You’ve heard of the practice of Wi-Phishing, or setting up rogue wireless access points in public places.
You’re wondering how to avoid becoming a victim of the scam artists, who can use this technique to steal private data from your laptop or infect it with malware.
Should you avoid using public hotspots? Some experts say yes – at least if you have sensitive data on your PC. “There is no way to stay safe on an open wireless network,” maintains Joshua Wright, wireless security instructor for the SANS Institute and senior security researcher for Aruba Networks Inc. in Sunnyvale, Calif.
Wright prefers using a 3G modem and cellular networks.
But many of us will continue using Wi-Fi. How can we minimize the risk from rogue hotspots? Here are six key precautions.
Know your hotspots: “Free Public Wi-Fi” is a common name for rogue hotspots. Avoid it. “Linksys” is the default ID for networks using the popular brand of home wireless routers. It’s unlikely to be a legitimate hotspot. But even if you see the name of a known service provider like Boingo or Wayport, realize that Wi-Phishers can use those names to fool you.
Once you’ve connected to a network with a particular ID, when your laptop sees that name again it may connect automatically. Either set it not to do this or disable wireless networking when not using it.
Wright advises making sure you’re connecting to an infrastructure network rather than an ad-hoc one. They have different icons in your laptop’s menu of available wireless networks.
Use VPN: A virtual private network protects traffic between two points in a secure tunnel. If you use a corporate laptop it probably has VPN software. Always use it when connecting to corporate systems from a hotspot.
VPNs have limitations, too. A VPN protects traffic between your computer and a remote one, Wright notes, but doesn’t stop an intruder from stealing data from your computer or planting malware there. And it won’t protect your web traffic unless you route that traffic through the VPN to a corporate server and then through the corporate internet connection, which is cumbersome.
Michael Rozender, who heads Rozender Consultants International in Grimsby, Ont., and specializes in wireless and broadband communications, also suggests using a USB key with built-in browser and security software, such as the IronKey, from the company of the same name in Los Altos, Calif. “Basically you’re going in like you’re on a separate computer,” says Rozender, noting that such devices are simpler to use than VPN.
Maintain a secure machine: Any PC should have up-to-date antivirus software, but it’s doubly essential on a laptop that connects to public networks. A personal firewall is another essential, and it’s good to have spyware detection. Tom Slodichak, chief security officer for security firm WhiteHat Inc. in Burlington, Ont., advises always scanning for malware after using a public network. Also, Slodichak advises, “any operating systems and applications that need to be patched should be fully up to date.”
Disable file and print sharing: It’s convenient to share directories at the office or at home, to exchange files with a desktop PC or coworkers. But turn off sharing when on the road – on any public Wi-Fi network, legitimate or not, it’s the computer equivalent of spreading the contents of your briefcase out on a departure-lounge table and leaving them there while you go buy coffee.
Take security alerts seriously:
We’ve all seen security warnings that look like the boy who cried wolf. You’re downloading something from a reputable software vendor’s web site and you get a warning message that a security certificate is out of date.
If you’re wise you take a second look at the site you’re downloading from, but these things do happen, and sometimes it’s all right to proceed.
When you’re on a hotspot, though, paranoia is the best policy. “You can never be sure,” Wright says, so even if you see a security warning you would dismiss on your office PC, take it seriously if you’re on a public hotspot.
Avoid sensitive transactions: While disabling wireless networking and avoiding hotspots altogether may be the only sure defence against Wi-Phishing, many of us encounter situations where we really need connectivity now, maybe to respond to a client or retrieve information we need to meet a deadline. Or we just want to look at a few web sites and no sensitive information is involved. But stop and think: Must you make that purchase that will require entering your credit-card information from your laptop in an airport lounge?
If it involves sensitive information and doesn’t absolutely have to be done right now, save it for when you’re on a more secure network.