Tuesday, November 30, 2010

Defending against hackers at their own conference



Part of going to any conference is picking and choosing the presentations to attend. But, going to a hacker conference, such as the upcoming HOPE in New York City, means taking extra care for security. In my case, I'm going to bring a Windows XP laptop. Am I asking for it?
Here's my plan, many parts of which can help anyone needing to secure a computer while traveling.
Since Internet access at the conference is via an unsecured wireless network, the most obvious first step is to use a VPN. VPNs provide the over-the-air encryption that comes with WPA or WPA2 on home/business networks.
Without a corporate home office to connect to, I pay a yearly fee for VPN access to Witopia. They offer two types of VPNs, PPTP and SSL, and have been very reliable. Yes, there are free, ad-supported VPNs, but that's not a business model for me. Some free things are great, but good security is worth paying for.
Another step that anyone using a public wireless network should take is ensuring that the operating system firewall is both running and configured properly.
On some computers I use Online Armor from Tall Emu, but in many ways the firewall built into Windows XP is just fine. What's especially nice about it is that the configuration is drop-dead simple. Complex firewall configuration is an accident waiting to happen.
If you're not sure about the state of a firewall on a computer, you can test it at Shields UP!, a free service from Steve Gibson. Stealthed ports are the best, closed ports are good enough and open ports are bad. Be aware, though, that if your computer is behind a router, any external firewall test is actually testing the firewall in the router, not your computer.
One step that is easily skipped is File and Printer Sharing. On a home or business network, we normally want to share files with other computers on the LAN. Not so on a public network. File and printer sharing will be disabled on my XP system while at the conference. With Windows 7, if you tell it that you are on a public network, it should turn off file and printer sharing.
Ad-hoc networks are another potential danger.
Normal networks, run by a router, are called "infrastructure" networks and this is the only type you want to deal with. Computers can create their own ad-hoc networks such that two computers can communicate directly without involving a router. Bad guys create ad-hoc networks in the hope of luring in unsuspecting computer users. Not me. Windows XP will be configured to never connect to any ad-hoc network, a step anyone running XP should take.
Speaking of XP, every time I boot my laptop, I will log on as a restricted user, rather than an administrator.
Normally when I travel, sensitive files are stored in a TrueCrypt container on the hard drive. However, this being a hacker conference, I'm keeping the TrueCrypt container on a USB flash drive in my pocket and I hope to never have to refer to any sensitive files while at the conference.
Even more so, I'll separate the somewhat sensitive files into a different container from the more sensitive ones.
If, however, I have to look at any of the sensitive files, this means entering the TrueCrypt password while in the belly of the beast, so to speak. To minimize potential damage, I won't use my normal password, but will create a new one specifically for the conference.
Ditto email. Beforehand, I'll change my email password, and after the conference, I'll change it back.
Speaking of email, I normally use Thunderbird, but won't at the conference.
Any client side email program has to send out your password to an email server, and this exchange is, all too often, unencrypted. VPN or not, special short-term password or not, this scares me. All my email will be done via encrypted webmail.
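To see which accounts in a mail client would expose the password, the following added example (not part of the original post) audits a Thunderbird `prefs.js` for servers whose connection security is none or opportunistic. The sample file and hostnames are constructed, and the reading of the `socketType`/`try_ssl` values (0 none, 1 STARTTLS if available, 2 STARTTLS, 3 SSL/TLS) and of a missing value as 0 is an assumption to confirm against your Thunderbird version.

```python
import re

# Assumed meaning of Thunderbird's socketType / try_ssl preference values.
SOCKET_TYPES = {0: "none (plaintext)", 1: "STARTTLS if available",
                2: "STARTTLS", 3: "SSL/TLS"}
UNSAFE = {0, 1}  # 1 falls back to plaintext if STARTTLS is stripped in transit

# Constructed sample of a Thunderbird prefs.js; hostnames are placeholders.
SAMPLE_PREFS = '''\
user_pref("mail.server.server1.hostname", "pop.isp.example");
user_pref("mail.server.server1.type", "pop3");
user_pref("mail.server.server1.socketType", 0);
user_pref("mail.server.server2.hostname", "imap.mail.example");
user_pref("mail.server.server2.type", "imap");
user_pref("mail.server.server2.socketType", 3);
user_pref("mail.smtpserver.smtp1.hostname", "smtp.isp.example");
user_pref("mail.smtpserver.smtp1.try_ssl", 1);
'''

PREF = re.compile(
    r'user_pref\("mail\.(server|smtpserver)\.(\w+)\.(\w+)",\s*"?([^")]*)"?\);')

def audit_prefs(prefs_text):
    """Return sorted (server_key, hostname, setting) for every mail server
    that would send the password without guaranteed encryption."""
    servers = {}
    for kind, key, name, value in PREF.findall(prefs_text):
        servers.setdefault((kind, key), {})[name] = value
    findings = []
    for (kind, key), prefs in servers.items():
        if "hostname" not in prefs:
            continue
        if kind == "server" and prefs.get("type") not in ("pop3", "imap"):
            continue  # skip local folders, news and similar entries
        field = "socketType" if kind == "server" else "try_ssl"
        mode = int(prefs.get(field, 0))  # assumption: missing pref means 0
        if mode in UNSAFE:
            findings.append((key, prefs["hostname"], SOCKET_TYPES[mode]))
    return sorted(findings)

if __name__ == "__main__":
    for key, host, setting in audit_prefs(SAMPLE_PREFS):
        print(f"{key} {host}: {setting}")
```
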
Of course, all webmail systems are not the same. Some only encrypt the logon, others encrypt everything, including the pages for reading and writing email. Gmail is perhaps the most secure in that it now encrypts everything. This gives me two levels of encryption, the VPN and SSL from Gmail. Fortunately, the webmail system offered by my ISP also encrypts everything.
Gmail has another great feature, auditing. At the bottom of each page is a link to information about the last couple times the account was accessed. Great feature. It could be better, but I haven't yet seen anything comparable on another webmail system.
As for web browsers, it goes without saying that Internet Explorer will never see the light of day.
The big advantage to Firefox is the zap I wrote about last year. With a slight modification to a CSS file, Firefox can display all secure web page URLs in green. This is a great defense against man-in-the-middle attacks and is especially helpful in the home office of such attacks, a hacker confab.
For extra protection, I may well run Firefox in a Sandboxie sandbox. And, if I can remember, I'll turn off the Wi-Fi radio in my laptop when I'm not online. That's a big if though.
There's my game plan. Come and get me hackers. Uh, then again, never mind.
