Wireless hotspots often offer no security on their own, but you can make your Wi-Fi experience safe without much trouble. Columnist Wayne Rash tells you how.
The original plan for this column was to write it at my neighborhood Starbucks while sipping down some good old French Roast and getting my blood caffeine level into the quadruple digits. Alas, it was not to be. My T-Mobile account seems to have expired; the Washington, DC, area was clobbered by a massive 3-inch snowfall, making travel impossible; and worst of all, Starbucks has all those high-carb goodies there at the coffee counter. I couldn't take the risk.
But one thing that wouldn't have been risky is using the T-Mobile hotspot at my local Starbucks. I could have settled in next to the fireplace (we have a nice Starbucks) and written my column, knowing that prying eyes would never see it before it reached my editor. The reason? I know that my ISP uses a secure connection to its Web mail site, so that anything I do there is encrypted using SSL.
But before you just assume that everything you do at a convenient hotspot is safe, there are some things you should know.
First, unless you absolutely know otherwise, assume that every hotspot you're likely to encounter is totally open and unsecured. This means that anything you send between your laptop and the access point is in the clear, and anyone sniffing the signals will be able to read everything that goes to or from your computer. This is definitely the case with public access wireless, if only because anything else would likely be unmanageable for the provider. So when you're sitting at scenic San Francisco Airport using those Centrino stations, whatever you do can be seen by anyone in the terminal.
However, you can still use your wireless connection in public, if you're careful, and if you take some precautions before you connect.
Most important is to find out whether your e-mail provider can handle a secure connection. Some POP and IMAP servers at ISPs will support SSL or other types of secure connections, but you'll need to call your ISP or check the Web site to find out, and then you'll probably need help implementing the connection.
If your ISP's POP or IMAP connecton isn't secure, your ISP's Web mail server might well support an encrypted link. You can find out by looking for the lock symbol at the bottom of your browser window when you're using your ISP Web mail. You'll probably also see messages from your browser asking if it's OK to display non-secure items.
Once you're satisfied you have a secure connection, you're safe using e-mail from an open Wi-Fi access point.
If you're connecting to your company's e-mail, regardless of whether it's through a Web mail connection or an e-mail server, the chances are very good that you'll be safe, because you'll be using a VPN. If you are, you'll probably know about it, because your IT department will have installed the VPN client on your laptop for you to use when you're outside the office. Most public hotspots will work fine with most VPN software, but there are times when they won't work.
If the VPN doesn't work, check your company's Web mail to see if it's encrypted in the same manner as you'd check your ISP's Web mail.
If you can't use your company VPN and there's no encrypted Web mail, don't give in to the temptation to risk your e-mail in the clear. You can't afford to take that chance with company information. In addition, it's unlikely you'll be allowed to connect to anything important on your company network without some kind of security that encrypts the data stream.
On the other hand, there are things you probably don't have to worry about, even when working in the clear. For example, if you do your on-line banking in an open hotspot, you should be fine. Every financial services site I've ever seen uses an encrypted link. The same is true about many (but not all) e-commerce sites. But it's critical that you check your browser windows to make sure. Some sites have non-secure access, and you don't want to use one of those by mistake.
While it's true that there's never been a case in which someone has stolen a credit card number over the open Internet, remember that the hotspot you're using isn't the same thing. It is possible to sniff a credit card number, or a user name or password, over the air if the site at the other end isn't encrypted.
Likewise, if you're using a site that requires a log-in, be careful. If the site isn't protected, and you use the same user name and password on that site that you use elsewhere, it could be picked up fairly easily. And if the bad guys have your log-in information for one site, they'll try it for everything that you've attempted to access, just in case you got lazy and used that same information for your bank, or your office. Don't go to these insecure sites unless you're satisfied that your log-in information is not the same as it is for other sites.
It's also important that you have a personal firewall up and running and that you have file sharing turned off on your laptop. Even if someone isn't able to sniff your information over the air, they might be able to get into your computer remotely through your wireless connection.
And finally, be aware of what's going on around you. Most private information isn't stolen over the ether, but rather from over the shoulder. If you're reading your e-mail or doing your banking in a public place, remember that the person seated behind you or next to you may be able to see everything you're doing. That also means that they can read that Post-it Note with your log-in or account information. It may be low tech, but it works.
You have a lot more exposure from people physically looking at your laptop screen than you do from a wireless sniffer, simply because the wireless sniffer requires more skill to run.
Using public Wi-Fi is perfectly safe, as long as you're careful what you do, pay attention to making your computer secure from wireless sniffing and over-the-shoulder peepers, and be careful where you browse. In fact, it's probably a lot safer than using an ATM at night, and chances are you already do that every week.
Wayne Rash is a writer based near Washington, DC. He was one of the first to create secure networks for the military and for other government organizations, and he has written about security for over twenty years. You can reach him at firstname.lastname@example.org. Contact the editor of Security Pipeline at email@example.com.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.