Security experts and technology pundits have spent a long time now warning people about the dangers of unsecured wireless networks. As technology improves and more and more people go wireless and mobile, this has become an even bigger issue, and while we often look to quick technological fixes, more and more it looks like technology is making things worse instead of better.
Case in point? A little program released in October of last year called Firesheep has made it a snap for strangers to follow your browsing, and even log in as you to websites you’ve visited, on unsecured wireless networks.
The New York Times has an interesting piece on new (and not so new) technology that makes hacking wireless networks simple. Some of the programs showcased, like Firesheep, are relatively new and allow even users who can barely connect their printer to snoop on wireless activity. Especially troubling is the fact that those snoops can intercept your login information and access the websites and services that you used. A mild example would be a hacker taking your Twitter account info and posting spam under your name (something that has personally happened to me; it’s not fun to clean up after).
A much more terrifying example would be a hacker stealing your credit card info if you used an e-commerce site that didn’t support SSL encryption (they’re out there, especially on smaller boutique e-stores). The take-away from this is never ever use a public, open wi-fi network to do anything unless you would be comfortable giving a play-by-play of all your activity to everyone around you by way of a megaphone. If you wouldn’t feel comfortable telling the barista at Starbucks where you’re surfing, don’t surf there; save it for your home wired or secure wireless network.
Even secured wi-fi connections are not necessarily safe. The NY Times article does make it seem easier than it actually is to break into a WEP-secured network. Aside from knowledge of the Linux operating system and the ability to use a command line interface (something most people blissfully kicked out of their minds when Windows replaced DOS), you also need a specialized wi-fi antenna that is capable of “packet injection”, something your standard laptop simply cannot do. Even with that disclaimer, though, it is incredibly easy to obtain both the tools and the training needed to be able to connect to any WEP-secured network in a matter of minutes. WPA-PSK secured networks, despite the NY Times’ article, are several orders of magnitude more secure, and with a long enough key (16 characters minimum, including at least one lower case letter, upper case letter, number, and symbol) would take years to crack using conventional methods. WPA2-PSK is even more secure than that.
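To put numbers on the passphrase advice above, here is an added example (not from the original post) that checks a passphrase against the 16-character, four-class rule, derives the WPA-PSK master key, and estimates how long trying every passphrase of a given length would take. The key derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) comes from the 802.11i standard rather than from the post; the function names, sample passphrases, network name and the guess rate of one million per second are assumptions.

```python
import hashlib
import string

# Character classes the post's rule names; together with space these are the
# printable ASCII characters a WPA passphrase may contain.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def meets_post_rule(passphrase: str) -> bool:
    """The post's rule: at least 16 characters, one from each class."""
    return len(passphrase) >= 16 and all(
        any(ch in cls for ch in passphrase) for cls in CLASSES)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK master key the way 802.11i defines it:
    PBKDF2-HMAC-SHA1, the SSID as salt, 4096 iterations."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def years_to_exhaust(length: int, guesses_per_second: float = 1e6) -> float:
    """Years to try every passphrase of this length over the 94 characters in
    CLASSES. The guess rate is an assumed figure, not a measurement."""
    alphabet = sum(len(cls) for cls in CLASSES)
    return alphabet ** length / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passphrases and network name.
    for candidate in ("coffeeshop", "Blue-Kettle-42-on-Elm!"):
        print(candidate, meets_post_rule(candidate))
    print(wpa_pmk("Blue-Kettle-42-on-Elm!", "HomeNet").hex())
    for n in (8, 12, 16):
        print(n, f"{years_to_exhaust(n):.3g} years")
```

Because the SSID is the salt, the same passphrase produces a different key on a network with a different name, and every guess costs the full 4096 iterations.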
Now, most users no longer have to worry about securing their home networks, since for the last several years router and modem manufacturers have been shipping their products with some form of network security turned on as the default option. On top of that, websites have for the most part updated their security standards to require passwords that contain multiple types of characters and have increased the minimum length to the point that most passwords that people have to set up are secure enough by default.
A much bigger issue, as this comic strip from XKCD humorously points out, is password reuse. Be very careful what websites you use your password on, as a site with low security can be compromised, or an unscrupulous site might sell your login information or simply use it themselves. This is especially true since most people use the same password for all of their various accounts. The best solution is to have multiple tiers of passwords; three will do just fine. Use the lowest tier as a throw-away whenever you’re logging on to public websites that you either don’t have anything invested in or that seem sketchy (e.g. NY Times or other news sites, throw-away email accounts, RSS feed aggregators, etc.). Use a second tier for websites where a compromised account could damage your reputation (including all social media passwords, blogs, forums, anything linked to your name or personal information), and a third tier for e-commerce and banking. This way, even if someone were to get a hold of the lowest level password, or even the middle level, the damage they could do would be mitigated.
The internet can be a scary place, but if you’re careful about how you treat wireless networks and what you broadcast over them, it doesn’t have to be nearly so. A little common sense and a little precaution can go a long way towards making sure that your information stays safe and secure, or as the old adage goes: “An ounce of prevention is worth a pound of cure”.