No, nothing to do with drive-by downloads…
Our colleagues in Europe came up with a nice idea: an article on the dangers of web surfing on free wi-fi and some tips on staying safe. (A topic dear to the hearts of all of us who find ourselves out and about with our laptops from time to time, though I usually find myself sitting in airports and hotels rather than in parks or by city fountains. Ah well…)
I’m sure I don’t have to tell you that wi-fi is intrinsically not, in general, as safe as wired connections (and no, you shouldn’t assume that a wired connection is safe: there may be such a thing as a free lunch – I had one myself last week (thank you, AMTSO!) - but safe networks are another matter). So ESET have come up with a few tips on precautions that you can take to make your summer surfing experience a little safer, though most of them aren’t particularly unique to using wi-fi.
- Keep your system and applications updated. Of course, you should be doing this all the time anyway, not just in order to feel safe when you’re browsing in the park. And talking of browsers, while there are plenty of malicious sites that use drive-by browser exploits, don’t forget that a lot of current malware reaches its target via PDFs, Microsoft Office documents and so on. Which means that you need to keep applications like Adobe Reader and Office up-to-date with patches. Fortunately, the big players in those sectors, like Microsoft, Adobe, and indeed Apple and Linux, are getting better at making it hard to avoid updating than it is to update
- Change your passwords frequently: painful though most of us find this, it does limit the extent to which your systems are exposed if something does get through.
- Use different passwords for different accounts and resources, so that if one does leak, it doesn’t mean that an attacker has access to everything you own and every service you access.
- Use strong passwords or passphrases – a combination of upper and lower-case letters, numbers, and other characters. There’s a document I put together some years ago on selecting passwords here (actually, there are lots of good resources on the Saving Our eCity website: see the link at the end of this blog). There’s also a more recent document by Randy and myself due to appear shortly on the white papers page (also linked below).
- Create a specific user profile for public surfing. Don’t use your current profile, especially if it has administrator rights. Using a profile that doesn’t have administrator privileges is likely to restrict the amount of damage an attacker can do if he does get access to your system.
- Back up your data before you take your laptop out. Then, if your laptop is stolen or damaged, then you won’t have lost all that information (though you should still change passwords straightaway if the PC is lost. We can all take a lesson from this: when I was mugged in Windhoek last year, I was able to replace all the kit that was stolen, but it was only a matter of luck that I wasn’t carrying my laptop: if that had been gone, I would have lost some data, and it could have set me back many months.
- Make sure you your security software is updated regularly and automatically, but don’t assume it will protect you from everything. Wi-fi is inherently insecure and you need to use common sense as well.
- The guys in Europe quote Pierre-Marc on the subject of Man-In-The-Middle (MITM) attacks: “If someone else is on the network, he can modify network traffic and let you think you are dealing with your bank while, in reality, you are sending him all your credentials.”
- WEP encryption, as used on many Wi-Fi networks, is weak and easy to crack: later protocols (WPA and, better, WPA2 are better, but you shouldn’t assume that they’ll protect you from all kinds of attacks.
- I’d always recommend disabling the sharing of files or folders, but it’s not just the settings on your computer that can save you from the hacker’s grasp, but you also need to take care which sites you surf. Wherever possible, avoid connecting to websites that involve the transfer of sensitive information, such as online banking and if you must access webmail, use the HTTPS option. Also, make sure your browser and supplementary and helper applications such as Flash and Adobe Reader are kept fully patched, if you must use them, given all the Adobe exploits around at the moment.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/