http://www.latimes.com/business/la-fi-consumer22apr22,0,5309582.story?coll=la-home-headlines

By David Colker
Times Staff Writer
April 22, 2007

No one in the evening crowd at a Starbucks in Pasadena knew Humphrey Cheung. But Cheung, quietly sipping hot chocolate and working on his laptop, knew things about them.

Several tables away was a guy sitting alone with his own laptop. "He's starting a business," Cheung said.

And the young couple in the far corner? "They're getting married," he confided.

Cheung isn't psychic. He had hacked into the coffee shop's wireless Internet connection on his Toshiba laptop. It took him all of about five minutes to do so, using free software available online.

Public Wi-Fi is very handy for perusing the Internet away from the office or home. Just remember that you may have company while surfing.

Once hooked into the system, Cheung was able to monitor the online activity of other laptops in the shop. Luckily for the people around him, he wasn't snooping for any reason except to make a point: As wireless hot spots proliferate, the tools for secretly monitoring these Internet connections are becoming more sophisticated.

"When people are on a public wireless connection, they have the same expectations about privacy as when they are on the Internet at home," said Cheung, 32, a computer security expert and an editor for TG Daily, a technology news website. "But it doesn't work that way. Someone could be listening in."

Cheung was using a "sniffer" program that intercepted online signals as they flew back and forth from the laptops to a wireless modem hidden somewhere amid the coffee paraphernalia.

Mostly, the monitoring was limited to tracking the websites being visited. Numbers correlating to Web addresses flew across Cheung's computer screen, allowing him to see that the couple were viewing pages belonging to a wedding planning site. The man a few tables away started with sites selling high-speed broadband service.
He went from there to a page about managing websites.

Like in a mystery yarn, the clues kept coming in. "You start to get a story about someone," Cheung said.

Suddenly, the line "LLCs in the state of California" popped up on the screen. An LLC is a limited liability company, a type of business structure often used by small-business owners.

"He's in Google," Cheung said. "That's a search he typed in."

Sure enough, the next stop was a California secretary of state site with information about forming LLCs.

When approached, the man, Alex Auzers, 20, of Pasadena, confirmed that he was doing research on starting a business. Asked if he had searched the exact phrase, "LLCs in the state of California," Auzers looked stunned. Then he shook his head.

"Is someone using a sniffer program?" he asked. Auzers also is in the computer field; he hopes to start a business that would service residential setups.

"I feel kind of stupid," he said, "because I know that kind of thing can be done."

The company that provides wireless fidelity, or Wi-Fi, signals at Starbucks is T-Mobile USA Inc. It manages about 7,600 HotSpots nationwide, including in coffee shops, hotels and airports.

On its website, the company warns that communications in the HotSpots "may be subject to unauthorized interception and are not inherently secure."

But good luck in finding that security warning. The link to it is in small print at the bottom of T-Mobile's HotSpot Web page, grouped with 18 other links to various company Web pages.

T-Mobile offers a free software program, Connection Manager, to improve browsing security, said Mike Selman, the service's marketing director.

"You can use this to make sure you are connected properly to our network," Selman said, "and that communications are encrypted from the laptop."

But the security program also seems to be more or less a secret.
Not only does the name of the program not mention security, but the link to download it also is grouped with several other items in a dropdown menu.

And if you have a Macintosh computer, you're out of luck: The software comes only in a Windows version.

Asked whether customers at a HotSpot should be told about the software as they sign on, Selman answered, "Not a bad suggestion."

At least Cheung couldn't read e-mails. Except in one case.

Most major e-mail sites on the Web, such as those run by AOL, EarthLink, Google and Yahoo, are protected by encryption. This is signified by the site address beginning with "https" instead of "http." Major banking and e-commerce pages that ask for financial information are https, too.

But the Web e-mail page for Internet service provider Charter Communications Inc. is plain old http and therefore not secure.

Cheung tuned into a Charter e-mail page being viewed in a Starbucks and began to read, "In an oiled casserole dish ..." It was a recipe for yam enchiladas.

"You definitely want to make sure that if you are using Web e-mail on a wireless connection," Cheung said, "that it's on an https page."

In response to questions about its non-secure service, Charter said in an e-mail that it was "currently exploring an https implementation as well as other security options."

On home Wi-Fi setups, password protection can be implemented on the modem, which offers a lot of security, although some hackers say they can break through the most basic protection regimen, known as WEP.

Public Wi-Fi setups, whether paid or free, don't have the luxury of using passwords. That would defeat the purpose of allowing a great many people to use them.

T-Mobile, which charges about $10 a day for HotSpot use, is working to get more people to use them. Last month, the company finished installing a system at Los Angeles International Airport that covers 3.8 million square feet of space, making it one of the largest Wi-Fi deployments in the world.
Also, free Wi-Fi hot spots are being added to more outdoor areas by cities. Fullerton and Long Beach already have them, and there are plans to install a system at Pershing Square in downtown Los Angeles.

So, enjoy the freedom of Wi-Fi. But maybe you shouldn't surf to sites you wouldn't want people to know you're visiting.

"If you watch where people go, one site after another," Cheung said, "it's almost like you can read their minds."