On conducting confidential business on wireless networks...

Many of you out there use wireless networks on a daily basis. Some of you may even conduct important, confidential business on a wireless network. The bursts of radiation that emanate from your wireless device can be fairly easily captured by passersby. Unfortunately, this is part of what you give up for the convenience of wireless computing. Fortunately, you can be prepared and as close to secure as humanly possible. This requires knowing a bit about wireless networks and the steps you can take to ensure that you're computing securely independent of the nature of the wireless network you happen to be using.

The first thing that you should know about is wireless network encryption. Encryption in general is a way of securely communicating between two people where the message is encoded into what seems like gibberish before transmitting (and then it is translated from gibberish on the other side). Most wireless networks have a few options when it comes to encryption: none, WEP or WPA.

No encryption means that the wireless packets transmitted from your wireless device and from the wireless network are not encrypted. An attacker could capture these signals and see almost exactly the information that you see on your wireless device.

WEP and WPA encryption are very similar. Both of these types of encryption ensure that the signals that leave and enter your wireless device are enciphered so that it makes it difficult for a passerby to eavesdrop. Unfortunately, WEP is both the most commonly used form of wireless network encryption and the most insecure. That is, with a good deal of traffic in the air (which serves as "data" for the intruder), WEP encryption can be hacked. WPA is a more robust encryption scheme where the encryption changes now and then which makes it much harder for an intruder--casual or determined--to eavesdrop.

Unless you don't do a lot of mobile wireless computing, you'll likely be using a mixture of the three encryption options above. For example, at UC Berkeley we have Airbears which is unencrypted.

With the ubiquity of unencrypted wireless networks (and even with the weak encryption afforded by WEP), there are a few things you should do in order to ensure that you can conduct confidential, secure business:

1. Secure terminal: If you read your email by opening up a terminal and telneting to a computer, you should make sure that you are using an encrypted telnet program. Their are proprietary programs but OpenSSH is a free(dom) version that does the job well.
2. Secure file transfer: For file transfer, you should always use SFTP as opposed to FTP. OpenSSH mentioned above provides SFTP with the SSH program.
3. Secure web surfing: Probably the most frequent use of the Internet, surfing, is the least secure on wireless networks. Anytime that you type in a web page that begins with "http://" on an unencrypted wireless network, your traffic can be seen by an adversary. Secure, encrypted surfing is provided by most web browsers through "https://" (the "s" means secure). Unfortunately, you can't just type "https://" in front of any web address to ensure security as most web pages don't offer an "https://" option. Have no fear, with a service like Megaproxy, you can surf using "https://" for any web page (the information is actually sent to megaproxy's servers unsecured and then encrypted and sent to your browser).

Posted by joebeone at Noviembre 30, 2003 09:37 AM