Security at WiFi Hotspots

Connecting to a random WiFi hotspot is much like strolling into a bar in a strange part of town. Most likely you'll have a good time, but it could ruin your day. It's wise to assume that all hotspots harbor predators, and take appropriate precautions.

Using a computer at a library, Internet cafe, or hotel "business center" is even more risky than using your laptop at a hotspot. And while you're out and about, don't forget about the physical security of your laptop.

Before you read your email, or do any business at a WiFi hotspot...

Here's an excerpt from Microsoft's page about picking "Public network" for best security at public locations:

Choose Public network for networks in public places (such as coffee shops or airports). This location is designed to keep your computer from being visible to other computers around you and to help protect your computer from any malicious software from the Internet. HomeGroup is not available on public networks, and network discovery is turned off. You should also choose this option if you're connected directly to the Internet without using a router, or if you have a mobile broadband connection.
If you know you won't need to share files or printers, the safest choice is Public network.

Some features of "Public network" are implemented via the Windows firewall. If you're using another firewall, you should consider how to configure it for similar protection.

More things to consider
VPNs (virtual private networks) for serious business

You always face serious risk when using public WiFi hotspots or public broadband (Ethernet) connections, such as those at hotels or truck stops. It is even more risky to use public computers at libraries, Internet cafes, or hotel business centers.

And don't count on SSL (secure connections with https, and the padlock) to keep your information private. They may have fixed it by now, but as an example, it has been possible to "sidejack" the highly-regarded Gmail application by simply listening to traffic at a hotspot, using nothing more than a laptop and a little free software.

VPNs offer a good way for serious road warriors to avoid these problems. VPNs use encryption to "tunnel" right through insecure connections. You can rent VPNs by the month or by the year at Witopia or HotSpotVPN. Hotspot Shield is a free (ad-supported) VPN service recommended by Sunbelt Software (security software) and others.

Wireless hotspot service providers -- e.g., TMobile Hotspot, Boingo Wireless, iPass -- provide a degree of enhanced security. But they still recommend that you use a VPN.

The security scene at Starbucks and other public hotspots.
Reading your email safely at hotspots without using a VPN -- if you dare.

Robert Graham, the CEO of Errata Security, has demonstrated that it's easy to intercept session IDs (cookies or random strings in the session URL) from nearly all popular web applications, such as Gmail, Hotmail and Yahoo Mail, when you're using WiFi. Interception works even if you're using Secure Sockets Layer (SSL) [https://mail.google.com/mail (with the closed padlock icon)].

The web server does not use your password to authenticate each exchange during a session. It sets a cookie, or other session identifier, at the start and then interrogates the ID to validate subsequent transactions. All the attacker has to do is clone your cookie or other ID and he/she can also connect with your account. In fact you can both access your account at the same time. The attacker can then download all your email messages, and even send messages as you. :-(

Here's how Larry Dignam at ZDNet explains it: "Gmail in SSL https mode was thought to be safe because it encrypted everything, but it turns out that Gmail's JavaScript code will fall back to non-encrypted http mode if https isn't available. This is actually a very common scenario anytime a laptop connects to a hotspot before the user signs in where the laptop will attempt to connect to Gmail if the application is opened but it won't be able to connect to anything. At that point in time Gmail's JavaScripts will attempt to communicate via unencrypted http mode and it's game over if someone is capturing the data."

The conclusion at this time is that you can't trust web mail. Not just current messages, but all stored messages are vulnerable. So, what's the solution? If you're going to use web mail, using Gmail can help, but it's not foolproof. Be sure you log off from Gmail each and every time when you finish using it. That prevents transmission of the unencrypted Gmail cookie before you log in at the next hotspot.
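The two paragraphs above describe the mechanism (the server trusts a session cookie after login) and the failure mode (the cookie is replayed over plain http when the page falls back). The standard defence on the server side is the cookie's `Secure` attribute, which browsers honour by never sending the cookie on an http request, and `HttpOnly`, which keeps it away from page scripts. The following is an added example written for this page, not code from Gmail, ZDNet or Errata Security: it parses `Set-Cookie` headers, reports which session cookies lack those attributes, and models which cookies a browser would transmit on an http versus https request. The cookie names and token values are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample Set-Cookie headers (not real Gmail cookies).
WEAK_SET_COOKIE = "LEGACY_SID=constructed-token-1234; Path=/; Domain=mail.example.com"
HARDENED_SET_COOKIE = (
    "SID=constructed-token-5678; Path=/; Domain=mail.example.com; Secure; HttpOnly"
)


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are lowercased; flag attributes (Secure, HttpOnly) map to True.
    attrs: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return self.attrs.get("secure") is True

    @property
    def httponly(self) -> bool:
        return self.attrs.get("httponly") is True


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie record."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        # Attributes with a value (Path=/) keep it; bare flags become True.
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit_session_cookie(header: str) -> list:
    """Return short finding codes for a session cookie that a hotspot
    eavesdropper could capture or a page script could read."""
    cookie = parse_set_cookie(header)
    findings = []
    if not cookie.secure:
        # Without Secure the browser sends the cookie on any http request,
        # so an https-to-http fallback exposes it on the wire.
        findings.append("missing-secure")
    if not cookie.httponly:
        findings.append("missing-httponly")
    return findings


def cookies_sent_over(cookies: list, scheme: str) -> list:
    """Model the browser rule: Secure cookies travel only over https."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    return [c.name for c in cookies if scheme == "https" or not c.secure]


if __name__ == "__main__":
    jar = [parse_set_cookie(WEAK_SET_COOKIE), parse_set_cookie(HARDENED_SET_COOKIE)]
    for header in (WEAK_SET_COOKIE, HARDENED_SET_COOKIE):
        print(header.split(";")[0], "->", audit_session_cookie(header) or "ok")
    print("sent over http :", cookies_sent_over(jar, "http"))
    print("sent over https:", cookies_sent_over(jar, "https"))
```

Run against the constructed headers, the weak cookie is flagged on both counts and is the only one the browser would include on the plain-http request that the fallback described above produces; the hardened cookie stays on the https side, which is why logging out (so no session cookie exists to replay) and the `Secure` attribute address the same exposure from the user's and the server's side respectively.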

The solution is to use an email client such as Thunderbird, not Web mail, to connect with your email account. And make sure it's using SSL or TLS (Transport Layer Security, the successor to Secure Sockets Layer (SSL)).

More on protecting yourself at public hotspots