| As Los Angeles and hundreds of other communities | | | | the firewall is no longer in place. That means the |
| push to turn themselves into massive wireless | | | | computer is unprotected. Once hackers have "got a |
| hotspots, unsuspecting Internet users are stumbling | | | | toehold in a network, it's pretty much game over," |
| onto hacker turf, giving computer thieves nearly | | | | Bickers said. |
| effortless access to their laptops and private | | | | Most laptops are configured to search for open |
| information, authorities and high-tech security experts | | | | wireless points and common wireless names, whether |
| say. | | | | or not the user is trying to get online. That leaves |
| It's an invasion with a twist: People who think they are | | | | people open to hacking. |
| signing on to the Internet through a wireless hotspot | | | | In two new attacks, called "evil twin" and "man in the |
| might actually be connecting to a look-alike network, | | | | middle," hackers create Wi-Fi access points titled |
| created by a malicious user who can steal sensitive | | | | whatever they like, such as "Free Airport Wireless" or |
| information, said Geoff Bickers, a special agent for the | | | | an established, commercial name. |
| FBI's Los Angeles cyber squad. | | | | In the "evil twin" attack, the user turns on a laptop, |
| It is not clear how many people have been victimized, | | | | which may automatically try to connect. When it does, |
| and few suspects have been charged with Wi-Fi | | | | it is connecting to a fake access point, or "evil twin," |
| hacking. But Bickers said that over the last couple of | | | | and the hacker gets into personal files, steals |
| years, these hacking techniques have become | | | | passwords or plants a virus. |
| increasingly common, and are often undetectable. The | | | | The hacker can become a "man in the middle" when |
| risk is especially high at cafes, hotels and airports, busy | | | | he funnels the user's Internet connection through this |
| places with heavy turnover of laptop users, authorities | | | | false access point to a true wireless connection. The |
| said. | | | | unsuspecting Wi-Fi surfer may then proceed to enter |
| "Wireless is a convenience, that's why people use it," | | | | credit card information, access e-mail or reveal other |
| Bickers said. "There's an axiom in the computer world | | | | sensitive data that can be tracked by the hacker. |
| that convenience is the enemy of security. People | | | | Meanwhile, the session appears ordinary to the user. |
| don't use wireless because they want to be secure. | | | | Although the FBI has been aware of this kind of attack |
| They use wireless because it's easy." | | | | for about five years, its use has increased in the last |
| For Mark Loveless, just one letter separated security | | | | couple of years and is being seen as a "huge threat," |
| from scam. | | | | Bickers said. |
| Logging on to his hotel's free wireless Internet in San | | | | "The actual tools you need, the software, the |
| Francisco last month, Loveless had two networks to | | | | hardware, etc., to mount this sort of attack has |
| choose between on his laptop screen - same name, | | | | become insanely easy to acquire," Bickers said. "You |
| one beginning with a lowercase letter, one with a | | | | need a laptop, wireless radio and the ability to |
| capital. He chose the latter and, as he had done earlier | | | | download a free tool and run it. It literally is child's play." |
| that day, connected. But this time, a screen popped up | | | | The creation of the access point itself is not generally |
| asking for his log-in and password. | | | | considered criminal; it's what happens next - tracking |
| Loveless, a 46-year-old security analyst from Texas, | | | | people's Internet use - that can cross the line. |
| immediately disconnected. A former hacker, he knew | | | | These hacking techniques are considered to be |
| an attack when he saw one, he said. | | | | "tantamount to a computer intrusion and illegal |
| Most Internet users do not. | | | | interception of wireless communication that can be |
| About 14.3 million American households use wireless | | | | prosecuted under federal law," Bickers said. |
| Internet, and this figure is projected to grow to nearly | | | | But computer evidence and statistics are hard to |
| 49 million households by 2010, according to | | | | come by, said Arif Alikhan, a former federal |
| JupiterResearch, which specializes in business and | | | | prosecutor and former chief of the cyber and |
| technology market research. | | | | intellectual property crimes section for the U.S. |
| "There's literally probably millions of laptops in the U.S. | | | | attorney's office in Los Angeles. People can unwittingly |
| that are configured to join networks named Linksys or | | | | compromise their computers in a multitude of ways, |
| D-Link when they are available," said Corey O'Donnell, | | | | and often there's no trace. |
| vice president of marketing for Authentium, a company | | | | "You can tell how many burglaries occur because |
| that provides security software. "So if I'm a hacker, it's | | | | you're victimized, and someone knows they're |
| as easy as setting up a network with one of those | | | | victimized," Alikhan said. "People don't always know if |
| names and waiting for the fish to come." | | | | someone is using their wireless network, and it's very |
| Linksys and D-Link are two of the many commercial | | | | difficult to tell unless you trace back every single |
| brands of wireless routers, products that allow a user | | | | connection.... It happens more than I think we all realize." |
| to connect to the Internet using radio frequency. | | | | The U.S. attorney's office will not comment on pending |
| As the field of wireless connectivity expands, so too | | | | investigations; however, wireless hacking cases are |
| does a hacker's playground. More than 300 | | | | relatively new, and few if any current cases involve |
| municipalities across the country are planning or | | | | "evil twin" or "man in the middle" attacks, law |
| already operating Wi-Fi service. | | | | enforcement authorities said. |
| Los Angeles Mayor Antonio Villaraigosa last month | | | | "This is a classic case of law and law enforcement |
| announced plans for citywide Wi-Fi in 2009. USC | | | | being a little behind the technological curve," Bickers |
| already offers free wireless, and by the end of March, | | | | said. |
| Los Angeles International Airport will officially offer | | | | Other types of wireless-related Internet hacking cases |
| wireless at all its terminals under a new contract with | | | | have recently popped up across the country. |
| T-Mobile. | | | | Nicholas Tombros was found guilty in 2004, under the |
| Some airlines already offer Wi-Fi at LAX. "There are | | | | federal Can-Spam Act, of "war-spamming." He drove |
| no signs for any service at all, so if any passenger is | | | | around the Venice Beach area with his laptop and |
| accessing a free wireless service ... they should be | | | | used unprotected wireless access points to send |
| cautious," said Nancy Castles, an airport | | | | spam. He could receive up to three years in federal |
| spokeswoman. | | | | prison at his sentencing next month. |
| A survey at Chicago's O'Hare Airport by Authentium | | | | He is the only defendant who has been charged in a |
| revealed 76 peer-to-peer networks, or access points | | | | case involving wireless hacking by the Greater Los |
| that are connected to via another user's computer, | | | | Angeles section of the U.S. Department of Justice's |
| with 27 of them advertising access to free Wi-Fi - a | | | | cyber and intellectual property crimes division since it |
| trademarked term for the technical specifications of | | | | was established in October 2001, according to |
| wireless local area network operation. The company | | | | Assistant U.S. Atty. Wesley L. Hsu, deputy chief of the |
| also found that three of the networks had fake or | | | | section. |
| misleading addresses, one sign the hotspots could be | | | | "They are technically difficult cases.... They're difficult |
| hackers. | | | | cases to put together, so law enforcement is having to |
| "At a busy place like O'Hare, in one hour a bad guy | | | | sort of catch up," Hsu said. |
| could get 20 laptops to connect to his network and | | | | On Sept. 30, Gov. Arnold Schwarzenegger signed into |
| steal the users' account information," said Ray | | | | law the Wi-Fi User Protection Bill, which aims to block |
| Dickenson, vice president of product management at | | | | unauthorized sharing of open Wi-Fi networks and |
| Authentium, who conducted the survey last | | | | inform users of the dangers of unsecured networks. |
| September. | | | | Starting in October, warnings and tips will be required |
| Corporate networks are sometimes the most | | | | on all wireless home-networking equipment sold in |
| vulnerable, as employers push for a more mobile | | | | California. |
| workforce without always educating its users on the | | | | The law specifically addresses "piggybacking" - or the |
| security risks of wireless Internet. | | | | use of another person's wireless network to access |
| Many workers rely on corporate firewalls in the office | | | | the Internet - a problem that security experts say has |
| and an automatic default network setting that links | | | | been a concern for years. |
| them to their corporate networks. Outside the office, | | | | |