Security using public wifi?

I've been on this digital security kick. I did the basic stuff before, but now I'm encrypting my harddrive, using cloud back up in addition to backing up at home. I also started wondering about using public wifi. How secure is that?

Right now my security measure basically involves avoiding doing anything sensitive while using public wifi (banking, etc.), and making sure the URL had an https whenever I need to send a password. But I remain queasy, partly because the technical knowledge is beyond me. What do you do to stay secure while using public wifi?

There are two issues associated with using an insecure wireless network.

The first is transmitting sensitive data. Don't do that without encryption. Don't accept certificate warnings from HTTPS websites without really knowing what you're doing.

The second risk specific to insecure wireless networks is that your computer might be compromised by an attacker connected to the same network. Keep your updates current for your operating system, browser, office software suite, and whatever else you're using. Use a host firewall; the firewall built in to Windows is quite good as long as you keep it turned on and don't configure exceptions.

While the utility of signature-based antivirus is limited, use one and keep it up to date. Some of the free ones (Microsoft Security Essentials, AVG and others) are quite good. Additionally, I strongly urge that you completely remove all forms of Java and Flash from your computer, which may mean not using some websites. These risks aren't specific to insecure wireless networks but are both common and serious.

I only use public wifi when I'm on my Galaxy Tablet. I keep no personal data on it, I never log onto a site that has my payment/financial information and I don't use it for banking or e-commerce. Just web surfing.

I am high-tech challenged
OK, I am near illiterate when it comes to computerized stuff

The other day, I put my Galaxy Tab near the laptop and was surfing and working on the laptop. When I shut off the laptop and grabbed the Galaxy , it had several notifications ( like some Apps have been updated, a screen shot had been taken earlier ..etc. ) Among those notification I was perplexed to see ( Remote PC ...)notification, and I started wondering if the Galaxy did communicate with the laptop, and what did "they say to each other" !!

Still wondering, and hope our high-tech gurus help.

Would setting up and using a VPN (Virtual Private Network)increase security when using "public" wi-fi networks, like in airport lounges or when using local ISP's when traveling overseas (e.g. using a local sim card in my phone to get internet)

I just got back from an extended trip in Eastern Europe, and these security issues were a bit of concern. I know nothing about VPNs other than they exist and that they claim to 1) increase security and 2) get by internet blocking (e.g. would have let me watch Netflix while sitting in an airport lounge for 6 hours)

I've never had anything running the Android OS. I understand that Remote PC is an Android app that allows for remote access of devices. Do you use such a thing? Was it included with your device? If the answer to both of those questions is "no," I would in your shoes be concerned that your tablet was compromised.

There is no security on the network. If you get on the internet, there is no protection. Encryption can be defeated, so whatever is on your hard drive can be read by others.

Work under the assumption that if you are going to be on the internet, whatever you do is unsecured, and whatever is on the machine you are accessing the internet with is unsecured. The only thing that is keeping your information and activities from being compromised is that you are a little fish, and not worth the effort for the moment, but that could change at any time.

Consider it a fact that someone(s) have already hacked your machines, looked to see if you have anything they are interested in, and probably moved on due to lack of interest. They have a list of all your passwords and should any of them ever want to get back into your system they can at will. The most likely hackers: government agencies.

Work under that premise, and you know where you stand.

There is no "secure" on the internet, regardless of what connection you are using.

I don't entirely agree with benjammin. I bank, shop and do my taxes via the Internet. As a home (not corporate or government) user, if you take reasonable steps to keep yourself secure your chances of suffering from a compromise can be significantly reduced.

However, if you are targeted by an advanced attacker, they're very likely to succeed.

With every risk you can choose to mitigate it, accept it, or insure against it. I've chosen to mitigate my risks significantly, and I also bought an identity theft rider with my homeowner's insurance.

There are a lot of "hacker" kids which may just try and succeed hacking any size of fish floating nearby just by an accident. So, obvious security measures, mentioned by chaosmagnet, should not be ignored, as well as a basic security threats and practices knowledge (i.e. change your password often, cover the keyboard typing the pass in public).

For the free (such as "cafeteria") wifi - I wouldn't be too concerned. It's usually too weak to efficiently brute force and download something significant, randomly searching strangers, or to deploy a targeted attack. Just not enough time for the given bandwidth. The typical hack of such a WiFi hotspot would be to fake their proxy server. But google browser will immediately tell you about that (not so sure about stock IE, though), just don't be ignorant to messages on the screen.

VPN is definitely beneficial to reduce your communications exposure, unfortunately it's quite complex solution for a newbie and have serious impact on performance of internet device.

Chisel, "Remote PC" Android notification might stand for the PC being discovered over BT or NFC (as a potential data exchange device), not necessarily as an act of unauthorized remote access.

Uninstall KB3035583 on your Windows PC to remove the Microsoft Spyware installer gwx.exe. Never use Public Wifi either. Never use Facebook or any other social media that can track your online behaviors. Encrypt your email. Enigmail plugin on Thunderbird works quite well.

Thanks guys

I only use th galaxy to GET ( not GIVE) info. For example I use the galaxy to surf stock trading forums for hints & insights but not to do trading.

Iam still new to the Galaxy thing and still stumbling around it. So when I logged in this forum to writr this I accidently found myself out. The first time it asked me if I wanted username & password saved. I chose NEVER option. Second time logging in I was starting to write username when it gave the suggestion (chisel) .. LOL. So much for NEVER!!

Internet security is much like regular security like door locks and car alarms. It's very difficult, impossible perhaps, to completely secure information, just like no home door lock is entirely immune to attack. Your goal is to make it so difficult and time consuming that the thief moves on to greener pastures.

Public WiFi does have it's security problems. If your worried about someone eavesdropping on you (and that's a very real possibility), there are several VPN solutions for Android.

I have used AVAST Antivirus for years (It's free and decent), and they make clients for both Windows and Android.

They also have a Secure VPN client just for Android. It's a subscription, and not free, but it works very well and would take the risk out of using public Wifi.

And looking through these posts, I can't help but comment on some of the more "Don't trust the internet, the government see's and knows all!" posts.

[redacted]

This was actually the first mention of government at all in this thread. This post was off topic and inappropriate.

UPDATED: It's been pointed out to me that there was a previous mention of the government in this thread.



chaosmagnet

While we're on the topic of computer security, let me ask about a situation I found myself in today.

My online backup service offers "default encryption" and "private encryption." In the former, the company would store your data encrypted, but you don't have to choose the key. In the latter, you choose your own key "for even greater protection." If you forget your key, your data cannot be decrypted (unless you're the NSA, I guess). Both systems use the 256-bit AES encryption. The tech support reassured me again and again that with default encryption, my data is perfectly safe, that their employees would have no access to my data. I kept asking, "But the key would have to be stored somewhere, right?" They kept avoiding answering that question. So that doesn't give me a lot of confidence. Even though I only have personal stuff, nothing of commercial or national importance, I still wonder whether using an encryption key I don't control is a gaping hole.

That's a really good question, Bingley. It's analogous to one of the most fundamental and important questions in information security, the key distribution problem.

Briefly, we can make encryption that cannot ever be broken through cryptanalysis of intercepted traffic, using a one time pad (OTP). Why doesn't everybody use OTP then? Because distributing the keys, securely, to everyone with whom you might want to communicate is an absurdly difficult problem if you're going to communicate with more than a few people or if you don't already have a secure channel already -- and if you have a secure channel already, why do you need an OTP?

Back to your questions.

First, AES256 is really, really strong, so strong that using current supercomputer technology it would take more time than there is left before the end of the universe to crack your key. Nation-state actors who want to decrypt AES256 need to get the key some way other than cryptanalysis.

Second, you're right: If you let your online backup service manage your key, that means that they have access to your key. While the service I use claims to -- and almost certainly does -- use strong internal controls to prevent unauthorized access to keys, keys could still be compromised by a sufficiently advanced attacker or by legal process.

So how do you balance the risk? For me, I read about the (claimed) security procedures used by the online backup service I subscribe to. I decided they were using a pretty secure method, and that the risk (to me) of key compromise was less than the risk of losing the stored data.

I let my online backup service manage my key.

Thanks for the thoughtful response, and for taking the time to compose it! You are truly a help. For me, it's also a matter of weighing the compromise. I just wish the tech support guy were more informative than repeatedly asserting "your data is safe!"

You're welcome. I've been doing infosec for my entire adult life. Your tech support rep probably wasn't trained to discuss the complexities of key management.

As the Prisoner once asked 'WHY?' to the General all those years ago.

Perhaps this Video JADE HELM (Master The Human Domain) decoded might begin to start answering that Question.

https://www.youtube.com/watch?v=oqGEz9IqOrE

I apologize, my comments here were not constructive to the conversation. I am truly sorry if I offended anyone.

Nor do I (no offense intended benjammin!)

There is a concept of "reasonably secure". For example, it is possible that I could be attacked by a shark here in Colorado. We could have a "Shardnado". But am I going to stay inside for the rest of my life because I'm worried about the possibility?

If you are using good encryption, there really isn't much to worry about. Yes, the NSA could probably hack you if they specifically targeted you and went to great expense and effort to do so. But you're more likely to run into a thief who would crack you over the head with a baseball bat and just take your silly computer from you, along with all the data it contains.

Personally, when using a WiFi hotspot (which is very rare for me), I VPN into my home network and then bounce out onto the internet-at-large from there. But setting up a VPN on your home router or other server is not for a computer lightweight or newbie.

Just about as secure, and an order of magnitude easier, is setting up an "SSH tunnel". Of course, that implies you know how to set up an SSH server on your home network. Again, not really for a computer lightweight.

My advice? If you wouldn't scream out everything you are typing to a crowd, don't send it over a WiFi connected web browser unless you are 100% sure you are connected using HTTPS (a little lock icon appears on most/all web browsers to indicate this type of connection). And even then, I wouldn't do something sensitive like banking or your online taxes over a public WiFi connection, even if HTTPS. Is it really that critical that you access your bank from Starbucks that it can't wait until you get home?

As far as trusting encryption provided by web file hosting or cloud services, I would never trust that. Of course they will tell you that they are ultimately secure. I'm sure that's what "Ashley Madison" told their customers too! I would only encrypt files locally, then send them up. if the hosting service wants to re-encrypt them, that's all well and good, but the salient point is that I controlled my own encryption and didn't rely on them. Note that doing things the way I recommend means that you cannot easily "share" your stuff between devices using the cloud. Each device would have to be set up to do it's own decryption (YOUR decryption, not the cloud hosting company's decryption). The solution to this is to set up your own personal cloud, controlling that with your own encryption. But we're back to "not for the computer lightweight" again, with that suggestion.

Of course, the bigger problem is that you can't really trust the info sec of your bank, the IRS, etc. I think we've seen that information security is in danger of becoming security theater. The internet as we know it was never designed with security in mind. Really it was never designed with any inkling that it would become what it now is. It's like a huge tent that you only intended to spend a week in; then you build on again and again until your tent is big enough to host a circus in. But no matter how big it gets it's still a tent! And how you lock the a tent?

According to the government as many as 1/3 of Americans SS #s have been exposed! That's maybe 100,000,000 people in the US alone! And how many retailers have lost the CC numbers of 40 or 50 million customers?

I'll tell you what's really scary, to me at least- biometrics. Because for it to work your input must be compared to a db somewhere that has your vital statistics. And if your SS# is compromised you can get a new one. But how do you get a new retina or fingerprint?

At some point when we move from IPv4 to IPv6 we need to enhance the security infrastructure of the entire net. But it's not like remodeling a house while you live in it; it's more like remodeling a spaceship while you're en route to Mars! Pretty hard to shut it down long enough to make the changes we need to make.

I'm not offended, but y'all say you disagree with me, then go on to basically support my point. Not a problem, we just have different ways of delivering the same message I guess.

Work under the assumption that there is no real security. Then you can prepare for if/when your security really is compromised.

It's like why I carry a concealed weapon. Chances are I will never have to use it to defend myself. Odds are that my lifestyle will preclude me from those sort of confrontations. I don't hide in my house to avoid crime, but I plan and take reasonable precautions because it is always a possibility. I take the same view about using the internet for anything. I still do business on the internet, including accessing public Wi-Fi connections and using mobile devices. I assume I have been/will be hacked somewhere along the line, so like y'all, I've taken steps to insure that no real damage could be done. Since I am not as tech-savvy as others, my methods for mitigation are to control the source more than the method. Hackers probably won't have a hard time accessing my info, but it also won't benefit them much either if they do. Seems like the easier route for me. YMMV.

We may not agree on the approach, but the objectives are similar. Making it not worth the bad guy's effort to come after us is good strategy.

My .02...
1) A WiFi network is only as secure as it was setup to be. As a general rule of thumb, public WiFi is not secure.

2a) The next generation of security is not going to be biometrics. It's two factor authentication. In addition to your username and static password, a second, changing, password is required. Microsoft offers an app with a code that changes every 30 seconds, Google will text you a one-time-use code. It all but eliminates brute force attacks, and unless someone is very very clever, requires physical access.

2b) With the recent SCOTUS ruling regarding compelling alphanumeric passwords (warrant needed) vs biometrics as passwords (no warrant needed), the industry is going to be very shy about biometric passwords.

3) Regardless of the connection to the net, anything more complicated then a basic cell phone is going to require antivirus. And, if used for two factor authentication, the ability to remote erase the memory.

4) Either don't store anything valuable on a mobile device, or encrypt the drive. Systems like the IronKey flash drives, with self destruct capabilities, are about as good as you're going to get for mobile memory.

5) There's not a flipping thing you can about somebody else's infosec. Operate on the assumption that they will be hacked. Encrypt whenever possible.

How complicated our modern life is! I have to back up my computer locally and on the cloud. Then I have to encrypt the computer, the local backup, and the cloud backup.

Then I have to encrypt the phone and the USB thumb drive. I have yet to look into how to back up the phone, too. And encrypt the backup.

Thanks for the reminder about mobile devices, Mark!

I used to backup my computers on a cloud backup service. However, the concept never sat right with me. What if I have no wifi to recover the backup? What if the corporation hosting the online backup suddenly closes its doors? What if their servers are damaged? Where are the servers that have my data anyway? What if their encryption algorithm malfunctions when I need to recover?

So, I currently use a combination of Dropbox and local real-time backup. I know Dropbox is not that secure, but the convenience outweighs the lack of security for me. Also, I encrypt sensitive data before it's uploaded to the Dropbox servers. With Dropbox, all three of my computers have the same data in real-time. Thus, each of the three computers and Dropbox is a backup.

Further, I run a dedicated local backup that goes to an external hard drive by using the simple Yadis Backup program. It makes a real-time mirror backup with versioning. The whole system works so smoothly that I don't even notice it until I need a recovery.

ireckon's plan is well-thought-out and sounds good for his needs.

In addition to a cloud backup I take full image backups onto local storage. I figure the chances of there being a disaster that takes out the cloud backup service, my computer, and my local backup more-or-less simultaneously will leave me caring a lot less about my data.

That's what the last dinosaur said!

Thanks for the ideas, ireckon and chaos. I, too, have a local backup in addition to cloud. I'm making it a project to be better and more organized about my electronic data.

Also, it appears my employer provides VPN. So I can use that while accessing this forum while enjoying my coffee and wifi at a cafe. I haven't started, though, unsecure me...

That is very true.

Many people worry about theft of information in transit to it's intended destination. The "unsecured WiFi" angle. While there is potential for theft there, the bigger potential is AFTER it's reached it's destination. And it doesn't matter what route your data took to get to that final destination - over WiFi, sent in a physical letter, faxed, communicated over the phone. All these big hacks you read about almost daily are not intercepting data from unsecured WiFi connections. They are hacking into the final destination servers and stealing entire databases of many peoples data. And if that final destination database is not well encrypted and protected, you're hosed. Doesn't matter if your data got into the database via WiFi, or from you sitting at a desk with a loan consultant at your bank typing it in on their hardwire connected desktop computer.

Thats where you can minimize the destinations. I went a few years ago and consolidated and closed down accounts at various places so my data is held by fewer destinations. I kept two banks and closed out all those credit cards and such at the others. Now instead of 10 different banks having my current information only two do. I now only have to connect to two to get statements, pay bills, etc.

Keep in mind that while the big hacks are making the news, the small hacks of individual PCs are happening constantly and not making the news. Insecure WiFi is still a significant vector for those sorts of attacks.

I guess I'm discovering this really late, but apparently many modems have default passwords that are all the same for a given model, and that includes admin passwords! What's more, you can get a list of the modem and their passwords on the internet!! And most people don't bother changing the password!!! I'm running out of exclamation marks!!!!

http://securityspread.com/2013/07/01/modem-secure/

Whose bright idea is this? I can understand if a modem comes with default passwords specific to that individual modem, but for all modems of the same model to have the same passwords...

So, boys and girls, change your modem passwords (including the admin password) if you haven't ever done so.

It's for manufacturing simplicity since it would be difficult to match a given manual to a given modem or it would cost more and add a step to put a correlated sticker on the box.

Also gives Tech Support a fighting chance to fix things.

Caveat emptor.

Of course they do. That way, when someone changes their password (as you should always do), then promptly forgets it, they can reset the modem to factory defaults (typically a small pushbutton on the device), look up the default password in the user manual or on the internet, then get back in.


I don't know if that's true. But if it is, yeah, people sometimes do dumb things, or fail to do smart things.


You would have a LOT of modems in landfills if people had to save and keep track of individualized default passwords. Folks would be locking themselves out right and left.

Typically. modems and routers have default passwords, but also by default, remote access is usually disabled. Meaning that clueless people who don't know to change their passwords would also probably be clueless about having to manually activate remote access. So with no remote access, their modems would still be "relatively safe", because someone would have to connect to the modem from inside the home to be able to use the default password. Still, change your passwords and don't depend on "remote access is disabled" to protect you, because sometimes it won't.

The cable modem/router combinations I've seen around here that are provided by the cable companies tend to have unique passwords by default, that are attached to the back side of the modem/router with a sticker. However, your cable ISP can still get into the modem from their end via a master password or some other backdoor built into the modem, regardless of what you set the password to.

Routers that you buy on your own however, always have default passwords in my experience. I've never run into one that did not.


Yes. And change the default combination to your pushbutton locks too. That combination you probably have now, "push two and four together, then push three", isn't very safe either...

Some manufacturers (not of any consumer gear that I know of) require a password change during the initial configuration.

You should take it as a given that if a threat actor gains physical access to your workstation, server, router, switch, or whatever, it's owned.