I’m sure in a year or two this will be as obvious as “don’t hand your credit cards to strangers (except, y’know, at restaurants),” but for now, it’s good info.
The next time you’re at an airport looking for a wireless hot spot, and you see one called “Free Wi-Fi” or a similar name, beware — you may end up being victimized by the latest hot-spot scam hitting airports across the country.
You could end up being the target of a “man in the middle” attack, in which a hacker is able to steal the information you send over the Internet, including usernames and passwords. And you could also have your files and identity stolen, end up with a spyware-infested PC and have your PC turned into a spam-spewing zombie. The attack could even leave your laptop open to hackers every time you turn it on, by allowing anyone to connect to it without your knowledge.
[…] First, let’s take a look at how the attack works. You go to an airport or other hot spot and fire up your PC, hoping to find a free hot spot. You see one that calls itself “Free Wi-Fi” or a similar name. You connect. Bingo — you’ve been had!
The problem is that it’s not really a hot spot. Instead, it’s an ad hoc, peer-to-peer network, possibly set up as a trap by someone with a laptop nearby. You can use the Internet, because the attacker has set up his PC to let you browse the Internet via his connection. But because you’re using his connection, all your traffic goes through his PC, so he can see everything you do online, including all the usernames and passwords you enter for financial and other Web sites.
In addition, because you’ve directly connected to the attack PC on a peer-to-peer basis, if you’ve set up your PC to allow file sharing, the attacker can have complete run of your PC, stealing files and data and planting malware on it.
The underlying theme is “Don’t connect to anything you’re not sure of, and make sure your autoconnecting is either turned off or tightly controlled.”
I do a fair amount of business travel, and have had multiple occasions to connect into WiFi access points at airports (and other locations). While I’ve tried to be careful, this article will have me being even more so.
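The warning sign described above is the network type: an ad hoc (peer-to-peer) network advertising itself as a hot spot. As an added example (not part of the original post or the quoted article), this Python script flags such entries in a Wi-Fi scan listing; the sample text is constructed in the style of Windows `netsh wlan show networks` output, and the function names and verdict labels are assumptions of this example.

```python
import re

# Constructed sample, in the style of `netsh wlan show networks` output.
SAMPLE_SCAN = """\
SSID 1 : Free Wi-Fi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None

SSID 2 : ExampleAirport-Guest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 3 : ExampleLounge
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
"""

def parse_scan(text):
    """Return one dict per SSID block holding its 'key : value' fields."""
    networks = []
    for line in text.splitlines():
        m = re.match(r"\s*SSID \d+\s*:\s*(.*)$", line)
        if m:
            networks.append({"ssid": m.group(1).strip()})
        elif ":" in line and networks:
            key, value = line.split(":", 1)
            networks[-1][key.strip().lower()] = value.strip()
    return networks

def assess(net):
    """Hypothetical verdict labels: 'avoid', 'caution' or 'unflagged'."""
    if net.get("network type", "").lower() == "adhoc":
        return "avoid"      # a link to someone's laptop, not an access point
    if net.get("authentication", "").lower() == "open":
        return "caution"    # no link encryption; rely on HTTPS or a VPN
    return "unflagged"      # neither check fired; not proof the network is safe

def report(text):
    return {n["ssid"]: assess(n) for n in parse_scan(text)}

if __name__ == "__main__":
    for ssid, verdict in report(SAMPLE_SCAN).items():
        print(f"{verdict:10} {ssid}")
```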
The article makes an interesting point, but:
This is a very simplistic way of stating something much more complicated. Yes, the hacker has the ability to see what you are doing. But they need a packet sniffer and a packet analyzer, or a program that can do both.
While these programs do exist and are becoming easier to use, there are still other tangibles in play. It takes a lot of time to go through all the millions of packets and hunt for a username and password. Looking through packets is something you learn how to do for the M$ 70-291 certification.
There are also easy ways to defend against this attack: use encryption. If you send information encrypted while browsing on a free Wifi spot, you will not have to worry about this kind of attack (depending on your encryption strength).
Try going to sites using https. The “s” means any data sent will be encrypted. And for most hackers, as soon as they see encrypted packets they will try to find another victim.
Encryption is, in general, a good idea for any WiFi environment, though not always practical. And, yes, it’s more likely that a malefactor will be after other actions or activities than trying to spot your office e-mail ID and password.
On the other hand, you could probably leave your front door unlocked all the time, too, with a minimal chance that a burglar will ever actually try it. But …
If it’s free, it must be safe, right?
Heh. After citing this article a few weeks back, I was … amused at the airport when I looked up available WiFi connections and got … this. ATTWiFi is…