As Richard Allen reported in his blog post, Public Wi-Fi Network: Consumers unaware of threat from hackers, Public Wi-Fi is not as safe as you might think.
Basically, Wi-Fi hotspots are risky because an open hotspot does not encrypt the information you send over it. If a network doesn’t require a WPA or WPA2 password, it’s definitely not one you can trust.
If you use an unsecured network to log in to an unencrypted site — or a site that uses encryption only on the sign-in page — other users on the Public Wi-Fi network can snoop on your activities. They can even hijack your session and log in as you thanks to hacking tools, which are available to buy or even free online — meaning that users with zero technical know-how can hack into your laptop.
As the US Department of Homeland Security website, OnGuardOnline, says: “An imposter could use your account to impersonate you and scam people in your contact lists. In addition, a hacker could test your username and password to try to gain access to other websites – including sites that store your financial information.”
So what can any of us do to make using Public Wi-Fi safer and less likely to result in the types of fraud that Stephen Proffitt, Deputy Head of Action Fraud, has described?
Armed with the knowledge gleaned from Whitson Gordon's excellent LifeHacker article, How to Stay Safe on Public Wi-Fi Networks, I asked 7Safe’s penetration testing lead, Aleksander Gorkowienko, to comment on the practical steps that consumers and business people can take to reduce the risks.
(Picture: Aleksander Gorkowienko, 7Safe Lead Penetration Tester, by Stephen Bond).
Aleksander (Aleks): There are settings and apps that can keep you a lot safer than relying on chance. If the network you are using is shared by others in a public space, you could do worse than turn off what you don’t need because you are not at home. For example, sharing files, sending documents to your printer using a Wi-Fi connection, or even using a remote login from other computers on your home or business network … when you are sitting in a café, you probably don’t need to use these sharing services. Worse than that, you may find that you haven’t password protected the services that you use at home – even if your neighbours are near you! So I would start by turning off unnecessary sharing options for different network profiles. In Windows, open your Control Panel, find Network and Internet > Network and Sharing Centre, then click Change Advanced Sharing Settings. The obvious candidates to turn off are file and printer sharing. You may also want to turn off network discovery and Public folder sharing … unless you want other people in the café to access your ‘public’ documents. Since you are probably working on a laptop or notebook device in a situation where you are essentially solo-working or enjoying yourself, you don’t need to share. Note that Windows will do this for you automatically if you specify the network as public. In OS X: you need System Preferences > Sharing, where you can uncheck all the boxes. Additionally, ask yourself: do you trust the company which gives you access to their public Wi-Fi? What do you know about their configuration? Think about what services could be enabled on your computer. What could you lose if an anonymous person were to access this information?
M: Can anyone in the café see that you are using the Public Wi-Fi network?
Aleks: Yes, although if you turn off network discovery, other people won’t see your machine (note: this would not stop hackers from identifying your machine in the local network neighbourhood!). In Windows, look for advanced sharing settings. In OS X, look under your firewall advanced settings and select “stealth mode”. As the name suggests, this mode makes you invisible to other users on public Wi-Fi networks, reducing the chances of being hacked (reducing, but not removing them completely). I would stress, though, that it is still possible to discover you.
M: Do firewalls help?
Aleks: Yes, they will. Make sure that your firewall is turned on. You can select which applications are allowed to access the firewall – click on “allow a program or feature” in Windows or “advanced” in OS X. However, don’t fully rely on firewalling as protection.
M: What about website connections? Do web apps reduce our protection?
Aleks: Website connections over HTTP are risky in public places because there’s a lot of plain text that hackers can sniff out. Make sure that you are not entering any passwords that are visible in this way. Use HTTPS for visiting websites and enable SSL when using applications that access the internet, your email client for example.
Facebook, Gmail, and other sites where you enter logins and passwords will do this automatically. Watch out, though, for “http” connections in place of “https” when entering passwords or other sensitive information. Also, ask yourself if it’s really necessary to access your bank account in a café when you will be home in an hour or two. The risk may outweigh the benefit. The same is true for email if your accounts are not SSL encrypted in their settings. Make sure that your domain supports SSL and that you have checked the “use SSL” box before you send confidential emails to the bank or anybody else. If you are not sure how to set up email clients and ports to enable SSL, you might be better off not using email – especially when you don’t really need to. And if you are a business user, make sure that your IT department has set this up for you. 7Safe’s penetration testers often find weaknesses like this. We can advise on what you need to do to achieve much more secure email clients.
M: What about sites that don’t offer SSL encryption?
Aleks: Hackers watch for signs of activity wherever traffic is not encrypted – and not all sites offer SSL encryption. Consider using a VPN – virtual private network – so that everything you do is routed through a private network even though you are on a public one, but again, ask yourself (and Google the subject): do you trust the vendor of the solution? The protection is based primarily on a replacement of the user's IP address. A proprietary Windows VPN client like CyberGhost – as recommended by Whitson Gordon of LifeHacker – prevents identifying information about your device, such as its operating system and browser identifiers, from being seen by hackers.
M: Where can I get hold of a VPN?
Aleks: I would recommend reading ‘Why You Should Start Using a VPN (and How to Choose the Best One for Your Needs)’, a LifeHacker article again, for a useful list of providers. If you are a business user, before you download a VPN app, check what your organisation provides. Corporate users are often provided with IPSec or SSL clients anyway. Once again, we can advise businesses on setting up VPNs.
M: How do you turn off Wi-Fi?
Aleks: Simple: in Windows, just right-click on the wireless icon in the task bar and turn it off. On a Mac, click the Wi-Fi icon in the menu bar and select Turn AirPort Off. Not much use if you want to access the internet … however, if you are sitting writing your latest novel or a business report, turning off Wi-Fi will reduce the chances of snoopers finding you in the first place. Once again, if you don’t need it, turn it off!
M: This sounds like a lot of hard work every time you want a cup of coffee?
Aleks: You can automate settings, customising them by opening your Control Panel and navigating to Network and Sharing Center > Advanced Sharing Settings. For each of the profiles listed, you can turn network discovery, file sharing, public folder sharing, media streaming, etc., on or off. In OS X, you can install an app like ControlPlane that turns on your firewall, turns off sharing, connects to a VPN, and other things. It is much better to think ahead than to cry later when, for example, you find your private pictures at random places on the Internet.
M: Are secure HTTPS connections to websites available that you can automatically select?
Aleks: The HTTPS Everywhere Firefox extension and its equivalent in Chrome are worth considering, in that they ensure secure HTTPS connections to any supported website that you visit. Look for https on every page you visit, not just when you sign in. If any part of your session isn’t encrypted, your account could still be vulnerable.
M: What’s your best advice for making Public Wi-Fi access as secure as possible?
Aleks: Make secure settings the default for the system that you carry around with you. So, by default, file sharing would be turned off, your firewall would be set to its most secure state, … and this would remain so until you return home when an app like Airport Location or NetSetMan, etc, would turn on your ‘less secure’ settings.
The message from Aleksander Gorkowienko is simple and clear: limit your exposure to the risks of Public Wi-Fi by paying attention to your settings and not making yourself vulnerable when you don't need to. However much extra time and effort this all entails, taking sensible cyber precautions will cost you less than a compromised system!
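To show what “secure settings by default” looks like on a Windows laptop, here is an added example that consolidates Aleks’ Windows advice (treat the network as Public, keep the firewall on, switch off file and printer sharing and network discovery, and look at what is still listening) into one script. It is not code from the original article or from 7Safe; it assumes Windows 8.1 or later with the built-in NetConnection and NetSecurity PowerShell modules, run from an elevated prompt.

```powershell
# Added example, not from the original article or from 7Safe.
# Assumes Windows 8.1+ with the built-in NetConnection/NetSecurity modules
# and an elevated (Administrator) PowerShell session.
#Requires -RunAsAdministrator

# 1. Treat every currently connected network as Public. Windows then applies
#    its Public profile, which already disables network discovery and sharing.
Get-NetConnectionProfile | ForEach-Object {
    if ($_.NetworkCategory -ne 'Public') {
        Write-Host "Setting '$($_.Name)' (interface $($_.InterfaceIndex)) to Public"
        Set-NetConnectionProfile -InterfaceIndex $_.InterfaceIndex -NetworkCategory Public
    }
}

# 2. Keep the firewall on for every profile and block unsolicited inbound
#    connections by default. NotifyOnListen False suppresses the "allow this
#    app through the firewall?" pop-up that invites a careless click-through.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -NotifyOnListen False

# 3. Explicitly disable the inbound rule groups that expose the machine to
#    other users on the same network, so the setting survives a profile change.
$groups = 'File and Printer Sharing', 'Network Discovery', 'Remote Desktop'
foreach ($g in $groups) {
    Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

# 4. Report what is still listening on non-loopback addresses, which answers
#    Aleks' question "what services could be enabled on your computer?".
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort -Unique |
    Format-Table -AutoSize
```

Anything listed in step 4 is reachable by other users of the hotspot unless a firewall rule blocks it; each entry should be a service you deliberately want exposed, and the rest can be stopped or blocked before you connect.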
For all enquiries contact: Michael Shuff, 7Safe, on +44 176 326 7639
Looking for Cyber Security services you can trust – used by Government organisations and the Police? Click through to 7Safe’s information pages:
…before your organisation becomes the next high-profile victim of a cyber-attack.
Had a cyber-incident? Need to know who did this to you?
Concerned about the online activities of an employee?
Collecting evidence that you can take to the Police or use in civil proceedings?
Read about our Digital Forensics Investigation services:
Or speak to one of our trained advisers in complete confidence on 0870 600 1667.