The Woes of WiFi, Part 2: Digital Defense

WiFi has became pervasive. Not just laptops, but an arsenal of palmed-sized devices including smartphones, PDAs (personal digital assistant) and mobile media players, now connect to the Internet using Wireless Fidelity technology.

However, many users are clueless about security and connect to password-protected accounts and financial Web sites thinking that they are as secure as computing on their home or office desktop.

They aren't, warn network security experts.

"The learning curve on WiFi security is just now ramping up. Users don't know about settings," Steve Gorretta, director of product marketing at 2Wire, told TechNewsWorld. 2Wire is a manufacturer of home networking products.

Part 1 of this two-part series expanded on the dangers and weaknesses of public WiFi hotspots. Part 2 features tips users can take advantage of to protect themselves from snoops.

Basic Security

Many wireless users think running the same antivirus and firewall programs on a laptop will provide security when they connect to a WiFi point. That thinking, however, is very wrong.

Device security is no longer related to just mobile computers. All mobile equipment with Internet and WiFi access -- iPhones, PDAs, smartphones, etc. -- are part of the security risk.

"The Web has become the great equalizer. It negates individual protocols though some Web protocol all devices use," Corey O'Donnell, vice president of marketing for security software firm Authentium, told TechNewsWorld.

Third-party programs only defend against attacks from within the connection. WiFi security is the outer wall. It is the first level of defense. Antivirus protection is secondary protection, explained Gorretta.

To build that outer protective wall, WiFi connections should be protected by either WEP (Wired Equivalent Privacy) or WPA (WiFi Protected Access) encryption. Of these two methods, the WPA standard is newer and more resilient.

Encryption features are usually turned off in the default settings for routers and WiFi card installations. Users have to learn to enable encryption.

Default Barriers

"Turn on encryption at the gateway. The default setting usually has encryption turned off. The rest of the industry needs to change the default strategy . But there are barriers to doing this," Gorretta said.

Those barriers are largely time and money savers for the product manufacturers. The computing industry needs to get behind a movement to make default installations of all wireless equipment turn on encryption, he urged.

The barriers involve the installation process itself. With the default set to no encryption, new users will be able to connect to the Internet as soon as the installation is completed.

Having a different default adds to the installation process, according to Gorretta. Users would have to find and enter the encryption key and password during the setup process.

This added requirement would also cause a burden for customer support. This procedure is also harder to do with off-the-shelf products, according to Gorretta.

WiFi How-To Tips

Between the mobilization of business, the convenience of WiFi connections -- especially the free networks -- and the consumer entry of WiFi-enabled smartphones like the iPhone, wireless networks are receiving more traffic than ever. Just a little security knowledge can go a long way for users everywhere.

With that in mind, TechNewsWorld asked several security experts for their best tips in avoiding hackers when using WiFi connections.

Best Practice for WiFi-Enabled Handhelds

-- From Richard Rushing, CSO at network security firm AirDefense

• Disable the wireless feature when not using the device.
• Avoid hotspots at places like hotels, airport clubs, libraries.
• If using a hotspot, only do so for Web surfing.
• Enter passwords only onto Web sites that include an SSL (secure sockets layer) key at the bottom right.
• When IMing or using e-mail from hotspots, avoid providing proprietary information for possible consumption by hacker.
• Avoid unknown, free WiFi links. Chances are very good that the free access will be a ploy to steal access ID.
• Social engineering is still a key tool hackers use to trick you into divulging sensitive details. Don't be chatty or cooperative when asked for personal information.
• Always check with the hotel or restaurant about their WiFi access. It is easy for a hacker to set up a bogus lookalike access point for that location. In many locations you cannot tell if the WiFi access is legitimately provided by that business.

Public Hotspot Safety

-- From Corey O'Donnell, vice president of marketing for security software firm Authentium

These tips are based on the results of a study conducted at Chicago O'Hare International Airport.

• Look for official corporate logos on airport-sponsored free access. It is easy for hackers to set up official-looking hotspots.
• Be aware of exposed folders and files on your computer. Make sure you disable the share files feature.
• Keep up-to-date antivirus and firewall products. If you do latch onto a dirty hotspot, you want to be able to detect and contain any viruses downloaded to your portable device.
• Use a corporate VPN (Virtual Private Network) whenever possible instead of a public WiFi point.
• Set up specific user profiles for different connection scenarios. For instance, have one profile for family log-ons, another profile for connecting to a bank and a separate profile for logging onto shopping Web sites.
• Have different credentials like charge accounts, user names and passwords for specific online accesses. Then you can see which account and online access was compromised if someone attempts to steal your identity. Meanwhile, your other online visiting spots will remain safe.

Final Considerations

Users of private WiFi services also need to be careful, warned O'Donnell. Most of these providers do not offer security on WiFi connections. All connected devices are equally hackable, he said.

"But joining a reputable network limits the risk caused by using unknown providers," he said.

Also, look for the terms and conditions page when when signing on to a WiFi hotspot, suggested Rushing. Legitimate access providers usually require you to acknowledge their terms and conditions before letting you gain full access.

Finally, for better protection, look for hotspots that have account-only access, suggested Gorretta.

"Join that network, even if you take the minimum usage package. It will offer a VPN-like tunneling to provide better security. The subscription services have good auditing controls to monitor who is connected," he concluded.

The Woes of WiFi, Part 1: Insecure by Default