Public Wireless Security – Part 2

Welcome to the Fast-Air Tech Talk newsletter. The Tech Talk newsletter is a free service for all Fast-Air customers. Please feel encouraged to suggest newsletter topics.

Considering the security challenges, are there ways to use public wireless networks without risk? There are two simple starting points.

  • Presume the network is not secure and encrypted.
  • Ensure connections are secure and encrypted.

The presumption is especially true when using public computers. When using personal computer devices the presumption still holds, but can be overridden with the second point. Do everything possible to create a secure and encrypted connection before using the public hotspot.

When available, choose public hotspots that use encryption.

Presume somebody is looking over your shoulder, both physically and electronically. Remember to look behind you when using a public hotspot. Somebody might be looking over your shoulder to harvest private or personal information. This precaution includes security cameras.

Electronically looking over your shoulder means presuming the network is not secure. Computers are visible to one another when connected together on a public wireless network. Strangers can see your computer and vice-versa.

Do not configure a computer device to auto-connect to any available wireless service. Only allow auto connection to known trusted wireless networks, such as at home or the office. The connection default should always be to manually connect to new networks.

Recognizing secure and unsecured wireless networks usually is straightforward. When the operating system's network manager finds a new wireless network, the context menu or popup dialog will show a traditional closed lock for a secure network. That means a password is required to connect to the wireless network.

Do not name computer devices using identifiable personal or private information.

Configure email clients to send passwords encrypted. Most email clients call this SSL or TLS encryption. This is smart even when using a computer at home or the office. Remember that encrypting the password only prevents malicious actors from capturing the password; by default, the emails themselves are still exchanged in clear text. If the public wireless network does not use a secure connection, the contents of all emails are easily viewed by anybody sniffing the network. Those emails might contain sensitive information.

Never let email clients automatically check accounts without first connecting to a secure connection.

Do not login to any remote account without first connecting to a secure connection.

Do not open a web browser without first connecting to a secure connection.

Disable shared services and folders.

Enable the operating system’s firewall. Because computers are visible to one another when connected together on a public wireless network, they can communicate with each other. The firewall has nothing to do with encryption but prevents nearby malicious actors from compromising your computer.

Although bank web sites are designed to use encryption and HTTPS, avoid browsing such web sites when using public hotspots.

Use HTTPS as much as possible when browsing the web. The browser add-on HTTPS Everywhere will help and is useful at home or in the office too.

Using HTTPS helps when falling victim to man in the middle (MITM) attacks. The malicious actor sees the traffic pass through, but all of the content is encrypted.

Avoid using passwords unless using HTTPS. A challenge with this simple precaution is human nature. Many people choose convenience over security and configure web browsers to store passwords. This feature allows for auto-logging into various sites. When using a public network that is not secure, this feature sends the stored password in clear text without the user typing anything.

Do not ignore web browser or email client certificate warnings. All web browsers and email clients are designed to validate HTTPS security certificates. A certificate warning could indicate a malicious actor.
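As an added illustration of two of the points above (sending an email password only after the connection is encrypted, and treating a certificate warning as a stop sign rather than something to click through), here is a small Python IMAP client. It is example code written for this page, not code from the newsletter or from any email client; the host name is a placeholder and the 20-character and TLS 1.2 thresholds are the editor's choices.

```python
import imaplib
import ssl

IMAP_STARTTLS_PORT = 143   # plain port; the session must be upgraded with STARTTLS
IMAP_TLS_PORT = 993        # implicit TLS from the first byte


def strict_tls_context():
    """A TLS context that verifies the server certificate against the system
    CA store, checks the host name, and refuses TLS versions older than 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def session_is_encrypted(conn):
    """True only when the IMAP session's socket has already been wrapped in TLS."""
    return isinstance(getattr(conn, "sock", None), ssl.SSLSocket)


def open_imap_encrypted(host, port=IMAP_STARTTLS_PORT, context=None):
    """Open an IMAP session that is encrypted before any credential is sent.

    On 993 the connection is TLS from the start. On 143 the server must offer
    STARTTLS; if it does not, the session is closed instead of continuing in
    clear text. A certificate that fails verification raises
    ssl.SSLCertVerificationError from starttls(); the caller should stop there,
    which is the programmatic equivalent of not ignoring a certificate warning.
    """
    context = context or strict_tls_context()
    if port == IMAP_TLS_PORT:
        return imaplib.IMAP4_SSL(host, port, ssl_context=context)
    conn = imaplib.IMAP4(host, port)
    if "STARTTLS" not in conn.capabilities:
        conn.logout()
        raise RuntimeError("%s:%d does not offer STARTTLS; refusing a plaintext session" % (host, port))
    conn.starttls(ssl_context=context)
    return conn


def login_only_if_encrypted(conn, user, password):
    """Send the password only over a session that is already encrypted."""
    if not session_is_encrypted(conn):
        raise RuntimeError("refusing to send the password over an unencrypted session")
    return conn.login(user, password)


if __name__ == "__main__":
    import getpass
    host = "imap.example.com"   # placeholder: replace with your provider's IMAP server
    conn = open_imap_encrypted(host)
    login_only_if_encrypted(conn, "you@example.com", getpass.getpass("IMAP password: "))
    print(conn.select("INBOX"))
    conn.logout()
```

The two guards are the point: the client never sends the password unless the socket is already a TLS socket, and it never relaxes certificate checking to get past an error. A graphical email client that shows a certificate warning is at the same decision point; the safe answer is the one this code takes.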

When no other option is available, avoid transmitting personal information or conducting sensitive business. Just don’t. Surf the news on the web but not much more.

There are ways to overcome the lack of a secure public hotspot and still use that service.

  • Use a smart phone as a hotspot. Some phone providers might charge extra for this option. The phone can be configured with the WPA2 Personal protocol and AES encryption. Use a lengthy password or pass phrase. As long as the phone can connect to the vendor’s network, the phone will act like a hotspot. Any computer device connected to the smart phone will have an encrypted connection between the computer and phone.
  • Use a Virtual Private Network (VPN) server. A similar method is using Secure Shell (SSH). Both methods create an encrypted secure connection.
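To show why the "lengthy password or pass phrase" advice for a WPA2 Personal hotspot matters, here is an added Python example (written for this page, not taken from the newsletter or from any phone or router vendor) that computes the key a WPA2 Personal device actually derives from the passphrase and SSID. The derivation is the one the IEEE 802.11i standard specifies (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt); the 20-character recommendation is the editor's assumption, and the hotspot name and second passphrase are constructed.

```python
import hashlib

# WPA2-Personal (IEEE 802.11i) derives the 256-bit pre-shared key (PSK) that
# both the phone/router and the connecting device compute from the passphrase
# and the SSID: PBKDF2-HMAC-SHA1 with 4096 iterations and the SSID as salt.
PBKDF2_ITERATIONS = 4096
PSK_LENGTH_BYTES = 32
MIN_PASSPHRASE_LEN = 8        # the standard allows 8 to 63 printable ASCII characters
MAX_PASSPHRASE_LEN = 63
RECOMMENDED_MIN_LEN = 20      # assumption: editorial threshold, not from the standard


def passphrase_problems(passphrase):
    """Return a list of problems. Entries starting with 'invalid:' mean the
    passphrase cannot be used at all; 'weak:' means it is allowed but short."""
    problems = []
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        problems.append("invalid: shorter than %d characters" % MIN_PASSPHRASE_LEN)
    elif len(passphrase) < RECOMMENDED_MIN_LEN:
        problems.append("weak: fewer than %d characters" % RECOMMENDED_MIN_LEN)
    if len(passphrase) > MAX_PASSPHRASE_LEN:
        problems.append("invalid: longer than %d characters" % MAX_PASSPHRASE_LEN)
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        problems.append("invalid: contains a character outside printable ASCII")
    return problems


def wpa2_psk(passphrase, ssid):
    """Return the hex PSK for this passphrase/SSID pair, as the devices compute it."""
    invalid = [p for p in passphrase_problems(passphrase) if p.startswith("invalid:")]
    if invalid:
        raise ValueError("; ".join(invalid))
    psk = hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PSK_LENGTH_BYTES,
    )
    return psk.hex()


if __name__ == "__main__":
    # First pair is a known-answer test from the IEEE 802.11 standard; the
    # second is a constructed passphrase of the length the newsletter recommends.
    for passphrase, ssid in [("password", "IEEE"),
                             ("correct horse battery staple", "MyPhoneHotspot")]:
        print(ssid, passphrase_problems(passphrase) or "ok", wpa2_psk(passphrase, ssid))
```

Two things the code makes visible. The iteration count was fixed in the standard and is small by today's measure, so deriving the key from a guessed passphrase costs a device almost nothing; the length and unpredictability of the passphrase are the only protection, which is why the bullet above asks for a lengthy pass phrase. And every device that knows the passphrase computes the same PSK, so WPA2 Personal encrypts the link against outsiders, not against other people who have the same password.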

VPNs are common in businesses to allow employees to securely connect to company networks.

Many people provide online VPN services. Which providers can be trusted is a topic of much debate among computer enthusiasts. Many people therefore create a VPN at their home or office. When using a public network, they connect to their own VPN to encrypt the connection.

A challenge is needing to first connect to the unsecured public hot spot before connecting to the VPN. Modern operating systems are designed to be connected 24/7. This is true with Windows 8/8.1 and 10 as well as Android. Android is used in smart phones and tablets. That is, the moment these devices are powered on, various apps begin connecting to upstream services. These connections might include passwords. Do not launch apps or allow apps to connect online until completing the VPN connection.

Some operating systems provide different network connection types. This feature might be useful to automatically configure firewall settings on-the-fly. For example, selecting a “Public” network configuration rather than a “Home” network connection will invoke more restrictive firewall rules.

Some public networks are intentionally configured to prevent using secure web connections (HTTPS), Secure Sockets Layer (SSL), or VPNs. There are legitimate reasons for doing that, but it means all connections are unencrypted. Some public networks are configured to restrict users from using preferred DNS servers. Vote with your feet and wallet: do not use such public networks.

The goal of these strategies is to provide a secure connection when using public networks. When a secure connection is impossible, then the goal is to protect private and sensitive data. That means establishing security and privacy aware habits, which is a challenge for many people.

There are tips for public wireless providers too.

  • Configure routers with WPA2 Personal and AES encryption. Customers using the service must type a password to connect.
  • Configure the connection with AP isolation. This feature prevents each device on the subnet from seeing other devices.
  • Conspicuously post the Service Set Identifier (SSID), Basic Service Set Identifier (BSSID), IP address, and whether encryption is used. A simple sign of providing “free wireless” is insufficient.
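For a provider running a Linux access point with hostapd, the first two tips above map onto a handful of settings. The fragment below is an added example written for this page, not the newsletter's or the hostapd project's own configuration; the interface, SSID, channel and passphrase are placeholders to replace.

```ini
# Constructed hostapd.conf fragment for a small public access point.
# hostapd does not accept comments after a value, so notes stay on their own lines.

# Radio interface and SSID. Post this exact SSID (and the BSSID the radio
# reports) where customers can see it.
interface=wlan0
driver=nl80211
ssid=CafeName-Guest-WiFi
hw_mode=g
channel=6

# WPA2 Personal only: no WPA1 fallback, no TKIP, AES (CCMP) for all traffic.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP

# Placeholder passphrase: 8 to 63 printable ASCII characters; use a long one.
wpa_passphrase=REPLACE-WITH-A-LONG-PASSPHRASE

# AP isolation: clients may reach the upstream link but not each other.
ap_isolate=1
```

Because every customer types the same passphrase, WPA2 Personal encrypts the air link against outsiders but does not separate customers from one another; `ap_isolate=1` is what stops devices on the hotspot from seeing each other, which is the point of the second tip.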

Public wireless providers often create a captive portal splash page outlining the terms of service (TOS). The TOS should boldly and fully inform users when encryption is not used. Remember that a captive portal by itself provides no security or encryption.

There are risks involved with using a public hotspot. If all of this makes your head swim then do not use an unsecured wireless hotspot.

Technical trivia: During the early days of public access to the Internet, a common sight in many postal mail boxes was floppy disks and CDs promoting online services. The mailings were so abundant that some people accumulated so many disks that they were able to “wallpaper” entire rooms.

Next issue: The End of 2016
