An innocent-looking cafe may harbor a nest of fraudsters, identity thieves and other miscreants, security experts warn.
Although companies may think they have taken all the right steps to secure their networks, they could still be vulnerable if their employees access wireless hotspots, such as those at a local cafe.
In a report issued by security vendor Fortinet Inc., Richard Hanke, U.S.-based vice president of product management, says most mobile users do not realize that once connected to a wireless hotspot, they become a member of a connected community of users - most or all of whom are strangers.
And he warns that this poses significant security risks, as there is often little or no control over what can pass from user to user via a wireless access point, and that can have disastrous consequences.
"A hapless, latté-sipping web surfer can easily become infected with a virus or worm that has been picked up by a neighboring user," writes Hanke.
But he says the real damage occurs when the newly infected user returns to work and connects to the organization's wireless access point.
A worm picked up during the coffee break can then race unhindered into corporate networks and could cause significant damage.
"That innocent cup of coffee just cost your company thousands of dollars and sent you scrambling to clean the network," states Hanke.
Local security guru Tony Krzyzewski, managing director of Kaon Technologies, says the risks posed by wireless cafes are no different to those faced with any other method of connecting to the internet.
Although the risks can be reduced by basic security precautions, Krzyzewski warns that portable computers are one of the most common carriers of threats into corporate networks.
"Which is why it is absolutely essential to have a personal firewall, spyware control and antivirus up to date on portable computers," he says.
But John King, managing director of Auckland security specialist Expert Solution Providers (ESP), says wireless networks are dangerous because they are a shared medium.
"If users are not sitting in their own WLAN [wireless local area network] or using encryption to talk from the client to the access point, then all the traffic is visible to all the users," he says.
"You would need nothing more complicated than a copy of a serial freely available on the internet to capture packets."
Meanwhile, Hanke warns that once a user is authenticated and connects to a wireless access point, the wireless channel - even if encrypted - can easily deliver content threats into the wired network, from inside the organization's typical perimeter defenses such as a firewall.
King says many wireless hotspots are not based on a meshed network where the user is dropped in a WLAN with a sign-on and an encrypted link.
"A lot of wireless networks are easy to set up. The problem is control of access points. Most internet cafes spend $149 on an access point, which gives you nothing in terms of security," he says.
By using tools freely available on the internet, King says, hackers could access a wireless network's SSID (service set identifier) - which uniquely names that network - in 45 seconds, and bypass filters on access points in five minutes.
This leaves users open to virus or worm infections and denial-of-service attacks, while sensitive data can be intercepted.
"A personal firewall will prevent other people from getting to you on that wireless network, but it won't prevent your traffic being grabbed," he says.
Krzyzewski says that although organizations know of these dangers, there is still some room for improvement in how they protect themselves.
"The majority of organizations are aware of these risks - how they actually control them varies dramatically," he says.
"We always recommend you put adequate protection on the remote machine and if those machines are connecting to the corporate network you put adequate defense and authentication methods in place to protect the connection back into the organization."
Krzyzewski and King agree with Hanke that multiple layers of security - residing at the network gateway, on internal servers and on individual clients or endpoints - are required to offer complete protection, while education is the first step in establishing all those barriers of security.