
10 Wi-Fi security tips for road warriors

Road warriors have to be creative. Besides their normal work, they are asked to maintain an almost continuous electronic presence while away from their office or home -- and that can mean dealing with unknown and possibly hostile Wi-Fi networks. Michael Kassner offers some simple tips to help mobile workers secure their computers and information no matter where they go.

Wi-Fi security is a popular topic these days, and the "best approach" is being vigorously debated on many forums, including TechRepublic's. One fact I discerned from reading the various forum posts is that there are many opinions as to what's required to securely associate with unknown and possibly hostile Wi-Fi networks.

With this in mind, I'd like to look at Wi-Fi security concerns from the viewpoint of the road warrior. Since road warriors deal with unknown and usually wide-open Wi-Fi environments, a solution that works for them will offer some benefit to everyone. Here are 10 security tips that should allow the road warrior to have a secure encounter -- of the best kind -- with unknown Wi-Fi networks.


#1: Turn off the Wi-Fi client adapter when you're not using it

The reasons for this are twofold. First, it conserves battery life -- always a concern for road warriors. Second, it's the simplest way to prevent penetration attacks using a procedure named "Microsoft Windows silent ad hoc network advertisement." Basically, the attack takes advantage of the fact that Microsoft Windows Zero Configuration is set by default to allow anonymous ad hoc connections. For more details, check out my blog post "How to prevent automatic association with ad hoc networks."

#2: Verify that the SSID actually represents the provider's Wi-Fi network

Verifying the SSID will help prevent associating with an evil twin. An evil twin is patterned after the man-in-the-middle attack: a hacker sets up equipment to falsely represent the facility's Wi-Fi network. In elegant simplicity, the user unknowingly associates with the fake network, allowing the hacker to obtain every byte of traffic that is sent or received.
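The check behind this tip, as an added example that is not part of the original article: it parses wireless scan output and lists reasons to confirm an SSID with the venue before associating (more than one device advertising it, differing authentication settings, or a BSSID the staff did not confirm). The sample scan is constructed and trimmed from the layout of Windows' `netsh wlan show networks mode=bssid`; `parse_scan` and `review_ssid` are illustrative names, and the checks are heuristics, since a venue may legitimately run several access points.

```python
import re

# Constructed sample, trimmed from the layout of `netsh wlan show networks mode=bssid`.
SAMPLE_SCAN = """\
SSID 1 : HotelGuest
    Authentication          : WPA2-Personal
    BSSID 1                 : 00:11:22:33:44:55
         Channel            : 6
SSID 2 : HotelGuest
    Authentication          : Open
    BSSID 1                 : 02:aa:bb:cc:dd:ee
         Channel            : 6
SSID 3 : CoffeeShop
    Authentication          : Open
    BSSID 1                 : 00:66:77:88:99:aa
         Channel            : 11
"""

# "<name> [index] : <value>", e.g. "BSSID 1 : 00:11:..." or "Channel : 6"
FIELD = re.compile(r"^\s*([A-Za-z ]+?)(?:\s+\d+)?\s*:\s*(.*)$")

def parse_scan(text):
    """Return one dict per access-point radio: ssid, bssid, auth, channel."""
    radios, ssid, auth = [], None, None
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "ssid":                      # start of a new network entry
            ssid, auth = value, None
        elif key == "authentication":
            auth = value
        elif key == "bssid":                   # one radio advertising that SSID
            radios.append({"ssid": ssid, "bssid": value.lower(), "auth": auth})
        elif key == "channel" and radios:
            radios[-1]["channel"] = value
    return radios

def review_ssid(radios, ssid, expected_bssid=None):
    """Reasons to check `ssid` with the venue before associating (heuristics)."""
    seen = [r for r in radios if r["ssid"] == ssid]
    bssids = sorted({r["bssid"] for r in seen})
    findings = []
    if len(bssids) > 1:
        findings.append("multiple devices advertise this SSID: " + ", ".join(bssids))
    if len({r["auth"] for r in seen}) > 1:
        findings.append("SSID offered with differing authentication settings")
    unknown = [b for b in bssids if expected_bssid and b != expected_bssid.lower()]
    if unknown:
        findings.append("BSSID not confirmed by the venue: " + ", ".join(unknown))
    return findings
```

An empty result means only that none of these checks fired; encrypting the traffic with a VPN or SSL tunnel remains the stronger control on any network you cannot verify.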

#3: Make sure a software firewall is running on your notebook

Microsoft Windows XP and Vista already incorporate a firewall, but in both cases, it's inadequate. There are many good freeware firewall applications that are more competent, providing the additional protection a road warrior needs. I use Online-Armor, a somewhat new application that's been getting good reviews.

#4: Disable Windows' file and printer sharing

By default, file and printer sharing is disabled, but many users enable this feature to share printers or files while on a work or home network. Having this feature enabled while on the road is just asking for trouble. It allows unauthorized access to your files by anyone who happens to be on that particular Wi-Fi network. The Microsoft Knowledge Base article "Disable File and Printer Sharing for Additional Security" explains how to determine whether file and printer sharing is enabled and outlines the required steps to disable the feature.

#5: Avoid sensitive online transactions when using open Wi-Fi networks

This is self-evident, but I felt it important enough to mention.

#6: Keep your notebook's operating system up to date

Along with your OS, make sure your antivirus, firewall, Web browser, and Wi-Fi client applications are current as well. By doing so, you'll eliminate many attack avenues caused by application vulnerabilities.

#7: Secure any personal, banking, or credit card details

Allowing the Web browser to remember personal information is another avenue hackers can use to easily retrieve sensitive material if the notebook is lost or stolen. I've been using Bruce Schneier's Password Safe for many years. It requires you to remember only one access password, which is useful even if you are not a road warrior.

#8: Use secure and anonymous Web surfing techniques

This is very important if a VPN service is not available or the VPN will not set up correctly. There are various Web services that provide SSL VPN solutions by creating an encrypted tunnel from the notebook to their secure server. This eliminates a whole slew of possible issues. Some of the more preeminent services are Megaproxy and TOR. I use a slightly different approach based on USB flash drive technology. IronKey is a secure USB flash drive with Firefox and TOR technology pre-installed. If Internet access is available, the device automatically configures an SSL tunnel to secure IronKey servers. See "IronKey: Simple, safe, and secure surfing over Wi-Fi" for more details.

#9: If required, use VPN technology

The problem with the previous tip is that it applies only to Web-based applications. What about e-mail applications, like Outlook? This is where the full-blown VPN comes into play. Most business road warriors use this approach exclusively. The VPN tunnel allows the road warrior to remotely become part of the home or office network. Then, all the normal business applications, file sharing, and Internet access are handled by the company's network. There are many hardware and software VPN applications to choose from. My choice would be OpenVPN.

#10: Use remote access applications for security

Not having any sensitive data travel over questionable networks to your notebook is a unique solution. This is possible by using a service like LogMeIn, which allows the road warrior to remotely control a home or office computer through an SSL tunnel. Web surfing, e-mail, and other applications are active only on the remote computer. So no data is being transmitted to the road warrior's notebook, unless so desired.

Final thoughts

Road warriors have to be creative. Besides their normal work, they are asked to maintain an almost continuous electronic presence while away from their office or home. These simple tips can help secure their computers and resident information no matter where they go.


15 comments
squirrelpie0

A question. When using a laptop on an open WIFI network to connect to banking like CIBC or TD which has 128 encryption, how secure is the info you are sending and receiving?

Neon Samurai

Consider your own router or wifi repeater if you have such skills. I'm currently in a place where the wifi was not as advertised and would have set up a wifi repeater to boost the signal in my room if I owned and had brought such a thing.

khamelinck

If I am doing this unknowingly it is because I can't tell the difference - it is named the same. How do I verify?

deedeedubya

In Firefox (maybe in other browsers too), you can set a master password that has to be entered before you can use any stored passwords. Using that feature is a good idea because the passwords will only work on sites that they're meant for. This means that if your bank is https://www.localbank.com/ and you get a link to go to https://www.l0calbank.com, it won't autofill the password and might save your butt from a phishing attempt. Maybe.

MGP2

If required, use VPN. OK, well if it's required, of course someone has to use it. Maybe #9 should read "If possible...", "If it's available..." or something similar. If something is required, "if" is no longer part of the equation.

Michael Kassner

That is a great point, thanks for mentioning it. I personally carry a small wireless travel router by 3Com for that purpose. I also use it for rooms that only have wired Ethernet and you have more than one person wanting to use the Internet. Being able to encrypt the wireless traffic does help a great deal, but you still have to be concerned about your data traffic as it travels over the wired portion. Typically the facility is not that concerned with security on the guest network.

Michael Kassner

Thanks for asking, I should have gone into more detail about this. The simplest approach would be to have a WLAN detection application like NetStumbler on your notebook. NetStumbler is freeware and detects active WLANs within range of your notebook. http://www.netstumbler.com/ NetStumbler will also publish the SSID, channel, and MAC address of all the devices it has found. This is important, because if more than one, you will want to check out the situation for sure. The next steps are more troublesome as you may be talking to someone who does not have a clue about the location's Wi-Fi network.

1. Ask if that is indeed the SSID used by the company.
2. If more than one device is showing up, ask if they have more than one device for customer access.
3. If you feel lucky you can ask them what the MAC address is of the device they are using, as that registers on NetStumbler.

I realize that approach is really cumbersome and more than likely going to not give you all the information you need. To avoid all of that you could just use a VPN tunnel, SSL proxy, or a device like the IronKey to turn your data traffic into encrypted gibberish as it travels to the location's network. I would be willing to bet that you will get dropped almost immediately. The hacker does not want to waste time on your encrypted and unusable traffic.

Michael Kassner

That is one approach, I am not that familiar with their encryption process, could you go into more detail about it? My personal preference is to use PasswordSafe set up on my IronKey so that it is actually doubly encrypted. I also prefer that Password Safe is open source and was developed by one of my heroes, Bruce Schneier.

markm

Sxipper, a Firefox add-on that functions as an OpenID authenticator + password manager + form-fill agent (I'm sure this is only a partially correct characterization) keeps sniffers away from data they crave.

Michael Kassner

When I wrote the post, I should have defined that tip in more detail. There are many times when a road warrior does not need to access the company network but just the Internet. We all know that using a VPN can be painful and overkill especially if the user has an alternate secure method to access the Internet. For example, the road warrior may want to use an IronKey while at a hotel to Google something rather than crank up the full-blown VPN to access the company network and then finally get out to the Internet. It is quicker, simpler, and usually provides better data throughput.

Neon Samurai

It has a Windows (keepass or keepassportable), *nix, osX, Palm winCE and other builds. The data file can be read by any of the platform front ends. I personally use it for Windows, Mandriva and Maemo (N800). It doesn't do forms but it's become a must have for my uname/password collection.

donnakline

This article was really helpful. The point of varying the level of security required by location might have been stressed more, especially for those of us who are less sophisticated about tech issues. For example, there may be more risk using the wifi in an airport lounge than in an upscale business traveler hotel, which hopefully will be more careful about security issues.