Chris Pirillo’s Lockergnome email newsletter had a link to this article Travelers Who Use Laptop Computers: Beware and it made me realize that there are now even more people accessing Wifi hotspots than ever before and most of you are naked.

Back in January of 2005 I wrote “Are you naked?” as a post that had this paragraph in it: Security is an issue other than just at home…but it’s an underreported problem in internet cafes or public places that leave their networks wide open so it’s easy to get on them. Without a company Virtual Private Network (VPN) for your personal laptop, or some way to create a Secure Shell (SSH) to another computer for a secure tunnel, you’re vulnerable to prying eyes (email passwords go in the clear, etc.).

The latest discussions about the iPhone “hack” (which I posted about a couple of days ago here) is bringing more attention to the inherent insecurity of Wifi hotspots. While I know exactly what to do to ensure I and my loved ones have secure access when in a public hotspot, literally everyone else I know is completely clueless.

Case in point: while at the Web 2.0 Summit last October, I mentioned to several conference organizers that there were a significant number of ad hoc wireless networks setup (where a person sets up their laptop to act like a wireless access point) with names like “Free Wifi” or “Summit Wireless Access” placing attendees in jeopardy of nakedly exposing their data.  One conference leader who shall remain unnamed said, “Steve, of any group of people this one especially shouldn’t be stupid enough to connect to an ad hoc network.” You know what? In my informal poll of 20 people while there, every one of them had attempted to connect to one of these ad hoc networks since the main conference access point was either slow or they couldn’t get connected to it.

The good news? There are specific things you can do to make certain you’re secure when accessing a public hotspot.

[Read more...]

NEWS FLASH: If someone steals your iPhone, they can see all your contacts and make calls and send SMS messages on your account.

Apparently there is a new iPhone hack that allows hackers to take control of an iPhone and send off personal data residing in the iPhone memory — but it’s about as big a threat as having your iPhone stolen and I assume you keep control of your $500-$600 device. Upon seeing a link to this New York Times article, I was initially and instantly concerned and thought “Oh, that’s just great….the first security problem with the iPhone.” until I read it thoroughly.

Upon reading the site Exploiting the iPhone, I thought “What’s the fuss all about?“  The exploit is delivered via the Safari browser on the iPhone but the risks seem quite low. Read these three points very, very carefully before you get too excited or concerned about this so-called exploit:

1) An attacker controlled wireless access point: Because the iPhone learns access points by name (SSID), if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point. This allows the attacker to add the exploit to any web page browsed by the user by replacing the requested page with a page containing the exploit.

2) A misconfigured forum website: If a web forum’s software is not configured to prevent users from including potentially dangerous data in their posts, an attacker could cause the exploit to run in any iPhone browser that viewed the thread. (This would require some slight changes in our proof of concept exploit, however.)

3) A link delivered via e-mail or SMS: If an attacker can trick a user into opening a website that the attacker controls, the attacker can easily embed the exploit into the main page of the website.

Are these real possibilities? Yes, but remote unless an iPhone user is a complete bonehead. Most forums disallow HTML in forum posts because of malicious stuff being put in and links in emails from those you don’t know should NOT be clicked on (and if you DO click on them, DON’T ANYMORE). Spurious links in SMS are rare, and who is getting spam SMS messages anyway?

Of course, I suppose most people are so naive and inexperienced that perhaps they don’t think critically about security online and I guess those of us more savvy have to protect them against themselves. I just don’t see the threat being all that big a deal unless you’re with that group of security researchers at Independent Security Evaluators who uncovered the ‘exploit’ and are certain to have done it to gain attention (which they got….thank you New York Times).

With my Dad in the hospital after surgery for the next 6-8 days, I’ve been spending a lot of time there. Thankfully they have free Wifi and I’ve taken my laptop along so I can get stuff done during down times or when he’s sleeping.

Yesterday I took only my iPhone. Getting it connected to the hospital Wifi was incredibly easy and when I came back later in the day I took only it and not my laptop. This got me to thinking about how many times I’d hoped for a smartphone (like my Treo 700p) which could’ve functioned as a laptop replacement for those trips or outings where I would’ve preferred to not take my briefcase with a 6 pound computer in it.

I’m not suggesting that I can be anywhere near as productive with a smartphone as I can with a laptop…especially one where I can also boot up Windows (in Parallels) and use that OS too. I use Photoshop, InDesign, Powerpoint and Keynote, Word, Excel and many other applications where screen real estate is key. But as more of my life migrates to the Web — as I’m certain yours is too — having such an easy to use device as the iPhone is critical.

I expect a triangulation to occur soon that will make the iPhone even more productive. There will be a middle man between the iPhone, the desktop and the cloud (i.e., the Internet) called an actually and finally useful .Mac service. Since it’s been laughingly simplistic for only the most newbie Mac user or family, having Steve Jobs publically say that Apple will “make up for lost time” with a new .Mac service, I expect a lot will happen. Perhaps I’ll be able to access my files and folders, use Google Docs and Spreadsheets in some sort of unified fashion, sync the iPhone with my digital life and feed the dog.