Data Security - Part 2

SUMMARY

If you have read “Securing Your Data - Part 1”, you know how to physically secure your data. Now let us take a look at security on the network.

BACKGROUND


This blog was prompted by a friend. While she was at a university, she used her iPad to take class notes, and to chat with friends using Yahoo and Facebook. By some odd coincidence, 2 days later we found that her Yahoo and Facebook accounts had been hacked!


WIFI SECURITY

Almost anyone who has a wireless device knows there is some risk involved with WiFi, but few know the facts or how to protect themselves. With wireless networks (Apple calls them AirPort networks), your computer broadcasts radio signals in the microwave range to a wireless base station. In most cases, that base station is connected to the Internet via an Ethernet, DSL, or cable TV line. This radio signal can be easily picked up by off-the-shelf equipment 1/2 mile away. With more specialized equipment (and we are talking a Pringles potato chip can), the signal can be picked up more than 10 miles away. What I’m saying here is that anything you enter or read over the Internet is being broadcast more than 10 miles around you, and that there are people out there who have nothing better to do with their lives than to wait for your data, hoping for something juicy like a name and password.

Wireless networks come in 4 basic flavors. At the least secure level we have unsecured/unencrypted networks. These networks are most common in cafes. Just sit down, open your laptop, select the network by name, and you are on the Internet. If you are on one of these networks and log into your Facebook or bank account, you may as well be yelling your name and password over a loudspeaker. This is the same as leaving your home for vacation and leaving the front door open. Anyone can come on in and take what they want (from your radio broadcast).

One step up is the wireless network secured by name and password. These are most common in hotels. In the typical configuration, you open your web browser and are prompted to enter a name and password in the browser to access the network. This may look secure, but this is really nothing more than leaving your home for vacation, closing the front door, but not locking it.

The next level brings us some security. This is when the wireless base station has been configured to encrypt all data using the WEP encryption protocol. WEP was the first commercial encryption for WiFi, but it was quickly compromised. With current laptop computers it can take a hacker less than 2 minutes to break into the network and read your data streams. Keeping with the analogy, think of leaving your home for vacation, locking the front door, but leaving the key under the mat.

At the highest security level we have networks using WPA encryption. There are two flavors of WPA: WPA and WPA2. Though WPA has been compromised, it takes enough effort to break in that the possibility is very low. WPA2 has not yet been compromised and represents the gold standard for wireless encryption. Think of leaving your home for vacation, locking all doors and windows, putting bars on the windows, and drawing the curtains.

If you are connecting to either a WPA or WEP network, it will be obvious from the authentication window. Below is the authentication window for our guest network:
[Image: Airport Authentication Screen]
Note that the first sentence mentions requiring a WPA password. This tells you the network is WPA-encrypted. The same would be true for WEP.

So, does this mean that unless you are connected to a WPA network you shouldn’t even be on that network? Not at all. If I need to surf the web, what do I care that some hacker can see that I’m visiting Apple, Google, etc.? On the other hand, if I need to buy equipment over the Internet using my credit card or log into an account with my name and password, it may be possible for others to harvest that information. More on this a bit further down.


ETHERNET SECURITY

Just because you are connected to the network via an Ethernet cable doesn’t mean you are secure either. Unless you know the network (meaning, it is your home or your business), the network should be considered untrusted and insecure.

Keep in mind that while you are on an Ethernet network, your data travels through the Ethernet cable, possibly through any number of hubs and switches, eventually finding its way to the router or modem, and then onto the Internet. Unless you have a very sophisticated network, all of that data is unencrypted. If a hacker can plug into your network from another Ethernet port, they can run a sniffer program that will read all of the data passing through that cable. It gets worse. Since every time an electron moves along a conductor it creates an electromagnetic wave, your data passing along the Ethernet cable uses it as a giant antenna, broadcasting itself. Though I have not seen off-the-shelf devices that can read these signals, I have seen them in use by corporate spies, and the US government has the ability to reach down 22,500 miles from space to read these signals from satellite.


SECURING YOUR DATA ON A WIRELESS OR ETHERNET NETWORK

Web Browsing

The only way to secure your data when browsing the web is to be using an SSL-encrypted web site. This is entirely out of your control (except for your own web site), but you can easily determine if you are on such a site. Take a look at the following Facebook login page:
[Image: Facebook Login page]
Note the URL: “http://www.facebook.com”. What is important here is the “http”. This indicates that the page is not secure, and that any data one inputs is sent in the clear for anyone sniffing to read. This is why my friend’s Facebook account could be hacked.

Now take a look at the login page from Authorize.net:
[Image: Authorize.net authentication page]
Note the URL: “https://secure.authorize.net”. What is important here is the “https”. The “s” indicates SSL encryption. The data one enters here is fully encrypted. Someone with a sniffer will see the data, but it will be gibberish that cannot be understood or used.

Bottom line: If you need to enter a name and password, or other sensitive information, into a web page while on a WiFi or Ethernet network, make sure at least one of the following is in effect:
  • You know that you are on a WPA-encrypted network.
  • You know that you are on a trusted Ethernet network.
  • The web page into which you are entering your data has an “https” at the beginning of the URL, not “http”.

Email

Email presents its own set of security problems. When your computer connects to your email server, it sends your user name and password. Then as you send and receive email, that is data that can also be sniffed from the WiFi or Ethernet broadcast.

If you know you are on a WPA network, it isn’t an issue. But if you are not (or you are using an untrusted Ethernet network), then you either need to know that your email server is using encryption, or don’t use email. To determine if your email server is using encryption (assuming that you are using the built-in Mail.app in Mac OS X):
1. Open your Mail application.
2. Select the Mail > Preferences menu.
3. Select the Accounts icon at the top of the window.
[Image: Mail.app Preferences]
4. From near the bottom of the window, click on the “Outgoing Mail Server (SMTP)” pop-up menu to select “Edit SMTP Server List”.
5. From the list at the top, select your account.

[Image: Mail.app SMTP preferences]

6. About halfway down, verify that “Use Secure Sockets Layer (SSL)” is enabled.
NOTE: If it is not enabled, do not enable it or you will not be able to use your email. Instead, contact your email provider (such as Comcast, Google, MSN, Qwest, etc.) and ask tech support for how to enable SSL for your email account.

7. Click OK.
8. Click the “Advanced” tab.
9. Select your email account from the side bar.
[Image: Mail.app Advanced preferences]
10. Verify that “Use SSL” is enabled.
NOTE: If it is not enabled, do not enable it or you will not be able to use your email. Instead, contact your email provider (such as Comcast, Google, MSN, Qwest, etc.) and ask tech support for how to enable SSL for your email account.
11. Close Mail Preferences.

Bottom line: If you need to use email on a WiFi or Ethernet network, make sure at least one of the following is in effect:
  • You know that you are on a WPA-encrypted network.
  • You know that you are on a trusted Ethernet network.
  • Your email account is configured to use SSL encryption.
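The Mail.app checkboxes show what the client is set to do; the outgoing (SMTP) server can also be asked what it supports. The following is an added example, not part of the original post: it goes slightly beyond the steps above by distinguishing SSL from the first byte (port 465) from a plain connection that offers an upgrade (the STARTTLS extension). The function names are hypothetical and the server replies are constructed.

```python
import smtplib
import ssl

IMPLICIT_TLS_PORTS = {465}  # SMTP wrapped in SSL/TLS from the first byte


def offers_starttls(ehlo_transcript):
    """True if a raw EHLO reply ("250-..." lines) lists the STARTTLS extension."""
    for line in ehlo_transcript.splitlines():
        code, sep, text = line[:3], line[3:4], line[4:]
        if code == "250" and sep in ("-", " ") and text.strip().upper() == "STARTTLS":
            return True
    return False


def classify(port, starttls_offered):
    """Map what the server offers onto the encrypted / not-encrypted question."""
    if port in IMPLICIT_TLS_PORTS:
        return "ssl"          # everything, including the login, is encrypted
    if starttls_offered:
        return "starttls"     # encrypted only if the mail client turns SSL on
    return "cleartext"        # name, password and mail are readable by a sniffer


def probe(host, port, timeout=10):
    """Live check of your own provider's server (needs network access)."""
    if port in IMPLICIT_TLS_PORTS:
        ctx = ssl.create_default_context()  # verifies the server certificate
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx):
            return classify(port, False)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return classify(port, smtp.has_extn("starttls"))


# Constructed EHLO replies from two hypothetical providers.
WITH_TLS = "250-mail.example.test\n250-SIZE 35882577\n250-STARTTLS\n250 AUTH PLAIN LOGIN"
WITHOUT_TLS = "250-mail.example.test\n250-SIZE 35882577\n250 AUTH PLAIN LOGIN"
```

A result of “cleartext” matches the case in the NOTE above: the provider has to enable SSL on its side before the checkbox in Mail.app will work.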