One more "sensitive info" security question

I appreciate all the suggestions I received about securing private information when using wireless internet in public places, but now I'd like your opinion about using web security programs such as JiWire SpotLock. I downloaded it because they have a free internet hotspot directory, but to use the security feature requires a monthly subscription. If I disable all folder sharing, use Windows XP and Internet Explorer with SP2, Microsoft Antispyware, and install Zone Alarm or Sygate Personal Firewall, is it necessary for me to use one of these subscription services? I'd just as soon not obligate myself to yet another monthly bill. Also - which is the better free firewall, ZA or Sygate? I've used both at one time or another and liked them both. Thanks in advance! ....Pam

-- Pam

No problem. That is what this group is all about...Helping others with Wi-Fi issues and being helped.


I'm not surprised. Wireless internet using Hot Spots is the new "Hot Thing" and businesses are maneuvering to cash in on it. It's simply business.

Just add in a dash of common sense and you have everything you need to safely surf the web in public hotspots.

Well, we now know you have common sense. (smile)

Although I've used about every software firewall available at one time or another, my personal preference is Sygate. That's not to say that Zone Alarm is not worthy because it is. I just prefer Sygate.

Thanks in advance! ....Pam

You're welcome.

-- Doug Jamal

Although the software above is nice to have, the buck really stops with the XP O/S and nowhere else in protecting the machine from attack. You should consider securing the XP O/S from attack by hardening the O/S for a machine that has a direct connection to the Internet, especially a machine using the NT-based O/S. Some things you can do are disable the MS File and Print Sharing service since I don't think you'll want to share resources with other machines, use strong passwords, disable the Everyone group account, etc., etc., along with the other things mentioned in the links.

[link]
None of the software above is going to prevent wireless eavesdropping on your airwaves. So if that software you're talking about can provide additional protection against eavesdropping on the wireless airwaves, you should use it. However, you may want to find an ISP that provides a VPN solution for their clients. They are out there too.

I'll be at a client's site in a hotel for the next six months with my XP Pro laptop on a dial-up direct connection to the Internet, and I am now hardening the O/S against attack and shutting down or closing things I don't need active on the XP O/S, and activating other solutions like IPsec, which is mentioned in the link above, implementing the AnalogX Secpol rules for IPsec to supplement the BlackIce PFW that I use. IPsec can stop inbound or outbound traffic by port, protocol, or IP behind any personal FW solution. With the machine connected to my home network, none of it is implemented.

[link]
The one thing that a 3rd party personal FW or IPsec cannot do is get to the TCP/IP connection at boot and protect the machine from the Internet like the XP FW can do; it can get to the TCP/IP at boot and protect the machine before anything else can get there. I put a short-cut for Active Ports (free) in the Startup folder so I can see all connections at the boot and logon process.

Duane :)

-- Duane Arnold

No. Their major purpose is to keep your protection up to date. You can do that yourself. It is tedious but a necessary habit. Be sure to do updates for:
1. Windows Update.
2. Office Update.
3. Spyware scanner update (I suggest Microsloth Anti-Spyware Beta 1).
4. Anti-Virus update.
5. Firewall Update.
In addition, many applications tend to have security holes. Recently, there are holes in Winamp, Acrobat, etc. These have either automatic update features or notifications that updates are available.

The real danger for laptops and wireless are sending unencrypted logins and passwords over the internet. It's easy enough to sniff for these and use them. For example, one of my customers non-cleverly used the same password on *ALL* his accounts. Someone sniffed his POP3 email login and password, figured out his eBay and Paypal ID, and tried the password. It worked. I was fortunate enough to catch it before they could do any damage but the potential was certainly there. Do NOT use a password twice. Do not send unencrypted passwords over the internet. That means use a VPN to download your mail or use encrypted webmail (i.e. Squirrel mail) to read online. The list of programs that send logins and passwords over the internet in the clear is extensive so be careful.

I like Kerio, with Zone Alarm as a tolerable 2nd best. I haven't tried Sygate for many years. No clue on it.

-- Jeff Liebermann
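The sniffing Jeff describes is trivial because POP3, FTP, IMAP LOGIN and HTTP Basic all put the login and password on the wire as readable text. The following is an added example, not code from anyone in this thread: it scans a small constructed set of captured TCP payloads (made-up hosts and the password "hunter2") for exactly those credential patterns, and then shows the second half of Jeff's story, the same captured password turning up against several different services. The last two packets simulate a client that issued STLS before logging in; after the upgrade the payload is TLS records, so the scanner recovers nothing from that connection.

```python
import binascii
import re
from base64 import b64decode

# Constructed sample capture: (src, dst, dst_port, tcp_payload). Made-up hosts
# and credentials for illustration only, not real traffic.
SAMPLE_PACKETS = [
    ("10.0.0.5", "198.51.100.10", 110, b"USER pam\r\n"),
    ("10.0.0.5", "198.51.100.10", 110, b"PASS hunter2\r\n"),
    ("10.0.0.5", "198.51.100.20", 21, b"USER pam\r\n"),
    ("10.0.0.5", "198.51.100.20", 21, b"PASS hunter2\r\n"),
    ("10.0.0.5", "198.51.100.25", 143, b"a001 LOGIN pam hunter2\r\n"),
    ("10.0.0.5", "203.0.113.7", 80,
     b"GET /mail/ HTTP/1.1\r\nHost: webmail.example\r\n"
     b"Authorization: Basic cGFtOmh1bnRlcjI=\r\n\r\n"),
    # Same client talking to a POP3 server that offers STLS: after the upgrade
    # the payload is a TLS record (ClientHello bytes), so nothing below can
    # read a credential out of it.
    ("10.0.0.5", "198.51.100.30", 110, b"STLS\r\n"),
    ("10.0.0.5", "198.51.100.30", 110, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"),
]

PORT_PROTO = {21: "FTP", 110: "POP3", 143: "IMAP", 80: "HTTP", 8080: "HTTP"}

USER_PASS = re.compile(rb"^(USER|PASS)[ \t]+(\S+)[ \t]*$", re.IGNORECASE)
IMAP_LOGIN = re.compile(rb"^\S+[ \t]+LOGIN[ \t]+(\S+)[ \t]+(\S+)[ \t]*$", re.IGNORECASE)
BASIC_AUTH = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t\r]*$",
                        re.IGNORECASE | re.MULTILINE)


def _finding(proto, src, dst, field, value):
    return {"protocol": proto, "src": src, "dst": dst, "field": field,
            "value": value.decode("latin-1")}


def scan_payload(src, dst, dport, payload):
    """Return the credentials readable in one cleartext TCP payload."""
    proto = PORT_PROTO.get(dport)
    found = []
    if proto in ("FTP", "POP3"):
        for line in re.split(rb"\r?\n", payload):
            m = USER_PASS.match(line)
            if m:
                field = "user" if m.group(1).upper() == b"USER" else "password"
                found.append(_finding(proto, src, dst, field, m.group(2)))
    elif proto == "IMAP":
        for line in re.split(rb"\r?\n", payload):
            m = IMAP_LOGIN.match(line)
            if m:
                found.append(_finding(proto, src, dst, "user", m.group(1)))
                found.append(_finding(proto, src, dst, "password", m.group(2)))
    elif proto == "HTTP":
        for m in BASIC_AUTH.finditer(payload):
            try:
                user, _, password = b64decode(m.group(1)).partition(b":")
            except (binascii.Error, ValueError):
                continue  # not valid base64, skip rather than guess
            found.append(_finding("HTTP-Basic", src, dst, "user", user))
            found.append(_finding("HTTP-Basic", src, dst, "password", password))
    return found


def scan_capture(packets):
    """Run scan_payload over every packet and collect the findings."""
    findings = []
    for src, dst, dport, payload in packets:
        findings.extend(scan_payload(src, dst, dport, payload))
    return findings


def reused_passwords(findings):
    """Map each captured password to the (protocol, host) pairs it was sent to,
    keeping only passwords seen against more than one service."""
    seen = {}
    for f in findings:
        if f["field"] == "password":
            seen.setdefault(f["value"], set()).add((f["protocol"], f["dst"]))
    return {pw: sorted(places) for pw, places in seen.items() if len(places) > 1}


if __name__ == "__main__":
    results = scan_capture(SAMPLE_PACKETS)
    for f in results:
        print(f"{f['protocol']:10} {f['src']} -> {f['dst']}  {f['field']}={f['value']}")
    for pw, places in reused_passwords(results).items():
        print("one password usable at:", places)
```

Run against a real pcap, the same matching logic applies per TCP stream rather than per packet, and Telnet needs reassembly because it sends one keystroke per segment.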

It's good advice, unfortunately human nature being what it is, it _isn't_ going to happen (at least in most cases). I finally have a system where I can use different passwords, have my computer memorize them in a secure location (well, as secure as possible), and am starting to use more passwords, but for most people it simply isn't an achievable goal. If you _do_ use different passwords, how do you remember them?

That's a little extreme (and you must have meant "e.g.", not "i.e." - there are any number of secure web mail solutions - even Hotmail encrypts the password dialog). Many people don't have access to VPNs and Web mail is no solution for someone who gets a lot of email. Most mail servers now can use TLS for secure login, and most mail clients can also. TLS is a fine alternative and if your ISP doesn't provide it ask them why not. If you don't have a clue how to set up your email to use TLS, call your ISP's support line and ask them.

I've been planning to close a security hole on my system for too long, and this has prompted me to get with the program...

I'm happy with Zone Alarm for my wife's purposes (my system is Linux with a self-configured firewall). If it's only a "tolerable 2nd best", I'll accept Jeff's recommendation of Kerio.

-- Derek Broughton

I only try to remember the ones that I use constantly. For the rest, I have my ever growing list of passwords printed on 4 pieces of paper from an Excel spreadsheet. The spreadsheet is in an encrypted filesystem on my PC and on a USB dongle. No way do I store it on my PDA or cell phone. I'm not worried about losing the encrypted spreadsheet or dongle, but the printed version is a problem. If I ever lose that, I'm toast as it also contains my customers passwords.

Which is extreme? Not reusing a password twice or using an encrypted pipe to get and send your email? I do both and have few problems.

Correct. I'll review my Latin abbreviations when I have time.

Good advice. TLS (transport layer security) is an incompatible extension of SSL. However, I still see a substantial number of ISP's that offer unencrypted POP3 logins for email. I would be gratified if they would dump these in favour of more secure solutions. Not one of the local ISP's currently offers TLS email security. A few offer VPN terminations (PPTP or IPSec). One offers nothing but POP3. If the locals are any indication of the general status, we have a long way to go. The good news is that the high volume ISP's (Yahoo, Hotmail, AOL, Earthlink) all have encryption features.

I spent much of last night interrogating a customer for the names of all her important online accounts. Her sole password was leaked (by her daughter at college borrowing her mom's email account) and was used for a small Paypal test purchase. She caught it in time and we got to spend a dull and boring evening changing ALL her passwords. In the process, we found a few online store accounts that had the attached email address changed and were in the process of having the password change confirmed. She's going to take the day off today and call or email all these vendors and try to reclaim the accounts. Also, a review of all the important financial accounts to verify that nothing has gone astray. This is about the 4th time I've personally seen such a mess precipitated by a lost common password.

-- Jeff Liebermann

Your unspecified ISP has to provide the VPN termination at their end. You'll need to contact them to see if they offer the service. You can't do it with just your end of the puzzle. They need to provide a VPN termination.

You then install a VPN client on your end, or use the Windoze supplied PPTP or IPSec client. I'm currently using the Cisco VPN client. There are also SSH, SSL, and TLS solutions.

Good.

This has VPN passthru for both IPSec and PPTP. That should work. However, I can't seem to determine how many VPN tunnels can be simultaneously passed through the router. Hopefully, it's more than one.

Sure, but there's a problem. Most VPN's will change the default route to the terminating server and block local LAN access. That's to insure that one of your other machines on your home LAN does not bridge through your computer, through the VPN tunnel, and into the network at the other end. Only your machine goes through the VPN. The result is that you're effectively disconnected from the rest of the LAN and internet while connected to the VPN. There are ways around this but it is a potential problem.

As for your question, the purpose of the VPN is to provide a secure tunnel between you and your ISP. Of course you can read your email while connected in this manner. A VPN may be overkill for just email security. It's generally used to provide a secure tunnel for access to ALL the resources at the terminating end. If I connect to my palatial office, I can see all the servers, shares, and printers from network neighborhood. That's a bit too much for just checking your email. Simply encrypting the email and passwords would be sufficient without encrypting everything.

-- Jeff Liebermann


Please explain how to do this. Current personal setup is as follows:

Windows XP PRO w/ SP2
Roadrunner (broadband) is the ISP
PC is the HP Pavilion dv4170US
Wireless Router is D-LINK DI-624 rev C (firmware v. 2.70)
Wireless card is Intel Pro 2200 BG
Wireless Config is Intel Pro/Set 9.0.2.1

Even though there are 4 PCs connected, via ethernet cable to DI-624 and 3 notebooks are connected wirelessly, I do not use Windows Internet Connection Sharing. Now, based on your comment above, is it possible to download my email messages from my ISP, via VPN, while using my wireless notebook pc? If so, how?

-- Doug Jamal

and that's the problem. It's safe (afaik :-) ) from wireless snooping, but those pieces of paper can probably be found in virtually every desk at most people's workplaces.

Sorry, should have snipped. You didn't say, "only use an encrypted pipe", though, you said VPN or Squirrel Mail, and I'm pointing out that there are simpler methods than VPN for most of us, that solve the problem of getting your email - of course, for anything else VPN is sometimes the only acceptable solution.

Completely agreed. I'm assuming they're worried about the support costs of just dumping the insecure method and forcing SSL or TLS access, but there's no reason they need to. Set up a second server, only allow secure access, change all your help files to specify how to access it instead of the insecure server, and give this to all new customers. Then advertise it to the old customers and encourage them to use it. Finally, when you have many people using the secure method and everyone's comfortable with it start pushing the Luddites off the old server.

All three of mine _offer_ TLS (i.e., both POP & IMAP servers advertise it) but my main ISP doesn't actually seem to implement it correctly - I can't get it to log in. So I just don't use it.

OK, I promise never to use the same password again :-) (Well, except the innocuous password I use for all the email lists I subscribe to - if someone is so desperate to hijack those and pretend to be me, they're welcome to it).

-- Derek Broughton
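Derek's point is that TLS on the existing POP3/IMAP port covers the mail-password problem without a VPN, and his own ISP shows the catch: a server can advertise STLS and still fail the upgrade. The added example below (mine, not from anyone in the thread; the host and login names are placeholders) is a POP3 client written the way a practitioner would want it: it uses implicit TLS on 995, otherwise requires STLS with full certificate and hostname verification, and refuses to send USER/PASS over a plaintext session under any circumstances, so a broken STLS implementation surfaces as an error instead of a silent cleartext login.

```python
import poplib
import ssl


def make_context():
    """TLS settings: verify the server's certificate chain and hostname, TLS 1.2+."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def stls_offered(capabilities):
    """True if a CAPA response (the dict poplib.POP3.capa() returns) lists STLS."""
    return any(name.upper() == "STLS" for name in capabilities)


def open_pop3(host, port=110, context=None):
    """Return a POP3 session that is already encrypted, or raise.

    Port 995 is implicit TLS (POP3S). Any other port must upgrade with STLS
    before a credential is sent; there is deliberately no plaintext fallback.
    """
    ctx = context or make_context()
    if port == 995:
        return poplib.POP3_SSL(host, port, timeout=30, context=ctx)
    conn = poplib.POP3(host, port, timeout=30)
    try:
        try:
            caps = conn.capa()
        except poplib.error_proto:
            caps = {}                            # server does not implement CAPA
        if not stls_offered(caps):
            raise RuntimeError(f"{host}:{port} does not offer STLS; refusing plaintext login")
        # Raises ssl.SSLError (bad certificate, hostname mismatch, failed handshake)
        # or poplib.error_proto (server rejects STLS) instead of continuing in the clear.
        conn.stls(context=ctx)
    except Exception:
        conn.close()
        raise
    return conn


def mailbox_summary(host, user, password, port=110):
    """Log in over TLS and return (message count, mailbox size in bytes)."""
    conn = open_pop3(host, port)
    try:
        conn.user(user)
        conn.pass_(password)
        return conn.stat()
    finally:
        conn.quit()


if __name__ == "__main__":
    # Placeholder host and login; replace with your ISP's server and account.
    count, size = mailbox_summary("pop3.example.net", "pam", "correct horse battery staple")
    print(f"{count} messages, {size} bytes")
```

If this raises ssl.SSLError for an ISP that "offers TLS", the error text usually names the real cause (expired or self-signed certificate, name mismatch), which is the detail to give the ISP's support line.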

Thanks Jeff. I really appreciate your help and advice. Take care.

-- Doug Jamal

Sure. I did some security audits a while back. On 52 desktops, I found approx 15 pieces of paper with the passwords. On 2 of them, I found the password scribbled directly onto the monitor with a pen.

As I mentioned, if I ever lose the printed password list, I'm toast. So, I have a rather crude scrambling scheme for what's printed on the sheet. At first glance, it looks like real logins and passwords, but a bit of mental shuffling is required to extract the real passwords. Easy to do in Excel with an easily tweaked formula. Anyone with some experience in codes and ciphers can figure it out in about 10 minutes, but until I find a better way to store a large number of passwords (approx 400), it's the best I can do.

Oh, right. There are other ways besides VPN and Squirrel Mail.

[link] is overkill for just email, but it does the job and fixes a few other security issues at the same time.

I guess I should mention that good old ftp and telnet have the same problem with unencrypted logins and passwords. Switch to SSH and SFTP as in WinSCP:

[link]

Not a bad deployment plan. That's roughly the way one ISP I deal with has done it. Eventually, they plan to dump the older insecure protocols. However, since I'm still using UUCP over TCP with a TLI interface and SMTP client polling, I suspect that the old junk will be around forever.

The real "problem" is that most users don't have a clue how their programs work. They don't know the risks, the mechanics, what hackers can do with a login and password, or which applications are safe to use. I don't know how to educate the users.

Also guilty. Do like I say, not like I do. I just looked at my printed list. Out of about 150 entries that are mine, 15 have identical passwords. Same issue. Mailing lists, weblogs, and worthless accounts all get the same password. OK, so I'm lazy.

Incidentally, speaking of identity theft. Many years ago, I was leaving my business cards at local computer stores, restaurants, markets, stores, and any place that might send me some repair biz. Someone grabbed a few of my cards and drifted into one of my larger customers claiming that I had sent him to "pick up" a machine or two for repair. He used my business card as proof that I had sent him. However, he was such a poor actor that the customer became suspicious and paged me. He disappeared. Perhaps I should encrypt my business cards?

-- Jeff Liebermann
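Jeff's "15 of 150 entries have identical passwords" is the audit worth automating before a leak forces it, and the evening he spent with his customer is the cost of not knowing the blast radius in advance. The added example below is mine, not from the thread; the vault rows are constructed fake accounts. It groups a password list by shared password, answers "if the password captured at site X leaks, where else does it work?", and replaces every reused password with a fresh one from the OS CSPRNG.

```python
import secrets
import string
from collections import defaultdict

# Constructed vault rows (site, login, password); fake accounts for illustration.
VAULT = [
    ("pop3.isp.example", "pam", "Tr0ub4dor&3"),
    ("ebay.example", "pam_w", "Tr0ub4dor&3"),
    ("paypal.example", "pam@isp.example", "Tr0ub4dor&3"),
    ("bank.example", "pam", "x9!Qf2#pLm7@Rz"),
    ("list1.example", "pam", "listpass"),
    ("list2.example", "pam", "listpass"),
    ("blog.example", "pam", "listpass"),
]

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-./:=?@_"


def reuse_groups(vault):
    """Groups of sites that share one password, largest group first.
    Only site names are returned, never the password itself."""
    by_password = defaultdict(list)
    for site, _login, password in vault:
        by_password[password].append(site)
    groups = [sorted(sites) for sites in by_password.values() if len(sites) > 1]
    return sorted(groups, key=len, reverse=True)


def blast_radius(vault, site):
    """Other sites an attacker can log into with the password captured at `site`."""
    passwords = {pw for s, _, pw in vault if s == site}
    return sorted(s for s, _, pw in vault if s != site and pw in passwords)


def new_password(length=20):
    """Random password from secrets (CSPRNG); rejection-sample until it has
    lower, upper and digit characters so no site's policy bounces it."""
    if length < 12:
        raise ValueError("length must be at least 12")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def rotate_reused(vault):
    """Return a copy of the vault where every account in a reuse group gets its
    own fresh password; unique passwords are left alone."""
    counts = defaultdict(int)
    for _, _, pw in vault:
        counts[pw] += 1
    return [(site, login, new_password() if counts[pw] > 1 else pw)
            for site, login, pw in vault]


if __name__ == "__main__":
    for group in reuse_groups(VAULT):
        print(f"{len(group)} sites share one password: {', '.join(group)}")
    print("if pop3.isp.example leaks, also try:", blast_radius(VAULT, "pop3.isp.example"))
    rotated = rotate_reused(VAULT)
    print("reuse groups after rotation:", reuse_groups(rotated))
```

The mailing-list accounts come out as a reuse group too; whether that one is acceptable is exactly the judgement call Jeff and Derek make above, and the report at least makes it an explicit one.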

Yeah, I do some tech support for a university, which only recently closed telnet and ftp access and forced users to use ssh and scp. Now 90% of the calls are about why they can't get into telnet & ftp.

LOL. That's only funny because it had a happy ending :-)

-- Derek Broughton
