Gordon Hamachi, a software developer who lives in Mountain View, Calif., just started using the new free wireless computer network that Google has launched to cover the entire city.
Hamachi, 51, said he is concerned about security when he uses the free network because he knows there is a chance intruders could access unprotected data on a public network. But he is more worried about people like his neighbors, who are not computer savvy.
"There are wireless risks and there are Internet risks," Hamachi said. "I'll have to train them about being safe on the Internet. It's the equivalent of don't talk to strangers if you are a kid."
Free wireless computer networks are becoming widely available in Silicon Valley and elsewhere across the country. That means a host of newbies are joining the wild world of wireless computing. But it is a world fraught with more risk than wired computing, and many new users may not be aware of the potential for others to steal sensitive data. Nor are they taking precautions to secure their computers.
"A healthy dose of paranoia is helpful," said Sherman Hall, a task force agent with the Atherton Police Department, and a former information technology manager. "Assume others are monitoring your traffic."
What has raised Hamachi concern is that soon Silicon Valley and the Bay Area will be blanketed with wireless networks some of them overlapping:
- Last month, Google introduced its free Google Wi-Fi service to Mountain View, giving residents and employees free access to the Internet throughout the city that is home to the Googleplex.
- Sometime next year, another, even larger free wireless network sponsored by the nonprofit Joint Venture: Silicon Valley Network, should be up and running. Wireless Silicon Valley will span 36 towns and cities, from Santa Cruz to Millbrae.
- San Francisco is working with Google and Earthlink on a citywide wireless network, and San Jose has had free Wi-Fi in certain areas of downtown for two years.
There are dangers. In an extreme example, two of three cybercriminals were sentenced to prison in 2004 for stealing customer credit card data, which they accessed from an unsecured wireless network belonging to the Lowe's hardware store chain in the Detroit area.
While the Lowe's case is a rare one, it shows the vulnerability of wireless networks. Industry executives and security experts said the growing number of new users of Wi-Fi networks need to be aware of the potential for problems and protect themselves online -- even more so on free networks provided by a city or another entity.
When consumers use a wireless connection, they are literally sending and receiving data via the air waves, just like cell phones, TVs and radios. The data goes from a wireless access card in your computer, which translates the data into radio signals, and is then received by an access point. A wireless router in the access point then translates the data back into its original digital form and sends it to the Internet. So unless your data is scrambled or encrypted, it can be preyed upon by intruders as it is sent from your computer to the access point, and then over the Internet.
"When it's on its way, anyone can eavesdrop on that data," said Stu Elefant, a senior product manager for new initiatives at McAfee, the security software company in Santa Clara.
Typically, employees access their company's wireless network through a virtual private network, which scrambles the data and acts as a tunnel to secure the communication. Home networks, too, offer encryption options, but many home users don't bother to turn them on, or they want to share their Internet access with others.
Break-ins can occur in a variety of ways. Intruders can sniff out unprotected data as it crosses the airwaves, or they can access files on a computer connected to an unsecure network. This is typically done by piggybacking onto someone's network. Piggybacking, while seemingly harmless, happens when a neighbor uses the wireless network of another neighbor, often done because it's free and easy rather than because anyone's trying to pry or steal data.
Earlier this year, however, a man in Illinois was charged and fined $250 for remotely accessing another computer network without the owner's approval. Intruders can come into an open network and access files or data if the network or the computer are unprotected.
According to a study last year by the National Cyber Security Alliance, a group of security software and networking companies, nearly half of home wireless users failed to encrypt their connections.
But consumers can take a few steps to protect both their computer and their data when roving into free Wi-Fi networks.
Google, for example, offers customers its own virtual private network, or VPN, software for free download. Chris Sacca, head of special initiatives at Google, said VPNs are the most secure option. The most common wireless encryption standard, Wired Equivalent Privacy, has been broken into.
"Those traditional methods are not secure, they can be hacked," Sacca said. "Rather than lead people down a path of false sense of security ... we can offer the highest protection available."
Google also recommends other VPN options such as JiWire, which charges $24.95 a year for its HotSpot Helper. JiWire and others includes tech support, not available from Google, an option non-techie users may want to consider if they plan to go the VPN route.
Other security measures include installing personal firewall software on a PC or laptop, available from virus software companies like McAfee and Symantec, and anti-virus software, to detect intruders on a network.
One easy solution for consumers who may have a hard time dealing with VPN software is to practice safe behavior while on a public Internet connection by not sending e-mail with passwords or account numbers. Anyone who wants to do banking or buy something online should do so only at Web sites protected by a secure socket layer (SSL). This means the communication with that particular Web site is encrypted. A Web site is an SSL site if there is an icon representing a padlock in the lower right hand corner of the browser. There is also a notice that the browser is going to a secure Web connection.
"If you are connecting through SSL, you are reasonably safe," said Brian Hernacki, an architect at Symantec's research labs in Cupertino.
Hernacki was returning from New York, where he talked with many users, including one woman who had thought that, because she downloaded the security feature offered in one Wi-Fi network, it was automatically in use. She didn't know she had to install the software after downloading it.
"It's educational to get outside Silicon Valley," he said. "People have a different understanding of security."
------
What Users Need Know About Municipal Wi-Fi Securely
1. Protect your computer or mobile device
Install Internet security software that includes anti-virus, local firewall and intrusion protection, configured for a hostile environment.
2. Know your municipal network ID
When connecting through any log-in page, users should verify that the site is operated by the organization they expect.
3. Use a unique username and password
Users should create a unique username and password to set up any municipal Wi-Fi access. Don't use a password that is even close to other usernames and passwords for other accounts.
4. Don't send confidential information unless Web site has padlock icon
Avoid using confidential information (Social Security numbers, bank account passwords) when using municipal Wi-Fi, unless using a secure SSL Web site, noted by padlock, or an encrypted connection.
5. If possible, use a virtual private network (VPN)
A VPN provides good protection. Google offers a VPN and Wireless Silicon Valley plans to ask its vendor to provide a free VPN. May be hard for non-expert users to install. Free VPNs offer no tech support.
Source: Symantec, Mercury News research
WI-FI Glossary For Users
Wi-Fi: Term used to describe wireless networking using the 802.11 standard.
WEP: Wired Equivalency Privacy. Original Wi-Fi encryption standard. Not as secure as other encryption.
WPA, WPA2: Wi-Fi Protected Access. Security standard to replace WEP. WPA2 is more enhanced.
VPN: Virtual Private Network. Encryption software and service creating a secure tunnel for network computing.
SSL: Secure Socket Layer. Encrypts exchange of data between a user's browser and a Web server.
Piggybacking: Unauthorized tapping into someone else's wireless Internet connection.
Wardriving: Driving around with a laptop equipped with an antenna to find unsecured wireless networks.
------
(c) 2006, San Jose Mercury News. Distributed by McClatchy-Tribune Information Services via Newscom. Photo
