Wireless Internet Hotspots Not Secure?

[Dancali]

I've been reading up a bit on wireless hotspots now that I have a laptop.

It seems that most of what one does at a wireless hotspot could be intercepted by a hacker.

For the more paranoid types like myself, should one be careful about messing around with sensitive financial and business stuff when on a wireless network?

[Gumballl]

Dancali

Yes, you should be "careful", but not paranoid. It is possible for someone to gain access to your system, especially if you are running windoze. If you have Win XP, you should consider enabling your firewall (via the Control Panel).

Any computer system can be compromised, not just windoze. That is why it is best to send/receive encrypted data.

The main thing to worry about, on an unsecured network, it to make sure that 1) you have a firewall enabled, and 2) that you are not "sharing" any important folders or resources on your PC.

I trust the Mac OS X and any Linux version over windoze any day of the week for aspects concerning security, but if you must run windoze (and I personally do), button up your system so that nobody can get access to it. Then surf the web like you normally would.

Additional stuff you can do to protect your PC... subscribe to a company that provides anti-virus software (eg Norton), and install software that removes SpyWare (eg SpyBot).

Finally, some folks believe that it is better to use Mozilla than IE. Based on all of the problem reports issued by Microsoft concerning its IE browser, I am not at all surprised to hear this.

Hope this tidbit of info helps allay your fears of surfing the web.

P.S. If you know of someone, or an establishment, that has an insecure network, think twice before informing them of this oversight. Sometimes I can get access to neighbours hi-speed internet, when I am away from home... and it's free! Now why would I complain to that!

[Dancali]

Thanks for the insight.

I am not too worried about somebody hacking into my system as I pretty much understand the things I can do to help prevent that. But what about emails and other information sent "in the air"? It seems as if that could be intercepted by an unscrupulous individual nomatter if your computer is otherwise completely secured. I was reading the T-Mobil security info and they seem to make it clear that such info can be intercepted.

Is the only information safe that which is actually transmitted while on a secure site connection?

And good point about not letting them know about an open connection. I know of a good one myself from a well-located computer store. This may be a dumb question, but can whoever has set up the wireless hotspot get any access to the data you are transmitting through their setup?

[LivinLOS]

Personally I mentally put email in about the same security level as a postcard.. Yes it can be read and yes it can be read at many stages of the chain..

If you are concerned about this try and get the person with whom you need to communicate with privately to use PGP or similar.

[Gumballl]

Dancali -

Transmitting data via a wi-fi can be intercepted, but you need to ask yourself what is the probability.

When a wi-fi system is secured (and there are various means of doing this), data that is sent and received is encrypted, usually using a 128-bit key. Generally, however, public wi-fi hotspots will not secure their networks because it would be too mind boggling for the average joe (or jane) to key in a 128-bit key (in hexadecimal values) before using the network.

If you are still bent on securing your email, there are applications out there that you can use to encrypt your email before it is sent over the network, using similar technology as the encryption method previously discussed. Naturally though, the recipient of your email would have to be able to decrypt your email. Personally I do not use this stuff, but if you do a search for PGP software, you might find something you can use.

Concerning your question:

This may be a dumb question, but can whoever has set up the wireless hotspot get any access to the data you are transmitting through their setup?

Yes, someone could intercept your data. This data is worthless to the "someone" if the data is encrypted... unless the someone has access to a supercomputer and gobs of time on their hands (for instance the NSA) to devote trying to reconstruct your transmitted data into something intelligible.

Note that in most financial websites, the login page generally transmits the data you enter encrypted. But, and this is a big but... if you have spy-ware on your system, someone could be snooping the actual keys that you strike on your keyboard. Hence the earlier recommendation to get a spy-ware eliminator.

Anyhow, I'm tapped out of info. If you've got the time, there are many sites on the web concerning the use of spy-ware software, PGP, and encryption.

Have fun!

[rcjoop]

A public wifi network is usually insecure. If not using a secure site that uses SSL encryption your data are easy to read by anyone.

Using encryption by static keys as in WEP does help very little, many tools are around that automatically recover encryption keys, our students do it often.

AIRsnort is one of the many tools available free.

You can make the network secure (but not easy for public hotspots) by using 802.1X/WPA type of security and using PEAP or TTLS on top of this.

Basically these systems use a long encryption key of 128 bit and automatically rotate the keys so that not enough data can be intercepted to recover the key.

To transmit authentication data in PEAP and TTLS a secure tunnel is set up similar to when using a VPN server.

PEAP is part of Win XP , very few public hotspots use it.

Of course you must be aware of the dangers of spy software etc. but this is valid for all networks.

[bkk_mike]

I have one big issue here - he seems to think that the internet is secure, and it's just the Wi-Fi that's a problem. If anything, so long as your PC isn't set up to share drives the WiFi is almost as secure as the normal internet... (i.e. neither are particularly secure)

Everything on the internet is handled by passing information through a series of computers. The only time it is secure is when there is some form of encryption involved. (Virtually all shopping web pages are encrypted with SSL when it comes to pages where you're entering credit card information - you should see a padlock on the browser window to show this).

Other internet communications using encryption that are in common use are things like VPN (used by teleworkers to connect to their office), or email encryption such as PGP.

Without encryption, nothing on the internet is secure, and could be intercepted (if someone was so inclined), by system administrators or users with sufficient permission on any of the boxes that your message is passing through.

The analogy of a postcard is pretty accurate. Don't write anything assuming the person in the sorting room and the postman won't read more than the address. He probably won't, but without encryption, you can't prevent him reading it if he wants to.

Edited December 12, 2004 by bkk_mike