Wi-Fi Users, Beware: Hot Spots Are Weak Spots

From Wall Street Journal

Next instance you are sitting in a hotel lobby checking e mail on your laptop, be careful: The “businessman” in the next lounge chair may be tracking your every move.

Many Wi-Fi users don’t know that hackers posted at hot spots can steal personal info out of the air relatively easily. And savvy criminal hackers aren’t settling for just access to credit cards, bank accounts and other personal financial knowledge; they love to sneak into your company’s network, too.

Whether you’re using a Wi-Fi hot spot at a hotel, airport or cafe, “you’ve got to assume that anything you are doing is being monitored,” says Shawn Henry, deputy assistant director of the Federal Bureau of Investigation’s cybercrimes division.

Home Wi-Fi networks are vulnerable, too, but it is far more fruitful for a hacker to pitch his tent in a busy hotel lobby or convention-center lounge where he can gather info from dozens of users. And Wi-Fi hot spots have proliferated, multiplying the potential targets for hackers. There were 66,921 hot spots in the U.S. last year, up 56% from 2006, according to advertising firm JiWire Inc. T-Mobile USA Inc. has 8,700 hot spots across the nation in such places as Starbucks and Borders Books & Music. AT&T Inc. has 10,000 hot spots in places like McDonald’s, Barnes & Noble and Coffee Bean & Tea Leaf.

Mr. Henry says businesses that offer Wi-Fi, like hotels, often don’t know that their networks have been breached and many times don’t report incidents they know about for fear of poor publicity. Users are frequently unaware they have been hacked. As a outcome, there aren’t solid figures on the number of wireless-hacking incidents. But the FBI for several years has received reports from educational institutions, private defense companies and other federal and local law-enforcement agencies about such attacks.

While the chances any one person will be hacked aren’t high, the payoff for criminals can be great, says Tom Brennan, a manager for AccessIT Group, which assesses companies’ defense vulnerabilities.

In early 2006, when he was working for a different firm, Mr. Brennan helped a financial institution determine how its documents network had been breached. An employee working on a laptop in Midtown Manhattan’s Bryant Park used what he thought was a publicly available Wi-Fi signal to get Web access. In fact, the signal he used had been set up by a hacker. When the employee reached his company’s network, the hacker nabbed the employee’s corporate user name and password.

Prosecutions involving wireless hacking have been few, though there have been some high-profile cases. In September, Max Butler, known on the World Wide Web as “Iceman,” was indicted on charges of wire scam and identity theft. Mr. Butler allegedly went “war driving” — searching for unprotected Wi-Fi networks — and stole user names and passwords that gave him access to several banks’ networks, according to the U.S. station of Justice. Mr. Butler hasn’t entered a plea yet, and his lawyer declined to comment.

Doppelgängers

Hackers have an assortment of tools in their bags to filch your personal data.

Two popular methods are the “evil twin” and “man in the middle.” Using either one, the hacker can monitor and record everything you do on the Web, including the input of credit-card numbers, user names and passwords. The hackers often sit or leave their equipment near other users but additionally can set up shop, say, out at the curb in a van.

A hacker might be able to completely take by the laptop, says Rick Farina, an engineer with AirTight Networks Inc., a wireless-security firm. The hacker can mine for vulnerabilities on your machine and search for user names and passwords. With access to your corporate user name and password, the hacker might be able to access your company’s network to steal sensitive input.

The Bryant Park incident was an evil-twin attack; the hacker offered a wireless network posing as a valid signal. Once you’re connected to the bogus network, everything you do on the World Wide Web can be tracked.

In an evil-twin attack,

the hacker might additionally direct users to a sham Web site, for example, one made to look like T-Mobile’s. At that point, you’re told to input credit-card info to purchase Wi-Fi access.

A man-in-the-middle attack is similar in that the hacker sets up a misleading Wi-Fi signal. But once you connect to that, the hacker funnels you to the valid wireless network.

All of that happens behind the scenes undetected by the user. As a hacker, “the fact that you have come to me is ‘Game by,’ in most cases,” says Amit Sinha, chief technology officer at AirDefense Inc, a Wi-Fi-security firm.

Some of the big Wi-Fi providers offer software that users can employ to protect themselves. T-Mobile offers a free download called HotSpot Connection Manager, which confirms that the user has connected to a genuine T-Mobile hot spot and not an evil twin. that additional layer of protection isn’t mandatory to use T-Mobile’s networks, and the company doesn’t offer the software for Macs. Even with the added defense, the company warns on its Web site, hot spots “may be subject to unauthorized interception and are not inherently secure.”

Encryption Software

AT&T plus offers a free download, called Connection Software, which offers authentication and encryption. It additionally has a feature that will automatically launch a virtual private network, or VPN, which is an encrypted means of sending documents by the Net that protects the notes from interception. Many companies require use of a VPN for connection to the company network from a laptop. AT&T doesn’t offer Connection Software for Macs.

Even with additional defense, users shouldn’t pass sensitive knowledge by the Web at public hot spots. “It’s the same thing as talking on a phone on a crowded bus, you probably don’t want to give out your Social safety measure number,” says Dennis Whiteside, vice president for broadband consumer marketing at AT&T.

Protecting Yourself

Stay current. compose certain your laptop is up to period. Don’t use old versions of your operating system and Web browsers, says Mr. Sinha, of AirDefense. Keep your firewall, antivirus and antispyware software current, too.

Use a VPN. Virtual private networks can be set up for personal, as well as corporate, use. Do a Web search for “personal VPN” or try a software retailer. Karen Hanley, senior director of the Wi-Fi Alliance, a nonprofit industry trade group, says the chances of getting hacked using a wireless hot spot are slim. But “we need to remind public to practice safe computing.”

Bank at home. Avoid conducting financial transactions at a hot spot. “Don’t go sell your stocks or do any online banking,” says David King, chief executive of AirTight Networks. Do all of your financial transactions at home, he says.

Name your home network. For your home network, don’t use the generic name, called the SSID, that came with the wireless router, says Robert Richardson, director of the Computer defense Institute, an organization of computer-security professionals. Hackers will often create Wi-Fi networks with names like “default” or “linksys” (named after a router manufacturer) considering most laptops are configured to automatically connect to networks that they’ve used in the past.

Give Wi-Fi a rest. Turn off your laptop’s Wi-Fi capabilities when you don’t need to connect to the Net. Most laptops search for Wi-Fi signals automatically and the connection stays open even whether you don’t boot up your Web or mail application. whether your laptop automatically connects to a Wi-Fi network run by a hacker, she might be able to search your computer for sensitive notes, even data that would allow access to your company’s network.

Wire up. John King, a 46-year-old engineer from Livermore, Calif., works for a company that mines computers for evidence in legal cases. He travels a lot for business and avoids Wi-Fi at hotels in favor of high-speed connections that plug into his laptop. He says he uses Wi-Fi to check newsletter and stock listings whether that’s the only means available, but only whether he’s certain of the signal. “I won’t go on a wireless access point that I’m not confident in,” he says.