What do TAISMUSEN (both mac addresses), Free Public Wifi, NCR-GCC-G9, INFOR2007, LA5757, and linksys all have in common?
They are all computer-to-computer network SSID’s broadcasting at the Marriott O’Hare in Chicago. The Marriott itself provides internet access via its local ethernet at $12.95 / day, but helpful individuals are apparently all to willing to share their connecting for free. Or are they?
I recently told my mom, basically, that she was being riduculous in spreading hype and hysteria about man in the middle attacks at coffee shops and other public places people like to whip out their laptops and other wifi devices. In these scenarios, they may pay for their access to a legitimate service, but they also open their computer up to provide that service to others. So far, seems like at best a nice thing to do, and at worst probable violation of the terms of service of their ISP. What they do though is log every communication you send through their computer.
So yeah, most of your banks use SSL… when you’re logging in. I’ve seen a couple that forget that I also want to protect my account information, not just my password. What about your YaHoo, gMail, and POP3 email accounts. do you always enable SSL? no? they just got your password. Now they can, at leisure, go through your 1.4 GB of emails that you never delete because you have all the room in the world. How much of the information in your gmail account could be used by someone. Think about it, come up with a number, multiply by two and you’re probably only scratching the surface.
In fact, just logging in to you legit T-Mobile hotspot can open you up to these attacks. Using a network packet analyser such as ethereal, a person can connect to a T-Mobile hotspot, and without even logging on, record every piece of information going to and from that access point. Again, whatever doesn’t have that magic lock in the bottom right hand corner or on the address bar (depending on your prefered flavor of browser tech) is easily readible. I did this once as an excercise at a local caffe. Started up my laptop and did some file management for about an hour while I drank a coffee. Then I went home and examined the log.
First thing I noticed is that the log didn’t last for the full hour. I had extended the logs max size from the default of 1 meg to 100 meg and it still only lasted a bit over half an hour. I was able to find several password for online social networking sites and email names, addresses, and passwords for people using outlook. Now me? I deleted the damned log. I don’t want those peoples identity. I just wanted to see if it really was that easy. Go online, download some software, buy a cup of coffee and a danish and boom. you’ve got (someone else’s) mail!
How to protect yourself? simple. Get a VPN.
A Virtual Private Network encrypts ALL communications between you and a trusted server that resides…. somewhere. The point is, the communications over an untrusted network (like a public hotspot) are all encrypted. You are still sending unencrypted information to Google and your search results are still unencrypted. But instead of sending your search results directly to you over the internet, to your cafe, over the public hotspot, and then to your computer, Google will now send your search results to your VPN server who will encrypt them and finish the journey. Now, no one knows that you are secretly researching alternative eggplant recipes.
I use Relakks. its a swedish VPN for about $8/mo. whenever I’m out and about, I log onto my VPN (this itself is an encrypted communication) and then surf freely knowing that unless someone is staring at my fingers and can read keystrokes at 65wpm, they aren’t getting my password. Others VPN services are available, and if you have a home computer that is permanently connected to the internet, you can even run your own and save yourself the money of using a service. Either way, secure your information. It is yours. It does not belong to the world. and despite what the government says, encryption is good.