Monday, June 22, 2015

Cybersecurity & Civic Hacking # 2: Public Wi-Fi

[tl;dr -- You’re probably not safe when you’re on public Wi-Fi, you probably don’t realize how unsafe you are, and you don’t know how to change things so you can feel safe using public WiFi. The way to start changing this situation is to support a new NE Wisconsin cybersecurity initiative.]

Last week I wrote the post “Cybersecurity: A New Horizon For Civic Hacking?” and made an open proposal to launch a regional cybersecurity initiative in NE Wisconsin.

Today’s post covers public Wi-Fi, a topic highly relevant to cybersecurity. (Note: Wi-Fi is the 'official' format for this term; many authoritative websites and documents just use WiFi.) Although I haven’t done a survey to document the statistics, my feeling is that most people in this region have a lower level of WiFi cybersecurity knowledge and protection than they should have. I think we should work together to change that situation.

The goal of this post is to help you understand that you’re probably not safe and secure when you’re on public WiFi. After I’ve made that clear, I’ll point out a couple ways you can become more secure.

If we establish this NE Wisconsin collaborative cybersecurity initiative, one result is that people will have a highly knowledgeable local resource they can afford to go to when they want to (1) fully understand public WiFi security and (2) know that they have the best cybersecurity system when using public WiFi. Civic hackers involved with the Cyber Defense Force will also be able to answer questions related to articles about WiFi security, such as the one quoted below. (The focus of this post is public WiFi, but many points in the post will also apply to WiFi in other places, such as your home or business.)

When you use your phone, tablet or laptop on public WiFi at the airport, hotel, Starbucks, McDonald’s, Denny's, Dunkin' Donuts, Panera or similar places, how secure are you?

  • Can knowledgeable computer geeks see what websites you’re looking at?
  • Can they read your email?
  • Can they see or capture your passwords?
  • Can they record information you use to buy something from Amazon?
  • Can they watch you transfer money in your bank account?
  • Can they put viruses, trojans, keyloggers and other malware on your device?

Here’s one story of Wi-Fi insecurity:
From his vantage point at a coffeehouse, Brian Gragg gazed across the street at the darkened windows of a French provincial mansion. The lush River Oaks section of Houston’s Inner Loop had more than a few of these aging beauties, restored and pressed into service as quaint professional buildings. They sheltered doctors’ offices, architectural firms, law firms—and branch offices of east coast stockbrokers. It was this last species of suburban tenant that attracted Gragg...One of the brokers there had installed a wireless access point in his office but failed to change the default password and SSID. Better yet, the broker couldn’t be bothered to shut his machine off at night.
Gragg glanced down at his own laptop and adjusted a small Wi-Fi antenna to point more directly at the office windows. The broker’s computer screen was displayed as a window on Gragg’s laptop. Gragg had compromised the workstation days ago, first obtaining a network IP address from the router, and then gaining access to the broker’s machine through the most basic of NetBIOS assaults...In the past year Gragg had evolved beyond simple credit card scams. He no longer prowled bars passing out portable magstripe readers to waiters and busboys and paying a bounty for each credit card number.
Gragg now stole identities. His buddy, Heider, had schooled him on the intricacies of spear-phishing...Gragg was using the broker’s workstation to conduct an email campaign to the firm’s clientele. He had cribbed the phony marketing blather and graphics from the brokerage’s own web site, but what the email said was irrelevant. Gragg’s goal was that the phish merely view the message...When the user viewed the email, the OS ran a decompression algorithm to render the graphic onscreen; it was this decompression algorithm that executed Gragg’s malicious script and let him slip inside the user’s system—granting him full access. There was a patch available for the decompression flaw, but older, rich folks typically had no clue about security patches. 
Gragg’s script also installed a key logger, which gave him account and password information to virtually everything the user did from then on...What sort of idiot hung the keys to his business out on the street...These people shouldn’t be left home alone, much less put in charge of people’s investments...More than likely the scam wouldn’t be detected for months, and even then, the company probably wouldn’t tell their clients...”
Brian Gragg is a fictitious character in the novel “Daemon” by Daniel Suarez. It’s an excellent book. The WiFi story above is fictitious, but scenes similar to the one described are happening in real life.

Below is an excerpt from “What we give away when we log on to a public WiFi network.” This is not fiction. This is a real-life example of insecure usage of public WiFi.
In his backpack, Wouter Slotboom, 34, carries around a small black device, slightly larger than a pack of cigarettes, with an antenna on it. I meet Wouter by chance at a random café in the center of Amsterdam...Wouter removes his laptop from his backpack, puts the black device on the table, and hides it under a menu...Wouter switches on his laptop and device, launches some programs, and soon the screen starts to fill with green text lines.
It gradually becomes clear that Wouter’s device is connecting to the laptops, smartphones, and tablets of local cafe visitors. On his screen, phrases like “iPhone Joris” and “Simone’s MacBook” start to appear. The device’s antenna is intercepting the signals that are being sent from the laptops, smartphones, and tablets around us. We learn that Joris had previously visited McDonald’s, probably spent his vacation in Spain, and had been kart-racing. More text starts to appear on the screen. We are able to see which WiFi networks the devices were previously connected to...The waitress serves us our coffee and hands us the WiFi password. After Slotboom is connected, he is able to provide all the visitors with an internet connection and to redirect all internet traffic through his little device...My phone automatically connects itself to one of these networks, which all belong to the black device.
Slotboom’s device is capable of registering these searches and appearing as that trusted WiFi network. To demonstrate, I suddenly see the name of my home network appear on my iPhone’s list of available networks, as well as my workplace, and a list of cafes, hotel lobbies, trains, and other public places I’ve visited. My phone automatically connects itself to one of these networks, which all belong to the black device. Slotboom can also broadcast a fictitious network name, making users believe they are actually connecting to the network of the place they’re visiting. For example, if a place has a WiFi network consisting of random letters and numbers (Fritzbox xyz123), Slotboom is able to provide the network name (Starbucks). People, he says, are much more willing to connect to these...Already 20 smartphones and laptops are ours. 
If he wanted to, Slotboom is now able to completely ruin the lives of the people connected: He can retrieve their passwords, steal their identity, and plunder their bank accounts...The idea that public WiFi networks are not secure is not exactly news. It is, however, news that can’t be repeated often enough. There are currently more than 1.43 billion smartphone users worldwide...In 2013, an estimated 206 million tablets and 180 million laptops were sold worldwide. Probably everyone with a portable device has once been connected to a public WiFi network: while having a coffee, on the train, or at a hotel...spend a day walking in the city with Wouter Slotboom, and you’ll find that almost everything and everyone connected to a WiFi network can be hacked...”
Brian Gragg and his story about cracking into WiFi systems were fiction, part of a novel. Wouter Slotboom and his story about cracking into WiFi systems were real-life, non-fiction. Malicious people with Slotboom’s knowledge, skill and equipment are out there, doing things you probably wish you weren’t aware of. Google can help you find other real-life examples of WiFi cybersecurity problems and attacks, such as “Can hacks become hackers? What I learned exploiting websites with pros,” “Hacker demonstrates risks of using public Wi-Fi,” and “Even with a VPN, open Wi-Fi exposes users.”

After reading the above public WiFi stories, I hope you feel like your public WiFi cybersecurity is not as good as it should be.

The goal of this post is not to give you detailed step-by-step instructions for making you secure on public WiFi, but below are 14 useful action steps you should take to improve your public WiFi cybersecurity. If you’re doing all the items listed below, you’re more secure than 99.9% of people in Wisconsin.

  1. All computing device programs have the latest security updates via a secure network.
  2. High-quality anti-malware system updated and active on your device.
  3. Two-factor authentication used whenever possible.
  4. VPN (virtual private network) used for connecting to public WiFi.
  5. File sharing turned off on your devices and apps or programs.
  6. Legitimate network name verified with WiFi provider before you connect to it.
  7. WiFi connection marked on your device as a public network.
  8. Firewall updated and active.
  9. Only connect to HTTPS websites (Hypertext Transfer Protocol - Secure).
  10. Verify all the apps on your device are secure.
  11. Don’t enable automatic network connection and delete network from list when finished.
  12. Turn off your device’s WiFi radio when you’re not using it.
  13. Don’t use public WiFi for sensitive or financial transactions.
  14. Consider using only a Chromebook or a Linux bootable live system for public WiFi.
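
As an added example (not part of the original post), step 11 and the saved-network exposure described in the Slotboom excerpt can be checked on a Linux laptop by auditing its saved Wi-Fi profiles. The sketch assumes NetworkManager's keyfile profile format; the sample profiles and the finding labels are constructed for illustration.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not real networks).
# On a real system these live in /etc/NetworkManager/system-connections/.
SAMPLES = {
    "CoffeeShop-Guest": "[connection]\ntype=wifi\n[wifi]\nssid=CoffeeShop-Guest\n",
    "Hotel-Lobby": "[connection]\ntype=wifi\nautoconnect=false\n[wifi]\nssid=Hotel-Lobby\n",
    "HomeNet": "[connection]\ntype=wifi\n[wifi]\nssid=HomeNet\nhidden=true\n"
               "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "Wired": "[connection]\ntype=ethernet\n",
}

def audit_profile(text):
    """Return the list of findings for one saved connection profile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return []  # not a Wi-Fi profile
    wifi = "wifi" if cp.has_section("wifi") else "802-11-wireless"
    # A profile with no security section is an open (unencrypted) network.
    is_open = not (cp.has_section("wifi-security")
                   or cp.has_section("802-11-wireless-security"))
    # NetworkManager treats a missing autoconnect key as true.
    auto = cp.getboolean("connection", "autoconnect", fallback=True)
    findings = []
    if is_open and auto:
        findings.append("open+autoconnect")  # joins any access point using this name
    elif is_open:
        findings.append("open-saved")        # step 11: delete from list when finished
    if cp.getboolean(wifi, "hidden", fallback=False):
        findings.append("hidden-probe")      # device announces this name while searching
    return findings

def audit_all(profiles):
    """Map profile name -> findings, keeping only profiles with at least one finding."""
    results = {name: audit_profile(text) for name, text in profiles.items()}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(f"{name}: {', '.join(findings)}")
```

Profiles flagged `open+autoconnect` are the ones to remove or switch to manual connection first.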

Details about the above public WiFi security items can be found at tech media websites (CNET, lifehacker, Forbes), at Microsoft and AT&T websites, and at computer security company websites (Kaspersky, F-Secure, Norton). Googling for “public WiFi security” will find many more related websites. You can also search for other specific questions related to public WiFi cybersecurity.

If you read this far, you’re probably at least somewhat concerned that your public WiFi cybersecurity is not as good as it should be. You’ve also read 14 tips for improving the security of your public WiFi use. So that problem’s taken care of, right?

NO, it's not taken care of.

The overall public WiFi cybersecurity of NE Wisconsin residents and businesses is probably no better now than it was before you read this post. Why do I say this?

  • Most people in NE Wisconsin didn’t read this post.
  • Most people who read this post won’t do some or any of the steps listed above. They’ve probably read similar information in the past about WiFi security and didn’t take all the actions they should have after reading about public WiFi cybersecurity problems.
  • Many of the people who read the post and want to do all the steps don’t have the tech knowledge, experience or confidence to implement the above steps.
  • The above information presents some conflicts about how you can truly be secure on public WiFi, such as ‘which VPN should I use and does it really make me safe.’
  • The above steps don’t cover all the tech aspects of public WiFi cybersecurity. Even if they did cover everything as of June 22, 2015, within a week or a month or a year, there will be new problems or solutions created relevant to public WiFi that you won’t be aware of, won’t understand, or won’t react to as needed to adjust your public WiFi cybersecurity system.

The only way you can be confident you’re securely using public WiFi is by having a trusted, reasonably priced, highly knowledgeable cybersecurity resource in NE Wisconsin that will (1) help you understand what your personal or organizational cybersecurity needs are, (2) help you figure out and put in place the lowest cost public WiFi cybersecurity system appropriate for your needs, and (3) help you develop and put a plan in place to keep your cybersecurity system updated to meet your needs in the future.

If you already have a NE Wisconsin cybersecurity resource like that, you’re one of the few people in the region who does. Please share that resource with me and with others you know.

If you don’t have an excellent NE Wisconsin cybersecurity resource like I described above and you want to have one, please read “Cybersecurity: A New Horizon For Civic Hacking?” then do these two action steps:

  1. Support the launch of the proposed collaborative NE Wisconsin cybersecurity initiative as presented in the blog post listed immediately above and as shown below.
  2. Contact your friends and influential people you know, and urge them to support the launch of this cybersecurity initiative. 

I propose one or several NE Wisconsin colleges launch a collaborative regional cybersecurity pilot initiative. Civic hackers known as the Northeast Wisconsin Cyber Defense Force (NEW CDF), in collaboration with a new college cybersecurity program, help area residents and businesses maintain the best possible computer security and personal privacy. NEW CDF is a cadre of ethical and knowledgeable technologists working together to improve and practice their cybersecurity knowledge and skills. CDF provides practical training for business and personal computer security at the CDF Cybersecurity Training Center or onsite at northeast Wisconsin businesses and organizations. This community of cybersecurity civic hackers also helps catalyze and spin off cybersecurity startups and other high tech businesses.


As stated above, the main value of this blog post will be if it prompts you to support, and to urge other people to support, the launch of a collaborative regional cybersecurity initiative. If we do not develop this type of a local cybersecurity resource, our collective NE Wisconsin cybersecurity will remain pretty much where it is right now:

  • Widespread concern about inadequate cybersecurity.
  • Poor to almost-acceptable personal and organizational cybersecurity.
  • No reason to expect significant cybersecurity improvement in the next few years.

If you want to know more about how the collaborative regional cybersecurity initiative will create a trusted, reasonably priced, highly knowledgeable cybersecurity resource in NE Wisconsin, contact me or watch for future blog posts on this topic. 

If you had already done all 14 of the cybersecurity measures listed above before you read this post, please contact Bob Waldron at bwaldron [at] gmail (dott) com. I’d love to meet with you and have your input or involvement in creating a collaborative regional cybersecurity system.


Short Situation Summary -- In April 2015, Alex Stamos, the cybersecurity chief for Yahoo, stated his concern for how unprotected the average digital citizen is. “I’m not very happy with where we are as an industry,” he said, with a grim look on his face. “We’re really focusing on the 1%,” he added, referring to the small number of companies that can afford to spend on cybersecurity teams and products, and the minority of internet users who are literate enough to jump through the hoops that are needed to be safer online...“The vast majority of people are not safe using the internet everyday,” Stamos tells me..."


DHMN Civic Hacks posts about 'Cybersecurity & Civic Hacking':
C&CH # 01: "Cybersecurity: A New Horizon For Civic Hacking?"
C&CH # 02: This post, published June 22, 2015
C&CH # 03: "Cybersecurity & CH # 3: The Right Person / Topics Of Interest"
C&CH # 04: "Cybersecurity & CH # 4: Malware"
C&CH # 05: "Cybersecurity & CH # 5: Even Cybersecurity Companies Get Hacked!"
C&CH # 06: "Cybersecurity & CH # 6: How Cybersecure Is Your Car?"
C&CH # 07: "Cybersecurity & CH # 7: Data Breaches"
C&CH # 08: "Cybersecurity & CH # 8: Hype or Reality?"

