Last week, we looked at Wi-Fi, AKA, “Wireless Fidelity.” We learned that it is synonymous with wireless networking, and I showed you how to set up a secure, encrypted wireless network of your own.
Secure wireless networks are great, but what about when you want to use your laptop at IHOP, Burger King or the local library? Those networks are free for anyone to use, but are they secure? Are they safe?
The answer is a great, big, loud ,”No!” If you are using a free or “open” Wi-Fi network, one that does not require a password or “key,” then you are using an unencrypted, insecure network. Such networks should be treated as hostile and dangerous.
Open networks like these may be fine for general website surfing, but that’s about it. Without the proper measures in place, I sure as heck wouldn’t check my bank account on an unsecured network. I wouldn’t check my email, either. I wouldn’t even login to Facebook.
There are many reasons for being so cautious around open networks. The first reason should be easy to see. Open networks are, by definition, insecure, as opposed to the encrypted network I taught you about last week. That means all the information you send across the network, everything you type, every email you send, every password you enter can be intercepted by a skilled bad guy and stolen from you.
What do we do about this situation? The easiest solution is the most obvious: don’t visit any website that requires you to login. That means no email, no banking, no online bill-paying, no Twittering, no Facebooking, no online shopping, etc. In essence, no doing the things you really want to do.
There are a few ways to alleviate some of these concerns, such as observing the “s+lock” rule that I have written about previously (read my column titled, “Batten down the hatches with encryption, Part One,” 5-24-09, found on my website). Another partial solution is using SSL (Secure Socket Layer) with email programs like Outlook (read my column titled, “Busted by Defcon’s Wall of Sheep,” 8-17-08, found on my website).
These measures, s+lock and SSL, will not protect you, though, from the nastiest of the open wireless network problems: the “Man-in-the-Middle Attack.”
The Man-in-the-Middle Attack works sort of the way it sounds: there is a man (or, bad-guy woman) in the middle, between your computer and the network you think you’re connected to. The bad person in the middle makes this work in a very simple way: they trick you into logging on to the wrong network. By using their laptops to covertly set up their own, bogus hotspot network in the same physical location as a legitimate network, and tricking you into connecting to it, they can intercept and compromise everything you do, no matter how secure you think you are.
For example, our local library has an open, free, unsecured wireless network for everyone to use. To use it, you simply look at the list of available networks that you are in range of and connect to the one named “library.” No passwords required, no fuss, no muss. But, what if you also saw a network named “library2,” or, “Library Free Wireless,” or just, “Free Wi-Fi?” What if you connected to one of those networks, instead of the library’s real network, which is named “library?”
You could be in big trouble, that’s what. Those other networks could have been setup by a crook lying in wait to make you their next victim. This sort of deception happens all the time around libraries, schools, restaurants, bookstores and hotels. I see it all the time in airports, too. There’s not much that can be done to stop it, either. What are you going to do, go around demanding to look at every laptop within a thousand yards to see who might be running a phony network? I think not.
Next week, we will look at the solution to unsecure wireless networks in, “To Wi-Fi, or not to Wi-Fi, Part 3.”