Watch out for the ‘evil twin’ when using public Wi-Fi
Dan Fost
USA Today
For the modern nomadic worker, few things are more enjoyable than heading to a cafe, ordering a cappuccino and firing up the laptop to get some work done. As far as anyone you’re e-mailing knows, you’re at the office.
Unfortunately, few things expose your work to greater security risks than latching onto a public Wi-Fi service. Most people don’t realize the risks, and even fewer have the ability to perform the geeky tasks that would fix them.
Computer criminals can “sniff” the traffic in a cafe, or set up a fake hot spot that you might innocently log into. When that happens, watch out: Everything you type goes directly to the host computer, known as an “evil twin.” In that scenario, as soon as you get into your online bank account, the evil twin is ready to grab the password.
The best advice for avoiding those situations is to tap only into wireless connections that you trust. Be wary of connections with names such as “free public wifi.” Ask at the cafe for the name of its network. Even then, be aware that someone sitting next to you could have set up a network with the same name, such as “Starbucks,” that you could tap into unwittingly.
Most security-savvy travelers assume the worst and don’t do anything that could cause trouble if it fell into the wrong hands.
“Every packet that goes out over the Internet is observable” by a tech-savvy hacker, says Brett Levine of San Francisco.
Nonetheless, Levine, a vice president at Internet video start-up Dovetail, remains a dedicated cafe worker. He spoke from Hong Kong, at the end of a business trip in which he communicated with “nothing but my laptop. The only connections I’ve had were in hotel lobbies or cafes. I’m sitting here with my ramen noodles.”
He just makes sure that every e-mail he sends is encrypted. And if he’s doing anything sensitive online, he makes sure the site is secure.
For instance, if a website starts with “https” in the address bar instead of the standard “http,” the site is most likely more secure. “Https” is the standard that banks and online trading firms use.
“If you’re on a wireless network, assume it’s public,” says Alex Stamos, vice president of professional services at iSec Partners, a software security consulting firm in San Francisco and Seattle. “If you’re trading stocks, you should be very careful and make sure you’re going over the ‘https’ link.”
Once you’re over “https,” you generally are safe, though there are caveats, says Zulfikar Ramzan, a senior principal researcher at Symantec in Cupertino, Calif. “What ‘https’ guarantees to you is that whoever is receiving your traffic is receiving it encrypted. But that doesn’t guarantee that it goes to the right person.”
Take care in small cafes
Dave Zaytsev, a co-owner of Goliath Security in Chicago who works as a consultant for identity-theft protection company LifeLock, warns that the risks are greater in small, local coffee shops than in chains such as Panera Bread, which advertise their secure networks.
“The corporate places are locked down pretty decent,” Zaytsev says. “The mom-and-pop places that are just trying to compete, like Joe’s Coffee, they don’t have consultants. They just go to Best Buy, buy a Linksys router and have a friend set it up.”
Zaytsev has tested some cafes for local television stations’ consumer news segments and has often been able to see files stored on individuals’ laptops. He’s also done “man in the middle” attacks, in which he scans the traffic in a cafe, then steals people’s usernames and passwords. (The people in his tests were all willing dupes, he says, usually interns at the TV station.)
If you can use your company’s “virtual private network,” or VPN, you can feel fairly safe. VPNs create secure “tunnels,” in which all online communication is encrypted at both ends. But simply using a top security suite from Symantec, McAfee (MFE), Trend Micro or others won’t protect you in a cafe situation. The companies say that while those programs will protect you from viruses and even phishing scams, they can’t save you from traffic that you’ve sent over the open Internet.
“A security suite will protect you if you did end up at a bad site that tried to install malicious software on your machine, but not if you give your credit card to someone else,” says Symantec’s Ramzan.