Number 2 with a bullet on the First Annual Security For All Hit List was a surprise [to me anyway]. This post on March 16, 2009 titled Using public Wi-Fi safely was a review/amplification of this article by Rich Vázquez. So I came up with this great idea that I would do another review/amplification on my original review/amplification. Are you confused yet? Don’t worry you will be. Here are the high points.
Certainly you want to verify that the wireless net is what you expect prior to connecting, but the more important issue is that the operative word in “open Wi-Fi” is open. Most open Wi-Fi nets don’t need an evil twin. They are totally amoral by definition. Open means exactly that – anyone and everyone is invited to join in the fun. Which is great if you are adequately protected. Or a grifter looking for marks.
While this is certainly true, it’s a little light on actionable advice. Open Wi-Fi nets can be really useful if you want to do some innocuous web surfing or anything that doesn’t involve disclosure of sensitive information. Having said that, the unfortunate reality is that pretty much anything you would want to do online – including innocuous surfing – involves disclosure of sensitive information. The point is that if you want to use open public Wi-Fi you need to have your PC, whether it is running Windows, Mac OS/X or Linux, locked down tight. But what exactly does “locked down tight” mean? Turns out that is addressed in the next section.
Actually using personal firewall software is the first line of defense. Anti-virus is the last line of defense. While I’m sure this will cause a great deal of controversy (at least I hope so – bring it!) I submit that anti-virus software is optional and a good bi-directional firewall is critical. How so? Glad you asked. The firewall should make you invisible to the outside network. Many, if not most, popular firewalls do not do this out of the box. You need to make a visit to the Gibson Research (Steve Gibson of Security Now! fame) Shields Up! site and tweak your firewall setup until you are in “stealth mode”. If you don’t do that, then even good anti-virus software – and I’m dubious that such a thing exists – will not be useful. The greatest threat posed by the open network is information leakage, not malware infection. The risk of your PC being infected by malware that steals your information is significantly mitigated by the firewall. And once the PC is infected by such malware, if your firewall blocks egress to everything but approved processes – a feature of those good bi-directional firewalls mentioned earlier, information leakage should be prevented anyway. My point: it is a lot more effective to prevent malware infestation than to detect it after the fact. It should be noted here, that Rich makes an excellent and critical point: there is almost always a time lag between when information is stolen and when the stolen information is used. Sometimes the time lag is significant, so just because your stolen information hasn’t been exploited yet doesn’t mean it hasn’t been stolen.
I’ll admit it, I’m not a fan of the concept of anti-virus. I think it’s a sucker game with no winners but the anti-virus vendors and professional hackers. Certainly not you, the user. But far be it from me to suggest that you dump your anti-virus. If you use Microsoft Windows, then you probably should continue using it. But if I were you, I’d certainly stop paying for it. There are free anti-malware suites available – including one from Microsoft – that are as good or even better than the subscription based stuff. Just remember to keep it updated. The main point here is that anti-virus is optional but a good firewall is critical. Mac OS/X and most distributions of Linux (certainly all of the popular distros) ship with a very good firewall. Unfortunately the firewall that ships with Windows XP and earlier is weak and should be replaced with one of the excellent third-party software firewalls available. Many for free. To understand why you need a firewall, you need to know what it is and how it works. So allow me to digress. If you already know this stuff then feel free to skip it. Or comment on what I got wrong or oversimplified.
[Begin Digression: Firewalls]
When a computer communicates over a network there must be a way for other computers to find it. Otherwise no communication happens. Therefore each computer must have an address, not unlike a post office box. In order for any kind of communication to take place there must be at least two parties involved. Same with computers. Only computers have strict rules of etiquette governing conversations. There are always two distinct roles in a computer conversation. The server and the client. The server is the computer that is going to provide most of the information in the conversation. The client is the one asking for information. It’s easy to see this in action any time you connect to a web site. Your computer [acting as the client] contacts the web site computer [acting as the server] and requests information. The server sends the information in the form of a web page back to your client which displays it in your browser. So how did your computer [the client] know how to reach the server? And how did the server know where to send the reply? Remember those addresses I mentioned earlier? Well, the URL that you typed into your browser (or the link you clicked on) gets translated into one of those PO Boxes. But that’s only half the story. Each of those PO boxes is shared by a bunch of different services. So each PO box has a port for each of the services. When the message goes to a specific port in the PO box, the service listening for messages will respond. The service knows where to respond because there is a return address (including a port) in the message. If a service is not listening at it’s port or the port is not accepting messages this is referred to as the port being closed. Any messages sent there are ignored. Here is the critical thing to know about ports: Server ports are well-known and advertised (otherwise nobody would be able to start a conversation) but client ports are random and used for one and only one conversation. In other words when your client contacted that web site, the “http://” in the URL meant “send this message to port 80“, the HTTP port. Your client put a random port in the message return address so only replies to this particular message can get back to your client. By this time your probably wondering what this has to do with firewalls. Everything, actually. Stay with me. Something that might not be obvious is that every networked computer is both a client and a server. That’s right. Even your PC or Mac. This is where a firewall comes in. A firewall controls all of the ports on your computer. A good firewall will start with almost all ports closed. In other words if you want your computer to share folders with other computers (i.e. be a server for the share service) then the firewall needs to open the share service ports (139 and 445). Early Windows XP (before Service Pack 2) had lots of ports open by default. Stuff like Universal Plug and Play (UPNP) and Remote Registry. This was a really bad idea since black-hat hackers figured out ways to crash or abuse those services and get malware on your computer by sending malicious messages to those open ports. But if you have a firewall, you can close all ports that you don’t need. That way even if the service is listening for messages, it will never get them. And all those malicious messages will just be ignored. Further, a good bi-directional firewall watches for outgoing network messages. It knows that your browser and email program should be allowed to start conversations with other computers (well duh, they wouldn’t be very useful if they couldn’t). But it will block and/or warn you when something it doesn’t recognize (say NastyMalware.exe) tries to start a conversation with another computer. That’s why firewalls are so important.
[End Digression: Firewalls]
[In response to Rich's advice that file sharing be turned off] Absolutely spot-on here! The average personal computer does not implement many of the file sharing protections that are available on corporate networks. Otherwise very few home users would ever be able to take advantage of file sharing. As Rich points out, whatever you share is shared with everyone on the network. The entire open Wi-Fi network. Just say no to file shares.
Actually that just about covers it. There is never a good reason to have a Windows file server on an open Wi-Fi network. Period.
In fact most of the threats in a “coffee shop” environment (i.e. your typical open Wi-Fi hotspot) are decidedly low-tech. Fortunately the best defense is also low-tech – don’t be an idiot. One of the examples Rich uses is a perfect case in point: if you are doing your taxes online from an open Wi-Fi hotspot you are a moron and deserve to be pwned. I’m sorry but it’s true. There really is no mitigation for user stupidity. Seriously though, social engineering is by far the most effective tool black hat hackers have. There is definitely one born every minute. Don’t be the one.
There is no substitute for common sense. If you want to check your personal email from a Wi-Fi hotspot, sure go ahead. Much as we would like to believe the contrary, our personal mail is mundane, boring and of little value to anyone else. Your tax return, or your employer’s internal profit forecast are a completely different story.
Regardless of how “steathy” your PC is, it still has lots of incoming and outgoing traffic that is easily sniffed on the open Wi-Fi network. Go snag a copy of AirSnort if you want to see just how easy this is. Your traffic had better be encrypted if you don’t want it to be completely public. Having said that, encryption in and of itself is not enough. As Hugh Thompson says you can’t just “sprinkle on the magic crypto fairy dust”. For example if you’ve already been compromised by a Man-In-The-Middle attack, starting an encrypted session might simply result in a nice encrypted pipe that is available to no one but you, your bank and the attacker. Also, a site’s use of HTTPS is no indication of the legitimacy of the site unless you actually check the validity of the SSL certificate. And very few people do that. Or even know how to do that. So back to an earlier point, don’t be an idiot. Encryption does not mitigate stupidity. Recently this article from Thomas Nicholson at Nicholson Security blog entitled People will always be the weakest link in security described a situation in a coffee shop where a business person connects to the corporate LAN (no doubt securely), starts up a remote desktop session (again no doubt securely) and then goes to the restroom leaving the laptop unlocked and unattended for 10 minutes. Doh!
In case you forgot, your Wi-Fi adapter is a radio. The hot spot wireless access point is also a radio. Radio waves go everywhere and can be received by anybody in range with a radio receiver tuned to the right frequency. It’s not just talk radio hosts that think this is a swell idea. But again, regardless of how well protected your Wi-Fi signal is, if there is sensitive information on the screen, where anybody within sight range can see it, it’s still exposed. Remember, if you stand naked in front of a window, even if the window has bulletproof glass, you’re still exposed.
Finally, as far as I know Rich still hasn’t joined the Security Bloggers Network. And he still should.