Wireless Threats

[jcanavera]

Many of you are using wireless laptops and sometimes use free wireless services found at many public locations. Well here is an interview that gives me the shivers. Sort of changes how you may want to use that PC when connected to a free service.

I picked this up from a service that I subscribe to called Spam Busters.
__________________________________________________ __________
Today our guest is Anne P. Mitchell, Esq. Anne is a Professor of Internet Law at Lincoln Law School of San Jose, and the President and CEO of the Institute for Spam and Internet Public Policy. You can find her sharing her wisdom and wit (and she's very funny) at the immensely popular Aunty Spam

site:

==} http://www.isipp.com

==} http://www.aunty-spam.com

Audri: Welcome, Anne! I really appreciate your taking the time to talk with me today -- this is a really great topic that I think will benefit ScamBusters subscribers a lot.

Anne: Thank you, Audri! It's absolutely my pleasure!

Audri: Let me begin by asking: what do you believe is the newest, most dangerous thing people often do on the Internet that doesn't seem dangerous at all?

Anne: Believe it or not, Audri, it's using public wifi hotspots. Well, not so much the hotspots themselves, Audri, but the inadvertent use of evil twin hotspots.

Audri: A lot of our readers don't know what evil twins are.

Can you explain?

Anne: Sure. Simply put, an "evil twin hotspot" is a hotspot that mimics a legitimate public wifi hotspot, such as those to which you may have access at your local Starbucks or bookstore.

However, it is really an Internet gateway which has been set up by a hacker hoping to trick you into connecting to the Internet through them.

When you access the Internet through this "hotspot," the hacker is logging everything you do and type, including your passwords and other sensitive information.

Audri: What exactly are the dangers of evil twins?

Anne: Once having trapped your sensitive information, such as account numbers, user names, and passwords, and knowing at which websites you entered that information, the person behind the evil twin hotspot can gain full access to bank accounts, credit card accounts, email -- anywhere that you went on the Internet while connected through their evil twin.

Audri: I think our subscribers can definitely see the dangers here! Can you give us an example?

Anne: Yes. Just last week I was sitting in my local Starbucks, where they offer wifi hotspots from T-Mobile. In order to log into a T-Mobile hotspot, you must have an account with T-Mobile, for which you must pay.

Even though I don't use the T-Mobile hotspots, I always check (with my laptop) to see what wifi hotspots are available at any given location because, well, that's part of my beat.

Sure enough, users at that Starbucks who opened their laptops and searched for a local wifi Internet connection were presented with the option of "T-Mobile Hotspot," as they should be, but were also presented with a second option, called "Free Wifi from Team WiFi," which I am 99% certain was an evil twin (and indeed Starbucks confirmed that there was no special offer going on which would have otherwise explained that second hotspot).

Now, notice a few things about this second, uninvited hotspot.

First, it uses the term "free wifi." Who wouldn't want to use that, especially compared to the T-Mobile hotspot, where you have to pay?

Second, though, note the friendly and familiar sounding "Team WiFi." By using familiar terms for their evil twin, along with telling people it is free, they are making it very easy for an unsuspecting user to go ahead and click and connect to that evil twin. In fact, users may just think that it's a special offer from the T-Mobile Hotspot people.

Sure enough, Audri, this evil twin caught some people. As the gentleman who was sitting next to me got up to leave, after being on his computer for quite some time, I asked him whether he had logged in to the Internet while he was there.

When he said that he had, I asked him whether he was a T-Mobile user. "Oh no," he replied, "they have a free wifi hotspot set up here."

I advised him that it was almost certainly an evil twin, and that if he had done anything online while logged in through that "free" hotspot which might have compromised any sensitive information, he should take immediate measures to remedy the situation, such as changing any passwords he had sent while logged in.

At this point your readers may be wondering why I didn't alert the authorities. And this is why user education is so very important.

There really was nobody for me to effectively alert. I could have called the police, but they would not have had the resources to even figure out where this evil twin was located, let alone to figure out who and how it was being done. The best thing I could do at that point was to let people know not to use that hotspot.

Audri: That's a really important point, and in fact, one of the reasons we started ScamBusters. Often, understanding the principles behind scams is about the only real protection you have.

For example, it's not enough to know that Team WiFi

(specifically) may be an evil twin. This name probably already has changed by the time you read this. But by understanding this evil twin scam, subscribers can be careful and make sure they don't compromise their personal information.

Moving on: can you explain in a non-technical way how evil twins work?

Anne: Basically someone sits nearby with either a laptop hidden in a backpack or under a coat -- or they may even be sitting there with the laptop in front of them, pretending to work.

But that laptop is really set up as an Internet server which has been programmed to announce itself as a public Internet access point.

This is essentially how legitimate wifi hotspots are set up as well. The difference is that the evil twin has additional software on it that is designed to capture all of the data from the Internet traffic that goes through it.

If you send unencrypted text, the hacker will be able to simply read it.

But even if you send something that is encrypted, such as a password, it isn't very hard for the hacker to figure that password out.

Audri: How?

Anne: First of all, some hacking software can install a virus that actually records keystrokes. Second, there is plenty of software out there designed to crack many types of passwords.

In fact, Aunty Spam wrote just last month about a website where you can plug in an encrypted password, and it will decrypt it for you.

That sort of encrypted password is exactly what the evil twin will capture.

Audri: So what that means is that you're not completely safe if you use encrypted passwords.

How widespread is this problem?

Anne: Nobody really knows for sure, but I can tell you that I hear about instances every week. In one recent infamous case, someone walked into an IT conference in England and walked around with a live evil twin in their backpack, and caught several people. At a conference full of Internet security experts!

Audri: Wow!

Here's a related question we got this week: can you tell us what is "email sniffing"?

Anne: Email sniffing also involves interception of data, but it is typically a situation where one person is sending and receiving email on a network, and another person on that same network is intercepting the email data.

Audri: How can our subscribers keep their email safe from sniffing?

Anne: For the average user, the safest thing to do is to use a secure webmail service. For example, both Hotmail and Gmail services use a secure protocol.

For users who must access their work email while on the road, and because there are so many different enterprise email systems, the user should work with their IT department to ensure the most secure access.

Audri: How can you know if you're connected to an evil twin?

Anne: Well, of course, that's the lion's share of the problem.

You can't, really.

The best defense is a good offense, meaning take precautions to ensure that you don't connect to an evil twin in the first place.

Audri: "The best defense is a good offense" is one of my favorite sayings.

Is this a serious enough problem that some people should simply not use wifi? If so, who?

Anne: People who don't feel competent to identify the wifi spots they know and trust, or to distinguish other hotspots from those trusted few, should probably think twice before connecting.

If it's so important that you can't wait until you get home or back to the office to check from your regular connection, then it's probably too important to risk sending across an un-secure and potentially malicious wifi connection.

Audri: Let me ask you two questions on related topics: Is there anything you can do to protect yourself when you're not at home or are traveling? What about people who live in large cities -- how big an issue is this for them? What should they do?

Anne: By definition, this is an issue which is most likely to arise when you are not at your home or office (unless your workplace offers free public wifi!).

It's extremely unlikely that someone is going to create an evil twin of your home wifi.

People in big cities may be more likely to encounter evil twins than, say, people out in rural areas, but only because of numbers, not because rural hackers are any less sophisticated!

Audri: Are there any rules of thumb that could help our subscribers protect themselves?

Anne: As to how best to protect yourself, first and foremost, check your wifi settings on your laptop!

Is your computer set to search and automatically log on to the nearest wifi hotspot? If so, that's a recipe for disaster.

Change that setting!

Audri: I bet most people didn't know that, Anne.

Anne: Second, whenever possible avoid sending sensitive information from public wifi locations. The more important the information is, the less chance you should take with it.

If you really must conduct financial business from public wifi spots, such as if you are on the road a lot, either use a credit card with a special limited line of credit, or use a debit card in which you keep only as much money as you are willing to lose if someone compromises your data.

Finally, really scrutinize the sites through and to which you connect. If something doesn't look or "feel" right, it probably isn't.

And make sure that any page to which you connect and through which you have to transmit any sensitive data really is a secure page (look for the little key at the bottom of your browser or whatever your browser uses to indicate "secure").

Audri: This is great advice. Is that what you do every time you connect to a public hotspot?

Anne: <laugh>...no, I actually avoid all of these problems by connecting my laptop to the Internet through my cell phone.

Many cell providers now have unlimited Internet access rate plans, and with the higher speed cell data networks, while it's not as fast as a wifi hotspot, it's plenty fast, and they haven't been cracked yet.

Audri: Can you summarize what action steps should our subscribers take so they don't become vulnerable (or become less vulnerable)?

Anne: Yes. Be careful. Be cautious. Be wary. And be aware.

Audri: Thanks so much, Anne! I think we'll stop here and finish this interview in next week's issue. I really appreciate you sharing your advice on evil twins with our subscribers. Stay tuned...

[Stefrobrts]

As I understand, people can also 'eavesdrop' on your wi-fi transmissions while using a public hotspot. I would avoid doing anything that requires passwords or using VISA cards while on a public line. Save secure stuff for a landline.

[ALANSD]

good info. On a similiar note, I alsways check the locations of the phisihing web sites that come thru my email. Most are overseas, and so i ignore them, but on occasion I have caught one or two that were in the US. I notify their ISP that fraudulent activity is taking pace throught their service, forwarding them the email and ip address.
Recently I received over 5000 very nasty emails from one of the phishers who had been shut down by his ISP. He used an untraceable email address this time, and must have been mighty mad, as over two days the total to my email account was 9000 plus.
Actually made me feel good, like I had shaken him up some.
The web is such a great tool, but loaded with schemes to rip us all off...I would suggest everyone be on their guard, and use a good spyware program to clean out the crap on a regular basis.

[74Argosy24MH]

Quote:

Originally Posted by ALANSD

Recently I received over 5000 very nasty emails from one of the phishers who had been shut down by his ISP. He used an untraceable email address this time, and must have been mighty mad, as over two days the total to my email account was 9000 plus.
Actually made me feel good, like I had shaken him up some.

Kind of make you wonder about an ISP that would forward your email address to the pinhead they were shutting down. Seems like they would just go in and shut off the account, no real explanation necessary.

John

[Silvertwinkie]

Better standards for security are sorely needed for wireless Ethernet. Wired has had it for years, but wireless I think is sort of just now starting to tackle some of these issues.

One shameless plug is that you wouldn't have to worry about keystroke software being installed if you had a Mac...even less so if you had your firewall configured correctly.

But as the interview suggests, you go on someone else's network, anything is theirs for the taking if you transmitt through their equipment. Someone, somewhere can get it.

I agree and disagree with the idea that these can't be found. The police might not have the equipment, but there are tools that can narrow down the area the device is located. More over, if credit cards are being stolen, that starts to fall under a federal crime.... the FBI has a special group of folks that can get even more precise and make an arrest closing these evil twins down one at a time....but they are right, it's a fools paradise out there. You have to be careful.....

[somefun]

Like my grandma used to say, "Never write down anything that you don't want anyone else to see." Even though this was in the pre-PC days, the same principle applies. I only feel semi safe on my encryped, firewalled home network. Even on employers' networks, all internet traffic goes through a proxy server, which can log all of your travels! As far as bank card numbers, etc., there's way more of a chance for that info to be stolen via dishonest merchants (or their employees) that you deal with face to face in everyday life, than online. (But you still need to be aware of such things as mentioned above!!)

Good info!

[Silvertwinkie]

There will be a special report on ABC news tomorrow night at 10pm (channel 7 local news here). Loved all the drama music in the background and scare methods they use to draw you into the story.

[Rhodie]

Quote:

Originally Posted by Silvertwinkie

One shameless plug is that you wouldn't have to worry about keystroke software being installed if you had a Mac...even less so if you had your firewall configured correctly.

Does this mean a macs info can't be intercepted....I can breathe easier if the answer to this is "yes"!

We're going on our big trip soon and I pay my bills online so was going to use these "hotspots" along the way...maybe I'll rethink this and look into a more up to date cell phone?

Thanks for this post BTW, will pass this info on.

Barb

[85MH325]

Jack, thanks for posting this. I hope you don't mind, but I copied your post in its entirety and reposted it on Fiberglassrv.com (properly crediting you, and AirstreamForums, of course) for the benefit of the members there. Great information.

Roger

[Silvertwinkie]

Quote:

Originally Posted by CaliforniaStreamin

Does this mean a macs info can't be intercepted....I can breathe easier if the answer to this is "yes"!

We're going on our big trip soon and I pay my bills online so was going to use these "hotspots" along the way...maybe I'll rethink this and look into a more up to date cell phone?

Thanks for this post BTW, will pass this info on.

Barb

I don't believe the Mac is exempt from someone doing packet sniffs, but they are exempt from 99% of the viruses, spyware and keystroke monitoring software thats our there. So the Reader's Digest version of all this is that you still should be extremely careful who's network you're using because no matter what platform you use on the Internet, we all talk on it using the same IEEE protocol.

[overlander63]

Quote:

Originally Posted by Silvertwinkie

I don't believe the Mac is exempt from someone doing packet sniffs, but they are exempt from 99% of the viruses, spyware and keystroke monitoring software thats our there. So the Reader's Digest version of all this is that you still should be extremely careful who's network you're using because no matter what platform you use on the Internet, we all talk on it using the same IEEE protocol.

Hackers usually go for the biggest impact, most people use PC's, not MAC's. Sometimes, like this one, it is a good thing to be unpopular.