Vacation hacking, a new term invented in this article to scare folks: It's Fox News, yes, but this article needs to be stopped dead in its tracks. The article claims that you're going to be hacked because of "phony Wi-Fi hot spots" all over the place--"in airports, in hotels, and even aboard airliners."
This article recycles what is now a pretty dismantled myth that the Free Wi-Fi networks you see around are havens of hackers. They're not. Instead, it's Windows XP broadcasting a peer-to-peer network by that name that the user of the system once connected to in order to get free Wi-Fi (which didn't exist). Ad hoc networking in Wi-Fi under XP spreads names like viruses by advertising the names when the peer-to-peer networks aren't active. You can easily test this yourself if you have an XP box by creating an ad hoc network named Free Wi-Fi, turning it off, and leaving your XP system not associated with a regular (infrastructure) Wi-Fi network.
Here's a nice summary with details at an Aruba Networks blog. Note that Aruba sells technology infrastructure to corporations, which includes security elements, but doesn't sell security as a separate piece. Thus, the firm has a good place on which to dispel such a myth.
The folks from security companies are offering quite broad-stroked statements here that I don't buy as well. For instance, Symantec's "Internet safety advocate" is putting out the line that "hackers" are setting up shop in hotels, airplanes, and airports because there are Wi-Fi networks available. Think about that for a moment. Most people who use airports and hotels are passing through. It's hard to linger for too long without being a guest or passenger. So what this is really saying is that there are hackers traveling around who turn on scamming software whenever they're in a public place with lots of people. That's not an unreasonable speculation for some small number of people, but I also doubt this is happening on a large scale. I also think that thieves are exposing themselves to detection in places where they could be easily detained, which makes it less likely.
Now, I always maintain you should use public Wi-Fi networks as if there were always someone sniffing and recording signals around you, but that's more of general advice. I don't believe that there are always hackers around, just that if there's a small statistical chance you should act as if the opportunity for loss of passwords or other data is 100 percent. I may be paranoid, but I'm not crazy, as the saying goes.
The Fox News article then dredges up a 2008 AirTight survey that looked into security at airports, both in airport operations and in user behavior and settings. The article gets it mostly wrong, including stating that "fake Wi-FI hots spots" had been set up by hackers. I found the original AirTight report, and it talks about the "Free Wi-Fi" locations in the same manner I do above. (I wrote about this report back in March 2008. You can disable this in XP by using wireless settings to turn off the ability to join ad hoc networks entirely. That's a great start.)
What AirTight actually discovered was a very low rate of use of VPNs by users (under 3 percent in its testing), and extremely poor operations security, with closed networks and WEP being used to prevent outside access to private networks. The Fox news article conflates VPNs and secure networks together, making a muddle.
I've talked to Rick Farina of AirTight before, I believe, and his quote in the Fox News article is too absurd to believe without it being taken out of context. He notes that people engage in "all sort[sic] of dangerous activity," but he includes banking and buying stock in that list. So long as you're not working with a bank or stock-trading firm that's stupid enough to not deploy extended-validation (EV) SSL/TLS security--the green bar in most browsers that shows a verified identity--your risk of being taken advantage of is essentially nil.
However, I do heavily recommend the use of VPNs, because it prevents two separate problems: first, if you're using a system that has a history of vulnerabilities to viruses (yes, I'm talking about Windows XP), being on a public network with other local users seeing you as an available node is a terrible increase in risk. If you have firewall software installed, it's possible that joining a wireless network will make the software think you're on a safe LAN if the local Wi-Fi network uses the same private IP address space, which is highly likely.
If your company doesn't offer (and require!) a VPN, you can use services from Witopia, AnchorFree, and others on subscription or ad-funded basis, depending on the firm. With a VPN active, if you connect to an evil twin (a malicious double of a real network) or an accidental ad hoc network, the VPN either won't connect properly (but won't reveal your login password or credentials either), letting you know something is wrong; or, it will connect securely, meaning that even if your traffic is being intercepted, it can't be deciphered!
The last part of this article has five tips for security from Symantec that aren't bad, but most don't relate to Wi-Fi security.
My advice? Don't join ad hoc networking, disabling that capability if you can, or using cues in Mac OS X or Vista to avoid them. Use a VPN.
Leave a comment