[BreachExchange] A freelancer's guide to wireless security

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 25 21:14:09 EDT 2018


https://blog.freelancersunion.org/2018/04/25/a-freelancers-
guide-to-wireless-security/

Who else loves wi-fi? Whether you freelance from home or rove the world as
a digital nomad, you can't beat it for convenience.

But how well can you stand up to hackers?

The importance of wireless security

Poor wireless security means the bad guys can spy on you and maybe even
hijack your network. It can mean stolen passwords, stolen bank details,
identity theft, ransomware, all your secrets revealed and your professional
reputation in tatters.

And here's the thing: as a freelancer, you probably don't have a team of
in-house IT professionals to fall back on. It's just you.

Good news: a few simple steps is all it takes to slash most of your risk.
Let's jump right in.

At home

Working from home means you've got your entire business running on your
local network–and probably all your household traffic as well.

So how do you keep it safe?

Encrypt, encrypt, encrypt

Wireless networks broadcast signals into the surrounding air. So what's to
stop anyone with an antenna from eavesdropping? Well.. nothing really.

That's why it's so important to encrypt these signals. You can't stop
anyone from listening in, but you can stop them from making sense of it.

There are three wireless encryption protocols in widespread use: WEP, WPA
and WPA2. You should avoid WEP and WPA. They are both outdated and riddled
with security vulnerabilities.

WPA2 has been in use now since 2004. That means just about everything you'd
want to use will support it.

Change the network name

Using the default network name makes it so much easier for an attacker to
work out what router you're using. Then it's a cinch to look up all the
known vulnerabilities on your device.

Imagine handing a jewel thief a map of your museum marking the contents of
all the safes and the locations of all the security cameras and guard
patrols. That's basically what this amounts to. Stop doing it. It's stupid.

While you're at it, don't use your own name, the name of your business, or
anything else that could identify you. Something bizarre and wonderful is
best. That makes it just that extra little bit more difficult to figure out
which wireless signal is yours.

Patch it

Here's the deal: people discover security holes in networking devices all
the time. Last October, there was a huge vulnerability found in almost
every wireless network on the planet. And countless problems have been
found in specific devices.

Keeping your computers, phones, and tablets up to date is pretty easy–if
they're set up to apply automatic updates, then you're covered.

The bit that most small business owners miss is the firmware on the
router–it's kind of like the operating system for the device. You'll find
the instructions for how to update it in the device's manual; google it if
you've lost the physical copy.

On the road

Okay, so now you've secured your home wireless network. But what about
using someone else's?

The bottom line is that you have no way to really know how seriously anyone
else takes wireless security. It's very likely that the firmware in the
router has never been updated. So assume the worst: that anyone could be
watching at any time.

Part of the problem here is that all the wireless networking standards in
widespread use today are designed so that anyone else on the same network
can see what you're doing. Wireless encryption can shield what you're doing
from outsiders, but it's no help against anyone on the same network.

Does this mean that nothing you do is ever secure?

A bit of paranoia can't hurt

In fact, dealing with all the finer points of this can be such a pain that,
for short trips, it might just be less hassle to avoid public wi-fi
completely.

You can instead connect your laptop to the internet with a 4G USB modem and
prepaid SIM card, which can be had for a similar price to your last tank of
gas. Your phone, of course, already has mobile data.

But what if that's not practical? Either because you're going somewhere
where the mobile network sucks, or because you're traveling through
multiple countries?

Web browsing

It's like this: when you visit a website address that starts with http,
that means everything you do on this website is visible to everyone else on
your network. That includes any passwords or credit card details you enter.

Websites with addresses that start with https encrypt their traffic. Make
certain that any website you submit any information to is using the https
protocol.

Here's one crucial website not to overlook: your own. If your website is on
an unsecured http address, that means that every time you log in to the
administration section, your username and password are visible to the whole
network.

The login details to your own website are a dreadful thing to hand over to
the bad guys

That's all they need to hijack your website to spread malware to your
customers, add links to Viagra websites or just hold you to ransom–there's
so much scope to screw with your livelihood here. So if you absolutely
can't avoid logging in to your website using public wifi, it's time to
migrate to https.

Using the https protocol is not 100% private–the whole network can still
see which websites you are visiting. But it keeps your usernames,
passwords, credit card details, and private messages secure, and that's
pretty great.

Stop reusing passwords

Once you start paying attention to which websites have https installed,
you'll notice that it's not Facebook and Gmail that skip encryption.

The websites that handle unencrypted usernames and passwords tend to be
more along the lines of privately owned internet forums and social sharing
websites. While it's definitely a pain to get these accounts get hacked,
it's not the end of the world.

But what if they can take those exact same login details and get into your
PayPal account? Well, that's a larger problem.

Not reusing passwords is good sense anyway. If you're out there using
public wi-fi, it's crucial.

Remembering so many unique passwords is, of course, impossible. This is
where using a password manager can make your life way easier.

Other services

It's not just your web browsing you need to protect. You hardly want prying
eyes reading your emails or hijacking your email account.

You can rely on the most popular webmail apps–like Gmail or Outlook–to
encrypt their traffic.

But if you use an old-school email client that downloads emails to your
computer, check the settings to make certain that it connects to your email
provider using an encrypted SSL/TLS connection.

If the connection is unencrypted, that means your username and password are
visible to everyone on the network. That's all anyone needs to hijack your
email account.

Do you use FTP to upload files to your website? Bad news: FTP transmits
your username and password in plain text, visible to the whole network.
That means the bad guys can upload whatever they want to your website.

Using a VPN

If you're a real road warrior, you might want to consider a virtual private
network, or VPN.

A VPN sends all your internet traffic through an encrypted connection to a
remote server–that makes it perfect for shielding you from prying eyes on a
public wireless network.

Some home routers can even be configured to work as a VPN server–this gives
you a free service that you can trust. But if your router's in Peoria and
you're in Paris and you suddenly need to switch it off and on again, it can
be tough to hook that up.

New tech will make this easier (one day)

Does this all sound like a total pain in the backside? Well... it kinda is.
But new wireless standards will make it easier to connect to wireless
networks safely.

Just last January, the Wi-Fi Alliance announced a new wireless encryption
standard to replace WPA2, imaginatively titled WPA3. You will start seeing
this in devices later this year.

One of the benefits of WPA3 is that it can offer individual encryption for
each person on the network. This will make secure wireless networking much
more painless for freelancers who rely on public wi-fi.

In theory, there's nothing to stop every hotel and cafe owner from buying a
WPA3 router the moment they hit the shelves. But in the real world, few
small business owners are that engaged with wireless security.

Dedicated coworking spaces will hopefully move to WPA3 not long after new
routers are available. But it will be a few years yet before you can assume
it's in every cafe from Bangkok to Boston.

Wrapping up

Using wireless networks without thinking about security is a bit like
driving an uninsured car: Most of the time, you'll probably get away with
it. But when your luck runs out, it can be so devastating that it's just
not worth the risk.

It's one of those situations where going to a little bit of trouble right
now can save you from a hell of a lot of trouble down the track.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180425/779f37b0/attachment.html>


More information about the BreachExchange mailing list