Last week, the Sacramento Bee, citing concerns from the FBI, published an article about the security risks of free Wi-Fi networks. These days, free Wi-Fi hotspots abound. So what can you do to keep your personal data safe? We asked our CTO, Niels Jonker, for some words of wisdom to help understand the potential risks, and ways to stay safe when you connect to a free or unmanaged Wi-Fi network.
LOCK OUT HACKERS WITH A VPN
According to the FBI’s Sacramento office, hackers may set up fake Wi-Fi hotspots in airports with names like “Free Wi-Fi”. A user connects to this SSID thinking they are connecting to a legitimate airport-sponsored service, when in fact it’s bogus. The hackers are then able to steal passwords and other personal information.
Niels’ Words of Wisdom: “Open Wi-Fi, by its very nature, is insecure. This means that your best defense is a good offense. Make sure you’re only using SSL-encrypted services – which means logging in to https://gmail.com instead of http://gmail.com – or use a VPN to lock down all of your traffic over the wireless network. Most online service providers like Google and Yahoo! allow you to enforce SSL for all interactions with their services, which is a really, really good idea. Unfortunately, providers like Facebook and Twitter do not yet include this as an option on their websites, though their smartphone apps may include this as an option. And if you see ANY warnings about a “certificate problem” when you connect to an HTTPS website, that’s bad news. Disconnect from that site immediately. You should never use sites that give security warnings when on an open Wi-Fi network. Again, the prudent Wi-Fi user will make sure they’re connecting to the authorized Wi-Fi network, and the safest user will lock down their session with a VPN.”
In early October, a software freelancer released a Firefox plug-in that made it point-and-click simple for a layman to become a pseudo-hacker on any shared network, including open Wi-Fi networks. It doesn’t capture usernames and passwords, but it does let someone on the same network “sidejack” a user’s current session by copying the session cookie that the user’s browser sends in the clear over plain HTTP. With that cookie, the attacker can use web services such as Facebook or Twitter as that user, without ever knowing the password. Think of the mischief that might ensue: posing as that person using their account, downloading their photos, sending spam, changing the user’s password, deleting the account or worse.
ARTICLE: The Firesheep Don’t Even Look Up
Niels’ Words of Wisdom: “Again, a VPN is your best weapon to stay as secure as possible on unsecured networks. In addition, you should also be selective about the networks you connect to. For example, in the hotspots where Boingo manages the hardware, we’ve configured the network infrastructure to render Firesheep as ineffective as possible. If the website in question has done a reasonable job implementing their ‘session persistence’ cookies, you should be safe from Firesheep at our hotspots. Unfortunately, this is likely the exception rather than the rule, especially among unmanaged or free hotspots. Again, a VPN is your best weapon to ensure safety.”
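What “a reasonable job implementing session persistence cookies” looks like in practice: the added example below (not code from the original post or from Boingo) audits a site’s HTTP response headers for the two things that keep a session cookie out of a sniffer’s reach on open Wi-Fi, the Secure attribute on the session cookie and a Strict-Transport-Security header (HSTS, which the post itself does not mention). Both responses are constructed samples, not captures from any real service.

```python
import re

# Constructed sample responses as (header-name, value) pairs, not captured from a real site.
# The "weak" response is what a Firesheep-style sniffer hopes for: a session cookie that the
# browser will also send over plain http://, where anyone on the same open Wi-Fi can read it.
WEAK_RESPONSE = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Heuristic for cookie names that carry login state (assumption: adjust per site).
SESSION_NAME_HINT = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie-name, {attribute: value-or-None})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name, attrs


def audit_headers(headers):
    """Return a list of findings; an empty list means the response passes this check."""
    findings = []
    if not any(k.lower() == "strict-transport-security" for k, _ in headers):
        findings.append("no Strict-Transport-Security header: a typed http:// URL still goes out in the clear")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not SESSION_NAME_HINT.search(name):
            continue  # non-session cookies are not useful for sidejacking
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: it is sent over plain HTTP and can be sniffed on open Wi-Fi")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by injected script")
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(headers) or ["ok"])
```

Run it against a real site by pasting that site’s response headers into the list; a session cookie without Secure is exactly the gap a VPN papers over from the client side.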
DON’T CONNECT TO THE SSID: “FREE PUBLIC WI-FI”
How many times have you opened up your laptop and seen the SSID “Free Public Wi-Fi”? The network itself is almost always an ad-hoc – or computer-to-computer – network, not one with access points tied to the Internet. And while these networks are more of an annoyance than anything else, the potential for risk exists as hackers can set them up, wait for people to get connected, and then search their computer or install malware.
Niels’ Words of Wisdom: “Several years ago, I actually ran into one of these malicious ad hoc networks in an airport on the East Coast. Because I just had to see what was behind it, I connected with several monitoring tools in place, and immediately saw it start to scan my laptop. I know what I’m doing, and I wouldn’t advise that you do what I did. Your best approach here is to make sure that any network you’re connecting to isn’t an ad hoc network – especially if it broadcasts itself as a free one. Unless you’re specifically coordinating with a friend or business associate to create a computer-to-computer network to transfer files or play a game, you’d be wise to avoid ad hoc networks, since the other end is someone else’s computer, and you really didn’t want to give some random person access to everything on your hard drive, did you? You’re better off making sure that when using public Wi-Fi networks, you rely on the authorized network for the airport, coffee shop or hotel you’re sitting in. If in doubt, ask.”
Personal VPN Services (no endorsement implied):
Witopia — from $60/yr
HotspotVPN — from $109/yr
StrongVPN — from $84/yr
SurfBouncer — from $120/yr
Golden Frog VyprVPN — from $180/yr
AnchorFree — free
LogMeIn Hamachi2 — free
SecurityKiss — free