Friday, March 16, 2007

latimes.com

Ensnared on the wireless Web

Hackers' latest tactic to steal information is setting up fake hotspots that users unwittingly use to access Internet.

http://www.cincinnatibell.com/images/elements/biz/wifi_hotspot.jpg
By Tami Abdollah
Times Staff Writer

March 16, 2007

As Los Angeles and hundreds of other communities push to turn themselves into massive wireless hotspots, unsuspecting Internet users are stumbling onto hacker turf, giving computer thieves nearly effortless access to their laptops and private information, authorities and high-tech security experts say.

It's an invasion with a twist: People who think they are signing on to the Internet through a wireless hotspot might actually be connecting to a look-alike network, created by a malicious user who can steal sensitive information, said Geoff Bickers, a special agent for the FBI's Los Angeles cyber squad.

It is not clear how many people have been victimized, and few suspects have been charged with Wi-Fi hacking. But Bickers said that over the last couple of years, these hacking techniques have become increasingly common, and are often undetectable. The risk is especially high at cafes, hotels and airports, busy places with heavy turnover of laptop users, authorities said.

"Wireless is a convenience, that's why people use it," Bickers said. "There's an axiom in the computer world that convenience is the enemy of security. People don't use wireless because they want to be secure. They use wireless because it's easy."

For Mark Loveless, just one letter separated security from scam.

Logging on to his hotel's free wireless Internet in San Francisco last month, Loveless had two networks to choose between on his laptop screen — same name, one beginning with a lowercase letter, one with a capital. He chose the latter and, as he had done earlier that day, connected. But this time, a screen popped up asking for his log-in and password.

Loveless, a 46-year-old security analyst from Texas, immediately disconnected. A former hacker, he knew an attack when he saw one, he said.

Most Internet users do not.

About 14.3 million American households use wireless Internet, and this figure is projected to grow to nearly 49 million households by 2010, according to JupiterResearch, which specializes in business and technology market research.

"There's literally probably millions of laptops in the U.S. that are configured to join networks named Linksys or D-Link when they are available," said Corey O'Donnell, vice president of marketing for Authentium, a company that provides security software. "So if I'm a hacker, it's as easy as setting up a network with one of those names and waiting for the fish to come."

Linksys and D-Link are two of the many commercial brands of wireless routers, products that allow a user to connect to the Internet using radio frequency.

As the field of wireless connectivity expands, so too does a hacker's playground. More than 300 municipalities across the country are planning or already operating Wi-Fi service.

Los Angeles Mayor Antonio Villaraigosa last month announced plans for citywide Wi-Fi in 2009. USC already offers free wireless, and by the end of March, Los Angeles International Airport will officially offer wireless at all its terminals under a new contract with T-Mobile.

Some airlines already offer Wi-Fi at LAX. "There are no signs for any service at all, so if any passenger is accessing a free wireless service … they should be cautious," said Nancy Castles, an airport spokeswoman.

A survey at Chicago's O'Hare Airport by Authentium revealed 76 peer-to-peer networks, or access points that are connected to via another user's computer, with 27 of them advertising access to free Wi-Fi — a trademarked term for the technical specifications of wireless local area network operation. The company also found that three of the networks had fake or misleading addresses, one sign the hotspots could be hackers.

"At a busy place like O'Hare, in one hour a bad guy could get 20 laptops to connect to his network and steal the users' account information," said Ray Dickenson, vice president of product management at Authentium, who conducted the survey last September.

Corporate networks are sometimes the most vulnerable, as employers push for a more mobile workforce without always educating its users on the security risks of wireless Internet.

Many workers rely on corporate firewalls in the office and an automatic default network setting that links them to their corporate networks. Outside the office, the firewall is no longer in place. That means the computer is unprotected. Once hackers have "got a toehold in a network, it's pretty much game over," Bickers said.

Most laptops are configured to search for open wireless points and common wireless names, whether or not the user is trying to get online. That leaves people open to hacking.

In two new attacks, called "evil twin" and "man in the middle," hackers create Wi-Fi access points titled whatever they like, such as "Free Airport Wireless" or an established, commercial name.

In the "evil twin" attack, the user turns on a laptop, which may automatically try to connect. When it does, it is connecting to a fake access point, or "evil twin," and the hacker gets into personal files, steals passwords or plants a virus.

The hacker can become a "man in the middle" when he funnels the user's Internet connection through this false access point to a true wireless connection. The unsuspecting Wi-Fi surfer may then proceed to enter credit card information, access e-mail or reveal other sensitive data that can be tracked by the hacker. Meanwhile, the session appears ordinary to the user.

Although the FBI has been aware of this kind of attack for about five years, its use has increased in the last couple of years and is being seen as a "huge threat," Bickers said.

"The actual tools you need, the software, the hardware, etc., to mount this sort of attack has become insanely easy to acquire," Bickers said. "You need a laptop, wireless radio and the ability to download a free tool and run it. It literally is child's play."

The creation of the access point itself is not generally considered criminal; it's what happens next — tracking people's Internet use — that can cross the line.

These hacking techniques are considered to be "tantamount to a computer intrusion and illegal interception of wireless communication that can be prosecuted under federal law," Bickers said.

But computer evidence and statistics are hard to come by, said Arif Alikhan, a former federal prosecutor and former chief of the cyber and intellectual property crimes section for the U.S. attorney's office in Los Angeles. People can unwittingly compromise their computers in a multitude of ways, and often there's no trace.

"You can tell how many burglaries occur because you're victimized, and someone knows they're victimized," Alikhan said. "People don't always know if someone is using their wireless network, and it's very difficult to tell unless you trace back every single connection…. It happens more than I think we all realize."

The U.S. attorney's office will not comment on pending investigations; however, wireless hacking cases are relatively new, and few if any current cases involve "evil twin" or "man in the middle" attacks, law enforcement authorities said.

"This is a classic case of law and law enforcement being a little behind the technological curve," Bickers said.

Other types of wireless-related Internet hacking cases have recently popped up across the country.

Nicholas Tombros was found guilty in 2004, under the federal Can-Spam Act, of "war-spamming." He drove around the Venice Beach area with his laptop and used unprotected wireless access points to send spam. He could receive up to three years in federal prison at his sentencing next month.

He is the only defendant who has been charged in a case involving wireless hacking by the Greater Los Angeles section of the U.S. Department of Justice's cyber and intellectual property crimes division since it was established in October 2001, according to Assistant U.S. Atty. Wesley L. Hsu, deputy chief of the section.

"They are technically difficult cases…. They're difficult cases to put together, so law enforcement is having to sort of catch up," Hsu said.

On Sept. 30, Gov. Arnold Schwarzenegger signed into law the Wi-Fi User Protection Bill, which aims to block unauthorized sharing of open Wi-Fi networks and inform users of the dangers of unsecured networks. Starting in October, warnings and tips will be required on all wireless home-networking equipment sold in California.

The law specifically addresses "piggybacking" — or the use of another person's wireless network to access the Internet — a problem that security experts say has been a concern for years.

Expert's tips for safer surfing

By Tami Abdollah
Times Staff Writer

March 16, 2007

Here are some tips for safer Internet surfing from Roland Dobbins, a network engineer who helps develop security solutions for Cisco Systems.

Do it yourself

Connect and disconnect from the Internet manually by right-clicking on the wireless Internet icon and either enabling or disabling the connection. This prevents your computer from automatically searching out possibly fake Internet access points without your knowledge.

Be unique

Change the default names of your network from "Linksys" to a unique name (not your home address), and change any default passwords as soon as possible.

Don't share

Keeping your network open or allowing others access to shared files leaves a big hole in your system for hackers. Deactivate all sharing. If you must share because you are on a corporate network, make sure you change the settings when you are outside the office.

Be selective

In the computing world promiscuity is a sure way of getting a virus or attracting a hacker. Connect to "infrastructure" points, or official access points, rather than "peer-to-peer" connections, or another user's computer. Set your network connections to only connect to infrastructure points. (The default searches for all open hotspots.)

Sensitive must be secure

Only do sensitive computing — banking or anything else you would hate to have a hacker gain access to — on your personal, wired (to the wall) home computer.

Make sure you enable at least "WEP," a basic encryption on your computer, when setting up your home network. The default setting is usually no encryption.

Stay trendy

This means making sure your browser, all your antivirus software and firewalls are up to date. Stop clicking the delay button, and have antivirus software and firewalls updated on your computer.

Be wary

If you get an e-mail from your bank, make sure the e-mail is indeed from your bank, and that you are being routed to the bank. Put your cursor over the link and look at the address, or right click on properties and see where it will lead you. Always go to the bank site via its main site in a new window, not via a link in an e-mail.

Also, if your computer pops up with a security certificate warning, do not click away without inspecting the certificate and the signature. Even then, certificates are easily faked. If you must continue using the Internet, do not do anything sensitive. Best thing to do? Sign off.

Go exclusively corporate

If you can, use a Virtual Private Network while surfing wirelessly.

...And if you fail?

Computers get compromised all of the time. Your reaction can save you a lot of agony. First, turn off your computer immediately, do not reboot, and disconnect it. Then call your help desk. Once you get your computer back up, change all passwords.
http://www.netikus.net/pics/muddy_waters_wifi.jpg