1. Wireless Security Issues @ Home & Hotspotting
Ernest Staats
Director of Technology and Network Services (TNS)
MS Information Assurance, CISSP, MCSE, CNA, CWNA, CCNA, Security+, I-Net+, Network+, Server+, A+
Resources

2. Information Blowin' in the Wind
Wireless open by default
Wireless networks “broadcast” data into the air
Anyone can receive the broadcast
Certain steps must be taken to protect “users” of wireless networks
Since it is wireless anyone can listen to what you’re doing over the wireless because it broadcasts data in the open air. Anyone close enough can listen to whatever you are doing and see any data you are sharing. These next steps will help you better secure your wireless network.

3. Wireless Basics - 802.11 2.4 GHz (no license) band
Only 3 non-overlapping channels (in theory)
CSMA-CA (50% overhead)
Half Duplex (talk then listen)

4. Home Wireless Issues Not enough bandwidth (when downloading or gaming)
Updates chew-up bandwidth
Co-channel interference (Phones, Microwaves)
Old Firmware (check for updates every quarter)
No Security or worse, they use WEP
SSID broadcast on
Raises your risk factor that someone could obtain personal information or worse
Wireless Networking is one of the nicest features technology has to offer. Being able to move any where in the house or in the office is really nice, but it also comes with some major security vulnerabilities.
If someone gets on your WIFI
Slow down your Internet performance.
View files on your computers and spread dangerous software.
Monitor the Web sites you visit, read your and instant messages as they travel across the network, and copy your usernames and passwords.
Send spam or perform illegal activities with your Internet connection.

5. What Could Happen? Slow down your Internet performance.
View files on your computers and spread dangerous software.
Monitor the Web sites you visit, read your and instant messages as they travel across the network, and copy your usernames and passwords.
Send spam or perform illegal activities with your Internet connection.

6. Changing Default Settings:
Change the Default logon password and make it long!
All defaults are known and published on the Net
updated Jan 2007
AP Management Interface
HTTP, SNMP, Telnet
HTTP Login
Linksys: UID=blank PW=admin
DLink: UID=admin PW=blank
Generic: UID=admin PW=admin
SNMP (disable SNMP for home use)
All: PW=public
Change default no Open systems to WPA2 systems for home use a long passphrase
Most wireless routers today work straight out of the box, all you have to do is plug it in. That’s all nice and easy, but the problem is that wireless routers have a default password and default name. Anyone who can get close enough to your wireless can get on and change wireless settings which could be a real pain because they can lock you out, limit who can get on the wireless and encrypt it making it useless for you. So we highly recommend that you at least change the default password to protect your wireless router.

7. Cell Sizing:
How far is your WIFI signal going? (that is called your cell size)
I can pickup wireless when I go visiting family in ID or CO by just turning on my laptop
Can’t cover whole house?
Repeater
Better antenna
MIMO
802.11N (if you like Vegas)
Power Setting
The Cell size is usually adjusted by the power setting
Go outside your house and see how far your wireless single is reaching you will be surprised.
Another setting that should be changed is the cell sizing. There is no point in blasting wireless to your whole neighborhood if you’re the only one you want on the wireless. So when you get the wireless router change the cell size to a smaller size that still covers your house or small business office without broadcasting free internet

8. SSID Naming: Identifies network
Helps others identify whether or not you have left default settings on
Broadcast on by default (turn it off)
Once again with the default settings your wireless device broadcasts its name saying “my name is … connect to me
Turning off SSID cloaking is called Cloaking
Avoid naming your SSID a private or personal code (don’t make it your password or your name)
In order to connect to a wireless network you need the wireless devices name or SSID. The default names are all the same for each wireless brand so if you leave the name default from the company any passersby will automatically connect because it is a wireless name that windows has connected to before. So changing your SSID name can make it harder for outside people to connect to your wireless. This step goes hand in hand with the next step. If you don’t bother with the next step this step is pretty much worthless other than the fact you changed the name of your wireless.
Once again with the default settings your wireless device broadcasts its name saying “my name is … connect to me” This makes the last step you did totally useless. So for this step you should change it so that it doesn’t broadcast that the wireless is there. This is called cloaking, this is so good because if you cloak your wireless and change the name it makes it much harder for others to connect because they have no idea that the wireless is even there. Now this is not perfect
and will not totally secure because with the right tools you can make a cloaked wireless device tell you its name anyway but it still adds an extra layer of security. .

9. MAC Filtering:
“MAC Filtering” is where you tell your wireless device what other devices can connect to it.
A MAC address is the hardware number that is network card specific (literally burned into the network card when it is made)
Can be spoofed but is still a good option for homes
Inside your device settings you can select this option and then you need to insert the MAC (or hardware number that is card specific so each card is different.) which can be found by popping open the case and locating the sticker on the network card. This step is probably the hardest but one of the most effective because it restricts access based on MAC address which is technically burned into a device. (it can be spoofed but we wont go into that.).

10. Obtaining Your MAC Address
WINDOWS NT / 2000 PROFESSIONAL or XP:
After clicking on the Start Button, click on Run.
Once a small black window appears, type in ipconfig /all (with a space between the g and the /).
Locate the number to the right of Physical Address. This is your MAC address.
Macintosh (OS X):
If your computer is running OS X, it is best to have it upgraded to at least 10.1
From the dock, select "System Preferences".
Select the "Network" Pane
With the TCP/IP tab selected, the number next to Ethernet Address is you MAC addres
Linux
On Linux systems, the ethernet device is typically called eth0. In order to find the MAC address of the ethernet device, you must first become root, through the use of su. Then, type ifconfig -a and look up the relevant info.
For example:
# ifconfig -a eth0 Link encap:Ethernet HWaddr 00:60:08:C4:99:AA inet addr: Bcast: Mask: UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets: errors:0 dropped:0 overruns:0 TX packets:69559 errors:0 dropped:0 overruns:0 Interrupt:10 Base address:0x300
The MAC address is the HWaddr listed on the first line. In the case of this machine, it is 00:60:08:C4:99:AA.
If you cannot find your MAC address in either the box or on the card, please follow the instructions below, depending on your operating system (Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000 Professional, Win XP, Macintosh OS, Macintosh OS X, Solaris/SunOS, Linux, FreeBSD, or HP).
WINDOWS NT / 2000 PROFESSIONAL or XP:
Using your mouse, click on the Start Button.
Click on Programs.
Next, click on Accessories, and then Command Prompt.
Once a small black window appears, type in ipconfig /all (with a space between the g and the /).
Locate the number to the right of Physical Address. This is your MAC address. or
After clicking on the Start Button, click on Run.
Type in the word command
Click on OK.
Once a small black window appears, type in winipcfg.
WINDOWS 95/98/ME:
In the white space of the window, type in the word winipcfg
Click on "OK".
Look under the info for the Ethernet adapter. (Your system may also have a modem.)
The number next to "Adapter Address" is your MAC address.
Macintosh OS (Pre OS X):
You will need DHCP to be working on your computer. DHCP allows your computer to have access to the artsci.wustl.edu server. In order for DHCP to work on an Apple computer, you must be running system or higher and have Open Transport installed.
Once you have made sure your Apple computer is running system or higher, and has Open Transport installed follow the instructions below to find the MAC address of your computer:
Click the Apple Menu.
Click on "Control Panels" to open your control panels folder.
Open the "TCP/IP" control panel
Go to the Edit Menu
Click on User Mode
Change the mode to "Advanced" and click "OK".
Click on the "Info" button
The Hardware address is your MAC address
Macintosh (OS X):
If your computer is running OS X, it is best to have it upgraded to at least 10.1
From the dock, select "System Preferences".
Select the "Network" Pane
With the TCP/IP tab selected, the number next to Ethernet Address is you MAC addres
Solaris/SunOS
On Solaris and SunOS systems, the ethernet device is typically called le0 or ie0. In order to find the MAC address of the ethernet device, you must first become root, through the use of su. Then, type ifconfig -a and look up the relevant info. For example:
# ifconfig -a le0: flags=863 <UP,BROADCAST,NOTRAILERS,RUNNING> inet netmask ffffff00 broadcast ether 8:0:20:f:c2:f8
Note: Solaris and SunOS strip off the leading 0 commonly included in the MAC address. In the case of this machine, the MAC address is 08:00:20:0f:c2:f8
Linux
On Linux systems, the ethernet device is typically called eth0. In order to find the MAC address of the ethernet device, you must first become root, through the use of su. Then, type ifconfig -a and look up the relevant info. For example:
# ifconfig -a eth0 Link encap:Ethernet HWaddr 00:60:08:C4:99:AA inet addr: Bcast: Mask: UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets: errors:0 dropped:0 overruns:0 TX packets:69559 errors:0 dropped:0 overruns:0 Interrupt:10 Base address:0x300
The MAC address is the HWaddr listed on the first line. In the case of this machine, it is 00:60:08:C4:99:AA.

11. Encryption: WEP – First Wireless Security
Cracked -- Any middle-schooler can crack your WEP key in short order
WPA
Cracked… but
Key changes
WPA2
Harder to crack than WPA
802.1x
Uses Server to Authorize User
Can be very secure
802.11i
AES encryption – “Uncrackable”
WEP: WEP stands for wired equivalent privacy. WEP is pretty old and has more holes than Swiss cheese. WEP is just about worthless other than it can keep your average Joe redneck from getting on. Anyone with a hacking tool can get on your wireless in seconds defeating the whole purpose.
Any middle-schooler can crack your WEP key in short order
Steps:
Collect a lot of packets (500k-1 million)
Use Aircrack (or others)
Reveals WEP key in seconds
With Key, All Data is Visible

12. Wi-Fi Protected Access (WPA)
WPA: WPA stands for Wi-Fi Protected Access. WPA is much better than WEP; we recommend that you put at least WPA on your wireless. It has been cracked, but it takes much longer and is almost not worth the effort.
For “workgroups”, laptop carts, home users, etc.
Keep “secret” long and obscure (set a long passphrase of at least 20 random characters. Better yet, use the full 63 characters by typing a sentence you can remember—just don't make it something that's easily guessed, like a line from a movie.)
Additional weakness in social engineering the “secret”
Weakness in initial exchange
Capture four-way handshake
Use protocol analyzer or Airodump
Run coWPAtty from a DOS prompt
coWPAtty
Performs dictionary attack
Success depends on weakness of WPA password
Could take minutes, hours, days
PC speed and completeness of dictionary are important

13. Wi-Fi Protected Access (WPA2)
WPA2: is very effective for keeping most “normal” people off your wireless.
Changes encryption from RC4 to AES
coWPAtty v4 can attack and crack it
Some hardware may not support it
Firmware upgrade may be necessary
Use it if available
It is set up so that the data is encrypted and the encryption is changed every few transmissions making it more difficult to crack.

14. Turn It Off:
The easiest wireless security option. When you don’t need it, TURN IT OFF.
On vacation
After a certain hour at night
Turn OFF access point / wireless router and your laptop’s wireless card (saves your battery life some also)
Turn off DHCP on the router or access point, set a fixed IP address range, then set each connected device to match. Use a private IP range (like x) to prevent computers from being directly reached from the Internet. Assign Static IP Addresses to Devices Or Limit the number of DHCP address your router will give out

15. Home Wireless Summary Change default settings -- SSID and passwords
Use WPA or (better WPA2)
Use a MAC filter
Turn off SSID broadcasting
Know how far your wireless signal is reaching
Turn off wireless when not being used for extended time periods & Turn off DHCP or limit DHCP
Disable remote administration
Update Firmware on AP and wireless cards semiannually
Secure your Home machines
Current AV
Firewall (if the wireless router has a firewall option turn it on)
Spyware protection
Auto update Windows
Common Sense (Check the “Secure Your Laptop Section”)
Tip: Write down your passwords on a piece of paper and store them in your home safe if you have one. If you don't have a home safe, store your passwords with your other important family documents.
Most WLAN hardware has gotten easy enough to set up that many users simply plug it in and start using the network without giving much thought to security. Nevertheless, taking a few extra minutes to configure the security features of your wireless router or access point is time well spent. Here are some of the things you can do to protect your wireless network:
1) Secure your wireless router or access point administration interface  Almost all routers and access points have an administrator password that's needed to log into the device and modify any configuration settings. Most devices use a weak default password like "password" or the manufacturer's name, and some don't have a default password at all.  As soon as you set up a new WLAN router or access point, your first step should be to change the default password to something else. You may not use this password very often, so be sure to write it down in a safe place so you can refer to it if needed. Without it, the only way to access the router or access point may be to reset it to factory default settings which will wipe away any configuration changes you've made. 
2) Don't broadcast your SSID Most WLAN access points and routers automatically (and continually) broadcast the network's name, or SSID (Service Set IDentifier). This makes setting up wireless clients extremely convenient since you can locate a WLAN without having to know what it's called, but it will also make your WLAN visible to any wireless systems within range of it. Turning off SSID broadcast for your network makes it invisible to your neighbors and passers-by (though it will still be detectible by WLAN "sniffers"). 
3)Enable WPA encryption instead of WEP 's WEP (Wired Equivalency Privacy) encryption has well-known weaknesses that make it relatively easy for a determined user with the right equipment to crack the encryption and access the wireless network. A better way to protect your WLAN is with WPA (Wi-Fi Protected Access). WPA provides much better protection and is also easier to use, since your password characters aren't limited to 0-9 and A-F as they are with WEP. WPA support is built into Windows XP (with the latest Service Pack) and virtually all modern wireless hardware and operating systems. A more recent version, WPA2, is found in newer hardware and provides even stronger encryption, but you'll probably need to download an XP patch in order to use it.  
4) Remember that WEP is better than nothing  If you find that some of your wireless devices only support WEP encryption (this is often the case with non-PC devices like media players, PDAs, and DVRs), avoid the temptation to skip encryption entirely because in spite of it's flaws, using WEP is still far superior to having no encryption at all. If you do use WEP, don't use an encryption key that's easy to guess like a string of the same or consecutive numbers. Also, although it can be a pain, WEP users should change encryption keys often-- preferably every week.   See this page if you need help getting WEP to work.
5) Use MAC filtering for access control  Unlike IP addresses, MAC addresses are unique to specific network adapters, so by turning on MAC filtering you can limit network access to only your systems (or those you know about). In order to use MAC filtering you need to find (and enter into the router or AP) the 12-character MAC address of every system that will connect to the network, so it can be inconvenient to set up, especially if you have a lot of wireless clients or if your clients change a lot. MAC addresses can be "spoofed" (imitated) by a knowledgable person, so while it's not a guarantee of security, it does add another hurdle for potential intruders to jump. 
6) Reduce your WLAN transmitter power You won't find this feature on all wireless routers and access points, but some allow you lower the power of your WLAN transmitter and thus reduce the range of the signal. Although it's usually impossible to fine-tune a signal so precisely that it won't leak outside your home or business, with some trial-and-error you can often limit how far outside your premises the signal reaches, minimizing the opportunity for outsiders to access your WLAN. 
7) Disable remote administration
Most WLAN routers have the ability to be remotely administered via the Internet. Ideally, you should use this feature only if it lets you define a specific IP address or limited range of addresses that will be able to access the router. Otherwise, almost anyone anywhere could potentially find and access your router. As a rule, unless you absolutely need this capability, it's best to keep remote administration turned off. (It's usually turned off by default, but it's always a good idea to check.)

16. Hot Spot or Public Access
Everything you do can be observed by other people; including your , logon and surfing.
Etherwatch (driftnet, etherpeg)
Capture and display images
Ethereal, Commview, AirMagnet…
Capture packets and display , web pages, etc.
Data is unencrypted
Unless an application does it
Your system can be probed to see if someone can get into your laptop
All wireless LANs have security issues, but wireless hot spots raise unique concerns. As with any wireless LAN, signals can penetrate walls and ceilings. That means that anyone in range with a standard wireless card can connect, even if they're sitting out in the parking lot.
Hot-spot services are designed for maximum ease of use, so they generally don't offer WEP or WPA encryption; if you connect to a hot spot, just about all the data you send is probably unencrypted. Since wireless LANs allow peer-to-peer connections, the computer-savvy guy at the corner table may be able to connect to your notebook and mooch your Internet connection, look at your unprotected files, or hitch a ride as you connect to your corporate LAN. He can also eavesdrop the airwaves with one of the many wireless sniffers available on the Web and watch as you unintentionally reveal your corporate network log-on information, your credit card numbers, IP addresses of your connections, and even the contents of s, instant messages, and file attachments. Anyone with malicious intent can do lots of damage with this information, both to you and the company that employs you. And of course, you're vulnerable to the same viruses, worms, and other attacks as you would be on any unprotected network.
So what can you do? Here are several ways you can protect yourself.
• Disable your wireless card's ad-hoc (peer-to-peer) mode. You can do this via the adapter's utilities or within Windows XP by clicking on Network Connections in the Control Panel. This will help prevent anyone from connecting to your notebook.
• Remove or disable your wireless card if you're working offline.
• Install a personal firewall. Windows XP offers the rudimentary Internet Connections Firewall, but more advanced personal firewall products, such as Symantec's Norton Internet Security and Zone Labs' ZoneAlarm, can prevent others from accessing your notebook and even alert you when an attempt is made.
• Install personal antivirus software from McAfee, Symantec, or another antivirus vendor, and enable automatic signature updates.
• Take advantage of your client's security features, particularly digital signatures and encryption. Digital signatures verify your identity to your recipients and ensure that messages are not tampered with during transmission. Microsoft Outlook lets you add digital signatures to messages and encrypt messages and attachments using S/MIME. If you're using a Web-based service, make sure it offers some type of encryption. Be aware, however, that in many cases with such services only the log-on information is encrypted, while text is sent in the clear. You may want to use third-party encryption utilities, such as PGP Corp.'s PGP Personal, which offers digital signatures and strong encryption for messages and attachments, as well as for files stored on your computer.
• Make sure you submit credit card information only to SSL-protected Web sites (look for in the address bar).
• For the best protection, use a virtual private network (VPN) to provide strong authentication and encryption for all your hot-spot communications. This is particularly important if you're connecting to your company's network, in which case you'll probably get VPN client software from your IT manager. Small-business users can install VPN-enabled firewall and router appliances from Netgear, SonicWall, 3Com, or Watchguard at the office or use one of the many small-business VPN services available, for example, from Sprint or Verio. Individual users can take advantage of inexpensive consumer VPN services such as HotSpotVPN ( Or they can limit themselves to protected hot spots, such as those from EarthLink and others that make up the Boingo Wireless network.
• Keep your OS and software up to date with security patches.
Before you use a Wi-Fi hot spot, mobile users need to take some precautions to ensure they are safely and securely connecting to their corporate network or to the Internet. Is your mobile gear secure enough to be using a hot spot?
Install a Firewall
Anytime you use your mobile gear on the road and especially in hot spots, make sure you have installed firewall software. Hot spots aren't secure access points and mobile workers need to take responsibility for their own security.
Hot Spot Security Precautions
Personal Firewall Software
Disable Wi-Fi Ad-hoc Mode
You should only allow access point networks that you have created using your Wi-Fi software or you can use network connections in Windows XP. Don't allow instant network connections that you have not approved of or are aware of. When in a hot spot you may pick up other Wi-Fi networks that you do not want to access or allow access to your laptop. Disable ad-hoc mode before entering a hot spot.
Definition of ad-hoc mode
Definition of access point
How to create a network connection in WinXP
Use a VPN
When connecting to a corporate network mobile users should use their company VPN. This provides additional security for your gear. Working in a hot spot can create new risk exposures and the potential for your data to be comprised.
Disable File & Printer Sharing
When using a Wi-Fi hot spot, mobile users don't need to have their laptops file and printer sharing enabled. Leaving this enabled while using a hot spot leaves you vulnerable to hackers. This is another item that should be disabled before entering a hot spot.
How To Disable File & Printer Sharing
Turn It Off
When mobile users aren't connected to a Wi-Fi hot spot, they should turn off their wireless devices. If you are working but don't wish to be connected, remove the Wi-Fi card. In Centrino-based systems there should be a manual switch to turn Wi-Fi off. You can disable the connection using the Wi-Fi software. To shutdown Wi-Fi in a Palm you hold down the Globe logo wireless navigation button. This will also save your battery in a Palm.
Don't Advertise Your Wi-Fi
When mobile users are in public areas such as a hot spot, it is not the time to brag to strangers about your Wi-Fi capabilities. Always be discreet when working and don't let others view your work. You could end up making yourself and your mobile gear a target for theft.
Make Folders Private
Making your folders private on your laptop will make it less appealing for a hacker to try and gain access to your documents. In a hot spot you don't know who is working around you or who might be attempting to access your laptop.
How to make folders private in WinXP
Password Protect Your Files
Another step to securing your data and making your work a less desirable target is to password protect specific files. There are a variety of software programs available which can provide you with password protection and the added peace of mind that it will bring. Remember to password protect any important files before using a hot spot.
1. Make sure you're connected to a legitimate access point! This first step is probably the least obvious, but one of the most important. Rogue access points in public areas have been springing up that have the same SSID as what you'd expect (such as "Wayport" or "tmobile"), but really connect directly to hijackers' databases to collect the passwords and usernames you use to sign in. Even worse, they can collect credit card data from people who sign up for new accounts.
So don't connect in places where there is no sign for a legitimate provider, and check the list of available SSIDs to make sure you are connected to the right one. Don't set your wireless card to connect automatically to any available network. Turn off the ad-hoc mode (which lets other clients connect directly to you!). And turn off your Wi-Fi card entirely as soon as you are done.
2. Encrypt sensitive data. As you beam s from your laptop to the wireless access point and back, or as you enter your username and password to check your bank account balances someone nearby can be intercepting those packets of data as they fly by. Much of the information -- even information that you might think should be encrypted -- is sent in clear text. That means that the person intercepting those packets may be able to read your s or learn your passwords.
Allume Stuffit Deluxe
While data sent to and from secure Web sites (those starting with is generally protected, you can also use encryption in other contexts. If you are sending a sensitive file via , for example, encrypt it first with a password. Most file compression programs, such as Allume's StuffIt Deluxe, offer encryption, and there are numerous freeware and shareware encryption programs as well.
3. Use a Virtual Private Network. One of the best ways to protect your data when using a public wireless network or hotspot is to use a virtual private network (VPN), such as JiWire SpotLock. A VPN establishes a private network across the public network by creating a tunnel between the two endpoints so that nobody in between can intercept the data. Many companies allow remote users to connect to corporate networks as long as they use VPN. This keeps the users' communications just as secure as if they were sitting at a desk in the building.
If you don't have a corporate VPN, you can be secure at any hotspot using JiWire SpotLock. SpotLock's IPSec VPN is supported by almost all wireless routers, both public and private, and SpotLock also includes full Wi-Fi connection management.
Top 10 Security Tips for Public Hotspots
Make sure you're connected to a legitimate access point.
Encrypt files before transferring or ing them.
Use a virtual private network (VPN).
Use a personal firewall.
Use anti-virus software.
Update your operating system regularly.
Be aware of people around you.
Use Web-based that employs secure http (https).
Turn off file sharing.
Password-protect your computer and important files.
4. Use a personal firewall. When you connect to a public wireless network you are joining a local network with other unknown computers. Having these computers on the same IP subnet makes them more dangerous than machines elsewhere on the Internet. Machines in your network and subnet range are able to more easily capture traffic between your computer and the wireless access point or attempt to connect with your computer and access your files and folders.
To protect your computer you should run a personal firewall program. There are many excellent choices. Some, such as Zone Labs ZoneAlarm, Kerio's Personal Firewall, and the built-in Windows XP Firewall are available for free for home or personal use. You should not install them on your corporate laptop, however, without purchasing the proper licensing or consulting your IT manager. Security software vendors such as Symantec and McAfee also make commercial personal firewall products.
A personal firewall will help you restrict the traffic allowed in and out of your computer. This protects you not only from attacks that originate outside of your network, but also those from other computers on the same network. Personal firewall software generally monitors both incoming and outgoing traffic, as well as applications trying to interact with other system processes or with the operating system. Should your computer somehow become compromised with a Trojan horse or backdoor program, a personal firewall application should flag the unusual communication attempts and alert you. Make sure you take the time to familiarize yourself with the product you choose and configure it properly to get the maximum protection without getting in the way of legitimate traffic and applications.
5. Use anti-virus software. When you are on your home network or even on your company network you can operate with a fair assurance that the other machines on the network with you are at least as protected as yours is against viruses and other malicious code. When you connect to a public network you have no such assurance. Suddenly it is more important than ever to have antivirus software installed.
Of course, antivirus software is only as good as its last update. If you updated your antivirus software a month ago there are probably at least 10 and maybe 50 or more new viruses, worms and other malware that you aren't protected against. Make a special effort to go to the vendor's Web site and download the latest update any time you hear about a new high-risk or fast-spreading threat, and take advantage of the auto-update features now found in most such programs.
6. Keep your OS and apps up to date. It seems that almost every week there's a new "security patch" for various parts of the Windows operating system or Office programs. And it's not just Microsoft. Apple has its own fair share of security updates, as do most utility and business software vendors. Most of the malicious viruses and worms that have plagued users recently spread through , so be especially cautious about opening attachments.
Windows users should enable Automatic Updates or visit the Windows Update site to scan your system and identify patches you may be missing. Mac OS users should enable the automatic Software Update feature in System Preferences; and Linux/UNIX users can visit sites such as Bugtraq or subscribe to receive bulletins and alerts from the Department of Homeland Security's US-CERT.
7. Be aware of people around you. When you're at an ATM, you make sure noone can see you type your PIN. Be just as careful about typing in your name and password at a Starbucks. You pay big bucks for your T-Mobile access!
8. Use Web-based when you're connecting at a public hotspot, instead of Outlook, Eudora, or Apple Mail. Most ISPs these days let you send and receive via a Web interface as well as downloading it into your program. These Web sites generally use secure sockets layer (SSL) or other security protocols, which protect your data while it's being transmitted.
9. Make sure file sharing is off! On home networks, file sharing is frequently used to copy files back and forth between computers. On a public network, this is the last thing you want to have on, for obvious reasons. If necessary, put a sticky note on the edge of your computer screen reminding you to turn it off before you close your laptop. Just don't write your passwords on the same sticky note...
10. Use passwords for personal data. Our final tip: use strong passwords for sensitive files and folders, as well as for access to your computer as a whole. This is especially important for mobile warriors whose laptops are attractive theft targets. Consider keeping your most important data on an encrypted USB keychain storage device, so even if you lose your portable, you won't lose your presentation or

17. Common Laptop Issues
Most laptop users leave wireless “on” all the time
Peer attack may be possible
Firewall might block
Access to shared folders or administrative share “C$”
\\Name or IP address\c$
Set WiFi client to “infrastructure”

19. Secure Your Laptop
Turn your firewall on: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Advanced Tab > Windows Firewall Settings > Select “On” > OK
BETTER YET use Another Firewall (i.e. Kerio, Jetico, or Zone Alarm)
Turn ad-hoc mode off: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Wireless Networks Tab > Select Network > Properties > Uncheck “This is a computer-to-computer (ad-hoc) network” > OK
Disable file sharing: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Uncheck “File and Printer Sharing” > OK
Change Administrator password : Click Start > Control Panel > User Accounts. Ensure the Guest account is disabled. Click your Administrator User Account, and reset the password

20. Infrastructure Networks Only
To allow only connections to approved access points:
In Control Panel, double-click Network Connections.
In the Network Connections window, right-click Wireless Network Connection, and then click Properties.
In the Wireless Network Connection Properties dialog box, on the Wireless Networks tab, make sure that the Use Windows to configure my wireless network settings check box is selected.
Under Preferred networks, make sure that the name of the network that you want to connect to is highlighted, and then click Advanced.
In the Advanced dialog box, click Access point (infrastructure) network only, and then click Close. Click OK.

21. VPN Solutions Paid VPN Solutions
AnchorFree's Hotspot Shield, a new free software download. Install it on a Windows 2000 or XP system
Paid VPN Solutions
WiTopia's personalVPN,
HotspotVPN (SSL)
JiWire's SpotLock (IPSec) software.
All charge for the VPN connections they provide, and require installation of a utility on the computer.
WiTopia and HotspotVPN support the Mac OS; HotspotVPN also handles Palm and Pocket PC handhelds. SpotLock's utility (Windows 2000 and XP only) doubles as a Windows WLAN connection manager and incorporates the JiWire hotspot directory.  

22. Security Tips for Public Hotspots
Use a personal firewall
Use anti-virus software (update daily or hourly)
Update your operating system and other applications (i.e. office. adobe reader) regularly.
Turn off file sharing.
Use Web-based that employs secure http (https) (beware of some SSL issues though)
Use a virtual private network (VPN).
Password-protect your computer and important files (make sure your administrator account has a good long password).
Encrypt files before transferring or ing them.
Make sure you're connected to a legitimate access point.
Be aware of people around you.
Properly log out of web sites by clicking log out instead of just closing your browser, or typing in a new Internet address
If you are using a browser, verify that it is using SSL to validate the T-Mobile HotSpot network via server-side authentication
Ensure that any website to which you are transmitting sensitive personal or financial information uses SSL technology. To confirm that a website is using SSL:
Look for the " in the URL address
Look for a closed padlock (or key) icon in the bottom right-hand corner of your Internet browser as indicators you are accessing a secure site
Do not ignore security warnings from the browser
Inspect the Web site address in your browser's URL field to ensure you are communicating with the correct, secure Web site
Use VPNs and personal firewalls
Use anti-virus software and keep the software updated
Be aware that others may be able to look "over your shoulder" to see your login, credit card, or other personal information while using the service. The use of a privacy screen on your computer screen may help prevent others from seeing what is on your computer.
Properly log out of web sites by clicking log out instead of just closing your browser, or typing in a new Internet address
Avoid using web-based or instant messaging that uses clear (unencrypted) text to send information you deem confidential
Remove or disable your wireless card if you are working offline on your computer and you are not planning to connect to the HotSpot service

23. TIPS for WIFI at Work
TO keep a work WIFI system so it does not drop users as they move around all vendors have some common suggestions.
Name all your AP's with the same name so if the single gets blocked by an individual standing in front of the AP or in front of another users laptop and they then get a stronger single from another work AP they do not have to re authenticate to the work wireless network.
Make sure all your AP's are on the same subnet if your are doing AD authentication. 
Make sure the network is the only one listed on the preferred networks under the wireless tab of the "wireless network connection properties" on the network card adapter settings in control panel.

24. TIPS for WIFI at Work (cont.)
Also on the wireless tab of the "wireless network connection properties“, click on the advanced tab and:
Make sure it is set on the (Networks to Access) section to only access the Access Point also called (infrastructure) networks only
Then make sure the Automatically connect to non-preferred networks is unchecked
These steps will greatly help you only once these steps are done, and if you still have issues then turning off Windows Zero Config for WIFI might help
Use 802.1x or (better) i in offices that need secure wireless.