WiFi Wisdom: Watch for Wicked Wireless

A regular listener wrote in with a reference to a USA Today article warning users about the dangers of using public WiFi connections and the security dangers of such. One such concern, referred to as the "evil twin" in the report's headline -- is certainly worth repeating here.

Computer criminals can "sniff" the traffic in a cafe, or set up a fake hot spot that you might innocently log into. When that happens, watch out: Everything you type goes directly to the host computer, known as an "evil twin." In that scenario, as soon as you get into your online bank account, the evil twin is ready to grab the password.

As portable computers without WiFi connections are now in the minority, users of public hotspots are increasingly subject to attack. Here are a few of my own wireless safety tips when using public hotspots:

• Connect only to known hotspots. Look for signs in airports, hotel lobbies, coffee shops, and anywhere else you might find a hotspot. If there isn't a sign, ask a staff member, especially if your computer recognizes multiple open networks. If you run a public hotspot yourself, make this information easy to find.


• It's all in the name. Starbucks uses T-Mobile to power their hotspots. These hotspots are generally named "t-mobile". While it might sound appropriate for there to be a WiFi hotspot called "starbucks" -- that's exactly what the bad guys want you to think, it could be a trap.


• Watch for "Computer-to-Computer" connections. While only a warning sign and not an absolute guide, those networks that show up in your list of available connections as a "peer-to-peer" or "computer-to-computer" are more likely to be the data thief sipping a mocha across the room. Some computers can be set to hide computer-to-computer conections as an added safeguard.


• Increase your own security. Firewall software is essential -- most newer operating systems have it built-in. Keep your anti-virus software current by downloading the latest definition files. Finally, update your operating system to fix known vulnerabilities before they are exploited.


• Change your passwords. Sometimes using a public hotspot is unavailable (same applies to internet kiosks) -- a good tip after using a public wireless connection is to change your email password when you return to your home computer. (Changing a password on a potentially tainted computer could be a bad idea if you think about it.) Even better: Change your password at regular intervals!


• Don't access sensitive data. The best way to ensure you're being protected is to avoid accessing personal data such as banking information or email while using a public hotspot or internet kiosk. If possible, wait until you're back on your own connection or hardwired. And don't forget to look for the "s" or closed padlock indicating an encrpyted connection to the site you are accessing...


• Bring your own (secure) wireless. Many hotels are offering wireless connections in addition to ethernet jacks in guest rooms. Even when a hotel offers their own wireless signal, I prefer to make my own using a portable router such as Linksys' WTR54GS Travel Router or Apple's Airport Express. I've used and recommend both devices.

While not completely fool-proof, being cautious -- and using common sense -- will help protect you from those trying to steal your personal information for purposes of identity theft.

If you've got a tech tip you'd like to pass along, or want more information on how to keep yourself safe while surfing, email me -- tech (AT) brianwestbrook (DOT) com.

Sensitive data at Goodwill? Wipe that drive!

A recent story on KXL.com caught my eye today, one that has sadly become all-too frequent: a laptop with sensitive data is in public hands.

This latest episode of an ongoing saga involves a portable computer purchased for eight dollars from a Goodwill store in Portland, Oregon. The buyer got more than their eight bucks worth when they found a spreadsheet with medical records on the used laptop. According to the report, Goodwill generally erase hard drives before reselling computers. Apparently this one fell through the cracks.

So how can you protect yourself and your data when you pass along your computer for recycling or reuse? What should you do to keep your sensitive history from the bad guys?

Wipe that drive!

And of course (or I likely wouldn't have much to blog about ;-) ), it's easier than it sounds. Sorry folks! Simply erasing or formatting your hard drive isn't quite enough. When a hard disk drive is formatted, sure it makes the drive available for re-use and shows no files found, but a clever hacker or curious computer buyer can often dig up the digital remains.

To protect yourself, and be confident the data is gone, gone I recommend the following steps:

• Use a wipe utility that destroys the data completely -- formatting isn't enough as your files may still be hidden beneath the curtain.
  
• Remove the hard drive -- take the drive out and toss it in a shoebox, recycle it seperately, or: destroy it physically (also great agression-reduction therapy!)
  
• Send your computer to a computer recycle shop -- many of the specialists have policies and standards to wipe hard drives... ask when you drop off your old computer.
  
• A business subject to Sarbanes-Oxley controls should ensure their IT department is following appropriate handling of used hard drives.

My favorite computer recycling facility is Free Geek and they have the type of policy you should look for to ensure your hard drive is properly wiped:

At FREE GEEK, we will never boot from a hard drive before it has been wiped of data. Hard drives we are going to keep first have their partition table removed, and then are overwritten five times in the process of testing. If we are not going to reuse a hard drive, it is physically destroyed in our facility before we send it to a responsible e-waste recycler. We do not give or sell hard drives to places that do not have a similar policy. Data on donated hard drives is safe.

(freegeek.org)

I've talked about computer recycling (and Free Geek) on Portland's Morning News before, in case you missed it -- I've got an archive from my hard drive here: kxl_techexpert-recyclepc_20060724.mp3

Finally, if you're looking for tools to wipe a drive, here are a few that do the trick (Please use these tools CAREFULLY -- especially around drives with data you intend to keep, I can't be responsible for their use or misuse):

• Dariks' Boot and Nuke
  
• Kill Disk