As laptops become more portable and handheld
devices more powerful, it's easier than ever
to
take your computing environment to go. Fast
Internet connections are also easier to find
when you
have wireless connectivity. But with this
enhanced mobility comes additional
information security risks.
By understanding these risks and
implementing tools to help minimize them,
you can keep your mobile
computing safe and convenient.
The Pitfalls of Wireless Networks
For road warriors, wireless network
technology, often referred to as WiFi,
offers a readily accessible
and speedy on-ramp to the Internet. WiFi
hotspots are becoming increasingly common in
the U.S.,
found everywhere from coffee shops to
hotels, even baseball stadiums like SBC Park
in San Francisco.
Community-based upstarts such as SF Wireless
and NYCWireless together are building
publicly-accessible WiFi networks in their
hometowns. Gartner market research estimates
30 million
people will connect to the Internet via public WiFi hot spots in 2004.
However, this proliferation of public
wireless networks has evolved with ease of
use in mind -- data
security has been a secondary concern.
Standard WiFi security mechanisms such as
Wired Equivalent Privacy (WEP) and the
newer
WiFi Protected Access (WPA) -- can be
cumbersome
to configure.
As a result (with a few exceptions) Wireless
Internet Service Providers (WISPs) such as
T-Mobile HotSpot and
Wayport have chosen not to implement the
kind of security that protects
data transmission on their networks. Simply
put, they would rather make their networks
easy to use
than complicate them with security
configurations, which could be a potential
turn-off for their customers.
Similarly, in a frenetic rush to lure
customers, mobile technology manufacturers
have rapidly put
products on retail shelves that lack proper
safety measures. Laptop computers, personal
digital
assistants (such as Palm devices), Pocket
PCs, and powerful mobile phones with
wireless
networking capabilities usually don't
require security to operate and most come
with these
features turned off by default. Again,
securing devices and explaining how to
implement security
requires an investment in time, and often it's just easier to forget about
security -- that is, until
something disastrous happens as a result.
Eight Hotspot Dangers and Ways to
Protect Yourself
Because of this emphasis on ease of
use, wireless networking has a number of
vulnerabilities.
People connected to an unsecured WiFi
network could eavesdrop on your data
transmissions
(the practice is commonly known as
sniffing), and hackers could launch viruses
and other attacks.
When you connect to a hotspot, you should
assume that it is a network environment that
you
can't trust and that there are pitfalls that
could make your wireless experience painful.
A good defense involves layers of security,
each designed to thwart certain threats.
Anticipate
the following hazards and apply some
safeguards against them.
-
Viruses and worms: Keep the nasties out
with anti-virus software. It's not
enough to be
cautious just with e-mail anymore,
either. Two recently unleashed worms,
Sasser and Korgo,
infect one computer and then start
looking for other networked computers
close by to attack.
This is especially dangerous when you're
connected to a hotspot. If one hotspot
user catches
this kind of bug, it may try to get you
next. So keep your anti-virus software
up-to-date with
the latest definitions. Better yet,
configure your software to check
automatically for updates
on a regular basis.
-
Another closely related and increasingly
common threat is spyware and malware.
The steps
outlined here will protect you from most
of this harmful software, but you can
also install
utilities like the freeware title
Spybot Search & Destroy and
Lavasoft's Adaware.
-
Flaws in software: Be diligent about
updating key pieces of software --
particularly
Microsoft Windows, Outlook, and Internet
Explorer -- to close vulnerabilities in
them.
Take advantage of
Microsoft's Windows Update service
and Apple's Software Update
utility to patch newly found security
vulnerabilities. Like virus protection,
you can set
your computer to automatically check for
and download updates. You may have to
take further action to install them
after they have downloaded.
-
Intrusions: A personal firewall will
help prevent active attacks, such as
attempts to search
through your computer for interesting
information or deliver a damaging piece
of software
to your system. Windows XP and Macintosh
OS X have basic firewall capabilities
built-in.
Read about other personal firewalls and
their more advanced features in "Firewalls
and You ."
Like anti-virus protection, a firewall
also needs to stay up-to-date and be
configured correctly
in order to be effective against the
latest attacks.
Software publishers like
Symantec and
McAfee now bundle their personal
firewalls with their
anti-virus offering. This is often
cheaper than buying the two pieces
separately, and there is
more integration between them, which
offers the ability to update both parts
with a single click.
-
Snoops: Secure the transmission of your
data over the wireless network by
encrypting it. In
basic terms, encryption makes the data
you transmit incomprehensible and
therefore useless
to snoops. If your organization has a
VPN, use it to make it virtually
impossible to decipher the
data you transmit in case someone is
listening in. You can also purchase VPN
service from a
provider. Some WISPs, such as
Boingo, offer VPN to Windows
customers (for an additional
charge), while VPN service providers
such as AT&T (see
AT&T:
Enterprise Business: Products & Services)
and MCI (see
MCI: Enterprise: VPNs )
have partnerships with WISPs to provide
wireless VPN access. You might also want
to
check out
hotspotvpn.com , which offers a
low-cost subscription.
If VPN is too expensive, at least don't
send sensitive information such as
passwords,
credit card details, or other personal
information without securing it first.
All widely-used
Web browsers support
Secure Sockets Layer (SSL)
connections, which is the standard way
of temporarily establishing a secure
connection with online retailers and
other Web sites with
whom you might exchange sensitive data.
Also, e-mail is particularly vulnerable
to snooping if you are not using
encryption. In most cases,
e-mail is sent "in the clear" -- there's
nothing to scramble the messages or even
your usernames
and passwords. When you log on to Yahoo!
Mail for example, unless you specify an
SSL
connection before sending your password,
there is no security applied to obscure
the e-mails
you send and receive. Popular e-mail
applications such as Microsoft Outlook,
Outlook Express,
and
Eudora offer ways to establish a
secure communications link with e-mail
service
providers that support secure
connections.
Finally, don't discount the
old-fashioned, over-the-shoulder snoop.
In a bustling
publicly-accessible space, it's not hard
for someone to spy on your keystrokes
while you
enter the username and password to your
online banking account, for example. The
same
precautions apply to kiosk computers,
ATMs, and other machines on which you
might enter
sensitive information.
-
Strong passwords: Of course, it makes it
much harder to steal passwords if they
are complex.
A password such as "R#atg09\f" is hard
to remember and crack because it has all
the elements
of a good password -- a mixture of
capital and lowercase letters, numbers,
and special
characters. But, how do you remember a
password that is by design difficult to
recall? Check
out
An Introduction to Internet Security in
the Workplace for a more detailed
look at strong
passwords.
-
Unrestricted wireless networking
configurations: The wireless adapter on
your laptop or
handheld is capable of operating in two
modes, infrastructure and ad-hoc (also
called
peer-to-peer). At a hotspot, you should
disable the ad-hoc mode, which could
allow another
user to piggyback onto your connection.
In Windows XP, depending on which
service packs
and updates you've applied, these
options reside within the advanced
properties of the
wireless network connection
configuration, If you are using OS X,
deselect "Allow this
computer to create networks" in your
Network System Preferences, or don't
choose
"Create Network" from your AirPort
drop-down menu.
Also, if your device is powered on and
you have your networking set to
automatically
connect to available wireless networks,
you could be associating with wireless
access
points without even knowing it. To
prevent this, turn off any features that
automatically
connect you to available wireless
networks.
-
Ignorance of risks: Give yourself the
advantage by knowing what to watch out
for. By
reading this article and other
information about security, you're
already taking an important
step towards protecting your computer.
Be familiar with the latest news about
security threats.
If, for example, you hear on the morning
news that there is a virus rapidly
making the rounds,
update your anti-virus program and have
a basic understanding of the mechanism
the virus
uses to propagate (for example, by
e-mail attachments, file sharing, etc.).
A bit of knowledge
about computer security will help you
take the appropriate steps to protect
yourself.
Security at Home
Most likely, you'll want to put
your mobile technology to work at home too.
If you happen to share a
wireless connection to the Internet with
others in your household or apartment
building, the security
precautions outlined above will go a long
way to protect you. As well, if you set up
your own wireless
network at home, it's a good idea to
implement the security features on your
wireless access point.
Enabling WEP or WPA, disabling service set
identifier (SSID) broadcast and turning on
Media
Access Control (MAC) filtering will make it
harder for malicious users to connect.
In an organizational setting, the same rules
apply, but it may become harder to implement
some of
these security measures -- the more users
you accommodate on a network, the more
difficult it is
to administer some of these steps. But with
more users come more vulnerable entry points
for bad
things to happen, so it becomes increasingly
important to secure the network.
Loss and Theft
Of course, no firewall or software
update is going to protect you from the loss
or theft of your
equipment. Your information is valuable, but
so is the hardware itself. Use cable locks
and other
devices to secure your equipment where
appropriate.
Also, in the event that you do lose your
device, password protection will at least
slow down a thief
or other prying eyes from pilfering
information such as credit card numbers and
other important data
that you may have stored on your machines.
It may just buy you the needed time to
cancel your
accounts or make other arrangements.
Time to Get to Work
Now it's time to implement these
precautions. There are handy guides on
TechSoup (linked
throughout this article) to help you with
the hands-on work, as well as links to other
resources
below. Also, go to
TechSoup Stock to see the anti-virus and
other security software on offer.
Keep in mind that there is an element of
cooperative effort when it comes to
security. For instance,
if more computer users installed anti-virus
protection and kept it up-to-date, it would
make it much
harder for viruses and worms to propagate. A
firewall on every computer would slow the
spread
of spyware. Increasing security on your
mobile technology ultimately helps everyone,
especially
those who may not know how to apply the same
security.
At the same time, all this talk about
security may seem a bit seem daunting and
cryptic.
Implementing good security requires
diligence. When you consider the other work
you could be
doing for your organization, the benefits of
mitigating security risks may seem small. In
reality,
only a small portion of the population has
the ability, the will, and the time to
concoct a virulent
virus or hack into a laptop you're using in
a café.
Also, no matter which security measures you
incorporate, nothing is perfect, and there
is no
way to protect against every conceivable
threat.
But understanding the risks and having an
informed sense of which ones may be the most
threatening to you will allow you to take
the appropriate steps now and in the future
as new
threats emerge.
Last modified: Mar 16, 2006
Original article located on TechSoup at
(http://www.techsoup.org/howto/articles/connections/page1309.cfm)
