For nearly as long as public wireless networks have been available, the best security advice has been to avoid them altogether. Why is this? Is there a way to be safe on public wireless networks? And what about the ones that use a password? Let’s take a closer look at where the security advice comes from, and how you can stay safe now that we are once again venturing away from our home networks.
Generally speaking, there are two kinds of wireless networks: password-protected and unprotected (also known as “open”) Wi-Fi. Now, think about the words “public” and “private.” You might think that an open network is automatically public and a password-protected one is private, right? Not necessarily. Even wireless that asks for a password to connect can be considered “public” if that password is regularly given out; for example, a coffee shop posting the code on a bulletin board or on the bottom of every receipt. Anyone who is connected to the same wireless network can theoretically spy on network traffic happening on the same network — password or no password.
Using a method known as ARP poisoning, someone can trick your computer into thinking their computer is the router, so all your information passes through to them. They can read (and even change) information that is sent unencrypted, that is, through regular HTTP. Any secure traffic, through HTTPS is difficult to impossible to read and manipulate. This is the main reason behind the security advice “Look for the padlock” in your address bar; this tells you whether information on a website is potentially visible to some other party.
What about using a VPN? Virtual Private Networks can protect your internet traffic from eavesdropping, but there are a couple of caveats there as well. First, the VPN must be full tunnel, not split tunnel. Basically, a split tunnel only encrypts certain internet traffic, while a full tunnel encrypts everything. If you are given a VPN connection through your organization, they will be able to tell you which type they use. Secondly, the VPN solution you are using must be trusted as well. Since a VPN will encrypt traffic between your computer and some remote server, if you don’t trust the place your traffic is going, then you run the same risks that you do on public Wi-Fi.
Follow the steps below to keep you safe when you use Wi-Fi.
- Do only you and the individuals you trust know the password to this wireless network? And is the password long, complex, and would not be found in any password-cracking dictionary? If the answer to both questions is yes, the network is safe and can be considered private. If not, proceed to the next step.
- Do you have a full tunnel VPN solution that is provided by your place of work or a provider that you really can trust? If yes, you can access private information on the network such as financial or other confidential data. If not, proceed.
- You should assume that anyone can see or even manipulate your web browsing as it is happening, just as if someone were standing over your shoulder watching what you do. You should not use this network for anything that is sensitive in nature. Alternatively, if you have access to a cellular network such as a hotspot device or your phone’s built-in hotspot function, you can safely use that as long as it is configured to satisfy question 1.
Another thing to look out for: fake wireless networks that exist to harvest your passwords. It is fairly simple for someone to set up a device that acts like a free public access network. When you connect to it, it presents a landing page similar to what you see when you connect to a coffee shop or hotel. This is called a captive portal, and it is possible to set one up that asks for your social media login details in order to access the network. Instead of granting you internet access, it will redirect you to a fake error page that will appear to go nowhere. What has actually happened behind the scenes is your username and password have been stored in a way that can be recovered by a malicious actor. Never enter your real login details on any landing page such as this.
Public wireless networks are still as much of a concern as they have ever been, but with a little due diligence and some help from technology, you can make the best decision for yourself and your data.
Chris Tuzeneu is the Vice President of Information Security for CivITas Bank Solutions, which exists to help community banks with IT and Information Security needs. For more information contact info@acivitas.com.