Wi-Fi worry: Laptops at risk of attack
As communities push to turn themselves into massive wireless hot spots, unsuspecting Internet users are giving hackers nearly effortless access...
Los Angeles Times
As communities push to turn themselves into massive wireless hot spots, unsuspecting Internet users are giving hackers nearly effortless access to their laptops and private information, authorities and high-tech security experts say.
It's a growing invasion with a twist: People who think they are signing on to the Internet through a wireless hot spot might actually be connecting to a look-alike network, created by a malicious user who can steal sensitive information, said Geoff Bickers, a special agent for the FBI's Los Angeles cyber squad.
It is not clear how many people have been victimized, and few suspects have been charged with Wi-Fi hacking. But Bickers said that over the past couple of years, these hacking techniques have become increasingly common, and they are often undetectable. The risk is especially high at cafes, hotels and airports, busy places with heavy turnover of laptop users, authorities said.
"Wireless is a convenience; that's why people use it," Bickers said. "There's an axiom in the computer world that convenience is the enemy of security. People don't use wireless because they want to be secure. They use wireless because it's easy."
For Mark Loveless, it was a just a letter that separated security from scam.
Logging on to his hotel's free wireless Internet in San Francisco last month, Loveless had two networks to choose between on his laptop screen — same name, one beginning with a lowercase letter, one with a capital. He chose the latter and, as he had done earlier that day, connected. But this time, a screen popped up asking for his log-in and password.
Tips for safer surfing
Do it yourself: Connect and disconnect from the Internet manually by right-clicking on the wireless Internet icon and either enabling or disabling the connection. This prevents your computer from searching out Internet and possibly fake access points automatically without your knowledge.
Be unique: Change default names of your network from "Linksys" to a unique name (not your home address) and change any default passwords as soon as possible.
Don't share: Keeping your network open or allowing others access to shared files leaves a big hole in your system for hackers. Deactivate all sharing. If you must share because you are on a corporate network, make sure you change these settings when you are outside the office.
Be selective: Connect to "infrastructure" points, or official access points, rather than "peer-to-peer" connections or another user's computer. Set your Network Connections to only connect to infrastructure points. The default searches for all open hot spots.
Sensitive material must be secure: Do sensitive computing — banking or anything else you would hate to have a hacker gain access to — on your personal wired (to the wall) home computer.
Stay trendy: This means making sure your browser, all your software, antivirus and firewalls are up to date.
Be wary: If you get an e-mail from your bank, make sure the e-mail is indeed from your bank and that you are being routed to the bank. Put your cursor over the link and look at the address, or right-click on Properties and see where it will lead you. Always go to the bank site via its main site in a new window, not via a link in an e-mail. Also, if your computer pops up with a security certificate warning, do not click away without inspecting the certificate and the signature. Even then, certificates are easily faked. If you must continue using the Internet, do not do anything sensitive.
Go exclusively corporate: If you can, use a Virtual Private Network while surfing wirelessly.
Source: Cisco Systems network engineer Roland Dobbins
Loveless, a 46-year-old security analyst from Texas, immediately disconnected. A former hacker, he knew an attack when he saw one, he said.
Many Internet users do not.
About 14.3 million American households use wireless Internet, and this figure is projected to grow to nearly 49 million households by 2010, according to JupiterResearch, which specializes in business-and-technology market research.
"There's literally probably millions of laptops in the U.S. that are configured to join networks named Linksys or D-Link when they are available," said Corey O'Donnell, vice president of marketing for Authentium, a company that provides security software. "So if I'm a hacker, it's as easy as setting up a network with one of those names and waiting for the fish to come."
Linksys and D-Link are two of the many commercial brands of wireless routers, products that allow a user to connect to the Internet using radio frequency.
As the field of wireless connectivity expands, so too does a hacker's playground. More than 300 municipalities across the United States are planning or already operating Wi-Fi service. Google and EarthLink are working to bring wireless access to all of San Francisco.
In the Puget Sound area, Wi-Fi hot spots provided by businesses or private enterprises are widely available, but in Seattle, the city has chosen not to go the Wi-Fi route, opting instead to look at deploying Internet access through fiber lines.
A survey at Chicago's O'Hare Airport by Authentium revealed 76 peer-to-peer networks, or access points that are connected to via another user's computer, with 27 advertising access to free Wi-Fi. The company also found three networks had fake or misleading addresses, a sign that these hot spots could be the work of hackers.
"At a busy place like O'Hare, in one hour a bad guy could get 20 laptops to connect to his network and steal the users' account information," said Ray Dickenson, vice president of product management at Authentium, who conducted the survey in September.
Most laptops are configured to search for open wireless points and common wireless names, whether or not the user is trying to get online. That leaves people open to hacking.
In two new attacks, called "evil twin" and "man in the middle," hackers create Wi-Fi access points titled whatever they like, such as "Free Airport Wireless" or an established, commercial name.
In the "evil twin" attack, the user turns on a laptop, which might automatically be trying to connect behind the scenes. When it does connect, it is connecting to a fake access point, or "evil twin," and the hacker gets into personal files, steals passwords or plants a virus.
The attacker can become a "man in the middle" when he funnels the user's Internet connection through this false access point to a true wireless connection. The unsuspecting Wi-Fi surfer then might proceed to enter credit-card information, access e-mail or reveal other sensitive data. Meanwhile, the session appears ordinary to the user.
Although the FBI has been aware of this kind of attack for about five years, its use has increased in the past couple of years, Bickers said.
"The actual tools you need, the software, the hardware, etc., to mount this sort of attack has become insanely easy to acquire," Bickers said.
When vice president of Sub Pop Records Megan Jasper isn't running things at the office, she's working in her garden at her West Seattle home where she and her husband Brian spend time relaxing.