Public Wifi / Unsecured Wireless Network Security Issues

(Please note: the information given below is for information only – we are by no means advocating the use of the techniques described below and by no means approve of their use for illegal activity. This information is given to highlight the dangers people can be opening themselves up to without using proper precautions while using unsecured wireless networks. Also note that the techniques described, even though directed at unsecured public wifi networks, could also be used on a home wireless network that is not secured correctly. Please ensure your home network is secure before using your Internet connection for more secure processes like email or online banking.)

With the ever-increasing popularity of the Internet and the tools it offers (email, Facebook, MySpace, eBay, etc.), many people are using freely available public wifi hotspots in towns, airports, hotels and even restaurants and coffee shops more regularly each day. Using these freely available connections is OK if you need to get onto the web urgently, but users should be aware that when connecting to most of these free hotspots they are using an unprotected wireless network, which is open not only to them but to anyone within its vicinity.

The risks posed by this fact alone are huge. Quite recently, an old hacker's trick referred to as “session hacking” has become more prevalent with the introduction of some freely available tools on the Internet. Sidejacking, as it is now referred to, allows anyone with very basic computer knowledge and a cheap laptop to connect to the same wifi network that you and others are using and capture all activity happening on it at any given time. The information (packets) logged can then be used to gain entry into email accounts, bank accounts, etc., and you would never be aware that anyone had stolen this information from you.

The technique works by filtering the cookie information out of the packets being sent around the network and then using this information to gain access to webpages you have recently logged into. The amazing fact is that people who are using these methods don’t need your usernames or passwords to get into your accounts – all they need is the ‘session cookies’ created when you first log in.

Whenever you log into an email account, for example, you will notice that the address of the login page should start with ‘https://’ – this https shows that the information you send via this page is going to be encrypted. Once you send this information, however, in most cases you will find that the following pages only use ‘http’ in the address – in other words, the unsecured http protocol. The ‘https’ was only there to encrypt your username / password when you first logged in – it will not encrypt what you do once you are logged into your account.

The services know who you are and what information to show you because, when you log in with your username and password, a ‘session cookie’ is created for you. This cookie is used to identify you on each page you request during your active session. Because of this, if someone else has access to your session cookie they can also make requests under your identity by using the same session you are using – in other words, they can access pages as you without ever having to use a username or password to obtain a session cookie for your account. (Note: In some instances these session cookies may remain active for several days.)
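The login flow described above, as an added example that is not part of the original article: a small Python audit that replays a constructed sequence of requests and reports every page request on which a session cookie set at the HTTPS login would travel over plain HTTP. The host name, cookie names and values are constructed, and cookie matching is simplified to the exact host (Domain and Path are ignored); the `Secure` cookie attribute is the standard way a site tells the browser never to send a cookie unencrypted.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_flow(flow):
    """flow: list of (request_url, [(header, value), ...]) in browser order.
    Returns (cookie_name, url) pairs where a previously set cookie would be
    sent over plain HTTP, readable by anyone capturing the open network."""
    jar = {}        # cookie name -> (host, has_secure_attribute)
    exposed = []
    for url, headers in flow:
        u = urlsplit(url)
        # Cookies already stored go out with this request.
        for name, (host, secure) in jar.items():
            if host == u.hostname and u.scheme == "http" and not secure:
                exposed.append((name, url))
        # Then record any cookies this response sets.
        for header, value in headers:
            if header.lower() == "set-cookie":
                name, attrs = parse_set_cookie(value)
                jar[name] = (u.hostname, "secure" in attrs)
    return exposed

def build_flow(session_attrs):
    """Constructed sample: HTTPS login, then two pages served over HTTP."""
    return [
        ("https://mail.example.test/login", [
            ("Set-Cookie", "SESSIONID=constructed123; " + session_attrs),
            ("Set-Cookie", "csrf=constructed456; Path=/; Secure"),
            ("Location", "http://mail.example.test/inbox"),
        ]),
        ("http://mail.example.test/inbox", [("Content-Type", "text/html")]),
        ("http://mail.example.test/compose", [("Content-Type", "text/html")]),
    ]

WEAK_FLOW = build_flow("Path=/; HttpOnly")              # no Secure attribute
HARDENED_FLOW = build_flow("Path=/; HttpOnly; Secure")  # corrected setting

if __name__ == "__main__":
    for label, flow in (("weak", WEAK_FLOW), ("hardened", HARDENED_FLOW)):
        print(label, audit_flow(flow))
```

With the `Secure` attribute set, the browser withholds the session cookie from the HTTP pages, so the site has to serve the whole logged-in session over HTTPS for the login to keep working.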

So what can be done to protect yourself from such attacks? The best way to combat this type of attack is not to use services like email, eBay, Facebook, etc. if you are using a public wifi hotspot or an unsecured wireless network. If you only use these hotspots to browse the web in general then hackers may be able to see what sites you have visited, but this information, in most cases, is not really going to give them anything of any value. If you are a person who needs to use email and other secure services (maybe a businessman who frequents different hotels and needs to access secure services for work …) then really you need to begin using a VPN (Virtual Private Network) to ensure your privacy. Some VPNs are free, while others are available for a small amount each month. A VPN gives you a secure encrypted tunnel that your packets are sent through when you access the Internet, so anyone ‘sniffing’ the network won’t have access to them.

This security flaw was recently highlighted on the BBC TV show – The Real Hustle.

For available VPNs, see the links section of our website.
