Earthweb.com Practically Networked Home Earthweb developer.com HardwareCentral earthwebdeveloper CrossNodes Datamation
Welcome to PractiallyNetworked
Product Reviews

 • Routers
 • Hubs/Switches
 • Wireless Gateway
 • Wireless AP
 • Wireless NIC
 • Network Storage
 • Print Servers
 • Bluetooth Adapters
Troubleshooting
& Tutorials

 • Networking
 • Internet Sharing
 • Security
 • Backgrounders
 • Troubleshooting
    Guides

 • PracNet How To's
User Opinions
Practicallynetworked Glossary

 Find a Network Term  
 
Forums
About
Jobs
Home

  Most Popular Tutorials

• Microsoft Vista Home Networking Setup and Options
The most daunting part of upgrading to Windows Vista may be trying to figure out where in the layers of menus the networking and file-sharing options are hidden.

• Do It Yourself: Roll Your Own Network Cables
It may not be something you do everyday, but having the supplies and know-how to whip up a network cable on the spot can be very handy.

• Tips for Securing Your Home Router
Seemingly minor and easily overlooked settings can still have profound security implications. Here are some steps you can take to make sure your wired or wireless home router — and by extension, your network — is as secure as possible.

  Most Popular Reviews

• Microsoft Windows Home Server
If you have a home network, you'll welcome the easy file sharing, remote access and the image-based backup features of Windows Home Server.

• Iomega StorCenter Network Hard Drive
Iomega's fourth generation StorCenter Network Hard Drive brings many of the features found in higher-end storage devices down to an attractive price.

• MikroTik's The Dude
This free tool delivers many of the same capabilities that you'd find in pricey network monitoring tools. As long as you don't mind tinkering, The Dude is a decent network utility that should be worth the download.


Five Easy Steps to Hotspot Safety


Most people realize that hotspots can be risky, but they fail to take even the most basic precautions. Here are a handful of ways to protect yourself when using public hotspots.
By Lisa Phifer

Many consumers realize that hotspots can be risky, but fail to take even the most basic precautions. Why? Some underestimate the dangers, while others lack the financial and IT support enjoyed by corporate users. Fortunately, anyone can protect himself or herself by taking a few simple, cost-free steps.

Don’t Talk to Strangers

You rarely know anything about the inherent security of a public hotspot itself or nearby users, so your best bet is to assume that every hotspot harbors threats and to defend yourself accordingly. But just how risky are public hotspots?

During our assessment of three dozen hotel hotspots [Read the full report], just one in four tested networks could both insulate hotspot users and encrypt their traffic. Half filtered some traffic, but failed to reliably block both local and remote access to exposed file shares and ports. The bottom third provided users with no discernable protection whatsoever.

What's That Term?

Not sure what a particular networking term means? Check out our searchable glossary.
 

Only a handful of hotspots support WPA encryption. Elsewhere, consumers can use SSL or VPN connections to protect their own data. But, while that’s a good start, it does not stop LAN broadcasts from disclosing juicy tidbits like workgroup/domain and share names. Attackers can use those values to probe your laptop, grabbing files from browse-able folders or using open ports to pass along worms, spyware, trojans, and other malware.

In fact, because many hotspots deliver two-way Internet access to facilitate VPNs, your laptop may be far more exposed than you realize. A growing number of hotspots block wireless inter-client traffic. However, most do not block traffic originating from strangers on local LANs (e.g., hotel rooms, business centers) or out on the Internet. In other words, the protection routinely afforded by Internet firewalls in home and office networks is absent in many hotspots.

Finally, hotspots are perfect man-in-the-middle attack venues. If a nearby attacker can trick you into connecting to a phony AP with the network name (SSID) used by the hotspot, he can insert himself between you and the Internet. He can then easily mimic the hotspot’s login portal or any other Internet server (e.g., eBay, Amazon) to steal your login, password, credit card, or other financial/identity information. By the time you notice, the thief and his loot will be long gone.

Defensives Measures

  

Many exotic destinations pose health risks, but that doesn’t mean people shouldn’t visit them.fig1a.jpg Instead, smart travelers get vaccinated prior to departure and dine cautiously upon arrival to deter illness. Similarly, public hotspots can be used safely by adopting a few common-sense security measures. Individual users can defend themselves without spending a bundle by following the five steps below.

Step 1: Harden Your Laptop

Start by treating every hotspot session like a direct connection to the World Wide Web of strangers. To eliminate the most common exposure, disable your Wi-Fi connection’s Client for Microsoft Networks and File and Printer Sharing services (right). Deter unauthorized access to your laptop and any sensitive folders by guarding them with hard-to-guess passwords. Fix exploitable bugs by applying OS and security updates as soon as they become available — preferably automatically.

Step 2: Firewall Your Connection

It is always a good idea to disable extraneous network services—for example, most laptops should not run the Windows Telnet service (right). fig2a.jpgOther services that most can do without include Universal Plug and Play Device Host, Remote Desktop Sharing, Remote Desktop Help, Remote Registry, Routing & Remote Access, and the SSDP Discovery Service. To learn more about Windows services and what you can safely disable, visit this site.

 

Whether you're comfortable fiddling with services or not, the best way to make your laptop 'invisible" on public networks is to firewall the affected connection. If you run Windows XP, enable the Microsoft Firewall with no exceptions (below).

fig2b.jpg

If your OS doesn’t have a built-in firewall, install a third-party firewall as described in this ISP-Planet tutorial. When done, visit an on-line port scanner, such as ShieldsUp or HackerWatch to find any remaining exposures (below).

fig2c.jpg

Scan your own laptop.

Go to steps three, four, and five.

Step 3: Secure Your Hotspot Login

 

To avoid accidental associations with strangers, configure your Wi-Fi connection to connect only to Preferred Networks, in manual (not automatic) mode. This ensures that you retain complete control over your wireless connectivity when visiting hotspots (below).

fig3a.jpg

 

The only foolproof way to ensure that you connect to a legitimate hotspot AP is to verify the server’s certificate. In hotspots with WPA-Enterprise (e.g., T-Mobile, iBAHN), configure your laptop to validate the server’s certificate during 802.1x (below).

fig3b.jpg

 

In hotspots where 802.1x is not available, see if you can use a secure roaming client (e.g., iPass, Boingo) that transparently authenticates both you and the hotspot to an off-site roam server (below).

fig3c.jpg

 

Think twice about using unfamiliar paid hotspots that do not support either option. Man-in-the-middle attacks are very difficult to avoid there, since you don’t even know what the server's identity should be. If you decide that the risk is worth it, then avoid entering credit card numbers unless the hotspot login page is SSL-encrypted and the server’s certificate is valid and signed by a trusted root authority. If anything looks suspicious (as below), go somewhere else.

fig3d.jpg

 

Step 4: Encrypt Your Data

In hotspots that offer WPA-Enterprise (below), connect to the encrypted network’s SSID (e.g., tmobile1x, stsn_wpa), being careful to the open network (e.g., tmobile, stsn). With WPA, all packets sent by your laptop will be encrypted—including LAN broadcasts. However, when they reach the hotspot AP, packets will be decrypted and routed onto the Internet.

fig4a.jpg

Encrypt data with WPA.

 

In hotspots without WPA, use higher-layer encryption. If you don’t have your own VPN, you can use a consumer VPN service like JiWire Hotspot Helper, Witopia personalVPN, or HotspotVPN. For example, download and install AnchorFree, an OpenVPN client that tunnels your traffic to a free VPN gateway out on the Internet (below). These services decrypt packets at the provider's VPN gateway before relaying them to the destination in the clear.

fig4b.jpg

Encrypt Data With a VPN.

To protect packets all the way to their destination, without your own VPN, use applications that can encrypt their own messages, like SSL-protected websites and mail clients (below). Doing so hides those messages from third parties, but leaves other applications exposed. For better coverage, protect everything with WPA or VPN, adding SSL for sensitive applications.

fig4c.jpg

Encrypt e-mail with SSL.

  

Step 5: Watch Your Step

Many hotspot connection managers, personal firewalls and Internet security programs can log network activity. Use those logs to confirm or deny your suspicions whenever an incident occurs. If you spend a lot of time at unfamiliar hotspots, consider installing a host Wireless IPS program like Shmoo Group HSDK or AirDefense Personal (below). After all, what you can't see CAN hurt you—especially if you're careless.  fig5a.jpg

Like any traveler in unfamiliar territory, the single most important thing that you can do is to exercise caution and err on the side of safety. If a hotspot feels "phishy" don't stay connected. If your firewall warns you about suspicious activity, don't click "ok" and continue. By combining basic security measures with sound judgment, you can use hotspots safely.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. She has been involved in the design, implementation, assessment, and testing of NetSec products and services for over 25 years.

Article courtesy of Wi-Fi Planet.


For more help, don't forget to try one of our PracticallyNetworked Forums.


Earthwebnews.com Earthweb developer.com HardwareCentral earthwebdeveloper CrossNodes Datamation


Home | Networking | Backgrounders | Internet Sharing | Security | HowTo | Troubleshooting | Reviews | News | About | Jobs | Tools | Forums