Author: Jeffrey M. Jones, CISSP, CISA
Even if you don’t work in information technology or information security, it’s important to understand the risks posed by how and where you access the Internet. From hospitals to airports to department stores to fast food restaurants, Wi-Fi access is available for free just about everywhere. But make no mistake, these “free” services almost always come at some cost, and the risks are plenty. Here are a few of the problems and risks, and what you can do to protect yourself.
Problem 1: FWAP. No, that acronym is not the name of an obscure hip-hop artist; it stands for “Faux Wireless Access Point” (the trade also calls it an “evil twin”). The SSID (Service Set Identifier) is the Wi-Fi network name you pick when you connect at home or, via a hot spot, on the go. To be clear, there’s nothing sacred about SSIDs: a network name is just a string the access point broadcasts, so anyone can walk into an airport and stand up an access point called “Free Wi-Fi.” There are even step-by-step instructions on the Internet for setting up a FWAP.
The Risk: The probability that you have connected to such an access point unknowingly is moderate to high, and so is the impact. It is a variation on the man-in-the-middle (MITM) scenario: the attacker secretly relays and/or records the communication between two parties who think they’re communicating directly, and is equally able to alter it in transit.
What can I do about it? Start by thinking. Before connecting to the first random open SSID available, think! Look to find some publicly posted information that:
- Substantiates the offering of the service,
- Identifies what the legitimate SSID is, and
- Clarifies whether the service is free (yes, there are still tightwads that charge for wireless service, mostly in the hotel industry)
Additionally, pay attention to the spelling of SSIDs. The digit zero (0) can look a lot like the capital letter “O” when displayed in proportional fonts; thus, while McDONALDS and McD0NALDS may look similar, they are not the same. The same goes for the digit one, lowercase “l,” and capital “I,” and for a trailing space that a phone’s Wi-Fi picker will not show. Bear in mind, too, that an attacker can broadcast exactly the same SSID as the legitimate network; checking the spelling catches only the lazy ones, so it is a first filter, not a guarantee.
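The spelling check above can be automated. The script below is an added example, not code from the article: it collapses each network name to a look-alike-insensitive “skeleton” (0/O, 1/l/I, trailing or zero-width spaces, a few Cyrillic letters that mimic Latin ones) and compares a scan against the SSIDs you trust. The confusable tables and the scan results are constructed assumptions, not a complete list; extend them for the fonts and alphabets you care about. It goes beyond the article’s one 0/O case to the general homoglyph problem.

```python
import unicodedata

# Added example (not the article's code). Collapse SSIDs to a look-alike-insensitive
# form and flag scan results that imitate a trusted network. The character tables
# below are a constructed, non-exhaustive assumption.

# Applied BEFORE case folding: capital "I" looks like lower-case "l"; folding would
# turn it into a dotted "i", which looks different.
PRE_FOLD = str.maketrans({"I": "l", "|": "l"})

# Applied AFTER case folding: digits/symbols and Cyrillic letters that mimic Latin ones.
POST_FOLD = str.maketrans({
    "0": "o", "1": "l", "5": "s", "$": "s", "8": "b", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                   # Cyrillic с х у
})

# Things a Wi-Fi picker renders invisibly, or that attackers pad a name with.
IGNORED_CATEGORIES = {"Cf", "Zs", "Cc"}   # zero-width/format chars, spaces, controls
IGNORED_PUNCT = set("-_.")


def skeleton(ssid: str) -> str:
    """Reduce an SSID to a form in which look-alike spellings compare equal."""
    s = unicodedata.normalize("NFKC", ssid)          # fullwidth/compatibility forms -> ASCII
    s = "".join(ch for ch in s
                if unicodedata.category(ch) not in IGNORED_CATEGORIES
                and ch not in IGNORED_PUNCT)
    s = s.translate(PRE_FOLD).casefold().translate(POST_FOLD)
    return s.replace("rn", "m").replace("vv", "w")    # two glyphs that read as one


def audit_scan(seen, trusted):
    """Return (seen_ssid, matched_trusted_ssid_or_None, verdict) for each scanned SSID."""
    by_skeleton = {skeleton(t): t for t in trusted}
    report = []
    for s in seen:
        t = by_skeleton.get(skeleton(s))
        if t is None:
            verdict = "unknown"
        elif s == t:
            verdict = "exact"
        else:
            verdict = "LOOKALIKE"   # same to the eye, different bytes: treat as hostile
        report.append((s, t, verdict))
    return report


# Constructed scan, as a phone might list it in an airport (assumption, not a real scan).
TRUSTED = ["McDONALDS", "Starbucks WiFi"]
SEEN = ["McDONALDS", "McD0NALDS", "Starbucks WiFi ", "St\u0430rbucks WiFi", "Free Wi-Fi"]

if __name__ == "__main__":
    for ssid, match, verdict in audit_scan(SEEN, TRUSTED):
        print(f"{verdict:9s} {ssid!r:24s} -> {match!r}")
```

Note what this cannot do: an attacker who broadcasts the byte-for-byte identical SSID is reported as “exact,” because nothing in the name distinguishes the two radios.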
Problem 2: Unencrypted public access point. These are the legitimate access points you’re likely familiar with at coffee shops, airports, etc. While convenient, you should be aware that ANY data you transmit over an open (unencrypted) network is visible to anyone in range who chooses to listen. Let me repeat: your data is visible to anyone who chooses to listen. Traffic to sites that use HTTPS is protected by TLS even on an open network, but which sites you visit (your DNS lookups and the server name in the TLS handshake) and anything sent over plain HTTP are still in the clear. By contrast, most informed users are well aware that at home their WAPs should use strong encryption (WPA2 at a minimum, WPA3 where supported) and a long, well-constructed access key to shield their data from prying eyes. On the go, however, people expect and relish the fact that wireless access is free, and think nothing of the fact that the service typically has no encryption at all.
For instance, if you use one of Starbucks’ free AT&T-provided Wi-Fi networks at one of their coffee shops, you must agree to their Terms and Conditions. Like most of us, you probably didn’t read them. But if you did, buried in these Terms and Conditions is the following sentence: “If you have a VPN, AT&T recommends that you connect through it for optimum security.”
The Risk: The probability and impact are both moderate, depending on where you are. Companies use Terms and Conditions to disclaim liability, and whether you know it or not, you explicitly “accept” them by clicking a button to connect.
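Whether an access point is open or encrypted is not a matter of trust: the access point announces it in every beacon frame it broadcasts, and that is what your phone reads to show (or not show) a padlock. The script below is an added example, not code from the article or from any vendor: it parses the body of an 802.11 beacon (capability bits plus the SSID, RSN and legacy WPA information elements) and reports open / WEP / WPA / WPA2 / WPA3 along with the cipher and key-management suites. The three beacons are constructed inline so it runs offline; a capture from a monitor-mode interface would supply the same bytes.

```python
import struct

# Added example (not the article's code): classify a Wi-Fi network from its beacon.
# Beacon frame body layout (after the 24-byte MAC header):
#   timestamp(8) | beacon interval(2) | capability info(2) | information elements...
CAP_PRIVACY = 0x0010                      # capability bit 4: data confidentiality required
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
RSN_OUI = bytes.fromhex("000fac")         # IEEE 802.11 cipher/AKM suite selector OUI
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # Microsoft OUI, type 1: legacy WPA (pre-RSN) IE
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104", 8: "GCMP-128"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}


def ie(eid, data):
    """Build one information element: id(1) length(1) payload."""
    return bytes([eid, len(data)]) + data


def parse_ies(blob):
    """Walk the tagged parameters; stop at the first truncated element."""
    out, i = [], 0
    while i + 2 <= len(blob):
        eid, ln = blob[i], blob[i + 1]
        data = blob[i + 2:i + 2 + ln]
        if len(data) < ln:
            break
        out.append((eid, data))
        i += 2 + ln
    return out


def suite_name(suite, table):
    if len(suite) < 4:
        return "truncated"
    if suite[:3] != RSN_OUI:
        return "vendor"
    return table.get(suite[3], f"unknown({suite[3]})")


def parse_rsn(data):
    """RSN IE: version(2) group(4) n(2) pairwise(4n) m(2) akm(4m) [capabilities...]."""
    if len(data) < 8:
        return None
    pcount = struct.unpack_from("<H", data, 6)[0]
    off = 8
    pairwise = [data[off + 4 * k:off + 4 * k + 4] for k in range(pcount)]
    off += 4 * pcount
    if off + 2 > len(data):
        return None
    acount = struct.unpack_from("<H", data, off)[0]
    off += 2
    akms = [data[off + 4 * k:off + 4 * k + 4] for k in range(acount)]
    return {"group": suite_name(data[2:6], CIPHERS),
            "pairwise": [suite_name(s, CIPHERS) for s in pairwise],
            "akm": [suite_name(a, AKMS) for a in akms]}


def classify_beacon(body):
    """Return ssid, security class, suites and warnings for one beacon frame body."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    cap = struct.unpack_from("<H", body, 10)[0]
    ssid, rsn, wpa = b"", None, False
    for eid, data in parse_ies(body[12:]):
        if eid == IE_SSID:
            ssid = data
        elif eid == IE_RSN:
            rsn = parse_rsn(data)
        elif eid == IE_VENDOR and data[:4] == WPA_OUI_TYPE:
            wpa = True
    warnings = []
    if not cap & CAP_PRIVACY:
        security = "OPEN"
        warnings.append("no link-layer encryption: anything not inside TLS or a VPN is readable in range")
    elif rsn:
        security = "WPA3" if any(a.endswith("SAE") for a in rsn["akm"]) else "WPA2"
        if "TKIP" in rsn["pairwise"]:
            warnings.append("TKIP pairwise cipher is deprecated")
    elif wpa:
        security = "WPA"
        warnings.append("WPA(1)/TKIP is deprecated")
    else:
        security = "WEP"                  # privacy bit set but no RSN/WPA element
        warnings.append("WEP is broken; treat as open")
    return {"ssid": ssid.decode("utf-8", "replace"), "security": security,
            "pairwise": rsn["pairwise"] if rsn else [],
            "akm": rsn["akm"] if rsn else [], "warnings": warnings}


def beacon_body(cap, ies):
    return b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", cap) + b"".join(ies)


# Constructed beacons (assumption: not real captures). 0x0401 = ESS + short slot time.
RATES = ie(1, bytes.fromhex("82848b960c121824"))
OPEN_BEACON = beacon_body(0x0401, [ie(IE_SSID, b"Free Wi-Fi"), RATES, ie(3, b"\x06")])
WEP_BEACON = beacon_body(0x0401 | CAP_PRIVACY, [ie(IE_SSID, b"OldPrinter"), RATES])
RSN_PSK = (b"\x01\x00" + RSN_OUI + b"\x04"            # version 1, group CCMP
           + b"\x01\x00" + RSN_OUI + b"\x04"          # one pairwise suite: CCMP
           + b"\x01\x00" + RSN_OUI + b"\x02"          # one AKM: PSK (WPA2-Personal)
           + b"\x0c\x00")                             # RSN capabilities
HOME_BEACON = beacon_body(0x0411, [ie(IE_SSID, b"JonesHome"), RATES, ie(IE_RSN, RSN_PSK)])

if __name__ == "__main__":
    for b in (OPEN_BEACON, WEP_BEACON, HOME_BEACON):
        print(classify_beacon(b))
```

The classification mirrors what a client does before it associates: no Privacy bit means open, an RSN element means WPA2 (or WPA3 when the key-management suite is SAE), a Microsoft vendor element means legacy WPA, and a Privacy bit with neither means WEP, which is no better than open.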
What can I do about it? If you have the privilege of occasionally working from home, you’re likely familiar with Virtual Private Networks (VPNs). A VPN builds an encrypted tunnel between your device and a VPN server, so everything you send across the public network, the open Wi-Fi included, is unreadable to anyone listening on it. Connecting to work is one thing; connecting for general surfing while protecting your own privacy is another. There is a plethora of VPN services to choose from, some of which are free.
Just keep in mind: you get what you pay for! A VPN does not remove the eavesdropper, it relocates the job: the VPN provider can now see everything the coffee shop’s access point otherwise would, so choose one you have reason to trust.
Problem 3: Poor Authentication. Administrators everywhere just let out a collective sigh, because even with enforcement policies in place, people manage to select passwords that are not sufficiently complex. In fact, every year organizations publish lists of the worst of the worst passwords, and inevitably the same passwords float to the top. Whether you’re using Wi-Fi or a wired connection, poor authentication, characterized by short, easily guessed passwords, is a substantial risk.
The Risk: By definition, simple passwords are easy to compromise. The impact is high to very high depending upon the nature of sensitive data you’ve “secured” via simple authentication methods. Don’t make it easy on those who might be looking to do your reputation, finances, or personal data harm. Fortunately, there are some things you can do to protect your data better.
What can I do about it?
- Manage your passwords better! Here’s how…
- Make your everyday passwords more complex. Passwords should be at least 8 characters long (longer is better; length does more for you than any single special character), mix upper- and lower-case letters, and include numbers and special characters to the extent the system supports them.
- Never, ever, ever write your passwords down where others can find them, or share them with anyone. Not with family, friends, or the help-desk admin at your job. No one. No password is secret if it is stored where bad actors can easily get at it.
- Don’t use the password-saving functions in popular browsers. Sure, most use some form of encryption, but anyone who can sit down at your unlocked machine will also have access to your credentials!
- Don’t overlap your work passwords with those you use for personal and home devices. If your credentials are compromised in one area, you don’t want to put the other area at risk for the sake of convenience.
- Don’t use the same password for multiple sites. It’s like having the same key for every door, car, suitcase, and storage unit you have access to. A better way is to use a password vault (password manager) that is well reviewed by a reputable source such as CNET or PC Magazine. A good password vault also has a utility for generating distinct, complex passwords for the sites you visit. Create a complex master password, and store all other passwords in your vault.
- Change your passwords (at least) annually, and immediately if a site you use announces a breach. Password vaults are particularly handy for making this task easy.
- Create a complex password. Simple passwords, particularly those built from dictionary words, sports teams, pets’ names, etc., are easy to crack. Do yourself a favor and get in the habit of using a complex password. Here’s how…
- Start with a simple phrase you can remember easily: “The Dodge Challenger and Jeep Wrangler are my two favorite cars.”
- Take the first letter of each of those words: TDCAJWAMTFC
- Mix upper and lower case: keep the initials of the capitalized words upper case and make the rest lower case: TDCaJWamtfc
- If the site or tool accepts them, add complexity by swapping in numbers and special characters (here “and” becomes “&” and “two” becomes “2,” with a “!” on the end): TDC&JWam2fc!
- You can add further complexity by padding your password with a prefix or suffix of characters. For instance, you could use your graduation year typed with the Shift key held down: on a US keyboard 1987 becomes !(*&, which would produce: TDC&JWam2fc!!(*&
- Use Multi-Factor Authentication. If a site offers multi-factor authentication (MFA), which requires a) something you know (e.g., a password, passphrase, or unlock pattern) and b) something you have (e.g., a code from a token or mobile phone) or something you are (e.g., a fingerprint), use it! Most banks, stock trading sites, e-commerce sites (e.g., eBay, Amazon), and even Facebook support MFA. And while MFA alone is not a panacea, it is still enough of a deterrent to send malicious users looking at someone else’s data instead of yours, because it is that much harder to compromise.
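The phrase-to-password steps above, written out as code so the rules are unambiguous, together with an honest estimate of how much strength the result can have. This is an added example, not code from the article. It assumes a US keyboard layout for the Shift-key trick and the word substitutions listed in the block (the article’s own example uses only “and” to “&” and “two” to “2”); the policy check at the end encodes the article’s 8-character minimum.

```python
import math
import string

# Added example (not the article's code): the mnemonic-phrase password recipe.
# Assumption: US keyboard, so holding Shift while typing 1987 yields "!(*&".
SHIFTED_DIGITS = str.maketrans("1234567890", "!@#$%^&*()")

# Words replaced by a symbol or digit instead of their initial (assumed table;
# the article's example uses "and" -> "&" and "two" -> "2").
WORD_SUBSTITUTIONS = {"and": "&", "at": "@", "to": "2", "two": "2", "too": "2",
                      "for": "4", "four": "4", "one": "1", "ate": "8"}


def phrase_to_password(phrase, year=None, terminator="!", substitutions=WORD_SUBSTITUTIONS):
    """Steps: take each word's initial keeping its own case (so capitalized words stay
    upper case), swap listed words for a symbol/digit, append a terminating symbol,
    then append the Shift-typed year as a suffix."""
    words = [w.strip(string.punctuation) for w in phrase.split()]
    core = "".join(substitutions.get(w.lower(), w[0]) for w in words if w)
    pw = core + terminator
    if year:
        pw += year.translate(SHIFTED_DIGITS)
    return pw


def charset_size(pw):
    """Size of the smallest conventional alphabet that contains every character used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)      # 32 printable ASCII symbols
    return size


def entropy_upper_bound_bits(pw):
    """Bits a password of this length and alphabet would have IF each character were
    chosen uniformly at random. Initials of an English sentence are far from random
    (common words such as "the", "and" and "a" dominate), so the real figure is well
    below this. Treat it as a ceiling, not a measurement; a vault's random generator
    reaches the ceiling, a memorable phrase does not."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def meets_policy(pw, min_len=8, classes=3):
    """The article's minimum: at least 8 characters and a mix of character classes."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    present = sum(any(t(c) for c in pw) for t in tests)
    return len(pw) >= min_len and present >= classes


if __name__ == "__main__":
    phrase = "The Dodge Challenger and Jeep Wrangler are my two favorite cars."
    pw = phrase_to_password(phrase, year="1987")
    print(pw, len(pw), f"<= {entropy_upper_bound_bits(pw):.1f} bits", meets_policy(pw))
```

Running it reproduces the article’s result, TDC&JWam2fc!!(*&, and shows why the vault’s generator is still the better tool: sixteen characters from a 94-symbol alphabet could carry about 105 bits, but a phrase you can remember uses only a small, predictable slice of that space.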
Problem 4: Questionable sites. Steer clear of them. Sounds obvious, I know; but even the most trustworthy of sites can steer you to obscure places via links and ads.
The Risks: Too many to list. Here are just a few:
- Malware – Malware (malicious software) is software developed to compromise data, bypass access controls, or harm the host computer. It is a broad term covering several categories of malicious programs.
- Viruses – A form of malware capable of copying itself and spreading to other computers. Viruses often spread by attaching themselves to an executable file, but can also spread through documents (macros), script files, and cross-site scripting (XSS) vulnerabilities in web applications.
- Adware – Adware (advertisement-supported software) is a type of malware that automatically delivers advertisements. Common examples include pop-up ads on websites and advertisements displayed by software. Many programs and apps offer “free” versions that come bundled with adware.
- Bot – Bots (or ’bots), as you may have guessed, is a play on the word “robot.” Bots are used for harmless tasks in gaming and on Internet auction sites; however, they can also be used for malicious purposes, e.g., Distributed Denial of Service (DDoS) attacks and sending spam email (spambots).
- Rootkit – Rootkits are designed to hide the presence of malware, and of the attacker’s access, from the user and from security tools, typically by tampering with the operating system itself. Once a rootkit is installed, the malicious user can remotely execute files, modify system configurations, and access information without being noticed.
- Worm – A worm is self-contained malware that spreads on its own across a network, without attaching itself to a host file or waiting for a user to run it. Some worms spread as mass emails with infected attachments; others spread by exploiting vulnerable network services directly, with no user involvement at all.
- Ransomware – A form of malware that locks you out of your system or encrypts your files and holds your data hostage until you pay, with no guarantee that paying gets it back. Offline backups are the practical defense.
What can I do about it?
- Anti-Virus (AV) Software – There is plenty of coverage comparing anti-virus packages, commercial and free. If you don’t already have an AV package installed, pick one, get it installed, and set it to update its signatures daily. Pronto!
- Patch Management – Windows and Mac OS users alike are familiar with operating system patches that download and (sometimes) self-install if you permit. What about all of that other software you have? Some packages update only when you run them. Others do so in the background, and eat precious resources in the process. How can you be sure you’re current? Secunia (now Flexera Software) used to offer a free Personal Software Inspector (PSI) that inventoried the applications on your system and monitored the patch status of every title installed, prompting you when an update was available (or when the software reached its sunset date). Flexera retired PSI in 2018, so today the practical equivalents are the update mechanisms built into the operating system and its app store (Windows Update and winget on Windows, the App Store and Homebrew on a Mac) plus the auto-update setting inside each application. Keeping your software current has never been easier.
- Personal Firewall – A personal firewall is the virtual moat around the castle that holds your data. You typically have one in your operating system and another in your router at home. Make sure the former is enabled, and use the most stringent settings that still let you do the things you normally do: web surfing, streaming video, playing networked games, etc.
- (For Crying Out Loud,) Be Smart! You shouldn’t have to get burned to know that blue flames are hot. Similarly, questionable sites have a look and feel that is all too obvious: typos, no brick & mortar address, and no contact information are all telltale signs. It’s (sometimes) okay to look around. But don’t be like the kids in a horror movie who go inside the house after they’ve heard or seen something strange. When a site you’ve never heard of starts pressuring you to enter your credit card information, run for the hills!!!