Paul King

Bugwatch: Avoiding hotspot hacks

Simple steps to beat the wireless hackers

Paul King, principal security consultant, Cisco Systems UK, vnunet.com 26 Jan 2005

Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.

This week Paul King, principal security consultant at Cisco Systems UK, maintains that it is perfectly safe to use wireless hotspots if you follow a few simple security procedures.

The recent headline-grabbing demonstration of wireless Lan security issues around public hotspot access seems reason for concern, and was described by some as new and sophisticated.

However, it needs to be put into context. The attack, as demonstrated at Cranfield University, was based on a tool that has been available for at least three years and is really quite straightforward.

The user connects to this 'evil twin' wireless access point believing it to be the legitimate commercial hotspot, and the hacker can now intercept the data. Simple. So what can we learn from this latest security scare?

Rather than focusing on the threat itself we should consider the wider implications. Wireless networks are transparent: everyone can 'see' the traffic anyway because it's a radio network.

A public hotspot provides access to the internet, similar to broadband or telephone dial-up, so the user should be taking basic security precautions just as they should for all internet access. If you don't want people to see your data you should use encryption.

Let's consider corporate users first. They are strongly advised to use virtual private network technology to provide encryption of all traffic from their laptop when using any public links to the internet.

Even if the hacker did intercept the data (and given that it is wireless radio you should assume that people can intercept it) they would not be able to read it. Nearly all corporate users with wireless laptops use this method of connection, so they shouldn't be at risk from this attack.

So what about non-corporate users with personal laptops? If you connect to the internet using a public wireless hotspot to access your web mail, a hacker might be able to read your email and get your web mail passwords.

But they might be able to do this anyway because of the wireless radio, so there's no need for any hacking tools. For this reason you are advised to use encryption on all public connections such as hotspots.

If you want to keep your communications private you should use a Secure Socket Layer (SSL) web mail service, and there are plenty to choose from. Look for the padlock in the corner of your browser.

If you are accessing a banking site or entering any personal details you are strongly advised to check that it is encrypted, so again always check for that padlock.

If it's there then you should be safe from the 'evil twin', unless the 'evil twin' is phishing and pretending to be the website as well, in which case you need to pay attention to the next paragraph.

There is one more important thing to remember, and this is nothing to do with wireless security, and that is to check your SSL certificate. This sounds very technical but it is not difficult and it is very important.

If you connect to any site that uses SSL (the URL usually starts with https:// and there will be a padlock in the corner of the browser) you are advised to check the SSL certificate.

Think of this as like checking a cash point machine for tampering before putting in your card and entering your Pin. This will help to protect you from the 'evil twin' pretending to be the website to which you're connecting.

How do you do this? With Microsoft's Internet Explorer you simply double click on the padlock in the bottom right corner and a window will open with the details of the certificate. Check that the details are as expected, especially the certification path. More details can be found on the Microsoft website here.

For users of Mozilla's Firefox browser the padlock is down in the bottom right corner and again you can just double click on it to check the details. If anything doesn't look quite right then do not enter any details, just like if you were suspicious of a cash point machine.
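
The same details the padlock window shows (who the certificate was issued to, who issued it, and when it is valid) can also be read in a script. The Python sketch below is an added example, not part of the original column: `fetch_cert` performs the handshake against the system trust store, which rejects a broken certification path or a wrong hostname, and `review_cert` lists anything that does not look right. The sample certificate and the `example.com` names are constructed for illustration.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5.0):
    """TLS handshake using the system trust store (verifies chain and hostname)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _names(rdns, key):
    # subject/issuer arrive as a tuple of RDNs, each a tuple of (key, value)
    return [v for rdn in rdns for (k, v) in rdn if k == key]

def host_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def review_cert(cert, host, now=None):
    """Return (summary, problems) for a dict in getpeercert() format."""
    now = time.time() if now is None else now
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    summary = {"issued_to": _names(cert.get("subject", ()), "commonName"),
               "issued_by": _names(cert.get("issuer", ()), "organizationName"),
               "valid": (cert["notBefore"], cert["notAfter"]), "dns_names": sans}
    problems = []
    if not any(host_matches(p, host) for p in sans):
        problems.append("hostname not covered by certificate")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed: no certification path to a trusted CA")
    return summary, problems

# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE = {
    "subject": ((("commonName", "webmail.example.com"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust Root"),)),
    "notBefore": "Jan  1 00:00:00 2005 GMT",
    "notAfter": "Jan  1 00:00:00 2006 GMT",
    "subjectAltName": (("DNS", "webmail.example.com"), ("DNS", "*.example.com")),
}
```

If `fetch_cert` raises `ssl.SSLCertVerificationError`, or `review_cert` returns any problems, treat the site the way you would a suspicious cash point machine and enter nothing.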

By using security wisely you can join the millions of people who safely use the internet every day, just like I am doing to write this article (over a public wireless hotspot). Good security practice lets me do this safely.
