Public hotspots pose security pitfalls

Picture this: You’re at a café with your laptop and latte in hand, getting ready to review new sales leads and the quarterly financial projections. First you hop on the free Wi-Fi that the shop’s management provides. Then you connect your laptop to a projector so that the entire café can take a look, and finally you hand out some printed copies of your confidential product specifications to the other patrons so that they can follow along.

That may sound ridiculous, but if you’re using public-access Wi-Fi without taking the proper precautions, you might as well be asking your coffee compatriots to partake in confidential company information.

Today, most tech users know how (and why) to secure their home wireless routers. Windows 7 and Vista now pop up a dialog box to warn you when you’re connecting to unencrypted wireless networks.

They built in privacy…so can you

Cyber attacks target sensitive data and specific individuals

Free broadband works wonders at Fredericton and Moncton

No WiFi? No worries – transform your iPhone into a wireless modem

In a coffee shop, an airport lounge, or a library, however, people frequently connect without thinking twice–and though using an unencrypted connection to check a baseball score or a flight status might be acceptable, reading e-mail or performing any Web activity that requires a login is akin to using your speakerphone in the middle of a crowd.

So why don’t all businesses encrypt their Wi-Fi networks? The answer lies in the difficult key distribution system in the IEEE 802.11 design specification: To encrypt traffic, the network owner or manager needs to select a password, also known as a “network key.” The arrangement requires one password per network, shared among all users whether the owner has selected the less secure, outdated WEP or the more secure WPA or WPA2.

At home, all you have to do is set it up once, tell your family the password, and surf worry-free from a poolside lounge chair. In a coffee shop, the barista would have to tell each patron the password (or the 26-character hexadecimal WEP key) and perhaps even troubleshoot their connection–definitely not a chore that your typical java slinger would relish. In that situation, nothing beats a blank password for ease of use.

Even if the network is encrypted, however, you’re still not completely safe. Once your computer knows the password, your communication is safe only from people who aren’t on the network; all the other diners in the café can see your traffic because they are using the same password.

But what if you think that your data isn’t important enough for someone to snoop on? Perhaps you’re just browsing Websites, not logging in to any e-mail systems or Web applications that require passwords. You should be safe then, right? Not necessarily.

Imagine you’re on airport Wi-Fi while you’re returning from an industry trade show. Instead of checking the hundreds of e-mail messages waiting for you (unlikely, right?), you decide to browse your competitors’ Websites, looking for ideas. Or maybe you elect to research potential acquisition targets.

In the background, however, your e-mail client detects an Internet connection and starts to download your e-mail. A colleague back at headquarters sees your instant-messenger status change to ‘online’ and sends you a panicked plea: “Huge problem @ factory. Possible recall. Call Bob ASAP!”

Armed with nothing more than wireless packet analyzer software, a fellow conference attendee in the same seating area may be able to glean competitive intelligence based solely on the Websites that you visit and your (probably unencrypted) instant messages–not to mention the personal e-mail from the recruiter indicating you’re ready to jump ship, or the notes reflecting your relationship problems with your significant other. In short, the “other guy” is reading your messages before you are, and you didn’t even do anything.

First, to combat mail snoops, use a Webmail system with HTTPS for the whole session. Almost all Webmail systems use HTTPS when asking you to log in, so your password is transmitted securely. However, after authentication, they usually switch back to HTTP because it reduces the computational strain on their servers and makes serving advertisements easier.

That means that everyone who is on the same wireless network (either unencrypted or with a shared password) can read the content of your e-mail. In some cases, a person can steal your session cookie and log in to your Webmail session without your password. (That is, until you click the ‘Logout’ link–which you do every time, right?)

Two very notable exceptions are Gmail and your corporate e-mail system (such as Outlook Web Access). Earlier this year, Gmail switched from the common practice of using HTTPS just for logins to using HTTPS throughout the entire Webmail session.

Google Apps users were previously able to opt in to this feature, but it is now the default with the ability to opt out (if you hate security). This change, combined with Google’s new suspicious-login detection algorithms, make Gmail a standout among free Webmail providers. If you were looking for a reason to switch from your AOL, Hotmail, or Yahoo account, you’ve found it.

Your company’s Webmail system is also likely protected by HTTPS at all times, because that is the default configuration for most systems. However, if you check your work messages using local software (Outlook, Thunderbird, Mac OS X’s Mail) instead of HTTPS Web-based e-mail, you may or may not be using encryption.

While researching this article, I found a common misconception among travelers and coffee enthusiasts–namely, the idea that commercial hotspots that require pay-per-hour or monthly subscription fees (AT&T, Boingo, GoGo, T-Mobile) are more secure than their free counterparts because a payment and a password are involved.

In fact, these hotspots are almost always unencrypted, and they employ what is called a “captive Web portal” only to prevent access to the Internet until you enter a payment method (or subscriber password). Though this “gateway” Web portal is usually delivered over HTTPS (to protect the credit card information or the password), once authenticated all the traffic is unencrypted on the wireless network.

As a result, your $10 monthly fee gives you access but not security. In fact, due to the nature of radio frequency transmissions, another person–even if they aren’t a subscriber–can still view any unencrypted traffic that you send, just by joining the same SSID wireless network.

This means that outsiders can easily observe and capture any regular HTTP Websites you visit, any unencrypted POP3 e-mail you access, and any FTP transfers you make. Talented hackers can even modify their wireless card to clone the identity of your wireless card, thus obtaining free access through a commercial hotspot by “piggybacking” on your signals.

If your company offers a VPN (virtual private network) connection with Internet access, you should take advantage of that functionality when using either free or subscription Wi-Fi hotspots. By enabling the VPN function on your laptop, you ensure that all of your communication is encrypted with high-strength ciphers and tunneled from the Wi-Fi hotspot, across the Internet, and into your company’s data centre, where it is unpacked and sent out on the company’s Internet connection.

This is a secure method of accessing company resources (intranet, e-mail, databases) because no matter who is also on the shared wireless network, you have a private tunnel back to your company. In some companies’ VPN configurations, you can also browse the Internet in addition to accessing company resources.

Such an arrangement may be slightly slower than unencrypted Web browsing, but the security makes it worthwhile. Additionally, if you are traveling in a country that imposes Internet restrictions (such as China or Egypt), you can tunnel your traffic back through your U.S.-based VPN connection and reach sites as if you were stateside.

If your company doesn’t offer a VPN service or has a “split tunneling” VPN (in which only requests to company resources travel through the encrypted tunnel, and all other traffic transmits unencrypted directly to the target), don’t worry–you can still stay safe.

Try out HotSpot Shield, a no-cost VPN service from AnchorFree. The company offers its own VPN software that you install on your laptop prior to using public Wi-Fi.

Once you enable the software and service, it encrypts your traffic and sends it through a tunnel to the HotSpot Shield data centre and then out to the Internet, in much the same way a company’s VPN server does. HotSpot Shield even has mobile VPN settings (with no downloads necessary) to protect your Web surfing on your iPhone using the built-in Cisco VPN client software that Apple provides.

By using a such a service, you make your connection secure all the way from the coffee shop to the AnchorFree data centre in Northern California. Once there, your traffic travels unencrypted to its final destination on the Internet, as if you were browsing from a laptop plugged directly into the company’s data centre.

This arrangement isn’t perfectly secure, since the encrypted tunnel does not travel all the way to the Website you visit. However, it’s certainly more secure than a setup with no VPN at all; to get in, would-be data thieves would need access to the AnchorFree data centre, not just the Wi-Fi network you’re on.

So, to recap:

1. If your company has a VPN that you can use for Web browsing, use it.

2. If you can’t use a company VPN, give HotSpot Shield a try.

3. Don’t equate subscription (paid-for) Wi-Fi Internet with secure browsing.

4. On unencrypted wireless networks, everyone can see where you are surfing (except on HTTPS Websites).

5. On encrypted wireless networks, everyone with the password can see where you are surfing (this could be a handful of people in your house, or hundreds of people in an airport).

6. If you must use a Wi-Fi hotspot without any form of VPN, imagine that your laptop is connected to a stadium Jumbotron. Don’t visit any sites you wouldn’t visit with 80,000 people looking over your shoulder.