We asked information security specialists to explain to us the rules of hygiene.
Ever since we were children, we know that we have to wash our hands when we come in from the street. But we don’t think much about the fact that by the same principle (“from the street”) our mobile devices can also get sick. More specifically, your data can be stolen.
How to protect yourself from sly crooks taking advantage of the naivety of fans of free public Wi-Fi? We asked information security experts to explain to us the rules of hygiene.
I’m not afraid of anything, because I use strong passwords.
Complex passwords are fine, but they can still be cracked; a program just takes longer to find the key than it would for “qwerty12345”. In the case of Wi-Fi hotspots, the password has nothing to do with it, even if it contains over twenty characters with alternating Cyrillic and Latin letters, special symbols and numbers. The vulnerability appears at the moment the device joins a public network.
Consider also that gadgets can automatically connect to known networks. For example, you went to a cafe and used the local hotspot, getting the password from the waiter. The next time you go in, your smartphone or laptop will connect to that network as soon as Wi-Fi is enabled. Moreover, in some establishments or public networks there is not even a password: anyone can connect.
What is the danger of automatic connection?
With the right skills, an intruder can easily access data from the computers connected to the hotspot. Attackers can also create a doppelganger: a network with the same name (network ID, SSID) and password. Of course, there is no guarantee that the connection will be made to the “evil twin”, but it is possible: such a network may have a stronger signal, you may have automatic connection enabled, or you may simply be unlucky when choosing between two networks with the same name.
By pairing your device to a rogue network, you run the risk that data sent from your gadget will fall into the wrong hands. Your accounts and bank cards are at risk, as is information on your drive if malware manages to get onto your computer.
So the first tip is to disable automatic connection to known networks in your device settings. This item is usually found in the wireless access settings.
You can recognize the twin only by indirect signs. Firstly, the browser may warn you of the potential danger when opening pages, by displaying an encryption error message or simply by refusing to open the site. Secondly, substituted pages are not always identical to the original. If you suddenly see different fonts on a familiar resource (and you did not change them in your browser), or there is no animation or it differs from usual, that is a serious reason to beware.
With an “evil twin”, a fake site may have the same URL as the real one: the malicious user simply serves you a fake site using his own DNS.
We recommend that you change your DNS servers to Google’s DNS servers when connecting to a public network.
In practice, it is almost impossible to identify a twin. It is impossible to patent or license an access point name. Anyone can deploy access points with any name, even if similar ones already exist.
So what to do?
If your mobile operator has an affordable plan, use the Internet from your smartphone and, if necessary, share the connection with your laptop. But this is not always possible, say, when traveling abroad: you can go broke on roaming data charges.
The first rule of working safely on public networks: never connect to public networks. The second rule of working safely on public networks: never connect to public networks at all.
If you really need to, follow these rules:
- Don’t use a public network to access mail, social networks, online banking and other important services. Searching on Google or watching YouTube is acceptable.
- “Proper” public networks should have an authorization page – you enter your phone number there, they send you a code.
- Check the certificate on the network’s authorization page. If the network does not have an authorization page, do not connect to it.
- The certificate on the authorization page must be trusted.
Okay, then what NOT to do?
- Try not to shop online or enter passwords while your device is connected to a public hotspot.
- As cliché as it sounds, make sure no one can see what password you are entering. Just in case, check to see if there’s a security camera above you.
- Do not connect to networks that do not require a password at all. A network called “MTS_wifi_free” may not be an access point of a well-known operator, but simply bait for gullible people.
The user should understand that when connecting to an open Wi-Fi network in a subway, hotel or airport, his data could be intercepted by an intruder. The risk of such a connection is high, which is why we advise against using Wi-Fi networks that do not have a password. Such networks are easy to connect to, and it is just as easy to intercept any user’s data on them. Attackers with basic hacking skills can easily intercept traffic, including users’ passwords for Internet banking, email, etc.
And one more tip – when connecting, pay attention to the type of encryption: ideally, WPA2-Enterprise should be used.
What kind of encryption is this, and why do I need to know about it?
The type of encryption in Wi-Fi is a characteristic that concerns the security of the network, not the user. The stronger the type of encryption, the harder it is to guess the password for access.
WEP encryption is the least secure because it transmits several bytes of the encryption key along with each data packet. Consequently, regardless of the complexity of the key, any transmission can be exposed by intercepting a sufficient number of packets. Using special software, the task will take a few seconds.
The strongest type of encryption is WPA2 (IEEE 802.11i). It uses the AES encryption standard (128-bit block size, 128/192/256-bit key), which is resistant to cracking. There are two varieties of WPA2:
- WPA2-PSK (Personal): login to the network is by a single password for all clients.
- WPA2-Enterprise: the password is checked against a remote database on a third-party server, and the password is unique for each node. As far as I know, no one has been able to crack WPA2-Enterprise yet.
WPA2-Enterprise is available only in corporate environments and to a few individual users. This mode requires an additional RADIUS server, which implements a separate protocol for authentication and authorization.
WPA2-PSK (WPA2-Personal) uses one key for everyone, which is convenient for home use, as all those connecting are usually trusted users. However, using WPA2-PSK in public places can lead to loss of sensitive data. Users should also avoid Wi-Fi access points that have WPS (Wi-Fi Protected Setup) enabled: this technology is designed specifically to make it easier for devices to connect to a Wi-Fi network, and an intruder can penetrate such a network even if it uses strong encryption.
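As an added example (not from the original article or any of the quoted experts), here is a script that applies two pieces of the advice above on a Linux laptop running NetworkManager: it lists the saved Wi-Fi profiles via nmcli, classifies each as open, shared-key (PSK) or enterprise, and produces the nmcli commands that switch off auto-connect for the first two kinds while leaving WPA2-Enterprise profiles alone. The profile names in the embedded sample are constructed; the nmcli options and property names used are real.

```python
"""Plan nmcli commands disabling auto-connect for saved open/PSK Wi-Fi profiles (assumes Linux + NetworkManager)."""
import re, shutil, subprocess
ENTERPRISE = {"wpa-eap", "wpa-eap-suite-b-192"}  # 802.1X profiles are left alone
LIST_CMD = ["nmcli", "-t", "-f", "NAME,TYPE,AUTOCONNECT", "connection", "show"]

def parse_profiles(terse_output):
    """Rows (name, type, autoconnect) from `nmcli -t` output; `\\:` escapes a colon in a value."""
    rows = []
    for line in terse_output.splitlines():
        if line.strip():
            fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
            rows.append(tuple(fields[:3]))
    return rows

def classify(key_mgmt):
    """Empty 802-11-wireless-security.key-mgmt means no security section, i.e. an open network."""
    if key_mgmt == "":
        return "open"
    return "enterprise" if key_mgmt in ENTERPRISE else "shared-key"  # wpa-psk, sae, wep

def plan(profiles, key_mgmt_of):
    """For each Wi-Fi profile: (name, class, nmcli argv that disables autoconnect, or None)."""
    out = []
    for name, ctype, autoconnect in profiles:
        if ctype == "802-11-wireless":
            kind = classify(key_mgmt_of.get(name, ""))
            fix = kind != "enterprise" and autoconnect == "yes"
            cmd = ["nmcli", "connection", "modify", name, "connection.autoconnect", "no"]
            out.append((name, kind, cmd if fix else None))
    return out

def plan_from_system():
    """Same plan for this machine's saved profiles; [] when nmcli is not installed."""
    if shutil.which("nmcli") is None:
        return []
    run = lambda a: subprocess.run(a, capture_output=True, text=True).stdout  # empty on error -> "open"
    profiles = parse_profiles(run(LIST_CMD))
    km = {n: run(["nmcli", "-g", "802-11-wireless-security.key-mgmt", "connection", "show", n]).strip()
          for n, t, _ in profiles if t == "802-11-wireless"}
    return plan(profiles, km)

# Constructed sample of LIST_CMD output and per-profile key-mgmt values (not from a real host).
SAMPLE = ("Home:802-11-wireless:yes\nMTS_wifi_free:802-11-wireless:yes\n"
          "Cafe\\:Corner:802-11-wireless:yes\nCorp-8021X:802-11-wireless:yes\n"
          "Wired connection 1:802-3-ethernet:yes\n")
SAMPLE_KM = {"Home": "wpa-psk", "MTS_wifi_free": "", "Cafe:Corner": "wpa-psk", "Corp-8021X": "wpa-eap"}

if __name__ == "__main__":  # falls back to the sample when nmcli is absent or lists no Wi-Fi profiles
    for name, kind, cmd in plan_from_system() or plan(parse_profiles(SAMPLE), SAMPLE_KM):
        print(f"{name:20} {kind:11} {' '.join(cmd) if cmd else '(left as is)'}")
```

The script only prints the commands; review them and run the ones you agree with, since disabling auto-connect on a home profile means reconnecting to it by hand.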
How else can I protect myself?
Use a VPN, also known as a virtual private network. It’s a generic name for technologies that are used for different purposes. For example, you can use a VPN to switch your location to access blocked resources in your country (let’s pretend we don’t know what sites we’re talking about).
In short, a VPN is a network inside a network. Imagine an oil pipeline with a cocktail pipe inside it – that’s what a VPN is. The technology forms a separate encrypted channel through which data is transmitted. If you want, of course, you can hack it too, but it’s not easy to do.
Also try to open sites starting with “https://domain-name”. HTTPS is an extension of the HTTP protocol that allows encrypted data transmission. Many resources, especially the larger ones, support it.
Some resources also use SSL to transfer information between the server and the client; it is considered secure even on public networks.
Conclusions
The basic rules of hygiene are as follows:
- If possible, do not connect to public Wi-Fi; when it is unavoidable, choose password-protected networks and use a VPN.
- Do not make purchases or enter passwords to log in to accounts on resources when your device is connected to a public network without an urgent need.