Feature: Boosting Wi-Fi Security
That soap opera clich
In the past few months, reports have emerged of Evil Twin attacks (also called "wi-phishing") targeting wireless network users at public hotspots. This week, I'll explain how Evil Twin attacks work and how you can defend yourself against these--and other--Wi-Fi security threats.
The Creep at the Coffee Shop
Unlike wired networks, wireless networks broadcast data over radio waves, which can be easily intercepted. By its very nature, then, a wireless Internet connection is less secure than a wired one. Along with the usual concerns of any computer user--spyware, viruses, and other malware--wireless network junkies must also be particularly careful of hackers.
An Evil Twin attack is a good example of how vulnerable wireless networks can be to clever hackers. Imagine you're at a public hotspot, such as a coffee shop. To initiate a wireless connection, you open your browser to sign on to the network. At the sign-on page, you enter your password, credit-card number, or whatever else is required. Nothing seems amiss.
But in reality, the Web page is actually an Evil Twin--a forgery--of the legitimate sign-on page. The look-alike was created by one or more hackers for criminal or malicious purposes. They want to steal your personal data, such as credit-card numbers, or infect your notebook with viruses.
How is this possible? In essence, the hacker has turned their notebook into a wireless access point. (An access point acts as a hub, connecting notebooks and other wireless-equipped devices to the same network.) While you think you're connected to a Wi-Fi network, in fact you're connected to the hacker's notebook. Everything you type, the hacker can see. Each e-mail you read, the hacker can read. When you try to visit legitimate sites, the hacker redirects your browser to illegitimate ones.
And this is perhaps the creepiest part: Because wireless access points don't have an extensive signal range, the hacker must be physically nearby to pull this off.
For more on Evil Twin attacks, read "Does Your Wi-Fi Hotspot Have an Evil Twin?"
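One way to spot the look-alike access point described above is to compare what a wireless scan reports for each network name. This is an added example, not part of the original article; the scan results, the baseline of known access points, and the function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed scan results: (network name/SSID, access point MAC/BSSID, security mode).
SCAN = [
    ("CoffeeShop-WiFi", "00:11:22:33:44:55", "WPA2"),
    ("CoffeeShop-WiFi", "02:AA:BB:CC:DD:EE", "open"),
    ("Library-Guest",   "00:11:22:33:44:66", "open"),
    ("HomeNet",         "00:11:22:33:44:77", "WPA2"),
]

# Hypothetical baseline: access points recorded on an earlier, trusted visit.
KNOWN_BSSIDS = {
    "CoffeeShop-WiFi": {"00:11:22:33:44:55"},
    "HomeNet": {"00:11:22:33:44:77"},
}


def find_suspect_networks(scan, known_bssids):
    """Return {ssid: [reasons]} for network names that deserve a second look."""
    by_ssid = defaultdict(list)
    for ssid, bssid, security in scan:
        by_ssid[ssid].append((bssid.lower(), security.upper()))

    findings = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        # One name offered both encrypted and open suggests a copy of the real network.
        modes = {sec for _, sec in aps}
        if len(modes) > 1:
            reasons.append("mixed-security: " + "/".join(sorted(modes)))
        # Several access points per name is normal, so only compare against a baseline.
        baseline = known_bssids.get(ssid)
        if baseline is not None:
            trusted = {b.lower() for b in baseline}
            for bssid, _ in aps:
                if bssid not in trusted:
                    reasons.append("unknown-bssid: " + bssid)
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for name, why in find_suspect_networks(SCAN, KNOWN_BSSIDS).items():
        print(name, "->", "; ".join(why))
```

A network with no baseline, such as a hotspot visited for the first time, can only be judged by the mixed-security check, so a clean result is not proof that the access point is genuine.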
Now that I've sufficiently scared you, I'll offer some reassurance: There are plenty of things you can do to protect yourself at public wireless hotspots.
Change your default Wi-Fi settings. Does your notebook automatically scan for available wireless networks? If so, disabling this option can help prevent your notebook from inadvertently connecting to an Evil Twin site.
Here's how to turn off automatic wireless network configuration in Microsoft Windows XP: Right-click the wireless network icon in your system tray at the bottom-right corner of your screen, then select Open Network Connections. (Alternatively, you can select Start, All Programs, Accessories, Communications, Network Connections.) Right-click Wireless Network Connection and select Properties from the context menu. Click the Wireless Networks tab, uncheck the "Use Windows to configure my wireless network settings" option, and click OK. If the Wireless Networks tab doesn't appear, your wireless network adapter doesn't support this feature.
Look for the lock icon. Whenever you're about to enter personal data or conduct an online financial transaction, make sure a lock icon is displayed in the bottom right of your Web browser. The icon indicates that the Web page you're viewing has been encrypted and certified by a public certifying authority.
Check the URL. A Web page that's encrypted is designated with an "https" address, rather than the standard "http." For instance, your bank's Web site address may be, say, http://www.wellsfargo.com. As you venture deeper into the banking site, you should notice that the URL displayed in the browser's address field begins with "https." If you don't see "https" in the address field on what should be a secure page, don't go any further.
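The address check described above can be written down as a small routine. This is an added example, not part of the original article; the function name and the look-alike sample URLs are constructed, and it inspects only the address, leaving certificate verification to the browser.

```python
import ipaddress
from urllib.parse import urlsplit


def check_secure_page(url, expected_domain):
    """Return a list of problems with the address; an empty list means it passes."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    problems = []

    # The article's rule: a page that should be secure must use https.
    if parts.scheme != "https":
        problems.append("not-https")

    # "https://bank.example@other-host/" connects to other-host, not bank.example.
    if parts.username is not None or parts.password is not None:
        problems.append("userinfo-in-url")

    # A bare IP address in place of the site's name is not what a bank sends you to.
    try:
        ipaddress.ip_address(host)
        problems.append("ip-literal-host")
    except ValueError:
        pass

    # Match the whole name or a subdomain on a dot boundary, never a loose substring.
    if host != expected and not host.endswith("." + expected):
        problems.append("unexpected-host: " + host)
    return problems


# Constructed sample addresses; the first is the article's own example.
SAMPLES = [
    "http://www.wellsfargo.com",
    "https://www.wellsfargo.com/signon",
    "https://www.wellsfargo.com.signon.example/login",
    "https://www.wellsfargo.com@192.0.2.10/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_secure_page(sample, "wellsfargo.com") or "ok")
```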
Install security software. Yes, security software can be a pain to install, update, and manage. And yes, it can make your notebook's performance a bit sluggish at times. All that said, a car's seat belt can wrinkle your clothes and be uncomfortable, too. But you wouldn't drive without wearing one, right? Whether you're on a wireless or wired network, make sure you've got firewall, antivirus, and anti-spyware software running (some programs offer all three functions). Head over to PC World's Spyware & Security Info Center for more information and to download the software you need. You'll also want to read PC World contributing editor Scott Spanbauer's Internet Tips column on updating your security arsenal.
Use WPA security. Older wireless network adapters, routers, and related equipment used Wired Equivalent Privacy, a wireless security protocol that is easily cracked. Newer standards such as Wi-Fi Protected Access and Wi-Fi Protected Access 2 offer stronger encryption. The Wi-Fi Security Alliance, a nonprofit association, provides an online search tool for finding products that support WPA, WPA2, and other security protocols.
Use a remote connection to your PC. When he's on the road, reader Dave Vogel of Acton, California, says he surfs the Web and checks e-mail on his notebook via a secure remote connection to his desktop PC back home, which has more robust security (such as a local-area network router with built-in firewall) than his notebook. Dave uses MyWebEx PC because it secures remote-access sessions with 128-bit encryption. The downside: Applications usually run more slowly when accessed remotely. MyWebEx PC is available in free or $10-per-month Pro versions. (I haven't used either one.) You can download the free version from the company's Web site.
MyWebEx PC Pro was recently selected as Best Buy in a roundup of remote-access products. For the review, read "PC in a Browser."
Check for misspellings. An Evil Twin site, phishing e-mail, or other online scam may look legitimate on the surface. But read closely and, inevitably, you'll discover misspelled words. For example, I received an e-mail from EBay "Costumer Support" that otherwise appeared perfectly legit. "Costumer Support," indeed. When I need EBay's help with my costumes, I'll ask for it.
Turn it off. To minimize the chances that a hacker can access your notebook, turn off your wireless connection when you're not using it. You'll save battery power, too.
Wait until you're wired. If you want to be as safe as possible, don't shop, check investments, pay bills, or conduct any business transactions on a wireless network, period.
Go to the Wi-Fi Alliance for more information about using public Wi-Fi networks.