
doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
After years of being stuck in the "Dark Ages", I am strongly considering breaking down and getting a Wireless Data Plan with Verizon (or possibly another carrier).

Before I do this, though, I want to make sure I understand how the technology works, and that I am getting my expected outcome, that being...

What things do I need to do to have a totally *secure* wireless connection - while I am away from home - between my MacBook and the Internet??


Here is what I *think* I know...

1.) Buying a "Data Plan" with a Wireless Carrier (e.g. Verizon) will allow me to surf the Internet over an encrypted path to the Internet, so I shouldn't have to worry about "Man-in-the-Middle Attacks" that would be quite easy from the free, unsecured connections I often use at Panera, McDonalds, etc.

2.) If I choose to get a "Jet Pack" from Verizon, there is somewhat of a risk that I could be a victim of a "Man-in-the-Middle Attack", because the connection between my MacBook and the JetPack could be compromised. (Although I hear conflicting things about this?!) :confused:

3.) By instead choosing a "Wireless USB Modem", that should eliminate the possibility of a "Man-in-the-Middle Attack", because the connection from MacBook --> USB Modem would be solid, and the connection between the Wireless USB Modem and Verizon's Wireless Towers would be using some of the strongest encryption around in the industry.

Another advantage would be the fact that there wouldn't be the need to enter the Serial # plastered on the bottom of the Jet Pack, and thus someone couldn't piggyback onto my Data Plan.

-----------
In addition to these things, I'm not sure what other "Attack Vectors" may exist for Wireless Connections??


At any rate, I am hoping that the "experts" here at MacRumors can help me understand better how all of this technology works, if what I think I know is correct, and what other things I need to learn and consider.

Sincerely,


Debbie
 

flynz4

macrumors 68040
Aug 9, 2009
3,242
126
Portland, OR
Debbie,

I am not quite sure what a "jet pack" is. Is it a wireless hotspot like the older Verizon MiFi? Essentially... a portable hotspot so that you can connect your laptop to the Verizon LTE network?

If so... you can avoid the "man in the middle" issue by not letting anyone else onto your network. You do that by selecting a pretty strong security key.

1) Do not use WEP or even WPA. Use WPA2.
2) Use a long random passphrase. I use about 24 bits.

With that... it is very unlikely that someone will hack into your jetpack and steal your identity. The biggest threat (at open hotspots) is sidejacking... and the sidejacker needs to be signed into the same network as you.

If you want to be extra careful... you can use a VPN service. I use WiTopia. It costs about $70/year... but it gives me secure access as far as their servers. Hence... I can safely surf on a public hotspot, once I turn on the VPN.

/Jim
 

hallux

macrumors 68040
Apr 25, 2012
3,437
1,005
In my small amount of experience with them, the jetpacks (I believe they were previously MiFi) come pre-configured with a password-protected WiFi connection, requiring a password to connect to them. I do not know what (if any) encryption they have or use or if the device can be reconfigured by the purchaser.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
Debbie,

I am not quite sure what a "jet pack" is. Is it a wireless hotspot like the older Verizon MiFi? Essentially... a portable hotspot so that you can connect your laptop to the Verizon LTE network?

Sorry, yes, that is what I mean.

("Jet Pack" must be Verizon's term. Maybe the generic term is "Hot Spot"?)


If so... you can avoid the "man in the middle" issue by not letting anyone else onto your network.

But the crux of my OP was that I thought it might be possible for someone to do a Man-In-The-Middle attack between your Laptop and the Hotspot? (Whereas with a USB Modem, there is no "air" in between the two.)


You do that by selecting a pretty strong security key.

Can you explain to me how someone might hack the transmission between your Laptop and the Mobile Hotspot?


1) Do not use WEP or even WPA. Use WPA2.

Would I even have a choice in that with a Jet Pack? :confused:


2) Use a long random passphrase. I use about 24 bits.

My understanding is that Verizon puts the "password" to the Jet Pack on the device itself?!

Most people type (??) that in once, choose "Auto Log In" and never do anything again.

I would want to type in the "password" every time, but then there is the issue of *if* it is stuck on the body of the device, what do you do?!


It is also my understanding, that the worst that could happen if someone got a hold of your "password" would be to get a free Internet connection.

If, for example, you and I were at Starbucks, and I went to the bathroom, and while I was away, you turned over my Jet Pack, wrote down the "password" and then used it to log in, then while you were physically next to me, you would have free Internet, but once I left that "password" would be useless.

And Verizon reassured me (??) that even if that happened, it is not like you could see everything I typed and where I surfed, because 2 devices on one Jet Pack can't see what the other is doing...

Is that true?! :confused: :confused:



With that... it is very unlikely that someone will hack into your jetpack and steal your identity. The biggest threat (at open hotspots) is sidejacking... and the sidejacker needs to be signed into the same network as you.

Oops, you lost me there...


If you want to be extra careful... you can use a VPN service. I use WiTopia. It costs about $70/year... but it gives me secure access as far as their servers. Hence... I can safely surf on a public hotspot, once I turn on the VPN.

But if you use WiTopia from, say, McDonalds, don't you still have to worry about someone being able to see things? (Sorry, I am a super newbie on this topic!!)

Sincerely,


Debbie
 

flynz4

macrumors 68040
Aug 9, 2009
3,242
126
Portland, OR
My understanding is that Verizon puts the "password" to the Jet Pack on the device itself?!

Most people type (??) that in once, choose "Auto Log In" and never do anything again.

I would want to type in the "password" every time, but then there is the issue of *if* it is stuck on the body of the device, what do you do?!

I do not know specifics about that particular device. I used to have a MiFi by Verizon... and I currently have a hot spot by AT&T. Both came with a preconfigured passcode (written on the bottom)... but like any router, you can change that to the passcode of your choice.

I suspect that you do not re-type your passcode at home every time you connect to your home wireless network. This is exactly the same thing.

And Verizon reassured me (??) that even if that happened, it is not like you could see everything I typed and where I surfed, because 2 devices on one Jet Pack can't see what the other is doing...

This is where they are wrong. Two devices on the same network can see each other's traffic with simple hacking tools. The most common is called "sidejacking"... which will capture unencrypted authentication cookies... and then they can "be you" on sites that you frequent. The most common implementation is a Firefox plug-in called "Firesheep" written by a young man in Seattle who did this as a public service to teach everyone how simple it was to accomplish... and to shame websites into using SSL encrypted links (HTTPS vs HTTP). In the first few days... a million copies were downloaded. Pretty scary.

But if you use WiTopia from, say, McDonalds, don't you still have to worry about someone being able to see things? (Sorry, I am a super newbie on this topic!!)

If you use a VPN (like WiTopia)... then you are generally safe on public networks... at least from sidejacking by people sitting across the restaurant or out in their cars. Maybe not from unspecified government agencies... I really do not know.

Hope this helps.

/Jim
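Sidejacking as described above works because a session cookie crosses the network unencrypted. As an added example (not part of the thread), this Python check audits response headers for the conditions that allow that: cookies set over plain HTTP, cookies on HTTPS sites missing the Secure attribute, and HTTPS sites that send no HSTS header. The host names and header values are constructed samples.

```python
from urllib.parse import urlsplit


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_response(url, headers):
    """Return (host, subject, issue) tuples for one HTTP response.

    Issues reported:
      cleartext       cookie set on an http:// response, readable by anyone
                      who can see the traffic
      missing-secure  cookie set over https:// without the Secure attribute,
                      so the browser also attaches it to plain-HTTP requests
      no-hsts         https:// response without Strict-Transport-Security,
                      so the browser may still contact the host over HTTP
    """
    split = urlsplit(url)
    scheme, host = split.scheme.lower(), split.hostname
    findings = []
    has_hsts = False
    for header_name, header_value in headers:
        lowered = header_name.lower()
        if lowered == "strict-transport-security":
            has_hsts = True
        elif lowered == "set-cookie":
            cookie, attrs = parse_set_cookie(header_value)
            if scheme != "https":
                findings.append((host, cookie, "cleartext"))
            elif "secure" not in attrs:
                findings.append((host, cookie, "missing-secure"))
    # Browsers ignore HSTS sent over plain HTTP, so only judge HTTPS responses.
    if scheme == "https" and not has_hsts:
        findings.append((host, "*", "no-hsts"))
    return findings


def audit_all(responses):
    """Audit a list of {'url': ..., 'headers': [...]} records."""
    findings = []
    for response in responses:
        findings.extend(audit_response(response["url"], response["headers"]))
    return findings


# Constructed sample responses (not captured from real sites).
SAMPLE_RESPONSES = [
    {"url": "http://social.example/login",
     "headers": [("Set-Cookie", "session=abc123; Path=/")]},
    {"url": "https://mail.example/login",
     "headers": [("Set-Cookie", "sid=xyz789; Path=/; HttpOnly"),
                 ("Set-Cookie", "prefs=dark; Secure")]},
    {"url": "https://bank.example/login",
     "headers": [("Strict-Transport-Security", "max-age=31536000"),
                 ("Set-Cookie", "auth=t0k3n; Secure; HttpOnly; SameSite=Lax")]},
]

if __name__ == "__main__":
    for host, subject, issue in audit_all(SAMPLE_RESPONSES):
        print(f"{host:16} {subject:10} {issue}")
```

A VPN or a WPA2-protected hotspot hides these cookies from someone nearby, but only the site itself can remove the findings.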
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
I do not know specifics about that particular device. I used to have a MiFi by Verizon... and I currently have a hot spot by AT&T. Both came with a preconfigured passcode (written on the bottom)... but like any router, you can change that to the passcode of your choice.

I suspect that you do not re-type your passcode at home every time you connect to your home wireless network. This is exactly the same thing.

Well, at home I have always used a *wired* connection, so that doesn't apply.

I guess I am confused about what you are saying here and below.

Here you imply, "Don't worry about your passcode." But in the next paragraph, you describe how if you got onto my connection, you'd be able to see nearly everything I did, right?!

So think about this common scenario...

I am at McDonalds, using my new Verizon JetPack. You - being the nefarious one for this example - come in and sit down next to me. You are even friendly, and tell me that you like my new sweater. (It's purple!) Having worked up a thirst processing all of this information you guys are teaching me, I go up to the counter to get some more coffee. In the meantime, you reach over, flip over my JetPack, write down the passcode, and log in. I come back and go back to working online, and you now can see everything I do by "side-jacking"...

Again, I know nothing about security or wireless, but I know I was concerned last month when I was in a Verizon Wireless store and the kid helping me was like, "Oh yeah, they put your passcode right on the bottom of your device!"

Help me understand all of this...


This is where they are wrong. Two devices on the same network can see each other's traffic with simple hacking tools. The most common is called "sidejacking"... which will capture unencrypted authentication cookies... and then they can "be you" on sites that you frequent. The most common implementation is a Firefox plug-in called "Firesheep" written by a young man in Seattle who did this as a public service to teach everyone how simple it was to accomplish... and to shame websites into using SSL encrypted links (HTTPS vs HTTP). In the first few days... a million copies were downloaded. Pretty scary.

Wow!!!! :eek:

So how do I know if I am being "side-jacked"?! And more so, how can I prevent it from happening if I get a JetPack (with free passcode pasted on the side!!!)


If you use a VPN (like WiTopia)... then you are generally safe on public networks... at least from sidejacking by people sitting across the restaurant or out in their cars. Maybe not from unspecified government agencies... I really do not know.

Are there any competing technologies like WiTopia?

Why use that one versus others?

And how does that relate to "Hide My Ass" which someone mentioned to me on here last month?


Hope this helps.

/Jim

We are certainly making progress, but, BOY, is this stuff complicated?! :eek:

Thanks,


Debbie
 

thejadedmonkey

macrumors G3
May 28, 2005
9,155
3,265
Pennsylvania
I would look at getting a Synology NAS device. They're as low as $200, and can act as a VPN server as well as a backup device for your Mac.

Then when you connect to the internet while you're out and about, connect to any internet you want, even open WiFi at McDonald's. But before you do anything else, connect to your VPN that's hosted on the Synology box at your house. All of your internet browsing will be encrypted from your laptop wherever you are in the world, to your house. It will then use your home internet connection to connect to whatever website, and relay it back to your laptop via the Synology box.

As long as your Synology is connected to your modem via Ethernet, it's about as bulletproof as it comes.
 

Guiyon

macrumors 6502a
Mar 19, 2008
771
4
Cambridge, MA
So how do I know if I am being "side-jacked"?! And more so, how can I prevent it from happening if I get a JetPack (with free passcode pasted on the side!!!)

You don't and can't know if your connection is being sniffed, it's just someone else passively listening in on your connection. WiFi is not a point-to-point technology; each time you send something your wireless card is pretty much screaming out "HEY! AP! SEND A MESSAGE TO X!"

I wouldn't worry too much about having your traffic sniffed as long as you're using WPA/WPA2. The attacker would need to both get your shared key (the password you use to connect to the wireless router) and grab the 4-way handshake that occurs when you first connect to the wireless router. Not difficult for someone who's really determined but far better than the cluster that WEP was. Just make sure you're using SSL whenever working with sensitive data (look for the HTTPS and make sure your mail client is configured to use SSL or TLS).

As for the issues with the passcode on the side of the device: Don't leave your system unattended in public; if you do, you deserve whatever happens.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
I would look at getting a Synology NAS device. They're as low as $200, and can act as a VPN server as well as a backup device for your Mac.

Then when you connect to the internet while you're out and about, connect to any internet you want, even open WiFi at McDonald's. But before you do anything else, connect to your VPN that's hosted on the Synology box at your house. All of your internet browsing will be encrypted from your laptop wherever you are in the world, to your house. It will then use your home internet connection to connect to whatever website, and relay it back to your laptop via the Synology box.

As long as your Synology is connected to your modem via Ethernet, it's about as bulletproof as it comes.

What does that solution offer that WiTopia doesn't?

(Other than why buy hardware that I have to pay for and monitor when I can let someone like WiTopia do it for me?)


Debbie
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
I wouldn't worry too much about having your traffic sniffed as long as you're using WPA/WPA2. The attacker would need to both get your shared key (the password you use to connect to the wireless router) and grab the 4-way handshake that occurs when you first connect to the wireless router. Not difficult for someone who's really determined but far better than the cluster that WEP was.

Well, what about what I said in my OP Point #3?

If I had got a USB Wireless Modem like the Pantech UML290 (Verizon Wireless), then that should eliminate being hacked during the "wireless handshake", right?

By contrast, I really like this Verizon Jetpack 4G LTE Mobile Hotspot MiFi 5510L, but since there is AIR between it and my MacBook, maybe it isn't as secure?!


Also, the JetPacks have that whole SSID and Passcode thingy, whereas I don't believe the USB Wireless Modems have or need those...

Thoughts?


Just make sure you're using SSL whenever working with sensitive data (look for the HTTPS and make sure your mail client is configured to use SSL or TLS).

How much would having a Personal VPN like WiTopia help?

My understanding is that having a Personal VPN would help me in the area of *privacy*, and getting some kind of Data Plan with Verizon (or whoever) would help me in the area of *security*.

But I am wondering if the *combination* of the two would somehow make it harder for someone to "sniff" my Internet connection and cause trouble?

(All of this is so unnerving, because you can't easily see or understand it?! If I was creating a program, I'd know pretty easy if my code wasn't working, but I wonder how anyone ever really knows if they are "secure" online...)


As for the issues with the passcode on the side of the device: Don't leave your system unattended in public; if you do, you deserve whatever happens.

That's not realistic...

What, you've never been on-the-road and needed to use the restroom?

My laptop is always cabled to a table or pole, and I use OS-X's "Screen-Saver Lock" to attempt to keep people off of my MacBook - although I question how secure that is?!

As long as I could re-set the Passcode and make sure there wasn't some obvious label stuck to the side of my JetPack, don't you think that is reasonable enough - except when I visit that cafe in Turkey... ;)

Sincerely,


Debbie
 

thejadedmonkey

macrumors G3
May 28, 2005
9,155
3,265
Pennsylvania
What does that solution offer that WiTopia doesn't?

(Other than why buy hardware that I have to pay for and monitor when I can let someone like WiTopia do it for me?)


Debbie

WiTopia isn't free, so you're saving the cost of the monthly/annual bill, although they provide support so it's a toss up, depending on how comfortable you feel with doing it yourself.

But the other advantage is that you have a backup of your stuff. Most people don't have a backup, so this kills 2 birds with 1 stone. Also, I'd rather trust my own equipment than someone else's, but that's just personal preference.
 

flynz4

macrumors 68040
Aug 9, 2009
3,242
126
Portland, OR
I am at McDonalds, using my new Verizon JetPack. You - being the nefarious one for this example - come in and sit down next to me. You are even friendly, and tell me that you like my new sweater. (It's purple!) Having worked up a thirst processing all of this information you guys are teaching me, I go up to the counter to get some more coffee. In the meantime, you reach over, flip over my JetPack, write down the passcode, and log in. I come back and go back to working online, and you now can see everything I do by "side-jacking"...

Debbie,

You have lots of questions that need to be answered, and understood in order before you move forward. The bolded section of your post above is the first thing you need to get your head around.

Let's assume you get a new MiFi... and the default wireless SSID is "MiFi-1234" and the default passcode which is written on the bottom of the device is 1234.

When you turn on your computer and MiFi... you will see a network named "MiFi-1234" and if you try to connect to it, it will ask you for a passcode and you will type in 1234 and you will be connected to the network.

At this point, you go into setup... and you rename the device to have a new network name. You set it to Debbies-MiFi.

Now if you were to start your computer and MiFi, then you would see a network called "Debbies-MiFi", and if you connect to it, you would type 1234 as the passcode.

Now obviously... this is still not good... so you would then go back into setup, and you would set your passcode to something tougher... such as p9DPDJ=T+m2adjBvMDwYagvo

Now... when you log into your network... you would connect to "Debbies-MiFi" and for the passcode, you would type: p9DPDJ=T+m2adjBvMDwYagvo and it would be preferable if you told your computer, iPad, or whatever to remember this passcode. Note that p9DPDJ=T+m2adjBvMDwYagvo is not written on the bottom of your device. The default is now no longer active. Hence nobody else can connect to your wireless network... unless they cracked that 24 character code... which I suspect would never occur... unless you spent decades sitting in the same McDonalds.

You would also set a "basestation Name + basestation password" to the device... so that nobody else could change your settings.

Note that on the MiFi... there is probably a reset button... which would reset the machine back to the state as when you first bought it. However... if someone was to reset it (while you were in the bathroom)... then you would instantly know, because your computer would no longer connect... so you would still be safe.

If you are not sure about the above... then do not read any further... just re-read the above to full comprehension before going further.

Regarding VPNs (like WiTopia)... there are many competing companies. I chose WiTopia because when I researched... they seemed to come up on top... and was highly recommended by several seemingly unrelated sources... including two journalists in which I have moderate trust. So I tried them, and found them easy enough to use.

If you use a VPN... then you can connect to public networks. The VPN will encrypt all of your data... and send it to the VPN company which will then forward your requests over the net. There is a small performance penalty most of the time... but it is usually negligible. Nothing to worry about.

I do have a MiFi equivalent... and I also have a VPN. I NEVER attach to a public hotspot without using a VPN. NEVER. It is too easy to be sidejacked.

I generally do not use a VPN when I am using my MiFi because I am impervious to being sidejacked. It would probably be better to use both concurrently (for other unknown reasons)... but MiFi devices are fairly slow (the cell phone networks are generally not great)... and I do not want the double whammy of a slow telco connection plus a VPN slowing it down more.

One final thing. Ignore the comment someone made about suggesting setting up a personal VPN at home by using a NAS. I do not think that is great advice. It is sort of like asking someone for the time... and being told how to build a clock. You do not need that complication in your technical life at this point.

Hope this helps.

/Jim
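The walkthrough above changes both the network name and the passcode. As an added example (not part of the thread and not Verizon's code), this Python sketch generates a 24-character passphrase and derives the WPA2-Personal key the way the standard defines it, with the SSID acting as the salt, so both changes alter the key. The alphabet and the 8-digit stand-in for a factory default are constructed for illustration.

```python
import hashlib
import math
import secrets
import string

# Constructed alphabet for generated passphrases: 66 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + "=+-_"


def validate_passphrase(passphrase):
    """WPA/WPA2-Personal accepts 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def generate_passphrase(length=24):
    """Draw each character from the OS CSPRNG, not from the random module."""
    candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
    validate_passphrase(candidate)
    return candidate


def entropy_bits(length, alphabet_size):
    """Entropy of a passphrase whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def derive_psk(passphrase, ssid):
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    # Constructed stand-in for a printed factory default: 8 random digits.
    print(f"8 random digits:       {entropy_bits(8, 10):6.1f} bits")
    print(f"24 random characters:  {entropy_bits(24, len(ALPHABET)):6.1f} bits")

    passphrase = generate_passphrase(24)
    print("new passphrase:", passphrase)

    # Same passphrase, different SSID, different key: renaming the network
    # away from a vendor default means a key table precomputed for the
    # default name does not apply to it.
    for ssid in ("MiFi-1234", "Debbies-MiFi"):
        print(f"{ssid:13} ->", derive_psk(passphrase, ssid).hex())

    # A four-character passcode is refused by the length rule.
    try:
        derive_psk("1234", "MiFi-1234")
    except ValueError as err:
        print("rejected:", err)
```

The key is derived on the laptop and on the hotspot from the same two inputs, so having the computer remember the passphrase does not weaken it.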
 

hallux

macrumors 68040
Apr 25, 2012
3,437
1,005
Not to mention that you don't need to leave the MiFi device on the table in order to use it, you can stuff it in a bag or pocket once it's turned on unless you need to leave it on the table as some kind of status thing.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
Jim (and others),

First off, THANKS for your patience in trying to teach me new things!! (Sorry for all of the questions, but I'm a newbie in this area...)


Debbie,

You have lots of questions that need to be answered, and understood in order before you move forward. The bolded section of your post above is the first thing you need to get your head around.

I understand that *in theory*, but I also know the *reality* of being away from home.

Would I leave my MacBook unattended in an airport or Grand Central Station? Of course not!

But would I momentarily leave my cabled and screen-saver locked MacBook at the local library in Mankato, MN? Yes...

Is that "ideal"? No. Is it a fair compromise between "security" and "living"? I personally think so.

In an ideal world, I would have a wired, cabled desktop at home, behind a steel door. But the reality is I am away from home most of the year, and when I'm at Panera in Average-Town USA, it isn't practical to shut down my laptop, go outside, lock it in the trunk - which creates new issues - then run back inside to go to the bathroom, and then start the process again... (No sarcasm, just describing "real" life...)

Anyways...


Let's assume you get a new MiFi... and the default wireless SSID is "MiFi-1234" and the default passcode which is written on the bottom of the device is 1234.

When you turn on your computer and MiFi... you will see a network named "MiFi-1234" and if you try to connect to it, it will ask you for a passcode and you will type in 1234 and you will be connected to the network.

At this point, you go into setup... and you rename the device to have a new network name. You set it to Debbies-MiFi.

(Lots of questions to follow...) :eek:

1.) Not to turn you into "Verizon Support", but how likely is it that the "Verizon Jetpack 4G LTE Mobile Hotspot MiFi 5510L" that I have been eyeing would allow that?

All the teeny-bopper kids at Verizon have told me that "You can reset the passcode on your JetPack, but it is EXTREMELY difficult, and requires our Tech Support to help you out. You wouldn't want to go there..."


2.) I have heard from different people at Verizon - and one really angry blogger - that - at least in the past - when you get your new JetPack, you cannot manage anything online UNTIL Verizon - in their infinite wisdom - MAILS YOU a Passcode Letter to your home, and then you have to use that to set up your online account. The blogger said this took like 4-6 weeks...

I've had several Verizon people verify this, and yet an equal amount say, "Oh, no, we can set you up in the store!"

And that fact would be a real worry for me, considering that I am 2,000 miles away from home right now, and won't be heading back anytime soon...

Any Verizon customers out there that can prove/disprove this horror-story??

(One thing that makes me *cringe* about Verizon is the fact that if you ask 50 people - including managers - anything, you'll get 60 different answers...) *sigh*


3.) From my limited research, it seems like most people say "Your SSID is designed to be 'public knowledge', so don't worry what it is..."

Agree? Disagree?


Now if you were to start your computer and MiFi, then you would see a network called "Debbies-MiFi", and if you connect to it, you would type 1234 as the passcode.

Now obviously... this is still not good... so you would then go back into setup, and you would set your passcode to something tougher... such as p9DPDJ=T+m2adjBvMDwYagvo

Again, maybe a question you can't personally answer, but...

4.) What are the chances that I could actually change the JetPack Passcode? (The Verizon Sales people tried to scare me off from wanting to do this. The same ones that said, "The worst thing that could happen if someone got your passcode is that they'd get free Internet while sitting next to you.")

You would think you would treat the JetPack's passcode the same way you'd treat your password to any important online account...
- Kept secret
- Strong password
- Change regularly

Right?


Now... when you log into your network... you would connect to "Debbies-MiFi" and for the passcode, you would type: p9DPDJ=T+m2adjBvMDwYagvo and it would be preferable if you told your computer, iPad, or whatever to remember this passcode. Note that p9DPDJ=T+m2adjBvMDwYagvo is not written on the bottom of your device. The default is now no longer active. Hence nobody else can connect to your wireless network... unless they cracked that 24 character code... which I suspect would never occur... unless you spent decades sitting in the same McDonalds.

Okay, on one hand, that all makes good sense. But on the other hand...

5.) Are you sure it is a good idea to create some really complex passcode, only to then set things as 'Log in automatically'? :confused:

I mean, wouldn't it be better to create a "secure passcode" that I could remember, but have to type in each time?


6.) Any idea how you type in the passcode on the JetPack? (It doesn't have a keypad, right?!)

7.) Assuming there is a way to type things in, would creating a Pass-Phrase that I type in every time, e.g. "MacRumors*Is*My*#1*Site"


You would also set a "basestation Name + basestation password" to the device... so that nobody else could change your settings.

You totally lost me here.

8.) What are those??

9.) And what about the "Admin Username" and "Admin Passcode" I have heard about? How do they relate to all of this?


Note that on the MiFi... there is probably a reset button... which would reset the machine back to the state as when you first bought it. However... if someone was to reset it (while you were in the bathroom)... then you would instantly know, because your computer would no longer connect... so you would still be safe.

What about from the reverse...

10.) If my JetPack was compromised, and a hacker signed in, is there any way I'd know this, or would they be logged and "surfing in the shadows" unbeknownst to me?!


If you are not sure about the above... then do not read any further... just re-read the above to full comprehension before going further.

I think you did an excellent job explaining things. And I have definitely learned some new things, so thanks!!

(Of course, I had a *few* follow-up questions, too...) :eek:


Regarding VPNs (like WiTopia)... there are many competing companies. I chose WiTopia because when I researched... they seemed to come up on top... and was highly recommended by several seemingly unrelated sources... including two journalists in which I have moderate trust. So I tried them, and found them easy enough to use.

Yeah, they seem like a good place to start.


If you use a VPN... then you can connect to public networks. The VPN will encrypt all of your data... and send it to the VPN company which will then forward your requests over the net. There is a small performance penalty most of the time... but it is usually negligible. Nothing to worry about.

Okay.


I do have a MiFi equivalent... and I also have a VPN. I NEVER attach to a public hotspot without using a VPN. NEVER. It is too easy to be sidejacked.

Yep, I got that message crystal clear.


I generally do not use a VPN when I am using my MiFi because I am impervious to being sidejacked. It would probably be better to use both concurrently (for other unknown reasons)... but MiFi devices are fairly slow (the cell phone networks are generally not great)... and I do not want the double whammy of a slow telco connection plus a VPN slowing it down more.

Okay.


One final thing. Ignore the comment someone made about suggesting setting up a personal VPN at home by using a NAS. I do not think that is great advice. It is sort of like asking someone for the time... and being told how to build a clock. You do not need that complication in your technical life at this point.

Yeah, I felt the same way when I read that. (Way over my competency level, and probably little or no savings.)


Hope this helps.

/Jim

Yes, all of this opens up a new world to me.

I can't believe I have been so ignorant (and cheap) for so long, but "Better late than never!!"

Look forward to your replies...

Sincerely,


Debbie
 

flynz4

macrumors 68040
Aug 9, 2009
3,242
126
Portland, OR
From the Verizon support pages for your proposed device:

Wireless Network Security Settings - Verizon Jetpack™ 4G LTE Mobile HotSpot – MiFi® 5510L

  1. Access the Administration Web Interface.
  2. From the left menu, click Jetpack Settings.
  3. From the Wi-Fi tab, configure Wi-Fi settings as desired:
     Depending upon the selected security type, available options may vary.
       • Display Wi-Fi Name
         Enabled when the adjacent switch is set to ON.
       • Display Wi-Fi Password
         Enabled when the adjacent switch is set to ON.
       • Wi-Fi name
       • 802.11 Mode
           - 802.11b + 802.11g + 802.11n
           - 802.11g + 802.11n
           - 802.11b + 802.11g
           - 802.11n only
           - 802.11g only
           - 802.11b only
       • Security
           - None
           - WPA2 Personal/PSK
           - WPA/WPA2 Mixed Mode
       • Wi-Fi password
         If the Wi-Fi Password is changed, the network settings on the computer must be updated. For assistance, select the appropriate operating system:
           - Macintosh OS X
           - Windows 8
           - Windows 7
           - Windows Vista
           - Windows XP
       • Maximum Wi-Fi connected devices (1-10)
       • Broadcast Wi-Fi name
         Enabled when a check mark is present.
       • Wi-Fi privacy separation
         Enabled when a check mark is present.
       • Wi-Fi Multimedia (WMM)
         Enabled when a check mark is present.
       • Channel (Automatic, 1-11)
       • Wi-Fi range
           - Short range - longer battery life
           - Long range - shorter battery life
  4. Click Save Changes (located in the lower-right).

The bolded lines top to bottom:

  • Display WiFi password: This will inhibit your new passcode from being displayed on the screen
  • WiFi name: This is your new SSID... this is the name of the wireless network that you will attach to. You set it to whatever you want "Debbies-MiFi"
  • WPA Personal/PSK - This is the security that you want to select
  • WiFi Password - this is where you set a long complex WiFi passcode
  • Maximum devices - If you set this to 1... then nobody else can connect to your device once you are connected. Personally, I think this is unnecessary... and at a minimum you would want to set it to the number of devices you might use such as laptops, iPads, etc.

As you can see... you can indeed set up secure networks. It would have to be this way, otherwise the device would be very insecure and useless.


/Jim

----------

3.) From my limited research, it seems like most people say "Your SSID is designed to be 'public knowledge', so don't worry what it is..."

You would think you would treat the JetPack's passcode the same way you'd treat your password to any important online account...
- Kept secret
- Strong password
- Change regularly

Right?

Are you using 1Password? If not... highly recommended. To answer those questions... Yes, VERY STRONG Auto-generated, No... set it and forget it.

5.) Are you sure it is a good idea to create some really complex passcode, only to then set things as 'Log in automatically'? :confused:

Yes. It is better to have it locked in your keychain (this is what OSX does) than type it in every time. Someone can watch you type (as an example)

I mean, wouldn't it be better to create a "secure passcode" that I could remember, but have to type in each time?

No

6.) Any idea how you type in the passcode on the JetPack? (It doesn't have a keypad, right?!)

Via your computer... you set everything via your computer

7.) Assuming there is a way to type things in, would creating a Pass-Phrase that I type in every time, e.g. "MacRumors*Is*My*#1*Site"

No... use auto generated Passwords

I put comments inline above.

Finally.... there is a different place where you set the actual password for the device... which enables you to go in and adjust these settings. You would want a different complex password for device access as well. That could be stored in your "1Password" vault... along with the rest of your other passwords... a different one for each site.

/Jim
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
Wow, this will be a tricky one to respond to so everyone can follow the conversation!!


-------------------
6.) Any idea how you type in the passcode on the JetPack? (It doesn't have a keypad, right?!)

Via your computer... you set everything via your computer

Display WiFi password: This will inhibit your new passcode from being displayed on the screen

So, based on what has been said, let me summarize and see if I have this down...

- It is possible to make it so the SSID doesn't show on the JetPack.

- It is possible to make it so the Passcode doesn't show on the JetPack.

- If I change the default SSID and Passcode, and make sure there are no labels identifying things on the JetPack, then there would be no physical way for a stranger to look at the device and get my SSID and Passcode, right?


-------------------
WPA Personal/PSK - This is the security that you want to select

I thought "WPA2" was the most secure??


-------------------
Are you using 1Password? If not... highly recommended.

Sounds like a complicated topic, and one I'm sure I'd be opposed to, but we can debate that in another thread... ;)


-------------------
to answer those questions.. Yes, VERY STRONG Auto-generated, No... set it and forget it.


5.) Are you sure it is a good idea to create some really complex passcode, only to then set things as 'Log in automatically'?

yes. It is better to have it locked in your keychain (this is what OSX does) than type it in every time. Someone can watch you type (as an example)

- Any idea of the limitations of setting a Passcode on the JetPacks? (e.g. Can you create a "Pass-Phrase" that is super long?)

- Why is it better to create a strong Passcode and set things to "Remember my Passcode" and never log in again?

(Isn't that like never logging out of your computer or e-mail or online bank account?)


No... use auto generated Passwords

Why do you say that?

Everything I have read says that if you choose a L-O-N-G Pass-Phrase that is also complex, for example...

"I Once Watered My Cactus Too Much And It Died ;("

...then you are extremely safe?!


And since you are telling me that all of this is done from the comfort of my browser, and once it is typed in, just use "Auto Sign-In", then I don't see the advantage of using an auto generated Passcode?!


-------------------
Maximum devices - If you set this to 1... then nobody else can connect to your device once you are connected. Personally, I think this is unnecessary... and at a minimum you would want to set it to the number of devices you might use such as laptops, iPads, etc.

I would leave this at "2".


-------------------
If you don't mind, here are some questions you skipped in your last response...

- I have heard from several sources that you cannot manage your JetPack and/or Data Usage until you get a snail-mail "Pin Letter" from Verizon, which is sent to your home address.

True?


You would also set a "basestation Name + basestation password" to the device... so that nobody else could change your settings.

You totally lost me here.

Are you talking about the "Admin" Username and Password?

What purposes do those serve relative to your JetPack SSID and Passcode?


- If my JetPack was compromised, and a hacker signed in, is there any way to figure this out?


Okay, thanks for all of the help so far!!!

Sincerely,


Debbie
 

DoFoT9

macrumors P6
Jun 11, 2007
17,586
98
London, United Kingdom
I'm going to chime in here, I think this thread has addressed a lot of things - most notably awareness (which I am all for!) of security when in public spaces, so it's good to see some educated input for this topic.

I must say though, I think this is a little excessive in discussion. I appreciate that users will want a secure connection with them when in public - absolutely, but I think that it's no different than when in your home when connected via your WiFi network (where somebody in a car could quite easily attack your property).

I say this for a number of very simple reasons, those of which I won't elaborate on right now:
1. Timeframe: In a public environment (cafe, McDonalds, etc) there is not an excessive amount of time to firstly crack a WiFi network password, and then do anything with it. If one was to combine 4 5970ATi GPUs (pretty powerful GPUs mind you), and try to brute force attack a 10 key passphrase, it would take about 95,000 years. This time can be brought down by using learned code, dictionaries, and specialised attacks, but it's still a VERY long time - certainly not going to happen during a coffee break! (Note: I'm not forgetting pre-shared key info, handshake info, etc)

2. Cracking WiFi != magical access. It's not like once they have your SSID + passphrase the attacker can magically access your computer, or steal your bank details. ALL they can really do is watch (the now unencrypted) packets travel around the network, which might not all be seen anyway! (any HTTPS based websites will still be encrypted traffic anyway).

So, a lot of in-depth conversation CAN be had, but I think some common sense is required here otherwise it's just worry for nothing. My tips:
- Choose a WPA2 password that is over 10 characters in length, change it periodically if you so desire.
- Choose a secure workstation password over 8 characters in length.
- Enable a shortcut, hotcorner or 1 minute timeout screensaver for your computer, so if you do move away you can easily lock the screen (and any attackers)
- & enable GPS tracking on your laptop/phone/devices

I think, really, as long as you're logically safe with your access, then no others can touch you. There will always be somebody around with an unsecured network, or somebody joined to the free McDonalds WiFi who will be attacked. Stress less, I say!
 

flynz4

macrumors 68040
Aug 9, 2009
3,242
126
Portland, OR
I thought "WPA2" was the most secure??

My mistake. Yes... you want WPA2. I thought that is the option that I selected.

The bottom line is that it is inconceivable that the device does not allow you to change the passcode. That would be like buying a new computer that came with a preset password that was printed on the bottom and was unchangeable. It just is not going to happen.

You are overthinking this. It is really quite simple. The system is secure.

The device has a password in order to access the settings of the device. You can (and should) change it.
The device allows you to set the SSID
The device allows you to set the passcode associated with that SSID

That is all you really need to do.

As far as password strength... start a new thread. The common wisdom is that you are best off with random generated passwords that are unique for each site. There are many reasons for this. The common wisdom is that using a password manager is a very smart thing to do. By far... the most common, and most trusted password manager is 1Password. You will hear differing opinions... most are noise.

/Jim

----------

1. Timeframe: In a public environment (cafe, McDonalds, etc) there is not an excessive amount of time to firstly crack a WiFi network password, and then do anything with it. If one was to combine 4 5970ATi GPUs (pretty powerful GPUs mind you), and try to brute force attack a 10 key passphrase, it would take about 95,000 years. This time can be brought down by using learned code, dictionaries, and specialised attacks, but it's still a VERY long time - certainly not going to happen during a coffee break! (Note: I'm not forgetting pre-shared key info, handshake info, etc)

In general, I agree with your post. There are a few exceptions. In a place like McDonalds, Starbucks, etc... the network connection is either open... or they give out the passcode to every customer who asks. Hence... no hacking is necessary. That is why I always use a VPN if on a public network. No exceptions.

At that point, the would-be attacker is on the same network as you and you are at risk for sidejacking.

I also think that you are not being conservative enough with password length. My understanding is that with the advent of GPUs... much longer passwords are necessary. In any case... using a password manager makes long password length a non issue. It is no harder to have a longer more complex password than a short, more easily compromised password.

/Jim
 

viktormadarasz

macrumors member
Jun 15, 2010
47
0
Madrid,Spain
Personally I use VPN to connect back to my home over the internet while I am away... I consider it the securest method / way I can think of.

After years of being stuck in the "Dark Ages", I am strongly considering breaking down and getting a Wireless Data Plan with Verizon (or possibly another carrier).

Before I do this, though, I want to make sure I understand how the technology works, and that I am getting my expected outcome, that being...

What things do I need to do to have a totally *secure* wireless connection - while I am away from home - between my MacBook and the Internet??


Here is what I *think* I know...

1.) Buying a "Data Plan" with a Wireless Carrier (e.g. Verizon) will allow me to surf the Internet over an encrypted path to the Internet, so I shouldn't have to worry about "Man-in-the-Middle Attacks" that would be quite easy from the free, unsecured connections I often use at Panera, McDonalds, etc.

2.) If I choose to get a "Jet Pack" from Verizon, there is somewhat of a risk that I could be a victim of a "Man-in-the-Middle Attack", because the connection between my MacBook and the JetPack could be compromised. (Although I hear conflicting things about this?!) :confused:

3.) By instead choosing a "Wireless USB Modem", that should eliminate the possibility of a "Man-in-the-Middle Attack", because the connection from MacBook --> USB Modem would be solid, and the connection between the Wireless USB Modem and Verizon's Wireless Towers would be using some of the strongest encryption around in the industry.

Another advantage would be the fact that there wouldn't be the need to enter the Serial # plastered on the bottom of the Jet Pack, and thus someone couldn't piggyback onto my Data Plan.

-----------
In addition to these things, I'm not sure what other "Attack Vectors" may exist for Wireless Connections??


At any rate, I am hoping that the "experts" here at MacRumors can help me understand better how all of this technology works, if what I think I know is correct, and what other things I need to learn and consider.

Sincerely,


Debbie
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
I say this for a number of very simple reasons, those of which I won't elaborate on right now:
1. Timeframe: In a public environment (cafe, McDonalds, etc) there is not an excessive amount of time to firstly crack a WiFi network password, and then do anything with it. If one was to combine 4 5970ATi GPUs (pretty powerful GPUs mind you), and try to brute force attack a 10 key passphrase, it would take about 95,000 years. This time can be brought down by using learned code, dictionaries, and specialised attacks, but it's still a VERY long time - certainly not going to happen during a coffee break! (Note: I'm not forgetting pre-shared key info, handshake info, etc)

Agreed.

Also, I don't have the source handy now, but everything I have read says that LENGTH is the key to safe passwords in this day and age.

It is better to have an easier-to-remember "Pass-Phrase" that is 15-20 normal characters in length, than a 1 Uppercase, 1 Lowercase, 1 Number, 1 Special Character Password that is 8-10 characters in length.

In addition, based on my limited networking and security knowledge, I think where a person - at McDonalds - needs to be more concerned is a.) Walking away from the JetPack, and b.) the initial "handshake" to connect to Verizon's Network. (The second one still has me paranoid, because *true* hackers would go after that stuff...)


2. Cracking WiFi != magical access. It's not like once they have your SSID + passphrase the attacker can magically access your computer, or steal your bank details. ALL they can really do is watch (the now unencrypted) packets travel around the network, which might not all be seen anyway! (any HTTPS based websites will still be encrypted traffic anyway).

Again, I'm not a security expert here, but my understanding is that if you are "Side-Jacked", then it is the same as being hacked over Free Wi-Fi.

That is to say that if you got on to my Verizon JetPack, then you could easily start monitoring all of my Data Packets (i.e. communications) and could easily get things like Emails, Username, Passwords, Account Info, etc.

And the hacker might even be able to "intercept" things like a Username/Password before it goes over an HTTPS connection. (Unverified.)

At any rate, I think my "paranoia" about protecting my Verizon JetPack connection is totally warranted. Hey, think of it this way... I am a road-warrior and also trying to start my own business, and while I have a life beyond my computer - that so few Americans do - I also have a significant portion of my life on my laptop!! (So why take *any* risks?!)

BTW, I am going to take flynz4's advice and buy a Personal VPN (e.g. WiTopia) in the next few days... :apple:


So, a lot of in-depth conversation CAN be had, but I think some common sense is required here otherwise it's just worry for nothing. My tips:
- Choose a WPA2 password that is over 10 characters in length, change it periodically if you so desire.

Agreed.


- Choose a secure workstation password over 8 characters in length.

Agreed.


- Enable a shortcut, hotcorner or 1 minute timeout screensaver for your computer, so if you do move away you can easily lock the screen (and any attackers)

I already do this. (Although I do question How Secure my OS-X Screen-Saver is??)


- & enable GPS tracking on your laptop/phone/devices

How do I do that?

I don't own a cellphone.

Is there a way to set-up GPS Tracking on my JetPack??

And how would I do that on my MacBook?


I think, really, as long as you're logically safe with your access, then no others can touch you. There will always be somebody around with an unsecured network, or somebody joined to the free McDonalds WiFi who will be attacked. Stress less, I say!

I appreciate your advice, but I think it is better to "over-worry" and be safer, than to "chill out" and get burned.

For instance, I have talked with over 30 people at Verizon Stores and on the phone, including Customer Service, Sales, newbies, people doing this for over a decade, Managers, etc.

And guess what?

90% of the advice I got was wrong!! (Big shock coming from *anyone* working in retail...)

Had I just accepted what people told me, I would have been very misinformed, and not very secure!

Fortunately, I am persistent, and have kept researching things, and obviously found some very smart people here, which in the end has made me more secure.

So while I agree with your advice about chilling out on Passcode complexity, I think there are things like Side-Jacking that one needs to be very careful to prevent. (I think WiTopia solves most of that issue?!)

Thanks for all of your advice!!!


Debbie
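The passphrase questions argued in the posts above (the brute-force time estimate, length versus complexity, and how long a Wi-Fi passphrase may be), worked through as an added example that is not part of any poster's message. WPA2-Personal accepts 8 to 63 printable ASCII characters and derives its key from the passphrase and the SSID with PBKDF2-HMAC-SHA1; the guess rate below is an assumed figure, not the thread's hardware, and the bit counts hold only for randomly generated passphrases.

```python
import hashlib
import math

WPA2_ITERATIONS = 4096   # fixed by the WPA2-Personal key derivation
PMK_BYTES = 32           # 256-bit pairwise master key
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def validate_passphrase(passphrase: str) -> None:
    """WPA2-Personal passphrases are 8..63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2 pairwise master key. The SSID is the salt, so the
    same passphrase on a differently named network gives a different key."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               WPA2_ITERATIONS, PMK_BYTES)


def random_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of a passphrase whose symbols are each chosen uniformly at
    random. A sentence a person makes up has far fewer bits than this."""
    return symbols * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second: float) -> dict:
    """Bits and exhaustive-search years for a few generation schemes."""
    schemes = {
        "8 random printable characters": random_bits(8, 94),
        "10 random printable characters": random_bits(10, 94),
        "20 random lowercase letters": random_bits(20, 26),
        "6 random words from a 7776-word list": random_bits(6, 7776),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    ASSUMED_RATE = 1_000_000  # guesses per second: an assumption for illustration
    for name, (bits, years) in compare(ASSUMED_RATE).items():
        print(f"{name:40s} {bits:6.1f} bits  {years:.2e} years")
    # Constructed passphrase; the SSID is the example name used in the thread.
    pmk = derive_pmk("constructed-example-passphrase", "Debbies-MiFi")
    print("PMK:", pmk.hex())
```
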
 

flynz4

macrumors 68040
Aug 9, 2009
3,242
126
Portland, OR
That is to say that if you got on to my Verizon JetPack, then you could easily start monitoring all of my Data Packets (i.e. communications) and could easily get things like Emails, Username, Passwords, Account Info, etc.

And the hacker might even be able to "intercept" things like a Username/Password before it goes over an HTTPS connection. (Unverified.)

Debbie...

Any traffic that goes out using HTTPS is secure and cannot be "locally - sniffed" by common means. Likewise... once you establish a connection to your VPN, everything is encrypted locally, so all of your traffic is also "locally - unhackable".

By the way... the person who invented the "fire sheep" plugin for Firefox did so as a "public service". Millions of copies were downloaded... and it became obvious that anyone... with just a few clicks could assume the identity of anyone else on a public network... depending upon which applications the "victim" was using.

Some of the more prominent at the time were Facebook, hotmail, etc. If you were sitting at a computer in McDonalds, Starbucks, or your hotel room... anyone else on the network who was running FireSheep could see who else was on the network, and which (non-https) applications they were running. With a single click, they could be in your Facebook account (along with you)... and they would be "you". Even if you closed (but not logged out of) Facebook, they could continue to be you long after you left McDonalds. They could do anything they wanted... send malicious information to your friends, change/view your personal information, etc. In your email account, things get worse. They could change your settings to forward a copy of every incoming email to an account they control. In other applications (I'm not sure which)... they could turn on your webcam to view you (think about that next time you step out of the shower in your hotel room).

In response... companies like Facebook have changed to use HTTPS for all pages (not just login)... so they are now safe. Banks were already safe. It was amazing that some email services were not. Slowly but surely, companies are closing the HTTP security holes... but it may take many years. This is why I will use a VPN whenever on a public hotspot.

The local "on your local network" is by far the greatest threat while traveling. Nothing talked about here protects you from many other ways of hacking out on the internet backbone, within the firewalls of corporations that manage your data (banks, stores, etc)... or many other means. However, protecting your local connection is important... and you are taking it seriously. Maybe too seriously... but still OK.

/Jim
 

flynz4

macrumors 68040
Aug 9, 2009
3,242
126
Portland, OR
Personally I use Vpn to connect back to my home over the internet while I am away..I consider it the securest method / way I can think of.

This is a good approach. I still prefer to pay for a service. Your method relies on your home equipment being operational... along with the complexity of managing it. While away, if your home had a power failure, internet service outage, or a computer crash... or any number of other things... then you are without VPN service.

For very occasional use... it is absolutely fine... and in the long run, it is probably cheaper than using a service. However, the services are so inexpensive now... and their reliability is so good... that I prefer paying for the services.

/Jim
 