| By Scott Dunn |
You see them everywhere your Wi-Fi laptop goes: unprotected wireless signals offering "Free Internet Access" or "Free Public Wi-Fi."
But connect to them and you’ll be disappointed. In a few cases, you may even have your computer hacked. Here’s the scoop on how to protect yourself.
What are these mystery wireless networks?
Many laptop users have seen unsecured access points like "Free Internet Service" show up in their list of available wireless networks. They appear to be especially common at airports. Attempts to connect to these networks usually don’t result in any Internet access. What is the source of these cyber chimeras?
The answer is that the majority of these access points are not Internet-accessible networks, but merely peer-to-peer or "ad-hoc" networks connecting one computer to another. Their ubiquity stems from the fact that when a Windows wireless computer connects to a network, it remembers the name or Service Set Identifier (SSID) of that network. The next time you use your laptop, your computer will broadcast that same SSID to other computers, and the users may confuse your signal for a legitimate Internet access point. In this way, names like "Linksys" or "Free Public Wi-Fi" are pollinated from user to user.
In most cases, attempts to connect to these networks only result in the user getting frustrated at the lack of an Internet connection and disconnecting. But, according to an advisory paper from Nomad Mobile Research Centre, the feature can be used by attackers to learn a victim’s IP address and directly access the computer. The risk is especially high if you have file sharing turned on. In addition, if an attacker uses this method to plant malware on your laptop, you could place your company’s network at risk the next time you connect to the network at your job.
Another hacker ploy is to set up an "evil twin" signal that broadcasts a site resembling a respectable hotspot such as an airport Wi-Fi service. You may enter credit-card information — thinking you’re only buying a few hours of Internet access — but you are actually turning over your account numbers to a cyber criminal.
How to protect your wireless laptop
So, how can those of us with wireless laptops and networks protect ourselves from the kind of mistakes the security pros were making? Fortunately, you can take several steps to avoid undesired peer-to-peer access and limit your risks when connecting to a wireless hotspot in a public place.
Before going any further, however, make sure your own Wi-Fi system is using the latest encryption standard, WPA2 (Wi-Fi Protected Access 2). For details on these and other basics of Wi-Fi security, see Brian Livingston’s Top Story in the May 26, 2005, issue.
1. Turn off Wi-Fi when not in use
The first and most basic way to limit your risk is to turn off your system’s Wi-Fi feature when you’re not using it. Many laptop computers have a physical switch to toggle the wireless capabilities.
If you don’t have a physical switch, you can turn off Wi-Fi in XP by right-clicking the wireless icon in the taskbar "tray" (the area near the clock) and choosing Disable. To turn it back on, go to Control Panel and open the Network Connections window. Right-click the Wireless Network Connection icon and choose Enable.
In Vista, go to Control Panel and launch the Network and Sharing Center. Click Manage network connections on the left. Then, right-click the Wireless Network Connection icon and choose Disable. Click Continue if prompted by User Account Control. To reverse this setting, return to this window, right-click the same icon, and choose Enable. As before, click Continue if prompted by User Account Control. Then use the Network and Sharing Center to connect to a network.
2. Install and enable a firewall
Make sure you have a firewall enabled on your laptop. If you don’t have a third-party firewall, you can turn on Windows built-in firewall by opening Control Panel and launching Windows Firewall. If you have XP Service Pack 2 or Vista, the firewall should be enabled by default.
3. Know the difference
The best way to avoid potential attacks via peer-to-peer connections is simply to refuse to connect to an unknown ad-hoc network. Fortunately for XP users, the Wireless Network Connection window clearly distinguishes between the two types of networks. Each ad-hoc network is labeled as a "computer-to-computer network." Infrastructure networks are labeled as "wireless networks."
In addition, XP uses distinctive icons to differentiate between the two types of networks: Ad-hoc network icons show two computers, while infrastructure network icons show an antenna (see Figure 1).
Figure 1: XP shows peer-to-peer networks as two computers, but access points as an antenna.
Vista, however, is a lot less clear on this point. The display of available networks doesn’t offer any description to distinguish between ad-hoc and infrastructure networks. The user is forced to rely solely on inscrutable icons. Ad-hoc networks are depicted with three computers connected by green lines, while infrastructure networks are shown as two computers sitting on a network cable (see Figure 2).
Figure 2: In Vista, peer-to-peer network icons show three computers, while access point network icons show only two.
4. Clean up your network list
In XP, use Windows Control Panel to open the Network Connections window. Right-click Wireless Network Connection and choose Properties. Click the Wireless Networks tab, which displays (among other things) a list of preferred networks (those you have connected to in the past). While you’re there, select any suspicious-looking networks (like "Free Public Wi-Fi") and click Remove.
In Vista, use Control Panel to open the Network and Sharing Center. Click Manage Wireless Networks in the task pane on the left. Right-click any suspect networks and choose Remove Network.
In addition, you should set all of your preferred networks to manual so your system doesn’t automatically connect to a rogue network with a matching name. To do that, follow these steps:
Step 1. Select any network in the list with "(Automatic)" after its name (XP) or displaying Automatic mode (Vista).
Step 2. Click Properties.
Step 3. Click the Connection tab.
Step 4. Uncheck Connect when this network is in range.
Step 5. Click OK.
Step 6. Repeat for each automatic connection in the list.
5. Turn off ad-hoc networking in XP
While you’re in the Wireless Network Connection dialog box (XP only), you may want to take the advice of the Nomad advisory paper, which recommends that users turn off ad-hoc networking:
Step 1. In the Wireless Network Connection Properties dialog box, with the Wireless Networks tab selected, click the Advanced button near the bottom of the dialog.
Step 2. In the Advanced dialog box, select Access points (infrastructure) networks only. Also, make sure there is no checkmark next to Automatically connect to non-preferred networks.
Step 3. Click Close.
Unfortunately, changing this setting does not stop ad-hoc networks from appearing in the list of available wireless networks in the Wireless Network Connection window. Nor does it prevent you from connecting to them manually. It does, however, filter out ad-hoc networks from appearing in the list of preferred networks.
This setting is not in Vista, which always requires manual connections to ad-hoc networks.
6. Turn off file sharing
If you’re going to be connected to a public network, such as an airport hotspot, you can reduce the risk of mischief by turning off file sharing:
Step 1. In XP, launch Windows Explorer and right-click the folder or drive that’s shared.
Step 2. Choose Sharing and Security, and turn off sharing for that folder.
Step 3. Click OK.
Things are much easier in Vista. When you connect to a Wi-Fi network for the first time, you are prompted to designate the network as private or public. Selecting Public automatically turns off file sharing. If you have already connected to the network, you can change this setting by going to Control Panel and launching Network and Sharing Center. Click Customize on the right. Select Public, click Apply, and follow the remaining prompts on screen.
7. Turn off network discovery in Vista
Another risk-reducer with public Internet connections is to make your computer invisible on the network you joined. If you designated the connection in Vista as Public, as described above, that’s already done for you. If not, you can change that setting independently in the same Network and Sharing Center window. Under Sharing and Discovery, click the On button or the down arrow to the right to display more options. Select Turn off network discovery and click Apply.
8. Use a Virtual Private Network (VPN)
Perhaps the best way to protect your wireless communications when using a public network or hotspot is through virtual private networking. For tips on doing so, see the discussion of VPNs in our May 26, 2005, issue.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.