Question: Can a stranger connected to that same WiFi network download the files from you computer? Can the stranger look at your files?
Yes, but it requires significant carelessness on the victim's part.
On Windows, for starters, you'd need to tell the system that the network you're connected is either Home or Work, not "Public". Since you should know you're in an airport, this is unlikely.
Then you should allow guest login (by default it isn't).
Alternatively, you must access some external unencrypted system supporting Windows authentication. The service should be outside the airport and allow logins from the Internet, and very few would allow it to run unencrypted.
Finally, that system and your own box must use the same user and password. This way, the password captured in the previous stage will also allow external logins on your system. OR you must have an easily guessable username, and the same password of some cleartext service you accessed.
Otherwise, the attacker might poison your DNS cache and "convince" your system that the Facebook server or the GMail server or what-have-you is actually inside his suitcase. Then he would either force a HTTPS connection (e.g. via a MitM attack, which you must ignore) or fake it in the clear (and you must not notice the fact that you're running in plain HTTP). This way, again, the attacker can get one of your passwords. If it is good for your system, or allows a password-retrieval attack on some other system, you (and/or your online banking account) are about to be pwn3d.
This is not the WiFi you were looking for
Actually the attacker needn't do much to gather access to your transmissions. He might have been the owner of the WiFi network all along, who just set up a rogue AP declaring itself to be "Airport Free WiFi". The fact that the AP name seems legitimate means nothing: there are systems already designed for this - buy one, charge it overnight, go to the airport and start trolling for fish. The system will optionally "massage" the data flowing through to ensure the maximum exploitability of passwords and credentials.
Once you are connected to a site you trust (or so you believe), you can be tricked into downloading and executing something that will give the attacker complete control, either directly (e.g. in Windows through WSH) or through some exploit.
On Linux the only relevant difference is that you should either share your disk or have remote administration port 22 (SSH) open. Both conditions are usually false in any sane distribution I know of.
But it's not just your files...
Having your disk safe is no guarantee for your online banking account, Dropbox, email etc. - the problem lies in credential thefts and/or impersonation; what is actually done with that comes after.
Which is why:
- You should avoid using unknown networks,
- If you do, use them through an encrypting VPN,
- Always keep system security high (only declare "Home network" your network in your home)
- Keep the system updated, with a suitable antivirus
- Never reuse important passwords for different sites
- Maintain situational awareness - notice things such as the "green lock" on HTTPS sites, small glitches in login screens that don't feel "right", and weirdnesses in URLs (e.g. "myonlinebank" becoming "myonIinebank")
Eternal vigilance is the price of liberty.
5
yes. I once accidentally entered the wrong computer when trying to copy a file from my friend's laptop while we're connecting to the same public wifi at a cafe. Guess what? The owner put their adult videos in the public documents folder. Of course it's due to the carelessness as mentioned below. You can find more information in https://security.stackexchange.com/q/36263/89181 https://security.stackexchange.com/q/14927/89181
– phuclv – 2018-03-26T09:57:53.3672@LưuVĩnhPhúc: You mean "their" as in they'd filmed them?! – Lightness Races with Monica – 2018-03-26T17:01:57.780
The answer depends on the operating system and what all services and daemons are being run. – can-ned_food – 2018-03-26T20:16:02.467
@LightnessRacesinOrbit I mean "their" as their possessed file, not the recorded movie of their own (because even I don't know whose laptop is that) – phuclv – 2018-03-27T03:19:21.007
@LưuVĩnhPhúc: Jokes – Lightness Races with Monica – 2018-03-27T12:07:07.610