funsec mailing list archives

Haven't the LA Times and Humphrey Cheung ever heard of the Electronic Communications Privacy Act?


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Sat, 28 Apr 2007 13:15:20 -0400

See:
 
http://www.floridalawfirm.com/privacy.html
 
Sec. 2511. Interception and disclosure of wire, oral, or
electronic communications prohibited
 

http://www.latimes.com/business/la-fi-consumer22apr22,0,4976397,print.story?coll=la-home-headlines

Public Wi-Fi may turn your life into an open notebook

Don't assume wireless hot spots are secure. 'Sniffers' may be hacking
nearby.

By David Colker
Times Staff Writer

April 22, 2007

No one in the evening crowd at a Starbucks in Pasadena knew Humphrey Cheung.


But Cheung, quietly sipping hot chocolate and working on his laptop, knew
things about them. 

Several tables away was a guy sitting alone with his own laptop. "He's
starting a business," Cheung said. And the young couple in the far corner?
"They're getting married," he confided. 

Cheung isn't psychic. He had hacked into the coffee shop's wireless Internet
connection on his Toshiba laptop. It took him all of about five minutes to
do so, using free software available online. 

Public Wi-Fi is very handy for perusing the Internet away from the office or
home. Just remember that you may have company while surfing. 

Once hooked into the system, Cheung was able to monitor the online activity
of other laptops in the shop. 

Luckily for the people around him, he wasn't snooping for any reason except
to make a point: As wireless hot spots proliferate, the tools for secretly
monitoring these Internet connections are becoming more sophisticated. 

"When people are on a public wireless connection, they have the same
expectations about privacy as when they are on the Internet at home," said
Cheung, 32, a computer security expert and an editor for TG Daily, a
technology news website.

"But it doesn't work that way. Someone could be listening in."

Cheung was using a "sniffer" program that intercepted online signals as they
flew back and forth from the laptops to a wireless modem hidden somewhere
amid the coffee paraphernalia.

Mostly, the monitoring was limited to tracking the websites being visited.
Numbers correlating to Web addresses flew across Cheung's computer screen,
allowing him to see that the couple were viewing pages belonging to a
wedding planning site.

The man a few tables away started with sites selling high-speed broadband
service. He went from there to a page about managing websites.

Like in a mystery yarn, the clues kept coming in. "You start to get a story
about someone," Cheung said.

Suddenly, the line "LLCs in the state of California" popped up on the
screen. An LLC is a limited liability company, a type of business structure
often used by small-business owners. 

"He's in Google," Cheung said. "That's a search he typed in."

Sure enough, the next stop was a California secretary of state site with
information about forming LLCs.

When approached, the man, Alex Auzers, 20, of Pasadena, confirmed that he
was doing research on starting a business.

Asked if he had searched the exact phrase, "LLCs in the state of
California," Auzers looked stunned. Then he shook his head.

"Is someone using a sniffer program?" he asked.

Auzers also is in the computer field - he hopes to start a business that
would service residential setups. 

"I feel kind of stupid," he said, "because I know that kind of thing can be
done."

The company that provides wireless fidelity, or Wi-Fi, signals at Starbucks
is T-Mobile USA Inc. It manages about 7,600 HotSpots nationwide, including
in coffee shops, hotels and airports.

On its website, the company warns that communications in the HotSpots "may
be subject to unauthorized interception and are not inherently secure."

But good luck in finding that security warning. The link to it is in small
print at the bottom of T-Mobile's HotSpot Web page, grouped with 18 other
links to various company Web pages.

T-Mobile offers a free software program, Connection Manager, to improve
browsing security, said Mike Selman, the service's marketing director. "You
can use this to make sure you are connected properly to our network," Selman
said, "and that communications are encrypted from the laptop."

But the security program also seems to be more or less a secret. Not only
does the name of the program not mention security, but the link to download
it also is grouped with several other items in a dropdown menu. And if you
have a Macintosh computer, you're out of luck: The software comes only in a
Windows version.

Asked whether customers at a HotSpot should be told about the software as
they sign on, Selman answered, "Not a bad suggestion."

At least Cheung couldn't read e-mails. Except in one case. 

Most major e-mail sites on the Web - such as those run by AOL, EarthLink,
Google and Yahoo - are protected by encryption. This is signified by the
site address beginning with "https" instead of "http."

Major banking and e-commerce pages that ask for financial information are
https, too. But the Web e-mail page for Internet service provider Charter
Communications Inc. is plain old http and therefore not secure.

Cheung tuned into a Charter e-mail page being viewed in a Starbucks and
began to read, "In an oiled casserole dish . ."

It was a recipe for yam enchiladas.

"You definitely want to make sure that if you are using Web e-mail on a
wireless connection," Cheung said, "that it's on an https page."

In response to questions about its non-secure service, Charter said in an
e-mail that it was "currently exploring an https implementation as well as
other security options."

On home Wi-Fi setups, password protection can be implemented on the modem,
which offers a lot of security - although some hackers say they can break
through the most basic protection regimen, known as WEP.

Public Wi-Fi setups, whether paid or free, don't have the luxury of using
passwords. That would defeat the purpose of allowing a great many people to
use them.

T-Mobile, which charges about $10 a day for HotSpot use, is working to get
more people to use them. Last month, the company finished installing a
system at Los Angeles International Airport that covers 3.8 million square
feet of space, making it one of the largest Wi-Fi deployments in the world. 

Also, free Wi-Fi hot spots are being added to more outdoor areas by cities.
Fullerton and Long Beach already have them, and there are plans to install a
system at Pershing Square in downtown Los Angeles.

So, enjoy the freedom of Wi-Fi. But maybe you shouldn't surf to sites you
wouldn't want people to know you're visiting.

"If you watch where people go, one site after another," Cheung said, "it's
almost like you can read their minds."

  _____  

david.colker () latimes com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
