Ignorance of the lack of security at public hot-spots continues to be bliss.
Standing in line at the local coffee shop, mulling over a variety of caffeinated goodness, and selecting from the available Wi-Fi networks to connect to. But today something is different: the network name (SSID) appears twice, once as SeriousCoffee and once as Serious-Coffee.
Naturally, it was easy to ask the barista: “Do you know which of these two networks is yours?” The answer was: “Geee…, I don’t know. If it says Serious Coffee or something like that, then it should be ours. Try them both and see which one works.”
Sitting right behind me was an older gentleman with his laptop, selecting the first Wi-Fi choice available. His chances were fair, 50/50, or as someone in the infosec business would say, “…he was connecting to the fake hot-spot with a discrete probability of 0.5”.
This made me sad. He just might have handed over some of his private or business information to an adversary whose only trick was to rename the network SSID to a similar name. So I decided to post the following 12 suggestions for public WiFi hot-spot hygiene.
1. Be 100% sure you are connecting to the right network
Before you connect to any Wi-Fi network SSID, always verify that you are connecting to the right provider (the network name you trust). Airport-WiFi is not the same as Airport_WiFi or Free Airport WiFi! Every time you see more than one network with a similar name, beware! This could signify that one of them is a dangerous decoy. (But it can also signify that the network admin was a moron, did not bother to name the networks properly and forgot to notify the staff 🙂)
2. Tame the urge to connect no matter what
If you get to a well-known place and the network signal you used to see is for some reason missing, do not compromise! It may be tempting to connect to another available network with a strong signal named free wifi or something similar, but it can also be your worst mistake. I know what you may be thinking: “I’ll just connect a little bit to check my emails or Facebook.” There is no such thing as connecting just a little bit. It may well be that the trusted network signal is down because an adversary is jamming it and offering his compromised free wifi instead. Don’t do it!
3. Your online activity is never secure or private
It should be clear that by connecting through a public network your online activity may be visible to an unknown number of third parties. In general, online activity is visible to anyone who has access to the hot-spot router or server (if present), or who has software for intercepting wireless traffic installed. Many hot-spots log their traffic. When logging into a site through a non-encrypted connection, the page, its content and the username/password could be logged in human-readable plain text. This means that anyone with access to these log files and/or the wireless traffic can see what you wrote and what your login credentials are. In some situations logging in or browsing over HTTPS / SSL can be compromised too. Bottom line: if you are in a public place, limit your online activity to activities with a low security and privacy rating.
Accessing your corporate database, FTP account or even logging into your WordPress blog is a bad idea. Below is a sample wireless datagram (packet) as it is visible to others when sent through an unencrypted Wi-Fi hot-spot connection: easily readable by the human eye.
4. Turn off your tablet’s, cellphone’s or laptop’s auto-connect feature
By default, most wireless devices are set to connect automatically to the network they remember from last time. They have a constant urge to search for any available signal without us even knowing. So the moment we enter the familiar hot-spot area, our devices will register the signal and will try to use the stored login credentials to see if the connection can be established again. In general this is a great feature in terms of convenience, but a total nightmare from the security point of view. In some cases, if a malicious hot-spot is present, your device may connect automatically to it by “mistake”. Turn off the auto-connect feature for good. When ready to connect, turn on your Wi-Fi and manually select the trustworthy SSID (network name) from the list.
5. Enforce HTTPS / SSL if you can, but do not rely on it
Most of us know that anything you view or send over an unsecured HTTP:// connection is visible to anyone. Common knowledge states that when we use the HTTPS:// prefix (if available), or see a small “secure lock” in front of the URL, we may assume our connection is safe or private. Unfortunately it isn’t. Even though breaking into a secured connection takes another skill level and a whole new set of tools, it can be done. So, as point 3 above states, try to restrict your public online activity to things that do not have much informational value, even if you are using an SSL connection. However, SSL connections are still a better choice than plain text, and it is a good habit to force the secure connection (HTTPS) on sites offering it. You can use the Firefox add-ons HTTPS Everywhere or HTTPS Finder, or similar.
6. Turn OFF your network discovery
This may be re-stating the obvious, but make sure your computer is not set up to be visible on the network. While this feature is useful in a home or work environment where you need to see all connected devices on the same network, it is a tragedy in public. In a nutshell, any public network security measures are mostly void if anyone can turn on network discovery and connect to your computer directly, gaining access to it without much effort. So, a gentle reminder: make sure the devices that you plan on using in public are set to be network invisible.
For Mac it is the “stealth mode” under the advanced firewall settings in the Security tab;
for Windows it is under the Network tab.
If Network discovery does not look turned off (it is shown turned off in the image above), see the Advanced sharing settings tab below for the settings that need to be adjusted as follows:
If you are running Linux you can stop your Samba service with:
[php]sudo service smbd stop[/php]
7. Block incoming connections
Just because you made your computer invisible to the rest of the network does not mean it cannot be connected to directly. As long as your computer is connected to a public network and there is some network activity present, it still broadcasts enough information (to those who know what to look for) about where your computer is located on the network. This location (not your physical location but the digital location of your device on the network) could become a doorway for others to connect to your computer. Therefore, your device should be set to reject/block incoming connections. That is done through your firewall settings. For Mac it is, again, under the firewall settings; for Windows it is under the advanced firewall settings (see below):
For Linux, you can use ufw or gufw on Debian-based systems (i.e. Ubuntu or Mint) and inspect the firewall status by typing
[php]sudo ufw status[/php]
or any corresponding utility for non-Debian distros, i.e.: Fedora, which is using
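Reading `ufw status` by eye is fine once, but it is easy to forget on the third coffee shop of the day. The following is an added example, not code from the original post, that parses the output of `ufw status verbose` and lists what still needs changing before the laptop meets a public network: the default incoming policy must be deny, the firewall must be active, and any remaining ALLOW IN rules deserve a second look. The sample output is constructed (it follows the wording ufw prints, but is not taken from a real machine); the commands in the advice are real ufw commands and are only printed, never run.

```python
import re
import shutil
import subprocess

# Constructed sample of `ufw status verbose` on a laptop that still accepts incoming
# connections and has an SSH allow rule left over from home (assumption, not a real capture).
SAMPLE_STATUS = """Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
"""


def parse_status(text):
    """Pull the active flag, the per-direction default policy and the ALLOW IN rules
    out of `ufw status verbose` output."""
    active = bool(re.search(r"^Status:\s*active", text, re.M))
    # "Default: allow (incoming), allow (outgoing), disabled (routed)" -> {"incoming": "allow", ...}
    policies = {
        direction: policy
        for policy, direction in re.findall(
            r"(allow|deny|reject|disabled)\s*\((incoming|outgoing|routed)\)", text
        )
    }
    allow_in = re.findall(r"^(\S+)\s+ALLOW IN\s+(\S.*?)\s*$", text, re.M)
    return {"active": active, "policies": policies, "allow_in": allow_in}


def hardening_advice(status):
    """Commands (and rules to review) needed to reach 'block incoming connections' (tip 7).
    An empty list means the firewall already matches that posture."""
    advice = []
    if not status["active"]:
        advice.append("sudo ufw enable")
    if status["policies"].get("incoming") != "deny":
        advice.append("sudo ufw default deny incoming")
    for target, source in status["allow_in"]:
        advice.append(f"review incoming rule: {target} ALLOW IN {source}")
    return advice


def current_status():
    """Read the live status when ufw is installed (it needs root); None otherwise."""
    if shutil.which("ufw") is None:
        return None
    result = subprocess.run(["ufw", "status", "verbose"], capture_output=True, text=True)
    return parse_status(result.stdout) if result.returncode == 0 else None


if __name__ == "__main__":
    status = current_status() or parse_status(SAMPLE_STATUS)
    for line in hardening_advice(status) or ["incoming connections are already blocked"]:
        print(line)
```

Leftover allow rules are reported rather than deleted, because a rule that is wrong in a coffee shop (SSH from anywhere) may be exactly what you want back at home; a separate ufw profile per location is the usual answer.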
8. Disable your unsecured POP3 connections
Many desktop-based email clients can connect to your email account through the older, unsecured POP3 protocol. This means that if your Outlook, Thunderbird, Apple Mail or whatever you are using tries to connect automatically to your email account (as is usual for the default settings) and your connection is set to POP3, the email content, address and password will be broadcast in plain text to anyone who can monitor traffic. If you are using Gmail’s or Yahoo Mail’s IMAP or POP3S protocols, your connection should be secure enough and there is less to be worried about.
Below is an example of Thunderbird’s unsecured POP3 connection settings (similar to Outlook, etc.). If your email client shows the following POP3 settings as its default protocol, change the email program settings from automatically checking for new emails to checking manually. This will give you the option to check your emails only when you initiate it.
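Points 3, 5 and 8 share one rule: a login that travels without TLS is readable by whoever is watching the hot-spot, and the damage is worst when the client sends it on its own schedule. The following is an added example, not code from the original post or from any mail client, of an audit over a list of mail account settings: it flags accounts configured with no encryption, flags the common mistake of selecting SSL/TLS while leaving the plaintext port in place, and lists which accounts should be switched to manual checking. The account list is constructed; the port numbers are the standard assignments (110/995 for POP3, 143/993 for IMAP, 25/465 for SMTP) and the three encryption choices mirror what desktop clients such as Thunderbird offer.

```python
from dataclasses import dataclass

# Standard port assignments: implicit TLS beside the plaintext original.
IMPLICIT_TLS_PORTS = {"pop3": 995, "imap": 993, "smtp": 465}
PLAINTEXT_PORTS = {"pop3": 110, "imap": 143, "smtp": 25}


@dataclass
class MailAccount:
    name: str
    protocol: str     # "pop3", "imap" or "smtp"
    port: int
    encryption: str   # "none", "starttls" or "ssl": the choices most desktop clients offer
    auto_check: bool  # the client polls the server on its own (the default tip 8 says to switch off)


# Constructed sample accounts (assumption: not taken from any real client profile).
ACCOUNTS = [
    MailAccount("legacy-pop", "pop3", 110, "none", True),          # the unsecured POP3 setup from the post
    MailAccount("legacy-pop-manual", "pop3", 110, "none", False),  # same, but only polled on demand
    MailAccount("gmail-imap", "imap", 993, "ssl", True),
    MailAccount("work-smtp", "smtp", 587, "starttls", True),
    MailAccount("odd-pop", "pop3", 110, "ssl", True),              # TLS selected, plaintext port kept
]


def audit(accounts):
    """Map each account name to a finding; 'ok' means the login never crosses the hot-spot in the clear."""
    findings = {}
    for a in accounts:
        proto, enc = a.protocol.lower(), a.encryption.lower()
        if enc == "none":
            note = "plaintext credentials"
            if a.auto_check:
                note += ", polled automatically"
            findings[a.name] = note
        elif enc == "ssl" and a.port == PLAINTEXT_PORTS.get(proto):
            findings[a.name] = "implicit TLS on the plaintext port; fix the port, do not fall back to none"
        else:
            findings[a.name] = "ok"
    return findings


def accounts_to_switch_to_manual(accounts):
    """Plaintext accounts that poll on their own: the ones tip 8 says to set to manual checking."""
    return [a.name for a in accounts if a.encryption.lower() == "none" and a.auto_check]


def fix_suggestion(account):
    """The secure equivalent of an unencrypted account: same protocol on its implicit-TLS port."""
    proto = account.protocol.lower()
    return MailAccount(account.name, proto, IMPLICIT_TLS_PORTS[proto], "ssl", account.auto_check)


if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS).items():
        print(f"{name:18} {finding}")
    for a in ACCOUNTS:
        if a.encryption.lower() == "none":
            print("suggested:", fix_suggestion(a))
```

Switching to manual checking only limits when the password leaks; the fix is the TLS port, and manual checking is the fallback for an account whose server offers nothing better.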
9. Be aware who sits/stands next to you
This should be a basic instinct, but those deeply immersed in cyberspace reality, i.e.: texting or updating the Facebook wall, sometimes do not even know they are crossing the street on a red light. So before you start logging into your accounts in a public place, take a quick look around to make sure no one is actually looking at or recording what you are typing on the keyboard. “Hot target” individuals, i.e.: CEOs, fund managers, etc., should try to choose a place where even security cameras cannot read what they type. Remember, behind every security camera is a DVR which can be reviewed anytime by anyone who has access.
10. Turn it off if you are not using it
Most laptops (unless set never to sleep) are put into hibernation mode when the display is closed, and they tend to turn off the Wi-Fi adapter to save the battery charge. Unfortunately that is not true for most smart phones and tablets. They will try to connect to any available Wi-Fi hot-spot (if turned on) wherever you go, even if they are in stand-by mode. Make sure to follow step 4 and turn off the auto-connect feature. Under Windows, check your network adapter settings; under other systems you will need to investigate.
11. Install a private tunnel if you can
So far, the best privacy and online security practice is the use of a trusted third-party virtual private network (VPN). For Windows, Mac OS X, Android 4.0+ and iPhone/iPad (iOS 4.2+) the setup is fairly simple. Sign up for a free or paid account. Download the installation file for your OS.
Install the file, enter your login credentials and you are all set. Next time you are in a public place, and depending on your settings, your Internet connection will be automatically established through the encrypted private tunnel. If you are using Linux, an OpenVPN-compatible client has to be installed on your computer. For Debian, for example, it would be
[php]sudo apt install openvpn[/php]
then download the Private Tunnel user information .ovpn file, move it to your /etc/openvpn folder, rename it to .vpn and restart. Next time your computer connects to the Internet, it will be through the secure VPN. One important warning: if you are planning on making any FTP connections (i.e.: connecting to your web-hosting files, etc.), the VPN may not protect this connection from being visible in plain text. FTP usually runs on ports 20 or 21, which are commonly not covered by most VPNs. By the way, you should not be using any FTP connections in public anyway; use only SFTP or explicit FTP over TLS. Below is an example of the intercepted datagram (data packet) when a secure connection is made through the VPN: clearly unreadable:
12. Use a good anti-virus software
This applies mostly to Android and Windows, where exploits of security flaws are most common. Running up-to-date, quality anti-virus software can inform you instantly if your system is being compromised. While it may not protect you from everything, it may notify you about unusual system changes or unauthorized connections, which should give you enough suspicion that something is not right. Also remember that just because an anti-virus program came pre-installed on your tablet or laptop does not automatically mean that it is a good one: do your research and ignore the defaults.
While the 12 steps above should be the bare minimum for basic public Wi-Fi hygiene, you may want to think twice before you connect to public Wi-Fi at all. Whether it is an airport, a coffee shop or a hotel room, they all have one thing in common: a lack of privacy and poor security.