Wi-Fi's dirty secret - Evil Twins

I recently read that Comcast is offering non-customers free access to their XFINITY Wi-Fi network, from Memorial Day to July 4th. In and of itself, not particularly blog-worthy, other than the instructions for accessing a Comcast Wi-Fi hotspot. The instructions are pretty simple: you look for a Wi-Fi network called "xfinitywifi" and click on a link for non-Comcast customers. What Comcast doesn't say, however, is huge: the name of a Wi-Fi network tells you nothing. Nada. Zilch. Assuming that an available wireless network called "xfinitywifi" actually belongs to Comcast is a leap of faith.
A big part of Defensive Computing is being aware of what is guaranteed to be true and what is not. When someone calls you on the phone, the calling number that caller ID displays may or may not be true. The return address on an envelope in your mailbox is usually true, but it's not guaranteed. The same applies to the FROM address of an email message. Likewise, while the name of a Wi-Fi network is usually an indicator of its owner, nothing ensures this.
Bad guys can easily create a Wi-Fi network called "xfinitywifi" in the hope of attracting victims that don't have a nerd whistleblower in their family. Anyone who connects to a scam Xfinity Wi-Fi network can have all the data coming and going from their computing device watched and logged by a bad guy. If they are lucky. Unlucky victims will have their data traffic actively manipulated. Things don't get much worse than that.
Comcast customers, in particular, that connect to a wireless network identified as "xfinitywifi", have to enter their Comcast email address and password. I leave it to your imagination what a bad guy could do with that information (or, see this).
This is not to pick on Comcast. Time Warner, for example, offers almost identical instructions for logging on to their Wi-Fi networks. And both are way ahead of Starbucks. One page on their website says the Wi-Fi network is called "STARBUCKS", another page says the network name is "attwifi" and a third Wi-Fi page doesn't even bother mentioning the name of their network.
The critical point, however, is that nothing prevents a bad guy from giving his network a name that people in the area expect to see. So, how can we tell a legitimate Wi-Fi network, run by a reputable company, from an evil twin (the official term for this sort of thing)?
We can't.
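Why the name proves nothing, as an added example that is not part of the original article: in an 802.11 beacon the network name is just a free-text tagged element (ID 0) with no signature or owner field, so two unrelated transmitters parse to the same SSID. The two beacons and their addresses below are constructed sample input, and a legitimate multi-access-point network produces the same picture, which is why the grouping cannot tell you which transmitter belongs to the real operator.

```python
import struct
from collections import defaultdict

def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 beacon (MAC header onward, no radiotap, no FCS)."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")  # type 0 (mgmt), subtype 8
    capab = struct.unpack_from("<H", frame, 34)[0]
    info = {"bssid": frame[16:22].hex(":"), "ssid": None,
            "privacy": bool(capab & 0x0010)}  # Privacy bit: encryption in use
    pos = 36  # tagged elements follow the 12 bytes of fixed parameters
    while pos + 2 <= len(frame):
        elem_id, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break  # truncated element: stop rather than misread
        if elem_id == 0 and length <= 32 and info["ssid"] is None:
            # The SSID: up to 32 sender-chosen bytes, authenticated by nothing
            info["ssid"] = body.decode("utf-8", "replace")
        pos += 2 + length
    return info

def group_by_name(frames):
    """Map each advertised SSID to the set of BSSIDs announcing it."""
    groups = defaultdict(set)
    for frame in frames:
        beacon = parse_beacon(frame)
        groups[beacon["ssid"]].add(beacon["bssid"])
    return dict(groups)

def constructed_beacon(bssid_hex: str, ssid: bytes) -> bytes:
    """Constructed sample input (not a real capture): open-network beacon."""
    header = bytes.fromhex("80000000" + "ff" * 6 + bssid_hex * 2 + "0000")
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0001)  # timestamp, interval, ESS
    return header + fixed + bytes([0, len(ssid)]) + ssid

# Two different transmitters (constructed addresses), one identical name.
SAMPLES = [constructed_beacon("020000000001", b"xfinitywifi"),
           constructed_beacon("020000000002", b"xfinitywifi")]

if __name__ == "__main__":
    for name, bssids in group_by_name(SAMPLES).items():
        print(name, sorted(bssids))
```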
What to do?
OVER THE SHOULDER
My first suggestion is psychological rather than technical. While connected to any public Wi-Fi network, assume a bad guy is standing over your shoulder watching everything you do, and act accordingly. Feel free to catch up on the latest news at CNN, but anything sensitive is best done elsewhere.
This may sound like familiar advice, but the warnings that have been written millions of times to date are inevitably about open Wi-Fi networks. That is, non-techies are only warned about wireless networks that don't require a password, and these are typically referred to as "open" and/or "public" networks. But, when I used the term "public" in the previous paragraph, I was referring to any network that you don't control.
Being aware of evil twin networks means not trusting networks even if they require a password. In the case of Comcast, it means not trusting networks that require both an email address and a password to login.
VPN
The best technical defense is a VPN (Virtual Private Network).
Many companies offer VPN services to individuals, which is a separate and distinct thing from the VPNs used by large companies. VPN services targeted at consumers provide encrypted communication between your computing device (laptop/tablet/smartphone) and a server run by the VPN company. This protects you from eavesdropping by anyone in your immediate vicinity.
Using a VPN after it has been configured is normally simple. Getting to that point, however, is not.
To use a VPN, you first connect to the Internet, then connect to the VPN company. If all goes well, everything subsequently coming into and out of your computing device is encrypted.
Perhaps the most popular operating system at public Wi-Fi networks is iOS version 6. To connect to a VPN server on an iOS 6 device, go to Settings -> General -> VPN and move the VPN slider from OFF to ON (it was easier in iOS 5). This assumes, however, that the VPN provider offers a type of VPN supported by iOS 6.
Dealing with the various types is the first pain point when setting up a VPN for yourself. To begin with, there are four popular types, each with its pros and cons. For example, the oldest type of VPN, PPTP, is known to be the least secure.
Many VPN companies fail to support all four types and the same is true for most (if not all) operating systems. Like a dating service, you need to match up the types of VPNs supported by your operating system with those offered by any particular VPN company.
To that end, below is a list of the assorted types of VPNs natively supported by some popular operating systems.
  • iOS versions 5 and 6 offer built-in support for L2TP, PPTP and IPSec VPNs
  • Windows 7 does L2TP and PPTP
  • Windows XP only supported PPTP natively
  • OS X Mountain Lion does L2TP over IPSec and PPTP
  • OS X Snow Leopard does L2TP over IPSec, PPTP and Cisco IPSec
  • Android 2.3 does PPTP, L2TP and L2TP/IPSec with either a pre-shared key or a certificate
  • Android 4.1 does PPTP, L2TP/IPSec PSK, L2TP/IPSec RSA, IPSec Xauth PSK, IPSec Xauth RSA and IPSec Hybrid RSA VPNs
If an operating system doesn't support a particular type of VPN that a company offers, then chances are the VPN company will provide software that adds support for their type(s) of VPN. This would not be my first choice however.
There are some free VPN providers, but security and privacy strike me as services worth paying for.
Personally, I pay $70/year for VPN service from Witopia. They are neither the cheapest nor the most expensive. At this price, Witopia offers four types of VPNs: PPTP, L2TP, IPSec and OpenVPN SSL (for whatever reason, half the world refers to this type of VPN as "SSL" while the other half refers to it as "OpenVPN").
 
By Michael Horowitz