Travel Security for Techies

Our team had a wonderful time on our recent retreat. Athens displayed itself as a city with an interesting dichotomy of experiences: on one side, the noise everywhere, the chaotic traffic, the colorful streets and the contrasts between modern buildings and ancient ones.

On the other side we had our own internal struggles: the discussions, the review of our company values, the team-building activities and, of course, the work we did (or tried to do) while enjoying our stay there.

This last point is important not because of what we managed to achieve being there (we knew it was gonna be difficult to focus and get a lot of work done), but because of the tools we use to work and the simple act that precedes the usage of them: logging in and logging out.

Yes, yes, we have MFA and Google SSO and what-not, but it doesn’t mean we get to be sloppy. While a determined hacker could surely crack our defenses if given enough time, we should always be prepared to deal with the amateurs and opportunists who see us as virtual training to hone their skills and abilities (and maybe get some cash out of us).

Hence today’s topic: checking what measures we took, where we were right and where we were not.

First, let’s review one of the things some of us did to try and protect our privacy and data from sniffers and man-in-the-middle attacks: using VPNs.

What is a VPN and What Does it Do?

While we all know what VPN stands for (Virtual Private Network), it’s definitely good to review some concepts.

A VPN is an encrypted tunnel between your computer and a random server in the world. This server acts as the gateway between you and the websites you access. Whatever is around that tunnel cannot see what’s inside because what they see instead is a huge amount of gibberish and unintelligible data.

‍

‍

This means that your Internet Service Provider, the System Administrator behind the router or routers you’re connecting to, and anyone spying on your connection will see nothing they can use or steal.

I won’t go into details about the “random server” that is the end where your requests are processed, but the TLDR is that there’s a company that owns that server and if you’re paying for your VPN, they are liable if your data gets leaked from their end, so it is in their best interest that that doesn’t happen.

For more information about the technical details behind VPNs, see here and here.

Also, if you want to know if the VPN you’re currently using has “leaks”, you can check it out here.

‍

Does it work for us?

The short answer is: it depends.

For most members of our team who work through web apps, it is only an additional layer of protection as most of the sites they use (at least in Atlassian) have SSL certificates which encrypt data on browser level. So long as they do not need to access content that is geographically restricted or they do not access insecure sites without the padlock 🔒 on the address bar of the browser, all is well.

But for us developers, the case is different: we are often testing software and using our personal computers as servers to deploy apps and request resources with things like CURL or tools like Insomnia.

This means that if by any chance we omit using SSL, our data is completely naked and out for the world to see. In this case, a VPN gives us a necessary protection layer to both counter human error, and prevent data leaks.

Nevertheless, this is just one step. There’s another step that we should check.

The Hotel wifi’s Login Website

There’s a particular thing that I dislike about using login pages in public wifi: They can be loaded with all kinds of malware and even if the URL has the padlock🔒 we all love, the person behind the creation of that page might not be a benign entity.

While modern browsers can detect when a site tries to force us to download some malicious file, there’s a more pernicious type of attack in which all the attacker has to do to take control of your browser and see everything you do is wait until you open the website. There’s an entertaining and educational youtube video where a guy does exactly this using a tool called Beef.

A simple way to avoid this is by opening an incognito browser and navigating to the login page of any public wifi, login in and then closing that browser. Of course, common sense dictates that you DO NOT DOWNLOAD ANYTHING from any public wifi site and do not use the same browser window you used to login to navigate to other things, otherwise, the attacker can leave some nasty cookies that will make sure they have access to your browser at all times.

But what if you logged in using the same browser where you have a thousand tabs open, including mail, heroku, mongodb, Atlassian pages, etc? Well…

Time to Clear the Browser’s Cookies

Yep, it is time. Unfortunately, this means that all those previous searches, all those passwords saved and everything you did will be gone and you will have to log in again into every service you use. But on the bright side, you might end up clearing some space in your hard drive, plus, maybe all those tabs you had open were not really needed😁.

Now, this is a good opportunity to see what you’re actually using and what is just open because “you might need it later”. In that case, just copy the URL and save it somewhere else (your Slack personal space is a good candidate for that) and then open the link again once you’ve cleared everything.

Also, since you’ll have to log back in to everything it is also a good chance to review your passwords and authentication practices (don’t copy/paste passwords in weird places!).

That’s it from me! I’ll go through this annoying process myself just in case. Cheers! 👋