Thursday, August 27, 2009

Using public networks

Someone recently sent me a Fox News article from about a month ago. It’s about risks of using public networks, specifically wireless ones — while the issue isn’t limited to wireless, few people wire themselves in any more.

The newest trend in Internet fraud is “vacation hacking,” a sinister sort of tourist trap. Cybercriminals are targeting travelers by creating phony Wi-Fi hot spots in airports, in hotels, and even aboard airliners.

Vacationers on their way to fun in the sun, or already there, think they’re using designated Wi-Fi access points. But instead, they’re signing on to fraudulent networks and hand-delivering everything on their laptops to the crooks.

“More and more people are traveling with Wi-Fi devices like smartphones and laptops,” says Marian Merritt, Internet safety advocate at the computer-security giant Symantec. “Airports and airlines and hotels are responding. They’re setting up free Wi-Fi networks to lure in customers. Now they’re luring in hackers as well.”

The problem here is that there’s a lot of misunderstanding about what the risks are and what to do about it. The advice in the article is fine, as far as it goes, but at the same time it instills unnecessary fear and yet doesn’t go far enough.

Let’s start with advice I gave a long time ago: never, ever use a public computer to log into anything. The computer may be logging your keystrokes, or doing any manner of snooping, man-in-the-middle attacks, and such. Use Internet cafes, kiosks, and other public computers only to look things up... only, in other words, for public stuff.

Now, what about connecting your computer to an unknown network? (And by “computer”, I include iPhones and other PDAs, Kindles, and any other device that gets on the Internet.)

When you connect to any network, everything you send to and receive from the Internet goes through that network. And, so, everything you send to or receive from the Internet can be recorded. Also, your traffic can be redirected (using phony routing or phony DNS resolution). But:

  1. What you do locally on your computer can not be recorded. In particular, an attacker can’t do keystroke logging.
  2. If your computer is properly secured, files on your computer are safe. The attacker can’t read them or tamper with them.
  3. If your computer is properly secured, no one can install malware (or any other software) on your computer.
  4. If you have a proper, secure connection to a service provider, even though your network traffic can be recorded by the network, the encrypted data will be undecipherable and useless.

And that all means that you can safely do a lot more with your own computer on someone else’s network, provided that your computer is properly secured and that you’re certain you’re using secure connections to your email service, your credit-card company, and your stock broker.

Let’s look at some advice from the article, and then come back to the question of what that last paragraph means:

Beware of “Evil Twins.” Some Wi-Fi networks look legitimate but are actually dummy networks created by criminals. Even if they contain the name of your airport, airline or hotel, they will directly link your computer to the hacker’s. If you always use the official access keys provided by the establishment, then you should be safe.

I disagree with this item completely. There is absolutely nothing that will prevent an attacker from setting up an “evil twin” that you can not distinguish from the real network. The network’s name is public. The WEP key or WPA password is given to all users, so the attacker can get it too. The attacker can easily set up an access point that looks exactly like an “official” one. If you have to go through a login screen on your first web access, the attacker can mimic that. If you have your own, unique sign-on password, the attacker can just accept whatever you type, and you’re none the wiser.

It makes no difference whether you’re using “official access keys provided by the establishment.”

It is possible to protect users from evil-twin attacks, but it involves more setup work than any public network is willing to do. So you have to protect yourself, by making sure that your computer is protected:

  1. Do not run Internet applications that you don’t need to have running. Do not, for instance, have iTunes running if you’re not using it. Do not, for instance, have anything running that lets someone log into your computer or access its files remotely. Shut down file sharing, FTP or Telnet servers, and the like.
  2. Do run firewall software. That should be superfluous, but if you’ve forgotten something in number 1, the firewall will back you up in number 2. Configure the firewall to block everything incoming when you’re on a public network, and be sure to switch to that setup.
  3. Be especially careful to use secure web connections (SSL/TLS, HTTPS), and be sure you use your own, trusted bookmarks to get to the web sites.
  4. Never accept any security-related warnings when you’re on a public network — just go away, and come back when you can trust your network.

That last point is crucial, and is missing from the article’s suggestions. It helps to understand how the SSL “certificates” work:

  1. BigBank owns the domain bigbank.example.
  2. BigBank goes to a known certificate authority and gets a security certificate for bigbank.example, signed by the certificate authority. Note that this doesn’t mean that the CA says that bigbank.example is a good domain — only that the certificate is vouched for.
  3. You visit https://bigbank.example in your web browser to log in.
  4. As part of the HTTPS interaction, the web site sends your browser the certificate.
  5. Your browser knows about the certificate authority, and accepts the certificate as credentials for the web site.
  6. Your browser compares the domain name in the certificate with the domain name in the web site’s URL. This is a key point, and you must not ignore warnings from this step. If the network surreptitiously redirects you to b1gbank.example, the fake web site might actually have a valid certificate for that domain, but it won’t match the requested bigbank.example.
  7. Your browser responds to all this by establishing a secure, encrypted channel to the web site, and by displaying some indications of that in the user interface — there’s usually a padlock symbol in the browser frame, an “https” URL in the address bar, and maybe some sort of colour coding around the address bar as well. Do not be fooled by any padlock symbols in the web page itself, and look only for the trusted one in the browser frame.
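
Step 6 is the check that defeats a redirect, so here it is as an added example (not code from the article or from any browser): a simplified host-name match over certificate dictionaries shaped like the output of Python's ssl.SSLSocket.getpeercert(), next to the client setting that corresponds to clicking through a warning. The two certificates are constructed samples and the function names are made up for this illustration.

```python
import ssl

# Constructed sample certificates, shaped like ssl.SSLSocket.getpeercert() output.
REAL_CERT = {"subjectAltName": (("DNS", "bigbank.example"), ("DNS", "*.bigbank.example"))}
FAKE_CERT = {"subjectAltName": (("DNS", "b1gbank.example"),)}  # valid, but for another name

def dns_names(cert):
    """DNS names the certificate vouches for."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """Exact match, or '*' standing for exactly one left-most label (simplified)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # The wildcard covers one label only and never a whole registered domain.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_valid_for(cert, requested_host):
    """Step 6: compare the certificate's names with the name the user asked for."""
    return any(name_matches(n, requested_host) for n in dns_names(cert))

def strict_context():
    """Library defaults: chain and host name are both verified; a mismatch aborts."""
    return ssl.create_default_context()

def click_through_context():
    """What accepting the warning amounts to: neither check is performed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    wanted = "bigbank.example"          # the name from the user's own bookmark
    for label, cert in (("real site", REAL_CERT), ("redirected site", FAKE_CERT)):
        verdict = "proceed" if cert_valid_for(cert, wanted) else "go away"
        print(f"{label}: {verdict}")
    print("strict checks host name:", strict_context().check_hostname)
    print("click-through checks host name:", click_through_context().check_hostname)
```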

If you are sure that you have an encrypted connection to the correct web site, it’s actually OK to enter passwords, account numbers, and other personal information there. But only do so if you understand how to check for a valid SSL/TLS connection, and you’ve used a trusted bookmark to get there.

And stick to using insecure connections for reading the New York Times, and Staring at Empty Pages.

1 comment:

Sue VanHattum said...

Wow. Thanks, Barry. Mostly security articles don't faze me, or go over my head. This one makes sense. Using wireless is dangerous. I won't shop online over wireless, or check my bank account. I will find out how to log in to my email through https.