English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

WiFi + Airport = Lost password

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted February 12, 13:00  GMT
Tags: Wi-Fi, Identity Theft, Data Encryption, Data leaks
0.3
 

As most travelers know, many airports and VIP lounges offer Wi-Fi connectivity but, unfortunately, these connection are rarely encrypted.   Here’s an example:

 
All data sent and received travels in clear text, which means anyone could intercept the data for malicious purposes.  This unencrypted data could include passwords, logins, financial information like PIN codes, etc.
Many people also know that it’s always better to use a VPN connection.  However, in many cases,  VPN connection are filtered out and blocked by rules on the network firewall. I tried two different protocols and both were blocked.  Mostly network administrators don’t allow using VPNs from Public WiFi access points only because they want to make sure the network isn’t be used for malicious purposes without any readable network logs.  These policies actually allow to the bad guys to launch really easy  man-in-the-middle  attacks when all traffic pass through a malicious host.

The reality is that using a public Wi-Fi service can expose your really sensitive data to cybercriminals. Recently, we saw some famous people lose their Facebook and other social network passwords by using open (insecure) Wi-Fi connections.

So what is the solution when your VPN is blocked? Well, in some cases, an SSL (https) connection may help. Please, before going to any Website, type in the address bar https:// and then the domain name. After the page is loaded, please check if the certificate used for encryption is a valid one and issued to the site you’re visiting. If you see something wrong with the certificate, stop using the site.
Another solution is to use a cable Ethernet connection instead of a WiFi. Many lounges have such connection as well; it will be much safer for you.
In any case if you’re connected from a public place, it’s better not to use eBanking or ePayment services. That data is the main target for criminals. So, travel safe and keep your personal data safe as well!


10 comments

Oldest first
Threaded view
 

Debojyoti Das

2011 Feb 12, 20:22
0
 

Questions !

Hi Dmitry,

Today you blogged about a topic that has always led me to thoughts. I will be extremly happy if you please explain a few things to me. I really use the Airport lounges, being a PriorityPass member, and I too use WiFi. And it's always unprotected. So say when I am logging in to my Gmail account, can a guy with WireShark et al gain access to my login credentials? If I check my bank transactions, can he gain access to those credentials also?
Btw I am a Kaspersky Internet Security customer and I have got it installed in my Notebook. Does it protect me anyhow? And my mac has Eset Cybersecurity for Mac. Am I protected? Please clear my doubts !
Best, Jeet.

Reply    

Dmitry Bestuzhev

2011 Feb 12, 21:38
0
 

Re: Questions !

Hello Mr. Debojyoti

Thanks for your comment and the question. Basically the problem is on the network layer which is globally managed by the network administrator. In this case the better solution is to use always a strong VPN encryption (connection), so passwords couldn’t be stolen. However as I mentioned in the blogpost it’s not always possible due some restrictions by the administrator. In situations like this, when no VPN is possible to use, and there is an attacker with the man-in-the-middle attack on-going, any password can be stolen… even if you use a SSL. The problem is the attacker can fake any certificate, so he/she will easily decrypt all traffic.

So, if no VPN then use an Ethernet cable connection.

Reply    

Debojyoti Das

2011 Feb 13, 05:57
0
 

Re: Re: Questions !

Thank You so much Mr. Dmitry. Now I really know the answer a long asked question of mine. Thanks Again.
Best, Debojyoti.

Reply    

Konstantin

2011 Feb 21, 19:00
0
 

Re: Questions !

Hi Jeet,

I think that SSL connection to your Gmail account will be secure enough. Use this link to login https://gmail.google.com and check the server's sertificate, it should be in VerySign hierachy, which proves the site identity, and in addition SSL encrypts all communications with the server.

Best Regards,
Konstantin

Reply    

Nico

2011 Feb 13, 07:33
-1
 

RE "Wi-Fi service can expose your really sensitive data to cybercriminals"

Just opinion...
Wireless connection or wired... Secured traffic is secured traffic. If you talking about security and exposed credential, it is no matter what "last mile" do you have. People, who are hunting, personal credentials, encryption certificates and so on, will do their job even with your existing VPN (pairing traffic for PKI extraction for example, especially on M$ Windows platforms).

It is just talking about egg and chicken. So, if KaspLab placed egg affront and says "this is solution" (making money BTW), why not?

low level education in IT security of regular users is just a reason to have such of product on-board of their laptops, PCs, etc. It is kinda business, is it?

Simple solution is:
1. Enable firewall on your netbook/laptop/PC, and carefully research what traffic do you use, and what is necessary to pass in and out (DO NOT TRUST wizards of any firewall software, each wizard leaves back-door for "technical" reason even KaspLab products)
2. Be aware of what you gonna explore in Internet. Even you have super cool antivirus or any security enabled controlling software, this will not warranty that you will not get trojan-style virus, or rootkit, or fake login pages or any related which may be not yet recognizable by installed antivirus on your HW.
3. Even you have simple and proved traffic protection on your PC, you are not protected. Your PC is your PC, but rest of the world is opened even you are protected incide of your PC. Strong advise of ANY more less in mind security specialists — change your password, do not be lasy, change your personal credentials frequently (once a week, once a month, once... as «once» as possible)
4. Do not use M$ products. Tobe honest, it is rare situation that commercially delivered operating system is most patched, even KspLab products just developed as extension of file system interfaces, networking interfaces (as patch alternative of own M$). Did you think ever why? So, try alternative OSs, and enjoy most virus-free and stable user environments.
5. If you have business needs to access to your banking or incorporate resources, the best solution is to use dynamic encryption of traffic access for VPN access on numbers of ports (even on HTTP, HTTPS). What is dynamic encryption? It is mostly hardware implemented pass phrase generator for access to remote secured areas via VPNs. Yes, yes, VPN ports can be blocked, ask sysadmins to add for binding additional ports that can be available anywhere.
6. Never, never and never exchange your e-mails WITH NO SSL/TLS encrypted connection!
7. Do not afraid to use open Wireless networks – no difference in general will you use WiFi, GPRS or HSDPA.

Again, this is just opinion.

Reply    

Nguyen Nam Thanh

2011 Feb 15, 11:12
0
 

Need more information

Nice article sir,
I would like to know more information regarding "many famous people losing their password". Who are they?
Thanks

Reply    

Dmitry Bestuzhev

2011 Feb 15, 19:03
0
 

Re: Need more information

Thank you and there are some examples. Just think about some Missouri state representatives :)

Reply    

Dmitry Bestuzhev

2011 Feb 15, 19:09
0
 

Re: Re: Need more information

Some details about the incident here: http://www.stltoday.com/news/local/govt-and-politics/article_b6e40444-1414-563a-bf25-d28869ca4f0a.html

Reply    

roland90

2011 Sep 11, 07:30
0
 

how secure these solutions

I have found some vpn solutions but these are all free, I guess both are not so secure, in the middle of the way nothing and something. Here are the links: http://www.bfvpn.com/
https://www.vpnreactor.com/
What's your opinion?

Edited by roland90, 2011 Sep 11, 07:52

Reply    

CrySpy

2011 Oct 04, 16:51
0
 

Solution On Phone?

Sir, What is the best solution if we are browsing on our phone using WiFi that doesn't support VPN/Https? , because using cable is (almost) impossible
thanks

Reply    
If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Blog