3 Rules of Using Free Public Wi-Fi to Prevent Session Hacking of Your Laptop or Other Device

Ever done this? You go to a coffee shop, connect to their free wireless internet, and were never provided a secure wi-fi password to get in. You just showed up and used it. You then promptly logged into Gmail, Facebook, or something else. You are potentially exposed. Not to foster the kind of ongoing panic that is intentionally injected into any discussion of internet security, but we should take things like Firesheep seriously.

ImageThe Sheep are Watching: Firesheep is a plugin for Firefox that allows anyone on an open wi-fi network described above to capture the browser cookies of other users on the network and instantly log-in to anything from e-mail to social networking sites as that person. It literally just presents them a list of who is using the wi-fi in the coffee shop that has log-in info stored in their browsers in the form of cookies. One click, and they’re in your e-mail account, etc.

Yes, You Actually Do Care: Don’t think it’s of no consequence if your e-mail is penetrated – that usually is the chief windfall of crackers trying to get your data, because it lets them reset passwords to more secure accounts (like Paypal), and discover past information sent to you (e.g. account info) as well as potentially track your online behavior (which sites you have accounts on). Ever said “I’m not doing anything wrong, and I don’t have anything to protect, so I don’t worry about privacy and security”? Yeah, a lot of other people said that in the years before identity theft, but they’re not talking that way now. Sure, we still hear occasionally, “I’m too old to care. If they want to steal my identity, let ’em. They get my debt too.” What about your grandkids? That photo they shared with you still in your e-mail or social media account? What about their names? Ordinary e-mail headers tell us where someone is e-mailing from, too. Even if you’ve got no money and don’t care about yourself, you could be exposing everyone you have contact with, and without them knowing about it – same as typhoid, only remotely. If you don’t care at all, you’re actually a sociopath and probaby don’t need this article.

Nothing is truly foolproof: If you have Remote Support turned on in Windows, or folders or hard drives shared on that laptop, and then you connect to public or unprotected wi-fi, or are ‘borrowing’ wi-fi from the neighbor down the street, those are vulnerabilities that can be exploited to get in. That’s why you should never connect to one of those wi-fi connections in the airport or hotels or tourist areas that are labelled “free public wi-fi” just to avoid paying for a connection. They’re just waiting for you. Even the official free airport or hotel wi-fi is a serious risk. And if your own home wi-fi is unprotected, anyone can just drive by in their car and get into your e-mail account, probably with one click now – but even before Firesheep it wasn’t that hard. Of course, you can also click on a fake Paypal e-mail and “update your account” – providing your login credentials to a stranger in Nigeria or follow a bogus Facebook “app” that lets you see who is looking at your page (you can’t) which then spreads a trojan to your friends list. There are lots of ways to get taken for a ride. Networks are inherently unsafe.

Do something about it, anyway: What if we pointed out that cars are inherently unsafe? Would it make sense to then just drive down the center line, lights off at night, no seatbelt, and taking no precautions? If you can increase driving safety, you can increase your internet safety. You’ll never achieve 100%, and you don’t want to, because the thing would be so rigidly, hassled, and controlled, you’d prefer going back to analog. Because networks are inherently unsafe, safe networking is a basic, elementary level skill that anyone using a network (like the internet or wi-fi) should possess – like basic driving safety. People tell themselves they can’t function without those manuals “for Dummies” or there’s nothing they can do when things go wrong, except buy a new computer or reinstall Windows (if you don’t actually need a PC, why aren’t you using a Mac, anyway?).

Fortunately, there are some general rules to foiling most basic cracking by anyone who can download a plugin and show up at a local coffee pub:

  1. Don’t engage in unprotected wi-fi: Don’t connect to insecure wi-fi sites. It’s one thing to have free wifi provided by a coffee shop, but if they don’t at least password protect it (so that they must provide you a password to use), then any cookies stored in your browser are up for grabs. You can bring your own 3G connection instead – some devices have them built-in, or you can “tether” your phone (a method of using the 3G internet from your cell phone to broadcast wi-fi to your laptop or other device), or you can get a USB 3G solution (e.g. from Cricket Wireless) or a MiFi solution fairly cheaply.
  2. If you must engage in unprotected wi-fi, don’t log-in: If you must connect to insecure wi-fi sites, clear all cookies from any browsers you use, so they aren’t being shared in browser sessions, and then do not log-in to any web sites (which creates new cookies). Once you have deleted all existing cookies (and it might be advisable to further turn off cookies temporarily – though you still need to have deleted existing ones), then you can browse sites that don’t require a log-in with more safety.
  3. If you must have unprotected wi-fi and log-in, use additional protection: a) consider using a VPN (Virtual Private Network) which carries a monthly fee and slows you down a bit, but “tunnels” your connection securely using external servers. b) consider using a browser plugin like HTTPS EVERYWHERE for Firefox (there are plugins for Chrome too) or ForceTLS that forces HTTPS (https:// – the secure version of HTTP) even after login (because many social networking and e-mail sites may have HTTPs login, but revert to insecure HTTP after logging in) – a plugin can help with that.

Tell them about it: If your coffee shop, library, school, town, restaurant, or other venue provides unprotected wi-fi, do them a favor and give them this article and/or [this one]. One qualm I have is that it’s not a good idea to use TOR, like they recommend, for security. TOR is for anonymity (and it’s not perfect there, either -you can be found!), but it’s not – definitely NOT – designed for security. Even if the coffee shop is not worried about *your* security on unprotected wi-fi, if they use their own connection to log in to something, the chances are *they* are vulnerable and the most obvious target, since they are there all the time. It’s a target virtually painted on their front door. Remember, there are tons of sites that map and share public wi-fi locations to the world – anyone can contribute to them – and they often specify whether it’s protected or not. Free doesn’t have to mean unsafe. Just create an easy to remember set of login credentials and put them up on the blackboard every day to let customers know. Remember (please, to save frustration) it’s case sensitive, and “0” and “O” are not the same.

A word on VPN privacy: If you decide to use a VPN service for anonymity (not just security), the anonymity may not be enough, especially if the VPN keeps log files. HideMyAss, once the most popular VPN service going, is notorious now for turning over logs in the UK to satisfy a US law enforcement request that resulted in members of the LulzSec hacking group being identified. This has so angered the privacy community that HMA may never recover. After all, think about the dissidents for whom discovery may mean torture, death, and the same for their families. There are other VPNs like AirVPN, BlackVPN, and Mullvad that indicate they prevent logging, keep no logs, or destroy logs every few hours, etc. You can use [BestVPNService.com] to compare services or see [this article] for good examples. Just keep in mind, what you’re also looking for is high speed (lots of bandwidth coming off their servers), OpenVPN based security, and constant up-time. Expect to pay $7-$10/month. If you need to watch streaming video over VPN (e.g. through Netflix or Amazon movies), you’ll need US servers. If not, European servers often have advantages. FYI: if you read Usenet, then giganews.com comes with VyprVPN included in the subscription. If you’re technical, you could set up an Amazon ECS server with Debian or Ubuntu and compute at about 6cents/hour and use the OpenVPN protocol, but that’s only good for security, not for anonymity.

There are and will be other ways to protect against “session hacking”, but basic safety principles are good for another reason – they help us understand the technology we are using in a way that encourages us to adapt, in common sense ways, as risks develop. If the rule is “don’t give out your personal info to salespeople on the phone”, what do we do when they’re not on the phone but contact us through social media, or when they say they’re not salespeople? We have to learn more generalized approaches to network safety and security so that, regardless of the threat or risk, we are prepared to act for our own wellbeing.

Same as safe driving – we don’t just learn to use a turn signal when we turn – we learn, if we’re good drivers, the importance of letting other drivers know our intent well in advance, the importance of being predictable. That way we can apply it in situations not involving a turn signal, and create safety instead of enhance risk. The internet is no different. Be safe. If you’re going to use the net or networking, then engage in safe networking – use the basics of safety.