I'm sitting at a cafe, using their public Wi-Fi. I don't go on sensitive sites; I basically go to a music site and listen to a live stream, for which there's no login. I don't check my email or visit any password-protected sites. Some rare times, I visit Stack Overflow, for which I'm automatically logged in. I'm using Windows 7 64-bit with AVG Internet Security.
Can someone hack into my computer and see/download my files?
Is there anything risky about what I'm doing?
Maybe. The question is not whether there is a possibility that someone might be able to hack into your computer; the answer to that question is always yes, it might be possible. If you are connected to a network, we can't rule out the possibility that someone might be able to attack you. Rather, the right question is, how big is the risk?
In your case, if you use good security practices, the risk is pretty modest. Good security practices are things like turning on automatic updates to keep all programs updated with the latest security patches, using anti-virus, using a firewall (should be enabled by default on Windows 7), and not visiting any site that requires a login over public Wi-Fi.
Not especially risky. It sounds like your practices are relatively safe.
The biggest risk has to do with visiting Stack Overflow: because you are using a public Wi-Fi network, and because Stack Overflow does not use SSL (HTTPS), if someone there were malicious, they could steal your Stack Overflow login credentials and take control of your Stack Overflow account. They might not be able to learn your Stack Overflow password, if you never type it into your browser while using public Wi-Fi, but they could still learn the authentication cookie that's stored in your user and that's used to log you in. At that point, once they have the authentication cookie, they have control of your Stack Overflow account.
However, this risk is relatively modest, because it's just your Stack Overflow account, and let's be honest, it's probably not the end of the world if someone steals your Stack Overflow account. The Stack Overflow folks know about this security risk, and they've been asked to adopt HTTPS to mitigate this risk, but they have declined to adopt HTTPS because they consider the risk to be of low-severity and they consider Stack Overflow accounts to be not important enough to be worth worrying about very much.
I'd argue that anytime you're in a situation where someone can inject themselves into the data stream between the user (you) and any server/service provider/content provider, you incur a higher level of risk than not.
First, let's look at the attack surface of your laptop (i'm assuming you're referring to a laptop here). Every computer can be a client or a server. In many cases, it can be both. There's increased risk when your laptop runs as some sort of server for an application because running as a server usually implies that the laptop is running a service that is accessible by someone. The risk becomes exaggerated when server software isn't properly patched or when there's a new attack vector that the vendor has not issued patches for. Do a Google search for services like BIND, Sendmail, SSHD, and you'll start to see that there are some vulnerabilities that are remotely exploitable. Fundamentally, this means that when your laptop is accessible by someone and there's a vulnerable version of some server software, then it's possible for an attacker to gain access to your computer. This access might be limited to certain parts or it could provide the attacker with admin (root) rights. It depends on the vulnerability and the service. Most OS's today usually come with some form of host-based firewall. However, some people tend to turn off firewalls. Some other people might open access to certain applications, especially if running a server service is authorized.
Second, another attack vector is network services. When someone can inject themselves into the data stream, an attacker can modify traffic in transit. Considering that most public hotspots don't implement high levels of security and wifi is provided as-is without any warranty. If you look hard enough, you may find the hotspot and trace it back to some sort of switch/router. In such instances, an attacker can easily inject themselves into the data stream and start sniffing sessions. A more advanced attacker could easily make themselves into a proxy and launch man in the middle (MITM) attacks where all sessions pass by their systems. SSL/TLS might provide data encryption, but an attacker that's injected themselves into the data stream could easily see the contents of encrypted traffic as well.
To answer your question, can someone hack into your computer and see what you've downloaded? It's certainly possible. But I'd argue that a malicious attacker will likely attempt to install some sort of malware on your system to extract more valuable data in the long term than a access list of downloaded software.
Is what you're doing risky? Yes - every action comes with risk. Any public network simplifies the launch of an attack. Consider the ease at which anyone can setup a wifi hotspot. You'll likely see wireless networks like "Free Wifi" or "Free Hotspot" in many locations. Many users are smart enough not to connect to those networks. However, what if you went to a coffee shop and saw a wifi network called "ATT" or labeled as some coffeeshop name? The same people that avoid "Free wifi" networks may choose to connect to someone that looks more official.
With that said, if you have host-based firewalls enabled, consistently patch OS and applications (i.e. Flash, Acrobat, Office, etc), use some sort of AV (not really effective against modern malware (i.e. 0day) but still affords some level of protection), don't enable unnecessary services, and perhaps use a VPN connection, the risk of compromise will be lower overall. At the same time, attackers are becoming more organized and are after money. So if you don't access banking sites, access or store data that is sensitive, or otherwise use the laptop in such a way to not access sensitive data, then you'll be at lower risk of losing important data (i.e. identity stolen, loss of corporate data, etc).
I don't go on sensitive sites
You don't, but the software you are using might go to the most security sensitive servers: the repositories were they automatically download software updates.
Theses repositories are the most possibly security sensitive "sites" for you because if they were hacked (modified) or if some impostor were able to impersonate these servers, you would get, and possiby install, modified software. This corrupt software might then steal your passwords, copy your files, etc.
So the answer is:
Is the automatic update protocol secure? (for every program I use)
(The answer is a question, and I don't know its answer.)
I don't go on sensitive sites
You can't know where you are going to "go" when using a Web browser.
You might browse only nicekittenphotos.com, but this site might include resources from other domains (and you can't know that before going to nicekittenphotos.com - even if you have checked before, the site might have changed).
For example, many sites include scripts from google-analytics.com (http://www.google-analytics.com/ga.js). This implies that your www.google-analytics.com cookies are sent.
This works for any website were you have cookies. A rogue Internet gateway could collect your non-secure cookies on any website.
If you are logged in Google, your logins appears in some HTTP pages returned by Google and YouTube, so it would possible to learn your Google account name.
If these HTTP resources were modified by a rogue gateway, this could impact other more important web sites. If these HTTP resources are stored in the disk cache, this could impact other web sites for a long time.
You can mitigate this threat by emptying your browser cache after you disconnect from public Wifi.
I suggest that you use private browsing mode.
You could also use Tor, to trade the risk of a rogue Wifi AP to the risk of a rogue Tor exit node.
In addition to all of these great suggestions I would like to add if you are running Windows 7, then it would be a great idea to choose the public network profile in the Windows firewall, this will help a little bit more as it closes off certain ports from access on your machine. File and print sharing for example, gets blocked on the public profile, so when you join the network and Windows asks what type of network you are joining, choose the public option when you are on a public wi-fi network.
This should help a little bit more and definitely understand that whatever sites you are visiting if they require a password, even if you are not entering it in, and it has been saved on your machine. The information is being sent through the air and can be captured if the other person has the right tools. So basically if you are really concerned about that type of risk, don't go to sites that require a password, that should help minimize the risk.
One more scenario just for the sake of completeness and being paranoic:
1.Can someone hack into my computer and see/download my files?
2.Is there anything risky about what I'm doing?
Yes and Yes
For 1. When you connect on a public wifi dont have any idea where you connect your computer either. An attacker could be imitating the AP and force you to connect to his computer instead of the original access point.
2. Many browsers or plugins connect automatically to popular services (so if for example you have a plugin that downloads your twitter feed its as if you are connected to twitter)
You dont actually know which site you visit.
Solutions
1.For the transport layer (are my data safe when they are transported?):
2.When you give your password visit only https sites through a trusted ssh tunel or tor and make sure you cant be redirected to another domain
3.For the attacks on your computer layer: make sure that you dont have any daemons listening to any ports so that an attacker cant communicate with your computer and that you dont have any malware ofc
4.Be sure that the access point is what it advertizes itself to be (I dont know how this can be done)
To be realistic As far as your average starbucks goes unless you carry something importand enough in your laptop or you have something to loose (a hacked facebook account usually is not something disastrous) visiting only https sites and refraining from messing with online money on public wifi should be acceptably enough and the ssh tunel method should be almost perfect.
Here is the real deal. Explained by SWIM
If your wifi device is active and you are around random people, you are susceptible to penetration and intrusion. If you are on any connection that connects to the internet, or connected to a local private network that is connected to a server that is connected to the internet, you are susceptible.
Assume you are never completely safe. Like another said, what you should be evaluating is the risk. First of all, what are you concerned about someone having access to? Can you store that somewhere else rather than your laptop? If not, you can encrypt those files when they are not in use so anyone who did access them couldn't use them.
For simplicity sake, if you remotely concerned, download and install "Comodo Firewall". It won't make you invincible, but it will inform you anytime any action is going across your network, and will thwart 99% of wifi hackers. The last percent are unfortunately very difficult to stop, however, they are far less concerned with hacking your laptop. They are far more interested in high-value assets.
BUT
To be really honest, you are doing what you need to to stop those that are sniffing around you for something tasty. And the likelyhood of someone hacking you if incredibly slim, aswell, they are likely not interested in anything malicious. Most of your run of the mill hackers are doing it to see what they can do and how to do it. They may look at your data or even in rare cases "mess with you", but most are not interested in anything malicious.
Also be aware of where you are connecting to wifi. If it's a coffee shop and you see 1 other person on their laptop, it's probably a very safe place to use the wifi. If you go to a mall that has wifi and the foodcourt is loaded with people on laptops, that is a MUCH more dangerous place. I'd say it's likely there is someone interested in hacking at the same time that you are if you go there often.
So, overall TL;DR
If you are concerned, get Comodo Firewall software for your computer -it doesn't make you immune but it will make you aware and stop the average hacker
Pay attention to your surroundings when you are using wifi, if you have sensitive data, you are not safe
If you just use your computer for average things, and you are an average joe, and don't treat computer nerds bad, then you are VERY LIKELY, VERY SAFE.
And no, hackers will not hack you to steal your last few hundred dollars. WAY too much risk for WAY too little return, atleast here in America. Overseas hackers are a whole different ballgame. But you won't see them in your local coffee shop on their wifi. But they can get you at home or at the coffee shop.
