Sunday, September 1, 2013

Protect Your Surfing Over Public Wifi

Welcome to Part Three in a series of posts on privacy and security. Before, we talked about Tor and email encryption to keep the NSA away, but today's post will deal with the threats hackers pose, and probably your biggest vulnerability point, surfing over public wifi. Anytime you take your shiny old Mac to a Starbucks and have people gawk at its heretofore undiscovered form factor, you're connecting to a public network susceptible to hackers sniffing for and grabbing all your clear text data. They can see your surf habits, grab passwords, email, or worse. But you still want to surf, right? The solution to all this is encapsulated in the phrase encrypt all the things.

Let's start with the step so obvious I forgot to put it in the first version of this post ;) Turn on your laptop's firewall in OS X's Preferences --> Sharing --> Firewall, and also check that Stealth Mode is enabled by clicking the "Advanced..." button. Linux users can enable their firewall with ufw (Uncomplicated Firewall) or its GUI frontend, Gufw.

Back to encrypting all the things. The simplest and most basic thing you can do is install the Firefox add-on HTTPS Everywhere. This will enforce HTTPS encryption for all traffic on sites that support it and prevent those sites from reverting back to HTTP after you log in.

Got email to send? Encrypt it, or you don't send it. It's really that simple.

If you're chatting, use OTR (off the record) encryption. Pidgin and Adium support it. There's also a Firefox add-on called Cryptocat that in theory looks awesome but suffered a slight scandal recently when it was revealed it had a huge security hole caused by a rookie mistake by the developers. So you may want to avoid that.

As long as we're talking about Mozilla browsers, TenFourFox and Iceweasel users might want to take steps to protect their passwords because, locally anyway, they're, um, completely unprotected. In a fit of jealousy and envy at your beautiful PowerPC Mac, some miscreant could steal it and have access to all your passwords with a simple trip to the Preferences. So go into Preferences --> Security and set a master password. We don't want to make it that easy for 'em.

All that's well and good, but what if you want all your web traffic encrypted, not just HTTPS supported sites? Here's where things get cool. If you have an old Mac lying around not doing anything, you could turn it into a headless SSH server. Then you can set up a SOCKS proxy and tunnel all your web traffic at Starbucks through an encrypted connection to your home server and then on to its ultimate destination. Hackers locked out.

Setting up a server is as simple as it gets. On Debian Linux, if it's not already installed, just install openssh-server and it should automatically run as a daemon. On OS X, go to System Preferences --> Sharing and click the checkbox next to Remote Login. And that's it! Your computer's now a server. You may also need to forward a port on your router. Port 22, TCP only, is standard for SSH.

(UPDATE: I've also learned routers running on Tomato or DD-WRT firmware have their own SSH servers built in, so you don't even need another computer. Set up your router with instructions for Tomato or DD-WRT.)

Now that that's all set, let's open a tunnel from your obnoxiously chic coffee shop. In a terminal, enter:

ssh -CND 9999 user@hostname.com

where user is the username on the server machine and hostname.com is your server's ip address or a hostname you got from DynDNS or an alternative like No-IP or FreeDNS. You'll be prompted for the username's passphrase and you're in. It should be noted that for even better security, you can look into generating SSH public and private keys for passphrase-less login, but that's a bit beyond the scope here. Now leave the terminal window open and move on to configuring your browser.

Under Manual configuration, you'll want to set it to SOCKS host: 127.0.0.1, port 9999, SOCKS v5. Also, No Proxy For: localhost, 127.0.0.1. In TenFourFox, it looks like this (Preferences --> Advanced --> Network --> Settings):

TenFourFox proxy preferences

(Note, to switch back click the "No proxy" or "Use system proxy settings" button.)

To also prevent DNS leaks, go into about:config and change network.proxy.socks_remote_dns to "true." That way your DNS requests are encrypted through your SSH tunnel as well. To plug DNS leaks in other applications, Privoxy is your best option.

In TenFourFox/Iceweasel, anyway, you're good to go. Or as hackers might see it, gvES R∆∂®456E Rkop∫∆®∂ßghZX∂ ≈߃®∆∆kj lytudGFø πµ˜ç√ß∂ß®dfew∫µˆ∆†¥ ƒƒçFGESR˚∆ƒ©ß®ƒç∫∆ NMFGçƒ∆¬∆˚FXgfgdzdx ∫√∂ƒ≈∂ƒGFFDRGHY©√ƒ∂ƒ©g

Encryption humor. Then when you want to terminate the session, hit ctrl-c in the terminal and you're out. To keep from having to switch your browser preferences every time, you can create a separate user profile or look into an add-on like FoxyProxy.

That takes care of encrypted web browsing, but what about encrypting all your traffic, HTTP, NNTP, Bittorrent, everything? For that you need to connect to a VPN (Virtual Private Network). There are some free ones, but for anything good you have to pay. On the client side, Tunnelblick still supports Tiger and PowerPC, so go over and download that if you want to give VPNs a try. On Linux, openvpn is both a client and server package from the command line. And there's gadmin-openvpn-client for a GUI.

And for the truly adventurous, you can eschew VPN paid services and set up your own VPN server on that headless Mac we were talking about. I tried to do this with OpenVPN, but so far I've struck out. If your kung fu is better than mine, you can install openvpn with Tigerbrew or MacPorts (the port is called openvpn2) on OS X or with your package manager on Linux. I'll leave some links on the subject that may be helpful or may just pull you in deeper.

Some Mac-centric instructions:
http://remonpel.nl/2012/02/set-up-an-openvpn-server-on-your-mac/

Get easy-rsa here:
https://github.com/OpenVPN/easy-rsa (the instructions in the above first link show easy-rsa is installed with openvpn, but in newer versions you have to install easy-rsa separately)

How to solve a certain error message:
https://ubuntuforums.org/showthread.php?t=2001055

Alternately, you can set up a VPN server on your DD-WRT router:
http://sriramk.com/ddwrt-pptp-vpn

OpenVPN's HowTo:
http://openvpn.net/index.php/open-source/documentation/howto.html

Apparently there's some extra setup to get OpenVPN to really really tunnel all traffic through the server:
http://blog.johnford.org/openvpn-tunnel-to-home-server/

Finally, on the theme of security, Cameron Kaiser passed on word of a jaw dropping security hole involving sudo in OS X. Fortunately the fix is simple, and you can read in his comments section on how to use vi or nano to do it. Seriously, you'll want to fix this.

4 comments:

  1. That has mostly to do with private companies letting the NSA sneak back doors into their closed source products. Encrypting your email, or chatting with OTR, with open source programs still works. Unfortunately with https, you have to trust the websites not to have a secret arrangement with the government, and, well...Prism showed there's not much to trust there.

    ReplyDelete
  2. Agree that when you are at social networking sites one of these secret agencies take a close look on your activities.

    Thanks
    Silvester Norman

    Change MAC Address

    ReplyDelete
  3. Well MAC Filtering is the best and most effective technique that can be used for protecting your WiFi connection.

    Thanks
    Silvester Norman

    Change MAC Address

    ReplyDelete
  4. This comment has been removed by the author.

    ReplyDelete