Laptop in an Internet cafe.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,879
In another thread, I was asked about the computer security setup suitable for use in Internet cafes.
The laptop in the Internet cafe is more vulnerable than at home (router with NAT). There are two main dangers:
  1. Man-In-The-Middle (MITM) attacks.
  2. Exploitation of vulnerable network protocols and services exposed via open ports.
If the laptop is unpatched, the attacker can sign into the Wi-Fi network in the cafe and use popular penetration testing tools to exploit it pretty quickly. Protecting unpatched laptops is challenging and warrants a discussion in its own right.

Fortunately, Windows 10+ performs system updates automatically. Furthermore, Microsoft quickly patches system vulnerabilities, before new exploits are added to popular penetration testing tools. So, the default setup of Windows 10+ mainly covers the danger from point 2.

We are left with MITM attacks.
What Is a Man-in-the-Middle (MITM) Attack? | IBM

MITM attacks can be used for:
  1. Malvertising.
  2. Spying, phishing, identity theft, etc.
Cautious users can follow some healthy habits to avoid most problems:
What is a MITM Attack? Definition, Prevention & Examples - IT Governance Blog En

In the case of Malvertising, the user can improve protection by applying Application Control solutions and file reputation lookup.

Some other types of MITM attacks can be prevented by forcing HTTPS/TLS connections, end-to-end encryption, password manager and strong passwords, multi-factor (or passwordless) authentication, etc.
The impact of MITM attacks can be reduced by using NextDNS or a similar DNS resolver.

The simplest and still effective setup suitable for use in Internet cafes:
  1. Windows 11 built-in protection on Standard User Account. This account is reserved only for use in the cafe.
  2. Enabled Smart App Control.
  3. Enabled Core Isolation.
  4. Edge with enabled security options.
  5. NextDNS.
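A read-only posture check for the setup listed above (an added example, not a script from the thread or from Hard_Configurator; it assumes Windows 11 and checks items 1 to 3 plus the Public firewall profile, while the Edge options and NextDNS are not checked here):

```powershell
# Added example (not from the thread): verifies the OP's cafe setup without
# changing anything. Run it from the account reserved for the cafe.
function Test-CafeSetup {
    $result = [ordered]@{}

    # 1. Standard User Account: the current session must not hold admin rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    $result['StandardUser'] = -not $isAdmin

    # 2. Smart App Control: VerifiedAndReputablePolicyState 1 = On, 2 = Evaluation, 0 = Off.
    $ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' -ErrorAction SilentlyContinue
    $result['SmartAppControl'] = ($ci.VerifiedAndReputablePolicyState -eq 1)

    # 3. Core Isolation (memory integrity / HVCI): service id 2 must be running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $result['CoreIsolation'] = ($dg.SecurityServicesRunning -contains 2)

    # 4. Firewall: Public profile on, inbound blocked by default.
    $pub = Get-NetFirewallProfile -Name Public
    $result['PublicFirewall'] = ($pub.Enabled -eq 'True' -and $pub.DefaultInboundAction -eq 'Block')

    # 5. Every active network is treated as Public, so discovery/sharing rules stay off.
    $notPublic = Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -ne 'Public' }
    $result['NetworkIsPublic'] = -not $notPublic

    foreach ($k in $result.Keys) {
        if ($result[$k]) { Write-Host "OK    $k" } else { Write-Warning "CHECK $k" }
    }
    return $result
}

Test-CafeSetup | Out-Null
```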

Bot

AI-powered Bot
Apr 21, 2016
4,839
Great post! You've covered the main security concerns associated with using a laptop in an Internet cafe. I agree, the built-in protections of Windows 11, along with Smart App Control, Core Isolation, and Edge security options, can provide a decent level of protection. Using a service like NextDNS can also help mitigate the risk of MITM attacks. Always remember to stay updated and practice good online habits.

Andy Ful

@Victor M,

Here is my answer to your question in another thread about the computer security setup suitable for use in Internet cafes:

  1. Windows 10 or 11 built-in protection on Standard User Account (SUA).
  2. WHHLight package. WDAC in WHHLight can be configured with Two Accounts Setup.
    Highly restricted SUA is reserved for use in the cafe.
  3. Enabled Core Isolation.
  4. Edge with enabled security options.
  5. NextDNS.

Jonny Quest

Level 24
Verified
Top Poster
Well-known
Mar 2, 2023
1,309
@Andy Ful is number 5 a better option or replacement than using a VPN? I've just always used my AV's web browser and antiphishing protection for my online surfing and searches, I've never routinely used a DNS server like NextDNS, Quad9 etc.

Am I trusting too much on my AV's (and Chrome and Brave's) online protection and using a VPN when connected to a public Wi-Fi?

edit:sp

Andy Ful

I would add 6. Firewall: blocking TCP port 80 and UDP port 53 can improve security significantly. A lot of malware is still hosted on HTTP, and DNS poisoning is considerable on a public WiFi.

Hardening the Firewall and closing unused services are always the options to consider. :)
However (if I recall correctly), NextDNS prevents DNS cache poisoning.

Andy Ful

@Andy Ful is number 5 a better option or replacement than using a VPN? I've just always used my AV's web browser and antiphishing protection for my online surfing and searches, I've never routinely used a DNS server like NextDNS, Quad9 etc.

Am I trusting too much on my AV's (and Chrome and Brave's) online protection and using a VPN when connected to a public Wi-Fi?

edit:sp

I am not sure.
A good VPN with content filtering can probably better prevent MITM attacks, but it introduces some vulnerabilities that can be exploited by the attackers.
 

Andy Ful

Hardening the Firewall and closing unused services are always the options to consider. :)
However (if I recall correctly), NextDNS prevents DNS cache poisoning.
I am not sure if DOH in NextDNS can be exploited as in Firefox (a few years ago):
https://www.diva-portal.org/smash/get/diva2:1451732/FULLTEXT01.pdf

Advantages of DNS Over HTTPS (DoH)

  1. Improved Privacy and Security: The primary advantage of DoH is the encryption of DNS queries, which protects users from eavesdropping. Since the DNS request is encrypted, attackers cannot easily monitor or track the websites you visit. This reduces the risk of man-in-the-middle (MITM) attacks, where attackers could intercept and tamper with DNS queries.
  2. Prevents DNS Spoofing and Poisoning: Traditional DNS is susceptible to attacks like DNS spoofing (or cache poisoning), where attackers can manipulate DNS records to redirect traffic to malicious websites. DoH uses HTTPS, which includes a certificate validation process, making it harder for attackers to inject false DNS records.
  3. Bypass Network Restrictions: In some regions or networks, DNS requests can be monitored or blocked to prevent access to certain websites. Since DoH uses the HTTPS protocol, which is commonly allowed and not easily blocked by firewalls, users can bypass network restrictions and access content that might otherwise be censored.
  4. Hiding DNS Queries from ISPs: ISPs typically monitor DNS queries to gather data about their users’ browsing habits. By using DoH, users can prevent ISPs from seeing the domains they are querying, providing greater privacy. It also limits the amount of data that ISPs can use for targeted advertising or surveillance purposes.
  5. Faster DNS Resolution: In some cases, DoH can offer better DNS performance by providing faster resolution times. By using servers optimized for DoH, some users may experience quicker load times for websites, particularly if the DNS servers are closer or more reliable than the default ISP DNS.

How to Enable DNS Over HTTPS

Enabling DoH is relatively simple for most users, particularly those using modern browsers or operating systems. Here’s how you can get started:

For Browsers
Google Chrome, Mozilla Firefox, and Microsoft Edge all support DoH natively. To enable DoH:
  • Google Chrome: Go to chrome://settings/security, and enable “Use secure DNS.”
  • Mozilla Firefox: Go to Options > General > Network Settings, and enable “DNS over HTTPS.”
  • Microsoft Edge: Go to Settings > Privacy, Search, and Services, and turn on DoH under the “Security” section.

For Operating Systems

  • On Windows, macOS, and Linux, DoH can be enabled at the system level. Users can configure their system’s DNS settings to point to a DoH-compatible resolver like Google’s 8.8.8.8, with DoH enabled.

Victor M

Level 16
Verified
Top Poster
Well-known
Oct 3, 2022
799
I believe a good set of firewall rules is required like TairikuOkami says. Especially because at a cafe we are dealing with attackers in the same LAN. Do you remember, for example, that you have a simple 5 character password for your folder shares? Or that you have Remote Desktop turned on for convenience? All that Trust is no longer there when you are at a cafe. You no longer have a NAT modem+router perimeter defense like when you are at home. So you need to have very strict firewall rules.
An alternative compensating control would be to use your cell phone's hotspot.

TairikuOkami

Level 38
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,752
However (if I recall correctly), NextDNS prevents DNS cache poisoning.
I guess, if you do not use Cache Boost, Windows still uses it. Sadly, the DNS Cache service in Windows cannot be disabled, since Windows DoH/DoT relies on it.
Chromium browsers also try to use the blocked insecure DNS when DoH/DoT is set, causing a 5 secs delay every 5 min, and MS does not even acknowledge it.
 

Marko :)

Level 25
Verified
Top Poster
Well-known
Aug 12, 2015
1,407
There's one free solution for those connecting to public Wi-Fi networks—Cloudflare WARP. Free, unlimited VPN that encrypts all your traffic. It also by default uses 1.1.1.1 DNS over the secure WARP protocol (can be set to DoH or DoT in the settings of the app). Now you just need to install an ad blocker in your browser and you're ready to go.

Firewall in Windows is by default set up correctly, just make sure the network you're connecting to is marked as public in the network settings, so firewall rules for public networks would apply to it.
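One way to apply the two points raised above, Andy Ful's outbound block of TCP 80 and UDP 53 and the check that the cafe network is in the Public profile (an added example, not code from the thread or from Hard_Configurator; the rule names are my own, it needs an elevated PowerShell on Windows 10/11, and the "anti-tweak" switch removes the rules again):

```powershell
# Added example (not from the thread): cafe firewall tweak with its revert.
param([switch]$Revert)

$rules = @(
    @{ Name = 'Cafe-Block-HTTP';     Protocol = 'TCP'; Port = 80 },
    @{ Name = 'Cafe-Block-PlainDNS'; Protocol = 'UDP'; Port = 53 }
)

if ($Revert) {
    # The anti-tweak: delete the rules so Windows returns to its defaults.
    foreach ($r in $rules) {
        Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule
    }
    Write-Host 'Cafe firewall rules removed.'
    return
}

# 1. Every active network must be Public, so the Public-profile rules
#    (Network Discovery and File and Printer Sharing off) apply on the cafe LAN.
foreach ($p in Get-NetConnectionProfile) {
    if ($p.NetworkCategory -ne 'Public') {
        Write-Warning "$($p.InterfaceAlias) is '$($p.NetworkCategory)'; switching to Public."
        Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Public
    }
}

# 2. Blocking UDP 53 only makes sense if Windows can reach the configured
#    resolvers over DoH, i.e. each resolver address has a DoH template registered.
$dohKnown   = (Get-DnsClientDohServerAddress).ServerAddress
$configured = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
$noDoh      = $configured | Where-Object { $_ -and ($dohKnown -notcontains $_) }
if ($noDoh) {
    Write-Warning "Resolvers without a DoH template: $($noDoh -join ', '); blocking UDP 53 will break them."
}

# 3. Outbound block rules scoped to the Public profile only, so nothing
#    changes when the laptop is back on the home (Private) network.
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Block `
            -Protocol $r.Protocol -RemotePort $r.Port -Profile Public | Out-Null
    }
}

# 4. Show what is now in force.
Get-NetFirewallRule -DisplayName 'Cafe-Block-*' |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```

A browser whose DoH resolver is given as a hostname URL still needs one plain lookup to find the resolver's IP, so with UDP 53 blocked it can stall the way TairikuOkami describes further down; configuring the resolver by IP address avoids that.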

SeriousHoax

Level 50
Verified
Top Poster
Well-known
Mar 16, 2019
3,965
I guess, if you do not use Cache Boost, Windows still uses it. Sadly, the DNS Cache service in Windows cannot be disabled, since Windows DoH/DoT relies on it.
Chromium browsers also try to use the blocked insecure DNS when DoH/DoT is set, causing a 5 secs delay every 5 min, and MS does not even acknowledge it.
From what I’ve learned, it probably happens because, even when using a DoH address, your device or application still needs to determine the IP address associated with that DoH server. For example, it must know that 'https://dns.adguard-dns.com/dns-query' resolves to IPs 94.140.14.14 and 94.140.15.15 before using that for DoH.
This is why the initial process of locating and connecting to the DoH/DoT server may require an unencrypted, plain DNS query.
 

TairikuOkami

From what I’ve learned, it probably happens because, even when using a DoH address, your device or application still needs to determine the IP address associated with that DoH server.
Yes, that makes sense, Chromium devs should really fix it. I have DNR in Windows disabled and Firefox based browsers do not have such an issue, they most likely use Windows DNS instead.
 

Andy Ful

I guess, if you do not use Cache Boost, Windows still uses it. Sadly, the DNS Cache service in Windows cannot be disabled, since Windows DoH/DoT relies on it.
Chromium browsers also try to use the blocked insecure DNS when DoH/DoT is set, causing a 5 secs delay every 5 min, and MS does not even acknowledge it.

Did you test this with NextDNS?

Those connections do not decrease your security.

Andy Ful

I believe a good set of firewall rules is required like TairikuOkami says. Especially because at a cafe we are dealing with attackers in the same LAN. Do you remember, for example, that you have a simple 5 character password for your folder shares? Or that you have Remote Desktop turned on for convenience? All that Trust is no longer there when you are at a cafe. You no longer have a NAT modem+router perimeter defense like when you are at home. So you need to have very strict firewall rules.
An alternative compensating control would be to use your cell phone's hotspot.

Even without additional Firewall rules, you are safe against most cafe hackers. If I recall correctly, the Firewall profile in the cafe will be Public (Network Discovery, File, and Printer Sharing are turned OFF), so Remote Desktop connections and Admin shares are blocked. Of course, when you are in an Internet cafe, it is recommended to use "a password manager and strong passwords, multi-factor (or passwordless) authentication, etc.":

As in the case of any security, it can be slightly improved by advanced users at the cost of usability. :)
 

Andy Ful

I should warn the readers.

Except for the setup in the OP, there will be some recommendations related to system tweaks. Most of those tweaks can sometimes cause problems and reduce the usability of the applied setup. Please, do not apply tweaks without creating/saving/remembering anti-tweaks that can revert to the Windows default settings.(y)
 

Andy Ful

I am not sure.
A good VPN with content filtering can probably better prevent MITM attacks, but it introduces some vulnerabilities that can be exploited by the attackers.

VPN penetration testing:

Exploiting VPNs:

However, I do not know how this can be related to Internet cafes.

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,344
VPN penetration testing:

Exploiting VPNs:

Interesting, but it doesn't seem to be a problem for domestic, commercial VPNs.

About the thread; you should never use an unsafe/unknown DNS resolver, that's why something like a properly configured NextDNS, OpenDNS services and so on are crucial for security, imo it's the priority to avoid problems.

HTTPS connections nowadays are almost everywhere, you can even block insecure HTTP connections globally in the browser itself, so I don't think it is a problem for now (in the past it was a nightmare, that's why the HTTPS Everywhere extension was a thing).

Good advice my friend.

Source: HTTPS Everywhere

Victor M

Even without additional Firewall rules, you are safe against most cafe hackers. If I recall correctly, the Firewall profile in the cafe will be Public (Network Discovery, File, and Printer Sharing are turned OFF), so Remote Desktop connections and Admin shares are blocked.
Thanks for pointing that out. Forgot the basics a long time ago, because I have never set my firewall network profile to Private. I just know to open the ports I need when absolutely necessary. And Windows doesn't prompt you to choose the network profile upon install finish anymore.

By the way, there are enabled firewall rules for Network Discovery in the public profile. And SSDP is active, doesn't seem to matter whether you are using the public profile. I guess discovery type of things don't matter much if it doesn't automatically connect. Maybe they don't reach out and touch someone, but what if an attacker touches you? Are those things secure: have authentication, and have strong input validation? I have learned the lesson ( from god knows where) that any sort of input is potentially abuse-able.