Something Is In the Air; It’s Your Data

Your phone rings. You answer:

CALLER: “Bill, this is Sam. I know you are heading to that conference in San Diego. We need the files on the Smith project and they aren’t on the server. Do you have them with you?”
YOU: “Let me check and I will either call you back or send them to you. I have about 20 minutes before I have to board my flight.”

It is so convenient to have free Wi-Fi at the airport. You can just hop on there and do what you need to do. You can, but SHOULD you? Free Wi-Fi means no password needed, which means anyone can get on the network, which means anyone can be sniffing the network to see what they can see. It also means there is an opportunity for someone to set up rogue Wi-Fi connections to see if they can lure in the unwary.

The Smith project is really important to your company and you don’t want anything to go wrong. You just sat through a training session covering the new VPN project at the office that will be rolled out in a week. That will give you a secure connection to the office from anywhere. Avoiding public Wi-Fi is one of the reasons they are setting this up.

For select frequent travelers like you, the office gave out 4G hotspots so you wouldn’t have to rely on poorly secured public Wi-Fi networks. So, you fire up your hotspot after finding the needed files and get ready to send them off to work, confident that you have a secure connection since 4G isn’t nearly as open to snooping as wi-fi. Per your recent training session, it’s feasible that someone is snooping on your 4G connection,  but it takes much more effort than sniffing Wi-Fi. And, while you can impersonate a cell tower, it is too expensive for most hackers. Unfortunately, your training was wrong, but more on that later.

How Should Travelers Connect to The Internet?

Let’s look at the security issues for the traveler who needs to connect to the internet and possibly the home office. What options exist? Let’s examine three.

Option 1: Public Wi-Fi. There are big issues with public Wi-Fi. Since there is no password, traffic is not encrypted like it would be using WPA2 with a password. Much of what you do online will be visible to anyone else on the network with just a simple packet sniffer; no other equipment is needed. Public Wi-Fi may be subject to impersonation. For example, you are in Starbucks, you fire up your laptop and look to see what Wi-Fi is available. You see a network called Starbucks-1 and one called Starbucks. Which one is the right one? You won’t know unless you ask. Starbucks-1 could be someone with a rogue access point just trying to get people to connect so their traffic can be read at leisure. Appreciate too that nothing is free. What does the provider get? If you have to make a purchase in the store to get the password, there is the answer. If the provider asks for a bunch of information before you can log on, then your information is the cost of admission. Be wary of any network that pries for a lot of information before granting access.

Option 2: Mobile hotspot or tethering to your phone. We have now moved our access off Wi-Fi and on to the cellular network. This runs on a bunch of different frequencies that are different from Wi-Fi. The casual snoop will not bother to go to the effort to sniff this traffic. Does that mean we are totally safe? Well, you may have read or heard about a device called Stingray. It is typically used by law enforcement to force cell phones in a given area to connect to it so that anything going to and from those phones can be monitored. The version used by law enforcement cost about $400,000 in 2016. Not something that most hackers are going to consider. However, if you don’t need all the strength available in the Harris model (and if you are not law enforcement), you might consider the setup laid out in an article on vice.com. For $20 in hardware, they were able to intercept data from cell phones using some code from GitHub and an Ubuntu installation. Most black hats can afford that. How common is cell phone data interception? That is probably a big unknown, especially as hardware and software are so readily available and the technical bar to entry is very low.
As an added fly in the ointment is this article about how certain hotspots can be remotely compromised; if you go to a site and the hacker starts logging a person’s web activity, uses the hotspot as a way to attack devices connected to it, and redirects web traffic to more malicious websites.

Option 3: VPN. Provided you have a high-quality VPN, this is a very secure option. You have an encrypted connection that runs from your device to a secure server at the other end. Even if your traffic is intercepted, there is nothing for the intercepting party to work with. High-quality is the operative word here. Some free VPN software has been shown to be less than effective.

Security Doesn’t Equal Convenience

Keeping secure is not convenient. This is a sad fact of life. As ways to keep data in-flight secure increase in quantity and quality, so do the ways bad guys find to attack. That means that ‘eternal vigilance is the price of safe internet use’ is something that will be true for the foreseeable future.
Keep in mind that no matter how you connect to the internet, if you let someone phish you, you will have a problem. A secure connection that can’t be sniffed is not necessarily a safe connection if you connect to an unknown site.  Contact Ashton Technology Solutions at 216 397-4080 to learn more about the safest connections.