4

I'll most likely be using TeamViewer or LogMeIn to connect securely to another machine.
While that connection is secure, my laptop is still on a simple hotel/cafe connection.

What is recommended for locking down a machine that will be using a wireless hotel/cafe internet connection [with WinXPPro]?

-have the firewall running [always, anyway]
-disable file sharing [for the time being]
-anything else?

EDIT: is there anything that is better to use in these situations? A specific VPN perhaps?

eych

6 Answers

4

Use VPN to Encrypt the Network Traffic

Establish a VPN back to your home or office. The VPN will encrypt the network traffic.

If you don’t have VPN access make sure you use SSL (HTTPS) whenever you log in to your email account, bank account, or anything else that's sensitive. Beware of ARP poisoning as well.

Also don't use applications that make use of protocols such as telnet, pop, imap, ftp, etc. These programs send data without encryption. Instead you should be using protocols with encryption such as imaps, pops, vsftp, ssh, scp.

If you want to set up a VPN server using Microsoft products check out their articles on how to do this. If you're using Linux you can also find several free products to set you up with a VPN.

Perhaps the easiest though is to just buy a cheap VPN router or install an IPCop box or something to that effect. It really depends on your comfort level and skill level. VPN routers are pretty painless.


Make sure your laptop is PATCHED

It goes without saying but make sure you're up to date on your operating system's updates/patches.


Don't use public computers for sensitive tasks

Avoid using public computers for anything sensitive/personal such as checking email, online banking, etc. It's not your computer, you don't know what's on it, and it's simply not secure. Enough said on that one. ;-)

KPWINC
2

Be aware that hotels and airports are prime locations for people to ARP poison you. ARP poisoning is a very trivial thing to do and most people won't even know that it's been done to you.

Some of the signs of ARP poisoning are SSL certificates that suddenly pop up asking you to 'verify' them when you haven't gotten them before. Especially with sites like Yahoo mail, etc. These websites pay for root certs already installed on your machine. There shouldn't be a 'normal' reason to have to install their certificates. Cain will attempt to glean your userid and password to these sites by issuing fake certs and getting you to accept them on your machine. Once that happens, the ARP poisoner will then have access to your logon information even though you are connected via SSL.

You can try a program like XArp (which used to be free) but I've found that it returns a lot of activity and generally gets in the way.

As an aside, most AV programs will not notify on ARP poisoning...

GregD
  • Well, you must *never, ever* confirm an SSL cert without confirming it independently (over the phone) etc, otherwise SSL is close to worthless. If you keep to that, ARP poisoning is not a problem. – sleske Jul 08 '09 at 15:41
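
A way to watch for the ARP poisoning discussed in this answer without a dedicated tool, as an added example that is not part of the original post: it parses Windows `arp -a` output and flags a gateway whose MAC changed or is shared with another host. The addresses, the sample table and the baseline MAC are constructed for illustration.

```python
import re

# Matches entry rows of Windows `arp -a` output: IPv4 address, then MAC.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\b", re.I)

def parse_arp_table(text):
    """Return {ip: mac} for the unicast entries in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        # Broadcast and IPv4 multicast MACs are shared legitimately.
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        table[ip] = mac
    return table

def shared_macs(table):
    """Return {mac: [ips]} for every MAC that answers for more than one IP."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_alerts(table, gateway_ip, baseline_mac=None):
    """List the reasons the gateway's ARP entry looks suspicious."""
    alerts, mac = [], table.get(gateway_ip)
    if mac is None:
        return ["gateway %s has no ARP entry" % gateway_ip]
    if baseline_mac and mac != baseline_mac.lower():
        alerts.append("gateway MAC changed from %s to %s" % (baseline_mac.lower(), mac))
    others = [ip for ip in shared_macs(table).get(mac, []) if ip != gateway_ip]
    if others:
        alerts.append("gateway MAC %s also claimed by %s" % (mac, ", ".join(others)))
    return alerts

# Constructed sample: 192.168.1.57 answers with the same MAC as the gateway.
SAMPLE = """
Interface: 192.168.1.23 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.57          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.80          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
```

A shared MAC is not proof by itself (a router with several addresses or proxy ARP looks the same), so treat an alert as a reason to keep everything inside the VPN rather than as a verdict.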
2

Know if you can trust the hotspot.

How will you be sure that the hotspot is hosted by the cafe/hotel people (even if you can trust them), and not by someone hanging around with an attack-ready laptop on one of the other counters?

The name may even be more promising than the real hotspot when you connect.
If you ever see multiple hotspots be very wary.
And, even if it's a single station, you never know if the original station has malfunctioned, been disconnected...

Some references:

  1. Does Your Wi-Fi Hotspot have an Evil Twin?

I'd say, how much and when you use public hotspots should be dependent on the sensitivity of your communication and probably the strength of your paranoia :-)

nik
1

Mostly just exercise the caution you always should:

  • Always keep your OS fully patched
  • Don't open any ports to the outside unless you have to. An nmap scan can help you find out if you have anything open you may not be aware of. Shut these services down, make them listen on localhost only, or check that they are secure (fully patched, secure passwords etc.)
  • While using the hotspot, always assume that all your traffic is logged and analyzed. I.e., only work over a securely encrypted connection, i.e. encrypted VPN, SSH, HTTPS or similar.
  • Don't disregard any warnings your encrypted connections give you (bad SSL cert etc.).

If you follow that advice (which is mostly always a good idea anyway), you should be pretty safe.

If you need to use loads of different services over the net, a VPN is probably the easiest solution. If you need just one service (a certain website, some remote login), it's probably easier to use application-level encryption, such as HTTPS or SSH.

If a service/protocol does not use encryption, an SSH tunnel can also be useful and easier to set up than a full-blown VPN.

sleske
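
A local complement to the nmap scan this answer suggests, as an added example that is not part of the original post: it reads `netstat -an` output and lists the sockets that are bound to something other than localhost, labelling the Windows file-sharing and RPC ports. The sample output and addresses are constructed.

```python
import ipaddress

# Windows file-sharing and RPC ports, the first ones to close on a hotspot.
SHARING_PORTS = {135: "RPC", 137: "NetBIOS name", 138: "NetBIOS datagram",
                 139: "NetBIOS session", 445: "SMB"}

def exposed_listeners(netstat_text):
    """Return sorted (proto, address, port) for sockets reachable off-host."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        # TCP rows carry a state; only LISTENING sockets accept connections.
        if proto == "TCP" and parts[-1] != "LISTENING":
            continue
        host, _, port = local.rpartition(":")
        addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
        if not addr.is_loopback:  # 127.0.0.1 and ::1 are localhost-only
            found.add((proto, str(addr), int(port)))
    return sorted(found)

def sharing_exposure(netstat_text):
    """Return {port: service} for exposed file-sharing and RPC ports."""
    return {port: SHARING_PORTS[port]
            for _, _, port in exposed_listeners(netstat_text)
            if port in SHARING_PORTS}

# Constructed `netstat -an` output from a laptop with file sharing left on.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.23:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.23:1045      203.0.113.10:443       ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    127.0.0.1:1900         *:*
"""

if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE):
        print(proto, addr, port, SHARING_PORTS.get(port, ""))
```

A socket listed here can still be blocked by the firewall; the list shows what would be reachable if the firewall were off or misconfigured.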
0

Upgrade your OS. Windows XP is almost 10 years old, which means it was created before Wi-Fi hotspots were common.

Windows Vista and Windows 7 default to a new network as "public", which locks down the firewall, disables file/printer/media sharing, etc. Home & work networks can be trusted to allow these features to still work.

You still want to encrypt your connections, e.g. using https: and VPNs, of course.

Jay Bazuzi
0

If I'm working from an untrusted source I'll always bounce everything down the VPN.

I use OpenVPN, which has a config option called redirect-gateway. This sets the VPN connection as the client's default route and all traffic will be sent through the remote network.

It can be a bit slower, depending on where your VPN terminates. But providing you have host authentication to ensure that your VPN endpoint is who they say they are then you can surf safe and sound.

For computers that you don't own you should always assume that somebody else will see everything that you view and type.

Dan Carley
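
A check for the two conditions this answer relies on, full-tunnel routing and host authentication, as an added example that is not part of the original post: it audits an OpenVPN client config for `redirect-gateway` and for the server-verification directives `ca`, `remote-cert-tls server` and `verify-x509-name`. The two sample configs and the endpoint `vpn.example.com` are constructed.

```python
# Directives checked, with what their absence means for a hotspot client.
CHECKS = [
    ("redirect-gateway", "default route stays on the hotspot unless the server pushes it"),
    ("ca", "no CA to validate the server certificate against"),
    ("remote-cert-tls", "a client certificate from the same CA could pose as the server"),
    ("verify-x509-name", "server certificate is not pinned to an expected name"),
]

def parse_directives(config_text):
    """Return {directive: [args, ...]} from an OpenVPN config file."""
    directives, inline = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline:  # inside an inline block such as <ca> ... </ca>
            if line == "</%s>" % inline:
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            directives.setdefault(inline, []).append(["[inline]"])
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def audit_client_config(config_text):
    """Return (directive, reason) for each missing or mis-set check."""
    found = parse_directives(config_text)
    findings = [(name, why) for name, why in CHECKS if name not in found]
    if "remote-cert-tls" in found and ["server"] not in found["remote-cert-tls"]:
        findings.append(("remote-cert-tls", "argument must be 'server' on a client"))
    return findings

# Constructed samples; vpn.example.com is a placeholder endpoint.
WEAK = """client
remote vpn.example.com 1194 udp
ca ca.crt
"""
HARDENED = """client
remote vpn.example.com 1194 udp
redirect-gateway def1
remote-cert-tls server
verify-x509-name vpn.example.com name
<ca>
(certificate body omitted)
</ca>
"""
```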