Security Experts:

How Logging On From Starbucks Can Compromise Your Corporate Security

Do you allow your employees to surf using open wireless networks from their phones or laptops? What are the easiest ways that attackers can sniff email or gain access to corporate information from these devices? What are the best ways to protect corporation information on the go?

Open Wi-Fi is becoming increasingly pervasive on Main Street, but it's rarely secure. Ubiquitous franchise operations, including Starbucks and McDonald's, now offer their customers free wireless Internet access from tens of thousands of branches throughout the United States and beyond. A productivity boon to mobile workers using laptops, smartphones or tablets, these convenient services nevertheless present security risks of which security officers should be aware.

Is Public Wi-Fi Secure?

Facing the trade-off between user friendliness and security, operators of public Wi-Fi hot spots are increasingly choosing in favor of customer convenience. Free Wi-Fi can be a cheap loss leader to attract business, and making hot spots easily accessible reduces the time and expense required to retrain baristas as technical support operatives. This means, though, that the responsibility for data security is delegated to the user. But if the user is one of your employees who is using public Wi-Fi to access corporate systems such as e-mail, the onus is actually on you. Attacks over unsecured Wi-Fi are often surprisingly easy to execute, but there are defenses that can be deployed.

Packet Sniffing

Unencrypted traffic passing over the public airwaves is prone to be captured by attackers. Packets can be "sniffed" from the air and reassembled into usable information, such as passwords and cookies, on the attacker's laptop. Some older forms of wireless encryption, such as Wired Equivalent Privacy (WEP), are not sufficient to prevent such attacks; tools have existed for several years that let inexperienced hackers crack WEP keys in as little as five minutes.

Sniffing attacks have been automated to the point where they are now available as browser plug-ins with handy graphical interfaces, usable by attackers with little to no technical ability. For example, the Firesheep plug-in for Firefox automatically sniffs out cookies for Web mail and social networking sites, and then it allows the attacker to log in as the victim and hijack the session with a simple click. Since social networking sites are being increasingly used as business tools to connect with customers, this kind of attack has the potential to cause real damage to brands.

Rogue Access Points

A common, simple strategy for opportunistic attackers is to entice victims to connect directly to their laptops over Wi-Fi by configuring their machines to act as rogue soft access points. Easily established, a rogue access point acts as a node in an ad hoc peer-to-peer network, becoming a bridge between victims and a real access point. These can often be spotted in coffee shops, airports and hotels disingenuously using network names such as "Free Public Wi-Fi." Victims connecting to such networks find themselves with Internet access, and may not be aware that the attacker is capturing all of their traffic. This is a form of the “man-in-the-middle” attack and, unless the transmitted data is encrypted, it should be considered compromised.

Evil Twin Attacks

The Evil Twin is a related form of attack that relies on the fact that operating systems often remember users' preferred Wi-Fi networks and attempt to auto-connect to them the next time they come into range. By capturing and rebroadcasting an identical network SSID (that’s to say, the name of the open Wi-Fi network), an attacker with an access point in his laptop can fool his victim’s machines into connecting to his device instead of the legitimate hub. The attacker may also arrange for the real access point to be taken offline, either physically or with a denial of service attack. The opportunity for such attacks becomes more straightforward when many branches of the same coffee shop or restaurant franchise all use the same SSID for their Wi-Fi services.
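The rogue-access-point and Evil Twin warnings above describe symptoms a client can look for on its own: the same SSID advertised both open and encrypted, a remembered network showing up with different security than was saved, or an open network set to auto-connect. The following audit is an added example written for this article, not code from the author or from any vendor; the scan results, saved profiles and the "locally administered MAC" heuristic are constructed illustrations.

```python
from collections import defaultdict

# Constructed scan results: (SSID, BSSID, security). Two legitimate
# CoffeeCo APs share an SSID, which is normal for a multi-AP venue.
SCAN = [
    ("CoffeeCo_Free", "00:1a:2b:00:00:01", "open"),
    ("CoffeeCo_Free", "00:1a:2b:00:00:02", "open"),
    ("CoffeeCo_Free", "02:1f:3b:9c:7e:d1", "open"),   # twin on a soft-AP-like MAC
    ("Free Public Wi-Fi", "06:7a:12:de:ad:01", "open"),
    ("AcmeCorp-Guest", "00:1a:2b:11:22:33", "wpa2"),
    ("AcmeCorp-Guest", "0a:de:ad:be:ef:02", "open"),   # same name, no encryption
]

# Constructed saved profiles on the laptop: SSID -> (security, auto-connect).
SAVED = {
    "CoffeeCo_Free": ("open", True),
    "AcmeCorp-Guest": ("wpa2", True),
    "HomeNet": ("wpa2", True),
}

def locally_administered(bssid):
    """Heuristic: bit 0x02 of the first octet marks a locally administered
    MAC, common on virtual/soft interfaces rather than factory-assigned APs."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0

def audit_scan(scan, saved):
    """Return a list of finding tuples for suspicious SSIDs and client settings."""
    findings = []
    by_ssid = defaultdict(list)
    for ssid, bssid, sec in scan:
        by_ssid[ssid].append((bssid, sec))
    for ssid, aps in by_ssid.items():
        if len({sec for _, sec in aps}) > 1:
            findings.append(("mixed-security", ssid))   # open and encrypted twins
        if ssid in saved:
            saved_sec, auto = saved[ssid]
            if auto and saved_sec == "open":
                findings.append(("auto-connect-open", ssid))  # policy: manual only
            for bssid, sec in aps:
                if sec != saved_sec:
                    findings.append(("security-mismatch", ssid, bssid))
        for bssid, sec in aps:
            if sec == "open" and locally_administered(bssid):
                findings.append(("soft-ap-like", ssid, bssid))
    return findings

if __name__ == "__main__":
    for finding in audit_scan(SCAN, SAVED):
        print(*finding)
```

None of these checks proves an attack; they are cues for the client to refuse auto-connecting and for the user to pick the network deliberately, which is the manual-connection policy recommended later in the article.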

Encryption

CIOs must assume that many workers will at some point use company-issued or personal devices to conduct business on unsecured Wi-Fi networks. Outright bans of such behavior would be difficult to enforce and even counter-productive. Given that the types of attack under discussion here are generally opportunistic in nature, the level of security often may only need to be sufficient to bore the attacker into targeting a different potential victim sitting at a different table.

If you wish to enable employees to access protected corporate information, including email, from unsecured locations, a Virtual Private Network (VPN) client is a must-have. A VPN tunnel encrypts everything from the user to the edge of the enterprise network, regardless of whether the wireless signal itself is encrypted. If any packets are intercepted, they are useless to the attacker without the corresponding cryptographic key. VPNs that use Secure Sockets Layer (SSL) to create their tunnels also provide an adequate level of encryption for resources such as Web-based access to corporate email.

Secure Configuration

Some of the attacks outlined above can be mitigated with sound client configuration policies. For example, policies should mandate turning off the directory-sharing features of Windows. Firewall use should be strictly enforced. Users should be required to manually, rather than automatically, connect to Wi-Fi networks, to reduce the risk of accidentally connecting to a rogue access point. Agent software is available from several vendors to make the process of managing Wi-Fi preferences simpler.

Secure HTTP access (known as “HTTPS”) should be enforced for public websites whenever possible. Sites such as Twitter and Facebook, along with several Google services, are among those that now enable the use of HTTPS for every page on their sites, rather than only on the login page. Sessions encrypted this way provide a defense against attacks such as Firesheep, noted above. With social networking sites now becoming important business productivity tools for marketing and customer support, it's important to keep in mind that a hijacked Twitter session resulting from a sniffed cookie could quickly turn into a public relations headache with broader implications for your enterprise.
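The Firesheep-style hijack works because a session cookie issued without the Secure attribute is sent in the clear the moment the browser fetches any plain-HTTP page on the same site; HTTPS on every page, a Secure flag on the session cookie and an HSTS header close that gap. The header audit below is an added example for this article, not the author's code; the two response header sets are constructed to show a site before and after such a rollout, and the cookie-name hints are an assumption.

```python
# Constructed HTTP response headers, not captured from any real service.
BEFORE = """HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/
Content-Type: text/html"""

AFTER = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly
Set-Cookie: lang=en; Path=/
Content-Type: text/html"""

# Assumed substrings that usually mark a session or authentication cookie.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")

def parse_headers(raw):
    """Return (name, value) pairs, lower-cased names; Set-Cookie may repeat."""
    pairs = []
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_headers(raw):
    """Flag a missing HSTS header and session-looking cookies that lack the
    Secure attribute, i.e. cookies a sniffer could read off an HTTP request."""
    headers = parse_headers(raw)
    findings = []
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no-hsts")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        looks_like_session = any(h in cookie_name.lower() for h in SESSION_HINTS)
        if looks_like_session and "secure" not in attrs:
            findings.append("insecure-session-cookie:" + cookie_name)
    return findings

if __name__ == "__main__":
    print("before:", audit_headers(BEFORE))
    print("after: ", audit_headers(AFTER))
```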

With the appropriate precautions, particularly the use of VPNs for accessing corporate resources, there's no reason why employees shouldn’t be permitted — and encouraged — to take advantage of free, open Wi-Fi while they're on the road. The rise of the iPhone, iPad and other phones and tablets means that mobile workers are increasingly eager to get online in environments you do not control. This trend should be embraced for the productivity benefits it brings, but in a secure manner.

Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies affecting domain name registration and DNS security.