I’ve heard that instant messages through AOL/Yahoo/MSN can be read by
hackers that “sniff” the messages leaving my network. Is this true?
It’s actually true for all the data that comes and goes on your internet
connection: web pages, emails, instant messaging conversations and more.
Most of the time it simply doesn’t matter. Honest.
On the other hand, there are definitely times and situations when you really
do need to be careful.
Data traveling on a network such as the internet can be seen by many other machines. Local machines connected via a hub, for example, all see the data being sent to and from all the other machines connected to the same hub. As the data travels across the internet, it actually travels across many devices each of which can “see” the data.
The good news is that it’s actually pretty hard to find data transmitted to and from a specific machine unless you’re on the same network segment. For example, if you’re connected to the internet via DSL, other machines sharing that DSL connection might watch your traffic, but random machines out on the internet would have an extremely difficult time tracking it down.
It’s not something I worry about much at home.
However, there are scenarios that you should be very aware of.
Wireless access points operate much like a hub. Any wireless adapter within range can see all of the network traffic in the area. Visited any open (meaning not WPA-encrypted) wireless hotspots lately? Anyone in the coffee shop or library, or even just outside on the street or a nearby building, could be sniffing your traffic.
Hotel or other third-party provided internet connections are also vulnerable, since you have no idea what, or who, is sharing or watching your connection. It’s possible that you’re on a hub, and the room next door or down the hall could be watching your traffic, or it’s possible that the hotel staff themselves are tapped into the internet traffic to and from all the rooms.
Landlord-provided internet connections, or those provided by or shared with a roommate or housemate, fall into the same category: whoever set it up could very easily be watching the internet traffic going to and from the connection(s) that they provide you.
Your connection at work can also easily be monitored by your employer. In fact, the only difference between your employer and a hotel- or landlord-provided connection is that in most places the employer snooping on your use of their connection is legal, whereas the others typically are not.
So, what to do?
Aside from avoiding the situations listed above where this kind of eavesdropping is not only possible but often downright easy, the answer boils down to encryption of one form or another.
If you can, make sure that your own wireless hotspots are configured to use WPA2 encryption. (WPA if that’s all that’s available. There’s no point in using WEP, as it is trivially cracked.) This way your wireless connection is secure. Even if someone does sniff and see your data going by, all they’ll see is encrypted noise.
If, as in most of the examples above, you do not have control over the wireless connection, and have no control over the actual connection to the ISP, then additional steps are necessary.
As a start, if you’re on the road you might simply wait until you’re home to access sensitive sites like online banking or others.
In terms of technologies to help keep you secure, the list includes:
https (as opposed to http) connections are encrypted. Even traveling over unencrypted media like wired connections or open WiFi hotspots, the https protocol securely encrypts the data that is being sent to and from the web site being accessed. It also provides an additional level of assurance that the site you think you are connecting to is, in fact, that site. Not all sites support https (Ask Leo! is one such example) but sites that provide you with access to any potentially sensitive information – including your web-based email – should provide an https connection, or should be avoided.
Secure email connections should be used with your desktop email programs such as Outlook, Thunderbird, or any program on your computer that uses POP3/IMAP and SMTP. By default most email services have you configure your email connection for downloading your email using unencrypted protocols. Many now offer the ability to specify encrypted equivalents. If you’re in any of the situations above, only encrypted protocols should be used.
VPNs or virtual private networks are technologies that can be used to secure your entire internet connection by creating an encrypted “tunnel” to a third party. All of your internet traffic goes to this trusted third party – encrypted – and from there it connects to the rest of the internet. All your internet traffic traveling between you and that third party is safe from sniffing by virtue of being encrypted.
The “third party” might be your place of work, if they offer such a thing, and as noted above, if you trust them. Other alternatives include services like HotSpotVPN, which are targeted at folks who travel a lot and make regular use of open public WiFi and other fundamentally insecure internet connections.
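As an added illustration of the secure email item above (not code from the original article), this sketch checks the server settings of a desktop mail program and reports any that would send the login and messages unencrypted. The port numbers are the standard registered defaults; the function names and the sample profile are constructed for the example.

```python
# Added example: flag mail-account settings that send logins in the clear.
# Ports are the standard registered defaults; the sample profile is constructed.
CLEARTEXT_PORTS = {"pop3": {110}, "imap": {143}, "smtp": {25, 587}}
IMPLICIT_TLS_PORTS = {"pop3": {995}, "imap": {993}, "smtp": {465}}
SECURITY_MODES = {"none", "starttls", "tls"}


def audit_setting(protocol, port, security):
    """Return (verdict, reason); verdict is encrypted, cleartext or misconfigured."""
    protocol, security = protocol.lower(), security.lower()
    if protocol not in CLEARTEXT_PORTS or security not in SECURITY_MODES:
        return ("misconfigured", "unknown protocol or security mode")
    if security == "none":
        # Username, password and message text cross the network unencrypted.
        return ("cleartext", "readable by anyone sharing the network segment")
    if security == "tls":
        # Implicit TLS: the handshake happens before any mail command.
        if port in CLEARTEXT_PORTS[protocol]:
            return ("misconfigured", f"port {port} starts in cleartext; use STARTTLS")
        return ("encrypted", "TLS is negotiated before login")
    # STARTTLS: the session starts in cleartext and is upgraded before login.
    if port in IMPLICIT_TLS_PORTS[protocol]:
        return ("misconfigured", f"port {port} expects TLS from the first byte")
    return ("encrypted", "upgraded to TLS before login, if the client requires it")


def audit_profile(settings):
    """Return the settings that need changing before using an untrusted network."""
    findings = []
    for name, protocol, port, security in settings:
        verdict, reason = audit_setting(protocol, port, security)
        if verdict != "encrypted":
            findings.append((name, verdict, reason))
    return findings


# Constructed sample profile: (label, protocol, port, security mode).
SAMPLE_PROFILE = [
    ("incoming-default", "pop3", 110, "none"),
    ("incoming-secure", "imap", 993, "tls"),
    ("outgoing-default", "smtp", 25, "none"),
    ("outgoing-secure", "smtp", 587, "starttls"),
    ("outgoing-mismatch", "smtp", 465, "starttls"),
]

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

With STARTTLS, the mail program should be set to require the upgrade rather than fall back to an unencrypted session if the server does not offer it.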
In general, when people ask about the security of their data it falls into one of two broad categories:
Privacy and Security or folks who are concerned that they’re being spied on. My general response is that most of us as individuals just aren’t that interesting, and it is rarely anything to be concerned about.
Opportunistic Theft or situations where someone’s looking not specifically for you or me, but rather for someone who’s allowed their bank, email or other secure information to be available for stealing. By leaving information out and available to thieves, you can become a victim.
The good news is that the advice and technologies above go a long way to addressing both issues. The bad news, of a sort, is that it’s still your responsibility to make sure that you’re secure and using them appropriately.
(This is an update to an article originally published in February, 2005.)