Don't fall victim to the 'Free Wi-Fi' scam
Preston Gralla
January 19, 2007 (Computerworld) The next time you're at an airport
looking for a wireless hot spot, and you see one called "Free Wi-Fi"
or a similar name, beware -- you may end up being victimized by the
latest hot-spot scam hitting airports across the country.
You could end up being the target of a "man in the middle" attack, in
which a hacker is able to steal the information you send over the
Internet, including usernames and passwords. And you could also have
your files and identity stolen, end up with a spyware-infested PC and
have your PC turned into a spam-spewing zombie. The attack could even
leave your laptop open to hackers every time you turn it on, by
allowing anyone to connect to it without your knowledge.
If you're a Windows Vista user, you're especially susceptible to this
attack because of the difficulty in identifying it when using Vista.
In this article, you'll learn how the attack works and how to keep
yourself safe from it if you use Windows XP or Vista.
How the attack works
First, let's take a look at how the attack works. You go to an airport
or other hot spot and fire up your PC, hoping to find a free hot spot.
You see one that calls itself "Free Wi-Fi" or a similar name. You
connect. Bingo -- you've been had!
The problem is that it's not really a hot spot. Instead, it's an ad
hoc, peer-to-peer network, possibly set up as a trap by someone with a
laptop nearby. You can use the Internet, because the attacker has set
up his PC to let you browse the Internet via his connection. But
because you're using his connection, all your traffic goes through his
PC, so he can see everything you do online, including all the
usernames and passwords you enter for financial and other Web sites.
In addition, because you've directly connected to the attack PC on a
peer-to-peer basis, if you've set up your PC to allow file sharing,
the attacker can have complete run of your PC, stealing files and data
and planting malware on it.
You can't actually see any of this happening, so you'd be none the
wiser. The hacker steals what he wants to or plants malware, such as
zombie software, then leaves, and you have no way of tracking him
down.
All that is bad enough, but it might not be the end of the attack.
Depending on how you've connected to that ad hoc network, the next
time you turn on your PC, it may automatically broadcast the new "Free
Wi-Fi" network ID to the world, and anyone nearby can connect to it in
ad hoc peer-to-peer mode without your knowledge -- and can do damage
if you've allowed file sharing.
While some of these ad hoc networks advertising themselves as
available for connection may be attributable to Windows behavior that
the PC's user is unaware of, wireless ad hoc attacks may be more
common that you think. Security company Authentium Inc. has found
dozens of ad hoc networks in Atlanta's airport, New York's LaGuardia,
the West Palm Beach, Fla., airport and Chicago's O'Hare. Internet
users have reported finding them at LAX airport in Los Angeles.
Authentium did an in-depth survey of the ad hoc networks found at
O'Hare, visiting on three different occasions. It found more than 20
ad hoc networks each time, with 80% of them advertising free Wi-Fi
access. The company also found that many of the networks were
displaying fake or misleading MAC addresses, a clear sign that they
were bent on mischief.
"You connect to one of these networks at your own peril," says Corey
O'Donnell, vice president of marketing at Authentium. "And you would
have no way of tracking down how you were attacked, because you would
have thought you were at an ordinary hot spot connection. Enterprises
are also at risk, because if someone uses a corporate laptop to
connect to one of these networks and gets infected, when he plugs back
in to the enterprise network, the whole network is put at risk."
How to protect yourself in Windows XP
Protecting yourself against these kinds of attacks is quite easy:
Never connect to an ad hoc network unless someone you know has set one
up and specifically asks you to connect. So no matter where you are,
if you see an ad hoc network, don't connect, no matter the name of the
network.
Be aware that someone can name an ad hoc network anything they want,
so they can even duplicate the name of a legitimate network. For
example, if you're at an airport, and the name of the airport's free
hot spot is AirNet, someone can set up an ad hoc network with that
exact same name. You'd see two networks called AirNet, one being the
legitimate one and the other being the scam ad hoc network.
In Windows XP, it's easy to differentiate between an ad hoc network
and a normal Wi-Fi network (Microsoft calls connecting to a hot spot
or access point being in "infrastructure mode"). In Windows XP, in
order to connect to a wireless network, you click the wireless network
icon in the system tray, and the "Choose a wireless network"
connection screen appears. You'll see a list of all nearby wireless
networks.
As you can see in the nearby figure, each network includes a name and
a description. Look at the description. If it's an ad hoc network, it
will be called a "computer-to-computer" network; normal wireless
networks are simply called wireless networks. In the figure, the "Free
Airport WiFi" network is an ad hoc network. You should stay away from
it
Windows XP displays the details of every nearby wireless network,
including whether it's an ad hoc network. In this screen, the Free
Airport WiFi network is an ad hoc network.
Windows XP displays the details of every nearby wireless network,
including whether it's an ad hoc network. In this screen, the Free
Airport WiFi network is an ad hoc network.
(Click image to see larger view.)
There are other steps you can take to make sure you don't accidentally
connect to an ad hoc network created by a scamster. For example, you
can make sure that XP never connects to an ad hoc network. To do it:
1. Click the wireless icon in the System Tray.
2. Click "Change advanced settings."
3. Select the Wireless Networks tab.
4. Click "Advanced."
5. On the screen that appears (pictured in the nearby figure),
select "Access point (infrastructure) networks only."
6. Click Close, and keep clicking OK until the dialog boxes
disappear.
Note: If a wireless icon isn't displayed in your System Tray, you can
get to your wireless connection by clicking on Start, going to
Settings, then Control Panel and then Network Connections. Then double-
click on the wireless connection icon to bring up the panel that
displays the "Change advanced settings" link. An alternate path on
some systems might be Start --> Control Panel --> Network and Internet
Connections --> Network Connections, then double-click on the wireless
network connection icon.
This screen lets you tell your PC never to connect to ad hoc networks.
This screen lets you tell your PC never to connect to ad hoc networks.
When you're at the "Advanced" screen, you should also make sure the
box next to "Automatically connect to non-preferred networks" is not
checked. If that box is checked, your PC will connect to any nearby
wireless network, without alerting you, which is a serious security
risk.
It's also a good idea when you're on the Wireless Networks tab to look
at all the wireless networks listed in the Preferred networks area
(shown in the nearby figure). These are networks that at one time or
another you've connected to. Highlight any that you are not absolutely
sure are secure, then click Remove. That way, your PC won't attempt to
connect to them.
Remove any unfamiliar networks from the Preferred networks list
Remove any unfamiliar networks from the Preferred networks list.
(Click image to see larger view.)
There's more you should do as well. You should also configure your
remaining preferred networks so that you don't connect to them
automatically. Why do that? Let's say your home network uses the
default name it shipped with --- for example, Linksys for a Linksys
network. A scamster can create an ad hoc network called Linksys, and
then anyone nearby who has Linksys listed as a preferred network will
automatically connect to that ad hoc network.
So in the Preferred networks area, highlight each network, select
Properties, then click the connection tab, shown in the nearby figure.
Uncheck the box next to "Connect when this network is within range"
and keep clicking OK until the dialog boxes close.
Make sure to tell your PC not to make any automatic connections to
wireless networks
Make sure to tell your PC not to make any automatic connections to
wireless networks.
(Click image to see larger view.)
Keeping safe in Windows Vista
Microsoft spent a considerable amount of effort making Windows Vista
more secure than Windows XP, but when it comes to wireless networking,
you're more at risk in Windows Vista from an ad hoc attack than you
were in Windows XP. That's because in Windows Vista, it's not as easy
to distinguish an ad hoc network from a normal Wi-Fi network as it is
in Windows XP. However, once you know the trick, it's easy to do.
In Windows Vista, you connect to a wireless network by first clicking
the network icon in the System Tray, then selecting "Connect or
disconnect." The "Connect to a Network" screen shows up, with a list
of nearby wireless networks. You see the name of each and whether the
network is encrypted or not; to get more details about any, hover your
mouse over it, as shown in the nearby figure. But those details don't
include whether the network is a true hot spot or an ad hoc network.
Before you connect to a new wireless network, the only way to tell the
difference between an ad hoc network and one in infrastructure mode is
to look at the network icon next to it on the "Connect to a Network"
screen. As you can see in the nearby figure, the icon for a normal Wi-
Fi network is one computer, while the icon for an ad hoc network
instead is several computers. That's it; there's no other way to
distinguish between the two.
The only way to distinguish between ad hoc and normal wireless hot
spots is to look at the network icon on this screen. An ad hoc
network's icon is made up of several PCs; a normal network is made up
of one PC.
The only way to distinguish between ad hoc and normal wireless hot
spots is to look at the network icon on this screen. An ad hoc
network's icon is made up of several PCs; a normal network is made up
of one PC.
(Click image to see larger view.)
Here's another oddity: If you right-click the list of available
networks, on the menu that appears, some of them have a Properties
menu item and others don't. Only those networks that you've previously
visited and saved to your network list will have the Properties menu
item. If you choose Properties, select the Connection tab and look
next to Network Type, you'll see whether it's an ad hoc network or an
access point (a normal hot spot).
But if you haven't yet connected to the network (or if you have
connected previously but haven't saved it), it won't have the
Properties menu item. So you can't use that method of distinguishing
between ad hoc and normal Wi-Fi networks when you're looking for a hot
spot on the road.
Other steps you can take
There are other steps you can take to keep yourself safe, including
turning off file sharing and running your company's VPN when at a hot
spot. You can also pay to use a VPN such as HotSpotVPN. For details
and many other tips for keeping yourself safe, see "How to protect
yourself at wireless hot spots".
In addition, Authentium is working with financial institutions to
create a product called VirtualATM, which will help protect you when
you connect to a financial institution. It's expected to be released
later this year.
Preston Gralla is a contributing editor for Computerworld.com, and the
author of more than 35 books, including How the Internet Works.
Related Discussion:
* Preston Gralla: Terminator turns into Girly Man over Wi-Fi bill
* IT Blogwatch: Nasty Wi-Fi 'sploit from MoKB (and golf POV aid)
* David Haskin: Wi-Fi as an addictive drug
* Douglas Schweitzer: Think twice before you "piggy-back" a
wireless connection
* Shark Bait: A networking tech confirms: Miracles can - and will
- happen!
http://www.computerworld.com/action/...icleId=9008399