Recently in Internet security Category
Rick Coca of the Daily News had a story on the cover today concerning an FBI warning about hackers who set up their own WiFi router with the same SSID name as the public WiFi router you wish to connect to, with the purpose being to steal vital passwords and other information during your wireless Internet session.
While the article was short and didn't go very deep into the security issues surrounding WiFi and Internet networking in general, and laptop computers in particular, users of WiFi in general and public WiFi in particular need to be aware of what they should and shouldn't do.
The article did say that it's a good idea to have your computer configured so that you CHOOSE the WiFi router to which you wish to connect, because the consequences of connecting to the wrong one could be, for lack of a better word, bad:
Once in, a hacker can steal passwords and credit-card information and install viruses, worms and other malware — malicious software — on a computer that can spread to other systems you run....
(FBI cybercrimes supervisor Bryan) Duchene recommends that Wi-Fi users change their settings so they have to manually input the Service Set Identifier (SSID) they want to log on to.
While free-access seekers spawned the "wardriving" phenomenon — Wi-Fi users drove around with GPS systems and Wi-Fi-seeking laptops, marking locations of unsecured, free Wi-Fi sites — that practice eventually piqued the interest of criminals, Duchene said.
While WiFi does increase the risk of "bad" things happening, and the lack of encryption on almost all public WiFi connections doesn't help matters, I'm pretty confident in saying that if you are entering logins, passwords and other "sensitive" information over a secure connection — one with https:// in the Web address instead of just plain http:// — you are pretty safe, even over public WiFi.
But in cases where your login or password is NOT sent via a secure, encrypted connection, or for regular Web browsing on a non-secure connection, it's quite possible that others can see what you're doing on the Internet.
That may bother you, or it may not.
But especially when it comes to e-mail, make sure you are using a secure, encrypted connection, either through a Web-browser interface, or via the settings in your e-mail client, be it Microsoft Outlook, Mozilla Thunderbird, the Apple Mail program or whatever else you're running.
The worst thing you can do is send sensitive information -- or any personal or private information -- via unencrypted e-mail over an unencrypted WiFi connection. That's just too much of a risk.
I've often said that I wish all Internet traffic — e-mail, Web browsing, file transfers, etc. — took place over secure connections. I think we're headed in that direction.
So here's my quick guide on what to do and not do over a public WiFi connection:
E-mail: Only read and send e-mail via a secure encrypted connection. That means if you're using a Web interface, make sure the ENTIRE session -- from login and password to composing and sending the e-mail and logging out -- takes place in a secure environment with the https:// in the address box.
For Gmail, you can choose a secure connection with https://gmail.com ... BUT the last time I read about it, your Google login and password are stored as a cookie on your computer for easy access, and it can be easily stolen over a public WiFi connection.
For Yahoo! Mail, your login and password are entered in a secure environment, but the rest of your e-mail session is unencrypted, so don't use Yahoo! Mail over a public WiFi connection.
If you have an office-provided e-mail service via a Web browser, look for the https:// instead of http:// and ask your system administrator about whether your connection is secure the whole way through.
If you use an e-mail client like Outlook or Thunderbird, make sure your e-mail server allows secure connections -- and make sure your client software is set up properly to use it.
There are e-mail services that offer more security. For the extremely paranoid, there's HushMail, but my favorite is Fastmail.fm. Just make sure you use the secure version. I'll also put in a plug for my ISP, DSL Extreme, which offers Web-accessible e-mail in a completely secure session.
Antivirus, antispyware, firewall protection: Whatever you do, and especially if you're using Microsoft Windows, make sure you have up-to-date antivirus and firewall programs. This excellent though aging Washington Post page has links to many vendors of these programs, some of which are available free. For the PC, I prefer Avast. Avast also runs on Linux, although with that operating system you're only likely to pass along a virus, because almost all malicious code is aimed at Windows computers, which are much easier targets.
Web: For Web browsing, if you are on an unsecured connection, it's easy for snoops to figure out the URLs of the Web pages you're visiting. And from there those snoops can see what's on those pages, too.
While it's not conducive to privacy, this might not be a problem, depending on where you're browsing.
But ... if you're entering any logins, passwords or other sensitive information, make sure you're on a secure connection before beginning. AND make sure your computer is NOT set up for file sharing.
To be more clear, if your computer is free of malicious software -- key-loggers that record every keystroke, spyware, etc. -- an encrypted connection should give you enough security over WiFi.
IM is a problem: Most instant-messaging traffic is unencrypted, so don't IM anything you don't want others to potentially see. The last time I checked, Yahoo! Instant Messenger, AOL's AIM and Microsoft's MSN Messenger are all unencrypted.
And do yourself a favor: NEVER, EVER, EVER NEVER, install any kind of software from an untrusted source, over WiFi or a wired Internet connection. That's when the bad stuff happens -- when malicious software makes its way onto your computer. It's easier by orders of magnitude to attack from the inside than from the outside.
WiFi at home and work: Wireless routers that you control at your home or workplace can be set up for encrypted connections only. Don't use WEP encryption because it can be easily cracked. Instead, use WPA or WPA2, which are much, much more secure and robust.
And like it says in the Daily News article, make sure you change the SSID name of your router to something other than the default (usually something like Linksys, Netgear, or the name of whatever company made the router), and also make sure you have your computers set to only connect with YOUR router.
For more on this subject, here are a few links:
A Wired article, seen via BoingBoing, makes an argument for running your wireless router completely open and unencrypted.
Bruce Schneier's argument takes into account security, potential violations of law and ISP policies, as well as the social benefit of both providing free WiFi and using it yourself when needed.
He does emphasize that keeping good security on your computer itself is important, and that the benefits of an open network outweigh the risks:
Whenever I talk or write about my own security setup, the one thing that surprises people -- and attracts the most criticism -- is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet.
To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous.
...
Security is always a trade-off. I know people who rarely lock their front door, who drive in the rain (and, while using a cellphone) and who talk to strangers. In my opinion, securing my wireless network isn't worth it. And I appreciate everyone else who keeps an open wireless network, including all the coffee shops, bars and libraries I have visited in the past, the Dayton International Airport where I started writing this and the Four Points Sheraton where I finished. You all make the world a better place.
What I'd like to know is what security precautions he is taking to protect his machines on the open network.
I'm far from an expert in this department, and the one guy I do trust in this realm -- George Ou -- thinks WPA encryption is the only way to go. Read some good articles by Mr. Ou:
How to protect your online privacy
A secure Wireless LAN hotspot for anonymous users
We currently have comments on most of the Daily News blogs set to accept both "anonymous" comments -- meaning from just about anybody -- as well as Typekey-authenticated comments. And we haven't yet made the move to Movable Type-authenticated comments (see -- you have a lot of choices in MT 4 ... and while confusing, it's nice to have options), but that's where it's going, I'm told.
I was about to turn off anonymous comments, but then I got a sweet Distrowatch link about a week ago, bringing quadruple to quintuple the usual traffic, and I didn't want to shut potential commenters out.
I realize that many people might not want to sign up with Typekey, and entering a comment while logged into the Typekey system is confusing (the name, e-mail address and URL boxes remain after you're logged in, but they SHOULDN'T BE filled out), and I'm pretty much waiting for the Web-biggies here to get the Movable Type login comments working.
So I decided to try adjusting the spam filter once again. Under Preferences -- Blog Settings, click on Spam, and see what your spam filter is set at. All of ours default to 0. I started with +4, but that caught too many legitimate comments, and I finally settled on +3. That flags most of the spam as spam, which I have set to delete when it gets 5 days old. That way I can quickly scan the spam to see if any legitimate entries got caught in the filter. But I don't have to do anything to the 99.99 percent of spam comments that I don't want on the system -- they just go away when they reach the age of 5 days.
So far, the only spam to get through has been these weird Obama entries that don't have a URL embedded in the comment (unlike 99.999 percent of the other spam). I suppose that the only problem is that "real" commenters who include URLs of any kind in their comments might not make it past the filter, but that's why I quickly scan the spam (Under Manage -- Comments, click on Spam Comments on the right side of the screen to see them -- and make sure you have your "view" set up for 100 rows with "action" buttons enabled on top and bottom, so you can restore/delete at the top or bottom of the long list).
And anybody who absolutely, positively must put URLs in their comment can sign up with Typekey and leave an "authenticated" comment. Right now, those go right through (though that parameter is also modifiable in MT 4).
I no longer spend a considerable chunk of time marking comments in "nonspam comments" as the spam they truly are. The easy change in spam-filter from 0 to +3 has taken care of it for me.
I think we're getting to that point. We all worry about accessing e-mail over Web portals (or via POP and IMAP servers) that are not encrypted and secure. Or we should be.
And using the Seamonkey browser in Puppy 3.01, I'm constantly being warned about information being exchanged that's not secure.
I appreciate the warning. I even started using my DSL Extreme mail account more often because not only is the Web-portal login secure, but the whole session is as well. And I also have encryption turned on when I access the mail server via IMAP.
And most people won't think of entering personal and financial information when banking or buying stuff online unless they see the "https://" before the address.
So why are we doing so much other stuff without the "s"?
I don't know what the particulars are, but I think we're at the point with the Internet where every single damn thing ought to be encrypted and secure.




