So, who can you trust?

There’s a big misinformation problem at the moment, you see Fake News been plastered everywhere by media outlets, but there’s a bigger piece of misinformation which, although well intended, puts you at significant risk – and not many people are willing to speak out against it!

Everybody knows, open wireless networks are the enemy. They offer no security, no encryption, and let bad guys capture, sniff and even trick you. Nobody likes being sniffed, especially without consent. So, don’t use them! Use anything but them! And whatever you do, stay away from them!

But, wait! What if I told you that you shouldn’t trust any network you don’t control? You probably wouldn’t listen, as it sounds like I’m scare mongering, it sounds like I’m putting more responsibility on you, right? It shifts the responsibility from the network provider to you, and you don’t like that, right?

TOUGH!

This is a real problem, with the focus being on open wireless networks being such a security risk, it actually means you’re letting your guard down elsewhere. If you do not control a network end to end, it cannot be considered secure – end of. This misinformation leads to so many bad habits, and the general public simply do not understand what is a secure network and what isn’t.

People think a PSK is secure – SPOILER: If shared to anyone but yourself, it is not.
People think a Captive Portal adds security – SPOILER: It does not!
People think a cable is more secure than wireless – SPOILER: It isn’t!
People think using a Public VPN will secure everything – SPOILER: It does not, no way, ever.

Instead of teaching the public good practice and good personal security whilst on the net, the public is taught to take precautions to avoid being exposed on the shortest transmission path of a networked conversation, and ultimately leave themselves exposed to everything beyond.
The bottom line is that unless you control every aspect of the network, end to end, you have absolutely no comfort of security and you should practice good habits to make sure you are secure wherever you go. Let me give you a little clue as to where this is heading – you don’t control the internet.

Here are some tips on how to stay secure when using Zero Trust Networks:

  1. Use HTTPS!
    Back in the day everything was HTTP, which literally sent everything unsecured, you could capture that traffic at any point in transit and see exactly what is going on. Always check for the little padlock in your browser, always ensure you’re using https, and never, not ever, should you ignore https error messages unless you really know what you’re doing. Even better still, when layered with HSTS it’s even more secure.
    Read here for more info: https://www.howtogeek.com/181767/htg-explains-what-is-https-and-why-should-i-care/
  2. Don’t trust Public VPNs!
    A Public VPN does encrypt your traffic over the local network, and it does encrypt it over some of the internet, thats a fact – I’m not arguing with that! BUT, your traffic has to pop out unencrypted somewhere, which is your VPN providers network. Why do you trust that it’s any more secure than your local ISP or network provider? Clue: You can’t.
    I’m not regurgitating other peoples content: https://www.youtube.com/watch?v=WVDQEoe6ZWY#action=share
  3. Keep your software up to date
    Obvious advice, but bugs and vulnerabilities exist in all software. Whenever that vulnerability is exposed the software is patched. Stay up to date, silly.
  4. Don’t reuse passwords
    Chrome and iOS have built in password managers now, so you don’t ever have to remember them, so don’t reuse them. Third party password managers exist like 1Password.
    Here are some tools which can assist you to understand if your details have been breached:
    Google: https://passwords.google.com/checkup/start?utm_source=chrome&utm_medium=ios&utm_campaign=leak_dialog
    Have I Been Pwned: https://haveibeenpwned.com/
  5. Use 2 Factor Auth
    Wherever supported, use 2 Factor Auth. This is basically a way of verifying that you are you – the 2 factors being something you know (a password) and something you have (a phone/app etc). Most popular websites allow you to use 2FA, and you can either use SMS or an app like Google Authenticator to store the codes.
  6. Use a Private VPN
    A Private VPN is a good way of protecting you from the local network and over the air, however it does not protect you from anything on the internet. You can run Private VPNs for free, and you just need a Raspberry Pi and https://www.pivpn.io/.
  7. Use Apps from verified sources
    If you know what you’re doing, then thats fine, but as a general rule don’t trust apps that have fallen outside of Apple, Microsofts or Androids vetting regime – if you’re unsure, don’t jail break, don’t root, use the app store – simple.
  8. Watch out for Phishing and dodgy emails
    If you’re unsure if an email is genuine, delete it, if it is important they will try contact you via other means.
    Don’t open them if you can avoid it, don’t click on links. Easy ways to spot phishing or spam emails is to inspect the content, check the ‘from’ field is the actual company you expected, hover your mouse over links to see if the URL is what you expected, check for spelling and grammar errors. If you are still unsure whether or not the email is genuine, go to their website in a browser and phone them.
  9. Always expect the worse
    This goes for all communication mediums, and is really the entire point of this blog, don’t trust! For example, if you get a phone call, letter, email or whatever from your bank, verify they are your bank – ring them on a familiar number! Remember, no company should ever ask you for your password or any pins and security codes, these are yours and only yours.

I could go on, but good security hygiene is crucial on line. There are thousands of articles offering advice, but the key bit I wanted to be clear about is that an open wireless network is not the enemy, and any way of trying to convince you that a network is secure by adding layers of encryption and the likes just clouds the matter.
Of course the security of your corporate wireless network for your corporate device is probably fine, but still be careful.
As I have mentioned, if you do not control the end to end network then err on the side of caution and be aware of what you are doing – unfortunately your personal security is down to you, and nobody else.

So yes, connect to that open wireless network, enjoy the free access to the internet, just be sensible.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.