Beware the evil twins of wireless!

There’s a rather strange report on The BBC News web site about “evil twins”, wireless hotspots that are evil, but that pretend not to be evil. Apparently:

“Users need to be wary of using their wi-fi enabled laptops or other portable devices in order to conduct financial transactions or anything that is of a sensitive or personal nature,” said Professor Brian Collins, head of information systems at Cranfield University.

It strikes me as a non-story – anyone remember the panic over “bluejacking” that would enable villains to eat your mobile phone using space power, or some such guff? – but it does raise a salient point: people forget that the whole point of wireless networking is that there aren’t any wires and it travels through walls. That means traffic can be intercepted, and if you connect to a network without any security on it whatsoever before doing something private, such as online banking, then you’re a bloody idiot.

I wrote about laptop and wireless security for Laptop Magazine a few months back. Here’s a quick extract:

If you’re using Wi-Fi wireless networking, it’s possible for others to listen in… some simple precautions can prevent this. Don’t give out sensitive information on sites that aren’t secure (secure sites have addresses beginning with “https” instead of “http”), ensure you’re connecting to the correct network and not someone else’s computer, and make sure your wireless network’s security features are enabled.

In another issue of the same magazine, I pointed out that you need to take precautions at home, too.

In the US, many home users are unwittingly sharing their broadband connections – and possibly their secret files – with complete strangers, once again because they haven’t taken any security precautions. Running even a simple home Wi-Fi network without switching on the security features is like leaving your door unlocked when you go on holiday.

The BBC article does make one important point, though: by default, new wireless kit doesn’t tend to have its security systems enabled, so if you don’t switch it on then your wireless kit is wide open. Here’s a very quick example: in my flat I’m in range of two wireless networks other than my own. One of them has the network name “Belkin54g”, which indicates that it’s Belkin kit and that the user has stuck with the default settings – which means even the simplest security measures are switched off. Can I connect to that network? Of course I can.

However, it’s important to keep wi-fi security, hackers and other heavily hyped nasties in perspective. If you’re out and about, the biggest single danger to your data is that you’ll lose or smash your laptop, or that someone will nick it. Back to that Laptop Magazine article:

[laptops are] vulnerable to all kinds of dangers. Just ask the boss of technology firm Qualcomm: in 2000, Irwin Jacobs delivered a presentation to a group of journalists and then chatted to his guests. Although he was only a few feet from his machine, someone stole his laptop.

According to research firm Gartner, one in ten laptops is stolen every year. The UK government lost more than 1,300 laptops in 2001 alone, and a recent MORI survey on behalf of Microsoft suggests that over the next 12 months, UK firms will lose 67,000 laptops to thieves. However, theft isn’t the only problem: Gartner also reports that 15% of laptops will suffer hardware failures, and MORI suggests that 100,000 laptops belonging to UK firms will suffer serious damage in the next twelve months.

Theft or hardware failure is even worse when the machine contains valuable data, as heart specialist Dr Abdul Karim Duke discovered in January when his laptop was stolen. The machine contained a research project on children’s heart conditions, which represented years of work – and the doctor didn’t have a backup copy. The doctor isn’t alone: Microsoft’s MORI poll found that 27% of UK small businesses don’t backup key data. As John Coulthard, head of small business for Microsoft UK explains: “The MORI study revealed that half the respondents believed their laptop was susceptible to theft, yet more than a third did not make copies of confidential files.”

As if the threat of theft or failure wasn’t bad enough, there are other worries too. Viruses and Trojan horse programs can cause chaos on your computer, while the press is full of stories about hackers attacking businesses. Oh, and did we mention industrial espionage, human error and toddlers filling your keyboard with jam?

Don’t underestimate the power of stupidity, either.

When you’re choosing passwords, try to avoid anything that can be guessed: pets’ names, the names of relatives, maiden names, car registration numbers, commonly used phrases or the word “password”. And never, ever let anyone know what password you’ve chosen. If that sounds like common sense, it isn’t that common: in April, InfoSecurity Europe 2003 found that 90 per cent of office workers gave out their passwords at Waterloo Station in exchange for a promotional pen. The most common password was “password” (12 per cent) while 16% of people used their own name, 11% used their favourite football team and 8% used their date of birth.

One man refused to give out his password, saying: ““I am the CEO, I will not give you my password – it could compromise my company’s information.” He then admitted that the password was his daughter’s name. The researcher asked, what’s your daughter’s name? “Tasmin,” he answered.

Of course, it’s much easier to nick a laptop than it is to try to guess passwords and hack into a system.

Laptop theft is big business: in the Thames Valley Police area alone, 1,229 laptops were stolen in 2000 and 1,570 in 2001. Many of those machines were the result of opportunist theft, where computers were stolen from pubs or parked cars; for example, some of the MOD’s missing laptops that hit the headlines were left in the back of taxis or stolen while the owner bought a train ticket. Because laptops are so easy to steal – and so easy to sell – it’s essential to be vigilant, especially in public places.

If someone breaks into your car and nicks your notebook, you could be in for a shock: many insurance policies have strict cover limits, so for example your car insurance may only cover you for theft of items up to £200. It’s worth checking your policy carefully to make sure that your laptop will be covered if someone breaks into your car and steals it.

If your laptop was stolen because it was clearly visible from outside the car, the policy may not pay out. Most insurers have a get-out clause that requires you to take “reasonable precautions… to safeguard the lost or damaged property.” Given that most thefts from cars are the result of a broken window or popped door lock, if you must leave your laptop in the car then lock it securely in the boot – even when you’re driving. If your laptop is sitting on the car seat, it’s easy for someone to grab it while you’re stopped in traffic.

9 thoughts on “Beware the evil twins of wireless!

  1. gusto says:

    This story strikes me as, er, bollocks. Surely if you want to listen in on someone’s wireless traffic and steal their online banking details it’d be easier to simply set up an open access point that anyone can connect to than to bother trying to emulate someone else’s access point with a stronger signal? I just don’t quite get the point of the article, or the countless others that are running: is it that we should secure our own wireless connections, or that we should be terrified of connecting to wireless connections in net cafes, or is it just that we should be scared of the internet (again)? Or is it bollocks?

  2. Gary Marshall says:

    My money’s on “bollocks” :-)

    Gusto, is your weblog ready for public consumption yet? I was going to link to it but I’ve lost the URL…

  3. Squander Two says:

    On my last network (haven’t got one at the minute [sniff]), I just specified the MAC addresses of the devices that were allowed to link to the access point. How’s that for security? Good or crap?

  4. Gary Marshall says:

    Pretty good, because it locks out unauthorised machines from your network. Doesn’t prevent eavesdropping with l33t h4x0r t00lz, though. Although I doubt that’s a big problem for many people.

  5. David says:

    Jo – the mac thing isn’t too bad from one point of view – someone is unlikely to be able to be able to connect to your network but the traffic itself is unencypted so can be intercepted by someone dead clever – although the chances of someone wasting those sort of resources on you is pretty unlikely. I would reckon that for home use that is perfectly acceptable – but I wouldn’t recommend it for corporate stuff (not counting the pain in the arse admin involved!) Mind you, it is possible to spoof mac addresses.

    Gusto – I think security – especially wireless – is something that is completely ignored by most users. Whether it is at home or from an access point. Most home users think it is a great idea to be able to share files with other computers in the house and to do so they have a tendency to open everything up (because doing it properly is a pain) which, if not using any wireless security, opens every file to anyone who wants it. As far as the access point emulation goes – i

  6. David says:

    OUt of interest – this truncates your comments if you ramble on a bit.

    Basic gist of rest of it –

    Blah, blah, blah waffle waffle.

    Laptops – buy encryption software to protect your data.

    That’s about it.

  7. Gary Marshall says:

    Sorry david, because I’m on the free version of Haloscan it tends to chop long comments :(

Comments are closed.