Free Wi-Fi at the Café? Read this Before You Connect


By  Paul Mah | Nov 3, 2010

Fancy a utility that allows even novice users to hijack an active social-networking session with a click of the mouse? That's what Firesheep, an add-on for the Mozilla Firefox browser, does. Of course, victims must first be connected to an open wireless network for this third-party software to do its trick, which I outlined in a blog post yesterday.

SMBs must understand, however, that Firesheep was created to bring attention to the fact that practically all free or public Wi-Fi Internet connections are not encrypted. As such, it is easy for Firesheep and similar applications to intercept and recover information that users assumed was private. So what can SMBs do to ensure that employees are not putting critical business information at risk?

Don't Use Public Wi-Fi Access Points at All

I know this might sound counterintuitive, but the best solution is simply to not use public Wi-Fi access points. The exception is to use public wireless access points only via a VPN connection (more on this later). You see, the wireless nature of Wi-Fi means that it is susceptible to brute-force cracking and other tricks that could let a hacker in. While it is true that some encryption schemes and configurations are not considered breakable, the ability to differentiate between them is beyond the technical ability of the typical employee. To make matters worse, it is also relatively easy for a determined intruder or hacker to physically tamper with a public Wi-Fi access point in order to snoop on it.

Ultimately, it does not pay to disregard the amount of sensitive data that gets transmitted over an insecure network. Even in the short span of time that it takes to quickly connect and check some movie times, browser plug-ins or other software could perform a software update, which could result in personally identifiable data being leaked inadvertently. That's not all. Applications such as your IM client could also attempt a login, or the e-mail client could check for new e-mails, too. Username and password information will be compromised if this software is not already configured to use encryption.

Use a VPN

The most secure method of accessing sensitive data while on the move is to use a VPN. A VPN server can be deployed by repurposing an existing server, by purchasing new network equipment with support for this functionality, or by simply acquiring a dedicated VPN appliance. A modern operating system such as Windows Vista or Windows 7 can be configured to establish an encrypted channel to most VPN equipment on your network with relative ease in most cases.

SMBs not willing to spend any money on infrastructure can also pay a VPN service provider for access to VPN gear.  This works in cases where the number of employees who require VPN services is low or where the technical complexity of setting up and hosting a VPN server proves to be too high.  In both cases, all Internet or network-bound traffic will be automatically funneled through the protected VPN connection, making it safe from snooping.

No Access to VPN?  Some Alternatives

What if the use of a VPN is not an option? Well, one reasonable alternative for slightly more secure Internet connectivity would be to use a more "private" Internet connection such as a 3G or MiFi modem.

In addition, it is always a good idea to enable encryption in applications that support it. This could range from the use of FTP Secure (FTPS) when performing file-transfer operations to enabling SSL encryption when accessing e-mails via IMAP or POP. And, of course, always access Web sites using HTTPS where supported.
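
The advice above can be turned into a quick check of what a laptop's browser, mail and FTP clients are set to talk to. This is an added example, not part of the original article; the curl-style scheme names (`imaps`, `pop3s`, `ftps`), the `SAMPLE` endpoints and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Assumed curl-style scheme names; not taken from the article.
# cleartext scheme -> (default port, encrypted counterpart, its implicit-TLS port)
CLEARTEXT = {
    "http": (80, "https", 443),
    "ftp": (21, "ftps", 990),
    "imap": (143, "imaps", 993),
    "pop3": (110, "pop3s", 995),
}
ENCRYPTED = {secure for _, secure, _ in CLEARTEXT.values()}

# Constructed sample: endpoints a laptop's browser, mail and FTP clients might hold.
SAMPLE = [
    "https://webmail.example.com/inbox",
    "http://intranet.example.com/login",
    "imap://mail.example.com",
    "imaps://mail.example.com",
    "pop3://mail.example.com:995",
    "ftp://alice:secret@files.example.com/reports",
    "ftps://files.example.com",
    "xmpp://chat.example.com",
]

def audit_endpoint(url):
    """Classify one endpoint as 'ok', 'cleartext', 'review' or 'unknown'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ENCRYPTED:
        return "ok", f"{scheme} encrypts the session"
    if scheme not in CLEARTEXT:
        return "unknown", f"no rule for scheme '{scheme}'; check the client manually"
    default_port, secure, tls_port = CLEARTEXT[scheme]
    port = parts.port or default_port
    if port == tls_port:
        # Scheme says cleartext but the port is the TLS one: the settings disagree.
        return "review", f"{scheme} on port {port}; confirm the client really uses {secure}"
    # A client may still upgrade with STARTTLS; the URL alone cannot show that.
    detail = f"{scheme} on port {port} is readable on open Wi-Fi; switch to {secure}"
    if parts.username or parts.password:
        detail += " (URL also carries login credentials)"
    return "cleartext", detail

def audit(urls):
    """Return {url: (verdict, detail)} for every configured endpoint."""
    return {url: audit_endpoint(url) for url in urls}

def needs_attention(urls):
    """URLs that should not be used on public Wi-Fi as configured."""
    return [u for u, (verdict, _) in audit(urls).items() if verdict != "ok"]
```

Calling `needs_attention(SAMPLE)` lists the endpoints to fix or to reach only through the VPN; `audit(SAMPLE)` gives the reason for each verdict.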
