How To: Avoid password theft, Faceraping, Email hijacks etc. On public networks

Network SendHas your email been blacklisted? Does your forum-posts suddenly contain nothing but kittens? Did your relationship status become same-sex over night? Well, physical access to your box may be the answer to most of these scenarios. But everything you send on public wire, in plain-text that is, has the potential to be sniffed out or otherwise phished if you are careless.

Here are a few tips in avoiding disaster:

* SSL/TLS
Encrypt, encrypt, encrypt and make sure the certificate in question is properly signed – its mandatory. Wether if its web, email or chat. Most online services today allow an encrypted alternative and that includes popular services like Google, Facebook and Twitter. Just be on the lookout for https:// and not plain http:// in the address-bar. Never trust a pretty “Lock Icon”, those can be injected onto the session while SSL is being striped out, in an attempt to fool the user.

Secure Address-Bar

The same mindset applies to SMTP/IMAP/POP3-email and various chat protocols. Enable, if any, SSL option that is available. For email, the default SSL port numbers are as follows: 993 for IMAP(S), 995 for POP3(S) and 465 for SMTP(S). The port number may vary depending on your email provider.

* SSH Tunnel
When encrypted alternatives are not available, or doesn’t exist, an SSH-tunnel can be used. Simply, tunnel the traffic through an encrypted SSH-session and relay it through the trusted network where the SSH-server is located. I have a tutorial on how to do just that, complete with syntax and resources required here: http://peppoj.net/2012/10/tunnel-http-traffic-encrypted-using-polipo-and-ssh/.

* BYOIC (Bring Your Own Internet Connection)
If all else fails and trust is an issue, avoid public networks completely and use your own connection. If you already made the leap to the new generation and bought a smartphone with a generous dataplan, why not use it? Most smartphones today (and some older devices I’ve seen) allow tethering to computers and other devices. Simply enable tethering, hock it up and mess with the network settings on your host.

Disclaimer:
None of the tips above will protect you from Phishing, or otherwise plain fraudulent websites. Use you’re brain.

Feedback welcome

Be Sociable, Share!