Wi-Fi Planet Guide to Hotspot Safety

By Lisa Phifer

January 08, 2008

Five easy ways to protect yourself when using public hotspots.

Many consumers realize that hotspots can be risky, but fail to take even the most basic precautions. Why? Some underestimate the dangers, while others lack the financial and IT support enjoyed by corporate users. Fortunately, anyone can protect himself or herself by taking a few simple, cost-free steps.

Don’t talk to strangers

You rarely know anything about the inherent security of a public hotspot itself or nearby users, so your best bet is to assume that every hotspot harbors threats and to defend yourself accordingly. But just how risky are public hotspots?

During our assessment of three dozen hotel hotspots [Read the full report], just one in four tested networks could both insulate hotspot users and encrypt their traffic. Half filtered some traffic, but failed to reliably block both local and remote access to exposed file shares and ports. The bottom third provided users with no discernable protection whatsoever.

Only a handful of hotspots support WPA encryption. Elsewhere, consumers can use SSL or VPN connections to protect their own data. But, while that’s a good start, it does not stop LAN broadcasts from disclosing juicy tidbits like workgroup/domain and share names. Attackers can use those values to probe your laptop, grabbing files from browse-able folders or using open ports to pass along worms, spyware, trojans, and other malware.

In fact, because many hotspots deliver two-way Internet access to facilitate VPNs, your laptop may be far more exposed than you realize. A growing number of hotspots block wireless inter-client traffic. However, most do not block traffic originating from strangers on local LANs (e.g., hotel rooms, business centers) or out on the Internet. In other words, the protection routinely afforded by Internet firewalls in home and office networks is absent in many hotspots.

Finally, hotspots are perfect man-in-the-middle attack venues. If a nearby attacker can trick you into connecting to a phony AP with the network name (SSID) used by the hotspot, he can insert himself between you and the Internet. He can then easily mimic the hotspot’s login portal or any other Internet server (e.g., eBay, Amazon) to steal your login, password, credit card, or other financial/identity information. By the time you notice, the thief and his loot will be long gone.

Defensives measures  

Many exotic destinations pose health risks, but that doesn’t mean people shouldn’t visit them.fig1a.jpg Instead, smart travelers get vaccinated prior to departure and dine cautiously upon arrival to deter illness. Similarly, public hotspots can be used safely by adopting a few common-sense security measures. Individual users can defend themselves without spending a bundle by following the five steps below.

Step 1: Harden your laptop

Start by treating every hotspot session like a direct connection to the World Wide Web of strangers. To eliminate the most common exposure, disable your Wi-Fi connection’s Client for Microsoft Networks and File and Printer Sharing services (right). Deter unauthorized access to your laptop and any sensitive folders by guarding them with hard-to-guess passwords. Fix exploitable bugs by applying OS and security updates as soon as they become available—preferably automatically.

Step 2: Firewall your connection

It is always a good idea to disable extraneous network services—for example, most laptops should not run the Windows Telnet service (right). fig2a.jpgOther services that most can do without include Universal Plug and Play Device Host, Remote Desktop Sharing, Remote Desktop Help, Remote Registry, Routing & Remote Access, and the SSDP Discovery Service. To learn more about Windows services and what you can safely disable, visit this site.

 

Whether you're comfortable fiddling with services or not, the best way to make your laptop “invisible” on public networks is to firewall the affected connection. If you run Windows XP, enable the Microsoft Firewall with no exceptions (below).

fig2b.jpg

If your OS doesn’t have a built-in firewall, install a third-party firewall as described in this ISP-Planet tutorial. When done, visit an on-line port scanner, such as ShieldsUp or HackerWatch to find any remaining exposures (below).

fig2c.jpg

                                                                                  Scan your own laptop.

Go to steps three, four, and five.

Pages: 1 2
Originally published on .

Comment and Contribute
(Maximum characters: 1200). You have
characters left.