some wireless hotspot security tips

Andy, ITGuy pointed out an article on Computer World 10 things to do to be more secure when using public wireless hotspots. Nice article.

The good tips that will slowly disappear as Windows fixes its wireless management:

– disable ad hoc mode
– turn off network discovery

The just plain good tips:

– turn off file sharing
– disable your wireless adapter when not in use
– turn on your firewall
– watch out for shoulder-surfers

Then Preston has a few more interesting suggestions. He suggests to encrypt your e-mail, but sadly gives no more information about how to accomplish this. For most consumers, they will stop there, give an annoyed huff, and skip that step. Encrypting one’s email is not as easy to many users as it can be, and is completely email provider-specific. It might be as easy as changing a couple connection settings in the client, or as complicated as figuring out PGP or some other service that claims secure email (by simply never transmitting it off their webmail servers and forcing your recipients to make accounts to retrieve the mail…bleh!). Some users will just be out of luck when it comes to secure mail transmission and won’t have corporate recourse for checking mail beyond port 110 and cleartext messages. In those cases, just don’t do it.

Carry an encrypted USB drive. I’m not sure if this is worthy of a bullet point, but if someone will be going through the trouble of using an encrypted USB drive for data, why not encrypt the whole laptop disk? Besides, if an attacker takes over the system, they should be savvy enough to impersonate an admin or the user and access most encryption. It makes some sense, but I think it is more effort than is necessary. I dislike having to track multiple “portable” devices, especially ones that can be lost as easily as a USB drive. To me, data encryption on the disk is a “data at rest” issue, not a wireless security issue.

Protect yourself with a virtual private network. I’m not sure I would suggest people use a third-party VPN service. Home consumers on their own equipment, sure, but not corporate users who think it would be safe to transmit possibly-sensitive information through a third-party who may or may not be credible. Too many people think that just because they pay money for it, it must be on the up-and-up. Instead, corporate users should look into what their corporate support is for VPN use. Home users can go the *very* technical route of hosting their own VPN/proxy system, or utilize the pay-for service if they want. I think if email is encrypted, web site logins are protected via SSL, and cleartext IM service not used, most users will be fine without a VPN.

Beware phony hotspots. First, I hate the term “evil twins.” We’ve had a better term for this for years now: “rogue AP.” While there is not much most users can do to protect against the rogue AP problems, I do like his two suggestions. Ask the staff if they have a hotspot and what the name is. And if you see two of the same name, don’t connect to either one. Any futher security against a rogue AP is either overkill for most users, or is really the responsibility of the hotspot establishment.