Trilight Zone Forum Index Trilight Zone
Privacy & Anonymity is our specialty !
 

How to Prevent a Coffee Shop Wi-Fi Attack

 
trihub
Posted: Thu Aug 27, 2009 11:25 am    Post subject: How to Prevent a Coffee Shop Wi-Fi Attack

Article by Kenneth van Wyk
Source: http://www.esecurityplanet.com


The world just got a bit riskier for us “road warriors.” You see, there’s this perfect storm of risks lined up to make our lives a little more dangerous. Here’s why, and here’s what we can do to fight back.

In the last couple years, a new breed of mobile user has sprung up. Thanks in large part to the iPhone (and the iPhone-wannabees), the world now has a lot more mobile devices hungry for a live (and free) Wi-Fi connection. Sure, we’ve been using Wi-Fi for years, but at least for many of us, what was once the casual and even occasional laptop login has become a more convenient and far more frequent quick check for email, stock reports, headlines, etc.

We’re using our hyper-mobile devices all the time now. Standing in line at the coffee shop, we quickly fire up our pocket-sized devices to see what’s going on in the world.

Now, here’s where the risk storm comes in.

When you point your Wi-Fi interface at a local wireless access point (WAP), you’re implicitly trusting it. Say, for example, you’re in your favorite coffee shop and turn on your mobile device and see there’s a Wi-Fi net present—say, something like “Acme-wireless.” You see it’s not using WEP, so you blindly and courageously take the leap of faith and connect to it.

Once on the wireless, you bring up your browser and try to connect to a Web site. Looks fine, so you log in to that Web site, perhaps providing your login credentials (or a browser-stored cookie containing your login credentials). Away you go—and away your login credentials go. You’ve just fallen for the oldest trick in the book, the dreaded “man in the middle attack,” and your attacker now has your credentials/cookie.

How could that have happened, you ask? Well, when you signed onto “Acme-wireless,” you trusted that it was indeed “Acme-wireless” and that it is operated by an honest business. The only proof you had that it was indeed “Acme-wireless” was that it said so.

You’ve been duped.

Yes, it’s easy to do. It would be absolutely simple to configure a laptop PC to masquerade as “Acme-wireless” and then to collect login credentials from unsuspecting mobile users seeking a free Wi-Fi fix. After all, the Wi-Fi standard provides no mechanism for the user to authenticate the server. None. Nada. Zip.

And that’s just one kind of Wi-Fi-based attack. It gets worse. When you connect over Wi-Fi, a lot of relatively sensitive information (e.g., passwords, session IDs, cookies) is routinely passed unencrypted and is thus open to being trivially sniffed by anyone else on the same Wi-Fi site. That person sitting next to you in the coffee shop could well be running a sniffing tool like Wireshark and collecting anything sensitive that your browser or email client emits.

Now, combine all that with the fact that our hyper-mobile devices are getting smaller and smaller, while at the same time becoming more and more capable as powerful computing devices. Further, we’re starting to trust them more and more for connecting to sensitive network services, including financial services and such. That is to say that they are without a doubt becoming serious targets by the miscreants of the world who want to liberate your money from your wallet.
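Added example, not part of the original post or the quoted article: because the network name is the only "proof" an access point offers, a client-side check can at least compare what a scan reports against details verified out of band. The baseline, the scan records and the function names below are constructed for illustration.

```python
# Constructed baseline: networks verified out of band (e.g. BSSID and
# security mode read off the venue's own equipment or confirmed by staff).
BASELINE = {
    "Acme-wireless": {"bssids": {"00:11:22:33:44:55"}, "security": "WPA2"},
}

# Constructed scan results, in the shape a Wi-Fi scanner might report them.
SCAN = [
    {"ssid": "Acme-wireless", "bssid": "00:11:22:33:44:55", "security": "WPA2"},
    {"ssid": "Acme-wireless", "bssid": "02:AA:BB:CC:DD:EE", "security": "OPEN"},
    {"ssid": "Library-guest", "bssid": "00:25:9C:10:20:30", "security": "OPEN"},
]

# Relative ordering only; unknown modes are treated as weakest.
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


def is_locally_administered(bssid):
    """True if the MAC was not assigned from a vendor block (bit 1 of octet 0).
    Weak signal only: some legitimate APs use such addresses too."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def audit_scan(scan, baseline):
    """Return {bssid: [reasons]} for APs whose claimed name is not backed
    by the baseline. A clean result is NOT proof of authenticity, since a
    BSSID can be copied as easily as an SSID; only mismatches are informative."""
    findings = {}
    for ap in scan:
        reasons = []
        known = baseline.get(ap["ssid"])
        if known is None:
            reasons.append("ssid never verified out of band")
        else:
            if ap["bssid"].upper() not in known["bssids"]:
                reasons.append("unknown bssid for trusted ssid")
            if STRENGTH.get(ap["security"], 0) < STRENGTH[known["security"]]:
                reasons.append("weaker security than baseline")
        if is_locally_administered(ap["bssid"]):
            reasons.append("locally administered mac")
        if reasons:
            findings[ap["bssid"]] = reasons
    return findings


if __name__ == "__main__":
    for bssid, reasons in audit_scan(SCAN, BASELINE).items():
        print(bssid, "->", "; ".join(reasons))
```
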

