[ISN] Public Wi-Fi may turn your life into an open notebook

From: InfoSec News (alerts@private)
Date: Sun Apr 22 2007 - 22:16:34 PDT


http://www.latimes.com/business/la-fi-consumer22apr22,0,5309582.story?coll=la-home-headlines

By David Colker
Times Staff Writer
April 22, 2007

No one in the evening crowd at a Starbucks in Pasadena knew Humphrey 
Cheung.

But Cheung, quietly sipping hot chocolate and working on his laptop, 
knew things about them.

Several tables away was a guy sitting alone with his own laptop. "He's 
starting a business," Cheung said. And the young couple in the far 
corner? "They're getting married," he confided.

Cheung isn't psychic. He had hacked into the coffee shop's wireless 
Internet connection on his Toshiba laptop. It took him all of about five 
minutes to do so, using free software available online.

Public Wi-Fi is very handy for perusing the Internet away from the 
office or home. Just remember that you may have company while surfing.

Once hooked into the system, Cheung was able to monitor the online 
activity of other laptops in the shop.

Luckily for the people around him, he wasn't snooping for any reason 
except to make a point: As wireless hot spots proliferate, the tools for 
secretly monitoring these Internet connections are becoming more 
sophisticated.

"When people are on a public wireless connection, they have the same 
expectations about privacy as when they are on the Internet at home," 
said Cheung, 32, a computer security expert and an editor for TG Daily, 
a technology news website.

"But it doesn't work that way. Someone could be listening in."

Cheung was using a "sniffer" program that intercepted online signals as 
they flew back and forth from the laptops to a wireless modem hidden 
somewhere amid the coffee paraphernalia.

Mostly, the monitoring was limited to tracking the websites being 
visited. Numbers correlating to Web addresses flew across Cheung's 
computer screen, allowing him to see that the couple were viewing pages 
belonging to a wedding planning site.

The man a few tables away started with sites selling high-speed 
broadband service. He went from there to a page about managing websites.

Like in a mystery yarn, the clues kept coming in. "You start to get a 
story about someone," Cheung said.

Suddenly, the line "LLCs in the state of California" popped up on the 
screen. An LLC is a limited liability company, a type of business 
structure often used by small-business owners.

"He's in Google," Cheung said. "That's a search he typed in."

Sure enough, the next stop was a California secretary of state site with 
information about forming LLCs.

When approached, the man, Alex Auzers, 20, of Pasadena, confirmed that 
he was doing research on starting a business.

Asked if he had searched the exact phrase, "LLCs in the state of 
California," Auzers looked stunned. Then he shook his head.

"Is someone using a sniffer program?" he asked.

Auzers also is in the computer field; he hopes to start a business that 
would service residential setups.

"I feel kind of stupid," he said, "because I know that kind of thing can 
be done."

The company that provides wireless fidelity, or Wi-Fi, signals at 
Starbucks is T-Mobile USA Inc. It manages about 7,600 HotSpots 
nationwide, including in coffee shops, hotels and airports.

On its website, the company warns that communications in the HotSpots 
"may be subject to unauthorized interception and are not inherently 
secure."

But good luck in finding that security warning. The link to it is in 
small print at the bottom of T-Mobile's HotSpot Web page, grouped with 
18 other links to various company Web pages.

T-Mobile offers a free software program, Connection Manager, to improve 
browsing security, said Mike Selman, the service's marketing director. 
"You can use this to make sure you are connected properly to our 
network," Selman said, "and that communications are encrypted from the 
laptop."

But the security program also seems to be more or less a secret. Not 
only does the name of the program not mention security, but the link to 
download it also is grouped with several other items in a dropdown menu. 
And if you have a Macintosh computer, you're out of luck: The software 
comes only in a Windows version.

Asked whether customers at a HotSpot should be told about the software 
as they sign on, Selman answered, "Not a bad suggestion."

At least Cheung couldn't read e-mails. Except in one case.

Most major e-mail sites on the Web, such as those run by AOL, EarthLink, 
Google and Yahoo, are protected by encryption. This is signified by the 
site address beginning with "https" instead of "http."

Major banking and e-commerce pages that ask for financial information 
are https, too. But the Web e-mail page for Internet service provider 
Charter Communications Inc. is plain old http and therefore not secure.

Cheung tuned into a Charter e-mail page being viewed in a Starbucks and 
began to read, "In an oiled casserole dish ..."

It was a recipe for yam enchiladas.

"You definitely want to make sure that if you are using Web e-mail on a 
wireless connection," Cheung said, "that it's on an https page."

In response to questions about its non-secure service, Charter said in 
an e-mail that it was "currently exploring an https implementation as 
well as other security options."

On home Wi-Fi setups, password protection can be implemented on the 
modem, which offers a lot of security, although some hackers say they can 
break through the most basic protection regimen, known as WEP.

Public Wi-Fi setups, whether paid or free, don't have the luxury of 
using passwords. That would defeat the purpose of allowing a great many 
people to use them.

T-Mobile, which charges about $10 a day for HotSpot use, is working to 
get more people to use them. Last month, the company finished installing 
a system at Los Angeles International Airport that covers 3.8 million 
square feet of space, making it one of the largest Wi-Fi deployments in 
the world.

Also, free Wi-Fi hot spots are being added to more outdoor areas by 
cities. Fullerton and Long Beach already have them, and there are plans 
to install a system at Pershing Square in downtown Los Angeles.

So, enjoy the freedom of Wi-Fi. But maybe you shouldn't surf to sites 
you wouldn't want people to know you're visiting.

"If you watch where people go, one site after another," Cheung said, 
"it's almost like you can read their minds."

