Cliff Skolnick, FreeNetworks.org
cliff@freenetworks.org
http://www.freenetworks.org/best_practices/
Sitting in a cafe, drinking a latte, and surfing the web may seem like a peaceful thing to do, but it is not. Machines are more vulnerable to attacks from other machines on the local network, and you have just carried your machine into a battle zone. It can be attacked with malicious intent, or simply exposed to machines carrying a virus.
If your machine gets infected at a cafe, you will carry that infection back to your other machines, or worse, into your workplace, where you will be remembered as the person who infected the office. If your home AP is unprotected, you can also be infected by a guest on your network. Be safe. XXX insert story?
Here is a short checklist that you must complete before you even think about going on-line at your local coffee shop or on your friend's network. By skipping the actions below you are not only hurting yourself, you are potentially putting everyone on the network at risk.
After installing updates, check again for more updates. Some updates can undo previous updates, requiring a second run; this is especially the case when multiple updates are installed at the same time. Updates can also change settings, so check that an update did not change the file sharing setting or disable your firewall.
Since every communication on the network is visible, you might consider setting up a VPN. If you are unable to do this yourself and the IT staff at your work cannot help you, there are companies that will provide VPN service for you. XXX link to hotspot vpn and boingo.
People are generally aware that when you use an open access point you never really know what you are connecting to, and it is good to keep that in mind. A popular type of attack called man-in-the-middle is made easier by wireless. In this style of attack the attacker intercepts exchanges between the user and the network server, which can result in modified messages or compromised passwords over channels believed to be secure. In many cases the attack goes unnoticed by either party.
Public wired networks, even switched networks, are also vulnerable to the above and many other types of attack. Anything out of the ordinary, such as a window questioning the validity of a certificate when you try to access a web site, can mean that an attacker is trying to impersonate that site. Of course it could also mean the web site never had a trusted authority sign its certificate and is using a self-signed certificate instead.
I was once at a coffee shop with free wi-fi internet access. A person came in, sat down with their laptop and used the network. They did not purchase anything, and in fact over the next hour asked the staff for free water twice and did not even put a penny in the tip jar. This is a sure path to the plug being pulled.
When visiting an establishment or accessing any open network, be courteous to the operator. Purchase something and don't overstay your welcome, especially if there is a shortage of tables. Showing up to download the 4 CDs of the latest Linux release is OK at a quiet time, but if there are 10 other laptop users, perhaps waiting is an option. Be kind to others.
Peer-to-peer file sharing is a network problem, and this is not about an ISP turning the shop into the RIAA. Most free wi-fi locations use a DSL or cable connection, and just one user consuming the small upload bandwidth allotment will severely degrade the network for all users. Using peer-to-peer file sharing programs is not being kind to other users of the network.
A VPN is a Virtual Private Network, and is an excellent tool for most people to secure their wireless traffic. If you or your company don't have your own VPN server, you can easily subscribe to one of the many VPN services available on the net for less than $10 per month. If you are lucky, perhaps even your ISP provides this service for a small additional fee.
The best way to protect your passwords is to make sure everything that may send passwords, either stored or typed, over the network is using secure protocols. Email clients, web browsers, and file sharing applications should all be assumed to pass plain text passwords unless they have been explicitly configured to be secure.
Most users read their email via POP3 (Post Office Protocol) or IMAP (Internet Message Access Protocol), and may not even be aware of their SSL-secured versions, POP3S and IMAPS. Usually these are selected with a "use SSL" check box during mail account setup, but if your ISP does not support them you are out of luck. Technical users can use ssh tunneling, but most users will probably want to use a VPN.
Securing your outbound mail without a VPN or ssh tunnel is even more difficult than securing your incoming email. Many email clients have a check box referring to "StartTLS" or "SSL", and checking it may encrypt your mail. Be aware that sometimes SMTP will fall back to unencrypted if an encrypted connection can't be made, so again a VPN of some type is better.
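The following Python check illustrates the rule behind the two paragraphs above: a password may only be sent once TLS is in place, either because the client was configured for the implicit-TLS variants (POP3S, IMAPS, SMTPS) or because the server actually advertised STARTTLS/STLS, with no fallback to plaintext when it did not. It is an added example, not code from the original page; the capability replies are constructed samples, not captures from any real server.

```python
# Keyword each protocol uses to offer an in-band upgrade to TLS
# (STARTTLS for SMTP and IMAP, STLS for POP3).
UPGRADE_KEYWORD = {"smtp": "STARTTLS", "imap": "STARTTLS", "pop3": "STLS"}

def advertised_capabilities(protocol, reply):
    """Extract the capability keywords from a server's capability reply.

    smtp: multi-line EHLO reply, first line is the server name, then
          "250-KEYWORD" or "250 KEYWORD" (last line)
    imap: untagged "* CAPABILITY IMAP4rev1 STARTTLS ..." line
    pop3: CAPA reply, "+OK ..." then one keyword per line, ended by "."
    """
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    if protocol == "smtp":
        return {l[4:].split()[0].upper() for l in lines[1:] if l[:4] in ("250-", "250 ")}
    if protocol == "imap":
        return {w.upper() for l in lines
                if l.upper().startswith("* CAPABILITY") for w in l.split()[2:]}
    if protocol == "pop3":
        return {l.split()[0].upper() for l in lines if l != "." and not l.startswith("+OK")}
    raise ValueError(f"unknown protocol {protocol!r}")

def may_send_credentials(protocol, implicit_tls, reply):
    """True only when the login would travel inside TLS; never falls back.

    implicit_tls: the client was configured for POP3S/IMAPS/SMTPS, so the
    TLS handshake happens before any protocol data and the reply is unused.
    """
    if implicit_tls:
        return True
    return UPGRADE_KEYWORD[protocol] in advertised_capabilities(protocol, reply)

# Constructed sample replies (hypothetical hosts, not real servers).
SMTP_EHLO_WITH_TLS = "250-mail.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
SMTP_EHLO_NO_TLS = "250-mail.example.test\r\n250 SIZE 35882577\r\n"
IMAP_CAPA_WITH_TLS = "* CAPABILITY IMAP4rev1 LITERAL+ STARTTLS LOGINDISABLED\r\n"
POP3_CAPA_NO_STLS = "+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"

if __name__ == "__main__":
    for proto, implicit, reply in [("smtp", False, SMTP_EHLO_WITH_TLS),
                                   ("smtp", False, SMTP_EHLO_NO_TLS),
                                   ("imap", False, IMAP_CAPA_WITH_TLS),
                                   ("pop3", False, POP3_CAPA_NO_STLS),
                                   ("pop3", True, "")]:
        verdict = "ok" if may_send_credentials(proto, implicit, reply) else "REFUSE (plaintext)"
        print(f"{proto:5} implicit_tls={implicit!s:5} -> {verdict}")
```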
If you are browsing a site with an "https://..." URL you are likely safe, but not 100%, since some elements of the page could be transferred with regular "http://..." requests. For this reason protecting your web surfing is also best done with a VPN. There are some moderately complicated methods, such as using a proxy over an SSH tunnel, but those are left to the folks familiar with that type of configuration.
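As an added illustration of the mixed-content problem just described (not code from the original page), here is a small Python check that lists the subresources of an "https://" page that a browser would still fetch, or submit a form to, over plain "http://". The page URL and HTML are constructed sample input; the hostnames are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser issue a separate request; each one
# is a chance for part of an https:// page to travel over plain http://.
FETCHING_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "embed": "src",
    "source": "src", "link": "href", "object": "data", "form": "action",
}

class MixedContentFinder(HTMLParser):
    """Records every subresource of an https page that resolves to an http URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                # Relative and protocol-relative ("//host/x") references inherit
                # the page's https scheme; only absolute http:// ones are unsafe.
                target = urljoin(self.page_url, value.strip())
                if urlsplit(target).scheme == "http":
                    self.insecure.append((tag, target))

def find_mixed_content(page_url, html):
    """Return [(tag, url), ...] for every plain-http request an https page would trigger."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("only meaningful for a page served over https")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.insecure

# Constructed sample page (not a real site): two of its six references are insecure,
# including the login form itself, which would post the password in the clear.
SAMPLE_URL = "https://shop.example.test/login"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="http://stats.example.test/track.js"></script>
</head><body>
<img src="https://img.example.test/logo.png">
<form action="http://shop.example.test/do_login" method="post">
  <input name="password" type="password"></form>
<img src="../img/banner.png">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"insecure {tag}: {url}")
```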
Ask a potential ISP if they support IMAPS or POP3S for reading mail, and StartTLS for sending mail. If they do not support those, ask whether you can read mail via an HTTPS connection.
Does your ISP offer a VPN service? It might be $5 or $10 extra a month but it can make a big difference.