Securing the Digital World

Slow Down! You're in a Public Environment

Jan 03, 2017 | by Kayvan Alikhani

These days, if you're planning to spend time at an airport terminal or a coffee shop - it's likely that you'll look for a public Wi-Fi hotspot to connect to, and perhaps a charging station, to make sure you don't run out of power.

While our distraction level is high when we're out and about (with all the things going on around us), and we're eager to stay connected... we really need to be "digitally diligent" at all times.

Recently, I spoke with NBC (coincidentally, at an airport), and shared the challenges that users should be cognizant of when using public Wi-Fi hotspots and charging stations.

Here's more color on what to digitally watch out for...

Narrow your online activity to "browsing"

  • First off, if you're connecting to an open Wi-Fi network, try not to log in to online services that are just password-based. Why? Because one of the biggest issues with public Wi-Fi networks is "eavesdropping": cybercriminals are sniffing the network for potential targets, and are looking for your private information, especially your passwords. Also, there's the chance you're connecting to a malicious open Wi-Fi network, and falling prey to a ploy known as Wi-phishing. This is a tactic where cybercriminals pre-empt valid hotspots with their own. This is a particularly compelling approach when the cybercriminal's hotspot has a stronger signal and a legitimate-looking SSID name. Something like "Airport Wi-Fi" looks pretty good on paper. And, once your device connects, cybercriminals could show you fake log-in screens for practically ANY website, ask you for credit card info, or redirect you to malicious sites. So, try to only visit sites that don't require you to "log in".
  • If you really need to "log in" to something (service/app), make sure the sites or services use two-factor authentication (2FA) or, better yet, multi-factor authentication (MFA). These authentication options apply methods other than just a password to make sure that you're who you claim to be. The service may use your fingerprint, or other forms of biometric verification; or the service may ask you to use something else you have, like a second device or an RSA token, to use a one-time password (OTP), so you'll need to confirm you're in possession of that second device. Most good services these days offer 2FA or MFA. If you haven't seen an MFA option during log-in, contact the site or service provider and ask them how to turn on MFA; it's for your mutual protection.
  • Consider the important data you have on your devices and the services your device has access to (your bank, your 401k, your medical records, etc.). Take this into consideration when deciding whether to use public Wi-Fi, and make sure the services you access over it use stronger authentication.

Slow down, and pay close attention to security warning messages

We're like kids in a candy store, quickly pushing "accept" and "OK" on warning notification messages that inconvenience us or delay our access to our beloved sites and apps. But, as users, this is a behavior we need to adjust. Let's hold ourselves digitally accountable for the consequences of our actions.

  • If you see messages such as "your connection is not secure," "Your Wi-Fi connection is not secure," or "there are problems with this certificate," - go back to step 1 and re-read it!!
  • AVOID open SSID (service set ID) networks: If a device has previously joined a network, it will join networks with that same name again whenever a network with that name is within range. The problem is, the new network may be malicious. To prevent this, users should turn off network discovery options like "Remember previously joined networks," or remember to manually remove the network's SSID after each Wi-Fi session, especially for connections they made while in public.
  • Consider encrypted local Wi-Fi: If you're connecting to business apps, IT administrators can now offer users "encrypted local Wi-Fi" solutions, allowing you to create private networks among your multiple devices from any location.
  • Don't change settings to install apps: If an app or site asks you to change your device settings so it can get installed on your device, don't do it. Oftentimes, by pressing "OK" to download such apps, we may, in fact, be installing malware on our own devices. In other words: Always assume it's malware, and work your way back from there.
  • Juice-jacking: USB-based public chargers can be problematic. USB juice-jacking occurs when a user connects their device to what appears to be a "Public USB charger," but it's actually a malicious USB host system. A user who is not careful with the prompt messages that appear on their phone, asking if they want to "allow access" to their device (or "trust this computer"), may select "allow" without realizing what has been done.
    A cybercriminal can then potentially access or delete the user's data (such as photos, videos, etc.) and copy malicious content to the user's device.

To avoid USB juice jacking:

  • If and when possible, use an electric power connector instead of directly connecting to a public USB charger.
  • If your only option is to use a USB charger:
    • Turn your device OFF before connecting to USB chargers
    • If you are expecting an important call or message, keep your phone locked while charging
    • If you HAVE to use your device while charging with a USB cable, use a "charge-only" USB cable, which prevents any data transfer over the cable

Turn it off when you don't use it

  • In public environments, unless you're using the Bluetooth capability of your device, you should turn it off. Not only does it save battery, but it also reduces the chance of accidental or intentional pairing of your device with someone else's device or a rogue application.
  • Similarly, for Wi-Fi connections in public environments, users should turn off a) print & file sharing, and b) network discovery (also known as either the "network notification" or "notify me" Wi-Fi setting) on their devices.
  • Avoid tethering on your device without appropriate Wi-Fi security (for example, avoid: Open, WEP; use: WPA2).
  • Lastly, it's tough to know which Wi-Fi network is "good" and which one is malicious. So, once you're done using your device for browsing, making calls, checking your email, etc., you should turn off the Wi-Fi and Bluetooth, and then lock the device's screen. Keep in mind: locking the screen does NOT automatically turn off Bluetooth/Wi-Fi/USB based connections from the outside.
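The advice above about remembered networks (a device re-joins any network whose name matches a saved one) and about avoiding Open and WEP security can be turned into a check. The following is an added example, not part of the original post: it assumes a Linux laptop managed by NetworkManager, whose saved profiles are keyfile-format text, and the sample profiles and function names are constructed for illustration.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (the layout of
# *.nmconnection files); SSIDs and settings are made up for illustration.
SAMPLE_PROFILES = [
    "[connection]\nid=Airport Wi-Fi\ntype=wifi\n[wifi]\nssid=Airport Wi-Fi\n",
    "[connection]\nid=CafeOnce\ntype=wifi\nautoconnect=false\n[wifi]\nssid=CafeOnce\n",
    "[connection]\nid=OldRouter\ntype=wifi\n[wifi]\nssid=OldRouter\n"
    "[wifi-security]\nkey-mgmt=none\n",
    "[connection]\nid=Home\ntype=wifi\n[wifi]\nssid=Home\n"
    "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "[connection]\nid=Wired\ntype=ethernet\n",
]

WIFI = ("wifi", "802-11-wireless")                    # section name and legacy alias
WIFI_SEC = ("wifi-security", "802-11-wireless-security")
WEP_KEY_MGMT = {"none", "ieee8021x"}                  # static and dynamic WEP

def _section(cp, names):
    """Return the first section present under any of its alias names, else None."""
    return next((cp[n] for n in names if cp.has_section(n)), None)

def classify(profile_text):
    """Return (ssid, security, autojoin) for a Wi-Fi profile, or None otherwise."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(profile_text)
    conn = _section(cp, ("connection",))
    if conn is None or conn.get("type") not in WIFI:
        return None
    wifi, sec = _section(cp, WIFI), _section(cp, WIFI_SEC)
    ssid = wifi.get("ssid") if wifi is not None else None
    if sec is None:
        security = "open"                             # no security section: unencrypted
    else:
        km = sec.get("key-mgmt", "")
        security = "wep" if km in WEP_KEY_MGMT else km
    # NetworkManager auto-joins a saved profile unless autoconnect=false is set.
    return ssid or conn.get("id"), security, conn.getboolean("autoconnect", fallback=True)

def audit(profiles):
    """List saved open/WEP networks, auto-joining ones first (forget those first)."""
    found = [c for c in map(classify, profiles) if c and c[1] in ("open", "wep")]
    return sorted(found, key=lambda c: (not c[2], c[0]))

if __name__ == "__main__":
    for ssid, security, autojoin in audit(SAMPLE_PROFILES):
        print(f"{ssid}: {security}, auto-join={'on' if autojoin else 'off'}")
```

Profiles reported with auto-join on are the ones a look-alike hotspot with the same name could capture; forgetting them or disabling auto-connect removes that exposure.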

Accountability applies to companies as well (not just users)

Reducing public digital vulnerabilities is not just an end-user behavioral concern; organizations can plan better as well.

  • Businesses are re-evaluating their security strategies end-to-end, to tie security requirements with business risk, or what we at RSA call business-driven security.
  • Knowing their services will be accessed from devices and networks they can't control, and knowing that identity is now the most consequential security aspect of any modern IT system - companies need to incorporate secure identity assurance measures into their business solutions.

Times have changed

Less than a decade ago, this wasn't as big of an issue. For example, consider company workers; they were provided company-managed devices that worked on well-defined networks within contained perimeters. The use of passwords for user identification on company-owned devices, business-owned and -operated apps, and company firewalls was not as consequential of a security threat. Today, users own their devices, they connect to public networks, and they access 3rd-party managed cloud-based software and re-use the same passwords when accessing non-company services. As a result, the perimeter has clearly changed.

User identity protection is the new perimeter that we need to defend - both on an individual and an organizational level. Organizations today need to adopt identity solutions that encompass users accessing apps and services from a variety of devices, on a diverse mixture of networks, and using an evolving collection of identification methods.

As users, we all need to be more attentive about our digital behavior, especially in public forums, where we should pay closer attention to messages, warnings, and signals. It's important for everyone to be vigilant and "digitally diligent" - particularly considering this evolving cyber security battleground: public environments.

Check out my interview with NBC about insecure networks, here.