
Friday, June 6, 2014

How Not to Pay the Price for Free Wi-Fi

Part of globe-trotting nowadays is flitting from one free Wi-Fi network to the next. From hotel lobby to coffee shop to subway platform to park, each time we join a public network we put our personal information and privacy at risk. Yet few travelers are concerned enough to turn down free Wi-Fi. Rather, many of us hastily give away an email address in exchange for 15 minutes of free airport Internet access. 

So how to feed your addiction while also safeguarding your passwords and privacy? If you’re not going to abstain (and who is these days?), here are four rules for staying connected and (reasonably) safe while traveling. 


1. MAKE SURE THAT ANY SITE YOU VISIT HAS ‘HTTPS’ IN FRONT OF THE URL. Those five letters indicate that the page is encrypted, which prevents others from seeing what you’re doing. If you’re browsing the web in a Starbucks or any place with an open network and you do not see “https,” it’s possible that someone there with nefarious intentions can see the site you’re visiting and the exact pages you request on that site. 

“They can see that you’re connecting to Amazon and that you’re looking for remedial algebra books,” said Nadia Heninger, an assistant professor of computer and information science at the University of Pennsylvania. Indeed, the only part of an e-commerce site that may be encrypted is the page where you access your account information or enter your credit card number.

Sites like Gmail.com and Yahoo.com use “https” by default, but type your password into a web-based email site that does not use it and a third party could see (and steal) that password. This sort of eavesdropping is easier than you might think. There are a number of tools that allow anyone who downloads them to see all the data that flies back and forth between a browser and a web server, said Jason Hong, an associate professor at the Human Computer Interaction Institute at Carnegie Mellon University. 

Moreover, anyone can set up a Wi-Fi network for criminal purposes and give it a legitimate-sounding name. Say, for example, you’re in the Paris Métro and you join a free network that looks like an official city initiative. “You have no idea what Wi-Fi network that is,” Professor Heninger said. “It could be set up by a hacker.” And if he or she has malicious intentions, when you go to a popular site like Facebook you may actually be logging into a fake page that allows the hacker to steal your password. “It is surprisingly common,” Professor Heninger said.

But surely, using Wi-Fi at a hotel is safe, right? “That’s only marginally better,” Professor Hong said. On the bright side, he said it’s unlikely that a criminal would bother monitoring the hotel’s traffic for a few passwords because the cost-benefit is simply not there. That person would get a bigger payoff from phishing emails, Professor Hong said, in which the sender masquerades as a known source like your bank or credit card company to get sensitive information like your banking passwords.

Even so, protect your computer by ensuring that your web browsers are up-to-date. Turn on your firewall and turn off file sharing.

2. USE A VIRTUAL PRIVATE NETWORK, OR VPN. If you work for a corporation, chances are you either already have one or have a technology department that can give you one. Using a VPN essentially encrypts all your online traffic, ensuring that no one can eavesdrop. It also routes that activity through whoever owns the VPN (your employer). So if, for example, I’m in a hotel in Japan using my VPN, all of my traffic gets sent to The New York Times’s servers and is then redirected again so it appears as if it is coming from The Times rather than from a hotel room in Japan. To access the VPN, users are typically given a name and a password and often also a constantly changing set of numbers on a fob that must be entered to access the network.

Don’t have a VPN? There’s Tor, software that prevents third parties from seeing your location or the sites you visit. “It’s totally free and fairly easy to use,” said Professor Heninger, who uses Tor. The software can be downloaded at Torproject.org.

3. SIGN UP FOR TWO-STEP VERIFICATION. More and more sites — Facebook, Twitter, Yahoo, WordPress — allow users to set up their accounts so that signing in requires two ways of proving who they are. The most common method requires a password you create plus a code that is sent to you — via text message or through a special app — each time you wish to sign in.

For instance, let’s say you logged onto a fake Facebook page and hackers captured your user name and password. If that happened without two-step verification (known on Facebook as “login approvals”), the hackers could access your account when you log off. If, however, you had enabled login approvals, even though your user name and password were captured, the hackers would not be able to log into your account because they wouldn’t receive the requisite code. Now, if you’re someone who uses the same password for everything, this is where you still run into trouble. Here’s why: If your user name and password for Facebook are the same as those for another website that does not have two-step verification, hackers might figure that out and break into your other accounts. Yes, I know, you can’t keep all your passwords straight. That’s why there are password managers like 1Password and LastPass, which can create and store long, unique passwords. 
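How the scenario above plays out on the server side, as an added example that is not from the original article. It assumes the app-generated code is a time-based one-time password (RFC 6238), which the article does not specify; the account record, password and `login` function are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid (common default, assumed here)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time window containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account record; the secret is the published RFC 6238 test key.
SALT = b"constructed-salt"
ACCOUNT = {
    "password_hash": hash_password("correct horse battery", SALT),
    "totp_secret": b"12345678901234567890",
}

def login(password, code, now, used_counters, window=1):
    """True only if the password matches AND the code is current and unused."""
    supplied = hash_password(password, SALT)
    if not hmac.compare_digest(supplied, ACCOUNT["password_hash"]):
        return False
    if code is None:
        return False  # a captured password alone is not enough
    for drift in range(-window, window + 1):  # tolerate small clock skew
        t = now + drift * STEP
        if hmac.compare_digest(totp(ACCOUNT["totp_secret"], t), code):
            if t // STEP in used_counters:
                return False  # code already used once: reject the replay
            used_counters.add(t // STEP)
            return True
    return False

if __name__ == "__main__":
    seen = set()
    print(login("correct horse battery", None, 59, seen))      # password only
    print(login("correct horse battery", "287082", 59, seen))  # owner signs in
    print(login("correct horse battery", "287082", 59, seen))  # captured code replayed
```

The replay check matters for the fake-login-page case: a code typed into a phishing page is still valid for a short time, so the server should accept each code only once.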

4. BRING ONLY WHAT YOU NEED AND TURN OFF WHAT YOU’RE NOT USING. The latter goes for Wi-Fi and for Bluetooth. “It’s just another way to be compromised,” Professor Heninger said. And don’t give away your email address or download an app in exchange for free Wi-Fi.

“Think about the recipient of that information,” she said. “You have no idea who set up that Wi-Fi network,” she continued, adding “You might have just downloaded an app that will download all your contacts.”  

When it comes to travel booking and organization apps, one security concern is how much of your personal information the app is sharing, and with whom. Professor Hong said that, in general, apps that charge a fee are better because they have a revenue model. Those that do not are more likely to sell your information. He added that whether they are free or not, apps are also a potential security risk because they do not always encrypt your data when communicating to Web servers.

If you’re seriously concerned about security, Professor Heninger suggests creating a special travel email address and password. And she recommends buying a “travel laptop” that you load with only the information you need.

Indeed, Professor Hong said he would worry more about the theft of your computer than your various passwords. He cited an incident in 2000 in which the laptop of the Qualcomm chief executive at the time, Irwin Jacobs, disappeared at a conference in Irvine, Calif. “He turned his back and the laptop was gone,” Professor Hong said.

Average travelers, he continued, should be just as mindful, if not more, of having their smartphone plucked from their hand by a thief on the street. 

“Attackers usually go for the easiest thing,” he said. “Don’t ever underestimate the power of snatch and grab.” 

Source: nytimes.com 

Wednesday, June 4, 2014

Google, Facebook, Yahoo and others automatically encrypting all emails

SAN FRANCISCO: The volume of email cloaked in encryption technology is rapidly rising as Google, Yahoo, Facebook and other major internet companies try to shield their users' online communications from government spies and other snoops.

Google and other companies are now automatically encrypting all email, but that doesn't ensure confidentiality unless the recipients' email provider also adopts the technology.

In an analysis released Tuesday, Google said that about 65% of the messages sent by its Gmail users are encrypted while delivered, meaning the recipient's email provider also supports the technology. That's up from 39% in December. Incoming communiques to Gmail are less secure. Only 50% of them are encrypted while in transit, up from 27% in December.

Encryption reduces the chances that email can be read by interlopers. The technology transforms the text into coding that looks like gibberish until it arrives at its destination.

Google and other internet services rely on a form of encryption known as Transport Layer Security, or TLS. Security experts say that encryption method isn't as secure as other options. But encryption that is tougher to crack is also more complicated to use.

Gmail, with more than 425 million accounts worldwide, was one of the first free email services to embrace TLS. Yahoo, Facebook and AOL also are encrypting their email services. Microsoft, whose stable of email services includes the Outlook, MSN and Hotmail domains, has started encrypting many accounts as part of a transition that won't be completed until later this year.

Less than half of the correspondence from Hotmail accounts to Gmail wasn't encrypted as of late May, Google said. Security is even worse at Comcast.net and Verizon.net, where less than 1% of the traffic coming to and from Gmail is encrypted, according to Google.

Comcast spokesman Charlie Douglas said the internet service provider plans to start encrypting email to and from Gmail accounts within the next few weeks. Microsoft reiterated that it is still rolling out encryption in its free email services.

Verizon didn't have an immediate comment on Google's statistics.

The Google report comes a year after the first wave of media reports about the US government's intrusive techniques to monitor online communications and other internet activity. The National Security Administration says its online surveillance focused on people living outside the US as the agency tried to defuse threats of terrorism.

After lashing out at the government spying, Google and other internet companies began encrypting email and other online services in an attempt to reassure users worried about their privacy. The internet companies are hoping their efforts to thwart government surveillance will make Web surfers feel comfortable enough to continue to visit their services. The companies make more money from online ads if their audiences keep growing.

Edward Snowden, the former NSA contractor who leaked documents revealing the online espionage, is among critics who believe the encryption methods deployed by Google and its peers are inadequate. In a March appearance at a technology conference, Snowden described TLS encryption as "deeply problematic" because US government operatives merely needed to obtain a court order or hack into data centers to obtain users' emails and other information.

Like many privacy activists, Snowden prefers "end-to-end" encryption, a more complicated step that requires a key to decrypt the information contained in emails. These encrypted keys are only held by an email recipient, making it virtually impossible for an unauthorized user to know what's in the message. This form of encryption takes more technical expertise to do right and can cause more headaches if passwords are forgotten because they can't be reset. That raises the risk of the email being inaccessible even to the recipient.

Google hopes to make end-to-end encryption easier by releasing an extension for its Chrome browser later this year. The company released the coding for the planned extension to security specialists Tuesday in an effort to detect any weaknesses before making it available to everyone.

Source: TimesofIndia