Wifi security while traveling

[booster]

We generally don't use wifi when we are traveling due to the repeated warnings we here about hacks of public wifi systems like coffee shops, parks, and campgrounds. How risky it actually is, I have no idea, but we tend to be very cautious in general on stuff like this.


For the last decade I have had our main PC setup with 4 hard drives that have 3 of them with their own standalone installation of the same windows license. The fourth is a bit data only drive for backup storage. All are independently switched on manually and any combination of them can be used. One is for my daily use and doesn't have any sensitive stuff on it like financial things. One is used for our financial stuff only and is only on very short periods once a month. One is used as a test drive to see if things are worth using without them messing up the main drive and also if there something I want to see, but the security software says it is risky. It is used to be used for the grandkids to use if needed, but now they all are on phones. I was told by numerous computer geeks that even though they use the same bios in the PC and motherboard, there is not much risk of issues because the operating systems are completely separated and it is very, very rare to have two with operating systems on at the same time, and always disconnect from internet when doing it. Usually just if I am cloning a new copy of one of the drives into it from the test drive.


Back to camping, we use DW's laptop which doesn't have a lot of things on it that could be issues, but still don't want to lose the data or get it locked on it or get it locked to a hack even though we do periodic backups to a standalone drive.


Based on what we have on the PC, I thinking I could add a partition to the portable drive that we have for the laptop so we can recover it when we travel, and then clone the complete laptop hard drive to that new partition so we could boot off that when on traveling wifi. We would only use the wifi if we didn't have a mobile hotspot connection and that doesn't happen very often these days with the Nighthawk hotspot.


The only glitch would the that the backup data would show up on the system booted from the same hard drive, as would the hard drive on the laptop.


Another portable drive would take care of the backup data, but the seeing the laptop if tougher, I think, to take care of.


Anybody know of a way to hide the hard drive on the laptop when booted from the portable drive? I really want to stay away from encryption.

[MsNomer]

How about your own WiFi? We use a Netgear MR11 with AT&T SIM.

[RT-NY]

Quote:

Originally Posted by booster

Anybody know of a way to hide the hard drive on the laptop when booted from the portable drive? I really want to stay away from encryption.

Short of physically removing the drive from the laptop, which can be done without too much difficulty on some laptops, I can't think of any way offhand.

But I think that a better solution for what you need might be to use virtual machine software. You can use, for example, Oracle's VirtualBox, which is free for indivudal use, and install Windows (or better, Linux) on the virtual machine. You can choose to expose what you want to the virtual machine (the internet/wifi) and to hide what you want (the physical drive). When you want to access public wifi, you just boot the virtual machine and run the browser inside of it.

[avanti]

Quote:

Originally Posted by booster

I really want to stay away from encryption.

To be honest, I think you are on a bit of a fool's errand. Physical partitioning is all well and good, but experience has shown that it is too-dependent on everybody doing everything right every time. Nothing will save you except encryption. Anything else is only more or less empirically safe--dependent on the hope you haven't missed anything. Modern encryption is PROVABLY safe, because--math.

I realize that encryption often produces the feeling that you are out of control, but in reality it is the opposite. You don't have to depend on your OS to do key management--you can deal with it yourself if you want to. IMO, there is nothing more scary than traveling in an RV with an unencrypted mass storage device--whether inside a laptop or external. I believe that the risk of physical robbery is much greater than that of somebody taking over your system. If a stolen disk is not encrypted at rest, then this can be a disaster. If it is, you are only out the cost of the device.

As for WiFi, there are real risks using a public AP, but they are well-defined. The risks involve fake websites and other on-line services. You must be VERY careful about those (just as you do for phishing emails). But, once you have established an HTTP connection to what you are SURE is a correct and trusted URL, that link is as safe as anything in tech. For all practical purposes, a "man-in-the-middle" attack at the hotspot is impossible.

[RT-NY]

Quote:

Originally Posted by RT-NY

But I think that a better solution for what you need might be to use virtual machine software...

Actually, now that I think of it, the version of Oracle's VirtualBox that I use might not do quite what you want, because it requires the host machine to connect to the wifi. So although the browser could not be easily hacked, perhaps the wifi itself could. Maybe more recent versions of Oracle's software or other virtual machine software can run the wifi driver inside the virtual machine though I am not sure

Quote:

Originally Posted by avanti

As for WiFi, there are real risks using a public AP, but they are well-defined. The risks involve fake websites and other on-line services.

I agree about hard-drive encryption being a reliable and easy solution and about the risk of having a hard drive stolen. And I agree that an encrypted HTTP connection (HTTPS / SSL) is secure. But is it true that connecting to a public Wifi acess point is always secure? Is there no way, even in theory, for malicious code to get to your machine directly (not through the browser) through an access point that you are connected to?

[avanti]

Quote:

Originally Posted by RT-NY

I agree about hard-drive encryption being a reliable and easy solution and about the risk of having a hard drive stolen. And I agree that an encrypted HTTP connection (HTTPS / SSL) is secure. But is it true that connecting to a public Wifi acess point is always secure? Is there no way, even in theory, for malicious code to get to your machine directly (not through the browser) through an access point that you are connected to?

Well, anything is possible. But, the scenario you propose (a malware infection merely due to connecting to a hacked WiFi AP) is pretty improbable:
1) It would require a zero-day (i.e., undiscovered) vulnerability in the specific code on your computer's OS responsible for establishing a WiFi connection. This is very mature code implementing a relatively simple protocol. This protocol is well-understood and doesn't change very often. Plus everyone knows that security here is mission critical, since such a vulnerability would apply not just to public WiFi, but your home WiFi as well. It is a very closely-watched mechanism.
2) Even if there were an exploit that succeeded to copying malicious code to your computer, that isn't enough. The code also has to somehow be executed, which isn't easy, either. Your machine's firewall and other security code try very hard to make that impossible without your explicit permission.
3) Although there are a fair number of public WiFi sites run by hackers, these guys for the most part aren't very sophisticated. So, the risks that are out there are not likely up to such subtle attacks. They mostly amount to phishing schemes.

Bottom line is that I have never read of such an attack in modern times, at least not from credible sources.

All that said, there are other things you have to watch out for. Notably, if your computer is exposing unprotected services such as simple file servers, then anybody on your LAN can easily use them, including the guy in the next hotel room. Then again, this is also largely true of the Internet at large.

[booster]

Quote:

Originally Posted by avanti

Well, anything is possible. But, the scenario you propose (a malware infection merely due to connecting to a hacked WiFi AP) is pretty improbable:
1) It would require a zero-day (i.e., undiscovered) vulnerability in the specific code on your computer's OS responsible for establishing a WiFi connection. This is very mature code implementing a relatively simple protocol. This protocol is well-understood and doesn't change very often. Plus everyone knows that security here is mission critical, since such a vulnerability would apply not just to public WiFi, but your home WiFi as well. It is a very closely-watched mechanism.
2) Even if there were an exploit that succeeded to copying malicious code to your computer, that isn't enough. The code also has to somehow be executed, which isn't easy, either. Your machine's firewall and other security code try very hard to make that impossible without your explicit permission.
3) Although there are a fair number of public WiFi sites run by hackers, these guys for the most part aren't very sophisticated. So, the risks that are out there are not likely up to such subtle attacks. They mostly amount to phishing schemes.

Bottom line is that I have never read of such an attack in modern times, at least not from credible sources.

All that said, there are other things you have to watch out for. Notably, if your computer is exposing unprotected services such as simple file servers, then anybody on your LAN can easily use them, including the guy in the next hotel room. Then again, this is also largely true of the Internet at large.

The whole visible drives thing is why the home pc can have them all turned on and off separately so nobody can see them when on a different one. Duplicating that would be my first choice but can't do it with a laptop, it appears.


Perhaps the best and easiest way to be safe on the occasional wifi use would be do have a cheap and disposable Chromebook to use.

[@Michael]

My thoughts:

When on unencrypted, unauthenticated public WiFi, you could potentially be exposed to a few unique situations:

1. Direct attacks - a bad actor on the same Wi-Fi network attempts to compromise your computer.
2. DNS hijacking - The Wi-Fi network infrastructure is compromised, and your PC will be directed to a rogue DNS server that dishes out address of compromised web sites instead of real ones. This happened to an ISP just recently.
3. Unencrypted WWW - You are using HTTP instead of HTTPS when accessing web sites, and your web requests and responses going to a fake we site and/or are being altered by a 'man-in-the-middle'.

Protecting against (1) is the job of your firewall software and/or AV software. For me, Windows Defender is good enough. Additionally, making sure that any Wi-Fi network that you don't own is configured as a 'public' network tells Windows that you don't trust the network & ensures that some vulnerable services are disabled when you are on those networks. Other operating systems have similar features.

Protecting against (2) can be done by manually configuring your DNS servers in either the operating system, the browser, or both. Note that when the Wi-Fi network is configured as a captive portal where you have to click through one of their web pages before accessing the Internet, you might have to unconfigure and reconfigure DNS before and after the click-through. Sometimes a PITA. FWIW - I use (and pay for) NextDNS, as they also block DNS requests for ads and trackers, so my browsing experience is a bit cleaner. There are other DNS service providers that are just as good.

For (3), one needs to pay attention to what your browser is telling you regarding the validity of HTTPS certificates and whether or not you are accessing the site via HTTPS, not HTTP. Modern browsers are pretty good at this. They tend to get really crabby if you try to access a site with a bad or expired SSL certificate.

Other thoughts that are more general, not specific to public Wi-Fi:

• Keep your software & operating system up to date.
  
• Always log in with a password protected non-administrator account when accessing anything on the Web. When logged into an account that is not an administrator but does have a password, your computer is much better protected against 'root' style attacks. Having that local account tied to a cloud account is better, as it enables security features that are not available without the cloud connection.
  
• Always use the encryption feature on any disk or computer that could potentially be lost or stolen. The loss of an HDD or computer that has disk encryption & password protected logins enabled is an inconvenience, not a security incident.
  
• For accounts that you care about, use a separate e-mail address for the accounts & a unique password for each. And always enable any extra security features such as 2-factor authentication, login alerts, account recovery features, etc.
  
• As has been the case for about 25 years now, be very careful about e-mailed or SMS'd links and attachments, even those that appear to be sent by persons you know. This is still a great way to get caught up in a phishing attack, ransomware, etc.
  
• An advantage of physically separating computers & HDD's is that one is far less vulnerable to ransomware attacks, which for a while were very common. A physically detached backup isn't going to be encrypted by the attackers, so you are less likely to have to pay the $500 bribe to get your data unencrypted. FWIW - I no longer do this. I rely on my cloud providers ability to roll back file modifications to a point prior to the ransomware incident.

[sc_man]

You might want to consider using a live USB drive with a secure Linux distro instead of messing with partitions and cloning. It’s a cleaner solution and keeps your main drive untouched. You just boot from the live USB when you’re using public WiFi, and if anything goes wrong, your main laptop drive stays safe.

[booster]

Quote:

Originally Posted by sc_man

You might want to consider using a live USB drive with a secure Linux distro instead of messing with partitions and cloning. It’s a cleaner solution and keeps your main drive untouched. You just boot from the live USB when you’re using public WiFi, and if anything goes wrong, your main laptop drive stays safe.

I am not familiar with Linux or ever used it, but how does that setup make the laptop hard drive invisible and unaccessible? With Windows the drive is still visible to anyone who gets into the operating system on any drive AFAIK.


The separate drive was one of the original thoughts, but without being able to unpower the laptop drive, there doesn't seem to be a way to make drive inaccessible without encryption.

[RT-NY]

Quote:

Originally Posted by booster

I am not familiar with Linux or ever used it, but how does that setup make the laptop hard drive invisible and unaccessible? With Windows the drive is still visible to anyone who gets into the operating system on any drive AFAIK.


The separate drive was one of the original thoughts, but without being able to unpower the laptop drive, there doesn't seem to be a way to make drive inaccessible without encryption.

A live USB boot with Linux would not make the internal laptop hardrive inaccessible -- it could still be mounted and accessed from within Linux. But, as I mentioned above, running virtual machine software in Windows would.

[phantomjock]

booster -
I assume you are not working while travelling? I too would not connect to a suspicious WIFI with HDD/Laptop with important data.
For checking the weather, planning a route, email, or streaming video I'd consider "sacrificing" a phone. Aren't there are any number of apps that could perhaps provide a reasonable buffer for interim contact on "suspicous" WIFI? I know I have several ones leftover in a drawer - somewhere.
YMMV

Cheers - Jim

[booster]

Quote:

Originally Posted by phantomjock

booster -
I assume you are not working while travelling? I too would not connect to a suspicious WIFI with HDD/Laptop with important data.
For checking the weather, planning a route, email, or streaming video I'd consider "sacrificing" a phone. Aren't there are any number of apps that could perhaps provide a reasonable buffer for interim contact on "suspicous" WIFI? I know I have several ones leftover in a drawer - somewhere.
YMMV

Cheers - Jim

We normally do use the "phone" for our connections, although it is really acellular phone account that we hotspot with a Nighthawk wifi hotspot to the to the laptop. The questionable wifi I referred to is if we don't have a cell connection, which is thankfully getting less and less of the time. We even had coverage on most of the Skyline Drive, Blue Ridge Pkwy, Smoky Mountain Parkway which surprised us. No coverage yet at the campground we were in at Smoky Mountain National park. We will be going to the Copper Harbor area of the U.P. this fall and they have never had cell coverage there. The campground is now saying they have wifi, and that is what started us thinking about all this again.

[phantomjock]

Ahh, that fills me in on your setup/operation. I am in the process of buying/upgrading to a new phone and that set me to thinking for uses for the old ones in "storage."

Cheers - Jim

[engnrsrule]

I decided to add a WiFi capability to my rig. I thought I had a thread about it on IRV2. https://www.irv2.com/forums/f53/sele...on-624698.html

Short answer: King Router that can connect to a hosts WiFi if needed. I only do this if the source system is fully trusted. Rest of the time it connects to a hotspot on my rig. Started with an older jetpack, but recently went to a Netgear Nighthawk M6 which is much better. The jetpack connection to the router was by wifi, but the M6 connects with a CAT5 and is more stable.The Verizon data plan was not expensive, and work when moving as well.

Also added external MIMO antenna. Which also serves as a WiFi antenna to the King Router.

[booster]

Quote:

Originally Posted by engnrsrule

I decided to add a WiFi capability to my rig. I thought I had a thread about it but it might be on IVR2.

Short answer: King Router that can connect to a hosts WiFi if needed. I only do this if the source system is fully trusted. Rest of the time it connects to a hotspot on my rig. Stated with an older jetpack, but recently went to. Netgear Nighthawk M6 which is much better. The Verizon data plan was not expensive, and work when moving as well.

Also added external MIMO antenna. Which also serves as a WiFi antenna to the King Router.

What was the cost and how much data on Verizon data plan?


When we checked all the methods a couple of years ago the best was to just add a line to our existing two lines with Consumer Cellular for $10 a month. We have shared 50gig and rarely us much at all on the phones. We use a Nighthawk M1 with the little suction cup to the window antenna it works very well.

[engnrsrule]

Quote:

Originally Posted by booster

What was the cost and how much data on Verizon data plan?

We have an unlimited data plan that lists for $40/mo, but based on bundled discounts it comes to $17/month. We just moved the sim from the jetpack and it worked immediately. Spent a couple hours with them trying to update my equipment to the M6 (usually AT&T device but was unlocked for Verizon) but they couldn't do it, so my account still shows the jetpack. Even tho the jetpack was a 4g device, I bought a 5g sim bc I anticipated upgrading.

We stream movies on the smart tv and use a couple of laptops no issues.