Using public Wi-Fi safely

Rich Vázquez, a fellow CISSP, has an article in the Georgetown Hutto/Taylor by way of Community Impact Newspaper entitled Ways to use public Wi-Fi safely. While generally good advice I feel compelled to, if not disagree exactly,  elaborate of some of his statements. So here goes.

The first thing to do in a public space is find the name of the network to connect to. Hackers sometimes set up similarly spelled networks, such as HavaHouse instead of JavaHouse. This is called an Evil Twin Attack. Once connected to the imitation network, hackers can get information from the computer and internet activity. It is important to verify the name of the intended network before connecting to one.

Certainly you want to verify that the wireless net is what you expect prior to connecting, but the more important issue is that the operative word in “open Wi-Fi” is open. Most open Wi-Fi nets don’t need an evil twin. They are totally amoral by definition. Open means exactly that – anyone and everyone is invited to join in the fun. Which is great if you are adequately protected. Or a grifter looking for marks.

Using anti-virus and firewall software is a front line of defense. A firewall prevents someone from finding a program on a computer that would allow them to connect and steal information. If a hacker can connect to a victim’s computer, he or she can also find a way to infect the victim’s computer with a virus and later steal private information. Many criminals collect information in large databases and work through the names over time. Some frauds are executed over many months or years, so victims may not realize their information or computer has been compromised until the criminal is ready to use it.

Actually using personal firewall software is the first line of defense. Anti-virus is the last line of defense. While I’m sure this will cause a great deal of controversy (at least I hope so – bring it!) I submit that anti-virus software is optional and a good bi-directional firewall is critical. How so? Glad you asked. The firewall should make you invisible to the outside network. Many, if not most, popular firewalls do not do this out of the box. You need to make a visit to the Gibson Research (Steve Gibson of Security Now! fame) Shields Up! site and tweak your firewall setup until you are in “stealth mode”. If you don’t do that, then even good anti-virus software – and I’m dubious that such a thing exists – will not be useful. The greatest threat posed by the open network is  information leakage, not malware infection. The risk of your PC being infected by malware that steals your information is significantly mitigated by the firewall. And once the PC is infected by such malware, if your firewall blocks egress to everything but approved processes – a feature of those good bi-directional firewalls mentioned earlier, information leakage should be prevented anyway. My point: it is a lot more effective to prevent malware infestation than to detect it after the fact. It should be noted here, that Rich makes an excellent and critical point: there is almost always a time lag between when information is stolen and when the stolen information is used. Sometimes the time lag is significant, so just because your stolen information hasn’t been exploited yet doesn’t mean it hasn’t been stolen.

File sharing is also a big risk. Many people have multiple computers in their homes and share files. If folder with family pictures or business documents is shared at home, those files will still be shared when connected in a public place and may be exposed to anyone else on the network.

Absolutely spot-on here! The average personal computer does not implement many of the file sharing protections that are available on corporate networks. Otherwise very few home users would ever be able to take advantage of file sharing. As Rich points out, whatever you share is shared with everyone on the network. The entire open Wi-Fi network. Just say no to file shares.

Not every attack is high-tech. While engrossed in email or doing taxes online, someone may be sitting nearby carefully watching for user names, passwords or other personal information. This is called shoulder surfing. Social engineering can be a series of emails, phone calls or a conversation that tricks a victim into revealing information that can be used later to bypass security. That same person who was looking over a victim’s shoulder could start a conversation and during casual chatter find out additional personal information such as birthdays, names of children and names of pets — all commonly used passwords. Without ever touching a computer, a hacker could find out e-mail providers, banking information, and answers to commonly asked security questions.

In fact most of the threats in a “coffee shop” environment (i.e. your typical open Wi-Fi hotspot) are decidedly low-tech. Fortunately the best defense is also low-tech – don’t be an idiot. One of the examples Rich uses is a perfect case in point: if you are doing your taxes online from an open Wi-Fi hotspot you are a moron and deserve to be pwned. I’m sorry but it’s true. There really is no mitigation for user stupidity. Seriously though, social engineering is by far the most effective tool black hat hackers have. There is definitely one born every minute. Don’t be the one.

The easiest way to confirm a secure connection is to check for the https, with an s at the end, on a  website to verify that it is using basic encryption for the traffic. Errors on the page could also be an indicator to watch out for. Sites using https are using SSL Certificates, which help verify the website is authentic. The information sent between visitors and the website is also encrypted, or scrambled so that someone watching the network cannot read the information.

Encryption helps protect website visitors from wireless sniffing. Tools are available for free that enable information to be tracked as it moves on the network. Attackers can watch a website vistor’s traffic and use it to find passwords or even recreate a document or file sent to someone via the internet.

Again Rich makes a very important point. Regardless of how “steathy” your PC is, it still has lots of incoming and outgoing traffic that is easily sniffed on the open Wi-Fi network. Go snag a copy of AirSnort if you want to see just how easy this is. Your traffic had better be encrypted if you don’t want it to be completely public. Having said that, encryption in and of itself is not enough. As Hugh Thompson says you can’t just “sprinkle on the magic crypto fairy dust”. For example if you’ve already been compromised by a Man-In-The-Middle attack, starting an encrypted session might simply result in a nice encrypted pipe that is available to no one but you, your bank and the attacker. Also, a site’s use of  HTTPS is no indication of the legitimacy of the site unless you actually check the validity of the SSL certificate. And very few people do that. Or even know how to do that. So back to an earlier point, don’t be an idiot. Encryption does not mitigate stupidity. Recently an entry on the Security Bloggers Network (sorry I forget who, please set me straight since I’d really like to give credit where credit is due) described a situation in a coffee shop where a business person connects to the corporate LAN (no doubt securely), starts up a remote desktop session (again no doubt securely)  and then goes to the restroom leaving the laptop unlocked and unattended for 10 minutes. Doh!

[UPDATE] The blog entry referenced earlier is from Thomas Nicholson at Nicholson Security blog entitled People will always be the weakest link in security. In addition, I referenced it earlier in this blog in an entry entitled Save us from the other people

Check out Rich’s article, he’s got some great resouces listed. Maybe we can even convince him to blog with the SBN.