FBI: Beware the free wi-fi hot spot
posted at 5:30 pm on May 6, 2008 by Ed Morrissey
For all of those (cough, cough) who routinely try to exploit open-access Wi-Fi networks, be warned — it could be a trap. The FBI issued a warning today to all freeloaders that hackers could have provided that free Internet access, and they could be tracking every move you make over it:
You’re at the airport waiting for your flight. With time to kill, you’re thinking of connecting your laptop to the airport’s Wi-Fi to check your office e-mail…do some personal banking…or shop for a gift for your spouse.
But first, consider this: odds are there’s a hacker nearby, with his own laptop, attempting to “eavesdrop” on your computer to obtain personal data that will provide access to your money or even to your company’s sensitive information.
Here’s something else to consider: there are 68,000 Wi-Fi “hot spots” in the U.S. (see the graphic below for the top Wi-Fi countries), at airports, coffee shops, hotels, bookstores, schools, and other locations where hundreds or thousands of people pass through every day. While many of these hot spots have secure networks, some do not, according to Supervisory Special Agent Donna Peterson of our Cyber Division. And connecting to an unsecure network can leave you vulnerable to attacks from hackers.
How do hackers grab your personal data out of thin air? Agent Peterson said one of the most common types of attack is this: a bogus but legitimate-looking Wi-Fi network with a strong signal is strategically set up in a known hot spot…and the hacker waits for nearby laptops to connect to it. At that point, your computer—and all your sensitive information, including user ID, passwords, credit card numbers, etc.—basically belongs to the hacker. The intruder can mine your computer for valuable data, direct you to phony webpages that look like ones you frequent, and record your every keystroke.
It could be a little instant computing karma making its way around to the freeloaders, as well. After all, latching onto someone else’s network without compensating them may not exactly be stealing, but it’s hardly a good-neighbor policy, either. The hackers are exploiting exploitative behavior, and some may see this as just deserts.
Most airports now offer fee-based Wi-Fi access, but if one travels often enough, a Verizon card or an equivalent is probably the way to go. It offers a reasonably secure connection anywhere where a cell signal can be found, and the speed is usually equivalent or better than DSL. It’s about as expensive, but anyone who needs Internet access regardless of where they are should invest in one. Either that, or give the obsession a rest while traveling.
Blowback
Comments
Places like Starbucks offer free Wi-Fi to attract people to their business. I don’t understand why you’d make a case that it’s in any way related to stealing.
Esthier on May 6, 2008 at 5:34 PM
Next thing you know you’ll be chilling waiting for your flight when a bunch of hackers show up in the Death Star and vaporize your PC. :)
Also, yeah this is scary. Next time I see a “free” network appearing in an unusual place I’m going to steer clear.
fiatboomer on May 6, 2008 at 5:37 PM
Oh great.
CP on May 6, 2008 at 5:38 PM
A little basic security completely invalidates the claim that “At that point, your computer—and all your sensitive information, including user ID, passwords, credit card numbers, etc.—basically belongs to the hacker.” If it was that easy, connecting your computer to any network would crater your life and destroy the human race… shades of Battlestar Galactica!
shirgall on May 6, 2008 at 5:39 PM
I think he was referring to people who glom onto their neighbors’ wireless networks.
rivlax on May 6, 2008 at 5:40 PM
Those aren’t the networks that the FBI is warning people about.
Ed Morrissey on May 6, 2008 at 5:40 PM
LOL…I would hope most would realize this anyway…
DCJeff on May 6, 2008 at 5:40 PM
It’s also amazing…how fast a hacker, who simply logs onto the same wifi hotspot (a Starbucks, say), can gain access to your computer. A couple of minutes is all it takes.
But anyone who would actually do banking, or things like that, on a public wifi is a knucklehead. Do what they did just fine back in the “old” days…go to the bank.
JetBoy on May 6, 2008 at 5:41 PM
And other places don’t offer it for free. It’s those places Ed is referring to, and taking their Wi-Fi without paying for it is theft.
paul006 on May 6, 2008 at 5:41 PM
They have access to everything on your computer?! Not just what you’re sending over the network? That’s good to know. I’ve only used public WiFi once. I was so paranoid I only checked my fantasy football scores. Apparently, it didn’t matter.
Spolitics on May 6, 2008 at 5:41 PM
Ed so what you are saying is if I go get my morning cup o’ joe, my coffee barista lady is now my hacker in disguise.
oh geez!
upinak on May 6, 2008 at 5:42 PM
ED-off topic but…..GO VOLS!!!
DCJeff on May 6, 2008 at 5:43 PM
Utter nonsense - there’s this thing called a firewall on my computer that prevents any information from being transmitted without my knowledge.
corona on May 6, 2008 at 5:45 PM
This is nothing new. Anyone can place a keylogger or get into your system to get credit card numbers, usernames and passwords for online banks, etc. with an unencrypted wireless network. Might as well write an article extolling ‘new malicious code called “viruses”’.
Pent. on May 6, 2008 at 5:45 PM
Oh, great! First I have to beware the exit polls, and now I have to beware the free wi-fi hot spot.
Soon, you’re going to tell me to beware humping robots and the sexpert.
Attila (Pillage Idiot) on May 6, 2008 at 5:46 PM
corona…that firewall that you think is unbreakable…c’mon now…someone devised it..and you think it’s unbreakable?
DCJeff on May 6, 2008 at 5:47 PM
Oops, I missed the beware Latino voters in the Newt post.
Attila (Pillage Idiot) on May 6, 2008 at 5:48 PM
It also reminds me of ‘wardriving’. Wardriving is when you drive along with some friends with a laptop and see what sort of networks you can get into. For instance, we were able to access files on a wifi network called ‘5th Street Girls’. Fun times.
Pent. on May 6, 2008 at 5:49 PM
beware the Gorbacle Penguins!
upinak on May 6, 2008 at 5:50 PM
When we are traveling, I bring along my old IBM Thinkpad T22. I don’t have any personal info on it–no banking numbers or credit cards or anything. I use it to surf the web only. I don’t even have any documents on it. When we’re on the road, I’ll read the news or check traffic conditions. Denny’s usually has free wi-fi, so we’ll grab breakfast there.
But now that I read this, I’m not so sure! YIKES!
robblefarian on May 6, 2008 at 5:50 PM
I’ve seen this before. The issue is not people who glom on to someone else’s wifi, but people who think they are using a publicly provided hotspot, but in reality are connected, not through Starbucks or Panera or the airport, but through a rogue who’s set up his own free wifi in the area and is trolling for data. Just never automatically connect. Check to make sure you’re connecting through whom you want to be connecting.
.
Airport waiting lounges were featured prominently in the news story I saw on this, which is odd, because now you need a ticket to get in there. I guess it’s worth it to buy a ticket and not use it, but I would think security would wonder why these guys are hanging out in the airport so much, unless they’re all young middle-eastern males, in which case they’re free to set up shop.
boko fittleworth on May 6, 2008 at 5:51 PM
Not hard to guess who is the computer scientist here.
corona on May 6, 2008 at 5:54 PM
Believe it, hackers know their way around firewalls.
JetBoy on May 6, 2008 at 5:55 PM
Is Starbucks offering free WiFi now? I know Panera does. My solution is a little software program that allows me to use my Treo and my cell phone data account to access the internet. The software is a one time fee ~$30 and my regular cell bill. Not much faster than dial-up, but it does the job and since the Treo is tethered to the laptop, no wireless data… junefabrics.com.
kimsch on May 6, 2008 at 5:58 PM
Disclaimer: I am t3h IT security person.
Anyone who wants to see exactly how much havoc can be wrought on an unencrypted WiFi network should click here (some images are NSFW). For those of you who don’t want to click, it’s a demonstration of a program called AirPwn. “Airpwn is a platform for injection of application layer data on an 802.11b network.” In English, that means that for any web page (or other application, such as e-mail) that’s not secured by SSL or a VPN they can not only read everything going over the air, they can change things as well. In the demonstration, they replaced the images in web pages that people were viewing with a famously horrifying image. They could just as easily change the text you were reading, or change the messages you’re posting or sending to “I like to have sex with goats” or anything else.
When you use public WiFi, most of the stuff you send or view can be seen or changed by other people, pretty much as they see fit. When you use private WiFi, 99% of people aren’t much better off.
ErikTheRed on May 6, 2008 at 6:04 PM
Hackers are the lowest form of life. Even lower than Rev. Wright.
kirkill on May 6, 2008 at 6:04 PM
My husband jokes that that’s the reason we don’t network our household computers - he’s keeping it old school like Adama.
So how can you tell a fake wifi connection from a real one? I mean, if I’m at B&N goofing off on the laptop, can a hacker put up fake wifi that mimics what’s already there (will it say it’s AT&T, when it’s obviously not)? I hardly ever do this, and I’m not tech-savvy or anything. I will say that hubby has a good firewall/security setup on the laptop - he knows people who design that stuff for the gov’t, and they hooked us up.
the goddess anna on May 6, 2008 at 6:05 PM
Not to rain on your parade, but I wouldn’t trust a personal firewall further than I can throw it. It’s not a bad thing to have, and it can help. Except when, about once a year, hackers figure out a way to take over your computer by sending a specially crafted packet of information that actually hacks in via a flaw in the Windows Firewall itself. Oops.
Good security exists in layers and requires good processes and habits, but you’re never completely safe. Our (unfortunately factually correct) joke is the only way to absolutely prevent your computer from being hacked is to turn it off.
ErikTheRed on May 6, 2008 at 6:08 PM
But can they get access to files on your computer, or just what you send over the network. I re-read the above and I’m still not sure what the article was saying.
Spolitics on May 6, 2008 at 6:09 PM
Crackers are what you’re thinking of. ‘Hackers’, in general, are curious people who probe security systems just to see how strong/weak they are. There are ethical hacker licenses. Crackers are the ones who maliciously destroy files, steal personal information, etc.
Pent. on May 6, 2008 at 6:09 PM
Yeah, I’m not saying the FBI is pumping false IT information (they’d never do that!) but any and in fact every unencrypted Wi-Fi network, regardless of whether it’s free or not, is a major security risk.
And in fact, if you’re using only WEP, the most basic of Wi-Fi security, you can be cracked in about 5-10 minutes using a wireless card in permissive mode and hacker software.
Only if you’re using WPA and a key of relatively good strength can you possibly be considered safe. So far, things like AES 128 or AES 256 aren’t easy to crack iirc. Of course my information might be old on that one.
Also, if you’re connecting to secured websites using SSL, that should provide reasonable security as the payload within the frame is encrypted, even if they grab the frame.
apollyonbob on May 6, 2008 at 6:10 PM
If you have a shared directory, then it’s possible that your hard drive is visible to other computers on your local area network, which includes computers that are hooked into the same wireless network as you.
If you want your files on your personal computer to be secure, install something like ZoneLabs ZoneAlarm for free, and you’ll get pretty good protection. That doesn’t protect your connection, but they won’t be able to get back to your computer nearly as easily. (By default, I believe ZoneAlarm blocks Windows file sharing)
apollyonbob on May 6, 2008 at 6:13 PM
With a “personal” computer, there’s not much you can do - just assume that everything you do is public. In theory, if you connect to a “secure” web site (like your bank or credit card company or whatever) you’re safe, but the reality is that if a hacker is playing games with your connection you’ll just see some strange certificate warning that 99.999% of people will promptly ignore and bypass. The new Firefox 3 browser that’s coming soon actually puts up an appropriately strong warning in these cases.
If your computer is a “business” machine (or you have a few thousand dollars and / or the technical expertise to do this yourself), you can create a VPN (Virtual Private Network) connection - that is, a protected, encrypted, and safe connection - to a trusted network like the one at your home or office and run your Internet access through that. We do this for personnel at companies we work with so that they can safely use these public access points.
ErikTheRed on May 6, 2008 at 6:14 PM
You’re never completely safe from meteors, lightning, or plane crashes either. The point of security is not to be 100% absolutely secure, but secure enough to stop the vast majority of attacks - which a software firewall that’s kept up to date can do. Crackers aren’t going to spend hours trying to get around your firewall so they can spam you with goatse.
apollyonbob on May 6, 2008 at 6:15 PM
Cool. Thanks for the info.
Spolitics on May 6, 2008 at 6:17 PM
“IT’S A TRAP” -Admiral Ackbar
whatthecrap on May 6, 2008 at 6:20 PM
This will ultimately be a moot point..Intel has new powerful chips that will make future cell phones equivalent in computing power to today’s laptops. Your cell phone line will become your mobile internet data line within a year or so.
DayTrader
daytrader on May 6, 2008 at 6:21 PM
You can only brute-force AES, which is still impractical as long as there’s a strong shared key. There are plenty of good encryption schemes out there - even the RC4 scheme used by WEP is pretty good - WEP just implements it incorrectly. WPA uses RC4 as well, it’s just done right. WPA2 uses AES instead of RC4 which is considered more secure and faster as well. Anyway, the problem’s not the encryption, it’s the initial key exchange where the connection is set up. With WEP, the key exchange protocol sucks and another flaw in WEP lets a hacker force the key exchange to be repeated continuously until they have enough data to crack it. The key exchange system (TKIP) used in WPA and WPA2 is very good, but can still be sniffed and brute-force attacked (it’s not possible to get around this in any pre-shared key system). You are correct in that with a reasonably-strong pre-shared key, WPA and WPA2 are secure. The problem is that very few people use reasonably strong pre-shared key.
ErikTheRed on May 6, 2008 at 6:23 PM
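The pre-shared-key point in the comment above, as an added example that is not part of the thread: in personal mode, WPA and WPA2 derive the 256-bit key from the passphrase and the network name with PBKDF2, so the passphrase's length and character mix set the cost of guessing it. The guess rate passed to `years_to_exhaust` is an assumed figure, and the helper names are hypothetical.

```python
"""WPA/WPA2-Personal: how a passphrase becomes the 256-bit key, and how big
the guessing space is. Added example; names and guess rate are assumptions."""
import hashlib
import math
import string


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def charset_size(passphrase: str) -> int:
    """Size of the alphabet implied by the character classes actually used."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    size = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    if any(ch in string.punctuation or ch == " " for ch in passphrase):
        size += len(string.punctuation) + 1  # 32 symbols plus space
    return size


def search_space_bits(passphrase: str) -> float:
    """Upper bound in bits: assumes every character was picked at random.
    Dictionary words such as 'password' are far weaker than this figure."""
    return len(passphrase) * math.log2(charset_size(passphrase))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed, constant guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e5  # assumed guesses per second, for illustration only
    for phrase in ("password", "k7#Qv2!mZp9@Lw4&Xr8$"):  # constructed samples
        bits = search_space_bits(phrase)
        print(f"{phrase!r}: PMK {wpa_pmk(phrase, 'IEEE').hex()[:16]}..., "
              f"<= {bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years")
```

Because the SSID is the salt, the same passphrase on two differently named networks yields two different keys, which is why a unique network name also matters.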
I understand and agree, but I think it’s important that people be educated and aware of the situation. I tell my clients they can never be 100% secure, they can only be “reasonably secure,” at which point we have a meaningful discussion about what is “reasonable” for them. I just hate seeing people thinking “I’m using x product, and I am t3h unhackable!” The average person can and will make life difficult for hackers with a fairly small amount of effort, and that’s good enough. They just need to know the facts.
ErikTheRed on May 6, 2008 at 6:28 PM
I would, if it weren’t for HA :)
Entelechy on May 6, 2008 at 6:29 PM
Are you familiar with Hamachi? I’m learning how to use it now and am trying to figure out how to browse from my home network rather via public Wi-Fi rather than simply just getting access to my files.
Dead Hand Control on May 6, 2008 at 6:29 PM
Actually, yeah it is. All I’d have to do is set up a router on my laptop and if you connect to me instead of the real one . . .
Either that or have one in a van outside.
This is a variation on the fake ATMs.
- The Cat
P.S.
1. Don’t do banking or anything that should be secure unless you know for sure where you’re connected.
2. Don’t let your computer auto connect. I’d ask someone at customer service what the router’s named.
3. Don’t have any drives shared.
4. If the FBI knows about it, they’ve already moved on to something better.
MirCat on May 6, 2008 at 6:40 PM
I’m sorry. I misunderstood you.
Esthier on May 6, 2008 at 6:49 PM
corona on May 6, 2008 at 5:45 PM
That’s entirely unrelated to this story.
What they are saying is that I might be a hacker. I might go to Starbucks and set up a wireless network that I helpfully name “StarbucksWiFi”. You might log into it and go check your bank accounts. I then might intercept your username, password, and the URL of your bank’s website.
A firewall simply acts as a middle man and/or prevents unwanted requests on various ports. It has nothing to do with what other people on other machines on a network can do with the data after you’ve sent it.
I
DaveS on May 6, 2008 at 6:50 PM
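The look-alike hotspot described in the comment above, turned into a check a laptop owner or venue could run (an added example, not part of the original thread): it compares a Wi-Fi scan against what the venue says its network is and flags look-alike names, unknown BSSIDs and security mismatches. The scan format, network names and BSSIDs are constructed, and `review` and `KNOWN` are hypothetical names.

```python
"""Flag access points that imitate a known hotspot. Added example:
the scan rows, SSIDs and BSSIDs below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    security: str      # "open", "WEP", "WPA" or "WPA2"
    signal_dbm: int


def parse_scan(text):
    """Parse 'ssid | bssid | security | signal' rows; skip blanks and comments."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, security, signal = (f.strip() for f in line.split("|"))
        aps.append(AccessPoint(ssid, bssid.lower(), security, int(signal)))
    return aps


def normalise(ssid):
    """Fold case and drop separators so 'Cafe WiFi' matches 'CafeWiFi'."""
    return "".join(c for c in ssid.lower() if c.isalnum())


def review(aps, known):
    """known maps the venue's SSID to (set of its BSSIDs, expected security).
    Returns (ssid, bssid, reasons) for every AP that resembles a known
    network but differs from what the venue confirmed."""
    by_norm = {normalise(ssid): ssid for ssid in known}
    findings = []
    for ap in aps:
        real = by_norm.get(normalise(ap.ssid))
        if real is None:
            continue  # unrelated network, nothing to compare against
        bssids, security = known[real]
        reasons = []
        if ap.ssid != real:
            reasons.append("look-alike name")
        if ap.bssid not in bssids:
            reasons.append("unknown BSSID")
        if ap.security != security:
            reasons.append("security mismatch")
        if reasons:
            findings.append((ap.ssid, ap.bssid, reasons))
    return findings


# Constructed scan: one genuine AP, two imitations, one unrelated network.
SCAN = """
# ssid | bssid | security | signal (dBm)
CafeWiFi   | 02:00:00:aa:00:01 | WPA2 | -61
CafeWiFi   | 02:00:00:bb:00:99 | open | -38
Cafe WiFi  | 02:00:00:bb:00:9a | open | -40
HomeNet-5F | 02:00:00:cc:00:10 | WPA2 | -77
"""
# What the venue's staff confirmed (assumed values for the example).
KNOWN = {"CafeWiFi": ({"02:00:00:aa:00:01"}, "WPA2")}

if __name__ == "__main__":
    for ssid, bssid, reasons in review(parse_scan(SCAN), KNOWN):
        print(f"{ssid!r} {bssid}: {', '.join(reasons)}")
```

A BSSID can be copied, so an empty result is not proof that a network is genuine; the check only catches imitations that differ from what the venue confirmed.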
Krispy Kreme offers free wi-fi.
So do my next door neighbors.
The Ugly American on May 6, 2008 at 6:55 PM
It reminds me of years ago, when I was in a neighborhood with a bunch of robberies. The thieves would walk down a path (it was a bunch of condos on a greenbelt) and they would randomly try the patio doors. When they found one open, they walked in and stole a tv or stereo. The ones who just locked their door were never broken into.
I feel the same with computers, I use WPA (and keep all important numbers in a “safe”), I figure the guys will look at that and say, what the heck, the next guy won’t have anything at all. It is a matter of time and convenience. Why mess with me, when there are 20 others that can be cracked in moments.
right2bright on May 6, 2008 at 7:10 PM
I took Hamachi off, when I found it was easily hacked. Plus you end up sharing folders which is a no no, it lasted about 5 minutes on my computers.
right2bright on May 6, 2008 at 7:12 PM
While I may pause before typing in credit card passwords, you really should be safe using wi-fi. But for those who want to surf and be paranoid, here’s one absolutely safe way. Get a live Linux CD, for instance at
http://www.kubuntu.org/download.php
and use the live CD to surf the web. Unless you do deliberately tell the live CD to touch your hard drive, it won’t even touch the hard drive. Thus, you are surfing without even the possibility of revealing anything more than what you send over the wi-fi.
thuja on May 6, 2008 at 7:13 PM
OT: Best post in this thread!
Big Orange on May 6, 2008 at 7:18 PM
thuja on May 6, 2008 at 7:13 PM
What’s on the harddrive isn’t an issue here… the concern is that people will send confidential information across a “honey pot” type hotspot setup by a hacker.
DaveS on May 6, 2008 at 7:23 PM
HA, well i have fake financial and company info on my laptop.
custer on May 6, 2008 at 7:28 PM
Puhleeeze.
Social engineering does not require a wireless connection. If the FBI really put out this “warning”, then the agency is in competition for “Homeland Security” for the Lettuce Head award.
corona on May 6, 2008 at 7:34 PM
Thank you. It’s a personal one, and if we’re using it in public, we don’t buy anything or check the bank account. I feel a bit better now.
Off-topic: I just finished reading Starship Troopers (bought it this afternoon). It was frakking awesome. I got the recommend to read it from someone on this site - don’t know who, but thank you!
the goddess anna on May 6, 2008 at 8:24 PM
Care to elaborate on that last sentence?
And what about wired networks? I have disabled the wireless on our home router, but I am on the Internet all day, and my wife is, too, when she’s here. We also connect to her office network via a SonicWall VPN connection, but the process of connecting involves simply typing user name and password on the client, so theoretically anyone who has access to our network could log the keystrokes—right? Same with on-line purchases, bank access, etc., access to accountant via LogMeIn, etc. I run a Mac, and she uses a Windows PC.
MrLynn on May 6, 2008 at 8:34 PM
What ErikTheRed’s talking about is anytime you use WiFi, your internet activity is being transmitted so that everybody can see it. The difference between public and “private” WiFi is just whether or not somebody listening can crack your encryption; it’s not about whether or not they can actually see your traffic.
You shouldn’t have to worry about someone logging your keystrokes over a VPN connection, because the information leaving your computer isn’t your keystrokes, it’s your login info (hopefully encrypted). Additionally, on a wired network, somebody who wants to listen in has the additional problem of somehow fitting themselves into your network - they’d have to be connected somewhere in between you and your internet destination.
joe shmoe on May 6, 2008 at 9:20 PM
Right. A few easy steps at home will make you harder to hack. Disable SSID broadcast. Enable WPA with a lengthy key. Use a router with firewall. Get and use good virus and malware software. KEEP THEM UPDATED.
EriktheRed is correct. You don’t have to be invincible, just harder to hack than your idiot neighbor who has an unsecured network which broadcasts its address.
BacaDog on May 6, 2008 at 9:28 PM
Most live CDs (including Kubuntu’s, I believe) auto-mount the hard drive when they start up, so even though you’re not booting from the hard disk, any hacker that breaks into your live CD session would, I would think, have full access to your hard drive.
Even if you were using a live CD that didn’t automatically mount your hard drive, you’d still have to watch your traffic over the internet - it doesn’t matter if a hacker can’t access your drive if you’re emailing someone your bank password (email traffic going from one email provider to another is always unencrypted).
joe shmoe on May 6, 2008 at 9:33 PM
“I always think everything could be a trap. Which is why I’m still alive.”
inviolet on May 6, 2008 at 9:37 PM
You see, if you have a milkshake, and I have a milkshake, and I run a long straw…
deesine on May 6, 2008 at 10:12 PM
I’m sorry, but that is complete BS.
Firewall or not, the hacker would have to exploit the laptop, via the network to attempt to break into it. The ability of the laptop to accept this is not as easy as this is being presented as. With a simple firewall that would stop any inbound data except that which was requested would hold off many methods of attack. It would not be impossible to attack but much harder. The presentation of just connecting to the hot-spot would cause a rampant exchange of data to take place is actually fear-mongering in its extent.
First, it would take a very good hacker to attack another computer and succeed in a few minutes, working on multiple avenues of attack simultaneously.
Second, it would make the assumption that every hot-spot has such a hacker on staff or in the immediate area waiting for your computer to login.
Third, it makes the further assumption that you have NO protection on your system. Because many exploits have been protected by anti-virus software (not ALL, but many) which would help, and that there is no firewall at all…
This is just absurd.
As for the guy that found the files on the wifi system, if you just found them chances are that they were shared with the ‘Everyone’ group. That doesn’t constitute your ability or the ability of Wi-fi to be hackable, but the ability of the user that setup the share to be an idiot.
As for the Rogue network, that is a DEFINITE possibility. That could provide you with a huge volume of information, but it would have to be unencrypted data. Most of those networks are setup to be proxy systems, which are like middlemen in a transaction. They can monitor your traffic and data, but if you go to a store that uses SSL, the data stream is encrypted, and not even a proxy can see the data in plain form. So, your encryption is between the client (your machine) and the server (store of your choosing) anything in between sees only encrypted data.
Now, if they knew what site you were going to go to, and could build a duplicate, then they could harvest the data as it would be on their systems. But, think about that, do you think that someone would duplicate all the possible stores that you could shop at, or even one or two of them. What are their chances to have you pick that one, two or ten stores they have duplicated out of the tens of thousands of stores out there…?
ErikTheRed is correct, but also the kicker to the equation is that Plain Text Surfing, or NON Encrypted data is visible only.
For all of the rest of you that are talking about the AES or RC4 or even WEP, all that is irrelevant. These are needed to crack into a network that is protected. The hot-spot is not protected, once you are connected to the network and another person is connected you don’t have to break the AES, WEP or anything else to see their computer, you’re in the same network. The use of a VPN is also irrelevant, unless you are connecting to a machine like your company and then using their network to browse the internet.
B3 on May 6, 2008 at 11:17 PM
ALL YOUR WIFI ARE BELONG TO US
Rosmerta on May 7, 2008 at 12:59 AM
Coincidence alert…that movie was on AMC last night well after you posted this.
James on May 7, 2008 at 8:20 AM
These stories are stupid. Enough people think the interwebs are dangerous without this kind of reporting. If someone really wants the data on your laptop the easiest solution is to just steal the damn thing not mount some kind of rogue mossad/kgb operation at an airport.
manfriend on May 7, 2008 at 8:37 AM
This story is not BS! I’m an IT professional with experience in Data Security. At one point I hired consultants to attempt penetration of a major corporation where I managed all computer assets. I was amazed at what these two young guys were able to do. Once an experienced hacker has access to your system, you are dead! They have tools to launch brute force attacks to defeat any and all security measures you think you have implemented! Your security measures on your laptop are “child’s play” to a low-level hacker! Don’t take the chance, especially if you have your banking information and/or your credit card/personal information stored on your hard drive or in cache from previous browser sessions!
sabbott on May 7, 2008 at 8:58 AM
ALL HACKERS THAT ARE CAUGHT SHOULD RECEIVE 20 YEAR MINIMUM SENTENCES IN HARSH PRISONS!!!!!!!!
adamsmith on May 7, 2008 at 1:02 PM