How Safe is My Laptop WiFi?

[BPSCG]

Recently bought a used laptop with a WiFi card on eBay. We have a cable modem in the house that connects to a wireless router that broadcasts to my desktop PC upstairs. I set it up with WEP security, including a ten-digit encryption key, so people driving by the house can't poach my router's signal.

I set the laptop up to communicate with the router, using that encryption key. But while that encryption key protects the signal being broadcast from the router, does it protect the signal being broadcast from the laptop? In other words, if I have the laptop outside at some public hotspot, am I broadcasting my signal in clear, to anyone who wants to intercept it - along with my logon IDs and passwords?

If so, how do I deal with this? Additional software? Recommendations?

Thanks, all.

 

[RyanRoberts]

WEP is link layer encryption using a shared key, traffic to / from your router is an encrypted stream. WEP itself is pretty useless though, if someone actually wants to break in, they can do so in a few hours with easy to find tools. Switch to WPA2 if you can.

 

[BPSCG]

WEP is link layer encryption using a shared key, traffic to / from your router is an encrypted stream. WEP itself is pretty useless though, if someone actually wants to break in, they can do so in a few hours with easy to find tools. Switch to WPA2 if you can.

Okay - not sure I can do that (older router, only does 11 MBPS), but assuming I could, would that secure data being sent from my laptop in a public place?

 

[RyanRoberts]

Yes, it secures communication in both directions.

 

[ShowMe]

if I have the laptop outside at some public hotspot, am I broadcasting my signal in clear, to anyone who wants to intercept it - along with my logon IDs and passwords?

If you log into a public hotspot & use their router then you are using their encryption. But even if it is encrypted & they give you the key it isn't encrypting your data.

Were you to log onto my wireless network and not have the appropriate safeguards in place I would be able to read the informaiton coming from your system as easily as you're reading this message.

 

[merentha]

Since most free hotspots don't have any security encryption enabled, so that means they're close to useless except for suicidal surfers? Or are there any ways for users to protect themselves when using these free hotspots?

 

[BPSCG]

If you log into a public hotspot & use their router then you are using their encryption. But even if it is encrypted & they give you the key it isn't encrypting your data.

Were you to log onto my wireless network and not have the appropriate safeguards in place I would be able to read the informaiton coming from your system as easily as you're reading this message.

Since most free hotspots don't have any security encryption enabled, so that means they're close to useless except for suicidal surfers? Or are there any ways for users to protect themselves when using these free hotspots?

And that's my concern. I read an article the other day that said the guy sitting on the park bench across from you may be in fact intercepting your transmissions, including your logons and passwords. How do I prevent that, apart from never using the laptop to connect to the web outside an interior room of my house?

 

[stormer]

Actually, this really is a problem with the data being able to be read.

The only thing I try to do at a public hotspot is to surf the net - no online banking, no checking email (both webmail or downloaded), no logging on to the server I maintain, etc, etc. Basically, no logons or passwords.

Kind of really limits what I can do at a public hotspot. If I really need to make an internet connection when I am out and about, I'll use my mobile phone (ouch, not free) instead of a public hotspot.

 

[merentha]

Over here in Singapore, the government is planning to link the entire island state with free public access wifi from January 2007 in the hope to promote IT literacy in the citizenry. Since I often detect two neighbours on average (don't know if they're the same guys since the SSID for both are "LINKSYS" after their router) who don't have any encryption on their home wireless network, with the rest on WEP and only one other guy on WPA, I can just foresee trouble ahead.

That I can detect their networks is already cause for concern. One should always hide the SSID.

 

[RyanRoberts]

And that's my concern. I read an article the other day that said the guy sitting on the park bench across from you may be in fact intercepting your transmissions, including your logons and passwords. How do I prevent that, apart from never using the laptop to connect to the web outside an interior room of my house?

Its not a problem in your house, on your network, unless your WEP/WPA key has been compromised. If you are using a public access point, with no encryption then you might want to think about setting up a VPN or at least using an https proxy of some sort for web access.

This is an inexpensive hardware VPN solution. Not as inexpensive as when you could install a custom linux kernel on their earlier models though..

 

[BPSCG]

Its not a problem in your house, on your network, unless your WEP/WPA key has been compromised. If you are using a public access point, with no encryption then you might want to think about setting up a VPN or at least using an https proxy of some sort for web access.

No, that's not my concern; I use WEP in the house, and I'm satisfied it hasn't been compromised. My concern is, what happens when I go outside, to a Starbucks, or an airport, or a hotel? Am I broadcasting my logons and passwords unencrypted to anyone who cares to intercept them? If so, how do I deal with that?

 

[RyanRoberts]

Yes, you are. The best way to deal with that is to set up a VPN server on your home router, so you can securely use your own connection - VPN protocols create an encrypted tunnel over the internet, so any man in the middle will not be able to sniff your connection.

 

[BPSCG]

Yes, you are. The best way to deal with that is to set up a VPN server on your home router, so you can securely use your own connection - VPN protocols create an encrypted tunnel over the internet, so any man in the middle will not be able to sniff your connection.

You mean if I set up a VPN server at home in Virginia (the east coast) and I'm off in California or something, I can do my online banking securely?

Sounds weird. I think I need to check this out...

 

[MortFurd]

Over here in Singapore, the government is planning to link the entire island state with free public access wifi from January 2007 in the hope to promote IT literacy in the citizenry. Since I often detect two neighbours on average (don't know if they're the same guys since the SSID for both are "LINKSYS" after their router) who don't have any encryption on their home wireless network, with the rest on WEP and only one other guy on WPA, I can just foresee trouble ahead.

That I can detect their networks is already cause for concern. One should always hide the SSID.

Hiding the SSID won't help at all. Anyone who is really out to get into your network (recover your WEP key) is going to be able to locate your wifi network whether your SSID is hidden or not.

 

[ShowMe]

You mean if I set up a VPN server at home in Virginia (the east coast) and I'm off in California or something, I can do my online banking securely?

Sounds weird. I think I need to check this out...

In theory, yes. At least against the "man in the middle" attacks that RyanRoberts mentions.

It would be theoretically possible that someone could set up a wifi spot & set up network eyes to "watch" everything you do. A VPN would alleviate most, but not all of the risk.

A good firewall will help, as will a good antivirus solution and a good spyware solution. Each of these can scan your system as you're online to make certain nobody is watching you.

If someone gets a keystroke recorder on your system they can follow your keystrokes. If I were an incredibly evil pereson I would set up a free hotspot in which you had to download a "key" that would consist of everything you needed to connect, as well as a keystroke recorder.

Keep in mind I am hopelessly paranoid about such things. Someone would have to go through an awful lot of trouble to set up such a scenario, and most folks who are after your records are looking for far easier targets.

 

[nescafe]

The only thing I try to do at a public hotspot is to surf the net - no online banking, no checking email (both webmail or downloaded), no logging on to the server I maintain, etc, etc. Basically, no logons or passwords.

For the most part, I do not care about cleartext communications over public access points -- all noncritical accounts use throwaway passwords, and I force IM clients etc. to use a secure protocol if one is available.

With respect to online banking, if your bank does not force you to use https when managing your accounts you should get a new bank.

If you use webmail services, most of them will allow you to check your email using HTTPS instead of HTTP.

If using POP3/IMAP/SMTP for email, your ISP should offer secure variants of those protocols (all of them support in-line TLS encryption, IIRC). Looking into how to configure your email to use those secure variants is a Good Thing in general.

As far as not remotely admin'ing your server, stormer, you should know that the best thing to do there is to install Secure Shell (if remotely adminning unixen), and install Secure Shell and tunnel RDP over it (if remotely admining Windows).

Link-layer security is no substitute for application-layer security.

 

[gnome]

Okay, I'm not sure I'm clear on the risk of using a public wireless hotspot. Is the risk that someone will actually intercept the signals you are giving out and obtain information from it, or is the risk of someone USING the signal to connect to your machine, and run hacking software on it to SEND information to them?

A good firewall/antivirus/antispyware will protect against the latter, but not the former.

 

[stormer]

Link-layer security is no substitute for application-layer security.

Absolutely agree. But would you want both layers of security, or only one if you could?

And thanks, made me remember something I wanted to do with a server on ddns at home.

 

[nescafe]

Absolutely agree. But would you want both layers of security, or only one if you could?

Well, at home I run with wpa2-ccmp on the wireless (mainly because I do not want people leeching my bandwidth), and when not at home I do not sweat it because I already do Paranoid By Default (secure app-layer protocols where possible, throwaway accounts with throwaway passwords where not). If you are already using app-layer security, tho, link-layer security is gilding the lilly.

It rather amuses me to see the other posters on this thread implying that you should be more concerned about spyware and such when using a public access point -- one of the hats I used to wear at work for Four Letter Computer Company was The Guy Who Knows Everything About Spyware. There is no greater chance of getting a virus or a spyware infection at a public access point than at home or at work -- there really is no substitute for keeping things patched and being paranoid in your surfing and downloading habits. Here are a few simple steps I have used to keep my Windows boxen virus and spyware free for years:

• Always have the firewall enabled. Learn how to effectivly configure whatever firewall you are using. I get by just fine with the Windows firewall.
• Never use Internet Explorer unless a specific website you have to access demands it. Instead...
• Use Firefox + Adblock + a throurough adblock.txt. The overwhelming majority of spyware installs happen by exploiting the web browser through any one of the ad serving networks, because it is cheap and easy to purchase a banner ad, and you can hit millions of machines at once. If your web browser never talks to the ad servers, you have closed off the single largest infection vector (not to mention web browsing is so much nicer without all the ads).
• Use webmail over https for non work-related email. This avoids whole classes of attacks targeting the huge, gaping security hole we call Outlook Express. If you must use a standard email client, use Thunderbird and configure it to only use the secure variants of the email protocols.
• For instant messaging, use an all-in-one client such as Gaim or Trillian.
• Any email asking you for your account information or passwords is lying.
• On the internet, everything is guilty until proven innocent. Any email asking you for your account information or passwords is lying, and any file you download should be scanned. Password protected .zip or .rar files should be deleted without opening them unless you are absolutely certian the file is safe.
• And, for $DEITIE's sake, never open an attachment included in an email unless you are absolutely certian that it is what it says it is.

This combination has kept me spyware and virus free on my Windows machines for years.

And thanks, made me remember something I wanted to do with a server on ddns at home.

SSH? SSH has been My Friend for... has it really been more than a decade? Wow... how time flies...

 

[nescafe]

Okay, I'm not sure I'm clear on the risk of using a public wireless hotspot. Is the risk that someone will actually intercept the signals you are giving out and obtain information from it

Yes. Sitting at a public AP with kismet or wellenreiter open, I can watch the cleartext go by, and it is the easiest thing in the world to log all the packets to a file and scan them for username/password pairs*.

or is the risk of someone USING the signal to connect to your machine, and run hacking software on it to SEND information to them?

As long as you have a firewall running and set to deny-by-default, you should not have to worry about this at all.

A good firewall/antivirus/antispyware will protect against the latter, but not the former.

Actually, no -- a firewall is your first line of defense here. If your machine is not listening for incoming connections it cannot be easily attacked, and most attackers will go looking for easier prey.


[*]Not that I would ever do this.