As communities push to turn themselves into massive wireless hot spots, unsuspecting Internet users are stumbling directly onto hacker turf, giving computer thieves nearly effortless access to their laptops and private information, authorities and high-tech security experts say.
It’s an invasion with a twist: People who think they are signing on to the Internet through a wireless hot spot might actually be connecting to a look-alike network created by a malicious user who can steal sensitive information, said Geoff Bickers, a special agent for the FBI’s Los Angeles cyber squad.
It is not clear how many people have been victimized, and few suspects have been charged with Wi-Fi hacking. But Bickers said that over the past couple of years, these hacking techniques have become increasingly common and are often undetectable. The risk is especially high at cafes, hotels and airports, busy places with heavy turnover of laptop users, authorities said.
“Wireless is a convenience, that’s why people use it,” he said. “There’s an axiom in the computer world that convenience is the enemy of security. People don’t use wireless because they want to be secure. They use wireless because it’s easy.”
For Mark Loveless, it was just a letter that separated security from scam. Logging on to his hotel’s free wireless Internet in San Francisco recently, Loveless had two networks to choose between on his laptop screen — same name, one beginning with a lowercase letter, one with a capital. He chose the latter and, as he had done earlier that day, connected. But this time, a screen popped up asking for his logon and password.
Loveless, a 46-year-old security analyst from Texas, immediately disconnected. A former hacker, he knew an attack when he saw one, he said.
Most Internet users do not.
About 14.3 million American households use wireless Internet, and this figure is projected to grow to nearly 49 million households by 2010, according to Jupiter Research, which specializes in business and technology market research.
“There’s literally probably millions of laptops in the U.S. that are configured to join networks named Linksys or D-Link when they are available,” said Corey O’Donnell, vice president of marketing for Authentium, a security company that provides security software. “So if I’m a hacker, it’s as easy as setting up a network with one of those names and waiting for the fish to come.”
Linksys and D-Link are two of the many commercial brands of wireless routers, products that allow a user to connect to the Internet by radio.
As the field of wireless connectivity expands, so too does a hacker’s playground. More than 300 municipalities across the United States are planning or operating Wi-Fi service. Google and EarthLink are working to bring wireless access to all of San Francisco.
A survey at Chicago’s O’Hare International Airport by Authentium revealed 76 peer-to-peer networks, or access points that are connected to via another user’s computer, with 27 advertising access to free Wi-Fi — a trademark term for the technical specifications of wireless local area network operation. The company also found three networks had fake or misleading addresses, a sign that these hot spots could be hackers.
“At a busy place like O’Hare, in one hour a bad guy could get 20 laptops to connect to his network and steal the users’ account information,” said Ray Dickenson, vice president of product management at Authentium, who conducted the survey in September.
Corporate networks are sometimes the most vulnerable, as employers push for a more mobile workforce without always educating its users on the security risks of wireless Internet. “Once they’ve got a toehold in a network, it’s pretty much game over,” Bickers said.
Many workers rely on corporate firewalls in the office and an automatic default network setting that links them to their corporate networks. Outside the office, the firewall is no longer in place. That means the computer is unprotected.
Most laptops are configured to search for open wireless points and common wireless names, whether or not the user is trying to get online. That leaves people open to hacking.
In two new attacks, called “evil twin” and “man in the middle,” hackers create Wi-Fi access points titled whatever they like, such as “Free Airport Wireless” or an established, commercial name. In the “evil twin” attack, the user turns on a laptop, which might automatically be trying to connect behind the scenes. When it does connect, it is connecting to a fake access point, or “evil twin,” and the hacker gets into personal files, steals passwords or plants a virus.
The attacker can become a “man in the middle” when he funnels the user’s Internet connection through this false access point to a true wireless connection. The unsuspecting Wi-Fi surfer then might proceed to enter credit card information, access e-mail or reveal other sensitive data. Meanwhile, the session appears ordinary.
Although the FBI has been aware of this kind of attack for about five years, its use has increased in the past couple of years, Bickers said.
“The actual tools you need, the software, the hardware, etc., to mount this sort of attack has become insanely easy to acquire,” Bickers said. ” … You need a laptop, wireless radio and the ability to download a free tool and run it. It literally is child’s play.”
The creation of the access point itself is not generally considered criminal; it’s what happens next — tracking people’s Internet traffic — that can cross the line.
These hacking techniques are considered to be “tantamount to a computer intrusion and illegal interception of wireless communication that can be prosecuted under federal law,” Bickers said.
The U.S. attorney’s office cannot comment on pending investigations; however, wireless hacking cases are relatively new, and none prosecuted thus far involve “evil twin” or “man in the middle” attacks, law enforcement authorities said.
“This is a classic case of law and law enforcement being a little behind the technological curve,” Bickers said.
– – –
Here are some tips for safer Internet surfing from Roland Dobbins, a network engineer who helps develop security solutions for Cisco Systems.
Do it yourself
Connect and disconnect from the Internet manually by right-clicking on the wireless Internet icon and either enabling or disabling the connection. This prevents your computer from searching out Internet and possibly fake access points automatically without your knowledge.
Be unique
Change default names of your network from “Linksys” to a unique name (not your home address) and change any default passwords as soon as possible.
Don’t share
Keeping your network open or allowing others access to shared files leaves a big hole in your system for hackers. Deactivate all sharing. If you must share because you are on a corporate network, make sure you change these settings when you are outside the office.
Be selective
Connect to “infrastructure” points, or official access points, rather than “peer-to-peer” connections, or another user’s computer. Set your Network Connections to only connect to infrastructure points. The default searches for all open hot spots.
Sensitive material must be secure
Only do sensitive computing — banking or anything else you would hate to have a hacker gain access to — on your personal wired (to the wall) home computer.
Make sure you enable at least “WEP,” a basic encryption on your computer, when setting up your home network. The default setting is usually no encryption.
Stay trendy
This means making sure your browser, all your software, antivirus and firewalls are up to date. Stop clicking the Delay button and have antivirus and firewalls installed on your computer.
Be wary
If you get an e-mail from your bank, make sure the e-mail is indeed from your bank and that you are being routed to the bank. Put your cursor over the link and look at the address, or right-click on properties and see where it will lead you. Always go to the bank site via its main site in a new window, not via a link in an e-mail. Also, if your computer pops up with a security certificate warning, do not click away without inspecting the certificate and the signature. Even then, certificates are easily faked. If you must continue using the Internet, do not do anything sensitive. Best thing to do? Walk away.
Go exclusively corporate
If you can, use a virtual private network while surfing wirelessly.
And if you fail? Computers get compromised all the time. Your reaction can save you a lot of agony. First, turn off your computer immediately, do not reboot, and disconnect it. Then call your help desk. Once you get your computer back up, change all passwords.
— Tami Abdollah




