Just how big a threat does public WiFi pose to your security?

By Steven Rosenberg on May 23, 2008 12:00 PM | | Comments (0) |

Rick Coca of the Daily News had a story on the cover today concerning an FBI warning about hackers who set up their own WiFi router with the same SSID name as the public WiFi router you wish to connect to, with the purpose being to steal vital passwords and other information during your wireless Internet session.

While the article was short and didn't go very deep into the security issues surrounding WiFi and Internet networking in general, and laptop computers in particular, users of WiFi in general and public WiFi in particular need to be aware of what they should and shouldn't do.

The article did say that it's a good idea to have your computer configured to CHOOSE the WiFi router to which you wish to connect, because the consequences could be, for lack of a better word, bad:

Once in, a hacker can steal passwords and credit-card information and install viruses, worms and other malware — malicious software — on a computer that can spread to other systems you run.
...
(FBI cybercrimes supervisor Bryan) Duchene recommends that Wi-Fi users change their settings so they have to manually input the Service Set Identifier (SSID) they want to log on to.

While free-access seekers spawned the "wardriving" phenomenon — Wi-Fi users drove around with GPS systems and Wi-Fi-seeking laptops, marking locations of unsecured, free Wi-Fi sites — that practice eventually piqued the interest of criminals, Duchene said.

While WiFi does increase the risk of "bad" things happening, and the lack of encryption on almost all public WiFi connections doesn't help matters, I'm pretty confident in saying that if you are entering logins, passwords and other "sensitive" information over a secure connection — one with https:// in the Web address instead of just plain http:// — you are pretty safe, even over public WiFi.

But in cases where your login or password is NOT sent via a secure, encrypted connection, or for regular Web browsing on non-secure connection, it's quite possible that others can see what you're doing on the Internet.

That may bother you, or it may not.

But especially when it comes to e-mail, make sure you are using a secure, encrypted connection, either through a Web-browser interface, or via the settings in your e-mail client, be it Microsoft Outlook, Mozilla Thunderbird, the Apple Mail program or whatever else you're running.

The worst thing you can do is send sensitive information -- or any personal or private information -- via unencrypted e-mail over an unencrypted WiFi connection. That's just too much of a risk.

I've often said that I wish all Internet traffic — e-mail, Web browsing, file transfers, etc. — took place over secure connections. I think we're headed in that direction.

So here's my quick guide on what to do and not do over a public WiFi connection:

E-mail: Only read and send e-mail via a secure encrypted connection. That means if you're using a Web interface, make sure the ENTIRE session, from login and password to composing and sending the e-mail and logging out -- takes place in a secure environment with the https:// in the address box.

For Gmail, you can choose a secure connection with https://gmail.com ... BUT the last time I read about it, your Google login and password is stored as a cookie on your computer for easy access, and it can be easily stolen over a public WiFi connection.

For Yahoo! Mail, your login and password is entered in a secure environment, but the rest of your e-mail session is unencrypted, so don't use Yahoo! Mail over a public WiFi connection.

If you have an office-provided e-mail service via a Web browser, look for the https:// instead of http:// and ask your system administrator about whether your connection is secure the whole way through.

If you use an e-mail client like Outlook or Thunderbird, make sure your e-mail server allows secure connections -- and make sure your client software is set up properly to use it.

There are e-mail services that offer more security. For the extremely paranoid, there's HushMail, but my favorite is Fastmail.fm. Just make sure you use the secure version. I'll also put in a plug for my ISP, DSL Extreme, which offers Web-accessible e-mail in a completely secure session.

Antivirus, antispyware, firewall protection: Whatever you do, and especially if you're using Microsoft Windows, make sure you have up-to-date antivirus and firewall programs. This excellent though aging Washington Post page has links to many vendors of these programs, some of which are available free. For the PC, I prefer Avast. Avast also runs on Linux, although with that operating system you're only likely to pass along a virus, because almost all malicious code is aimed at Windows computers, which are much easier targets.

Web: For Web browsing, if you are on an unsecured connection, it's easy for snoops to figure out the URLs of the Web pages you're visiting. And from there those snoops can see what's on those pages, too.

While it's not conducive to privacy, this might not be a problem, depending on where you're browsing.

But ... if you're entering any logins, passwords or other sensitive information, make sure you're on a secure connection before beginning. AND make sure your computer is NOT set up for file sharing.

To be more clear, if your computer is free of malicious software -- key-loggers that record every keystroke, spyware, etc. -- an encrypted connection should give you enough security over WiFi.

IM is a problem: Most instant-messaging traffic is unencrypted, so don't IM anything you don't want others to potentially see. The last time I checked, Yahoo! Instant Messenger, AOL's AIM and Microsoft's MSN Messenger are all unencrypted.

And do yourself a favor: NEVER, EVER, EVER NEVER, install any kind of software from an untrusted source, over WiFi or a wired Internet connection. That's when the bad stuff happens -- when malicious software makes its way onto your computer. It's easier by orders of magnitude to attack from the inside than from the outside.

WiFi at home and work: Wireless routers that you control at your home or workplace can be set up for encrypted connections only. Don't use WEP encryption because it can be easily cracked. Instead, use WPA or WPA2, which are much, much more secure and robust.

And like it says in the Daily News article, make sure you change the SSID name of your router to something other than the default (usually something like Linksys, Netgear, or the name of whatever company made the router), and also make sure you have your computers set to only connect with YOUR router.

For more on this subject, here are a few links:

Categories:

Tags:

Leave a comment

Tech Talk column

Steven Rosenberg's weekly Tech Talk column, which appears Saturdays in the Los Angeles Daily News, is now available on the Daily News Technology page.

About this blog

New ways to sign in to comment: I just added the ability for prospective commenters on this blog to sign in using their AOL, Yahoo! and Wordpress.com accounts (for the past 200 posts anyway ... more than that will take an extensive, middle-of-the-night rebuild). That's in addition to the other sign-in choices, which include starting a Movable Type account on this blog, Typekey, OpenID, Live Journal and Vox. If you have trouble getting your Movable Type account verified, or any of the other sign-in options are not working properly, please e-mail me. With these added ways of signing in, there's more reason than ever for you to make a comment (or several!).



Steven Rosenberg aims to learn what he does not know. He writes about it here.


About this Entry

This page contains a single entry by Steven Rosenberg published on May 23, 2008 12:00 PM.

OpenSolaris 2008.05 strikes out again was the previous entry in this blog.

WordPress may be winning the war, but Movable Type is getting back into the game is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.

Recent Comments

Powered by Movable Type 4.25

Search

LXer

Links

Daily News technology
LXer
Distrowatch
Linus' Blog
David Pogue
BoingBoing
Linux Today
TuxRadar
Linux.com
Linux Planet
The Open Road
Linux Outlaws podcast
Dan Lynch
Fabian Scherschel
The VAR Guy
Larry the Free Software Guy
Chess Griffin
Linux Reality podcast
Desktop Linux
Practical Technology
Linux Devices
ZDNet
ZDNet U.K.
iTWire
CNet News
TechCrunch
The Register
Ars Technica
Reg Developer
Computerworld
Computerworld blogs
Steven J. Vaughan-Nichols at Computerworld
Debian
Planet Debian
Debian Forums
Debian News
debianHELP
debiantutorials.org
The Debian User
Wolfgang Lonien
Debian-News.net
Debian Administration
Debian Admin
Debian Weather
Ubuntu
Xubuntu
Kubuntu
Edubuntu
Gobuntu
Planet Ubuntu
Ubuntu Forums
Ubuntu Geek
Works With U
Dustin Kirkland
Ubuntu UK Podcast
Popey
gNewSense
CrunchBang Linux
OpenBSD
OpenBSD Journal
OpenBSD Ports
OpenBSD 101
Planet.OpenBSD.nu
jggimi's OpenBSD live CD
DaemonForums
BSDanywhere
Marc Balmer
Denny's OpenBSD blog
Polarwave's OpenBSD Tips and Tricks
Binary Updates for OpenBSD
Puppy Linux
Damn Small Linux
Tiny Core Linux
PCLinuxOS
Mandriva
Red Hat
Red Hat News
Red Hat Blogs
Red Hat: Truth Happens
Red Hat Magazine
CentOS
Planet CentOS
Fedora
Slackware
Slackbuilds
Robby's Slackware Packages
Slackblogs
dropline GNOME for Slackware
GNOME Slackbuild
GWARE - GNOME for Slackware
Wolvix
Zenwalk Linux
Vector Linux
Slax
Splack Linux — Slackware for Sparc
Nonux
How to Forge
marc.info BSD and Linux mailing list archive
FreeBSD
FreeBSD, the Unknown Giant
A Year in the Life of a BSD Guru
NetBSD
PC-BSD
DesktopBSD
DragonFlyBSD
DragonFlyBSD Digest
DesktopBSD
BSD Talk podcast
OpenSolaris
MilaX
BeleniX
DeLi Linux
Linux Loop
Electronista
Engadget
Gizmodo

Advertisement

Other blogs

Johnson Update in Inside USC with Scott Wolf
Has Bynum outgrown Kareem? in Inside the Lakers
Can the Angels just get to the end of this thing without an injury? in Farther Off the Wall
Neuheisel On: in Inside UCLA with Jon Gold
U.S. Roster for Final Two WCQ Announced in 100 Percent Soccer