115. Safe wi-fi
By Andrew D. Wright
Wireless access points are common these days and so are ways to break into
them.
At this year's Black Hat conference in Las Vegas, a gathering of network
security experts, presenter Robert Graham demonstrated how easy this could
be when he broke into an audience member's internet mail account live
while they were accessing it over hotel wi-fi.
Many people, perhaps even most people, running a wireless access point
rely on the protection of WEP, Wireless Encryption Protocol, but this can
be broken into within minutes by anyone capable of using an internet
search engine to look up how.
If you have control over the wireless access point, use WPA or WPA2, Wi-fi
Protected Access, with a strong passphrase (something more than eight
characters in length that mixes letters, numbers and punctuation marks) to
protect traffic over your network.
If you do not have control over the wireless access point then you must be
careful what you do.
If you use some sort of webmail, make sure your login is sent over an
encrypted connection, one with an https:// web address rather than the
usual http:// web address. If your webmail supports it, all traffic sent
between the webmail service and you should also be encrypted the same way.
This may be an option you need to set in your webmail service's options.
Without all mail traffic being secure, someone can intercept the webmail
session cookies, text files storing the session information, and have the
same access to your mail as you do. They can even send out mail as you.
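To check whether a webmail service leaves its session cookies open to this kind of interception, look at the Set-Cookie headers it sends. The following is an added example, not part of the original column; the host name, cookie names and sample responses are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data: (URL that answered, its Set-Cookie header value).
# Host and cookie names are made up for illustration.
SAMPLE_RESPONSES = [
    ("https://webmail.example/login", "SID=f3a9c1; Path=/; Secure; HttpOnly"),
    ("https://webmail.example/login", "prefs=lang-en; Path=/"),
    ("http://webmail.example/inbox", "MAILSESS=77be02; Path=/; HttpOnly"),
]


def exposed_cookies(responses):
    """Return (cookie_name, reason) for every cookie that can cross the
    network unencrypted, where anyone on the same open wi-fi can read it."""
    findings = []
    for url, header in responses:
        scheme = urlsplit(url).scheme.lower()
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if scheme != "https":
                # The cookie was already sent in clear text when it was set.
                findings.append((name, "set over unencrypted " + scheme))
            elif not morsel["secure"]:
                # Without Secure the browser also attaches the cookie to any
                # later http:// request to the same host.
                findings.append((name, "missing Secure attribute"))
    return findings


if __name__ == "__main__":
    for name, reason in exposed_cookies(SAMPLE_RESPONSES):
        print(f"{name}: {reason}")
```

A cookie marked Secure and set over https:// is only ever sent over an encrypted connection, so it is the only one of the three samples that is not reported.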
If you use a POP3 or IMAP mail program then make sure it is using either
SSL or TLS encryption to securely access your mail, assuming your provider
supports encryption. Without the protection of encryption, using POP3 or
IMAP over an open connection is not safe.
You will have less choice with SMTP, the send mail server, which needs to
be the send mail server of the wireless access point's internet service
provider. Since you cannot necessarily trust what an unknown access point
is telling you, best not to use SMTP at all to send mail over an open
wireless link.
Older protocols like FTP and telnet are also to be avoided over open
connections as passwords and usernames are sent in clear text.
One of the best ways to secure access over wireless is to use a Virtual
Private Network or VPN, which encrypts all traffic. There are a number of
different kinds of VPN, some requiring software to be run. Most Windows,
Macintosh and Linux computers can use IPsec, which works on the network
layer of the network protocol, beneath the transport layers used by TCP or
the application layers used by name servers or web servers.
As a result, a VPN can be used to securely link up to a trusted computer
over an insecure connection and safely route all network traffic through
to it.
The new Chebucto Wireless service run by Chebucto Community Net uses this
method to secure the wi-fi access for its members.
Chebucto Wireless project page:
http://wifi.chebucto.net/
The Mousepad runs every two weeks. It's a service of Chebucto Community
Net, a community-owned Internet provider. If you have a question about
computing, email mousepad@chebucto.ns.ca. If we use your question
in a column, we'll send you a free mousepad.
Originally published 26 August 2007