Mobile working Toolkit

Story: Be aware of wireless threats

• 
• 

Risks associated with wireless access are often misleadingly portrayed. It's all the worse when there is no real substance to the scare-mongering and when little or no practical advise is offered.

While common, this is unfortunate as it undermines already unduly low consumer confidence in what are generally 'secure' platforms (such as online banking and high profile commerce stores) and at the same time draws attention away from issues that are far more likely to effect everyday users.

Basic advice, such as; try to use WPA (or WPA2) encryption on your wireless connections rather than WEP, always have a local firewall active, tips on how to judge the trustworthiness of a site you don't know, and advice on how to verify the authenticity of a site, would all go a long way and be far more beneficial than vague warnings about the existence of an unseen threat.

It's worth being aware that everything you do on the internet can be intercepted by any host between your and your destination - not just your local wireless traffic.

This is one reason why end-to-end encryption between the client requesting the data and the server with the data is so important in the first place.

Not that you might think this from the impression given by some articles - including this one, but all online banking sites in the US and EU of course already use SSL encryption, as do all reputable e-commerce sites.

Likewise, any email that contains information you don't want to be viewable by a third party should be encrypted with a tool like PGP or GPG - or simply use a service like Hushmail.

Though it's worth pointing out if what your being sent is, as suggested, an update on how your sisters latest vacation is going, I think most people would be quite comfortable with the idea of putting that very same information on the back of an open postcard (as we've been doing for over a hundred years). That being the case, I doubt the idea of encrypting messages like that are going to be especially high on anyone's agenda.

What's more worrying however, is that if your using an unencrypted authentication scheme to actually get your mail (such as POP3 without SSL) someone could get a hold of your username and password and be able to read / delete all your mail (and, crucially, reset passwords on other accounts you have, thus gaining access to them). Fortunately, most reputable webmail platforms feature SSL sign-in which means even if people sniffing your traffic can read what your reading, they don't have access to your account thereafter.

In a similar vein, VPN clients for accessing remote networks (such as company file shares) are important on wired networks just as they are on wireless ones. As far as sensitive data is concerned, when your connecting over the internet, it's not just the wireless portion of the connection that's untrustworthy.

Tools to sniff and inject data into network traffic are not new - though it's fair to say they get a lot more publicity when the word 'wireless' comes up (and people tend to write whatever editors think will draw people to their publication). However, these tools work just as well on most wired networks and users would do well to remember that.

Your machine may be secure and patched up, but what about all your co-workers systems - or laptops from outside that get plugged in? The same also applies to some broadband cable installations - can you trust your neighbours, let alone the security of their systems?

There is no overriding logical reason to trust a wired network you don't know any more than you would trust a wireless network you don't know - and it can pay off to be sceptical even of networks you think you can trust.

In conclusion, while good wireless security is a worthy goal and extra vigilance is justified when joining an open network, at the end of the day if you want data to remain confidential during transmission you should always endeavour to use end-to-end encryption with a ver

• 
• 

• 
• 
• 

Full Talkback thread