We've all done it: You need quick access to email, so you jump on that free WiFi connection at the local coffee shop, the airport, or a conference hotel. What are the chances you'll get hacked, anyway?
Think again. If you use unsecured WiFi in the clear, without any encryption or security, you're asking for it. Your laptop is routinely broadcasting seemingly innocuous data that when put together, can compromise your system as well as your company's. Hackers have the sniffer tools that can grab login and passwords, or gather bits of information that can reveal who you are and possibly gain entry into your corporate applications. (See Joke's on Me, Tool Uncovers Inadvertent 'Chatter', and Data That Doesn't Drip... Drip... Drip....)
Ask any security expert, and they will say "just say no" to naked WiFi. Rule number one for using WiFi safely? "Don't," says David Maynor, CTO of Errata Security , which has recently brought to light some glaring wireless vulnerabilities, including device driver bugs and data seepage. (See Apple Flap Redux and Notebooks Vulnerable to Wireless Attack.)
Sure, these guys are so far in the trenches that they may be a little paranoid, but you'd still never catch Maynor nor Errata CEO Robert Graham jumping on a WiFi connection without protection: "I usually do broadband wireless" instead, says Graham, who built the now-infamous Ferret "sniffing" tool that gathers data broadcast over wireless.
Wireless security experts say the only time you should use a WiFi network is to do some benign Web surfing, like checking the weather or your horoscope. Not for email, and definitely not to file your taxes or bank online. "Not everyone needs to work from a coffee shop," Errata's Maynor says.
But if you absolutely must use WiFi -- and most of us do at some time -- there are some steps you can take to protect your laptop from inadvertently spilling details that could compromise you or your machine, and prevent a hacker hell-bent on breaking into it.
1. Disable unencrypted POP3 and IMAP email.
POP and IMAP mail send login data in clear text, so it's a no-brainer for a hacker who finds that data ensnared in his sniffer. "Email is most likely to get you into trouble accidentally on WiFi," Errata's Graham says. "The most important thing you can do is not use a mail service that is using unencrypted POP and IMAP mail."
That leaves you with the option of encrypting it, or using something like Google's Gmail, which includes an encrypted connection for messaging using Transport Layer Security (TLS).
"You should not use email that uses POP with a clear text user name and password exchange," says Amit Sinha, CTO at AirDefense Inc. "Any clear text message pops right up, so if a hacker is connected to the same AP as you, he can do a quick ARP spoof and redirect all your traffic through his machine."
The same goes for other clear-text protocols, including HTTP, telnet, and FTP, he says. "Instead of using HTTP, use HTTP-S, and SSH instead of telnet, and secure FTP instead of FTP."
If you have to access an unencrypted POP or IMAP email account, do it over a VPN.
Just because you don't see a hacker come in and plug in a bright red cable doesn't mean you're safe, Sinha notes. "But the fact of the matter is it's much worse with WiFi. Wireless makes everything into a giant hub, and anyone on that hub is going to be privy to whatever is being exchanged."
2. Add an additional firewall, or other laptop security tools.
Aside from your laptop's personal firewall, you can crank your security up another notch with a second firewall, such as ZoneAlarm's, that blocks all Internet activity until you're connected to a trusted or known (think VPN) network, Maynor says.
Air Defense Personal is a Layer 2 firewall that works in conjunction with the laptop or machine's existing firewall, according to Sinha. "It stops evil-twin attacks and other hotspot-type attacks, and enforces policies."
Most users don't realize their laptop is constantly probing and searching for networks it has connected to previously, even when you're offline, and that activity can get sniffed, exposing your networking history. An extra firewall can protect you from that, Sinha says. "The moment your laptop connects to the WiFi network, it sort of burps out all of its all previous settings... [like] the last IP address you were connected to."
But Graham says adding firewalls isn't the answer. "Firewalls don't protect you from things your [machine] is sending out willingly," he says. "You should have a firewall if you are connecting to a public network. ZoneAlarm doesn't provide anything more important than a built-in Microsoft firewall" in this situation.
Yoggie Security Systems, an Israel-based company, recently rolled out a new USB-based wireless secure-network-in-a-card for laptops. The credit-card sized device acts as a VPN gateway, firewall, IDS/IPS, antivirus, anti-spyware, and anti-spam system, and it costs $220. "It's insulated from WiFi so people can't get into your laptop from the WiFi network," says Shlomo Touboul, founder and CEO of Yoggie. And it provides secure VPN access outside the WiFi network, he says.
There's only so much that additional tools can do for securing WiFi, though, security experts say. "The first question is what kind of tool will solve this? A tool might help, but the real answer is you have to change your behavior," Graham says. "That's always the answer" with security.
3. Encrypt all communications -- and that includes using a VPN connection.
"You should end the concept of plain-text traffic," Maynor says. If you want to use POP mail, it has to be done over SSL-based VPNs, he adds.
Encryption is no longer an option, Maynor says, but crucial to survival in the wireless space. These can be either SSL or IPSec-based VPN connections.
A VPN connection basically narrows the window of a WiFi attack, Touboul says. It doesn't completely secure you: "If an attacker listens to a packet before you hit the VPN, he can tap into your user name and password and use your VPN name to get to your corporate network."
And unless you're a corporate road warrior, a VPN isn't easy to get or run, notes AirDefense's Sinha, although Google offers a free VPN service option. "What you're doing is setting up a secure tunnel after you connect with the wireless network. So you might still be susceptible to man-in-the middle or session highjacking attacks.
"But you've still raised the barrier higher so that the hackers will go to the lower-hanging fruit," he says.
And encrypting email, with free services such as Hushmail, can help, too, notes Maynor.
4. Use a broadband wireless card instead of WiFi.
Verizon and Cingular are among the service providers now offering broadband wireless service cards you plug into your machine. That's what most security experts say they do: "I use a Cingular mobile broadband instead of free WiFi access points," Maynor says.
He recommends it for mobile corporate users, too, along with a VPN connection: "Outfit your road warriors with Verizon or Cingular cards plus VPN."
These services aren't cheap, however, and sometimes they are slower. They can run from $50 to $70 a month. But they do reduce your risk of getting hacked, for now anyway: Errata's Graham says these connections, too, could be risky in the near future. "They are OK for now, but could be in danger based on the work we've done," he says. "It's still a better option than using a WiFi connection."
5. Close your chatty apps.
You should shut down all applications you don't need while on the WiFi network. "But that's really hard to do," admits Graham. "Even the most experienced users have a tough time figuring out which is on or off."
Trouble is, desktop agents, such as your email client, Oracle, etc., instantly begin asking questions and leaving tracks as they reach out for their servers from that WiFi connection. And if you have your database credentials cached on your laptop, your Oracle client will try to connect to the database server back home, broadcasting that data over the airwaves.
Microsoft Outlook, for instance, is especially difficult to keep quiet. "If you're on a Web page that's actually an email link, Outlook starts trying to send POP and your password across the wire," Graham says. "You really can't turn it off."
Graham recommends making sure no programs on your menu bar are automatically launching while you're online. He says he doesn't have a lot of apps installed on his notebook, nor passwords. "I don't log onto any server," either, he says.
The only app he really trusts in public wireless networks -- even when using his broadband wireless service -- is Google's Gmail.
Meanwhile, the problem with disabling corporate apps on your laptop is when you hit the conference room, they won't work there, either. "The best you can do is understand what's leaking out, and determine if it's anything internal," says Richard Rushing, CSO of AirDefense.
6. Don't use the same or similar logon and password account names for Websites that you use for critical apps like email or online banking.
It may sound like a no brainer, but think about it. Do your various logons and passwords happen to sound, well, alike?
"We're out there watching people on WiFi with MySpace and ESPN.com accounts, and all the other little credentials saved in their browser," Graham says. "When they do an auto-login, we see them using the same account and password, and it's showing that in clear text."
All it takes is trying that same login on a more sensitive site, and voila: An attacker can access your bank account if you aren't careful about mixing up your logons and passwords.
7. Disable your wireless connection when you're not using it.
Even if you're not in wireless range, your machine is constantly reaching out and looking for a connection. "The client desperately goes through all the networks you've been on in the past. I see this all of the time when I'm on a plane" using a sniffer, AirDefense's Sinha says.
The danger is an attacker could fake your machine into accepting his ad-hoc connection to a malicious wireless access point for instance, he says.
"The bottom line is turn wireless off" when you're not using it in public places, he advises.
True, most WiFi threats are short-lived and require an attacker to be nearby physically. But you're not necessarily free and clear when you shut down and leave Starbucks: Beware of malware getting planted onto your machine, or other backdoor gifts that keep on giving, to the attacker, of course.
Kelly Jackson Higgins, Senior Editor, Dark Reading