Tips for connecting online wirelessly in a hotel/cafe setting

Use VPN to Encrypt the Network Traffic

Establish a VPN back to your home or office. The VPN will encrypt the network traffic.

If you don’t have VPN access, make sure you use SSL (HTTPS) whenever you log in to your email account, bank account, or anything else that's sensitive. Beware of ARP poisoning as well.

Also don't use applications that make use of protocols such as telnet, pop, imap, ftp, etc. These programs send data without encryption. Instead you should be using protocols with encryption such as imaps, pops, vsftp, ssh, scp.

If you want to set up a VPN server using Microsoft products, check out their articles on how to do this. If you're using Linux, you can also find several free products to set you up with a VPN.

Perhaps the easiest though is to just buy a cheap VPN router or install an IPCop box or something to that effect. It really depends on your comfort level and skill level. VPN routers are pretty painless.


Make sure your laptop is PATCHED

It goes without saying but make sure you're up to date on your operating system's updates/patches.


Don't use public computers for sensitive tasks

Avoid using public computers for anything sensitive/personal such as checking email, online banking, etc. It's not your computer, you don't know what's on it, and it's simply not secure. Enough said on that one. ;-)


Be aware that hotels and airports are prime locations for people to ARP poison you. ARP poisoning is a very trivial thing to do and most people won't even know that it's been done to you.

Some of the signs of ARP poisoning are SSL certificates that suddenly pop up asking you to 'verify' them when you haven't gotten them before. Especially with sites like Yahoo mail, etc. These websites pay for root certs already installed on your machine. There shouldn't be a 'normal' reason to have to install their certificates. Cain will attempt to glean your userid and password to these sites by issuing fake certs and getting you to accept them on your machine. Once that happens, the ARP poisoner will then have access to your logon information even though you are connected via SSL.

You can try a program like XArp (which used to be free) but I've found that it returns a lot of activity and generally gets in the way.

As an aside, most AV programs will not notify on ARP poisoning...


Know if you can trust the hotspot.

How will you be sure that the hotspot is hosted by the cafe/hotel people (even if you can trust them) and not by someone hanging around with an attack-ready laptop on one of the other counters?

The name may even be more promising than the real hotspot when you connect.
If you ever see multiple hotspots be very wary.
And, even if it's a single station, you never know if the original station has malfunctioned, been disconnected...

Some references:

  1. Does Your Wi-Fi Hotspot have an Evil Twin?
    • New devices make hotspots a hacker's paradise
    • refers to Tor encryption for security
    • not sure how much to trust that

I'd say, how much and when you use public hotspots should be dependent on the sensitivity of your communication and probably the strength of your paranoia :-)


Mostly just exercise the caution you always should:

  • Always keep your OS fully patched
  • Don't open any ports to the outside unless you have to. An nmap scan can help you find out if you have anything open you may not be aware of. Shut these services down, make them listen on localhost only, or check that they are secure (fully patched, secure passwords etc.)
  • While using the hotspot, always assume that all your traffic is logged and analyzed. I.e., only work over a securely encrypted connection, i.e. encrypted VPN, SSH, HTTPS or similar.
  • Don't disregard any warnings your encrypted connections give you (bad SSL cert etc.).

If you follow that advice (which is mostly always a good idea anyway), you should be pretty safe.

If you need to use loads of different services over the net, a VPN is probably the easiest solution. If you need just one service (a certain website, some remote login), it's probably easier to use application-level encryption, such as HTTPS or SSH.

If a service/protocol does not use encryption, an SSH tunnel can also be useful and easier to set up than a full-blown VPN.