VPN-for-hire protection is worth it
Wi-Fi hot spots and hot zones are everywhere — in Seattle's libraries, in coffee shops and selected neighborhoods like the University District. But they're unsafe at any speed, to steal a line from Ralph Nader.
Wi-Fi signals can be received and analyzed by anyone in the vicinity using free and simple software. Open networks, like those at most hot spots, carry every user's traffic over the air unencrypted, so any data that isn't protected by some other layer of encryption can be captured and stored by anyone else on the network.
Some sniffing tools go further: they recognize the login exchanges of common protocols and pull out just the usernames and passwords, along with the site or server each one belongs to.
Banking and e-commerce transactions are almost always encrypted using SSL, the long-established Web-security standard behind the browser's padlock icon, but the contents of your e-mail, and the passwords for mail and many other services, are typically sent for all to see.
The solution to this security hole, as noted briefly by Patrick Marshall in these pages a few weeks ago, is a virtual private network (VPN) connection.
A VPN connection secures data as it traverses the local network and beyond. It's an encrypted conduit that links your computer to a server elsewhere on the Internet, beyond the prying eyes of other nearby users.
Corporations tend to require their traveling users to employ a VPN that they operate, but individuals don't have to be left out. You can turn to a VPN-for-hire firm. WiTopia and publicVPN each have downloadable Mac software that hooks you into their VPN servers.
WiTopia's personalVPN service is $40 per year (witopia.net); publicVPN charges $60 per year for its offering (publicvpn.com); publicVPN supports a large array of older Mac systems; both companies also support Windows.
To use a VPN, you first connect to a hot-spot network, entering whatever credentials or payment details needed (if any), or just clicking on an I Agree button on a page detailing appropriate network use.
Then you fire up the VPN, typically by selecting a Connect menu item. The VPN software on your Mac communicates with a VPN server elsewhere on the Internet. Within a few seconds, the connection is set up, and your data is secured to that remote server.
While the connection to the VPN server is secured, the network connection from that distant server to your traffic's destination — an e-mail server or Web site — is not. A VPN doesn't make the whole path private; it takes the untrusted local network and its other users out of the picture, which is where the hot-spot risk lies. It's well worth the price.
Old Wi-Fi security: Along similar lines, many people who use Wi-Fi in their homes and small offices secure their networks with built-in protection that's part of the set of Wi-Fi standards. The oldest of these security methods, WEP (Wired Equivalent Privacy), was dealt its final death blow this last week.
When you secure a network with WEP, you invent a network password and enter that password on the Wi-Fi gateway. You then enter the password on every computer on a network that needs access.
WEP is the oldest Wi-Fi security standard, and researchers showed as long ago as 2001 that it misused its underlying cipher in ways that let an eavesdropper recover the key. By 2003, software could extract a WEP key by watching 15 to 30 minutes of a network's activity.
Researchers at a university in Darmstadt, Germany, have lowered that threshold to one to two minutes by making do with a small fraction of the captured packets earlier methods needed, and released both an academic paper and a cracking tool.
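One of the flaws identified in 2001 is easy to reproduce and shows why WEP was doomed independently of the Darmstadt key-recovery attack: every frame is encrypted with the RC4 cipher keyed by a 24-bit per-frame value (the IV) glued onto the shared key, the IV is sent in the clear, and 24 bits is far too few. Once two frames share an IV they share a keystream, and knowing the contents of one frame reveals the other without ever learning the key. The script below is an added example, not code from the column or from the Darmstadt researchers; the root key, IV and frame contents are constructed, and WEP's per-frame integrity checksum is omitted because it does not affect the point.

```python
import math
import os


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(root_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then payload XOR RC4(IV || root key).
    The integrity check value WEP appends is left out here."""
    assert len(iv) == 3
    ks = rc4_keystream(iv + root_key, len(payload))
    return iv + bytes(p ^ k for p, k in zip(payload, ks))


def iv_reuse_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least one IV repeats among `frames`
    frames when the sender picks IVs uniformly at random. Cards that simply
    count upward from zero after each reset repeat even sooner."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def recover_with_known_plaintext(frame_a: bytes, plain_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so
    C_a XOR C_b = P_a XOR P_b; knowing P_a gives P_b without the key."""
    iv_a, ct_a = frame_a[:3], frame_a[3:]
    iv_b, ct_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        raise ValueError("frames use different IVs; their keystreams differ")
    n = min(len(ct_a), len(ct_b), len(plain_a))
    return bytes(ct_a[i] ^ plain_a[i] ^ ct_b[i] for i in range(n))


# Constructed frames. Every IP frame starts with the same 8-byte LLC/SNAP header,
# and an attacker can make a whole frame predictable, e.g. by e-mailing the
# victim a message of their own choosing (a trick from the 2001 paper).
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
KNOWN_PAYLOAD = LLC_SNAP + b"Subject: test message\r\n"
SECRET_PAYLOAD = LLC_SNAP + b"PASS hunter2\r\n"


def demo() -> bytes:
    root_key = os.urandom(13)      # 104-bit WEP key; the attacker never learns it
    iv = b"\x01\x02\x03"           # the same IV used twice
    frame_known = wep_encrypt(root_key, iv, KNOWN_PAYLOAD)
    frame_secret = wep_encrypt(root_key, iv, SECRET_PAYLOAD)
    return recover_with_known_plaintext(frame_known, KNOWN_PAYLOAD, frame_secret)


if __name__ == "__main__":
    print("IV repeat after 5,000 frames: %.0f%%" % (100 * iv_reuse_probability(5000)))
    print("recovered without the key:", demo())
```

With only a few thousand frames, a busy network's IV repeats with better than even odds, and each repeat hands an eavesdropper the plaintext of any frame whose twin they can predict; the key-recovery attacks the column describes build on this same RC4 misuse.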
I recommend that any remaining WEP users upgrade to WPA (Wi-Fi Protected Access). WPA fixes the holes in WEP, changing how each packet's key is derived and adding a proper integrity check, making it trustworthy. A later version called WPA2 adds even higher-grade, AES-based encryption that is required for those in medical, government, or legal industries.
WPA and WPA2 are supported starting with Mac OS X 10.3.3. The original AirPort card can be upgraded to WPA, but not the AirPort base station. All Apple Wi-Fi gear shipped starting in 2003 — AirPort Extreme and AirPort Express — support both WPA and WPA2.
Most individuals and small offices use WPA/WPA2 Personal, which requires a shared passphrase, a sequence of letters, numbers and punctuation that you enter once on the gateway and on each computer. Make it at least 20 characters long and avoid words found in dictionaries: an attacker who records one computer joining the network can test guesses against that recording offline, at leisure, and a passphrase that is a word or a short phrase falls quickly.
Small- to medium-size businesses could opt for WPA/WPA2 Enterprise (based on a standard called 802.1X), in which each user logs in with a unique name and password checked by an authentication server, and a fresh WPA/WPA2 encryption key is generated for each login. The keys are delivered securely, so no user ever sees or has to share the actual network key, and a departing employee's access can be revoked without touching every other computer.
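Why the passphrase advice for WPA/WPA2 Personal matters can be shown in a few lines. The key a network actually uses is derived from the passphrase and the network name by a fixed, public formula (PBKDF2 with HMAC-SHA1, 4,096 iterations, salted only by the SSID), so anyone who has recorded a client joining the network can run that formula over a wordlist without sending a single packet. This is an added example, not code from the column or from either company mentioned above; the SSID, wordlist and passphrases are constructed, and comparing derived keys directly stands in for what real tools do, which is to check each derived key against the integrity code in the captured join exchange.

```python
import hashlib
import secrets
import string

# Constructed wordlist; real attacks use lists of millions of words and phrases.
WORDLIST = ["letmein", "password", "qwerty", "seattle", "coffee", "wireless"]


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2 Personal pre-shared key: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def offline_guess(ssid: str, target_psk: bytes, wordlist):
    """Try each candidate against the recorded key material without touching
    the network; returns the passphrase if any candidate matches."""
    for guess in wordlist:
        if wpa_psk(guess, ssid) == target_psk:
            return guess
    return None


def passphrase_ok(passphrase: str, wordlist) -> bool:
    """The column's rule: at least 20 characters and not a dictionary word,
    including a dictionary word dressed up with digits or punctuation."""
    if len(passphrase) < 20:
        return False
    core = passphrase.lower().strip(string.digits + string.punctuation)
    return core not in {w.lower() for w in wordlist}


def random_passphrase(length: int = 24) -> str:
    """A passphrase no wordlist will contain."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    ssid = "HomeNet"                                  # constructed network name
    weak = wpa_psk("password", ssid)
    print("weak passphrase recovered:", offline_guess(ssid, weak, WORDLIST))
    strong_phrase = random_passphrase()
    strong = wpa_psk(strong_phrase, ssid)
    print("strong passphrase recovered:", offline_guess(ssid, strong, WORDLIST))
    print("passes the column's rule:", passphrase_ok(strong_phrase, WORDLIST))
```

Because the SSID is the only salt, a common network name also means an attacker can precompute keys for a whole wordlist once and reuse them against every network with that name; a distinctive SSID plus a long, non-dictionary passphrase defeats both shortcuts.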
WiTopia offers a service that works over the Internet for this corporate flavor of WPA/WPA2. SecureMyWiFi starts at $10 per year, and fees are based on the number of users. You can also buy a software server for a one-time fee for either Mac OS X or Windows from Periodik Networks (periodiklabs.com, starts at $300, unlimited users).
Whether you're at a hot spot or at home, there's more reason than ever before to keep your data in transit secure. But the tools have also become better and simpler at the same time.
Glenn Fleishman writes the Practical Mac column for Personal Technology and about technology in general for The Seattle Times and other publications. Send questions to gfleishman@seattletimes.com. More columns at www.seattletimes.com/columnists