Monday, May 25, 2009

Using free public wireless internet

What do you do when you want to use the internet, but don't have your own connection? Most people will search for a wireless signal and try to get "free internet." Most coffee shops, airports, hotels, schools, etc., provide free WiFi. Everyone likes FREE stuff, but if you are sending any personal information, you may want to think twice because Mr. Stranger might be able to read it.

Imagine you are at a party, and you see two of your best friends. You have some wonderful personal news to tell them, and you get them together to share your news (in the middle of the crowd.) As you talk with your two friends, a nosy Mr. Stranger is curious about what's going on, walks by casually, listens intently, and overhears your conversation. Something similar could also happen when using free public wireless internet.

When you are using a wireless network, you are sending and receiving messages back and forth with the wireless router you are connected to, via radio waves. You're having a conversation with the router (although not a very personal one - the router is more like a middleman. It just relays the messages.) Any computer within range (i.e. any computer the radio waves can reach) can also hear your conversation. Usually computers ignore messages that are not addressed to them. However, a malicious Mr. Stranger could use various tools on his computer to read those messages. (This is called packet sniffing, although packet sniffing is not always malicious.)


For example, in the picture above - all the computers could potentially see what messages others are sending to and receiving from the router (if the messages aren't encrypted.) Computer ABC can see the username and password Computer XYZ is using to log into the insecure web site toothbrush.com, as well as the email to Bob that you are sending. If you are just surfing the web, such as checking sports scores or the weather forecast, then you may not care if others can see what you're doing.
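As an added illustration (not part of the original post), here is a small Python script that models what a passive listener in radio range can learn from a few constructed requests, using the hypothetical toothbrush.com login from the text. The host names and form fields are made up; the rule it applies is that over plain http the host, path and every field are readable, while over https the listener still sees which host you are talking to but not what you say.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests, not real captures: a login to the insecure site from the
# post, a webmail action over https, and a plain weather lookup.
SAMPLE_REQUESTS = [
    {"url": "http://toothbrush.com/login", "method": "POST",
     "body": "user=xyz&password=brush4life"},
    {"url": "https://mail.google.com/mail/", "method": "POST",
     "body": "to=bob@example.com&subject=hi&message=see+you+sunday"},
    {"url": "http://weather.example.com/forecast?zip=12345", "method": "GET", "body": ""},
]

# Field-name tokens that usually carry something you would not want overheard.
SENSITIVE_TOKENS = {"password", "passwd", "pin", "ssn", "card", "account", "secret", "token"}


def is_sensitive(field_name):
    """'credit_card' -> True, 'shipping_zip' -> False (whole tokens, not substrings)."""
    tokens = re.split(r"[_\-.]", field_name.lower())
    return any(tok in SENSITIVE_TOKENS for tok in tokens)


def listener_view(request):
    """What someone in radio range can learn from one request.
    Plain http: host, path and every form field. https: the host name is still
    visible (DNS and the TLS handshake reveal it) but path, query and body are noise."""
    parts = urlsplit(request["url"])
    encrypted = parts.scheme == "https"
    view = {"host": parts.hostname, "encrypted": encrypted, "fields": {}}
    if not encrypted:
        view["path"] = parts.path
        view["fields"] = dict(parse_qsl(parts.query) + parse_qsl(request["body"]))
    return view


def exposed_secrets(requests):
    """(host, field) pairs that were sent in the clear and look sensitive."""
    found = []
    for req in requests:
        view = listener_view(req)
        for name in view["fields"]:
            if is_sensitive(name):
                found.append((view["host"], name))
    return found


if __name__ == "__main__":
    print(exposed_secrets(SAMPLE_REQUESTS))
```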

This is why it is important to make sure you are using encryption when sending confidential information over a wireless connection. Using encryption is like using your own invented language with your friends so that no one else can understand. People can still hear what you're saying, and who you are saying it to, but they won't understand what you're saying (unless they figure out your invented language.)

Turning on the gmail security setting suggested in the last post makes your computer and the gmail server use their own invented language.

Other web sites that require a password may or may not use encryption. Most will at least encrypt your password, but some possibly do not. If you use your own wireless network and have configured it so that you need a password to connect to your own router (e.g. using WEP or WPA), then you are using encryption over your wireless connection - your computer and your wireless router are using their own language to talk.

More on what uses encryption (and how you can tell), and how to secure your own wireless network later.

Saturday, May 16, 2009

Make your connection to Gmail a little more secure

For those of you who use Gmail, check off this little box "Always use https" in your email settings (click on "Settings" and go to the bottom of the "General" tab) to make your connection to Gmail a little more secure:



About a year ago (see this Gmail blog entry), Google made this feature available - it is NOT on by default, and so YOU have to turn it on. (I'm surprised they don't have it on for everyone by default! They really should!)

What does this help protect against? Well, say you are at Starbucks using their free Wi-Fi (or just using any nonsecure network) - someone could easily "listen in" on your connection to Gmail and see the emails sent between Gmail's servers and your computer. This feature helps to protect against that.

Instead of seeing your message "Hi Joe, my account number is 23443212334. Can you transfer me the $20 you owe me?" someone attempting to view your mail will see junk like this: "k1q4w!mjherptjh7eff3kjahdnfxwweitunyxqwkhr8ej k5n3j875nsozj1j&h.3mi"

Note that this ONLY helps protect the connection you have between your computer and Gmail's computer. (Your message itself is NOT encrypted for the recipient.) It protects against those people at coffee shops and other nonsecure networks listening in on your connection with gmail.
It has NO effect at all upon the rest of the path your email must travel to get to your recipient. (Your email administrator could still read your mail. If your email is stored on an insecure server along the way, it could be read. Mr. Stranger could listen in when your friend retrieves the message you sent him if he's using an insecure connection, etc.)

More on using "free public internet" later.

Wednesday, May 13, 2009

The importance of a good password (especially for your email account)


Imagine if some key/lock maker only made a few different keys - square, circular, and triangular. These locks would not provide good security at all - Mr. Stranger could easily try each possible shape and then get into your house, car, etc.

It's the same with passwords. Is your password easily guessable? Is it "password123"? If I tried every word in the dictionary could I get it? Is it your username (or some permutation of it)? Your username + your birth year? If you have a guessable password, Mr. Stranger could probably guess it eventually, after some number of tries.
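As an added example (not from the original post), a small Python checker that applies the post's own list of cheap guesses: dictionary words with digits appended, the username or a simple permutation of it, and username plus birth year. The word list is a constructed stand-in; a real check would load a full dictionary and a list of leaked passwords.

```python
import re

# Constructed mini wordlist for the demo; a real check would load a full dictionary
# and a list of leaked passwords instead.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "sunshine",
                "football", "qwerty", "iloveyou"}


def guessable_reasons(password, username="", birth_year=None):
    """Return the reasons a password would fall to the guesses the post lists.
    An empty list does not make the password strong; it only rules out the
    obvious shapes."""
    reasons = []
    p = password.lower()
    base = re.sub(r"\d+$", "", p)           # "password123" -> "password"
    user = username.lower().split("@")[0]   # "joe@example.com" -> "joe"
    if base in COMMON_WORDS:
        reasons.append("dictionary word, possibly with digits appended")
    if user:
        permutations = {user, user[::-1], user.replace(".", ""), user.replace("_", "")}
        # reversed, punctuation stripped, or the same letters rearranged
        if base in permutations or p in permutations or sorted(p) == sorted(user):
            reasons.append("username or a simple permutation of it")
        if birth_year is not None:
            year = str(birth_year)
            if p in {user + year, user + year[-2:], year + user}:
                reasons.append("username + birth year")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if password.isalpha() or password.isdigit():
        reasons.append("only letters or only digits")
    return reasons


def shape(password, username="", birth_year=None):
    """The post's lock analogy: 'square' if any cheap guess works, else 'complex'."""
    return "square" if guessable_reasons(password, username, birth_year) else "complex"


if __name__ == "__main__":
    print(guessable_reasons("joe1985", "joe@example.com", 1985))
```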

Let's see what Mr. Stranger could do if he guessed the password to your main email account:
Obviously, he would be able to read ALL of your email. If you have any confidential information, such as other passwords, credit card numbers, social security number (which you shouldn't store on your email server anyway), Mr. Stranger would be able to see it.

He might be able to see where/when/with whom you are having dinner this weekend. A lot of personal information (how much email do you have stored?) could be extracted.
He would also have access to your contact list and all their email addresses (perhaps he'll make a copy for himself and sell this list to someone). He could send mail to them from your account without you ever knowing. (Hopefully he says something nice.)
If you use gmail, your gmail password would also provide access to any of the other Google applications you use - Mr. Stranger could view your calendar. He could see all your calendar events, read your google documents, make changes, etc.
If you use the same password for any other sites, Mr. Stranger now knows the password to your other accounts and could try using it.

Mr. Stranger could easily change your password and log into your account on any of those sites that use an email-based password recovery mechanism. Even if you use a different password for other sites, many other accounts are linked to your email address. For example, if you forget your password on Facebook, Xanga, Amazon, etc., you can ask them to send you an email with a temporary password or link so that you may reset your password.

Once Mr. Stranger gets into Xanga, he could read your private entries or read your friends' entries, and write, delete or change any of your entries. He could do some pretty mean things.
If Mr. Stranger gets into Facebook, he would be able to see all your friends and their info (like telephone number, address, pictures..), and send them all messages (hopefully nothing mean or misleading), post pictures, delete stuff, etc. Just imagine the possibilities.
If Mr. Stranger logs into your Amazon account, and you have your credit card information stored and linked to your Amazon account, Mr. Stranger could order some items and have them delivered. (Luckily Amazon limits using saved credit card data to addresses you have used before.) He could delete emails or change the listed email address so you notice the purchases later rather than sooner.
If Mr. Stranger can find out your social security number, account number, or other information stored in your email somewhere, he might also be able to use it to log into your online bank account (he knows what accounts you have because he scanned your inbox) and do some damage there.

Pretty scary huh? (I don't mean to scare you, just showing you what's possible.)
Hopefully you don't have a square-shaped password.

Saturday, May 9, 2009

Email is not encrypted (so it's not private)!

Chances are, you use email. And chances are, you don't use encrypted email.

Gmail, Yahoo mail, etc. are all not encrypted!

Sending an email is like sending a letter in the mail. Between the time you put it in the mailbox to when your recipient finally receives it, your letter will be handled by many different people and go through different mail hubs and delivery vehicles. Anywhere along the path someone could potentially open your letter and read it. Similarly, email is sent through various hubs and handled by different servers, and anyone along the way could potentially read it. And if a delivery truck or storage facility (or, in the case of email, a computer system or hardware device) is left open and unlocked, your mail is even more exposed. Just because you have to type a password to get to your mail, or because your email is delivered to your blackberry which only you access, does not mean it was safe during its journey.

Actually, sending an email is more like sending a postcard. When you send a letter in an envelope, the recipient is likely able to see if the envelope has been tampered with. However, with a postcard, anyone can read it along the way. You cannot tell if the message on your postcard has been kept private. Email is like that. If someone (or multiple people) reads your email, there's no way you can tell.

Email is also like a telephone call. Anyone who can listen on the line can find out what your email is about. Worse, the message in your email is likely "played" multiple times while it's being delivered - once for every hop between the nodes it passes through.

Furthermore, copies of your email are probably made along the way to being delivered. If anyone can gain access to any of the systems holding a copy of your email, then it can be read. (BTW, your email administrator could easily read your mail.)

The moral of the story is when using [unencrypted] email, you should NOT send information considered private (such as account numbers, passwords, SSN, personal information, etc.) (Would you send cash through regular snail mail?)

Intro - Be aware and be safe

I've seen and had friends tell me they were affected by this virus or that, or had their credit card stolen.. etc.. Or sometimes a friend will use some web site or technology in some way that I'd frown upon. I get a bit frustrated sometimes. These folks I know are intelligent people and are using web sites, tools, and other technology in a way that seems okay. However, what seems okay is not always safe.. but sometimes we just didn't know.

A parent teaches a child the importance of looking both ways before crossing the street and not talking to strangers. Airplane passengers are asked to always watch their luggage in an airport. Health officials remind us to cover our mouths and noses when we cough/sneeze. We live in a physical world with different kinds of threats, and we are all taught about things such as the above and why we do them.

We also need to protect ourselves in this age of technology. Every day users are doing more and more on the Internet, on computers, and with technology - making purchases, sending personal messages, paying bills, posting pictures, doing their taxes, etc. One thing that is different about the online world is that you don't see the bad guys. Also, technology is changing so fast, you might not be aware of the implications of using the latest cool tool.

Just like the physical world, the online world has its own threats - sometimes because some technology messed up, but mostly because there are malicious people out there who are using the technology and taking advantage of any potential holes. As we use the Internet and other technology more and more, we need to be aware and to know how to be safe.

I intend to post about various things that I think the average user should know and be aware of, things that I come across. Unfortunately, many people are victims of various online attacks before they even know it.