Sign in with
Sign up | Sign in
Your question

One more "sensitive info" security question

Last response: in Wireless Networking
Share
Anonymous
a b 8 Security
September 16, 2005 5:16:52 AM

Archived from groups: (More info?)

I appreciate all the suggestions I received about securing private
information when using wireless internet in public places, but now I'd like
your opinion about using web security programs such as JWire Spotlock I
downloaded it because they have a free internet hotspot directory, but to
use the security feature requires a monthly subscription. If I disable all
folder sharing, use Windows XP and Internet Explorer with SP2, Microsoft
Antispyware, and install Zone Alarm or Sygate Personal Firewall, is it
necessary for me to use one of these subscription services? I'd just as
soon not obligate myself to yet another monthly bill. Also - which is the
better free firewall, ZA or Sygate? I've used both at one time or another
and liked them both. Thanks in advance! ....Pam
Anonymous
a b 8 Security
September 16, 2005 5:35:05 AM

Archived from groups: (More info?)

On 15-Sep-2005, " Pam" <per1818@nospam.planttel.net> wrote:

> I appreciate all the suggestions I received about securing private
> information when using wireless internet in public places,

No problem. That is what this group is all about...Helping others with Wi-Fi
issues and being helped.

but now I'd
> like
> your opinion about using web security programs such as JWire Spotlock I
> downloaded it because they have a free internet hotspot directory, but to
> use the security feature requires a monthly subscription.

I'm not surprised. Wireless internet using Hot Spots is the new "Hot Thing"
and businesses are maneuvering to cash in on it. It's simply business.

> If I disable
> all
> folder sharing, use Windows XP and Internet Explorer with SP2, Microsoft
> Antispyware, and install Zone Alarm or Sygate Personal Firewall, is it
> necessary for me to use one of these subscription services?

Just add in a dash of common sense and you have everything you need to
safely surf the web in public hotspots.

> I'd just as
> soon not obligate myself to yet another monthly bill.

Well, we now know you have common sense. (smile)

> Also - which is
> the
> better free firewall, ZA or Sygate? I've used both at one time or another
>
> and liked them both.

Although I've used about every software firewall available at one time or
another, my personal preference is Sygate. That's not to say that Zone Alarm
is not worthy because it is. I just prefer Sygate.


Thanks in advance! ....Pam

You're welcome.



--
Just Me, D
Anonymous
a b 8 Security
September 16, 2005 6:59:15 AM

Archived from groups: (More info?)

" Pam" <per1818@nospam.planttel.net> wrote in message
news:82pWe.113173$084.39707@attbi_s22...
>I appreciate all the suggestions I received about securing private
>information when using wireless internet in public places, but now I'd like
>your opinion about using web security programs such as JWire Spotlock I
>downloaded it because they have a free internet hotspot directory, but to
>use the security feature requires a monthly subscription.

> If I disable all folder sharing, use Windows XP and Internet Explorer with
> SP2, Microsoft Antispyware, and install Zone Alarm or Sygate Personal
> Firewall, is it necessary for me to use one of these subscription
> services?

Although the software is nice to have above, the buck really stops with the
XP O/S and no where else in protecting the machine from attack. You should
consider securing the XP O/S from attack by hardening the O/S for a machine
that has a direct connection to the Internet, especially a machine using the
NT based O/S. Some things you can do are disable the MS File and Print
Sharing service since I don't think you'll want to share resources with
other machines, strong passwords, disable the Everyone group account etc,
etc along with other things being mentioned in the links.

http://labmice.techtarget.com/articles/winxpsecurityche...
http://www.ntsvcfg.de/ntsvcfg_eng.html
http://www.petri.co.il/disable_administrative_shares.ht...

None of the software above is going to prevent wireless eavesdropping on the
your air waves. So if that software you're talking about kind provide
additional wireless protection on eavesdropping on the wireless air waves,
you should use it. However, you may want to find an ISP that provides a VPN
solution for their clients. They are out there too.


> I'd just as soon not obligate myself to yet another monthly bill. Also -
> which is the better free firewall, ZA or Sygate? I've used both at one
> time or another and liked them both. Thanks in advance! ....Pam

I'll be at a client's site in a hotel for the next six month with my XP pro
laptop on a dial-up direct connection to the Internet and I am now hardening
the O/S to attack and shutting down or closing things I don't need active on
the XP O/S and activating other solutions like IPsec which is being
mentioned in the link above implanting the AnalogX Secpol rules for IPsec to
supplement the BlackIce PFW that I use and IPsec can stop inbound or
outbound traffic by port, protocol, or IP behind any personal FW solution.
With the machine connected to my home network none of it is implemented.

http://www.petri.co.il/block_ping_traffic_with_ipsec.ht...
http://www.analogx.com/contents/articles/ipsec.htm
http://support.microsoft.com/?id=813878

The one thing that a 3rd party personal FW or IPsec cannot do is get to the
TCP/IP connection at boot and protect the machine from the Internet like the
XP FW can do and can get to the TCP/IP at boot and protect the machine
before any thing else can get there. I put a short-cut for Active Ports
(free) in the Start-folder so I can see all connections at the boot a logon
process.

Duane :) 
Related resources
Anonymous
a b 8 Security
September 16, 2005 8:13:02 AM

Archived from groups: (More info?)

On Fri, 16 Sep 2005 01:16:52 GMT, " Pam" <per1818@nospam.planttel.net>
wrote:

>If I disable all
>folder sharing, use Windows XP and Internet Explorer with SP2, Microsoft
>Antispyware, and install Zone Alarm or Sygate Personal Firewall, is it
>necessary for me to use one of these subscription services?

No. Their major purpose is to keep your protection up to date. You
can do that yourself. It is tedious but a necessary habit. Be sure
to do updates for:
1. Windows Update.
2. Office Update.
3. Spyware scanner update (I suggest Microsloth Anti-Spyware Beta 1)
4. Anti-Virus update.
5. Firewall Update.
In addition, many applications tend to have security holes. Recently,
there are holes in Winamp, Acrobat, etc. These have either automatic
updated features or notifications that updates are available.

The real danger for laptops and wireless are sending unencrypted
logins and passwords over the internet. It's easy enough to sniff for
these and use them. For example, one of my customers non-cleverly
used the same password on *ALL* his accounts. Someone sniffed his
POP3 email login and password, figured out his eBay and Paypal ID, and
tried the password. It worked. I was fortunate enough to catch it
before they could do any damage but the potential was certainly there.
Do NOT use a password twice. Do not send unencrypted passwords over
the internet. That means use a VPN to download your mail or use
encrypted webmail (i.e. Squirrel mail) to read online. The list of
programs that send logins and passwords over the internet in the clear
is extensive so be careful.


>Also - which is the
>better free firewall, ZA or Sygate?

I like Kerio, with Zone Alarm as a tolerable 2nd best. I haven't
tried Sygate for many years. No clue on it.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice Skype: JeffLiebermann
# http://www.LearnByDestroying.com AE6KS
# http://802.11junk.com
# jeffl@comix.santa-cruz.ca.us
# jeffl@cruzio.com
Anonymous
a b 8 Security
September 16, 2005 1:33:20 PM

Archived from groups: (More info?)

Jeff Liebermann wrote:

> The real danger for laptops and wireless are sending unencrypted
> logins and passwords over the internet. It's easy enough to sniff for
> these and use them. For example, one of my customers non-cleverly
> used the same password on *ALL* his accounts.

It's good advice, unfortunately human nature being what it is, it _isn't_
going to happen (at least in most cases). I finally have a system where I
can use different passwords, have my computer memorize them in a secure
location (well, as secure as possible), and am starting to use more
passwords, but for most people it simply isn't an achievable goal. If you
_do_ use different passwords, how do you remember them?

> Do NOT use a password twice. Do not send unencrypted passwords over
> the internet. That means use a VPN to download your mail or use
> encrypted webmail (i.e. Squirrel mail) to read online.

That's a little extreme (and you must have meant "e.g.", not "i.e." - there
are any number of secure web mail solutions - even Hotmail encrypts the
password dialog). Many people don't have access to VPNs and Web mail is no
solution for someone who gets a lot of email. Most mail servers now can
use TLS for secure login, and most mail clients can also. TLS is a fine
alternative and if your ISP doesn't provide it ask them why not. If you
don't have a clue how to set up your email to use TLS, call your ISP's
support line and ask them.

> The list of
> programs that send logins and passwords over the internet in the clear
> is extensive so be careful.

I've been planning to close a security hole on my system for too long, and
this has prompted me to get with the program...

> I like Kerio, with Zone Alarm as a tolerable 2nd best. I haven't
> tried Sygate for many years. No clue on it.

I'm happy with Zone Alarm for my wife's purposes (my system is Linux with a
self-configured firewall). If it's only a "tolerable 2nd best", I'll
accept Jeff's recommendation of Kerio.
--
derek
Anonymous
a b 8 Security
September 16, 2005 1:58:07 PM

Archived from groups: (More info?)

On Fri, 16 Sep 2005 09:33:20 -0300, Derek Broughton
<news@pointerstop.ca> wrote:

>If you
>_do_ use different passwords, how do you remember them?

I only try to remember the ones that I use constantly. For the rest,
I have my ever growing list of passwords printed on 4 pieces of paper
from an Excel spreadsheet. The spreadsheet is in an encrypted
filesystem on my PC and on a USB dongle. No way do I store it on my
PDA or cell phone. I'm not worried about losing the encrypted
spreadsheet or dongle, but the printed version is a problem. If I
ever lose that, I'm toast as it also contains my customers passwords.

>> Do NOT use a password twice. Do not send unencrypted passwords over
>> the internet. That means use a VPN to download your mail or use
>> encrypted webmail (i.e. Squirrel mail) to read online.

>That's a little extreme

Which is extreme? Not reusing a password twice or using an encrypted
pipe to get and send your email? I do both and have few problems.

>(and you must have meant "e.g.", not "i.e."

Correct. I'll review my Latin abbreviations when I have time.

> - there
>are any number of secure web mail solutions - even Hotmail encrypts the
>password dialog). Many people don't have access to VPNs and Web mail is no
>solution for someone who gets a lot of email. Most mail servers now can
>use TLS for secure login, and most mail clients can also. TLS is a fine
>alternative and if your ISP doesn't provide it ask them why not. If you
>don't have a clue how to set up your email to use TLS, call your ISP's
>support line and ask them.

Good advice. TLS (transport layer security) is an incompatible
extension of SSL. However, I still see a substantial number of ISP's
that offer unencrypted POP3 logins for email. I would be gratified if
they would dump these in favour of more secure solutions. Not one of
the local ISP's currently offers TLS email security. A few offer VPN
terminations (PPTP or IPSec). One offers nothing but POP3. If the
locals are any indication of the general status, we have a long way to
go. The good news is that the high volume ISP's (Yahoo, Hotmail, AOL,
Earthlink) all have encryption features.

>> The list of
>> programs that send logins and passwords over the internet in the clear
>> is extensive so be careful.

>I've been planning to close a security hole on my system for too long, and
>this has prompted me to get with the program...

I spent much of last night interrogating a customer for the names of
all her important online accounts. Her sole password was leaked (by
her daughter at college borrowing her mom's email account) and was
used for a small Paypal test purchase. She caught it in time and we
got to spend a dull and boring evening changing ALL her passwords. In
the process, we found a few online store accounts that had the
attached email address changed and was in the process of having the
password change confirmed. She's going to take the day off today and
call or email all these vendors and try to reclaim the accounts.
Also, a review of all the important financial accounts to verify that
nothing as gone astray. This is about the 4th time I've personally
seen such a mess precipitated by a lost common password.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Anonymous
a b 8 Security
September 16, 2005 7:26:11 PM

Archived from groups: (More info?)

Thanks again. I'll start working on security for my laptop before I attempt
to access any hotspots. You've been a great help. Best Regards, Pam
" Pam" <per1818@nospam.planttel.net> wrote in message
news:82pWe.113173$084.39707@attbi_s22...
>I appreciate all the suggestions I received about securing private
>information when using wireless internet in public places, but now I'd like
>your opinion about using web security programs such as JWire Spotlock I
>downloaded it because they have a free internet hotspot directory, but to
>use the security feature requires a monthly subscription. If I disable all
>folder sharing, use Windows XP and Internet Explorer with SP2, Microsoft
>Antispyware, and install Zone Alarm or Sygate Personal Firewall, is it
>necessary for me to use one of these subscription services? I'd just as
>soon not obligate myself to yet another monthly bill. Also - which is the
>better free firewall, ZA or Sygate? I've used both at one time or another
>and liked them both. Thanks in advance! ....Pam
>
Anonymous
a b 8 Security
September 16, 2005 8:45:51 PM

Archived from groups: (More info?)

On 16-Sep-2005, Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:

<snipped>
> That means use a VPN to download your mail
<snipped>

Please explain how to do this. Current personal setup is as follows:

Windows XP PRO w/ SP2
Roadrunner (broadband) is the ISP
PC is the HP Pavilion dv4170US
Wireless Router is D-LINK DI-624 rev c (firmware v. 2.70)
Wireless card is Intel Pro 2200 BG
Wireless Config is Intel Pro/Set 9.0.2.1

Even though there are 4 PCs connected, via ethernet cable to DI-624 and 3
notebooks are connected wirelessly, I do not use Windows Internet Connection
Sharing. Now, based on your comment above, is it possible to download my
email messages from my ISP, via VPN, while using my wireless notebook pc? If
so, how?

--
Just Me, D
Anonymous
a b 8 Security
September 16, 2005 8:45:52 PM

Archived from groups: (More info?)

On Fri, 16 Sep 2005 16:45:51 GMT, "Doug Jamal"
<bishiv6AT@yahooDOT.com> wrote:

>
>On 16-Sep-2005, Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>
><snipped>
>> That means use a VPN to download your mail
><snipped>
>
>Please explain how to do this.

Your unspecified ISP has to provide the VPN termination at their end.
You'll need to contact them to see if they offer the service. You
can't do it with just your end of the puzzle. They need to provide a
VPN termination.

You then install a VPN client on your end, or use the Windoze supplied
PPTP or IPSec client. I'm currently using the Cisco VPN client.
There are also SSH, SSL, and TLS solutions.

>I do not use Windows Internet Connection
>Sharing.

Good.

> Wireless Router is D-LINK DI-624 rev c (firmware v. 2.70)

This has VPN passthru for both IPSec and PPTP. That should work.
However, I can't seem to determine how many VPN tunnels can be
simultaneously passed through the router. Hopefully, it's more than
one.

>Now, based on your comment above, is it possible to download my
>email messages from my ISP, via VPN, while using my wireless notebook pc?

Sure, but there's a problem. Most VPN's will change the default route
to the terminating server and block local LAN access. That's to
insure that one of your other machines on your home LAN does not
bridge through your computer, through the VPN tunnel, and into the
network at the other end. Only your machine goes through the VPN.
The result is that you're effectively disconnected from the rest of
the LAN and internet while connected to the VPN. There are ways
around this but it is a potential problem.

As for your question, the purpose of the VPN is to provide a secure
tunnel between you and your ISP. Of course you can read your email
while connected in this manner. A VPN may be overkill for just email
security. It's generally used to provide a secure tunnel for access
to ALL the resources at the terminating end. If I connect to my
palatial office, I can see all the servers, shares, and printers from
network neighborhood. That's a bit too much for just checking your
email. Simply encrypting the email and passwords would be sufficient
without encrypting everything.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Anonymous
a b 8 Security
September 16, 2005 9:27:35 PM

Archived from groups: (More info?)

Jeff Liebermann wrote:

> On Fri, 16 Sep 2005 09:33:20 -0300, Derek Broughton
> <news@pointerstop.ca> wrote:
>
>>If you
>>_do_ use different passwords, how do you remember them?
>
> I only try to remember the ones that I use constantly. For the rest,
> I have my ever growing list of passwords printed on 4 pieces of paper

and that's the problem. It's safe (afaik :-) ) from wireless snooping, but
those pieces of paper can probably be found in virtually every desk at most
people's workplaces.

>>> Do NOT use a password twice. Do not send unencrypted passwords over
>>> the internet. That means use a VPN to download your mail or use
>>> encrypted webmail (i.e. Squirrel mail) to read online.
>
>>That's a little extreme
>
> Which is extreme? Not reusing a password twice or using an encrypted
> pipe to get and send your email? I do both and have few problems.

Sorry, should have snipped. You didn't say, "only use an encrypted pipe",
though, you said VPN or Squirrel Mail, and I'm pointing out that there are
simpler methods than VPN for most of us, that solve the problem of getting
your email - of course, for anything else VPN is sometimes the only
acceptable solution.

>>Most mail servers now can
>>use TLS for secure login, and most mail clients can also. TLS is a fine
>>alternative and if your ISP doesn't provide it ask them why not. If you
>>don't have a clue how to set up your email to use TLS, call your ISP's
>>support line and ask them.
>
> Good advice. TLS (transport layer security) is an incompatible
> extension of SSL. However, I still see a substantial number of ISP's
> that offer unencrypted POP3 logins for email. I would be gratified if
> they would dump these in favour of more secure solutions.

Completely agreed. I'm assuming they're worried about the support costs of
just dumping the insecure method and forcing SSL or TLS access, but there's
no reason they need to. Set up a second server, only allow secure access,
change all your help files to specify how to access it instead of the
insecure server, and give this to all new customers. Then advertise it to
the old customers and encourage them to use it. Finally, when you have
many people using the secure method and everyone's comfortable with it
start pushing the Luddites off the old server.

> Not one of
> the local ISP's currently offers TLS email security. A few offer VPN
> terminations (PPTP or IPSec). One offers nothing but POP3.

All three of mine _offer_ TLS (i.e., both POP & IMAP servers advertise it)
but my main ISP doesn't actually seem to implement it correctly - I can't
get it to log in. So I just don't use it.

> I spent much of last night interrogating a customer for the names of
> all her important online accounts. Her sole password was leaked (by
> her daughter at college borrowing her mom's email account) and was
> used for a small Paypal test purchase. She caught it in time and we
> got to spend a dull and boring evening changing ALL her passwords. In
> the process, we found a few online store accounts that had the
> attached email address changed and was in the process of having the
> password change confirmed. She's going to take the day off today and
> call or email all these vendors and try to reclaim the accounts.
> Also, a review of all the important financial accounts to verify that
> nothing as gone astray. This is about the 4th time I've personally
> seen such a mess precipitated by a lost common password.

OK, I promise never to use the same password again :-) (Well, except the
innocuous password I use for all the email lists I subscribe to - if
someone is so desperate to hijack those and pretend to be me, they're
welcome to it).
--
derek
Anonymous
a b 8 Security
September 16, 2005 9:46:55 PM

Archived from groups: (More info?)

Thanks Jeff. I really appreciate your help and advice. Take care.

--
Just Me, D
Anonymous
a b 8 Security
September 17, 2005 3:44:45 AM

Archived from groups: (More info?)

On Fri, 16 Sep 2005 17:27:35 -0300, Derek Broughton
<news@pointerstop.ca> wrote:

>and that's the problem. It's safe (afaik :-) ) from wireless snooping, but
>those pieces of paper can probably be found in virtually every desk at most
>people's workplaces.

Sure. I did some security audits a while back. On 52 desktops, I
found approx 15 pieces of paper with the passwords. On 2 of them, I
found the password scribbled directly onto the monitor with a pen.

As I mentioned, if I ever lose the printed password list, I'm toast.
So, I have a rather crude scrambling scheme for what's printed on the
sheet. At first glance, it looks like real logins and passwords, but
a bit of mental shuffling is required to extract the real passwords.
Easy to do in Excel with an easily tweaked formula. Anyone with some
experience in codes and ciphers can figure it out in about 10 minutes,
but until I find a better way to store a large number of passwords
(approx 400), it's the best I can do.

>Sorry, should have snipped. You didn't say, "only use an encrypted pipe",
>though, you said VPN or Squirrel Mail, and I'm pointing out that there are
>simpler methods than VPN for most of us, that solve the problem of getting
>your email - of course, for anything else VPN is sometimes the only
>acceptable solution.

Oh, right. There are other ways besides VPN and Squirrel Mail.
http://www.squirrelmail.org
VPN is overkill for just email, but it does the job and fixes a few
other security issues at the same time.

I guess I should mention that good old ftp and telnet have the same
problem with unencrypted logins and passwords. Switch to SSH and SFTP
as in WinSCP:
http://winscp.net/eng/index.php

>> Good advice. TLS (transport layer security) is an incompatible
>> extension of SSL. However, I still see a substantial number of ISP's
>> that offer unencrypted POP3 logins for email. I would be gratified if
>> they would dump these in favour of more secure solutions.

>Completely agreed. I'm assuming they're worried about the support costs of
>just dumping the insecure method and forcing SSL or TLS access, but there's
>no reason they need to. Set up a second server, only allow secure access,
>change all your help files to specify how to access it instead of the
>insecure server, and give this to all new customers. Then advertise it to
>the old customers and encourage them to use it. Finally, when you have
>many people using the secure method and everyone's comfortable with it
>start pushing the Luddites off the old server.

Not a bad deployment plan. That's roughly the way one ISP I deal with
has done it. Eventually, they plan to dump the older insecure
protocols. However, since I'm still using UUCP over TCP with a TLI
interface and SMTP client polling, I suspect that the old junk will be
around forever.

The real "problem" is that most users don't have a clue how their
programs work. They don't know the risks, the mechanics, what hackers
can do with a login and password, or which applications are safe to
use. I don't know how to educate the users.

>OK, I promise never to use the same password again :-) (Well, except the
>innocuous password I use for all the email lists I subscribe to - if
>someone is so desperate to hijack those and pretend to be me, they're
>welcome to it).

Also guilty. Do like I say, not like I do. I just looked at my
printed list. Out of about 150 entries that are mine, 15 have
identical passwords. Same issue. Mailing lists, weblogs, and
worthless accounts all get the same password. OK, so I'm lazy.

Incidentally, speaking of identity theft. Many years ago, I was
leaving my business cards at local computer stores, restraunts,
markets, stores, and any place that might send me some repair biz.
Someone grabbed a few of my cards and drifted into one of my larger
customers claiming that I had sent him to "pickup" a machine or two
for repair. He used my business card as proof that I had sent him.
However, he was such a poor actor that the customer became suspicious
and paged me. He disappeared. Perhaps I should encrypt my business
cards?


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice Skype: JeffLiebermann
# http://www.LearnByDestroying.com AE6KS
# http://802.11junk.com
# jeffl@comix.santa-cruz.ca.us
# jeffl@cruzio.com
Anonymous
a b 8 Security
September 17, 2005 3:52:36 AM

Archived from groups: (More info?)

Jeff Liebermann wrote:

> I guess I should mention that good old ftp and telnet have the same
> problem with unencrypted logins and passwords. Switch to SSH and SFTP
> as in WinSCP:
> http://winscp.net/eng/index.php

Yeah, I do some tech support for a university, which only recently closed
telnet and ftp access and forced users to use ssh and scp. Now 90% of the
calls are about why they can't get into telnet & ftp. <sigh>
>
> Incidentally, speaking of identity theft. ... Perhaps I should encrypt my
> business cards?

LOL. That's only funny because it had a happy ending :-)
--
derek
!