Solved

Security basics

Posted on 2005-03-24
Last Modified: 2011-10-03
Need some advice on how to protect my data sent out over the net when I'm connected to various environments (web cafes, wireless hotspots, ethernet hub/switched networks) from my laptop (or desktop for that matter) ... I just discovered Ethereal and ettercap, and need to shore up my security.

The biggest concern is to protect email, web, and FTP. What's the best way to prevent eavesdropping? Thanks all ...

note: follow up question here: http://www.experts-exchange.com/Security/Q_21364326.html
Question by:Gitcho
11 Comments
 
LVL 8

Accepted Solution

by:
mugman21 earned 500 total points
ID: 13629194
Gitcho,

There are several ways to prevent people from 'sniffing' your web communications, but they apply only in certain instances. The more general answer to your question is there isn't a whole lot you can do.....

First I'll start with the web.

When viewing websites, in general, there is no way to encrypt the data that is sent back and forth between your computer and the server. The obvious exception to this is when SSL (Secure Socket Layer) is used. When browsing the web, you'll know that SSL is in use by the little padlock icon in your browser's status bar. When SSL is used (which is a form of encryption), the web server you're connecting to will send you its PUBLIC crypto key. Your browser in turn uses the received crypto key to encode all information your computer sends to the server with random data. When the web server receives your encrypted communication, it in turn uses its PRIVATE crypto key to decipher the data that was produced randomly using the PUBLIC key.

The overwhelming majority of websites only use SSL when it is absolutely necessary; for example, when credit card info or a password and login information is being transmitted. The reason SSL is only used in these situations and not always is due to the overhead that is placed upon the web server's CPU. SSL, if used on every single connection with a web server, would slow down every web page request; therefore it's only used when it's absolutely vital. Basically, you cannot guard against sniffer software that is between you and the server!

Second, regarding email.

When using email, if it is POP mail, you can use certificates to encrypt the email. The catch is, whoever is receiving the email you send must have your PUBLIC certificate installed on THEIR computer. MIT created a great encryption program called PGP (Pretty Good Privacy) which will integrate seamlessly into Outlook and Outlook Express. If using PGP while sending email, the packets can still be sniffed out, but the data portion of the packet (which contains your email message) will be encrypted and nearly impossible to break.

If using IMAP for email (web based email), using PGP you can copy and send the encrypted text of an email. PGP has a clipboard you can copy your message to, encrypt it, then paste it into your email message.

Third, regarding FTP.

There are some FTP servers that support sFTP, but not many. There is nothing you can do about that. American Express is the only company I've run into that used sFTP (because I was downloading a yearly statement).


In a nutshell, there isn't a whole lot you can do. There are some services out there that provide proxy servers with encryption, but the problem with those is once you pass through them, once again, your data is not encrypted.

Mugman
0
 
LVL 5

Author Comment

by:Gitcho
ID: 13630526
Can't I use SSH to add a secure layer?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 13630680
An encryption solution is the best way to go; a VPN is suited to this very well. Now at some point your data is going to be plain-text, unless the services you use support an encrypted solution. Your email provider would have to use PGP or some certificate based encryption, or like PGP some sort of public key encryption. Web surfing is plain-text typically, such as a search of google.com or even reading hotmail. But httpS traffic is typically SSL encrypted, such as an online shopping cart ecommerce system.
You can mitigate what others see by VPN'ing into a source that isn't likely to be sniffed, such as your home PC on a cable-modem or a DSL connection. If you're wirelessly surfing, you could RemoteDesktop to your home PC and surf the web using it, sending the display to your laptop on a wireless cafe connection. Or VPN to your home PC and have all your packets encrypted to/from your home PC. RemoteDesktop is encrypted by default and is a very easy solution to encrypting the data over an otherwise unencrypted, or poorly encrypted, connection such as wireless access points.

Your home PC should be secured properly with a firewall, allowing only the ports to the VPN listening port, and/or the TerminalService/RemoteDesktop port. This port can be changed to throw off a would-be hacker. Your laptop should do the same; it would not need any listening ports open. The XP firewall is very good with this task for either machine, but it's not as configurable as other software firewalls on the market.

You could also sign up for Anonymizer.com's services (or similar) where the traffic between you and the anonymizer servers is encrypted, http and smtp (or pop3).
Again, the connection is encrypted between you and the anonymizer service, but is (in most cases) plain-text from anonymizer to the internet as there is no other way. Sniffing anonymizer's connection would only be possible by an ISP providing them a connection, or any ISP that traffic is routed through, and the website or other application service provider themselves.
-rich
0
 
LVL 5

Author Comment

by:Gitcho
ID: 13631473
Good info, Rich ... what about SSH?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13631595
SSH is simply an encrypted protocol, and you can configure about anything to run over it in most cases. SSH stands for Secure SHell. It's an encrypted way to connect to a server and type commands on a command line in its native development state. You can think of httpS traffic as http over SSH, but it's not really over SSH, it's SSL.

SCP is Secure CoPy, which is copying files over ssh; SFTP is SecureFTP, or ftp over ssh. Again, you can use lots of things over ssh; you must be able to port forward, or have a utility that is configured to run the ssh wrapper over its protocol (like in the case of sftp).

http://en.wikipedia.org/wiki/Ssh
http://en.wikipedia.org/wiki/Secure_Sockets_Layer

Be sure to use the latest ssh you can, and version 2 also.
-rich
0
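A self-audit sketch for the advice in this thread, added here as an example and not part of any poster's reply: it reads Windows `netstat -an` style output and flags established connections to the cleartext ports discussed (FTP, HTTP, POP3, SMTP), separating them from SSL/SSH ports and from loopback endpoints such as an SSH port forward. The sample table is constructed, and classifying by well-known port is an assumption: a service on a non-standard port, or one upgraded with STARTTLS, is not detected.

```python
import re

# Well-known ports for the services discussed in this thread (assumed defaults).
CLEARTEXT = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}
ENCRYPTED = {22: "SSH/SFTP/SCP", 443: "HTTPS", 465: "SMTP over SSL",
             993: "IMAP over SSL", 995: "POP3 over SSL"}

# Constructed sample in `netstat -an` style (documentation addresses, not real hosts).
SAMPLE = """\
  TCP    192.168.1.23:1045    203.0.113.10:110     ESTABLISHED
  TCP    192.168.1.23:1046    203.0.113.10:995     ESTABLISHED
  TCP    192.168.1.23:1050    198.51.100.7:80      ESTABLISHED
  TCP    192.168.1.23:1051    198.51.100.7:443     ESTABLISHED
  TCP    192.168.1.23:1060    192.0.2.44:21        ESTABLISHED
  TCP    192.168.1.23:1061    192.0.2.99:22        ESTABLISHED
  TCP    127.0.0.1:1070       127.0.0.1:1110       ESTABLISHED
  TCP    0.0.0.0:135          0.0.0.0:0            LISTENING
  TCP    192.168.1.23:1080    203.0.113.77:8080    TIME_WAIT
"""

LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$", re.I)

def classify(remote_host, remote_port):
    """Return (verdict, detail) for one remote endpoint."""
    if remote_host in ("127.0.0.1", "[::1]"):
        return "loopback", "local endpoint (e.g. an SSH port forward)"
    if remote_port in CLEARTEXT:
        return "cleartext", CLEARTEXT[remote_port]
    if remote_port in ENCRYPTED:
        return "encrypted", ENCRYPTED[remote_port]
    return "unknown", "port alone does not tell; inspect the protocol"

def audit(netstat_text):
    """Classify every ESTABLISHED TCP connection in the netstat text."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(5).upper() != "ESTABLISHED":
            continue  # skip headers, listeners and closing sockets
        host, port = m.group(3), int(m.group(4))
        verdict, detail = classify(host, port)
        findings.append((f"{host}:{port}", verdict, detail))
    return findings

if __name__ == "__main__":
    for remote, verdict, detail in audit(SAMPLE):
        print(f"{verdict:9}  {remote:22} {detail}")
```
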
 
LVL 1

Assisted Solution

by:rmcferren
rmcferren earned 500 total points
ID: 13640429
Gmail secures pop3 and smtp email over SSL, but web based mail is not secured in that fashion. Remember that the mail is only encrypted until it reaches Google's servers and only from Google's server to your computer. IMHO, I don't think the internet was designed to handle programmers and geeks, but not the common user. Securing communications is not possible in the nature mentioned.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13642310
go with ssh, that makes ftp obsolete too ;-)
0
 
LVL 5

Expert Comment

by:tmehmet
ID: 13645830
Of course, with all this encryption and whatnot, none of this will matter over the net if password policy is not strong.

Ideally, to protect yourself, your services should be using a one-time password system, such as RSA SecurID; if you're paranoid, use PKI for authentication.

If one-time passwords cannot be implemented for technical reasons, then a solid password policy is required.

Basically, use a hard-to-guess password (e.g. alpha-numeric, upper and lower case, minimum 7 characters, and changed every 30 days).

All the encryption does is hide the traffic from being sniffed; it does not prevent someone else using PuTTY or SCP or email client/web browsers from establishing a secure connection and guessing your password.

Over the net, last line of defence is the password.

It would not hurt to use a secure client machine either; again, with keystroke loggers, all of the above can be bypassed by unscrupulous internet cafe vendors.
0
 
LVL 3

Assisted Solution

by:acsmedic
acsmedic earned 500 total points
ID: 13862094
The people above have some good ideas. They overlook one crucial piece of information though. If your PC is hacked by a virus or certain spyware, the rest of your security is suspect. The most simple thing to change to help prevent virus/spyware is to use an account that has USER rights only. I see people all of the time with firewalls, AV software and so on, but their account is admin. Then they click on the wrong link in an email or on a webpage and blammo.....you just authorized malicious software on your machine. Some will say "but Microsoft patched the last IE vulnerability" and just as fast as MS patches, others find other exploits.

Look at the runas utility, which you can use when you need to run an application with admin rights.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx
You can also right click on the executable and select runas (you may have to SHIFT + Right Click).

Good luck
0
