4

I have a simple question that many people probably have and yet there does not seem to be a topic on this.

I am visiting a company for a meeting and I have my laptop with me. This company is our competitor and I have some private data in my laptop. Normally I just get an Ethernet cable from my hosts and plug in my laptop for internet connection.

My question is really very simple: what information they can see and what information they cannot see? More specifically:

  1. What information from my internet activity can the network administrators see?
  2. If I use https, can they see my emails, chats, searches, etc? is gmail completely safe?
  3. Can they somehow get into my laptop through Ethernet port, read my files, emails, saved passwords, etc?
  4. How can I increase my security in this scenario? Encryption is the only thing I could think of, but seriously, most people do not have GnuPG installed to decrypt my emails; and would you go over the pain of entering a password for Truecrypt everytime you open a directory?!

Thanks

eli
  • 176
  • 7
  • I don't know the answers to your questions, but have you considered getting a Air Card for your laptop that allows you to use your cell phone plan and bypass the competitor's Ethernet altogether? I'm not sure how secure they are, but I'd feel safer than plugging into a competitor's network. Alternatively, I'd get a laptop with no sensitive data and just not risk it. More info on air cards here: http://news.cnet.com/8300-5_3-0.html?keyword=aircard – David Stratton Feb 20 '13 at 22:51
  • Thanks a lot. Roaming charges get a lot if you travel often. Also nothing matches Ethernet in speed. But thanks for pointing out this; I check it out. – eli Feb 20 '13 at 22:59
  • 1
    *LOL* I'm sure someone smarter than me will answer your questions in detail. I just posted what I'd do if I really didn't trust the company not to steal my secrets. – David Stratton Feb 20 '13 at 23:01

2 Answers2

6
  1. They can see the DNS servers you contact and the IP addresses you visit. DNS doesn't go over HTTPS, so they will see every domain name your machine tries to access. They will also be able to tell how much traffic you send, and probably can guess what types of activities you are performing. The ports you use at the TCP level will give away what services you are using (ie, SSH, HTTP(S), POP3, etc) if you are using the standard ones. (They will likely be able to scan your machine and guess what sort of operating system you are running, but that's probably not concerning.)

  2. HTTPS encrypts the entire HTTP session. If your application/website is working purely over HTTP then it should be fully encrypted. The catch is that not all sites load all their resources over HTTPS and do some mix-and-matching with plain HTTP and HTTPS. This can lead to security issues such as injected malicious content and HTTPS downgrading. But whatever connections are actually established purely over HTTPS are completely opaque to the network sniffers (except for the destination IP). A secure web-based e-mail client should load completely over HTTPS and do all of it's e-mail/chat over HTTPS. I can't speak as to GMail's practices in specific, though.

  3. This is pretty complicated. In short, maybe. It depends on the security of your specific system. The will have the ability to address your operating system's network-facing functionality just like anyone else, so they can scan for and exploit services you have running and use that to get in. What's more, being on the same network as you, they will in a position to reroute any of your traffic that they want to. (HTTPS should protect against connecting to a fraudulent site, hopefully, assuming you don't click-through SSL warning prompts.) It's probably possible to properly prepare a machine that will be safe, but this is the very crux of computer security: How can you ever be completely certain there isn't some clever way to break in? No one knows for certain. The devil will really be in the details here.

  4. Putting all your network activity through a VPN is probably the safest way to use their network. All your network communication will be encrypted, regardless of the sites/services you use, and the destination of all your traffic will, from their perspective, be the same place. That's about the best you can hope for. As far as securing your actual laptop, all I can advise with this level of information is to follow best practices: Encrypt (or leave at home) the data you don't need exposed while there, disable all unnecessary services, update all security patches for your OS and software, and get a decent firewall. Again, the devil is in the details.

B-Con
  • 1,832
  • 12
  • 19
  • Thanks a lot; this information is very useful! I have to go over the first part again! Website login passwords are in particular a great concern. If they get your passwords, they do not need further interception anymore! – eli Feb 20 '13 at 23:47
4

There are a few factors here - the biggest being how actively is the 'competitor' trying to access your data?

Real World - 99% of the time, people aren't going to try and hack into your computer and possibly won't even be monitoring what you are doing. That doesn't mean you shouldn't take common sense precautions or rightfully ask about what's possible as you have done so. All I'm saying is these measures will only be needed in the minority of cases.

The other 1% of the time, they may be monitoring your traffic trying to see what you are doing, or casually probing your computer. This means they can view any information you send over any site that begins with http (logins, etc), ftp, see what sites you're visiting, etc. In other words treat anything that begins with http as insecure and assume they can see it. If it begins with https you're typically (within reason) safe, as this encrypts the information from your computer to the sever, so any information you send (emails etc) they can monitor - but they will only get scrambled garbage. Another thing to be careful of is poorly configured file sharing, it may be the case you've set up the ability for others to look at the files on your computer and possibly read / write to it. Be careful of this.

The 0.001% of the time, I'm talking you work for the US DoD and you're having a conference in China, you may be subjected to direct attacks. In this case pretty much all bets are off and depending on what you have running you could be completely safe - or they could gain complete control of your computer.

So given these levels, what can you do?

  • Assume nothing sent over http is safe, chances are it is, but assume it's not.
  • Use a VPN, this encrypts all information leaving your computer to an external server. Think of it as https for everything.
  • If you're getting into 0.001% territory, and you have something that's actually valuable on your computer the best option is just to not plug it in. Get a mobile modem or use some other method. Much less convenient, much more safe.

As with all security, there is no right answer. There is simply convenience on one side and security on the other. You have to slide along the scale to suit your needs.

Peleus
  • 3,827
  • 2
  • 18
  • 20
  • Great simple answers to simple questions! Wish I had enough privileges to vote up! How much does VPN slow down the traffic? Like you may watch youtube during your 1 week conference, video chat with wife, etc; not sure if VPN gets annoying in such traffic. – eli Feb 21 '13 at 00:00
  • For what you're referring to you have speed as in latency, and speed as in bandwidth. It terms of latency your ping times will typically increase a little, because instead of going directly to a requested IP you go via your VPN provider, wherever their gateway is located. This could be the other side of the country, or the other side of the world (useful for bypassing geo IP restrictions). In terms of bandwidth it depends on your provider. They typically you'll still be able to watch youtube etc fine, chat with the wife, but you might not get as fast downloads. – Peleus Feb 21 '13 at 00:04
  • Arguably, the mobile modem (these days more likely to be a 4G mobile Wi-Fi hotspot) is actually *more* convenient - no cable to run, no need to worry about re-configuring you system to work with their network, and (most importantly here, and of course presuming you're using strong security on the Wi-Fi side plus a VPN) effectively zero chance of the competitor having access to your traffic any easier than they would if you were in your own office. – Iszi Feb 21 '13 at 01:36
  • Highly recommend against the Wifi component if you're after security but yes, you're right in that it's convinent for light use - the type the OP describes. Only downside is a little added expense, but if you're looking for a decent VPN anyway.... – Peleus Feb 21 '13 at 04:06
  • @Peleus A properly secured mobile modem belonging to you is certainly more secure than connecting to an unknown network... –  Feb 21 '13 at 04:47
  • @Terry True, however adding a Wifi hotspot component is a horrible idea if security is your primary goal. Plug it in via usb! – Peleus Feb 21 '13 at 07:15