Ahh……. traveling through the countryside again.     I’m thrifty, and don’t have unlimited cell service.  I don’t want to use up all my cell phone data out here downloading movies for my kin.    That’s fine, free public wireless Wi-Fi networks are everywhere.    Everyone likes to get online for free.  But what does “free” often mean. There are a lot of security issues with public Wi-Fi.  I like to think of them as the wild-wild west.  This blog will go over the big dangerous amidst many public Wi-Fi spots and how to navigate them.

Malicious Hotspots

Howdy partner, welcome to free Wi-Fi.   So, you’re having dinner at the Texas Steakhouse.  Is the free public Wi-Fi really offered by the diner, or supplied by the guy renting an apartment next door?  Perhaps someone nearby setup a rogue network to entice people to connect and snoop on your web browsing.  It’s a good practice to ask an employee, or the front desk what the name of their Wi-Fi is before just jumping on the first network you find.  A legitimate Wi-Fi network will be less dangerous then a malicious hotspot that is anonymously owned.  You don’t want to shoot yourself in the foot, so to speak…

Wi-Fi sniffing

Just because you found the restaurant’s Wi-Fi network doesn’t make it safe either.  One of the tools that hackers are using on public networks is the Pineapple Wi-Fi device.  Originally developed for penetration and security testing, they can be repurposed for Man-in-the-middle attacks.  After determining what websites you access, the device can thoroughly mimic preferred networks.  All your information is then routed through the device. You may think you’re sending information to a HTTPS website, but it’s actually a spoofed website that the device created.  What’s worse is the Pineapple can save user session and cookie information and continue masquerading as your device, long after your gone.  You may need to call the local Sheriff on this network. 

How do you protect yourself?

When you connect be sure you select the Public network option when connecting to public Wi-Fi, keep your computer up to date, and leave your firewall enabled.  These options will protect your computer or device from being breached. 

When you leave a public Wi-Fi, be sure to delete, or “forget” the network in your phone or laptop.  This will keep your device from automatically reconnecting to a similar rogue network at another location.

Cautious browsing

So, we have learned how to protect your device, but what about protecting your online browsing transactions.  Limiting your internet searches to informational websites that don’t pass sensitive credentials is the best practice.  Logging into your online bank, even though an installed App should be avoided.  What about credit card purchases?  Just say no!  Ok, I just want to send an email.  Unless your email is encrypted (most isn’t) even email shouldn’t be checked on public Wi-Fi.  Do your email servers authenticate exclusively with secure HTTPS?  If you’re not 100% sure, don’t chance it.  So, what about Netflix, you like watching movies don’t you?  It depends….   If you can set your online accounts up with different passwords, in the event you are hacked they will only get onto that one site.  Not too much at risk with a compromised Netflix account if your passwords are all unique.  Plus, I get an email when another device logs on my account, so you know you can cut them off at the pass!

VPN – Circle the Wagons

What if you really need to get some work done, cellular service is not available and public Wi-Fi is your only option?  Well that’s when you need to invest in a VPN service.  A virtual private network (VPN) is a technology that allows you to create a secure connection over a less-secure network between your computer and the internet. This is beneficial because it guarantees an appropriate level of security and privacy to the connected systems. This is extremely useful when your Wi-Fi infrastructure may not support it.  It’s like sitting inside a protective circled wagon.

If your company can setup a VPN for you that would be the best option.  The next best would be a paid VPN service that’s based in the United States.  Most of these run under $10 per month.  Though there are many good ones outside of the States.    The following VPN Services have been highly rated by CNET for 2019. 

ExpressVPN
IPVanishVPN
Norton Secure VPN
Private Internet Access VPN

So, chock up and stay away from those free VPN services.  Because as we just learned from this blog, nothing in life is “free”.  Now head ’em up, and move ’em out

“Augmenting the human experience with a connected world”[i]

“Oh! Sorry I didn’t see you sitting there. It’s my morning break here at work, so I was checking a few things at home. Making sure that I locked the front door and checking to see if we had eggs in the fridge. Looks good. And the dog’s behaving.

So, do you remember back in 2019 when IoT was new and security was sketchy? I figured I didn’t have a lot to lose by installing that smart front door lock. After all, it was nice for the door to unlock when I pulled into the driveway, and then have it auto-lock when I left for work. I could even unlock it for my daughter who dropped by unannounced from out of town. Nice.

At that time, some people weren’t comfortable with the level of cybersecurity in IoT, so they stayed away. Others…they did their homework and only went with devices that were designed from the ground up for security. Smart.”

What’s Involved?

IoT (Internet of Things): “the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data.” So, many “smart” things are in this category: locks, thermostats, lights, alarms, toys, automobiles, garage doors, sprinklers, IP cameras, refrigerators, or your home DVR. Convenience and utility.

IoT can make your home more secure from burglars by automatically locking your front door when you leave, alert you to someone at your front or back door, make your coffee, turn your lights on and off, etc., etc. What’s not to like, right?

This transformational technology is growing geometrically and is poised for an explosion. IHS Market (a London-based global information provider) predicts that by 2025 there will be 73 billion IoT devices installed[ii]. That’s more than 9 per person on earth! With all these devices connected to the Internet, the bad guys are constantly attempting to gain access in order to steal information and steal your stuff.

Are they secure?

With all these advantages, the question becomes what is the risk of installing a smart device? It turns out that there is a lot NOT to like, IF you are not careful. Alas, most IoT manufacturers have no program for disclosing and reporting security issues. A December 2018 report explains that “90% Of Consumer IoT Vendors Don’t Let Researchers Report Vulnerabilities”[iii]. That could mean that if you are not technically inclined or are not willing to do the homework, you may want to wait until IoT technology is more mature and secure.

Here are some of the issues and possible consequences:

“As an example, an IoT thermostat very likely communicates to a cloud server to provide updates and to control the device remotely,” Jett [Justin Jett, director of audit and compliance for Plixer] says. “If the IoT security is robust, but the cloud security is significantly lacking, the entire system is vulnerable.”[iv]

What can you do?

For those who want to enjoy the benefits of current IoT tech, this may be a good time to do a little online research and get a smart lock for your front door or smart LED lights that turn on at sundown and can be controlled from anywhere in the world.

If you decide to take a step into the Internet of Things, remember that your smart device will be part of your local network. So, here’s what you should do.

• Choose your IoT devices not just based on convenience, but also on security.
  • Smart locks are very convenient, and they are as secure as traditional locks IF well designed and supported.
  • Make sure the manufacturer is actively supporting the device.
  • Keep a “good ol’ fashion” key handy when the keyless remote entry fails.
• Insist on strong security and check your devices’ configurations.
• Keep your computer and smart phones updated; they usually share the same network at your home.
• Install computer virus and malware protection
• Use multifactor authentication when possible.
• Don’t use public Wi-Fi without VPN.
• Only use known devices. E.g., if you don’t know where a USB thumb drive has been, leave it alone.

Here’s an excellent consumer guide for smart home devices, developed by the UK government.

The Future

California has enacted the first law covering IoT and this may drive future federal regulations. “The short IoT bill requires IoT manufactures to equip devices with “reasonable” security measures, appropriate to the function of the devices and to the information they collect or transmit.”[v] The move is toward more security and accountability, which is good for the industry and for consumers…like you.

Spectrum IT

The IT Team at Spectrum works behind the scenes to ensure that your investment and personal information is kept safe and secure. We also strive to make sure that Spectrum’s other teams have access to the information they need, enabling them to make the best timely decisions possible for you.

[i] “The next chapter of IoT is just beginning as we see a shift from digitally enabling the physical to automating and augmenting the human experience with a connected world,” says Carrie MacGillivray, IDC. https://www.idc.com/getdoc.jsp?containerId=US44390618

[ii] IHS Markit, The top transformative technologies to watch this year, 2018 (PDF, 16 pp., no opt-in)

https://www.marketwatch.com/story/7-ways-to-keep-your-smart-home-from-being-hacked-2016-10-17

[iii] https://www.forbes.com/sites/daveywinder/2018/12/13/the-silence-of-the-brands-90-of-consumer-iot-vendors-dont-let-researchers-report-vulnerabilities/#4f60977d9c88

[iv] https://www.scmagazine.com/home/security-news/lightly-secured-cloud-with-a-chance-of-iot-attacks/

[v] https://www.scmagazine.com/home/opinions/californias-new-iot-security-law-is-not-nearly-enough-we-need-a-gdpr-for-iotnow/