
Is your Wifi secure?

Rob Unsworth - editor | 12:55 UK time, Thursday, 29 October 2009


Wi-fi hot-spots across the country are not secure and are vulnerable to attack.

An investigation by Watchdog has revealed that the UK's top three wi-fi providers, BT Openzone, The Cloud and T-Mobile, are all susceptible to attack by hackers, leaving tens of thousands of users at risk of fraud.

Thousands of these hotspots are available nationwide in hotels, trains, airport lounges and high street food outlets but they may not be as safe as some users had anticipated.

According to Tom Illube, from internet security firm Garlik, over the last year there has been a 207% increase in 'account takeover fraud', where criminals try to access existing accounts rather than using stolen identities. In light of this he thinks the vulnerability of wi-fi hotspots is worrying.

Tom Illube said: "I think a lot of people don't realise that using public wi-fi that's insecure is pretty much like writing your bank details onto a postcard and popping it in the post and being surprised that someone's read it."

Watchdog used equipment readily available on the internet to hijack wireless traffic at a variety of hotspots, while experts working with the programme-makers could have been able to take control of other hotspot users' internet accounts. Once inside these accounts, malicious hackers would have then been able to harvest masses of personal data which could enable them to access the users' accounts on a variety of websites, including those for shopping and banking.

Watchdog asked Crimewatch presenter and former policeman Rav Wilding to set up an email account on a laptop at a wireless hotspot. The Watchdog team were able to access Rav's email within seconds before freezing him out of his account altogether. So although Rav was no longer able to use his email, the team still had full access to it.

The Watchdog team were also able to access the email accounts of two members of the Watchdog audience, viewing everything the users were doing online, including their email and social networking activities.

Believing the process demonstrated by Watchdog is particularly alarming as it does not require particularly high-level skills or know-how, Tom Illube also said: "You don't have to be a super hacker to get into this sort of information and therefore it's becoming more widespread and we as consumers need to be more careful about how we use them and what we use them for."

One way of protecting wi-fi connections at public hotspots is to use a Virtual Private Network or VPN. Although BT Openzone, The Cloud and T-Mobile all suggest using VPNs, only T-Mobile offer them as a software download when users log on.

Following Watchdog's investigation the three big hotspot providers told the programme that they would do more to encourage the use of VPNs to protect wi-fi users.


BT Openzone Statement:
"BT Openzone offers encryption at log-in, a standard used by all global Wi-Fi operators. To help customers receive a safe, reliable and robust Wi-Fi service we also advise using up to date firewall and anti-virus software to guard against most attacks. We have always strongly recommended a secure remote access virtual private network (VPN) to protect against data interception. The industry as a whole has a responsibility to give users the option to choose to keep their sessions secure."

"We constantly review our approach to security and there will now be a direct link to security guidance from the BT Openzone landing page. We are also reviewing our proactive approach to providing secure and user friendly authentication."

"Security threats evolve and we constantly review our policies to combat these. The security measures we recommend are adequate against most attacks. In the instance of a cookie-based attack, our advice protects customers to the best of our ability."
"Our security advice protects our users from most attacks if executed to the letter however the industry as a whole has a responsibility to give users the option to choose to keep their sessions secure."

"Following your investigation, our landing pages at the hotspots will now feature a direct link to the relevant BT security information."

"BT Openzone provides encryption at log-in, and we advise customers to follow basic and familiar security measures including firewall and anti-virus software, plus installation of a VPN. Solving this type of attack requires BT to provide the above solution and for all technology suppliers to give users the option to choose to keep their sessions secure, which means their cookies are not recorded."

"BT is in the process of reviewing its approach to providing secure and user friendly authentication. This will include continued review of our frequently asked questions ("Common questions") pages."

"...we constantly review our approach but will take two immediate steps regarding the location of security information and reviewing our provision of secure and user friendly authentication."

The Cloud:
"The Cloud welcomes the opportunity to respond to the questions posed by Watchdog regarding the security aspects of public Wi-Fi networks. We take security very seriously and adhere to all of the current industry standards and protocols to run our networks.
The Cloud operates an Open (unencrypted) Wi-Fi network in the UK. It is the industry standard for Wi-Fi Internet Service Providers and is adopted by the vast majority of operators worldwide. It is considered a reasonable trade-off between ease of use, simplicity of deployment and security of access."

"Wireless communication in a public place however is intrinsically subject to threats and malicious security attacks. The use of private keys, such as WEP (Wired Equivalent Privacy) and more recently, the not entirely secure WPA (Wi-Fi Protected Access) protocols, are not suitable for public hotspots particularly when using mobile and hand-held devices, as the users would have to obtain security credentials before being able to access the network. This would make accessing the Internet beyond the skill levels of ordinary consumers."

"The Cloud has put in place a number of features which allows safer internet access. These are within the limitation of using unencrypted channels for wireless transmission between the User's computer and the Wireless Access Point. Among other features, The Cloud network includes:

- Firewalling and Network Address Translation, ensuring protection of the users within the hotspot from attacks generated elsewhere on the Internet.

- SSL (Secure Sockets Layer) encryption technology to protect sensitive details such as user names, passwords and credit card details when you interact with any of our hotspots. The SSL standard is used by a wide variety of online providers such as online bank accounts and provides protection from the interception of sensitive data by third parties, as well as the misrepresentation of access control and credit card processing services.

- Unrestricted internet access and VPN (virtual private network) pass-through, which allows clients to use their own VPN clients to connect to their home or corporate network securely.

"Ultimately, when using an unencrypted wireless channel, the responsibility for securing the end user device (laptop or Smartphone) must rest with the end user. Many Wi-Fi hotspot users do not fully understand the risks associated with using open wireless networks, so it is imperative that users must also take precautions."

In response to some of the specific questions you raise:

Cookie replay and Man in the middle attack
Cookie-Replay and Man-In-The-Middle attacks are well-known threats for unencrypted wireless networks, which is the industry standard for providing public WiFi Internet Access.

The Use of VPN tunnels, which is fully supported by our network and encouraged in the support section of the website and landing pages, would minimize the risk of such attacks. We are looking at different VPN technologies for future developments with some of our partners, however many existing solutions are device specific making it difficult for the Wi-Fi operator to cover all eventualities.

Security awareness on The Cloud's hotspot landing page
We take on board your feedback regarding more obvious warnings about security vulnerabilities on The Cloud's hotspot landing page. We always intend to provide the clearest and most up to date information about security. Both our Website and landing page currently have a help section which covers security aspects of our Network (see below). We have already taken steps to ensure the section on security is more easily accessible via our website.

VPNs
"Our security information, accessible via our website and landing page recommends the use of VPN technology. However we do recognise that they are not currently user friendly, especially for consumers. We are looking at how VPN technology can be developed in the future with some of our partners, however many solutions are device specific making it difficult for the Wi-Fi operator to cover all eventualities."

"We should also point out that without sufficient security, the same type of attacks could happen on Home Wi-Fi networks, whereby a technically proficient person with ill intent can sit outside a domestic residence and carry out the same attacks as demonstrated by your researcher on our Hotspot."

T-Mobile:
"T-Mobile takes the security and privacy of its customers seriously, especially as broadband internet has become an essential tool for many people. Wherever people are accessing the internet, whether at home or on the move, there are a small number of hackers who will use their specialist knowledge to take advantage of others by accessing their information. While most of the time customers don't experience problems, T-Mobile takes steps to offer protection to users of Wi-Fi HotSpots. On the landing page of the HotSpot service, advice is prominently displayed alerting customers they should use free software provided by T-Mobile. This VPN (virtual private network) software encrypts the radio link between the laptop and the HotSpot, providing a level of security typically enjoyed by business users."

"While T-Mobile takes all reasonable steps to ensure the security of its infrastructure, security is also dependent on users taking care to protect their information. Basic best practice includes checking the privacy and security settings of their computers and that virus protection is in place. Additionally, when using sites which may involve providing confidential information, people should check that the closed padlock symbol is displayed, indicating that the site is encrypted and therefore secure."

"We have revised the wording on the HotSpot landing page to emphasise use of a VPN connection for optimal security."

Let us know what you think - have you had any problems? Are you worried about security?

Comments


  • 1. At 8:38pm on 29 Oct 2009, stupendouk wrote:

    If you always use the secure or https option with your email provider this should stop people snooping your password and username on a hotspot. In hotmail look for use enhanced security on the hotmail website.


  • 2. At 8:38pm on 29 Oct 2009, greenstanblog wrote:

    Yet another No S**t Sherlock story from Watchdog. The WiFi Providers and Windows itself warn you when you connect to a public HotSpot. The reality is that people do not read or (to be fair) understand the warnings. The risk of course does assume that someone is sitting there capturing the data. Of course, I'm sure there will now be more people researching how to do it and giving it a go with the information and tools on the internet. You also didn't report on how to help make your own home WiFi more secure (although these days it is built in more often than not). You mentioned VPNs with very little explanation. Why not spend more time telling people how to protect themselves and less time on childish "acting" and "interviews" etc!?


  • 3. At 8:42pm on 29 Oct 2009, midnightjammin wrote:

    I have a problem with my email account, I do not use Wifi, but someone is using my email address to send emails to foreign countries, I only know that they have been sent when they have been undelivered, what can I do to stop this


  • 4. At 8:45pm on 29 Oct 2009, mwalsh92 wrote:

    What am I supposed to do with my iPhone, usage of BT Openzone and the Cloud are included with my contract, and my iPhone automatically uses these hotspots when I am in range.

    So, does this mean when I am using my email, which I am always connected to on my phone, or use the other application, which include services like PayPal, my emails or personal details are at risk?

    Surely O2 who I have the contract with (which I am paying for), or Apple should offer some sort of protection, because without that I can not make use of all the services that I'm paying for safely.


  • 5. At 8:45pm on 29 Oct 2009, midnightjammin wrote:

    I have a problem with my email account, someone is using my email account to send emails to foreign countries, I do not use Wifi anywhere Just my home pc, I only know when they are undelivered and find them in my mail box what can I do????


  • 6. At 8:47pm on 29 Oct 2009, Jes7er wrote:

    Having just watched the programme, I think you could have indicated that if you use https (SSL) to access the web services users are NOT susceptible to this form of attack. Mail providers like gmail have an option to enforce secure login.


  • 7. At 8:48pm on 29 Oct 2009, mrxavia wrote:

    I do not understand how they can do this if people used secure websites (Secure Socket Layers), surely it's only a risk if you do not use secure sites??

    If the little padlock means nothing, what is the point in using it?


  • 8. At 8:51pm on 29 Oct 2009, g7rpo2009 wrote:

    This comment was removed because the moderators found it broke the House Rules.

  • 9. At 8:52pm on 29 Oct 2009, 1u1u86 wrote:

    This happened to me, somebody got hold of all my details after using a wi-fi hotspot on the train about 4 months ago. It wasn't until about 2 weeks ago after getting a bank statement that I realised that payments were being made on my debit card to several internet companies. My bank has assured me that they will refund all the money taken, but this could take up to 6 weeks and until then I have no access to my bank account and no money! I have also had to cancel 2 debit cards and 3 credit cards. I can't believe that somebody has been able to get not only my debit card number, but has also managed to retrieve other personal information from my computer such as my address, phone number and date of birth. This makes me afraid to even be in my own home.


  • 10. At 8:53pm on 29 Oct 2009, clarer1 wrote:

    I've a few questions about using WiFi in public places:

    1. I download email to Outlook rather than leaving everything in webmail. Can hackers get into my laptop and read mail previously downloaded into Outlook?

    2. Am I vulnerable while Outlook logs in and collects and sends email and is there anything I can do to protect this using public WiFi?

    3. Can hackers get into anything else on my laptop?

    4. How about using a broadband mobile account instead of free public WiFi? Is this safe from hackers?

    I'd be grateful for advice about these. Thanks.
    Clare


  • 11. At 8:59pm on 29 Oct 2009, andyridge289 wrote:

    Firstly, I think it's a good thing that you're letting people know about this.

    However, the webmail client you were using was quite clearly [company removed], yet you failed to mention the facility to always connect via SSL, which goes some way (if not all) to protecting people from this sort of attack.

    I understand you probably weren't allowed to mention the name on air for whatever reasons, but providing a set of links people can use to access their mail more securely would be a start.

    [URL removed]


  • 12. At 9:01pm on 29 Oct 2009, andyridge289 wrote:

    Incidentally, why did you pick the one webmail client that actually has means to protect against exactly this sort of attack?


  • 13. At 9:06pm on 29 Oct 2009, IGotHacked wrote:

    Hi.
    I recently got attacked by a hacker.
    Both my email addresses were taken over and they used password recovery tactics to take over my other internet accounts including facebook ebay and paypal (That is also connected to my bank account).
    I contacted the police about this and they just weren't interested in doing anything.
    I know who is doing it but I just can't legally do anything about it.
    Is there any other authority that I can contact?
    For now I don't trust WiFi either at home or public WiFi's.
    I only use my home WiFi that has highest WPA2 encryption with a key that won't be found in a dictionary, but it was still compromised.
    I recommend to everyone who can connect to their router with a cable to do that and turn the wireless on the router off. (Consult your router manual).
    Hope this helps.
    From Rob (Eastbourne)



  • 14. At 9:18pm on 29 Oct 2009, drkj3di wrote:

    This comment was removed because the moderators found it broke the House Rules.

  • 15. At 9:19pm on 29 Oct 2009, Khandee wrote:

    Can you suffer the same problem via your mobile?? I try to use wi-fi as it is faster on my phone and I always check my emails etc. Am I at risk this way as well??


  • 16. At 9:28pm on 29 Oct 2009, ditherMe wrote:

    I have to agree most of the feature was spent with the scare factor instead of setting out the VPN details for laptops and mobile phones. Most should understand the risk; I was quite alarmed the people were amazed how this could happen! Maybe they should be told to check they have secured their home wifi too. HTTPS scrambles the details for mail access at least one layer which wasn't covered in the program.
    I came online to find the info on VPN set up and in order to use the BBC pages in full I was informed I needed Java Script and Flash! Two of the tools used to hide malware online adding more risk if I used JS and Flash!
    VPN details really should have been shown or full article here especially for mobiles which can use VPN fine to warn everyone but the important info needed to be emphasised too.


  • 17. At 9:53pm on 29 Oct 2009, cocker80 wrote:

    This comment was removed because the moderators found it broke the House Rules.

  • 18. At 10:06pm on 29 Oct 2009, pippinpixie wrote:

    Is the VPN option as secure as people think? In a middle man attack using a small box with big compact flash card inside and two radios you could route all traffic through your box and as all traffic is being relayed all the authentication data could be captured.

    Of course with 128bit encryption which is the same as most SSL connections use there are 2 multiplied by 2 128 times over combinations which is 339,000,000,000,000,000,000,000,000,000,000,000,000 (I think that's the right number of 000's) combinations to be able brute force attack a 128bit encrypted VPN

    A lot of VPN's use 256bit so 2 multiplied by 2 256 times over. (not gonna even try and work out that one)

    But with the speed of some modern computers leaving a bit of software analyzing the data captured with the box and spotting keys is surely if not already ;-) becoming more and more of a reality? So are the VPN's of companies not being put at risk?


  • 19. At 10:11pm on 29 Oct 2009, jonathanattalkfreely wrote:

    The problem's when you have already signed in. The only way for the mail account to tell if the person using the browser is the same person is by sending a unique id or session id on the url combined with the IP address. As the hotspot shares the same IP address the hacker has the same IP address as you. So if you see a site like index.php?session_id=435345345435435 all they need to do is to get the session id. So if you log off the session id is expired. A VPN encrypts all the urls therefore it is safe.



  • 22. At 10:50pm on 29 Oct 2009, quietthink wrote:

    Stupendouk is right, look for enhanced security on hotmail. Also set up your "windows" correctly: go to Settings/network connections/network category, set this on public. Then go to Control Panel, network and sharing centre, set no file sharing, then make sure your firewall is set to have no exceptions, and is on.


  • 23. At 11:15pm on 29 Oct 2009, simonsays79 wrote:

    I agree with most of the comments entered here and also would add: to create a vpn connection, another "point" is required. Whilst this does apply to users of corporate nature, home users are unlikely to have this type of configuration.
    Another point is many sites also have https, although most people just type the domain name in the address bar (or search engine) and without redirects doesn't go to https unless the site considers it necessary.


  • 24. At 00:42am on 30 Oct 2009, darkhairedgal wrote:

    I am confused with all this technology..... I have an iphone that I connect to wi-fi on. Does this mean I am at risk? Thanks


  • 25. At 00:56am on 30 Oct 2009, Orbital_Tech wrote:

    g7rpo2009 raised some good points.

    It's all very well suggesting the use of VPNs, but most people aren't going to have the infrastructure to support this, and given all the data losses that have occurred recently corporate users are quite likely to be banned from using public hot-spots, encrypted or not, leaving only the tech-savvy using such methods to protect their data to/from their systems when using public WiFi.

    Another excellent point was also raised on the use of SSL - this should be standard, not optional (or non-existent, in some cases). Yes it is slower - but which do you prefer: waiting another 30 seconds, or having your data intercepted?

    Data security is far from people's minds when dealing with the internet - it is time GOOD data security practice was advertised, and not this ill-informed scare-mongering that is currently going on.

    A few simple steps to help protect yourself:

    * Use a firewall, and know how to configure it properly so it isn't leaking like a sieve

    * Use data encryption

    * Use link encryption (SSL, IPSec are two major examples)

    * Use strong passwords (fd65YTLKn* not 'mycatbiggles' or 'password')

    fd65YTLKn* looks hard to remember/type, but look at the key groupings on the keyboard.

    Hope it helps.


  • 26. At 01:17am on 30 Oct 2009, aboriginals wrote:

    You've fumbled and dropped the ball on this issue. I'd much rather have had a detailed guide as to how to use a VPN (Virtual Private Network) for safe surfing than just the companies that provide some of the hotspots. You're a PUBLIC SERVICE broadcaster. Spend money and time on making sure this very necessary info is available for use. It's a better step than pointless acts like bringing in a tacky and garish fake brick set. You'll better serve the people who pay the licence fee - which should be the point of the show.


  • 27. At 10:23am on 30 Oct 2009, melat0nin wrote:

    Is there any particular reason the BBC chose to film about 50 Apple laptops in the course of this story? Have they forgotten their mandate for impartiality? Has the Cult of Apple become so powerful that even the Beeb are seduced?


  • 28. At 12:02pm on 30 Oct 2009, opians wrote:

    This comment was removed because the moderators found it broke the House Rules.

  • 29. At 12:10pm on 30 Oct 2009, opians wrote:

    This comment was removed because the moderators found it broke the House Rules.

  • 30. At 12:38pm on 30 Oct 2009, blee42 wrote:

    I agree with most of what Orbital_Tech and others have been saying. The main problem is that most people don't have a clue how to use higher security connections, and saying the "we" should use VPN with no accompanying description makes things worse. Most people that can use VPN would do automatically. These are the people that are connecting to a corporate network, not hotmail etc. VPN is no use to the general public and should not have been mentioned in this show. What should have been discussed is how the general public should ensure they are using higher security. I don't think we should expect normal users to be able to configure their firewall, or know where to find data encryption any more than we should expect every car driver to be able to setup their fuel injection system.
    The Gadget Show used to do stuff like this, but I haven't seen anything like it for a while. It's also pretty techy so won't appeal to the majority of E.Mail users.


  • 31. At 12:41pm on 30 Oct 2009, blee42 wrote:

    Should this blog be advertising what tools are available to hack in to hotspots? Anybody that really wanted to know could find it on the web, with some hunting. Now you've told everybody what to look for a lot of people will try it just for a lark.


  • 32. At 1:12pm on 30 Oct 2009, AndyBorrill wrote:

    Use of a VPN is overkill for securing a web browser session. Check with your ISP (Internet Service Provider) if they provide an SSL (Secure Socket Layer) Tunnel facility. This can be used to encrypt your web browser session, all your browsing will be secure and you don't need to worry about usernames and passwords being intercepted.
    If your ISP does provide this facility, they should give you the instructions to setup the tunnel.


  • 33. At 2:36pm on 30 Oct 2009, polkaspots-wifi wrote:

    As Managing Director of an independent and small Wireless Service Provider, [company removed], I feel the need to comment.

    As the recession took hold earlier this year, more and more businesses struggled to find ways to attract customers. One way they've done this is to start offering free wifi. In October 2008, 90% of our Wi-Fi Hotspots offered pre-paid access. This year, 90% of our customers now offer free wifi.

    Our free Wi-Fi Hotspots see on average 15 unique users a day - that's 15 people that are visiting the business to use their Internet and enjoy a coffee / beer / pastry. We are actually generating business for the cafe / bar. This article just scares people off. What about the people that can no longer afford a broadband connection of their own - what are they to do...

    This morning, a number of people have phoned us, concerned about their data. Why is it just our responsibility to protect them? If the email providers are asking for sensitive login details, shouldn't they be protecting their customers? Banks already do it, google does it as do many others by using secure websites - it's that simple. It's not about VPN's.

    The article has a damaging effect on The Cloud, BT, T-Mobile, [company removed] and all the others. It fails to point out that at least these providers give information about how to protect yourself from such threats. They'll also be tracking user's logins and recording mac addresses. Our system stops anyone other than the customers of the Hotspot from using the system. Unlike the larger companies that offer roaming agreements, access to our network is more restrictive - you can't just roll up and use the Internet outside.

    There's more of an issue with people doing it themselves - sometimes they're so badly secured you can even login and grab all the login information from the router.

    Another point is that one of the largest Wi-Fi providers is shipping wifi routers to their customers with a public hotspot already turned on. They've shipped 500,000 already this year - the majority of which will end up in homes that don't even know they have it. How is that responsible?

    Before too long, no business will be able to offer Wi-Fi at all. Next week I'm in Zambia to install Wi-Fi for 5 rural African villages. This will be their only connection to the world, a way to generate an income for their family and a way to educate themselves. Should we be looking at stopping this too just because there's a danger of someone getting access to their email?

    Simon


  • 34. At 4:22pm on 30 Oct 2009, newpumpkinboy wrote:

    Wifi hotspots are insecure as by their nature they can be used by everyone without having to be provided with any access credentials. Basically if you are using public wireless then everyone using it could potentially have access to the data going over the airwaves. It's like having a shared phone line, anyone with access can listen in on what you say.

    If you use them with any device, be it a laptop or iphone etc, then you are increasing the risk of having problems.

    If you use an email client such as outlook or the built in iphone mail app then there is a good chance that your email is traversing the wireless network in the clear and not encrypted. A lot of email providers do have the capability of using a more secure connection but it's usually something that needs to be specifically set up as it's not the default.

    If you use hotspots:

    - Stick to using web based email unless you know your email software is using some kind of secure connection and even then don't use it unless you have to.
    - If you use a web based system be it banking, email or shopping always make sure it's a "https://" site (The s being secure) and that the browser is showing a padlock symbol. Not guaranteed but will stop all but the most determined and skilful attacker.
    - If in doubt, stick to watching youtube!

    Wireless at home is a different matter. As long as you have an up to date wireless router that uses the WPA or better still the WPA2 standard and the passphrase used to access it is nice and long and not something easily guessed then the chance of anyone getting in through your wireless is minimal. The usual way that a home computer gets hacked is through something being downloaded from a web page by the user without realising it.

    It's good that the show brought it to the public's attention but I doubt it will have any impact on people's habits.


  • 35. At 7:08pm on 30 Oct 2009, news_comments wrote:

    The point everyone is missing is yes, when you login to your email this is secure HTTPS (SSL), the url looks something like
    https://youremail.com (with a padlock)

    However once you have logged in, a significant number of web mail sites switch to non secure connections and the url changes to
    http://youremail.com (without a padlock)

    This is when you’re at risk,

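An added example, not part of the comment above or of the programme: a small audit over a recorded webmail session that flags the switch from https:// to http:// after login which comment 35 describes, and the session cookie that then travels unencrypted. The trace, the cookie name and the function names are constructed for illustration; youremail.com is the commenter's placeholder host.

```python
from urllib.parse import urlsplit

# Constructed trace of a webmail session: (request URL, status, response headers).
SAMPLE_TRACE = [
    ("https://youremail.com/login", 302, [
        ("Set-Cookie", "SESSION=constructed123; Path=/; HttpOnly"),
        ("Location", "http://youremail.com/inbox"),
    ]),
    ("http://youremail.com/inbox", 200, [("Content-Type", "text/html")]),
]

def cookie_is_secure(set_cookie_value):
    """True if the Set-Cookie value carries the Secure attribute."""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")[1:]]
    return "secure" in attrs

def audit_trace(trace):
    """Return (url, finding) tuples for a recorded session, in trace order."""
    findings = []
    exposed = set()  # cookies the browser will also attach to http:// requests
    for url, _status, headers in trace:
        scheme = urlsplit(url).scheme
        # The request goes out before its response, so it can only carry
        # cookies that earlier responses set.
        if scheme == "http" and exposed:
            names = ",".join(sorted(exposed))
            findings.append((url, f"cleartext request carries {names}"))
        for name, value in headers:
            lname = name.lower()
            if lname == "set-cookie":
                cookie_name = value.split("=", 1)[0].strip()
                if cookie_is_secure(value):
                    exposed.discard(cookie_name)
                else:
                    exposed.add(cookie_name)
                    findings.append((url, f"cookie {cookie_name} lacks Secure"))
            elif lname == "location" and scheme == "https":
                # A relative Location keeps the current scheme; only an
                # absolute http:// target is a downgrade.
                if urlsplit(value).scheme == "http":
                    findings.append((url, "redirect downgrades to http"))
    return findings

if __name__ == "__main__":
    for url, finding in audit_trace(SAMPLE_TRACE):
        print(url, "->", finding)
```

A site that marks its session cookie Secure and keeps every redirect on https:// produces no findings from this audit.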

  • 36. At 11:59pm on 30 Oct 2009, Kurisu wrote:

    Sorry, but the whole film looks staged. The email account that is being logged into uses HTTPS by default, which prevents the interception of credentials by programs like Wireshark in the way that is shown in the film. Either the actor took the deliberate step of using the email service without encryption, or the whole thing was a hoax.

    The other problem I have with the film is its focus on WiFi access points. Even if the access point was 'secure' and implemented features such as wireless isolation (stopping computers from seeing each other on the network), your data would still be transmitted over the internet in plain text.

    If you're entering passwords and/or transferring sensitive information over the internet, *always* check that the site uses HTTPS and always check that the site certificate is valid (to avoid man-in-the-middle attacks), whether or not you're using WiFi.


  • 37. At 11:08am on 31 Oct 2009, jnofcop wrote:

    Re VPN. Have investigated these and from what I find it seems these are only useful for connecting 2 computers together. It seems there is no facility for just accessing the internet. If this is not right then Watchdog should let us know how to do it NOT just scare the pants off us then leave us to get on with it.


  • 38. At 12:38pm on 01 Nov 2009, FireFury1 wrote:

    I am a freelance network security consultant and I think it is good to raise awareness of internet security. However, the programme seemed to be more interested in scaremongering and "villainising" the wifi providers than actually addressing the security problems and giving useful advice.

    Sending unencrypted communications across the internet always opens you up to possible attack. Whilst it is true that there is a larger window of attack when you are connecting through a wireless network, the fact remains that sending unencrypted confidential data over the internet is a very bad idea, no matter what method you are using to connect.

    The programme touched on just one possible "solution" - configuring a VPN. However, not only is this far too complex for most users, it also doesn't solve the fundamental problem that your communications with internet content providers, such as Google Mail (which featured prominently in the programme), will still be sent unencrypted over the public network once they leave the VPN.

    The solution to the problem is far simpler, and should be followed by all internet users, whether or not they are using wifi:
    1. Never send unencrypted confidential data over the internet. If you are accessing a web site, ensure that the address starts with "https://" and that your browser shows a padlock icon before exchanging confidential data such as passwords and credit card numbers.
    2. Pay attention to warnings about certificates used by secure services. If a third party is trying to intercept your encrypted communications then they must use a forged certificate to do so, and this will cause your web browser, email client, etc. to display a prominent warning.
    Following these two simple rules ensures that the data is encrypted for its entire journey through the internet.

    The programme also contained the comment that the emails could contain confidential data such as bank account details, but didn't take the opportunity to warn people that emails are not a secure communication medium, so sending sensitive information such as bank details through email should be avoided unless it is encrypted.

    You wouldn't write your bank details on the back of a post card; communications sent over the internet should be viewed in the same way.


  • 39. At 8:50pm on 01 Nov 2009, stoatwblr wrote:

    @Clare

    > I've a few questions about using WiFi in public places:
    >
    > 1. I download email to Outlook rather than leaving everything in webmail. Can hackers get into my laptop and read mail previously downloaded into Outlook?

    Not via wifi password snooping

    > 2. Am I vulnerable while Outlook logs in and collects and sends email and is there anything I can do to protect this using public WiFi?

    Yes, but if you use encrypted connections (imaps, pop3s, smtps or imap-SSL, pop3-ssl, smtp-ssl) then the session is virtually unsniffable (see previous comments about breaching 128bit encryption)

    > 3. Can hackers get into anything else on my laptop?

    Not via wifi snooping.

    > 4. How about using a broadband mobile account instead of free public WiFi? Is this safe from hackers?

    That entirely depends on whether the GSM session is encrypted or not, and if the login session itself is encrypted or not. Personally I'd err on the side of caution and only use passwords on secure website sessions, etc (look for URLs starting "https://" in your browser)


  • 40. At 8:54pm on 01 Nov 2009, stoatwblr wrote:

    Story comment:

    Brings up the point about using unencrypted sessions on wireless, but offered VERY POOR advice on operating in a safe manner.

    If you're going to show a scare story then you can at least explain about secure websites and using encrypted mail sessions. VPNs aren't widely available and they have their own sets of problems - which may compromise the network at the other end of the VPN.

    WRT sending mail as the "snooped" user. What was shown was far too complex. There are far simpler ways of spoofing any address on the Internet. Why would an attacker use the long-winded method?


  • 41. At 4:20pm on 03 Nov 2009, Rossano Ferraris CA ISBU Research wrote:

    A lot of hacker tools are available on the net which do not require a particular level of skill to make them work and for an individual to use them to exploit wireless networks.
    Much of the work to prevent these incidents from occurring should be done by the company offering the Wi-Fi service as all data from end systems to the VPN gateway should be encrypted and authenticated, possibly using a strong authentication.
    Needless to say, part of the job should also be done by the end user, who needs to put in place best practice through the use of a high quality anti-malware software which combines anti-virus and anti-spyware operation for detection and blocking.

    Rossano Ferraris, CA ISBU Research Team


  • 42. At 8:43pm on 05 Nov 2009, John wrote:

    Please, Please, Please, how are we "The victims" supposed to take the program seriously, when two boys on a motor cycle travel around the country making flippant comments about serious "scams" and fraud?
    I hope they are never victims.

    If Watchdog take a different view on crime, it may help to deter criminals.

    Regards

    John


  • 43. At 06:10am on 25 Nov 2009, Syndicate wrote:

    Good bit of info for the non-tech person who wants to secure their network! I learned a lot about my un-secured access point from this article. I am going to immediately change my administrator password.


  • 44. At 09:52am on 26 Nov 2009, Adele Ward wrote:

    I agree with Greenstanblog that more information was needed on how to be secure in wifi hotspots. The programme was interesting because it pointed out the problem but that's not much use as we want to be able to use hotspots. I write about this subject on http://www.geid.co.uk and hope some of my tips help. There are a number of ways you can stay secure, and some have been pointed out by other bloggers. As Greenstanblog mentions there should have been more explanation of VPNs (Virtual Private Networks). We can be safe in wifi hotspots and we want to use them. Don't just tell us it's dangerous and scaremonger - tell us what to do about it.


  • 45. At 10:18am on 30 Nov 2009, Adele Ward wrote:

    Watchdog could easily have shown the solution to this problem as there are easy-to-use and install encryption packages available. Perhaps they should follow up on another programme to show how this can be done. Then everyone can keep enjoying their coffee and wifi out and about.

