[Part 9 of an occasional series, updating a blog series I ran in early 2009 to reflect changes in the threat landscape. This series is now available as a white paper at http://www.eset.com/download/whitepapers.php.]
Be Wireless, not Careless
Don’t connect to just any “free Wi-Fi” access point: it might alter your DNS queries or be the “evil twin” of a legitimate access point, set up to intercept your logins and online transactions. (When I have occasion to see what networks are being offered me in hotels, airports, even in the apartment block where I live, I have to wonder how many of them are legitimate…)
Our colleagues in Bratislava put up a nice article in 2009 on "Summer Surfing on Free Wi-Fi: Work or Play, but stay secured": see http://www.eset.eu/press/summer-surfing-on-free-wifi. Of course, many of the points made there are just as valid at any time of year. Here’s a summary of some of them:
Be aware of some common security issues with hot spots
- “Evil twin” login interception: this is a scenario where a network is set up by hackers to resemble a legitimate Wi-Fi hot spot, in order to intercept your login credentials for legitimate networks and sites
- Previously unknown (zero-day) attacks exploiting operating system or application vulnerabilities
- Sniffing, or using computer software and/or hardware to intercept and monitor traffic passing over a network
- Other forms of data leakage using man-in-the-middle attacks
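One way to act on the “evil twin” point above, as an added example that is not part of the original post: a small Python check over Wi-Fi scan results that flags network names advertised both open and encrypted, or by access points with different vendor prefixes. The scan records are constructed sample data and the function names are hypothetical; a finding is only a prompt to verify the network with the venue.

```python
from collections import defaultdict

# Constructed sample scan records: (SSID, BSSID, security). Not real networks.
SAMPLE_SCAN = [
    ("HotelGuest", "00:11:22:aa:bb:01", "WPA2"),
    ("HotelGuest", "00:11:22:aa:bb:02", "WPA2"),
    ("HotelGuest", "66:77:88:00:00:01", "OPEN"),
    ("Airport_Free_WiFi", "00:5e:10:00:00:07", "OPEN"),
    ("CoffeeShop", "00:33:44:cc:dd:01", "WPA2"),
    ("CoffeeShop", "00:99:88:cc:dd:09", "WPA2"),
]


def vendor_prefix(bssid):
    """First three octets of the BSSID (the vendor/OUI part), normalised."""
    return bssid.lower().replace("-", ":")[:8]


def find_suspect_ssids(scan):
    """Return {ssid: [reasons]} for SSIDs that deserve a second look.

    Heuristics only: a finding is not proof of an evil twin, and a clean
    result is not proof that the network is safe.
    """
    by_ssid = defaultdict(list)
    for ssid, bssid, security in scan:
        by_ssid[ssid].append((bssid, security.upper()))

    findings = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        securities = {sec for _, sec in aps}
        # Same name offered both open and encrypted: the open one may be a lure.
        if "OPEN" in securities and len(securities) > 1:
            open_aps = sorted(b for b, sec in aps if sec == "OPEN")
            reasons.append("open and encrypted APs share this name; open: "
                           + ", ".join(open_aps))
        # One venue usually buys its access points from one vendor.
        prefixes = {vendor_prefix(b) for b, _ in aps}
        if len(prefixes) > 1:
            reasons.append("APs from %d different vendor prefixes" % len(prefixes))
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for ssid, reasons in sorted(find_suspect_ssids(SAMPLE_SCAN).items()):
        for reason in reasons:
            print("%s: %s" % (ssid, reason))
```

Legitimate sites that mix access point vendors will trigger the second heuristic, so treat it as a weaker signal than the open-versus-encrypted mismatch.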
Be aware also of ways of reducing your attack surface and protecting your computer:
- Ensure VPN pass-through ports are enabled, but don’t allow a high-port free-for-all: professional system administrators open only necessary ports. This doesn’t stop all attacks, but does reduce them.
- Use HTTPS to access webmail
- Avoid protocols that don’t include encryption wherever possible
- Disable sharing of files, folders, services
- Avoid connecting to sites that transfer sensitive information (your banking information, for instance) when connected to an untrusted access point
- Ensure you’re using sound firewalling, antimalware, HIPS and so on.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence