[ISN] Three rules for safer Wi-Fi away from home
InfoSec News
isn at c4i.org
Thu May 4 04:15:20 EDT 2006
http://software.newsforge.com/software/06/04/20/2032257.shtml
By Joe Barr
May 02, 2006
Almost everyone has heard about wardriving, the geek sport in which
you drive around and see what wireless access points (WAP) you can
find and access. Because of the ink wardriving has received over the
years, many home and business users have wised up and added security
to their WAPs. But how about the busy traveler, the exec at Marriott,
or the slacker at Starbucks? Do they take that same level of care with
wireless security while they're on the road and seduced by the easy
availability of Wi-Fi hotspots? Probably not, but they should. Here
are three simple assumptions you should make before taking your
wireless laptop on the road.
Memorize these rules, understand what they mean, and learn what to do
to protect yourself. When you can do that, you can begin to protect
your private, confidential, and corporate data from inquisitive eyes.
* Always assume someone is trying to see you enter a user ID or
password.
* Always assume that someone is reading every packet you send and
receive by Wi-Fi.
* Always assume that an "evil twin" is lurking near every Wi-Fi access
point.
In following the first rule, don't worry about appearing to be rude or
paranoid by moving the laptop screen position to block the view of
your fingers as you're typing a password or user ID. Do the same thing
to prevent those sitting to your right, left, or behind you on the
plane, in the airport, or anywhere else from getting an eyeful of
corporate secrets.
Act as if it is the most normal thing in the world to expect a little
privacy, because it is, just as it is when you're entering your PIN at
an ATM. Better than the above is not to do any of those things when
you are close enough to others that they can see what you're trying to
protect, even inadvertently.
While we're talking about physical security at the keyboard, password
protect your laptop and set the timeout on your screensaver to a low
number. Leaving your laptop behind in the hotel room while you go out
for dinner or a meeting? Fine. Disconnect it from the network, power
it down, and lock it.
The Wall of Shame
So much for point one -- on to point two. At Defcon each year, a group
of attendees sniffs every packet sent and received via the wireless
access points, looking for user IDs and passwords. Each time they find
one, they unceremoniously add it to The Wall of Shame in public view.
Just about the only thing easier than using a Wi-Fi network these days
is intercepting the packets on it.
Avoid ending up on your own personal wall of shame by using only
secure, encrypted connections to access your email, corporate
accounts, financial data, and anything else of value. If your business
or ISP provides Web mail, use it instead of unencrypted connections to
POP or IMAP mail servers. A virtual private network between your
laptop and headquarters or your home office is even more secure.
The bad guys will still be able to intercept every packet, but if they
are protected by encryption, you're way ahead of the game. Most script
kiddies stand about as much chance of cracking a recent WEP or WPA
encryption scheme as they do of winning the Lotto. But there are
others who will only be slowed down.
The evil twin
Finally, what about that intriguingly named evil twin? That's what
security pros are calling a phishing scheme where the bad guys spoof a
legitimate WAP's service set identifier (SSID), the name that
differentiates one access point from another. Evil twins disrupt
traffic to the authentic WAP and those associated with it lose their
connection, then automatically re-associate with the device with the
spoofed SSID.
You can avoid falling victim to this deception by not automatically
attaching to a WAP and by not running your wireless connection in ad
hoc mode. Know the SSID of the network you want to attach to, and
learn what security options, if any, are available for it. Always use
WEP or WPA instead of unprotected connectivity if you have that
choice. If you can't, don't access sensitive data over the wireless
connection, period. And finally, running a firewall -- the default
behavior on most modern Linux distributions -- is a very good idea.
Your common sense is your best protection against losing confidential
or personal data. Always behave as if the bad guys are really there,
and that they really want all of your data. Acting on these
assumptions is not a guarantee of wireless security, but following
them will make you a lot safer than you would be otherwise.
More information about the ISN
mailing list