Table of Contents

Convenient or Invasive - The Information Age

Acknowledgements

Preface

I. PERSONAL INFORMATION PRIVACY

1. Campus Invasion: Security Breaches and Their Trends in Universities across the U.S.

2. Is Banking Online a Safe Alternative to the Old Fashioned Paper and Pen

3. FICO Scores: Uses and Misuses

4. Privacy Issues Pertaining to Gender Identity and Sexual Orientation


5. Politicians and Privacy

II. CONSUMER PRIVACY

6. International Privacy and Travel

7. Biometrics: Does Convenience Outweigh Privacy?

8. Advertising and Technology: How Advertisers Are Trying to get Into Your Head

9. Paypal’s Phishing Dilemma

10. Are Marketers Crossing the Line with Online Tracking?

III. SOCIAL NETWORKS AND PRIVACY

11. Can Your Friends Make or Break You?  The Analysis of How Friends Portray Each Other

12. Social Networking Privacy and Its Affects on Employment Opportunities

13. Privacy and Online Dating



14. How does Cyworld and Personal Networking Communities effect people’s communication and relationships?

IV. CORPORATE PRIVACY

15. Email Regulation of Employers and Implications on the Workplace

16. Celebrity CEOs and Privacy Issues

17. A Balancing Act: Privacy, Regulation, and Innovation in Hedge Funds

IV. EMERGENCY TECHNOLOGY AND PRIVACY IMPLIMICATIONS

18. Wireless Location Tracking



19. The Evolution of Global Positioning Systems



20. Consequences of Camera Phones in Today’s Society



» 21. Risky Business at Wireless Hot Spots



22. Citywide Wireless: Process, Implementation, Execution and Privacy

 


Download Entire Book [PDF]

Download Entire Book [Word]



Ethica Publishing


Leeds School of Business
UCB 419
Boulder, CO 80309-0419

303.735.6448

Kai.Larsen@Colorado.edu


21


Risky Business at Wireless Hot Spots

Travis Rabii and Kim Ward


» Download PDF

Introduction

It has been a long week and the prospect of tucking yourself into bed has never seemed so inviting.  You head up the stairs and notice your front door is not only unlocked, but propped open for anyone who happens to walk down your busy street; however, you continue on to bed instead of locking it up to keep safe.  You are inviting anyone off the street to waltz right in and make themselves comfortable with the personal items in your private space.  That is essentially what you are doing when you log on to any free wireless network.  You are leaving your computer’s front door unlocked and wide open. 

The United States currently has the largest number of wireless networks offering free Internet access to a growing number of users.  These free access points are becoming more readily available with each passing day.  While a year ago it was common for public and private institutions and libraries to have networks set up for users, now businesses are capitalizing on the growing technological needs and desires of their typical consumer.  Now more than ever, cafes, coffee shops, airports and even many restaurants offer free wireless to customers. Vice president for Gartner, a marketing research company, Ken Dulaney predicts “100,000 hotspots within the next five years” will become available (Vaughan-Nichols 17).
Businesses are offering this incentive to customers, because free Wireless networks, also known as hot spots, are inexpensive to implement, and therefore, have become the ideal way to deliver wireless Internet access. Wireless networks have several advantages over wired networks. First, hotspots are substantially less expensive.  Second, the hotspot user has the ability to move around without having to worry about maintaining a connection. This is especially beneficial to business employees on the road. For business use, the ability to roam reduces operational costs while increasing employee productivity.  Lastly, hotspots cover a much larger physical area (Gruteser 11).   But with all this ease and luxury comes risk.

Wireless networks are substantially riskier then wired networks. Wirelessworks operate like wired networks by using both access points and a mobile host. But unlike wired networks, Wireless networks send information via radio signals through a shared channel. Because the information is being sent through radio waves, other hosts can easily gather data being transmitted (Aura 6).  This can be problematic when a victim is located in the vicinity of a hospital, law firm, or business, and the information being sent is data on patients or clients.  By purchasing inexpensive hardware, a hacker can install an access point and access data that is transmitted on the frequency. 
Public concern over privacy issues is steadily growing as more individuals become victims of identity theft.  Internet users have expressed concerns for their privacy. ”For example, according to one survey 94% of web user have denied a request for personal information and 40% have provided fake data” (Gruteser 12).  Two forms of exposure are of biggest concern to users.  First, users do not want to reveal names on anything which would allow someone to have a unique identification of the user. Second, users do not want personal information like salary, job title, age, sex, address, religious views, or political affiliation given to others (Aura 2).
The danger is not necessarily in the networks themselves, but rather in the individuals who use them to plant viruses and spy-ware or steal information.  This leaves the question: Of what toll is this seemingly convenient and free service taking on consumers’ privacy and the health of their computers?

Who?

 

The risks of free Wireless affect many different people even if they are not directly connected to a network.  One example is the business owner whose reputation could be harmed if a customer’s computer security was breached at their place of business.  These proprietors are trying to provide the service as an incentive to visiting their shops, not to expose their customers to danger.  Another group of victims could be the users of a computer who are unaware that the security of a pc had been compromised while at a free Wireless spot.  For example, take the family that shares a laptop.  If the mother is not aware her son had used free wireless at a coffee shop on the way home from school, where the computer has been implanted with spy-ware, why would she be concerned with accessing the family’s bank accounts from the safety of their home?  Another rising danger is business’ users who work with trade secrets.  If an employee unknowingly logs on to a peer-to-peer network, everything that is not properly protected on their computer is in danger of being stolen.  That could include their employers’ private data on recent deals, new products and strategies. 
The need for wireless Internet access has also been seen by hospitals and clinics.  Doctors can send information on a patient to the desired locations with amazing speed.   If a wireless network is set up at a local hospital, then ideally, the radio signal would only be accessible to recipients within the building.  However, radio signals can “leak” outside the building, thus allowing external hackers to use radio waves to receive the information being sent (NIST 6).
Naturally one would think the risks of free Wireless would cease when the user disconnects from the network, but unfortunately that is not the case.  Once spy-ware is implanted on a computer, it is sometimes difficult to fully remove unless the user reformats the hard drive.  Also, Peer-to-Peer networks do not disconnect completely; all the hacker has to do is get in a range close enough to another computer to link back up and have full access to documents.  Anytime a user logs on to an illegitimate network, they can be affected by wireless risks.  

What are the Risks Associated with Hot-Spots?

 

Despite the constant warnings relating to privacy issues, consumers easily forget the risks when they feel comfortable and secure at their local coffee shop.  What people tend to overlook is who is sitting two tables away and what information that potential hacker can retrieve when they share the same network. 

Four Types of Attacks on Wireless Networks
Wireless networks are vulnerable to four common types of attacks: jamming, active, passive, and man-in-the middle.  Jamming attacks are when RF frequencies interfere with the operation of a wireless network. Jamming is a type of a Denial of Service (DoS) attack.  It disables the use of the wireless network, usually due to another type of device that operates on the same Radio Frequency as the wireless network.  This is not a large threat to wireless users, because while the attacker has to invest a lot of work into the attack, the damage is only a few minutes of lost communication. 
There are two other types of interrelated attacks to be aware of in the computing world known as passive and active. Passive attacks are difficult to detect and occur frequently. They are not necessarily malicious in nature so they are not a large focus when it comes to security. However, passive attacks are important to mention because they are what allow active attacks.  An active attack can range from unauthorized access, spoofing, Denial of Service (DoS), flooding, introduction of mal-ware, and/or theft of devices (Shimonski).  In extreme cases, a hacker may use the information gathered in order to inflict physical harm to an individual.
One of the scariest types of attacks is known as a man-in the middle attack.  With this attack, a hacker sets up an “ad-hoc” or “P2P” network outside the legitimate network. Ad hoc networks are set up within a larger framework, such as an airport, to lure users to connect to the internet.  Because they are an alternative to the “infrastructure network,” they are generally unprotected.  Essentially, the hacker allows users to access the Internet through their computer, therefore, all of the user’s information is available to them. Authentium, Inc. conducted a 3 day research study on ad hoc networks at the Chicago O’Hare Airport. The study “found more than 20 ad hoc networks each time, with 80% of them advertising free Wireless access.” The company also found that many of the networks were displaying fake of misleading MAC addresses, a clear sign that they were
“bent on mischief” (Gralla). 
If a computer is configured to allow file-sharing, the hacker can access all of the files and data and also plant mal-ware on the computer. This is possible because even if a user is in a trustworthy place, this “Free Wireless” may pop up and appear to be a legitimate Internet source.  These “men-in-the-middle” are able to breach user’s security
with as little as two pieces of knowledge about the wireless network.  All they need is Server Set ID (SSID) and the rogue access point (AP).   They use this information to set up an unauthorized access point.  As wireless networks become common place, users are adjusting to logging on to a free network without authenticating or proper security checks.  Because these hackers are not protected, any risks they expose
themselves to can then be transmitted to the victim.  

Why are People Willing to Expose Themselves?

 

The most common reason people expose themselves to free wireless risks is a lack of knowledge.  Especially when in a trusted environment, security issues are not the first priority to many people.  Also, businesses that might experience a high number of hackers would not be inclined to warn users because that might lead to a decline in business.  Despite the constant warnings about privacy issues and identity theft, operating under the “It will never happen to me” notion allows users to connect and ignore the risks.  Lastly, the convenience of being able to access email, account information, or even entertainment aspects of the Internet for free while outside the home weighs heavily on the benefit side.  This is especially true when on the surface the cost to the consumer appears to be nothing, at least in the monetary aspect. 

How do Attackers Operate?

During their time on the internet, a user of a wireless network frequently sends and receives data via radio waves.  This data can be easily obtained by anyone with an access point, because it is being sent through radio waves. When data is obtained by attackers, it is analyzed to determine the approximate location of a Wireless user. Information on this location can be discovered in each layer of the network stack (Marco 14). Information like IP addresses does not give real world names of users or other personal information. However, it can be used to identify such things as MAC address or the Mobile home address.  Also, IP addresses are set up to lead to a specific geographical location, like a university campus.  This however is not applicable when firewalls and proxies are implemented. Access points at the physical and link layer can reveal the approximate location of a transmitter.  Packets must be within a 50 to 100 meter range to be received by a transmitter.  The Domain Name System (DNS) for routers usually includes broad location information like the names of cities. This means trace route based approaches can locate the proximity of a user’s location (Gruteser 16). 
The wireless network operators are the individuals assigned to maintain base stations of wireless networks.  When acting as a router, they have access to “physical layer information” of packages sent through the router.  Even when the package is intended for a different location, the operators may have the ability to eavesdrop on the
information (Gruteser15).  These risks are usually not relevant when the user and provider are bound by contractual agreements.  But when the provider of a wireless network is unknown to the other party, such risks exist. Network layer and application layer information can only be obtained by parties within close proximity to a transmitter.  This means this information can only be observed by a small number of network operators. One may draw the conclusion that these risks can be ignored because it pertains to a small population.  But this risk increases dramatically when access points are densely populated like they are in major cities (Grutuser 17). 

Ways to Protect
 
        The first line of defense for Wireless users is an understanding of the risks associated with using a wireless provider. Users must understand that a privacy policy does not protect from having private information taken. Individuals within the service providing company can potentially obtain information the user would not want them to have (Grutuser 21). 
Virtual Private Network (VPN) software allows for the messages being sent to be encrypted. Encryption means putting the communication between the two parties in code. By encrypting the communication, it becomes much more difficult for a hacker to eavesdrop. The University of Colorado at Boulder’s ITS department offers free VPN software to all students and can be used even when a student is not on campus (http://www.colorado.edu/its/security/
awarness/wireless).
Other encryption software, such as Wired Equivalent Privacy (WEP) and Wireless Protected Access (WPA), will also provide extra security. Even when encryption measures are being used, it is still recommended to use the latest in spy-ware and anti-virus software and implement firewalls. Another method of protection is to avoid sending messages which include sensitive information like social security numbers or bank account information unless using a VPN or Secure Socket Layer (SSL).  The less time spent on a network, the less chance a user has of becoming a victim of a wireless hacker. Therefore, turning off the network router when it is not in use adds an additional layer of security. By setting up who is allowed to access a particular computer, a user increases privacy protection.  MAC addresses are unique to each computer, so a user’s computer will recognize frequent addresses and only allow those permitted. However, hackers have the potential to fake MAC addresses, so further security may be needed
(http://www.colorado.edu/its/security/awarness/wireless/).
Different location sensing technologies range in their resolution. The more resolution this technology has, the more information is given on an individual’s location. Therefore, having location sensing technology with a lower resolution will lead to less
information on the location of a user (Gruteser 14).  Proxy servers are intended to improve the performance of a computer’s varied operations like access to the internet. They also provide some form of security to the user by hiding the user in a larger population.  When the user is hidden in a large population, it is nearly impossible to locate and identify the user.  Proxy servers also act as a means of security to the user, because a proxy hides the mobile nodes connected to a wireless network (Aura 7).

Research Methods

        In this chapter, in order to research the vulnerabilities Wireless spots create, a variety of methods were used.  First, it was essential to assess how aware wireless users were of some of the risks and whether or not they would be willing to prevent such risks.  In order to measure this, a survey was conducted with wireless users ranging from ages 19-65.  The survey was conducted via a web-based survey on SurveyMonkey.com.  Next, the authors tried to find out why Boulder business owners offered these networks and if they knew about the risks.  To do this, two Boulder businesses were surveyed who offer non-password protected wireless internet. Phillip Logue of the Brewing Market on Baseline and Broadway and Paul Cattin of Pekoe Sip House in North Boulder were both willing to speak on providing free wireless access.    To learn the logistics of wireless networks and how hackers can infiltrate, numerous academic and technological articles were used.  A personal interview was also conducted with Dr. Marco Gruteser, a former Ph.D. student from CU who focused on Wireless Location Privacy protection.  The technology behind wireless networks was also studied.

Interviews with Proprietors that offer Free Wireless

Philip Louge of Brewing Market was completely aware of the security implications of a wireless network, but was hopeful that his customers and users of the network were as educated on security as he was.  He also hoped the users were just accessing sites such as “Google” for school research and not personal accounts. When asked if he offered the wireless to draw in business, his initial answer was “yes” and that he wanted to serve the student population to the best of his ability.  He said, “When our network goes down, so does our line.”  Paul Cattin of Pekoe Sip House expressed the same thoughts.  He provided free internet, because he believes wireless is becoming available everywhere and it is a necessary option for customers to use in order to keep a competitive advantage.   
These are prime examples of proprietors who are trying to keep customers happy.  Lucky for them, thus far their networks have operated without security breaches.  Hopefully, both of them will never have to experience any security breaches while their shops are in operation. 

Survey Results

 

The survey conducted included 55 responses.  The responses came from an age range of 18-50+.  Fifty percent were ages 18-24 and 39% of respondents were 50+. The survey aimed to gauge respondent knowledge of wireless risks and to examine their familiarity with terms that are red-flags of danger.  After preliminary knowledge and awareness questions, interest in protective software was measured. 
Of the 55 surveyed, everyone used Internet for at least a half an hour per day.  The majority, 55.6%, answered that they spent five plus hours online and the other large fraction, 22.2%, spent one to three hours.  On average, of these hours only .81 were spent at free wireless hot spots.  Only 42% spent any time at all at free wireless spots.  A surprising finding was that respondent decisions were not affected by the price of the wireless access.  When asked if they felt more secure if they had to pay a fee for the wireless access 33% respondents replied yes, 37% replied no, and 29% were undecided.  That could be seen as a good sign for Internet knowledge across the board if people are concerned even when they are paying for wireless internet.
Importantly, seven out of 51 answered yes to accessing personal data at free wireless spots.  That means over 13% of the sample log into personal accounts while on these possibly dangerous networks.  Below is a chart depicting how secure people believe wireless networks to be.  A score of one indicated feeling completely secure accessing all personal information while a score of 10 indicated not even feeling comfortable using the connection. 

It is impressive and a good sign that the majority of people that answered this question were wary of free wireless networks.  Also, when asked if they had ever been victims of identity theft or thought they could be, 66.7% replied yes demonstrating their awareness of security dangers.  The most worrisome result discovered was the lack of knowledge of what peer-to-peer (P2P) networks or ad-hoc networks were.   Of 54 people that answered the question, 30 were unaware of the meaning of these networks.  That means that 55% of people would not even recognize the difference in connecting to a P2P network rather than an infrastructure one. 
Research also sought to identify if people would be interested in software that would protect them and what attributes were important in the software.  The first aspect was cost.  Considering the research related to “free” Wireless networks, it is fitting that 41% would only use the software if it was free of cost.  Only 3.8% were willing to pay more than $75.00 for the software. 
Next, respondents were asked how important four specific characteristics were to using such software.  The results are below:

 

Very Important

Important

Somewhat Important

Not
Important

Response Total

Affordability

51% (25)

35% (17)

12% (6)

2% (1)

49

Trial ability

 

37% (18)

31% (15)

18% (9)

14% (7)

49

Image

12% (6)

22% (11)

31% (15)

35% (17)

49

Relative Advantage

44% (22)

40% (20)

12% (6)

4% (2)

50


Once again, affordability is the main concern of respondents and relative advantage over other products.  Thus, in order to impact the market, software designers and sellers need to make an affordable product that has a sufficient trial period and proves its advantages to the user.  Looking back to cost analysis, 35.8% said they were willing to pay $10.00-$30.00 for software that would protect them. 

Conclusion

 

        After research into the increasing popularity of free wireless hot spots and the risks that come along with them, the most sensible solution is to educate not only the users, but also the business owners that are offering these networks.  Awareness is increasing as security issues become more prevalent in society.   It is important to encourage business owners to warn users of privacy threats or possibly have a disclaimer page when they log on to the free network.  Although users may be turned off at first by seeing a warning page, they will realize it is to benefit their personal security.  As wireless technology develops, new threats will materialize, but keeping consumers aware and educated is the most effective way to keep free wireless networks a viable place to access the internet.  

Works Cited

 

Galla, Preston. "Dont Fall Victim to the "Fee WiFi Scam." Computer World (2007). 08 Feb. 2007. 

Gruteser, Marco, and Dirk Grunwald. "A Methological Assessment of Locatio NPrivacy Risks in Wireless Hotspot Network." University of Colorado Science Department:  12. 08 Feb. 2007. 

Gruteser, Marco, Bill Schilit,  and Jason Hong. "Wireless Location and Privacy Protection." Invisible Technology. 08 Feb. 2007. 

Shimonski Robert. “Wireless security”. Microsoft Security (2004). 20 Jul. 2004
Vaughan-Nichols, Steven J. "The Challenges of WiFi Roaming." Technology News:  1-3. 08 Feb. 2007.  "Wireless LAN Security." Symantec (2004). 09 Feb. 2007. 

 


Back to Top