"Securing Wi-Fi Wireless Networks with Today’s Technologies"
by The Wi-Fi Alliance, February 6, 2003
Witopia Personal VPN virtual private network to protect wireless communication privacy.
If you use your laptop at public hotspots, or in hotel rooms, or if your home WiFi can be accessed from the street or the neighbor's property, you really should understand the benefits available from a virtual private network. For a reasonable annual fee, you have the ability to have all your WiFi traffic securely encrypted.
"When your data passes through a public network--such as the Wi-Fi at the coffee shop or airport--it is at risk." I've been writing variations on that sentence for 10 years now, and I expect I'll be writing it for many more. That's because it's easy to snoop on such networks, and the data on them isn't safeguarded against those prying eyes. You have to take action to keep your data safe. Fortunately, doing so doesn't have to be hard.
You could encrypt networked data one service at a time, by securing your email sessions or configuring your Twitter and Facebook accounts to use HTTPS. (Actually, I recommend both steps regardless of whatever other security measures you take.) But that means adjusting settings in lots of different apps, one at a time. There's a more comprehensive solution: a virtual private network (VPN).
When you set up a VPN on your Mac or iOS device, client software encrypts all of your outbound data (wrapping it in something often called a secure tunnel) and sends it to a secure server. That server has the appropriate encryption keys and other credentials to unwrap the data and send it along to wherever it's supposed to go. Likewise, the server returns data--requested web pages, email messages, or even streaming audio and video--to the client through the same tunnel; only the client can unravel those responses or streams.
VPNs are valuable because several segments of the path between you and the Internet are easy to exploit. It could be the segment from your Mac, iPhone, or iPad to the coffee shop's Wi-Fi network. It could be the ethernet network behind the counter to which that router connects. In some cases, such as countries without a firm grasp on the idea of free speech, the weak link could even be the ISP that connects that coffee shop to the Internet at large. VPNs can help protect your data along all of those vulnerable segments. (That's why VPNs have become critical tools for dissidents worldwide.)
Corporations use VPNs all the time, to keep communications to and from remote workers as secure as those that take place inside the office. Companies often require mobile workers and telecommuters to use the corporate VPN to connect to internal, for-employees-only servers. Using such secure links, those remote workers can also take advantage of the company's Internet connection--including filtering, virus-checking and firewall--for general Net access.
If you don't have access to a corporate VPN, you do have an alternative: VPNs-for-hire that anyone can use, which provide many of the same protections as those company VPNs. These services rent VPN access by the month or by the year. Their servers live in data centers around the world, and you use the client software built into OS X or iOS to protect connections between your machines and those servers.
Settings and apps
Virtually all of these services try to take the pain out of configuring VPN connections by offering step-by-step instructions for entering all the specs--server, password, connection type, and other details--for the major software platforms, including iOS, Mac OS X, Windows, and Android. Still, this setup process almost always requires some tedious data entry; fortunately, you only have to do it once per VPN for each device. (Some services do offer downloadable packages for desktop operating systems which automate setup.)
In Mac OS X, you enter VPN details and manage those connections in the Network pane of System Preferences. It's a good idea to check the Show VPN Status in Menu Bar option for any VPN connection you set up in that pane; you can then connect to, see the status of, and disconnect from your VPN connection without reopening the Network pane.
In iOS, you use the Settings app (General -> Network -> VPN) to configure a VPN; once you've done that, a VPN on-off switch appears in the main Settings view.
There are also several iOS apps that seem to provide VPN services, but they are not quite what they seem: They're really conduits for payment to private VPN services, rather than VPN clients per se. They use in-app purchasing to let you subscribe to a specific VPN for a period of time; some also allow you to purchase a fixed amount of bandwidth to be used in that period.
These apps do provide you with the necessary configuration details, but you must still enter those details manually in the Settings apps. A few of them can also provide a mobileconfig file customized for your account. These files download then prompt you to accept them; when you do, they auto-configure your VPN account. Then you can just use Settings to activate or deactivate a VPN connection.
A few examples
These services differentiate themselves in their support for VPN protocols. Some of those protocols--L2TP-over-IPsec and PPTP--occasionally fail on public networks because the routers on those networks intentionally or incidentally block portions of the connection those protocols require. (On any given network, both might fail, or one might fail while the other works.)
PPTP is considered the weakest of the common VPN protocols from a security standpoint, because short PPTP passwords can be cracked. (If you do use that protocol, make sure to use a password of 12 or more characters that mixes text and numbers nonsensically.) If you've subscribed to a service that uses only PPTP, you might be stuck; subscribing to a more expensive offering, even from the same provider, could give you more flexibility.
Another way these apps/services differ: Some providers (especially those targeting iOS) may limit your monthly bandwidth, throttle overall speed, or recommend against video streaming (or require special configuration for it). Others offer multiple server locations, which you can choose to speed up a connection or to route around governmental snooping.
There are tons of private-VPN providers. Looking at three that have stood the test of time as examples, you can get a sense of the differences that distinguish all of them:
Witopia: Witopia has two services: personalVPN (Basic), which costs from $6 per month to $50 per year, and personalVPN Pro ($40 for 6 months or $70 for a year). Both versions support PPTP, L2TP-over-IPsec, and the Cisco flavor of IPsec used by iOS. The Basic flavor excludes a desktop SSL option, which may be needed in some countries or networks. Witopia provides unlimited bandwidth. Witopia offers a desktop VPN management program that handles connections, bypassing the Network preference pane, but it also provides manual setup guides for mobile and desktop operating systems.
publicVPN: A combined PPTP and L2TP-over-IPsec provider, publicVPN charges $7 a month or $70 per year, with no bandwidth limits. You have to type or tap in the configuration details manually.
TunnelBear: Works in Mac OS X and Windows only, and requires a software installation. A free version includes 500 MB of use each month, while the $5 per month and $50 per year offerings get rid of the bandwidth limits. It's optimized for video streaming, especially to get video services that aren't available in your country.
Those are only three. A search of the Web and the iTunes App Store will find dozens of other options. If one of those three doesn't meet your needs, you shouldn't have too much trouble finding one that does.
Glenn Fleishman is a senior contributor to Macworld, and is one of the writers of the Economist's Babbage blog. He is also the author of Take Control of Your 802.11n AirPort Network (2012, Take Control Books).
You should always use very secure passwords to access any site that has access to information you want to keep private, or which can pretend to be you. An example of the former is your on-line bank account. An example of the latter is your on-line e-mail account.
You should have unique passwords for the different sites you access. If a hacker learns your password to one site, you want to be sure that won't allow access to any other site.
There are on-line sites that will test the strength of your password, and even create secure passwords for you. Examples are:
The Password Meter: http://www.passwordmeter.com/
How Secure Is My Password: http://howsecureismypassword.net/
If you want to create a password that is both secure (hard for a computer to guess) and easy for you to remember, here is a method I tried. When I was a kid we had two dogs: a Great Dane, Stormy, and a German Shepherd, Gretchen. From that I created a little sentence:
I tested that password in How Secure Is My Password, and it said, "It would take a desktop PC about 4 decillion years to crack your password". That is secure enough for my needs. Using that technique I could create passwords about family members, home locations, cars owned, etc. -- in other words, plenty for my needs.
You can no doubt do something similar. Or think of another method to design your passwords. But whatever you do,
USE UNIQUE, SECURE PASSWORDS WHEN IT MATTERS.
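The two ideas above, a memorable sentence turned into a password and a crack-time estimate of the result, can be checked offline. The following is an added example written for this page, not code from the author or from the sites listed above. The sentence it uses is constructed (it is not the author's dog sentence, which is not reproduced here), the first-letter-plus-punctuation scheme is one possible mnemonic rule rather than the author's, and the guess rate of 10 billion guesses per second is an assumed figure for an offline attack against a fast hash. The entropy figure is an upper bound: it assumes the attacker knows only the character classes and the length, so a password built from a dictionary phrase is weaker than this estimate suggests.

```python
import math
import string

# Assumed attacker throughput for the estimate (constructed figure, not taken
# from the article or from any password-meter site).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def mnemonic(sentence: str) -> str:
    """Derive a password from a sentence: first character of each word plus
    any punctuation that trails the word.  One possible scheme, used here
    for illustration only."""
    out = []
    for word in sentence.split():
        out.append(word[0])
        trailing = ""
        for ch in reversed(word[1:]):
            if ch in string.punctuation:
                trailing = ch + trailing
            else:
                break
        out.append(trailing)
    return "".join(out)


def pool_size(password: str) -> int:
    """Size of the character pool implied by the classes the password uses."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation or c == " " for c in password):
        pool += len(string.punctuation) + 1  # 32 symbols plus space = 33
    return pool


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits: log2(pool ** length).
    This is an upper bound; dictionary words and patterns reduce it."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def years_to_exhaust(password: str, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate of the same pool and length."""
    return 2 ** entropy_bits(password) / guesses_per_second / SECONDS_PER_YEAR


def reuse_report(site_passwords: dict) -> dict:
    """Map every password used on more than one site to the sites sharing it,
    so reuse (the problem described above) can be spotted before a breach."""
    seen = {}
    for site, pw in site_passwords.items():
        seen.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in seen.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sentence, not the author's.
    sentence = "My 2 dogs, Stormy & Gretchen, slept on the porch!"
    pw = mnemonic(sentence)
    for candidate in ("Pass1234", pw):
        print(f"{candidate!r}: pool {pool_size(candidate)}, "
              f"{entropy_bits(candidate):.1f} bits, "
              f"{years_to_exhaust(candidate):.2e} years to exhaust")
    # Constructed site list with one password reused on two sites.
    print(reuse_report({"bank": "Pass1234", "mail": pw, "shop": "Pass1234"}))
```

The report shows why the same 8-character mixed password that looks strong on a meter is exhausted in well under a year at the assumed rate, while the 13-character sentence-derived password runs to hundreds of millions of years; it also flags any password that appears on more than one site.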
Once you have established secure AND unique passwords for your on-line sites, you encounter the issue of remembering them all. Unless your memory is incredible or the number of sites is very small, you'll probably need some help. Here are some things I do.
Gibson Research Corporation
This site will perform free tests of your on-line vulnerability, and has a great deal of information about threats.
BUT ARE SINGLE-USE CREDIT CARDS WORTH THE HASSLE?
By Caroline E. Mayer
John Roos used to be afraid to shop online. "I hate to give out my real credit card number," said the retired manager of a computer center.
But Roos, of New Rochelle, N. Y., recently bought a $500 TV online after he discovered a little-known credit card service that allows him to give Internet retailers a substitute credit card number for his account.
Offered to holders of Citi, Discover and MBNA cards, these "virtual credit cards," or single-use card numbers, are designed to give some peace of mind to consumers concerned about credit card fraud.
Although the system slightly differs on each card, the principle is the same: For no extra charge, consumers sign up at the credit card's Web site, often downloading software on their computers. Then, when they're ready to shop, they receive a randomly generated substitute 16-digit number that they can use at the online store. The number can be used once or, in some cases, repeatedly at the same store.
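To make the mechanism concrete, here is an added example (written for this page, not code from Citi, Discover, MBNA or Orbiscom) modelling the issuer's side of such a service: a random 16-digit substitute number is generated, bound to one merchant and optionally to a single use, and only the issuer's vault can map it back to the real account. The prefix, account numbers and merchant names are constructed placeholders; the Luhn check digit is included so the substitute passes the same format check as a real card number, which is why the substitute can be used anywhere a number is typed but cannot be charged by a store it was not issued for.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn check."""
    total = 0
    # Walk from the rightmost digit of partial; it is doubled because the
    # check digit will sit immediately to its right.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit."""
    return len(number) > 1 and number.isdigit() and \
        luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class VirtualCard:
    real_pan: str      # the cardholder's real account number
    merchant: str      # store the substitute was issued for
    single_use: bool   # one charge only, or repeatable at the same store
    used: bool = False


class VirtualCardIssuer:
    """Issuer-side vault for substitute numbers (constructed model).

    Only the issuer holds the mapping from substitute to real account, so a
    merchant that is breached exposes only numbers that are bound to it and,
    for single-use numbers, already spent.
    """

    PREFIX = "999999"  # hypothetical issuer prefix, not a real BIN

    def __init__(self) -> None:
        self._vault: Dict[str, VirtualCard] = {}

    def issue(self, real_pan: str, merchant: str, single_use: bool = True) -> str:
        """Generate a fresh 16-digit Luhn-valid substitute bound to merchant."""
        while True:
            body = self.PREFIX + "".join(secrets.choice("0123456789") for _ in range(9))
            number = body + luhn_check_digit(body)
            if number not in self._vault and number != real_pan:
                break
        self._vault[number] = VirtualCard(real_pan, merchant, single_use)
        return number

    def authorize(self, number: str, merchant: str) -> Optional[str]:
        """Return the real PAN to charge, or None when the substitute is refused."""
        if not luhn_valid(number):
            return None                      # malformed number
        card = self._vault.get(number)
        if card is None:
            return None                      # unknown substitute
        if card.merchant != merchant:
            return None                      # presented by a different store
        if card.single_use and card.used:
            return None                      # second use of a one-time number
        card.used = True
        return card.real_pan


if __name__ == "__main__":
    issuer = VirtualCardIssuer()
    real = "4111111111111111"               # constructed test account number
    vcn = issuer.issue(real, "shop.example")
    print("substitute:", vcn, "luhn ok:", luhn_valid(vcn))
    print("first charge at shop.example:", issuer.authorize(vcn, "shop.example"))
    print("second charge at shop.example:", issuer.authorize(vcn, "shop.example"))
    print("charge at other.example:", issuer.authorize(vcn, "other.example"))
```

The first charge resolves to the real account; the replay and the attempt from a different merchant are both refused, which is the property the article's "only the people who know the real number are you and us" quote describes from the cardholder's point of view.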
"The only people who know the real number are you and us," said Jim Donahue, spokesman for MBNA.
Phone, mail purchases
Although initially designed for Internet shopping, the card number can also be used to buy goods and services over the phone and through the mail, but it cannot be used for in-store purchases that require a traditional plastic card.
MBNA has been offering its ShopSafe program for three years. "It's very popular with the people who use it," Donahue said.
In fact, consumers who use the number tend to use it more often and spend more, according to Orbiscom, the Irish company that provides the technology to the three credit card issuers. Orbiscom declined to provide exact usage numbers, saying only that transactions are doubling every year.
Even so, credit card industry officials say it's not widely popular. American Express, for example, discontinued its virtual card last year because "only a very small number of card members signed up," said spokeswoman Kim Forde.
"This technology has been around for six years and has never caught on, despite all that we hear about compromising data centers and stealing key consumer information," said David Robertson, president of the Nilson Report, a newsletter that monitors the credit card industry. "Americans, by and large, are trustful of buying online."
Yet some credit card issuers say use is increasing with each report of identity theft, including the June disclosure that more than 40 million credit card numbers may have been compromised after a computer hacker broke into a card processing center.
Overall, 3.9 million Americans were victims of credit card fraud in the year that ended in May, according to a study by the research firm Gartner. That's down from 5.5 million the previous year. The study found that 46 percent of victims had no idea how the fraud occurred, but 21 percent said they thought their credit card number was stolen off the Internet. The previous year, 18 percent blamed the theft on the Internet.
Steve Furman, Discover's marketing director for e-commerce, said its program, Deskshop, has "grown at a fairly strong pace over the last six to eight months."
Many Internet security and privacy experts, however, question its necessity. "It's a good idea and clever, but I've never seen the need to use it," said Bruce Schneier, chief technology officer of Counterpane Internet Security. Noting that consumers have, at most, only a $50 liability if a credit card is fraudulently used, Schneier said, "I don't have a lot of risk here."
"For the consumer, it doesn't really buy that much except for peace of mind," said Richard M. Smith, an Internet security and privacy consultant based in
BUFFALO, N. Y. – Lying on his family room floor with assault weapons trained on him, shouts of "pedophile!" and "pornographer!" stinging like his fresh cuts and bruises, the Buffalo homeowner didn't need long to figure out the reason for the early morning wake-up call from a swarm of federal agents.
That new wireless router. He'd gotten fed up trying to set a password. Someone must have used his Internet connection, he thought.
"We know who you are! You downloaded thousands of images at 11:30 last night," the man's lawyer, Barry Covert, recounted the agents saying. They referred to a screen name, "Doldrum."
"No, I didn't," he insisted. "Somebody else could have but I didn't do anything like that."
"You're a creep ... just admit it," they said.
Law enforcement officials say the case is a cautionary tale. Their advice: Password-protect your wireless router.
Plenty of others would agree. The Sarasota, FL man, for example, who got a similar visit from the FBI last year after someone on a boat docked in a marina outside his building used a potato chip can as an antenna to boost his wireless signal and download an astounding 10 million images of child porn, or the North Syracuse, N. Y., man who in December 2009 opened his door to police who'd been following an electronic trail of illegal videos and images. The man's neighbor pleaded guilty April 12.
For two hours that March morning in Buffalo, agents tapped away at the homeowner's desktop computer, eventually taking it with them, along with his and his wife's iPads and iPhones.
Within three days, investigators determined the homeowner had been telling the truth: If someone was downloading child pornography through his wireless signal, it wasn't him. About a week later, agents arrested a 25-year-old neighbor and charged him with distribution of child pornography. The case is pending in federal court.
It's unknown how often unsecured routers have brought legal trouble for subscribers. Besides the criminal investigations, the Internet is full of anecdotal accounts of people who've had to fight accusations of illegally downloading music or movies.
Whether you're guilty or not, "you look like the suspect," said Orin Kerr, a professor at George Washington University Law School, who said that's just one of many reasons to secure home routers.
Experts say the more savvy hackers can go beyond just connecting to the Internet on the host's dime and monitor Internet activity and steal passwords or other sensitive information.
A study released in February provides a sense of how often computer users rely on the generosity — or technological shortcomings — of their neighbors to gain Internet access.
The poll conducted for the Wi-Fi Alliance, the industry group that promotes wireless technology standards, found that among 1,054 Americans age 18 and older, 32 percent acknowledged trying to access a Wi-Fi network that wasn't theirs. An estimated 201 million households worldwide use Wi-Fi networks, according to the alliance.
The same study, conducted by Wakefield Research, found that 40 percent said they would be more likely to trust someone with their house key than with their Wi-Fi network password.
For some, though, leaving their wireless router open to outside use is a philosophical decision, a way of returning the favor for the times they've hopped on to someone else's network to check e-mail or download directions while away from home.
"I think it's convenient and polite to have an open Wi-Fi network," said Rebecca Jeschke, whose home signal is accessible to anyone within range.
"Public Wi-Fi is for the common good and I'm happy to participate in that — and lots of people are," said Jeschke, a spokeswoman for the Electronic Frontier Foundation, a San Francisco-based nonprofit that takes on cyberspace civil liberties issues.
Experts say wireless routers come with encryption software, but setting it up means a trip to the manual.
The government's Computer Emergency Readiness Team recommends home users make their networks invisible to others by disabling broadcast of the network identifier (SSID), the function that lets a wireless access point announce its presence. It also advises users to replace any default network names or passwords, since those are widely known, and to keep an eye on the manufacturer's website for security patches or updates.
People who keep an open wireless router won't necessarily know when someone else is piggybacking on the signal, which usually reaches 300-400 feet, though a slower connection may be a clue.
For the Buffalo homeowner, who didn't want to be identified, the tip-off wasn't nearly as subtle.
It was 6:20 a.m. March 7 when he and his wife were awakened by the sound of someone breaking down their rear door. He threw a robe on and walked to the top of the stairs, looking down to see seven armed people with jackets bearing the initials I-C-E, which he didn't immediately know stood for Immigration and Customs Enforcement.
"They are screaming at him, 'Get down! Get down on the ground!' He's saying, 'Who are you? Who are you?'" Covert said.
"One of the agents runs up and basically throws him down the stairs, and he's got the cuts and bruises to show for it," said Covert, who said the homeowner plans no lawsuit. When he was allowed to get up, agents escorted him and watched as he used the bathroom and dressed.
The homeowner later got an apology from U.S. Attorney William Hochul and Immigration and Customs Enforcement Special Agent in Charge Lev Kubiak.
But this wasn't a case of officers rushing into the wrong house. Court filings show exactly what led them there and why.
On Feb. 11, an investigator with the Department of Homeland Security, which oversees cybersecurity enforcement, signed in to a peer-to-peer file sharing program from his office. After connecting with someone by the name of "Doldrum," the agent browsed through his shared files for videos and images and found images and videos depicting children engaged in sexual acts.
The agent identified the IP address, or unique identification number, of the router, then got the service provider to identify the subscriber.
Investigators could have taken an extra step before going inside the house and used a laptop or other device outside the home to see whether there was an unsecured signal. That alone wouldn't have exonerated the homeowner, but it would have raised the possibility that someone else was responsible for the downloads.
After a search of his devices proved the homeowner's innocence, investigators went back to the peer-to-peer software and looked at logs that showed what other IP addresses Doldrum had connected from. Two were associated with the State University of New York at Buffalo and accessed using a secure token that UB said was assigned to a student living in an apartment adjacent to the homeowner. Agents arrested John Luchetti March 17. He has pleaded not guilty to distribution of child pornography.
Luchetti is not charged with using his neighbor's Wi-Fi without permission. Whether it was illegal is up for debate.
"The question," said Kerr, "is whether it's unauthorized access and so you have to say, 'Is an open wireless point implicitly authorizing users or not?'
"We don't know," Kerr said. "The law prohibits unauthorized access and it's just not clear what's authorized with an open unsecured wireless."
In Germany, the country's top criminal court ruled last year that Internet users must secure their wireless connections to prevent others from illegally downloading data. The court said Internet users could be fined up to $126 if a third party takes advantage of their unprotected line, though it stopped short of holding the users responsible for illegal content downloaded by the third party.
The ruling came after a musician sued an Internet user whose wireless connection was used to download a song, which was then offered on an online file sharing network. The user was on vacation when the song was downloaded.