Do consider the public hotspot threat
Public Wi-Fi is often treated casually and resellers must work to keep deployments secure, says Jim Lehane
Troels Oerting, head of the European cybercrime centre at Europol, has reportedly warned people not to send personal data across networks they cannot trust, citing an increase in the use of Wi-Fi to steal information, identities, passwords and money.
The number of public hotspots is continuing to increase, as is the number of Wi-Fi-enabled devices, which are being used at monumental rates by a new breed of device-inseparable consumer. This is encouraging businesses to offer free connectivity – while users expect to connect on the move at the same lightning speed they get at home.
Unfortunately, public Wi-Fi hotspots have become a hunting ground for opportunistic drive-by hackers, targeting web surfers in a casual setting who may be more relaxed about security. The most common technique is frighteningly simple: recording user data.
Using a network sniffer, a hacker can observe and record unencrypted passwords, credit card numbers and the like. They can also go a step further to intercept an unsuspecting user's traffic; other techniques include injecting a fake Address Resolution Protocol (ARP spoofing) message into the LAN or creating a rogue access point with the same SSID as the genuine network. Both allow an attacker to appear as if they are the actual website the user is trying to visit.
Without doubt, there are big opportunities for the channel looking to sell to the public Wi-Fi market. People may be more confident about investing in the technology than a year ago. The greatest growth in traffic demand this year is expected from stadiums and events, shopping centres, wide outdoor hot zones and urban plazas.
Strong security features are a prerequisite. No business wants to lose trade because a security lapse has allowed a virtual pickpocket to hang out with its customers. Also, there are legal obligations on providers of hotspots – meaning technologies should be chosen that enable businesses to comply with even the most stringent regulations.
Under the Data Protection act, the European Directive for Data Retention Regulations 2009, the Anti-Terrorism, Crime and Security Act code of practice, the Regulation of Investigatory Powers Act 2000, and the Digital Economy Act 2010, venues must hold data and log all URLs visited as well as filter content and notify users on receiving reports of copyright infringement.
Look beyond traditional approaches such as issuing hotspot customers with a key code on a receipt. These may be deemed too cumbersome by customers who expect to connect quickly. Client isolation is a feature that offers good protection. It prevents two wireless users communicating with each other and stops attempts at a man-in-the-middle attack using ARP spoofing or poisoning.
Wireless intrusion prevention systems (WIPS) are also critical. These systems should scan their environment in real time and take pre-emptive action to trigger alarms and detect and contain rogue APs.
Take advantage of market opportunities by partnering distributors with the technical knowhow and expertise in design, deployment and support. In a complex information security landscape, a distie with constantly updated knowledge of the entire arena from information governance to security management can prove valuable.
Jim Lehane is director and head of technology at Espion