Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 294
  • Last Modified:

Security basics

Need some advice on how to protect my data sent out over the net when I'm connected to various environments (web cafe's, wireless hotspots, ethernet hub/switched networks) from my laptop (or desktop for that matter) ... I just discovered ethereal, and ettercap - and need to shore up my security.

The biggest concern is to protect email, web, and FTP.  What's the best way to prevent eavsdropping ? Thanks all ...

note: follow up question here: http://www.experts-exchange.com/Security/Q_21364326.html
0
Gitcho
Asked:
Gitcho
4 Solutions
 
mugman21Commented:
Gitcho,

There are several ways to prevent people from 'sniffing' your web communications, but they apply only in certain instances. The more general answer to your question is there isn't a whole lot you can do.....

First I'll start with the web.

When viewing websites, in general, there is no way to encrypt the data that is sent back and forth between your computer and the server. The obvious exception to this is when SSL (Secure Socket Layer) is used. When browsing the web, you'll know that SSL is in use by the little padlock icon in your browsers statusbar. When SSL is used (which is a form on encryption), the webserver your connecting to will send you its PUBLIC krypto key. Your browser in turn uses the received krypto key to encode all information your computer sends to the server with random data. When the webserver receives your encrypted communication, it in turn uses it's PRIVATE krypto key to decipher the data that was produced randomly using the PUBLIC key.

The over whelming majority of websites only use SSL when it is absolutly nessasary; for example when credit card info or a password and login information is being transmitted. The reason SSL is only used in these situations and not always is due to the overhead that is placed upon the webservers CPU. SSL if used on every single connection with a web server would slow down every web page request therefor its only used when it's absolutly vital. Basically, you can not guard against sniffer software that is between you and the server!

Second, regarding email.

When using email, if it is POP mail, you can use certificates to encrypt the email. The catch is, whoever is receiving the email you send, must have your PUBLIC certificate installed on THEIR computer. MIT created a great encryption program called PGP (Pretty Good Privacy) which will integrate semlesly into outlook and outlook express. If using PGP while sending email, the packets can still be sniffed out, but the data portion of the packet (which contains your email message) will be encrypted and nearly impossible to break.

If using IMAP for email (web based email), using PGP you can copy and send the encrpted text of an email. PGP has a clipboard you can copy your message to, encrypt it, then paste it into your email message.

Third, regarding FTP.

There are some FTP servers that support sFTP, but not many. There is nothing you can do about that. American Express is the only company I've ran into that used sFTP (because I was download a yearly statement).


In a nutshell, there isn't a whole lot you can do. There are some services out there that provide proxy servers with encryption, but the problem with those is once you pass threw them, once again, your data is not encrypted.

Mugman
0
 
GitchoAuthor Commented:
can't i use SSH to add a secure layer ?
0
 
Rich RumbleSecurity SamuraiCommented:
A encryption solution is the best way to go, a VPN is suited to this very well. Now at some point your data is going to be plain-text, unless the services you use support an encrypted solution. Your Email provider would have to use PGP or some certificate based encryption, or like pgp some sort of public key encryption. Web surfing is plain-text typically, such as a search of google.com or even reading hotmail. But httpS traffic is typically SSL encrypted, such as an online shopping cart ecommerce system.
You can mitigate what others see by VPN'ing into a source that isn't likely to be sniffed, such as your home PC on a cable-modem or a dsl connection. If your wirelessly surfing, you could RemoteDesktop to your home PC and surf the web using it, sending the display to your laptop on a wireless cafe connection. Or VPN to your home PC and have all your packets encrypted, to/from your home PC- RemoteDesktop is encrypted by-default and is a very easy solution to encrypting the data over an otherwise unencrypted, or poorly encrypted connection such as wireless access points.

Your home pc should be secured properly with a firewall, allowing only the ports to the VPN listening port, and or the TerminalService/RemoteDesktop port. This port can be changed to throw off a would be hacker. Your Laptop should do the same, it would not need any listening port's open, the XP firewall is very good with this task for either machine, but it's not as configurable as other software firewalls on the market.

You could also sign up for Anonymizer.com's services (or similar) where the traffic between you and the anonymizer servers are encrypted, http and smtp (or pop3)
Again, the connection is encrypted between you and the anonymizer service, but is (in most cases) plain-text from anonymizer to the internet as there is no other way. Sniffing anonymizer's connection would only be possible by an ISP providing them a connection, or any ISP that traffic is routed through, and the website or other application service provider themselves.
-rich
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
GitchoAuthor Commented:
good info rich ...  what about SSH ?
0
 
Rich RumbleSecurity SamuraiCommented:
SSH is simply an encrypted protocol, and you can configure about anything to run over it in most cases. SSH stands for Secure SHell. It's an encrypted way to connect to a server and type commands on a command line in it's native development state. You can think of httpS traffic as http over SSH, but it's not really it's over ssh it's SSL

SCP is Secure CoPy, which is copying files over ssh, SFTP is SecureFTP- or ftp over ssh. Again you can use lot's of thing over ssh, you must be able to portforward, or have a utility that is configured to run the ssh wrapper over it's protocol (like in the case of sftp)

http://en.wikipedia.org/wiki/Ssh
http://en.wikipedia.org/wiki/Secure_Sockets_Layer

be sure to use the latest ssh you can, and version 2 also.
-rich
0
 
rmcferrenCommented:
Gmail secures pop3 and smtp email over SSL, but web based mail is not secured in that fasion.  Remember that the mail is only encrypted until it reaches google's servers and only from google's server to your computer.  IMHO, I don't think the internet was designed to handle programmers and geeks, but not the common user.  Securing communnications is not possible in the nature mentioned.
0
 
ahoffmannCommented:
go with ssh, that makes ftp obsolete too ;-)
0
 
tmehmetCommented:
Fo course with all this 'encryption and wot not,  none of this will matter over the net if password policy is not strong.

ideally, to protect yourself, your services should be using a one time password system, such as RSA SecurID, if your paranoid, use PKI for authentication.

If one time passwords cannot be implemented for technical reasons, then a solid password policy is required.

basically use a hard to guess password (eg. alpha-numeric-upper and lower case - minimum 7 characters and changed every 30 days).

All the encyption does is hide the traffic from being sniffed, it does not prevent someone else using putty or SCP or email client/web browsers from establishing a secure connection and guessing your password.

Over the net, last line of defence is the password.

would not hurt to use a secure client machine either, again, with keystroke loggers, all of the above can be bypassed by unscrupelous internet cafe vendors.
0
 
acsmedicCommented:
The people above have some good ideas. They overlook one crucial piece of information though. If your PC is hacked by virus or certain spyware the rest of your security is suspect. The most simple thing to change to help prevent virus/spyware is to use an account that has USER rights only. I see people all of the time with firewalls, AV software and so on but their account is admin. Than they click on the wrong link in an email or on a webpage and blammo.....you just authorized malicious software on your machine. Some will say "but Microsoft patched the last IE vulnerability" and just as fast as MS patches others find other exploits.

Look at the runas utility which you can use when you need to run an application with admin rights.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx
you can also right click on the executable and select runas (you may have to SHIFT + Right Click)

Good luck
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now