Is OS X vulnerable on unprotected networks?
trip221
Fresh-Faced Recruit
Join Date: Aug 2007
Oct 9, 2007, 01:19 PM
 
I'm curious, just so I don't mess up my MBP or worse - if I use an unprotected network, say a neighbor's or Starbucks, will my computer be vulnerable to other people using the network or the administrator? They can't look into my computer, can they?

I know some people who won't check their bank accounts or credit cards when they're using an unprotected network since they think someone could hack into their computer while they're doing it and steal that information.

And just in general, should I be nervous using an unprotected network?
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Oct 9, 2007, 01:24 PM
 
Is OS X vulnerable? No. Is your unencrypted network data vulnerable? Yes. It is very easy to snoop on unencrypted traffic. More likely than not no one's going to be watching, but that hope isn't a very good form of security. At the very least I'd more frequently change passwords on accounts logged into on an open network. Or you can secure yourself with a VPN.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
MacosNerd
Professional Poster
Join Date: Jun 2007
Oct 9, 2007, 01:24 PM
 
No more vulnerable than when on your own network at home. Unlike Windows, OSX is very secure out of the box. Making sure you only have the services that you need turned on and others turned off and have the firewall turned on should be more than sufficient.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Oct 9, 2007, 01:27 PM
 
You should be fine on OS X. Just make sure you have all the latest security updates, just to be safe. Encrypted sites like your bank will provide security from your browser to their end, even if the wifi network itself is unencrypted. However, many email accounts don't use secure transmission, so if you check something like an Earthlink account through its POP3 option in a client like Mail or Entourage, your password and email would be vulnerable to sniffing and intercept on an unencrypted network. For practical purposes, I also consider WEP as unencrypted.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 9, 2007, 01:29 PM
 
Originally Posted by MacosNerd View Post
No more vulnerable than when on your own network at home. Unlike Windows, OSX is very secure out of the box. Making sure you only have the services that you need turned on and others turned off and have the firewall turned on should be more than sufficient.
No no no no no, this is bad advice.

This is not a platform issue, this is an issue of network security. If you have a Mac or a Commodore 64 on an insecure wireless network, you are insecure, period.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Oct 9, 2007, 01:30 PM
 
Originally Posted by besson3c View Post
No no no no no, this is bad advice.

This is not a platform issue, this is an issue of network security. If you have a Mac or a Commodore 64 on an insecure wireless network, you are insecure, period.
Your transmitted data is insecure, but a patched OS X system is far more secure than anything else.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 9, 2007, 01:32 PM
 
Originally Posted by Cold Warrior View Post
Your transmitted data is insecure, but a patched OS X system is far more secure than anything else.
Isn't that what he is talking about? Sending credit card and bank info over an insecure network?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 9, 2007, 01:34 PM
 
never mind... I had posted a link to the Wikipedia article on war driving:

Wardriving - Wikipedia, the free encyclopedia

but war driving only pertains to people driving around looking for networks, not necessarily sniffing unencrypted traffic.
     
trip221  (op)
Fresh-Faced Recruit
Join Date: Aug 2007
Oct 9, 2007, 01:44 PM
 
I guess I don't know what my exact questions are, but:

1. If on an unprotected network - can people look into my computer at my files?

2. If I'm on an unprotected network but using an encrypted website, say the bank or credit card company - can I safely log-in and access those accounts since the website itself is encrypted, but not the network?

I ask only because I'm coming from a desktop pc, so I have no experience with wireless stuff or OS X.

Thanks
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 9, 2007, 01:47 PM
 
Originally Posted by trip221 View Post
I guess I don't know what my exact questions are, but:

1. If on an unprotected network - can people look into my computer at my files?
Not unless you've enabled some sort of software on your computer that provides a backdoor for such activities. As far as normal OS X installs go - no.

2. If I'm on an unprotected network but using an encrypted website, say the bank or credit card company - can I safely log-in and access those accounts since the website itself is encrypted, but not the network?
No. It is quite easy to listen in (or "sniff") unencrypted wireless traffic before it even leaves the wireless network. I would not do this in a public place on an insecure network. Some might not even do this on a secure network.

Hope this helps...
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 9, 2007, 01:54 PM
 
Originally Posted by Cold Warrior View Post
Your transmitted data is insecure, but a patched OS X system is far more secure than anything else.
Not to nit-pick, but technically speaking, a Linux/BSD machine can be secured the same way, even more so than a default OS X machine. It all depends on what options are enabled in the case of OS X, and how security minded you are as an individual.

Sorry, I just generally dislike overly simplistic "do this and you are impervious" sorts of advice. I'm not suggesting that we should all be paranoid (I'm not), but it is good to learn as much about IT security as we are interested in and/or can tolerate. Ignorance (or if you want to use a less offensive term - lack of knowledge) is never a good security technique. There are no just-add-water products that provide absolute security, just relative security, and enough deterrents to hopefully ward off interest in your system/network.
     
MacosNerd
Professional Poster
Join Date: Jun 2007
Oct 9, 2007, 02:03 PM
 
Originally Posted by besson3c View Post
No no no no no, this is bad advice.

This is not a platform issue, this is an issue of network security. If you have a Mac or a Commodore 64 on an insecure wireless network, you are insecure, period.
Huh??, he's as secure on another network as he is on his home network. That means he needs to make sure his computer has only services he needs and his firewall is on. How is that bad advice?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 9, 2007, 02:07 PM
 
Originally Posted by MacosNerd View Post
Huh??, he's as secure on another network as he is on his home network. That means he needs to make sure his computer has only services he needs and his firewall is on. How is that bad advice?
You don't send sensitive data via an insecure wireless network in a public place for the reasons I've described. I'm sorry for jumping on you like that, but I just thought that the fact that there are people out there doing things such as traffic sniffing was relatively well-known. There are even recipes for cracking WEP encryption you can find with a Google search.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Oct 9, 2007, 02:11 PM
 
Originally Posted by trip221 View Post
2. If I'm on an unprotected network but using an encrypted website, say the bank or credit card company - can I safely log-in and access those accounts since the website itself is encrypted, but not the network?
yes.

Originally Posted by besson3c View Post
No. It is quite easy to listen in (or "sniff") unencrypted wireless traffic before it even leaves the wireless network. I would not do this in a public place on an insecure network. Some might not even do this on a secure network.
You're wrong, unless you misspoke. On an open or WEP-encrypted network, someone using a secure website is still ok as long as they're in the fully secure environment. Encryption is handled by the browser using TLS or SSL when you load the page. Regardless of the wifi network's encryption level (read: none), the data from web page to bank server will be encrypted.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 9, 2007, 02:13 PM
 
Originally Posted by Cold Warrior View Post
You're wrong, unless you misspoke. On an open or WEP-encrypted network, someone using a secure website is still ok as long as they're in the fully secure environment. Encryption is handled by the browser using TLS or SSL when you load the page. Regardless of the wifi network's encryption level (read: none), the data from web page to bank server will be encrypted.

But the data coming from your keyboard outside of that wireless network will not be, that's the point.


Edit: I'm wrong. What I'm saying only applies to keystroke loggers...
     
MacosNerd
Professional Poster
Join Date: Jun 2007
Oct 9, 2007, 02:18 PM
 
Originally Posted by besson3c View Post
You don't send sensitive data via an insecure wireless network in a public place for the reasons I've described.
Right and people think they're even less secure when they're on another network without realizing that they're just as vulnerable on their own network.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 9, 2007, 02:22 PM
 
Originally Posted by MacosNerd View Post
Right and people think they're even less secure when they're on another network without realizing that they're just as vulnerable on their own network.

True, your wireless base station provides enough signal to reach areas outside of your line of sight.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 9, 2007, 02:26 PM
 
Cold Warrior is right...

As long as you are communicating with SSL protected sites, that particular traffic is safe, but any other unencrypted information may not be for the reasons I've described. This could include authenticating to any unencrypted service such as FTP, unencrypted IM conversations, forum logins (many people use a single password for everything), etc.
     
trip221  (op)
Fresh-Faced Recruit
Join Date: Aug 2007
Oct 9, 2007, 02:32 PM
 
Okay, so basically I don't need to worry (any more than normal) as long as I'm using a legitimate company's website that is already encrypted. Thanks for all the info! I already feel more secure just by moving to OS X!
     
ginoledesma
Mac Elite
Join Date: Apr 2000
Location: Los Angeles, CA
Oct 9, 2007, 05:35 PM
 
Originally Posted by trip221 View Post
Okay, so basically I don't need to worry (any more than normal) as long as I'm using a legitimate company's website that is already encrypted.
Emphasis mine.

This is rare, but it has happened before. If you join someone else's network (let's say in a public area like downtown), you are subject to that network controller's traps. A rogue administrator could set up a false website to pretend it's your intended website (via transparent proxies, or whatnot). While SSL may be a means of verifying the identity of a site, some users may just ignore such warning messages (or worse, a real certificate could be used, but the site could just redirect you to the real website after it's gotten your input).

For certain things (e.g. banking institutions), I'd say visit it on a public network only if you really need to. Some banks have implemented increased security measures such as site keys or randomized passwords, so you'll know if you're looking at the real site or not.
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Oct 10, 2007, 03:06 PM
 
Didn't someone demonstrate that it is relatively trivial for a cracker to get (for e.g.) your GMail login details if they are able to obtain cookies from pages that are not encrypted. As Google only encrypt the login pages, but not the whole site once you are logged in, you are vulnerable to your data being stolen if the cracker can get those cookies. The same applies to any other site with secure login pages but not secured pages throughout.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Oct 10, 2007, 03:21 PM
 
Originally Posted by JKT View Post
Didn't someone demonstrate that it is relatively trivial for a cracker to get (for e.g.) your GMail login details if they are able to obtain cookies from pages that are not encrypted. As Google only encrypt the login pages, but not the whole site once you are logged in, you are vulnerable to your data being stolen if the cracker can get those cookies. The same applies to any other site with secure login pages but not secured pages throughout.
That's why I use gmail with a mail client (e.g., Mail, Entourage) -- because I'm able to use SSL for both gmail's POP3 & SMTP servers, ensuring my connection is encrypted at all times regardless of the network I'm on.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 10, 2007, 03:53 PM
 
Originally Posted by JKT View Post
Didn't someone demonstrate that it is relatively trivial for a cracker to get (for e.g.) your GMail login details if they are able to obtain cookies from pages that are not encrypted. As Google only encrypt the login pages, but not the whole site once you are logged in, you are vulnerable to your data being stolen if the cracker can get those cookies. The same applies to any other site with secure login pages but not secured pages throughout.
I guess it would be possible to create a fake/proxy GMail page the login form sends its post data to. Whether there was any sensitive data in the cookies/session variables would depend on how GMail is designed.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Oct 10, 2007, 03:55 PM
 
Potential gmail exploits have been in the news recently.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
frdmfghtr
Senior User
Join Date: Nov 2005
Oct 10, 2007, 05:01 PM
 
Originally Posted by Cold Warrior View Post
That's why I use gmail with a mail client (e.g., Mail, Entourage) -- because I'm able to use SSL for both gmail's POP3 & SMTP servers, ensuring my connection is encrypted at all times regardless of the network I'm on.
When you access GMail's web interface, replace the http:// with https:// when viewing your email list. You will then be accessing GMail via a secure connection.

If you use Firefox, there is a plugin that will automatically force a secure connection with GMail:

Lifehacker Code: Better Gmail (Firefox extension) - Lifehacker

Why Google doesn't require a secure connection on the web interface is puzzling, since you can do it manually.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Oct 10, 2007, 05:26 PM
 
thanks for that one
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 10, 2007, 06:25 PM
 
Originally Posted by frdmfghtr View Post
When you access GMail's web interface, replace the http:// with https:// when viewing your email list. You will then be accessing GMail via a secure connection.

If you use Firefox, there is a plugin that will automatically force a secure connection with GMail:

Lifehacker Code: Better Gmail (Firefox extension) - Lifehacker

Why Google doesn't require a secure connection on the web interface is puzzling, since you can do it manually.

Perhaps they don't require it to keep loads down?
     
Gavin
Mac Elite
Join Date: Oct 2000
Location: Seattle
Oct 11, 2007, 02:31 AM
 
Right, it has to encode the html code for every page it sends - and decrypt your replies. With several million users that adds up to lots of extra computers needed. Generally for email you don't need to encrypt it. How often do you email someone your credit card info? Also, email flies around the Internet in plain text anyway, encrypting the last step doesn't exactly make it air tight.
You can take the dude out of So Cal, but you can't take the dude outta the dude, dude!
     
Pierre B.
Grizzled Veteran
Join Date: Feb 2003
Oct 11, 2007, 08:02 AM
 
Originally Posted by ginoledesma View Post
This is rare, but it has happened before. If you join someone else's network (let's say in a public area like downtown), you are subject to that network controller's traps. A rogue administrator could set up a false website to pretend it's your intended website (via transparent proxies, or whatnot). While SSL may be a means of verifying the identity of a site, some users may just ignore such warning messages (or worse, a real certificate could be used, but the site could just redirect you to the real website after it's gotten your input).
Well, there is this danger if you have to go through the bank's site and just authenticate to connect. My bank has a different system: you can connect to your account either through a browser or their proprietary software, but in each case you have to use one more proprietary piece of software for authentication and encrypted data transmission, which will only work if you have a special file on your computer, generated automatically the first time you log in. Without that file, it is impossible to get access to your account. Also, first log in is possible only using the special codes that the bank will physically provide you with.
     
CatOne
Mac Elite
Join Date: Nov 2001
Oct 11, 2007, 01:01 PM
 
Originally Posted by besson3c View Post
No no no no no, this is bad advice.

This is not a platform issue, this is an issue of network security. If you have a Mac or a Commodore 64 on an insecure wireless network, you are insecure, period.
Sorry, but you're wrong. The default configuration of Mac OS X has *no* ports open by default. There are simply no attack vectors. You don't even need to run the firewall.

Now if you have turned on personal file sharing, or the web server, or remote login (ssh), then you could be vulnerable to hack attempts (password guesses, buffer overflows, etc.) but if you haven't turned on anything in sharing, the machine is "deaf" to attacks.

Of course, that's not to say that data you send can't be snagged on an open wireless network. Unless you have turned on ssl on Mail, for example (and for most people this is the DEFAULT!) your username and password for mail are sent over the wireless network IN THE CLEAR, and if you use the same username/password for mail as you do for your system... well someone with a sniffer can get that information in about 2 seconds. The first time you connect to the network Mail will blow that out there for all to see. Ouch.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Oct 11, 2007, 01:07 PM
 
Originally Posted by CatOne View Post
Sorry, but you're wrong. The default configuration of Mac OS X has *no* ports open by default. There are simply no attack vectors. You don't even need to run the firewall.

Now if you have turned on personal file sharing, or the web server, or remote login (ssh), then you could be vulnerable to hack attempts (password guesses, buffer overflows, etc.) but if you haven't turned on anything in sharing, the machine is "deaf" to attacks.

Of course, that's not to say that data you send can't be snagged on an open wireless network. Unless you have turned on ssl on Mail, for example (and for most people this is the DEFAULT!) your username and password for mail are sent over the wireless network IN THE CLEAR, and if you use the same username/password for mail as you do for your system... well someone with a sniffer can get that information in about 2 seconds. The first time you connect to the network Mail will blow that out there for all to see. Ouch.

How is that different from what I said? I said that you are insecure on an insecure network, because of the prospects of having unencrypted data sniffed on the LAN. You are insecure on *any* network if you use insecure protocols and transmit your password in the clear, but for different reasons (the sniffing doesn't have to take place on your LAN).

Secondly, technically speaking without running a firewall, you can make your machine vulnerable to various denial of service attacks. Running a firewall and having it properly configured can block these requests at the kernel level, rather than the network stack level.
     
fubar_this
Fresh-Faced Recruit
Join Date: Jul 2006
Oct 12, 2007, 05:54 PM
 
Originally Posted by CatOne View Post
Sorry, but you're wrong. The default configuration of Mac OS X has *no* ports open by default. There are simply no attack vectors. You don't even need to run the firewall.

Now if you have turned on personal file sharing, or the web server, or remote login (ssh), then you could be vulnerable to hack attempts (password guesses, buffer overflows, etc.) but if you haven't turned on anything in sharing, the machine is "deaf" to attacks.
That's not entirely true. Your computer can be compromised without any ports open. If there is a vulnerability in Safari or QuickTime that allows remote code execution (as there have been), simply visiting a Web site can compromise your computer, meaning pretty much anything can be an attack vector these days. In fact, on Windows there are very few self spreading viruses these days. Most malicious payloads are delivered by visiting compromised Web sites (such as phishing sites) or via spam. Turning on the firewall doesn't do anything in this case. You need an intrusion prevention system to prevent these types of attacks. On the Mac, there are no known exploits, but there have been many vulnerabilities posted.

For more information, look at the recent QuickTime and Safari security patches. QuickTime in particular has had several remote code execution vulnerabilities.

Also, to say that Mac OS X has no ports open is a false statement. First, mDNSResponder is running all the time on Mac OS X. It's listening on port 5353. Also Mac OS X runs ntpd on port 123 when you have Network Time Sync enabled in System Preferences (as is the default). Finally, most of the time your computer is running SLP (port 423). Run sudo lsof -i on the command line and you'll see at least 3 or 4 ports open, even if you have never turned on any services in Mac OS X.
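
Added example (not part of the post above or any poster's code): a small filter that reduces `lsof -i` output to the sockets another machine on the same network can actually reach, which is the check the post describes doing by eye. The function names and the sample output are constructed for illustration; `-P -n` is added to the post's command only to keep ports and addresses numeric.

```shell
#!/bin/sh
# Usage on a real machine:  sudo lsof -i -P -n | exposed_sockets

# Constructed sample of `sudo lsof -i -P -n` output (not captured from a real Mac).
sample_lsof() {
cat <<'EOF'
COMMAND   PID USER             FD  TYPE DEVICE SIZE/OFF NODE NAME
mDNSRespo  45 _mdnsresponder   7u  IPv4 0x1a2b      0t0  UDP *:5353
ntpd       80 root            20u  IPv4 0x1a2c      0t0  UDP *:123
cupsd     112 root             6u  IPv4 0x1a2d      0t0  TCP 127.0.0.1:631 (LISTEN)
sshd      230 root             4u  IPv6 0x1a2e      0t0  TCP *:22 (LISTEN)
Safari    501 trip             9u  IPv4 0x1a2f      0t0  TCP 192.168.1.5:49152->203.0.113.10:443 (ESTABLISHED)
EOF
}

# Reads lsof output on stdin and prints "PROTO/PORT COMMAND" for every socket
# that accepts traffic from the network:
#   - TCP sockets in LISTEN state
#   - UDP sockets with no connected peer
# Outbound connections and loopback-only binds are left out, because other
# hosts on the Wi-Fi network cannot reach them.
exposed_sockets() {
    awk '
    NR == 1 && $1 == "COMMAND" { next }            # skip the header row
    {
        proto = ""; name = ""; state = ""
        # Locate the NODE column by value so differing column counts still parse.
        for (i = 1; i < NF; i++) {
            if ($i == "TCP" || $i == "UDP") {
                proto = $i; name = $(i + 1); state = $(i + 2)
                break
            }
        }
        if (proto == "") next
        if (index(name, "->")) next                 # connected socket, not a listener
        if (proto == "TCP" && state != "(LISTEN)") next
        n = split(name, part, ":")                  # port is the text after the last colon
        port = part[n]
        host = substr(name, 1, length(name) - length(port) - 1)
        if (host == "127.0.0.1" || host == "[::1]" || host == "localhost") next
        print proto "/" port, $1
    }' | LC_ALL=C sort -u
}

# Demonstration on the constructed sample.
sample_lsof | exposed_sockets
```

On the sample, the Safari connection and the loopback-only cupsd listener drop out; what remains is the list worth comparing against the services you meant to enable in Sharing.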
     
Kevin
Baninated
Join Date: Oct 2002
Location: In yer threads
Oct 14, 2007, 07:58 AM
 
Originally Posted by Cold Warrior View Post
Your transmitted data is insecure, but a patched OS X system is far more secure than anything else.
This is teh correct answer.
     
Kevin
Baninated
Join Date: Oct 2002
Location: In yer threads
Oct 14, 2007, 08:05 AM
 
Originally Posted by fubar_this View Post
Run sudo lsof -i on the command line
Thanks for that bit of info BTW
     
driven
Addicted to MacNN
Join Date: May 2001
Location: Atlanta, GA
Oct 14, 2007, 11:14 AM
 
Originally Posted by Cold Warrior View Post
yes.

You're wrong, unless you misspoke. On an open or WEP-encrypted network, someone using a secure website is still ok as long as they're in the fully secure environment. Encryption is handled by the browser using TLS or SSL when you load the page. Regardless of the wifi network's encryption level (read: none), the data from web page to bank server will be encrypted.
Without WEP (which provides very little and easily breakable security) then everything you transmit is in clear-text and quite easy to capture. This would include e-mail accounts. Charter e-mail is never encrypted. GMAIL is *ONLY* if you specify https:// when you go to their web-site. (Which also implies that your password is sent unencrypted if you don't use the SSL version of the page.)

Only some sites use SSL (banks, credit card companies, etc.) of course this doesn't prevent your URLs from being sent in clear text as you load the web-site. It's not hard to figure out what someone is browsing for in Starbucks by just looking at the URLs that they are going to.

Personally I always use my company's VPN when I'm in an internet cafe such as Starbucks. At least then I know I have end-to-end encryption. (Although then my company knows everywhere I go ... so avoid job searches. :-) )
- MacBook Air M2 16GB / 512GB
- MacBook Pro 16" i9 2.4Ghz 32GB / 1TB
- MacBook Pro 15" i7 2.9Ghz 16GB / 512GB
- iMac i5 3.2Ghz 1TB
- G4 Cube 500Mhz / Shelf display unit / Museum display
     
CatOne
Mac Elite
Join Date: Nov 2001
Oct 17, 2007, 08:57 AM
 
driven, it depends on how you have your VPN configured. Mine is configured so that traffic that goes to IP addresses in the company goes through the VPN, and other traffic does not. This is configurable in the VPN settings in Internet Connect tho'... the "Send all traffic through VPN connection" checkbox.
     
driven
Addicted to MacNN
Join Date: May 2001
Location: Atlanta, GA
Oct 17, 2007, 09:45 AM
 
Originally Posted by CatOne View Post
driven, it depends on how you have your VPN configured. Mine is configured so that traffic that goes to IP addresses in the company goes through the VPN, and other traffic does not. This is configurable in the VPN settings in Internet Connect tho'... the "Send all traffic through VPN connection" checkbox.
Good call! I'm using the Cisco VPN client so I don't think that option is available. (Or if it is they may have hidden it from me.)

But yes, if you have that option be aware that you might not be protected.

I was thinking of replacing my aging wireless router at home with a new one. I originally was going to go with the Apple Airport Extreme. (I like the ability to tether a hard drive to it.) But, I'm now thinking of getting one with a built in VPN.

Has anyone used one of these?
- MacBook Air M2 16GB / 512GB
- MacBook Pro 16" i9 2.4Ghz 32GB / 1TB
- MacBook Pro 15" i7 2.9Ghz 16GB / 512GB
- iMac i5 3.2Ghz 1TB
- G4 Cube 500Mhz / Shelf display unit / Museum display
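
Added example (not from any poster in this thread): a check for the split-tunnel situation CatOne and driven discuss above, reading the routing table to tell whether general traffic actually leaves through the VPN interface. The function names, the interface names (ppp0, en1) and both routing tables are constructed for illustration and assume the macOS `netstat -rn` layout.

```shell
#!/bin/sh
# Usage on a real machine:  netstat -rn -f inet | vpn_mode ppp0

# Constructed table: VPN up on ppp0 but only the company range is routed
# through it; the default route still goes out over Wi-Fi (en1).
sample_split() {
cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           12        0     en1
10/8               ppp0               USc             3        0    ppp0
127.0.0.1          127.0.0.1          UH              1      120     lo0
192.168.1          link#5             UCS             2        0     en1
EOF
}

# Constructed table: "send all traffic" behaviour, the first default route
# points at the VPN interface.
sample_full() {
cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.8.0.1           UGSc           14        0    ppp0
default            192.168.1.1        UGScI           2        0     en1
10.8.0.1           10.8.0.2           UH              1        0    ppp0
192.168.1          link#5             UCS             2        0     en1
EOF
}

# vpn_mode VPN_IF: reads a routing table on stdin and prints one of
#   full-tunnel   first default route (or the 0/1 + 128.0/1 pair that some
#                 VPN clients install instead) uses VPN_IF
#   split-tunnel  VPN_IF carries some routes, general traffic goes elsewhere
#   vpn-down      no route references VPN_IF
vpn_mode() {
    awk -v vpn="$1" '
    $1 == "Destination" {                  # header row: find the Netif column
        for (i = 1; i <= NF; i++) if ($i == "Netif") col = i
        next
    }
    col == 0 || NF < col { next }          # not a route row
    {
        if ($col == vpn) seen = 1
        if ($1 == "default" && dflt == "") dflt = $col
        if ($1 == "0/1"     && $col == vpn) low = 1
        if ($1 == "128.0/1" && $col == vpn) high = 1
    }
    END {
        if (!seen)                             print "vpn-down"
        else if (dflt == vpn || (low && high)) print "full-tunnel"
        else                                   print "split-tunnel"
    }'
}

# Demonstration on the constructed tables.
sample_split | vpn_mode ppp0
sample_full  | vpn_mode ppp0
```

A result of split-tunnel on an open network means web and mail traffic to anything outside the company range is still crossing the Wi-Fi unprotected by the VPN.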
     
   
 