January 05, 2007 (Computerworld) Wi-Fi hot spots in airports, restaurants, cafes and even downtown locations have turned Internet access into an always-on, ubiquitous experience. Unfortunately, that also means always-on, ubiquitous security risks.
Connecting to a hot spot can be an open invitation to danger. Hot spots are public, open networks that practically invite hacking and snooping. They use unencrypted, insecure connections, but most people treat them as if they are secure private networks.
This could allow anyone nearby to capture your packets and snoop on everything you do online, including stealing passwords and private information. It could also allow an intruder to break into your PC without your knowledge.
But there's plenty you can do to keep yourself safe -- and I'll show you how to do that in this article. If you follow these tips, you'll be able to make secure connections at any hot spot.
Disable ad hoc mode
Little-known fact: You don't need a hot spot or wireless router in order to create or connect to a wireless network. You can also create one using ad hoc mode, in which you directly connect wirelessly to another nearby PC. If your PC is set to run in ad hoc mode, someone nearby could establish an ad hoc connection to your PC without you knowing about it. They could then possibly wreak havoc on your system and steal files and personal information.
The fix is simple: Turn off ad hoc mode. Normally it's not enabled, but it's possible that it's turned on without your knowledge. To turn it off in Windows XP:
In Windows Vista, there's no need to do this, because you have to take manual steps in order to connect to an ad hoc network; there's no setting to leave it turned on by default.
Turn off file sharing
Depending on the network you use at work or at home, you may use file sharing to make it easier to share files, folders and resources. That's great for when you're on a secure network. But when you're at a hot spot, it's like hanging out a sign saying, "Come on in; take whatever you want."
So make sure that you turn off file sharing before you connect to a hot spot. To turn it off in Windows XP, run Windows Explorer, right-click on the drives or folders you share, choose the Sharing and Security tab, and uncheck the box next to "Share this folder on the network."
Protect yourself by turning off file sharing
If you're a Windows Vista user, it's even easier to turn off file sharing. When you connect to a hot spot, designate it as Public. When you do that, Windows Vista automatically turns off file sharing. You can also turn off file sharing manually. Choose Control Panel-->Set up file sharing, click "File sharing," select "Turn off file sharing," and click Apply. Then click "Password protected sharing," select "Turn off password protected file sharing," and click Apply.
Turn off network discovery
If you're a Vista user, a feature called Network Discovery makes your PC visible on a network so that other users can see it and try to connect to it. On a private network, this is useful; at a public hot spot, it's a security risk. When you connect to a hot spot and designate the network as Public, Network Discovery is turned off, so again, make sure to designate any hot spot as Public.
However, you can also make sure that Network Discovery is turned off for your hot spot connection. When you're connected, choose Control Panel-->View network status and tasks. Then in the Sharing and Discovery section, click the Network Discovery button, choose "Turn off network discovery," and click Apply.
Vista users should turn off Network Discovery for maximum safety
Encrypt your e-mail
When you send an e-mail at a hot spot, it goes out "in the clear" -- in other words, unencrypted -- so that anyone can read it. A lot of e-mail software allows you to encrypt outgoing messages and attachments. Check how to use yours, and then use it at a hot spot. In Outlook 2003, select Options from the Tools menu, click the Security tab, and then check the box next to "Encrypt contents and attachments for outgoing messages." Then click OK.
Encrypting outgoing e-mail in Outlook 2003
Carry an encrypted USB flash drive
USB flash drives are cheap, and getting cheaper by the day. For about $50, you can buy a 2GB flash drive, which is more than enough space to carry Windows, the applications you use and the data you need. Make sure to get a drive that can use encryption. Then install Windows, your applications and your data on it.
On your laptop, keep no private data on your hard drive. When you connect at a hot spot, boot from your USB drive. That way, even if someone somehow gets into your PC, they won't be able to read or alter any of your data, because the data is encrypted on the USB drive.
Protect yourself with a virtual private network
Most hot spots are not secure and don't use encryption. That means anyone with a software sniffer can see all of the packets you send and receive.
But you don't need to rely on the hot spot for encryption. For a fee, you can use a virtual private wireless network that encrypts your connection. There are several available, but the one I've been using for years is hotspotVPN, and it hasn't failed me yet.
No special VPN software is needed; you can use XP's or Vista's built-in VPN capabilities. The service costs $8.88 per month, or is available in one-, three- and seven-day increments for $3.88, $5.88 and $6.88. You can also get more secure VPN encryption from the service for between $10.88 and $13.88 per month.
Once you subscribe, you'll get a username, password and IP address of a wireless VPN server. At that point, you run a Windows network connection wizard, fill in the username, password and IP address information, and you'll be ready to go. In Windows XP, choose Control Panel-->Network and Internet Connections-->Create a connection to the network at your workplace. From the screen that appears, choose the virtual private network connection, and follow the wizard.
In Windows Vista, choose Control Panel-->View network status and tasks. Then click "Set up a connection or network," choose "Connect to a workplace" and then "Use my Internet connection (VPN)." Follow the wizard after that.
Setting up a wireless VPN using Windows Vista
Disable your wireless adapter
There may be times when you're at a hot spot when you actually don't want to connect to the Internet. In that case, you can guarantee absolute safety -- disable your wireless adapter so you can't connect.
If you have a wireless PC card, you can simply remove it, of course. If you have a wireless adapter built in to your PC, you can disable it. In XP, right-click the wireless icon, and choose Disable. If you're using the adapter's software to manage your connection, check the documentation to find out how to disable it.
If you're using Windows Vista, choose Control Panel-->Network and Sharing Center. Then in the Connection area, click "View status," and from the screen that appears, click Disable.
Disabling a wireless adapter in Windows XP
Watch out for shoulder surfers
Think all hacking is high-tech programming? Think again. "Shoulder surfers" don't need to know how to write a line of code to steal your password -- all they need to do is peer over your shoulder as you type. So make sure no one seems to be paying too close attention when they're directly behind you.
In addition, if nature calls because you've had too many double lattes, don't leave your laptop unattended when you go to the restroom. Laptop theft has become common in some places, most notably San Francisco, which was subject to a laptop crime wave. Consider bringing along a laptop lock and locking your laptop to a table. Some cafes even include ports to which you can lock your laptop.
Beware phony hot spots
Watch out for this latest hot spot scam -- someone surreptitiously sets up a hot spot near a cafe, created for the sole purpose of stealing personal information. You're asked to type in sensitive information in order to log in, and the thief makes off with your passwords and financial information. Ask a staffer at the cafe if there is, in fact, a hot spot available, and what its name is. Only connect to that network. And if you see two hot spots with the same name, don't connect to either -- one might be a so-called "evil twin" set up by a snooper to trick you into connecting to the phony hot spot.
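The same-name check described above, together with the ad hoc warning from the first tip, as an added Python example that is not part of the original article. It assumes scan text in the layout printed by Windows' `netsh wlan show networks mode=bssid`; the trimmed sample scan, the MAC addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed to the fields the check reads.
SAMPLE_SCAN = """\
SSID 1 : CafeWiFi
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    BSSID 1                 : 02:00:00:00:00:01
    BSSID 2                 : 02:00:00:00:00:02
SSID 2 : CafeWiFi
    Network type            : Infrastructure
    Authentication          : Open
    BSSID 1                 : 02:00:00:00:00:03
SSID 3 : Free Public WiFi
    Network type            : Adhoc
    Authentication          : Open
    BSSID 1                 : 02:00:00:00:00:04
"""

FIELD = re.compile(r"^\s*(SSID|Network type|Authentication|BSSID)(?: \d+)?\s*:\s?(.*)$")

def parse_scan(text):
    """Return one dict per listed network entry: ssid, type, auth, bssids."""
    networks = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "SSID":
            networks.append({"ssid": value, "type": "", "auth": "", "bssids": []})
        elif networks and key == "BSSID":
            networks[-1]["bssids"].append(value.lower())
        elif networks:
            networks[-1]["type" if key == "Network type" else "auth"] = value
    return networks

def scan_warnings(networks):
    """Flag names listed more than once, and any ad hoc (PC-to-PC) network."""
    by_name = defaultdict(list)
    for net in networks:
        by_name[net["ssid"]].append(net)
    found = []
    for name, entries in by_name.items():
        # Several BSSIDs under one entry are normal; a second entry is not.
        if name and len(entries) > 1:
            found.append(("duplicate-name", name))
        found += [("ad-hoc", name) for e in entries if e["type"].lower() == "adhoc"]
    return sorted(found)
```

A name flagged as `duplicate-name` is one the article says to avoid entirely; two access points grouped under a single entry, as in the first sample network, are not flagged.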
Turn on your firewall
Windows XP and Windows Vista both have personal firewalls built in, so turn them on. In Windows XP, choose Control Panel-->Security Center, then click the Windows Firewall icon at the bottom of the screen. From the page that appears, select On, and click OK.
In Windows Vista, choose Control Panel-->Security-->Windows Firewall. The screen that appears will tell you if the firewall is turned on. If it's not, click Change Settings, select On, and click OK.
Turning on the firewall in Windows Vista
Windows XP's personal firewall is underprotected because it doesn't include outbound protection. (Windows Vista's firewall includes two-way protection.) If you're a Windows XP user, consider getting the free version of ZoneAlarm, which has both inbound and outbound protection.
Preston Gralla is a contributing editor for Computerworld.com, and the author of more than 35 books, including How the Internet Works.