 | By Ian “Gizmo” Richards
Using a Wi-Fi network in a coffee shop, airport, or hotel is such a serious security risk that I simply never do it without taking additional measures to protect my data and my PC.
These three techniques will keep you safe while using a public network, often without costing you anything but a small bit of time.
|
Public wireless networks attract data thieves
Wi-Fi may not in itself be insecure, but various implementations of the wireless technology are.
The most vulnerable of these are “open” networks, which don’t even require a password or network key to use. Unfortunately, open networks are common; indeed, most of the free networks you encounter in coffee shops, hotel lobbies, and other public spaces fall into this category.
Whenever you use an open network, the information you send and receive is exposed for all to see. And there are plenty of nasty types lurking around who want to see it. They are looking for confidential information in your e-mails, SMS messages, and other Web communications that would enable them to steal your passwords, personal identity, and money.
Stealing information from traffic on an open Wi-Fi network is relatively easy. You don’t have to be a technical expert or hacker because there is a wide range of tools available for download that allow just about anyone to tune into and record other people’s communications.
One such program is the free Wireshark utility, which Ryan Russell described in his Mar. 20 Perimeter Scan
column. Hey, there’s even a
YouTube video showing how to do it.
So the next time you’re considering using an open network, remember that the person at the next table or in the next room may be listening in. If that thought makes you uncomfortable, here are some things you can do to prevent being a wireless victim.
Option 1: Always connect via a secure network
Accessing many hotel and airport Wi-Fi networks requires a network key that you typically have to purchase. Such networks are much more secure than open networks, but there are two serious caveats that you need to be aware of.
First, don’t purchase access to the network by entering your credit card details over the same network. When you buy access online, you’re doing so over an open network. It has to be open to allow you to buy the access key.
Admittedly, most such credit card purchases make use of an encrypted
https: connection, but this encryption is not a total safeguard. Quite often, these transactions use both secure and insecure pages, so some of your personal details can still be stolen.
A much better solution is to bypass the problem entirely by buying a network access card or coupon from a clerk or vending machine. It’s simply a much better practice. None of your credit card details can be stolen because you enter only the access code over the open network — never any personal data.
If you regularly use open networks, a more convenient solution is to purchase the services of a Wi-Fi access provider such as MobilityPass, Boingo, or iPass. Most such services offer secure connections and let you buy access before you travel. Some also offer VPN access and other additional security measures. On the downside, these services don’t offer universal coverage and are not cheap.
A second caveat is that not all networks using access keys are secure. Some such networks still use the first-generation Wired Equivalent Privacy (WEP) security protocol rather than the more recent and more secure Wi-Fi Protected Access (WPA) and WPA2. WEP security can be broken with relative ease using off-the-shelf tools such as WEPAttack and WEPCrack, so WEP can no longer be considered secure.
Both Windows XP and Vista display the security protocol used whenever you connect to a wireless network. If you see that you’re connected to a WEP network, you’re not secure, even though you used a network password to access the network.
For more on WEP and WPA security, see Mark Edwards’ Nov. 13 PC Tune-Up
column.
Option 2: Use a virtual private network
One of the best ways to protect your Wi-Fi sessions is to use a VPN connection. A VPN functions as a fully encrypted private network operating within — or “tunneling through” — the public Internet. In the context of Wi-Fi, a VPN works like this:
A special VPN program runs on your PC and uses a Wi-Fi connection to create a link with a remotely located VPN server. Afterward, all your Internet activities are conducted with the VPN server acting as an intermediary between your computer and the Internet.
In other words, the VPN server sits between you and the Internet. The connection between you and the remote VPN server is fully encrypted, so no one can spy on your traffic over the Wi-Fi link. Furthermore, VPN encryption is virtually unbreakable: you have effectively turned a highly insecure Wi-Fi connection into a highly secure one.
VPNs do more than simply provide a secure link, however. They also give you Web anonymity and privacy — even your ISP won’t be able to determine where you have surfed over the encrypted link. VPNs also let you bypass corporate and national firewalls, which explains the popularity of VPNs in countries with restrictive or totalitarian governments.
The IT departments of most corporations and government agencies provide their employees with VPN connections so the workers can get secure remote access to the organization’s resources. However, home users can also set up a VPN by using one of several different methods.
If you use an always-on Internet connection and your ISP has allocated you a dedicated (or “static”) IP address, then in principle, you can set up your home PC as a VPN server.
Whenever you’re using a laptop or other computer away from home, you can connect to the VPN server software on your home PC to create a secure VPN. Then you can surf securely via your home network, even over an insecure, open Wi-Fi connection.
Challenges to creating a home VPN server
Creating a VPN server on your home PC is technically challenging. Furthermore, doing so creates the risk of enabling a hacker to break into your home PC via the VPN server.
If you’re the adventursome type and tempted to try the home-PC server approach, I suggest you use LogMeIn’s Hamachi program (free for home use) to set up the VPN (
download page).
Then follow the instructions on LogMeIn’s
forum to tunnel your remote Wi-Fi browsing sessions through Hamachi. An alternative to Hamachi is the open-source OpenVPN program (
download page).
A far simpler approach is to use a third-party VPN server. There are many companies that provide this service for a fee, including:
•
PublicVPN •
Witopia •
GoTrusted Most of these services provide access to their VPN servers through a small, downloadable program or, alternatively, via the Web. Access is available on a spot-usage basis or via monthly or quarterly subscriptions.
When choosing a VPN service, make sure the company provides VPN access for e-mail as well as for Web browsing. If you use IM and FTP, make sure these messaging and file-transfer networks are covered by the service as well.
There are several VPN protocols in use, each of which is capable of doing the job. The protocols include PPTP, L2TP, IPSec, and SSL. Indeed, the clients for most VPN services will offer a choice of VPN protocols, because some ISPs don’t support all the protocols.
There have been some security concerns about PPTP, which is the most-widely deployed VPN protocol. However, if you use a long password or passphrase, you’ll be completely safe using PPTP.
If you don’t like the idea of paying for a VPN service, consider going with a free, ad-supported alternative. The most popular of these is
HotSpot Shield. I haven’t used this service myself, but with 15 million customers, the company must be doing something right.
Another free VPN service is
iPIG. Unlike HotSpot Shield, there are no ads on iPIG, but most users will find the service’s 10MB data-transfer limit a deal-breaker.
Option 3: Use an anonymizing service
You may have heard of the free Tor program (
download page) that allows you to surf the Internet anonymously. However, Tor and other anonymizing services can also be used to increase your Internet security.
That’s because Tor encrypts the first link between your PC and the first Tor server. If that link includes a Wi-Fi connection, then the Wi-Fi link is encrypted as well.
That means you can use even an insecure, open Wi-Fi connection with confidence. Furthermore, Tor’s additional security won’t cost you a cent.
It sounds like a great solution, but there are a couple of catches:
First, you’ll find your surfing noticeably slower when using Tor because all traffic is routed through an additional chain of Web servers. At peak periods, this can be a real problem; I’ve seen Tor bring my network to a near-standstill at times.
Second, you’ll find Tor works well enough for Web browsing but not so well for other Internet activities. FTP is a good example: while it’s possible to configure Tor to work with FTP, I’ve found the performance to be unacceptable. (I’ve heard that BitTorrent performance can be poor over Tor as well.)
These limitation aside, Tor is a free and time-proven solution for improving your Wi-Fi security.
The wireless-security plan that works for me
I travel a lot, so I find myself using Wi-Fi networks in airports and hotels all the time. Because so many of these networks are open, Wi-Fi security is a real and practical problem for me.
I’ve tried various solutions, including setting up Hamachi on my home PC. None of the setups has been problem-free, but on balance, the solution that works best for me is a commercial VPN service. Over the years, I’ve used three of these services, which are mentioned above in Option 2, and all three worked just fine. The one I use today is the cheapest service that offers me the features I need.
As a backup, I also carry a copy of Tor around with me. For this purpose, I use OperaTor (
download page), which is a portable implementation of the Opera browser with Tor preconfigured.
Whatever you do, please don’t use open Wi-Fi networks without some form of additional protection. If in the past you’ve gotten away with using open wireless networks without encryption or other safeguards, then thank your lucky stars.
If you continue to use open Wi-Fi without protection, I can assure you that one day, you’re going to get caught out big-time. Be smart and fix the problem now.
Ian “Gizmo” Richards is senior editor of the Windows Secrets Newsletter. He was formerly editor of the Support Alert Newsletter, which merged with Windows Secrets in July 2008. Gizmo alternates the Best Software column each week with contributing editor Scott Spanbauer.
Microsoft DHCP bugs make Windows lose networking
By Scott Spanbauer 
By Dennis O’Reilly 
By Susan Bradley
