echo: osdebate
to: Dave Ings
from: Mike N.
date: 2005-01-23 13:03:22
subject: Re: `Evil twin` could pose Wi-Fi threat

From: Mike N. 

On Sun, 23 Jan 2005 11:46:48 -0500, "Dave Ings" wrote:

>If I'm connecting to my own household access point, it's a shared key
>mutually authenticated secure connection and (in theory) essentially
>impossible to hack into. (I don't run my access point in the out of the box
>unsecured mode.)

   You are essentially safe if you are using 802.11g.  I think they can
eventually break into 802.11a/b if they are determined.   There are so many
open networks that most people won't bother unless they are targeting
something big like a bank, etc.

>If it's a public access point, I connect (sans any passwords) and then
>establish a secure VPN connection back to the office and run a firewall on
>my laptop to ensure other public access point users can't see me.

   This is also safe because while the evil twin can point your VPN
connection attempt elsewhere, the connect cannot succeed and they cannot
get your VPN credentials.

>So this really sounds like a trap for the unsuspecting, average consumer.

   Most people would fall for this one.  To protect yourself before logging
into your bank account from a public VPN, you need to

   1.) Verify the secure connection, the padlock and even the certificate
       credentials.
   2.) Be aware of the customary bank URLs when logging in.  The bad guys
       could set up something like
          https://www.banckofamerica.com
       and send your browser there when you type https://www.bankofamerica.com

  This is not so different from logging into your bank account from any
location, because as Rich is fond of saying, a corrupt employee at one of
the ISPs can freely manipulate your connection.  The only difference with
the wireless 'evil twin' is that they can target a busy location and get a
variety of unsuspecting, average customers.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
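
An added example, not part of the original message: a Python sketch of point 2 above (knowing the customary bank URL), which compares a URL's hostname with a constructed allowlist and flags near-miss spellings such as the banckofamerica.com example. `KNOWN_HOSTS`, `classify_url` and the distance threshold are assumptions made for illustration; certificate verification (point 1) is left to the TLS client.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the hostnames the user customarily logs in to.
KNOWN_HOSTS = {"www.bankofamerica.com"}


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url, known_hosts=KNOWN_HOSTS, max_distance=2):
    """Return (verdict, matched_host) for a URL the browser was sent to.

    verdict is one of:
      "insecure"  - not https, so there is no certificate to check at all
      "known"     - hostname is exactly one of the customary hosts
      "lookalike" - hostname is within max_distance edits of a known host
      "unknown"   - anything else
    """
    parts = urlsplit(url)
    # .hostname is lower-cased and excludes any userinfo ("user@") and port,
    # so "https://www.bankofamerica.com@other.example/" yields other.example.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return ("insecure", None)
    if host in known_hosts:
        return ("known", host)
    for known in sorted(known_hosts):
        if edit_distance(host, known) <= max_distance:
            return ("lookalike", known)
    return ("unknown", None)


if __name__ == "__main__":
    for u in ("https://www.bankofamerica.com/login",
              "https://www.banckofamerica.com",
              "http://www.bankofamerica.com",
              "https://www.bankofamerica.com@other.example/"):
        print(u, "->", classify_url(u))
```

A "known" verdict only says the name is spelled as expected; the certificate presented for that name still has to validate.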
