Promiscuous laptops

Laptops now outsell desktops, and more and more locations are offering free public Wi-Fi networks. Yet there are no formal recommendations on how one should secure a wireless laptop on a public wireless network. Case in point: A few weeks ago, I attended the RSA Conference 2007 and shortly afterward saw a press release from regarding the number of laptops--at a security conference, mind you--that weren't connecting to the official public wireless network. What's interesting is that most of the wireless laptop security information I've seen is at best vague, including some of my own tips. Here's my take on some known problems with wireless laptop security and some suggested solutions. I welcome any other tips you might have.

The threats are out there

Two years ago I wrote about "evil twin attacks", in which someone places a more powerful wireless access point close to your laptop, causing it to connect to that access point rather than to the intended one. All your personal data then flows through the rogue access point before it reaches the Internet, in what's called a man-in-the-middle attack. As I mentioned last week, there's now the possibility of mobile devices such as smart phones also conducting evil twin attacks, so we might see more of these in the near future.

Last year, WhiteHat security expert Mark Loveless, aka Simple Nomad, disclosed a problem with Windows XP wireless connections; it seems that Windows XP had a habit of broadcasting a list of known access points that it had connected to in the past. This would, theoretically, allow a criminal hacker to receive that broadcast and configure his or her rogue access point accordingly. Microsoft has since issued a partial fix, in which it turned off the broadcast portion, but maintained the internal automatic connection list. That's still a problem. If you connect at home to a router that's called Linksys, then take your laptop out in public, it will connect to the first access point it finds calling itself Linksys, criminal or otherwise.

Good behavior counts

By and large, security experts, including myself, are all on record stressing that good behavior in public places matters most. The surfing that you do in a public wireless environment should not be the same as what you do at home on a much more secure wired connection. For example, don't check your bank balance online, despite what that Bank of America ad says, or type in your credit card to order flowers online while sitting in an Internet cafe.

What is considered safe is a Virtual Private Network (VPN) tunnel into a corporate environment. A VPN encrypts the data back and forth, so that even if a criminal hacker were eavesdropping, they would have to first break the encryption to get the data--and who has time for that when the guy across the room isn't using a VPN? But even this isn't totally secure, as criminals could capture your clear user ID, then decrypt your password access to the VPN; most companies use one of a handful of VPN services that are well-known to criminal masterminds.

Some suggestions

The problem is that Microsoft designed Windows XP and Windows Vista to be convenient, especially when connecting via wireless, but convenience in the security world often carries a high price. Of course, it goes almost without saying that you should always have a suite of security applications including antivirus, antispam, and antispyware, as well as a personal firewall installed on your laptop. But to avoid having your promiscuous laptop connect to the first access point that looks attractive, try these maneuvers:
  • Use a wireless broadband card: Rather than use a public cafe's open wireless, get a wireless broadband account and use your laptop to connect to 3G networks via cell modem. Overall, wireless broadband accounts are more secure--it's harder to hack into a cellular call--and, in some cases, more reliable than public 802.11 wireless.
  • Change your home or office default router name: Don't make your laptop vulnerable in the first place. To do this, access your home or office router's firmware (usually this requires typing a specific address into a browser's address bar), then change the default SSID (Linksys, D-Link, Netgear, or the like) to something original (for example, UpUpAndBeyond, or something similar). While you're at it, change the router's default admin ID and password, and enable some form of encryption (WEP, WPA, or WPA2).
  • Disable the Windows networking automatic connect feature: Don't let your laptop connect just anywhere. To do so, right-click your current wireless network connection, click Properties, then click the Wireless Networks tab. Here you'll see a box with all of the last known connections you've made. For each one that says "automatic", highlight it and click Properties, then select the Connection tab for that network. Uncheck the box labeled "Connect when this network is in range". The downside is that the next time you fire up your laptop, you won't be connected right away. Instead, you should see a list of available wireless networks. It'll cost you a few seconds to choose one and connect to the right network, but at least you'll know what you're connecting to.
  • Set a MAC address for the routers you know: This won't help with random, open public wireless networks whose physical address you won't necessarily know, but it will help with home and office connections, particularly if you live or work in a crowded area. Again, if you haven't changed your SSID, how do you know if the Linksys router you're connecting to from the front of your apartment is the one in the back of your apartment, or your neighbor's next door?
  • Turn off the ad hoc connections option: This should already be disabled with most default Windows XP and Vista installations, but you should check anyway.
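
To check a laptop against the list above, here is an added example (not part of the original article) that audits saved wireless profiles for automatic connection to a factory-default SSID or an unencrypted network, and for ad hoc profiles. It assumes Windows Vista or later, where `netsh wlan export profile folder=<dir>` writes each saved profile as XML; the function names and the sample profiles are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
DEFAULT_SSIDS = {"linksys", "d-link", "netgear"}  # factory names cited in the article

def audit_profile(xml_text):
    """Return (ssid, findings) for one exported WLAN profile XML document."""
    root = ET.fromstring(xml_text)

    def text(path, default=""):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else default

    ssid = text("w:SSIDConfig/w:SSID/w:name") or text("w:name")
    # Assumption: a profile with no connectionMode element is treated as "auto".
    auto = text("w:connectionMode", "auto").lower() == "auto"
    adhoc = text("w:connectionType").upper() == "IBSS"
    sec = "w:MSM/w:security/w:authEncryption/"
    unencrypted = (text(sec + "w:authentication").lower() == "open"
                   and text(sec + "w:encryption").lower() == "none")
    findings = []
    if adhoc:
        findings.append("ad hoc (computer-to-computer) profile")
    if auto and ssid.lower() in DEFAULT_SSIDS:
        findings.append("auto-connects to a factory-default SSID")
    if auto and unencrypted:
        findings.append("auto-connects to an unencrypted network")
    return ssid, findings

def make_profile(ssid, ctype, mode, auth, enc):
    """Build a constructed sample profile (not taken from a real machine)."""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="{NS['w']}">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <connectionType>{ctype}</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication><encryption>{enc}</encryption>
  </authEncryption></security></MSM>
</WLANProfile>"""

SAMPLES = [
    make_profile("linksys", "ESS", "auto", "open", "none"),
    make_profile("UpUpAndBeyond", "ESS", "auto", "WPA2PSK", "AES"),
    make_profile("CafeGuest", "ESS", "manual", "open", "none"),
    make_profile("printer-share", "IBSS", "manual", "open", "none"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ssid, findings = audit_profile(sample)
        print(f"{ssid}: {'; '.join(findings) or 'ok'}")
```

A profile that is set to manual, like the constructed CafeGuest entry, produces no finding even though the network is open, because the laptop will not join it on its own.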
