Secure public Wi-Fi: Locking down employees' Wi-Fi security settings

When it comes to public Wi-Fi, it's safest to assume all hotspots are hostile. In this tip, Michael Cobb gives security strategies for preventing data leakage via public wireless networks.

Wi-Fi hotspots in airports, cafés and bookstores have turned Internet access into a 24x7 service, allowing individuals to make the most of their time out of the office. A person could be at the airport or a favourite coffee shop and fire off a quick email, download a forgotten file or check the time of the next train.

However, in order to make it quick and easy for people to use hotspots, most providers disable the wireless networking security features protecting laptops at the office or at home. This means there's no way to guarantee the privacy of a Wi-Fi connection, as anyone with a packet sniffer could intercept a user’s wireless communications. If you’re just checking the latest news and weather, for example, this isn't necessarily a problem, but if you log in to webmail or an office portal, the login credentials can be exposed. Other activities, such as retrieving and sending emails and downloading files using FTP, all transfer data in cleartext, including the login credentials.

Another danger is WiPhishing. In this scenario, an attacker creates a hotspot that mimics a genuine hotspot nearby, hoping users' laptops will automatically connect to it ahead of the real one. The sign-up page also mirrors the genuine website, so the unsuspecting user enters his or her login credentials or credit card details. A similar type of attack uses an ad hoc peer-to-peer network, again masquerading under the same name as a legitimate network. It is usually possible to access the Internet via this network because the victim computer is connected wirelessly to the attacker's PC, which allows Internet access via its connection. However, all the victim’s traffic goes through the attacker’s network connection, allowing the attacker to see everything the victim does online. If the laptop is configured to allow file sharing, the attacker could also access all the victim’s files and possibly even install malware. This can all happen without the user being aware of what's going on.

The easiest way to protect employees from these fake sites is to ban the use of hotspots and provide them with a mobile hotspot -- a portable mobile broadband device. As long as it is within range of a 3G network, the mobile hotspot can create its own Wi-Fi network for employee use. Not only does this solution end the frustrating search for a free and risky Wi-Fi hotspot, but it also ensures the connection is safely encrypted. You could also sign up for a paid subscription to a hotspot network such as Boingo or T-Mobile, which provides connection software that encrypts sessions automatically.

Another option is to alter employees' Wi-Fi security settings on their laptops to run the company's VPN automatically when at a hotspot. It's also possible to pay to use a virtual private wireless network such as HotSpotVPN, or use the free AnchorFree Hotspot Shield, which both make use of Windows built-in VPN capabilities.

Even with such safeguards in place, mobile workers should receive training in defensive computing so they are aware of the pitfalls of using hotspots and how to avoid them. They need to be vigilant while working in public areas and adjust their behaviour accordingly. Users should turn off the wireless and Bluetooth services on their laptops when not in use, and change the network configuration to manually select each wireless network they join.

Ad hoc mode is disabled by default, but this setting should be locked down to connect only to "Access point (infrastructure) network only" using Group Policy and the Wireless templates. Your users should be made aware of the dangers of ad hoc networks so they understand why this option should not be used. If they do connect to a public hotspot, they should always check the provider, the network name, and login page appearance to avoid potential WiPhishing networks. If they ever see two hotspots with the same name, they shouldn’t connect to either.

A Windows feature called Network Discovery makes a PC visible on a network so other users can see it and try to connect to it. To ensure other users can't connect to a laptop being used in public, file sharing needs to be turned off prior to connecting to a hotspot. Connections to public hotspots should always be designated as Public, as this ensures Network Discovery is turned off. These safeguards can be made easier for mobile users to remember by giving them a checklist they should step through when connecting to a public hotspot.
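The settings described in the preceding paragraphs (manual network selection, infrastructure-only connections, Public profile with Network Discovery and file sharing off, and the VPN brought up automatically away from the office) can be applied from an elevated PowerShell session. The script below is an added example, not part of the original tip; it uses the built-in netsh wlan and NetSecurity/VpnClient cmdlets, and the adapter alias "Wi-Fi", the VPN name "CorpVPN", the server "vpn.example.com" and the DNS suffix "corp.example.com" are placeholders to be replaced with the organisation's own values.

```powershell
#Requires -RunAsAdministrator
# Added example: enforce the public-hotspot checklist on a Windows laptop.
# Adapter alias, VPN name, server and trusted DNS suffix are assumptions.
param(
    [string]$WifiInterface    = 'Wi-Fi',             # assumed adapter alias
    [string]$VpnName          = 'CorpVPN',           # assumed VPN connection name
    [string]$VpnServer        = 'vpn.example.com',   # placeholder server
    [string]$TrustedDnsSuffix = 'corp.example.com'   # placeholder office suffix
)

# 1. Allow only access point (infrastructure) networks by blocking every
#    ad hoc network at the WLAN service level.
netsh wlan add filter permission=denyall networktype=adhoc | Out-Null

# 2. Switch every saved Wi-Fi profile to manual connection so the laptop
#    never auto-joins a look-alike SSID ahead of the genuine hotspot.
$profiles = netsh wlan show profiles |
    Select-String 'All User Profile\s*:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
foreach ($p in $profiles) {
    netsh wlan set profileparameter name="$p" connectionmode=manual | Out-Null
}

# 3. Mark the current Wi-Fi connection as Public, which turns Network
#    Discovery off for that network.
Get-NetConnectionProfile -InterfaceAlias $WifiInterface -ErrorAction SilentlyContinue |
    Set-NetConnectionProfile -NetworkCategory Public

# 4. Belt and braces: disable the inbound rule groups that expose the
#    laptop to other hotspot users.
Set-NetFirewallRule -DisplayGroup 'Network Discovery'        -Enabled False
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False

# 5. Register the company VPN and trigger it automatically whenever the
#    laptop is on a network that does not carry the trusted DNS suffix.
if (-not (Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer `
        -TunnelType Ikev2 -AuthenticationMethod MachineCertificate -Force
}
Add-VpnConnectionTriggerTrustedNetwork -ConnectionName $VpnName `
    -DnsSuffix $TrustedDnsSuffix -Force

# 6. Report the resulting state so the user (or a compliance check) can
#    confirm the checklist before joining the hotspot.
netsh wlan show filters
Get-NetConnectionProfile -InterfaceAlias $WifiInterface -ErrorAction SilentlyContinue |
    Select-Object Name, NetworkCategory
Get-NetFirewallRule -DisplayGroup 'Network Discovery','File and Printer Sharing' |
    Where-Object Enabled -eq 'True' | Select-Object DisplayName, Profile
```

Steps 1, 2 and 4 are one-off hardening that can equally be pushed through Group Policy as the tip suggests; step 3 has to run (or be done by hand in the network prompt) each time the laptop joins a new hotspot, which is why it belongs on the user's checklist. The final report should list no enabled Network Discovery or File and Printer Sharing rules on the Public profile.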

Shoulder surfers don't need to set up a peer-to-peer network to steal your data; all they need to do is peer over your shoulder as you type, so pay attention to your surroundings. If you can read the magazine of the person sitting next to you, they can probably read what's on your laptop screen. Make sure no one seems to be paying too close attention when they're directly behind or next to you. A privacy screen is a sensible safeguard to use.

The organisation's classification policy should restrict what information can be carried on a laptop. One option is for sensitive data to be carried on an external encrypted drive, which is only used when the laptop is disconnected or connected to a secure network. The same policy should also limit email, instant messaging and other forms of communication to non-sensitive topics over public Wi-Fi. Certainly, no sensitive data should be entered or transactions performed from a public hotspot. And, of course, all antivirus and firewall software should be kept up to date.

The overriding rule: There's no such thing as innately secure public Wi-Fi. Private and sensitive communications or transactions should only be carried out in a secure environment, and all public hotspots should be treated as hostile.

About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com's contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com's Security School lessons.