Wi Fi Hot Spot Security

Hi,



I'm going to be travelling soon and I'll be using free Wi-Fi hotspots sometimes, and my question is: if someone is looking into my iPhone/iPad with Firesheep, will they be able to see all my info/passwords in 1Password, including my master password if I type it in & have the program open?





Thanks

Comments

  • [Deleted User]
    edited May 2011
    [quote name='JungleJezabel' timestamp='1306589293' post='27946']

    Hi,



    I'm going to be travelling soon and I'll be using free Wi-Fi hotspots sometimes, and my question is: if someone is looking into my iPhone/iPad with Firesheep, will they be able to see all my info/passwords in 1Password, including my master password if I type it in & have the program open?





    Thanks

    [/quote]



    Hello JungleJezabel and welcome to the Forums!



    I am not a security expert, but I've tried to keep up with news on the Firesheep extension. Until one of AgileBits' security experts responds, I have only the following article to offer: [url="http://infoboxinc.com/firesheep-you-need-to-read-this/"]Firesheep: You need to read this.[/url]



    Since Firesheep is a cookie hijacker, I do not know whether it would be able to see all of your 1Password related data. However, if you entered the information into a website I can see how you may be compromised.



    I really don't know enough about how Firesheep and/or cookies work to offer advice. However, from what I have read, you would be better off NOT visiting sites that require confidential information/logins/etc. This includes Facebook, e-mail accounts, bank sites, etc.



    Hopefully, someone with more knowledge will respond soon. Thanks for asking the question. It is important never to become complacent regarding web security. After all, that's what brought us to 1Password in the first place! :)



    Cheers!



    Brandt
  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    edited May 2011
    I know this is the iPhone / iPad section but since you specifically mentioned avoiding Firesheep.



    The following items are for connections for MacBooks only, not iPhone or iPad:

    You may be interested in Sidestep if you have an always-on Mac at home. I assume this could be made to work with Windows etc., but I do not have one to try on, so for me it's Macs only.

    You will need several things. Leave the Mac on, first and foremost. If you don't want to pay for a service like DynDNS, then you can always grab your home Mac's IP address via Dropbox's website (assuming you use Dropbox) and be able to forward a port on your router. I would also recommend a good firewall if you are going to leave the service on. I have a great aftermarket firewall.

    On your home Mac, go to System Preferences, then Sharing, enable Remote Login, and allow access for only specified users; make sure to specify the user.

    Download Sidestep and set it up; it is very easy. If you have any questions re: Mac setup, let me know. I have it running on my MacBook connecting to my home mini. Again, I couldn't help with Windows etc.



    Links:



    Original article:

    [url="http://mac.appstorm.net/how-to/security-how-to/how-to-protect-your-wireless-surfing-with-sidestep/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+MacAppStorm+%28Mac+AppStorm%29"]http://mac.appstorm....Mac+AppStorm%29[/url]





    Download link for SideStep:

    [url="http://chetansurpur.com/projects/sidestep/"]http://chetansurpur....jects/sidestep/[/url]



    Home Mac setup from the article above:

    [url="http://lifehacker.com/205090/geek-to-live--set-up-a-personal-home-ssh-server"]http://lifehacker.co...home-ssh-server[/url]

    In regard to the iPhone and iPad:

    Head over to Overplay VPN [url="https://www.overplay.net/"]https://www.overplay.net/[/url], sign up for their free service, and you can connect via a VPN, but at slower rates. Works a treat on my iPhone on unsecured Wi-Fi.

    Note: one thing I didn't see mentioned in their guide online is that when you set up the VPN on the iPhone, make sure to change the VPN security level from Auto to MAX; that's the only way I could connect. :D





    Edit: If you are a Lion Beta user, I was unable to get Sidestep to connect to my mini running Lion. I had to reboot into SL to get an SSH connection that Sidestep could connect to. I was having issues with the firewall app, but upon disabling it, I still was unable to connect.

    So in short, if you are running Lion, make sure to boot into SL prior to departing. I will be delving into this more in the next few days.
  • Thanks Tommy! Great info!



    I learned something new today.
  • danco
    danco Senior Member
    On the Overplay setup page, and on their home page under "is it expensive" you can learn about their free service.



    But most of the home page is about their paid service, and it would be easy to miss mention of the free option.
  • Thanks guys,



    I think i'll try out the free Overplay VPN and see how that goes.
  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    [quote name='danco' timestamp='1306654663' post='28022']

    On the Overplay setup page, and on their home page under "is it expensive" you can learn about their free service.



    But most of the home page is about their paid service, and it would be easy to miss mention of the free option.

    [/quote]







    danco, ......... Oh so correct





    I saw Google results about it, then went to their site and I missed the free option about 4 times; I was like, they don't really have one.... An easy way to get the details quickly is to sign up, and when presented with the paid options, it's at the top of that screen. Just don't pay for anything...
  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    I would like to add: I followed the guide above in my post and set up an instance of OpenVPN on Amazon EC2. Based upon my figures, it will cost me about $15.00 per month for the VPN, not including data in and out (long-time existing account / [b]not on free tier[/b]). So that is something to look at, especially if you are so inclined; I think the free tier is good for 1 year. Look on Amazon's site for details.

    Overplay @ $10 per month seems very reasonable, and with so many VPNs to choose from.... sounds like a deal. But I need to look at their data in and out. (NVM, unlimited bandwidth)
  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    edited May 2011
    [quote name='thightower' timestamp='1306619010' post='27999']

    Edit: If you are a Lion Beta user, I was unable to get Sidestep to connect to my mini running Lion. I had to reboot into SL to get an SSH connection that Sidestep could connect to. I was having issues with the firewall app, but upon disabling it, I still was unable to connect.

    So in short, if you are running Lion, make sure to boot into SL prior to departing. I will be delving into this more in the next few days.

    [/quote]







    I set up another Mac and still cannot connect, so maybe there is a bug related to Lion and/or Sidestep. So if you want to run it, make sure to use SL.

    Edit: on the Mac you are connecting to.
  • khad
    khad Social Choreographer
    edited May 2011
    Connections over SSL (sites using http[b]s[/b] as opposed to http) are not accessible to Firesheep. Facebook added an option to always enable SSL connections. You can find it under Account Settings > Account Security.



    [img]https://img.skitch.com/20110530-b1wr5nhp5dwmri7mnsa48kqihj.png[/img]



    You can also use Twitter and many other sites over SSL ([b]https[/b]://twitter.com/ etc.).



    This sort of network sniffing is only tangentially related to 1Password. 1Password merely fills the form for you. If the form is sent unencrypted over the network, it is like mailing someone a postcard with your password on it. It will likely go unnoticed, but if someone is paying attention they can easily read it. ;-)



    Always use SSL when available. I have never seen a banking website that did not use it, for example. There are some sites which do not make use of SSL, but all the high profile ones I can think of (the ones software like Firesheep is designed to target) support it. Someone also has to be actively running Firesheep on an open Wi-Fi network you are using in order for the attack to work.



    Also, if the network is protected by [url="http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access"]WPA[/url] you are safe since WPA essentially sandboxes each user's connection from the rest of the users on the network. Firesheep [i]only[/i] works on a network that does [b]not[/b] require a password to access and only if the site is [b]not[/b] using SSL. Either WPA or SSL will keep you safe. I use iPhone tethering when I am out and about for my own private network connection rather than an open Wi-Fi hotspot.



    All of this applies whether you are using 1Password or not.