as a computer that can be immediately turned on and used, they should default the computer to the most secure settings and force users to allow further access.

Checking my firewall log, I see this message repeatedly: "35000 Deny UDP". Is this someone trying to get into my computer, or a common request by a wi-fi network?
 
peeb Jun 11, 2007 12:46 PM
I'm fairly sure that it is not set up as 'wide-open as a default'.
 
aikiwav Jun 11, 2007 01:06 PM
Just an Impression
Quote
I'm fairly sure that it is not set up as 'wide-open as a default'.
Coming from the viewpoint of a noob in the wireless world, I found it odd that the firewall wasn't already enabled. Perhaps from an experienced user's viewpoint, that isn't a security problem.
 
peeb Jun 11, 2007 01:18 PM
Yeah, but all ports are also closed by default.
 
ghporter Jun 11, 2007 02:39 PM
However, if you want to share files at any point, it's EASY to open a bunch of ports and forget they're open. There are a lot of ways to basically turn off the OS X firewall, and if you don't have a good background in what you're doing, you can open yourself up without knowing it. I'll bet aikiwav's "open ports" were that way for that sort of reason: totally accidental, but not necessarily benign.

Aikiwav, I'm glad you got everything locked down; it's much more secure that way on any network, but peeb is right in saying that OS X has all network ports closed (NOT stealthed) by default. What method did you use to close and stealth your ports?
 
peeb Jun 11, 2007 03:49 PM
Quote, Originally Posted by aikiwav (Post 3401854)
I'm worried something like my password to MacNN could be seen and used maliciously.
Ah ha. Yes. That's what I worry about most, too! The horror. The horror. :)
 
peeb Jun 11, 2007 05:27 PM
Quote, Originally Posted by ghporter (Post 3402413)
It's a real problem if, like many people, you use the same password for a lot of different sites.

Fortunately, the only time your MacNN password is sent is when you originally log in, as long as you check the "remember me" box, anyway. The site checks for a valid cookie and when it sees it, you're in as you. This is quite secure.
Ah yes. I was imagining a scenario where someone posted inflammatory nonsense in the political lounge and the subterfuge was undetectable.
 
aikiwav Jun 12, 2007 09:37 AM
I set myself up on that one...
My MacNN password was just an example, but I guess I deserved the virtual punch in the arm. :p ghporter, I appreciate looking at things from different viewpoints...I'm not very good at it--just ask my wife!

Checking through the setup, I did indeed find that most ports were closed. The only one that was open was called "Network Time," and although I'm not sure what it does, I figured that if all the ports were closed except that one, it probably is not a huge security risk.

Right now I'm trying to work through some connection problems with my Airport Extreme Card and my 2Wire wireless router. When I originally set it up it worked great, but since I woke up this morning and brought my MacBook out of sleep, it won't stay connected to the internet. I'll input my WPA key, the wireless light on the router turns on, but as soon as I try to go to a webpage, it disconnects.

My searches so far have taken me to discussion of the base station, which I'm not using...any ideas are always appreciated!
 
ghporter Jun 12, 2007 09:43 AM
Quote, Originally Posted by aikiwav (Post 3403042)
My MacNN password was just an example, but I guess I deserved the virtual punch in the arm. :p ghporter, I appreciate looking at things from different viewpoints...I'm not very good at it--just ask my wife!
No sweat. Not every post or reply is intended just for the apparent recipient, and a LOT of people deserve a punch (or a kick!) when it comes to security.
Quote, Originally Posted by aikiwav (Post 3403042)
Checking through the setup, I did indeed find that most ports were closed. The only one that was open was called "Network Time," and although I'm not sure what it does, I figured that if all the ports were closed except that one, it probably is not a huge security risk.
Network Time is a Good Thing®. It's quite helpful in allowing your Mac to sync with the world.
Quote, Originally Posted by aikiwav (Post 3403042)
Right now I'm trying to work through some connection problems with my Airport Extreme Card and my 2Wire wireless router. When I originally set it up it worked great, but since I woke up this morning and brought my MacBook out of sleep, it won't stay connected to the internet. I'll input my WPA key, the wireless light on the router turns on, but as soon as I try to go to a webpage, it disconnects.
Can't help you with the 2Wire bit; I have only the most fleeting experience with that brand. Sorry!
 
aikiwav Jun 12, 2007 09:53 AM
password change
Update: It seems to be working now. I had changed the WPA key in my router configuration, but the connection died after I hit 'Submit'. I figured the change didn't go through, and since whenever I used the old key it seemed to connect for a second or two, I thought it was a connection issue. When I decided to try the new key, it connected and has been working (only for the last few minutes).

Here's hoping for the best!:thumbsup:
 
rjt1000 Jun 12, 2007 11:42 AM
Quote, Originally Posted by aikiwav (Post 3401854)
Is there a way for me to make my MacBook more secure when using public wireless systems? I recently read about possibilities of "Evil Twin" networks that mimic a business' wireless network but scans any transmissions for passwords, etc. I'm thinking that conversing with websites that have SSL would be okay, but I'm worried something like my password to MacNN could be seen and used maliciously.
Unfortunately SSL can only protect you from eavesdroppers once the SSL connection is established. In an evil twin ploy, before you can get the SSL connection going, the evil twin can host a webpage that mimics the site you want and asks for your password. When you try to log in, it captures it. One thing you can do is to ask the public wifi hotspot for the SSID of its wireless network, so you know which is the right wireless signal to connect to. Better is to use a VPN or other form of encrypted tunnel for sensitive communications like accessing your bank account. There are a number of ways to do this. Here are three:

If you have a home Mac attached to the internet with a secure connection like cable broadband or DSL (or an account on a server somewhere) you can remotely log onto that account using SSH (secure shell) and create a secure SOCKS proxy. You then tell your local web browser to use the SOCKS proxy port on localhost (127.0.0.1) and you will be surfing via an encrypted connection to the SOCKS proxy on the remote machine. This article gives some detail of the setup.

Likewise, if you have a home Mac attached to the internet with a secure connection you can remotely surf that computer via an encrypted tunnel. You use SSH (secure shell) with local port forwarding to securely log onto it and then (via the encrypted tunnel created), use a Virtual network client (like Chicken of the VNC) to access a Virtual network server on your home Mac (like Vine Server, formerly OSXvnc) and remotely control your home Mac. This is not as difficult as it might seem. Then open your home Mac's web browser and you can start surfing remotely via the encrypted tunnel.

You could also use HamachiX in a similar fashion. HamachiX is the OS X front end of Hamachi. You install HamachiX on each of your computers and then set up an encrypted LAN between them, regardless of the geographical location of the computers. You can then use a Virtual network client as above and remotely surf your home computer via the encrypted LAN. The advantage of Hamachi is that it requires less setup if your home computer is behind a router or firewall, or has a changing external IP address.
 
aikiwav Jun 12, 2007 01:23 PM
One Step Ahead
Quote
Better is to use a VPN or other form of encrypted tunnel for sensitive communications like accessing your bank account. There are a number of ways to do this. Here are three:
As I've been doing my research, I've come across the idea of VPNs, but thought it was only for those who had dedicated VPN servers (like a business). I will visit those links with relish...thanks a ton!
 
aikiwav Jun 20, 2007 05:39 PM
Hamachi is slow...
I finally got the Hamachi option working, but it seems slow. I expect it to be slower than normal due to all the encryption and transmission, but I would click on a menu option and it would take more than 15 secs to show up...is this as slow as it seems to me?

I thought about trying the SSH option...

Quote
remotely log onto that account using SSH (secure shell) and create a secure SOCKS proxy. You then tell your local web browser to use the SOCKS proxy port on localhost (127.0.0.1) and you will be surfing via an encrypted connection to the SOCKS proxy on the remote machine. This article gives some detail of the setup.
...would this be any faster?

I haven't read anything about Apple Remote Desktop...is that useable to connect to a PC remotely?
 
rjt1000 Jun 21, 2007 12:47 AM
Quote, Originally Posted by aikiwav (Post 3409457)
I finally got the Hamachi option working, but it seems slow. I expect it to be slower than normal due to all the encryption and transmission, but I would click on a menu option and it would take more than 15 secs to show up...is this as slow as it seems to me?

I thought about trying the SSH option...
...would this be any faster?

I haven't read anything about Apple Remote Desktop...is that useable to connect to a PC remotely?
Using VNC can be slow depending on the distance between the computers, the bandwidth of the connection at both ends and general internet traffic in between. After all, there is a lot of data being transmitted with each screen refresh. I think this is probably comparable between using VNC over Hamachi or over an SSH tunnel, and has more to do with the quantity of data being transmitted than the encryption per se.

I only recently tried out HamachiX (the OS X front end is relatively new) so I don't have a lot of experience with it, besides tinkering between local computers. In that situation VNC worked quite responsively.

However, I regularly use VNC over an SSH tunnel to control a remote computer about 1000 miles away (both sides with cable broadband). The responsiveness can range from reasonably good to sluggish. One thing I found that helps is to choose a single color rather than a complicated pattern for the server side computer's desktop so that there is less data to transmit with each screen refresh. Likewise keep the server side computer's desktop uncluttered with files. I imagine setting the server side computer to display fewer colors (thousands instead of millions) might also help, but I haven't tried that.

But if all you want to do is surf through a secure connection (rather than have full VNC control over the remote computer), using SSH to log onto the remote computer and setting up a SOCKS proxy should be significantly speedier than using a VNC to remotely surf. There is much less data being bounced around.

Be sure you have an account on the remote computer, and that remote access is turned on. If the remote computer is behind a router, you will need to set up a manual internal IP address and set the router to forward port 22 to the manual IP address you chose. If the remote computer's external IP address changes periodically, you can purchase a service to keep track of it and give you a domain name to use rather than the numerical IP address. (FYI: how to set a manual internal IP address and forward ports on your router is mentioned in this thread)

Then using terminal, enter:
ssh user@12.34.56.78 -D 9999
and hit return.
(where user is your short username on the remote computer, 12.34.56.78 is replaced by the external IP address of the remote computer and 9999 is the port number you've chosen.)

Enter your password and leave the terminal window open for the duration of the connection.

Then set Firefox on your local computer to use a SOCKS v5 proxy with SOCKS host 127.0.0.1 (aka localhost) and the chosen port number, in this case 9999. (if v5 doesn't work, use v4)

One more issue is where DNS lookups are done. With SOCKS v5 proxy, Firefox can do them remotely (which is more secure and prevents hijacked DNS lookups). To make it so: in Firefox type about:config and then set network.proxy.socks_remote_dns = true

Then you can use Firefox normally on your local computer and your data will be proxied via an encrypted tunnel to the SOCKS proxy on your remote computer.

Give it a try and see what you think.
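The SOCKS5 exchange that Firefox performs against the `ssh -D 9999` listener described above, written out as an added example (it is not code from this thread or from rjt1000). It builds the client's greeting and CONNECT request from RFC 1928 two ways: with the hostname handed to the proxy to resolve, which is what `network.proxy.socks_remote_dns = true` selects, and with the name resolved locally first, which is the default and is what lets a hostile hotspot see or forge the DNS answer. The hostnames, addresses and reply bytes are constructed for illustration; `connect_via_socks` assumes a tunnel really is listening on 127.0.0.1:9999 and is not exercised offline.

```python
"""SOCKS5 (RFC 1928) CONNECT as a browser sends it through an `ssh -D` tunnel.

Added example, not from the forum thread. No network access is needed except
by connect_via_socks(), which assumes a live `ssh -D 9999` listener.
"""
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00        # the only method an ssh -D listener accepts
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04

REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}


def greeting() -> bytes:
    """Client hello: version 5, one authentication method offered (none)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(host: str, port: int, remote_dns: bool, resolver=None) -> bytes:
    """Build the CONNECT request for host:port.

    remote_dns=True  -> the name travels inside the tunnel as ATYP 0x03 and the
                        SSH server resolves it; nothing about the site leaves
                        this machine in the clear.
    remote_dns=False -> the name is resolved here first (a DNS query on the
                        untrusted Wi-Fi) and only the IPv4 address is sent.
    `resolver` is a hook so callers (and tests) can supply a stand-in for
    socket.gethostbyname; it is a constructed convenience, not a SOCKS feature.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        resolve = resolver or socket.gethostbyname
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(resolve(host))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> dict:
    """Decode the server reply: VER REP RSV ATYP BND.ADDR BND.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, end = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, end = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV6:
        addr, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("unknown address type %d" % atyp)
    (port,) = struct.unpack("!H", data[end:end + 2])
    return {"ok": rep == 0, "status": REPLY_TEXT.get(rep, "unknown(%d)" % rep),
            "bound": (addr, port)}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def connect_via_socks(host: str, port: int, proxy=("127.0.0.1", 9999),
                      remote_dns: bool = True, timeout: float = 10.0) -> socket.socket:
    """Run the full handshake against a live tunnel and return the connected
    socket; the caller then speaks TLS/HTTP over it exactly as Firefox would."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(greeting())
        ver, method = _recv_exact(sock, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise ConnectionError("proxy refused the no-auth method")
        sock.sendall(connect_request(host, port, remote_dns))
        head = _recv_exact(sock, 4)
        rest = {ATYP_IPV4: 6, ATYP_IPV6: 18}.get(head[3])
        if rest is None:                      # domain reply: length byte first
            n = _recv_exact(sock, 1)
            rest_bytes = n + _recv_exact(sock, n[0] + 2)
        else:
            rest_bytes = _recv_exact(sock, rest)
        reply = parse_reply(head + rest_bytes)
        if not reply["ok"]:
            raise ConnectionError(reply["status"])
        return sock
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    # Constructed host; compare which address type each setting puts on the wire.
    print(connect_request("bank.example", 443, remote_dns=True).hex())
    print(connect_request("bank.example", 443, remote_dns=False,
                          resolver=lambda h: "192.0.2.10").hex())
```

The two `connect_request` outputs differ only in the address field, but that field is the whole point of the `socks_remote_dns` setting: with ATYP 0x03 the hostname is encrypted inside the SSH session, whereas with ATYP 0x01 a plain DNS query for the site has already gone out over the hotspot before the tunnel is even used.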
 
Big Mac Jun 21, 2007 07:19 AM
There are now an increasing number of companies offering PPTP VPNs for monthly fees. But if you can do the same thing with SSH as rjt suggests, that sounds like the way to go.
 
Big Mac Jun 21, 2007 07:21 AM
Hey, Future Glenn, how much have things changed in 2019? Can I have some lottery numbers, stock picks and World Series winners?
 
ghporter Jun 21, 2007 08:57 AM
I have returned from the future! I have met the enemy, and he's still us. Lotteries are overrated, and politics aren't any better than in the present day. Microsoft's Windows "Horizon" OS is two years late and nobody's surprised. People can hack your phone via your BlueTooth wristwatch-TV, so avoid MTV-8 and any satellite channel over 1024. Oh, and buy stock in...what was that called? Oh yeah! Wind power! Especially ventures that intend to harvest hot air currents around Washington D.C.! :D
 
besson3c Jun 28, 2007 07:18 PM
Quote, Originally Posted by peeb (Post 3401985)
Yeah, but all ports are also closed by default.
This doesn't make you impervious to DoS attacks...
 
Sherman Homan Jun 28, 2007 09:13 PM
Great, now we have a moderator reviving Zombie Threads.
Glenn, this thread is nearly 12 years old!
Bannination!
 
ghporter Jun 28, 2007 09:47 PM
Quote, Originally Posted by Sherman Homan (Post 3416803)
Great, now we have a moderator reviving Zombie Threads.
Glenn, this thread is nearly 12 years old!
Bannination!
Yeah, but I have to be pretty good to revive such long-dead zombies!

Actually, there was a server time glitch a while back that got that particular post its wacky date. I don't know what has changed, but now that post is showing up as the most recent when it didn't before. I'm stumped. Must be time-travel lag. ;)
 
Dakarʒ Jun 29, 2007 09:07 AM
I'm really tired of moderators like gh abusing their time-travel powers on the forums.
 
ghporter Jun 29, 2007 09:22 AM
I think I'll just end the problem and close this thread. The time travel was fun, but going through security was a real hassle! ;)
 
ghporter Jan 20, 2008 07:35 PM
Quote, Originally Posted by aikiwav (Post 3401854)
I'm worried something like my password to MacNN could be seen and used maliciously.
Quote, Originally Posted by peeb (Post 3402425)
Ah yes. I was imagining a scenario where someone posted inflammatory nonsense in the political lounge and the subterfuge was undetectable.
Quote, Originally Posted by ghporter (Post 3402413)
It's a real problem if, like many people, you use the same password for a lot of different sites.

Fortunately, the only time your MacNN password is sent is when you originally log in, as long as you check the "remember me" box, anyway. The site checks for a valid cookie and when it sees it, you're in as you. This is quite secure.

It's interesting here in the future. My Mac iWatch not only tells time, it has a 23,000X8200 color display; that's all of 75mm wide. It came with every Star Trek episode ever made, but you can't read the credits, or even tell if these are the re-re-enhanced rerelease versions of the episodes. But the COLOR is GREAT!
I've quoted all this so that maybe, when I delete the weird-time post, it'll go away, and this last reply will be all that's left.
 