
Wednesday, 26 November 2014

WiFi users easy target for criminals

23 NOVEMBER 2014




How often have you asked “Is there free WiFi connection here?” or heard someone in a coffee shop or hotel asking the question? WiFi connectivity is a must-have service these days and many don’t seem to be able to do without it.
What’s pushing this need for WiFi is the huge uptake of mobile devices like smartphones and tablets packed with apps and services. Not wanting to use up their limited data or pay a rather high price to consume data on 3G/4G networks, especially when roaming, the first thing users do when in a public place is to look for free WiFi to connect to the Internet.
Research by online accommodation booking service Hotels.com also revealed that free WiFi connectivity mattered most to global business, as well as leisure, travellers. More than 50 per cent of business travellers and 35 per cent of leisure travellers picked a hotel based on its free WiFi offering.
This insatiable demand for WiFi has led to the tremendous growth of WiFi hotspots around the world and the numbers are set to grow from 1.3 million in 2011 to 5.8 million next year, marking a 350 per cent increase, according to research published by the Wireless Broadband Alliance (WBA), and compiled by market research company, Informa Telecoms and Media.
Even telecommunication companies providing cellular network connections are now offering WiFi hotspots as a means to offload mobile broadband networks and to provide a value-added service to their customers.
In five years, according to some studies, 52 per cent of mobile traffic is expected to be offloaded onto WiFi networks from cellular networks.
F-Secure Corporation Sdn Bhd security adviser Goh Su Gim said while everything looks good, there were obvious weaknesses as WiFi networks were not built with security demands in mind and people usually logged onto public WiFi without questioning the security of the network.
Criminals were exploiting the weaknesses and setting up rogue WiFi access points to deceive users and steal personal data, he added.
“The key issue is that public access points are not regulated, which means anyone can put up access points and let anyone connect for free. It’s fine if it is done with good intentions.
“However, the reality is that there are people with malicious intentions. Unlike home wireless networks, public WiFi can be a risky platform to be on as it has strangers using it, and even more petrifying is that these WiFi access points may not be genuine.”
Goh, who studies the threat landscape on networks, explained that these fake points could be used to conduct a man-in-the-middle attack.
Such an attack takes place when an attacker dupes users to connect to a malicious WiFi network and then intercepts their communications to steal valuable information or personal data.
Even an existing genuine WiFi service, such as that of a hotel or cafe, can be “forced out” by using an access point with a stronger signal and no password on it that allows everyone using the service to reconnect without realising they are now on a rogue system.
“This actor can actually see every bit and byte of information that users are sending across the network as he has placed himself between the users and the resources they (the users) are communicating with.
“For instance, if it’s a financial transaction, they will get hold of the user’s credit card information. As long as the data is not encrypted, e-mail or WhatsApp messages in plain text can be viewed easily,” said Goh.
A fake WiFi network was almost impossible to identify and this, he added, made it even more difficult for users to protect their privacy.
He said many websites used HTTPS (Hypertext Transfer Protocol Secure) connections to encrypt the transfer of data but even this could not be depended on to keep users protected.
HTTPS is based on the Secure Sockets Layer (SSL), a standard security technology for establishing an encrypted link between a server and a client, such as a website and a browser. SSL allows information, such as credit card numbers and log-in credentials, to be transmitted securely.
“Today, a hacker can pretend to be that encryption certificate authority and trick users into conducting their online transactions as though they are on a safe platform. This is why users have to be careful when on public WiFi — you can never tell what is bona fide.”

Relying on Internet security software, he said, could not guarantee your data was protected when on public WiFi. The capability of such software is limited to protecting devices from viruses but it would not be able to protect the data that users sent out from falling into the wrong hands.
http://www.nst.com.my/node/55550





‘People susceptible to threats as they’re trusting’

23 NOVEMBER 2014 @ 8:08 AM




In an experiment conducted in London recently to find out how readily people would connect to an unknown WiFi hotspot, it was revealed that consumers carelessly used public WiFi without regard for their personal privacy.
The experiment by F-Secure, an anti-virus, online security and content cloud solutions provider, involved setting up “poisoned” WiFi hotspots in prominent business and political districts of London. Unsuspecting users exposed their Internet traffic, their personal data, the contents of their emails and even agreed to an outrageous clause.
“People, in their hastiness to get connected to the Internet over public WiFi, often overlook how susceptible they are to threats. They don’t even read the terms and conditions (T&C) before agreeing to the service.
“In the experiment, people were willing to give up their firstborn child or most beloved pet in exchange for WiFi use. This showed us the lack of attention people pay to T&C pages,” says Goh Su Gim, a security advisor at F-Secure Corporation Sdn Bhd.
The independent investigation, supported by law enforcement authority, Europol, was carried out on behalf of F-Secure by the UK’s Cyber Security Research Institute and SySS, a German penetration testing company.
“In a 31-minute period, 250 devices connected to the hotspot, most of them probably automatically without their owners realising it. Some people sent Internet traffic by carrying out web searches and sending data and emails.
“The researchers also found that the text of emails sent over a POP3 network could be read, as could the addresses of the sender and recipient, and even the password of the sender.”
According to Goh, with the information available online, it is easy for anyone to set up a hotspot, give it a credible-looking name and to spy on users’ Internet activity.
“SySS built a portable WiFi access point from components costing about RM600 and requiring little technical know-how.
“The portable WiFi access point, used in the experiment, was built using a Raspberry Pi mini-computer system, a UMTS aerial, a WiFi aerial, a battery pack with a life of about two days, a USB port and a number of elastic bands.
“The device could be built by anyone with no specific knowledge. The device can be easily concealed in a bag and deployed in seconds.”
Lydia Chia, F-Secure’s regional marketing and communication manager, APAC, said a similar experiment would be replicated locally to gauge how the public react to free WiFi.
“We hope to get it wrapped up before the end of the year.
“We are getting support from our local regulatory body to make sure we are doing this ethically and not violating the law.
“The experiment in London revealed the widespread ignorance among the population on the issue of WiFi security.
“We believe it is the same world over: People trust technology and are not aware of the implications of that trust.”