Jimiz.net – Jim Becher on the web

I went to a coffee shop today to do some work. Update a few documents and get some random things I have been putting off.    As always I log onto the coffee shop wireless and connect to my VPN.  (read other articles here and here).

After completing the items I had set out to do.  I took some time to do some poking around on the wifi.  Since wireless is basically you sharing a network with others, it is easy to see what people are doing.  I used a simple nmap query to see who my neighbors are.

That scan showed me 5 active people and their IP.   It also let me know that the router had HTTP running.   Since I already knew the PC names and what ports they had open. (some one had a web server running).  I decided to look at the wireless router.  To my surprise it was running DD-WRT, my favorite router firmware.    DDwrt is a very powerful router firmware that can turn a basic wireless router into a great device.

However there are a few settings you need to understand when using DDWRT.  One in particular is to disable the default status page for unauthenticated users.  This page shows a lot of information that you don’t want snooping people like me to see.   Things like:

• Public IP
• Firmware version
• Device Type and name
• Connected users (IP address, mac address, dhcp lease)

Not only was this on but I was able to also see the other computers on the network (with out doing a nmap scan).   So everyone who had connected in the last 2 hours pc was listed on this page.  I decided to push up a pic.  My pc is called TP2.

This is scary to me because someone took the time to use a great opensource Firmware but not the time to properly secure it.    It is also interesting to see the number of android devices that were using the wifi.  I guess the same is true for iPhone devices.

I can’t stress this enough, when on public wifi use a VPN.  If you don’t have one.  Head on over to wifi-vpn.com and subscribe or purchase.

The other item on the list is BT, that is the backtrack vm that I started to do some network sniffing.

I’ve posted before regarding browsing the web on a public wifi network like your local coffee shop or restaurant. I will repeat my message, this type of browsing is not secure, you don’t know who else is on the same network you are using. It is not hard for someone to view your sessions or info. (take for example firesheep) It allows anyone that uses firefox the ability to download a plug-in and see other wifi users facebook sessions.

So what are you suppose to do? To begin with, you should secure your connection to the internet. Securing your connection can be done a few ways. Some of the more practical methods are SSH tunneling or a VPN connection. These allow you to use an unsecured wifi network and send your traffic to a known secure network somewhere else.

If you are unsure what a SSH tunnel or a VPN is, you may have more trouble securing your connection. For the novice I suggest using a Free or Paid VPN service if your work does not offer one.

Here are two free VPN connections that I am aware of:
1. OPENVPN.net – http://www.openvpn.net/ SSL/TLS based VPN that you need to install software to use (windows or linux)
2. MacroVPN – http://www.macrovpn.com/
3. USA IP – http://www.usaip.eu/en/free_vpn.php
4. Projectloki – http://www.projectloki.com/

Paid VPN connections
1. AlwaysVPN – http://alwaysvpn.com/
2. Wifi-vpn – http://www.wifi-vpn.com/
3. AccessVPN – http://www.accessvpn.com/
4. http://worldvpn.net/

I have not used any of these services but have seen them on a few top 5 lists. I use both SSH and VPN connections back to my home or my office to secure my connections.

I recommend using a PPTP client on your home router as a simple method to secure your connections. Read my article on how to setup a VPN on DDWRT.

There was an interesting article on lifehacker regarding offline file shareing. Kind of like the old “sneaker net”. Where you would put files on a disk and walk the over to someone. The concept of this offline peer-to-peer is to place a flashdrive or similar item into a permanent fixture and people go to that location and either leave info or pick up info.

I’m not sure if this will go any where but it made me think of how offline info is important and useful. Wouldn’t it be interesting that instead of a physical device it was more of a virtual thing. Instead of a flash drive, how about a wireless network that was open and had a file share on it. To get to the information you would have to physically be in the area of the Wireless network (say 100 yards or so) to get or share data.

So instead of being offline it would be more like off the grid. Because this would require some power to run the wifi.
http://lifehacker.com/5689159/create-an-offline-peer+to+peer-filesharing-network-with-usb-dead-drops

I love the new firefox plug-in that allows you to view user sessions. It is a simple plug-in called firesheep that uses winpcap to capture packets and hijack web sessions. If you have not heard of this head on over to firesheep and read more

What I find funny is the fact that people are all worked up about their security and the fact that others could see what they are doing. I am amazed, that people somehow think that a wifi hotspot is secure. I’ve seen people do online banking at starbucks, or a few online purchases at BigB’s. If you are not sure of who is giving you WiFi (public wifi does not count) than don’t do anything that you would not want the person to see next to you.

Firesheep is a good example of this, it no longer takes a “computer guy” to be able to sniff packets and basically snoop on your browsing. It is now a simple click and install and watch other’s facebook info…

Here is a great article about the legality of using firesheep. (http://www.computerworld.com/s/article/9194159/Is_it_legal_to_use_Firesheep_at_Starbucks_)
I find this interesting, basically the argument would be that you are doing something illegal by use of wiretap. I would equate firesheep to the same as two people in a coffee shop talking. One person is next to you and the other is all the way across the room. The person next to you is yelling at the top of their lungs to communicate to the person on the other side of the room. Hey may be yelling his credit card number to be able to purchase a coffee drink, or maybe his username / password to his bank account to allow the other guy to enter it into the computer for him. The same is when you share a wireless (wifi) network with your closest friends at a coffee shop you are basically yelling your information over the wire (or wireless in this case).

If a person decides to listen, is that illegal? Aren’t you and that other person sharing the same space , communication, it’s not illegal to both communicate. When does it become illegal to listen?

If you are concerned about people snooping, use some type of security tunnel to your home network, use ssl everywhere, or setup a vpn. If you don’t know about these things and would like some help, give me a call or email. I can help you understand how to do this and also why to do this.

There is now a little firefox plug-in for detecting firesheep called black sheep. http://www.zscaler.com/blacksheep.html Reminds me of the fuzz buster.. then there was the radar detector detector….

It is amazing how reliant you get on internet access. Over the weekend a few things happened with our family and the need to communicate and send messages. I realized that I have become dependent on being able to either just pick up a phone or have some type of communication.

Because of the location where we were the cell signal is weak. If you go outside you are ok, however in a rainstorm it is a bit difficult to go outside and have a conversation.

In the end I was able to get the wifi back up (we get wifi from a very long distance repeater – high wind can cause some interference). Used a few tools to forward calls and in the end my favorite google voice to make a few calls.

The difficult part was anticipation of not having WiFi and missing the worldcup games on Saturday. (Thank you ESPN3)

I take technology for granted. As much as I would love to say that I could get along fine without some forms of technology I would struggle.