WiFi has became pervasive. Not just laptops, but an arsenal of palmed-sized devices including smartphones, PDAs (personal digital assistant) and mobile media players, now connect to the Internet using Wireless Fidelity technology.
However, many users are clueless about security and connect to password-protected accounts and financial Web sites thinking that they are as secure as computing on their home or office desktop.
They aren’t, warn network security experts.
“The learning curve on WiFi security is just now ramping up. Users don’t know about settings,” SteveGorretta, director of product marketing at 2Wire, told TechNewsWorld. 2Wire is a manufacturer of homenetworking products.
Part 1 of this two-part series expanded on the dangers and weaknesses of public WiFi hotspots. Part 2 features tips users can take advantage of to protect themselves from snoops.
Basic Security
Many wireless users think running the same antivirus and firewall programs on a laptop willprovide security when they connect to a WiFi point. That thinking, however, is very wrong.
Device security is no longer related to just mobile computers. All mobile equipment with Internet and WiFi access — iPhones, PDAs, smartphones, etc. — are part of the security risk.
“The Web has become the great equalizer. It negates individual protocols though some Web protocol all devices use,” Corey O’Donnell, vice president of marketing for security software firm Authentium, told TechNewsWorld.
Third-party programs only defend against attacks from within the connection. WiFi security is the outerwall. It is the first level of defense. Antivirus protection is secondary protection, explained Gorretta.
To build that outer protective wall, WiFi connections should be protected by either WEP (Wired Equivalent Privacy) or WPA (WiFi Protected Access) encryption. Of these two methods, the WPA standard is newer and more resilient.
Encryption features are usually turned off in the default settings for routers and WiFi cardinstallations. Users have to learn to enable encryption.
Default Barriers
“Turn on encryption at the gateway. The default setting usually has encryption turned off. The rest of theindustry needs to change the default strategy. But there are barriers to doing this,” Gorretta said.
Those barriers are largely time and money savers for the product manufacturers. The computing industryneeds to get behind a movement to make default installations of all wireless equipment turn on encryption, he urged.
The barriers involve the installation process itself. With the default set to no encryption, new userswill be able to connect to the Internet as soon as the installation is completed.
Having a different default adds to the installation process, according to Gorretta. Users would have tofind and enter the encryption key and password during the setup process.
This added requirement would also cause a burden for customer support. This procedure is also harder to do with off-the-shelf products, according to Gorretta.
WiFi How-To Tips
Between the mobilization of business, the convenience of WiFi connections — especially the free networks — and the consumer entry of WiFi-enabled smartphones like the iPhone, wireless networks are receiving more traffic than ever. Just a little security knowledge can go a long way for users everywhere.
With that in mind, TechNewsWorld asked several security experts for their best tips in avoiding hackerswhen using WiFi connections.
Best Practice for WiFi-Enabled Handhelds
— From Richard Rushing, CSO at network security firm AirDefense
- Disable the wireless feature when not using the device.
- Avoid hotspots at places like hotels, airport clubs, libraries.
- If using a hotspot, only do so for Web surfing.
- Enter passwords only onto Web sites that include an SSL (secure sockets layer) key at the bottom right.
- When IMing or using e-mail from hotspots, avoid providing proprietary information for possibleconsumption by hacker.
- Avoid unknown, free WiFi links. Chances are very good that the free access will be a ploy to stealaccess ID.
- Social engineering is still a key tool hackers use to trick you into divulging sensitivedetails. Don’t be chatty or cooperative when asked for personal information.
- Always check with the hotel or restaurant about their WiFi access. It is easy for a hacker to set up a bogus lookalike access point for that location. In many locations you cannot tell if the WiFi access islegitimately provided by that business.
Public Hotspot Safety
— From Corey O’Donnell, vice president of marketing for security software firm Authentium
These tips are based on the results of a study conducted at Chicago O’Hare International Airport.
- Look for official corporate logos on airport-sponsored free access. It is easy for hackers to set upofficial-looking hotspots.
- Be aware of exposed folders and files on your computer. Make sure you disable the share files feature.
- Keep up-to-date antivirus and firewall products. If you do latch onto a dirty hotspot, you want to beable to detect and contain any viruses downloaded to your portable device.
- Use a corporate VPN (Virtual Private Network) whenever possible instead of a public WiFi point.
- Set up specific user profiles for different connection scenarios. For instance, have one profile forfamily log-ons, another profile for connecting to a bank and a separate profile for logging ontoshopping Web sites.
- Have different credentials like charge accounts, user names and passwords for specific online accesses. Then you can see which account and online access was compromised if someone attempts to steal your identity. Meanwhile, your other online visiting spots will remain safe.
Final Considerations
Users of private WiFi services also need to be careful, warned O’Donnell. Most of these providers do notoffer security on WiFi connections. All connected devices are equally hackable, he said.
“But joining a reputable network limits the risk caused by using unknown providers,” he said.
Also, look for the terms and conditions page when when signing on to a WiFi hotspot, suggested Rushing.Legitimate access providers usually require you to acknowledge their terms and conditions before lettingyou gain full access.
Finally, for better protection, look for hotspots that have account-only access, suggested Gorretta.
“Join that network, even if you take the minimum usage package. It will offer a VPN-like tunneling toprovide better security. The subscription services have good auditing controls to monitor who isconnected,” he concluded.