Online Security Part 8 – Being Safe on Public WiFi

Four years ago I wrote a post about the risks involved in using public WiFi called “The Good, the Bad, and the Ugly.” While the information is still current, the suggestion to use a VPN has only recently reached mainstream awareness. This is due to Congress voting to allow Internet Service Providers (ISPs) to sell users’ browsing data. Now the market for VPNs has exploded, creating a confusing array of options. Even worse, most people don’t even know what VPN stands for, much less how it provides security and protects privacy.

VPN stands for Virtual Private Network, and it means that when you connect, your data is encrypted (i.e., safe and private). However, beyond the basic definition, even a Google search is a bit misleading on how to use one. As the graphic shows, the first suggestion is “VPN Free,” and experts agree that a completely free VPN is worth what you pay for it… nothing! These search results point to companies that sell your private browsing information to make money. So a VPN not only has to work technically, but it also has to be backed by an ethical company. Remember, poor Dan from the last post of this series would have been safe from hackers if he had used a reputable VPN. After connecting to the WiFi network, his next step would have been to activate the VPN (some “persistent” VPNs even do this automatically). A hacker cannot read data encrypted by a VPN; it just looks like random characters.

But finding a reputable VPN company is tough because the VPN world has become a little like the anti-virus world, a confusing mess of spammy advertising posing as reviews. Also, certain VPNs are better for certain applications (privacy or security), usage levels, devices (Windows, Mac, Android, iOS, etc.), speed, and ease of use.

After considerable research, the options below are a good starting point, especially the website “The Best VPN.” I didn’t believe this was a legit website at first either, but it has a very well-written article on public WiFi with an excellent infographic about a quarter of the way down. The first three suggestions (out of ten) are the best:

  • Be mindful and proactive – Hackers can quickly plug a flash drive with malware into an unattended computer or easily record video of keystrokes.
  • Turn off “Sharing” – A complex topic, but the article outlines the steps.
  • Use a VPN – Of course! (don’t worry about Tor, that’s an advanced topic)

Finally, keep in mind that the VPN world is changing quickly: websites with honest reviews can change hands and become biased, VPN providers can merge, and new options are appearing every day. Do a little research and don’t sign up for “lifetime” VPN subscriptions.

How Southwest Airlines Treats Passengers

I just had a great experience on Southwest Airlines, and it is worth writing about considering that most airline passengers are back flying their favorite horrible low-cost carrier. Southwest is not perfect: no seat assignments, full flights, and very limited food options, but they are mostly on time, treat passengers well, and don’t “nickel and dime” with hidden fees such as checked baggage. Maybe a seat assignment doesn’t matter considering what people have to put up with on other airlines? Besides, who on earth flies to enjoy a good meal?! Plus, their frequent flier program is without equal, with no blackout dates and generous rewards for their credit card.

Now they are flying to Mexico, the Caribbean, Central America, and will soon add Hawaii. It’s the best time ever to make the switch and start building up miles.

Finally, after complimenting the flight attendants during a recent trip, I found myself being handed this gem of a card as I walked off the plane: “Thank you, for being an amazing customer.” Thank you, Southwest, for being an amazing airline!

Online Security Part 7 – Techniques for Layered Security

Before we start on what sounds like a boring topic, here’s a story that should help make it more interesting.

After work, Dan decides to indulge in a quiet cup of coffee in his favorite local shop with free WiFi. Opening his laptop, he notices a guy nearby hunched over, working intently on a laptop. He must be a hardcore techie because his computer is covered with stickers and has a small antenna attached to it. The heavy metal band logo on his hoodie confirms Dan’s suspicions. A moment later, a beep from Dan’s phone reminds him that he has at least a dozen personal messages to read, so he connects to the first network on the list, “Free Coffee Shop WiFi.”

As he waits for the webpage to load, he thinks, “How strange, yesterday it was just called Coffee Shop WiFi. Maybe they want people to know that it’s really free?” Soon he sees the familiar login page and signs into Gmail. It rejects his password. That’s also strange; he was so careful to type it correctly. He enters it again and it works. Annoyed now, he chalks it up to the crazy complex new password that he is using for his most valuable accounts. “Oh well, can’t be too safe these days.” Somebody at work suggested a password manager, but who has time for that nonsense? Besides, typing it once a month is no big deal.

You probably know where this story is going. Dan has just been hacked and his Gmail login and password stolen. As soon as he leaves, the hacker will change it to prevent Dan from getting back in and try to access his bank, social media, etc. Dan won’t get the warning emails because he can’t access his account anymore. The hacker has reported his phone lost and erased it remotely.

Hopefully, this story demonstrates the need for something security professionals call “layered security.” It’s actually not that hard to implement. Earlier parts of this series have already discussed parts of the technique, such as confirming the website address in the browser, HTTPS security, strong/unique passwords, and using a password manager. In this case, a password manager would have prevented the hacker from stealing Dan’s password. How? It wouldn’t have entered the password, because the hacker’s fake login screen wouldn’t have matched the website that was used when the password was stored. A password manager can also prevent a hacker from video recording Dan’s fingers typing his password. Oh, those clever hackers!
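As an added illustration (not part of the original post, and not any particular password manager’s code), here is a simplified model of that matching step. The saved entry, the web addresses, and the function names are all constructed for the example.

```javascript
// Added illustration: a simplified model of a password manager's autofill check.
// The vault entry, hostnames and password are constructed sample data.
const vault = [
  { origin: "https://login.mail.example", username: "dan", password: "sample-only-not-real" },
];

// What a hurried person effectively checks: "the right name is in the address".
function naiveLooksRight(pageUrl, entry) {
  return pageUrl.includes(new URL(entry.origin).hostname);
}

// What the manager checks: parse the address, then require an exact match on
// scheme + host + port with the site where the password was saved.
function credentialFor(pageUrl) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return null; // unparseable address: never fill
  }
  if (page.protocol !== "https:") return null; // never fill on an unencrypted page
  return vault.find((entry) => new URL(entry.origin).origin === page.origin) || null;
}

// Constructed addresses: the real login page, then three that only look right.
const samples = [
  "https://login.mail.example/signin",
  "https://login.mail.example.free-wifi-portal.example/signin",
  "https://login.mail.example@free-wifi-portal.example/signin",
  "http://login.mail.example/signin",
];

function compare() {
  return samples.map((url) => ({
    url,
    looksRight: naiveLooksRight(url, vault[0]),
    autofill: credentialFor(url) !== null,
  }));
}

for (const row of compare()) {
  console.log(`${row.autofill ? "FILL  " : "REFUSE"} looksRight=${row.looksRight} ${row.url}`);
}
```

Only the first address gets the password; the other three pass the “looks right” test a person might apply but fail the exact match.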

To wrap up this post, below is a summary of the layers of security involved in Dan’s sad story and the associated parts of this series of posts.

  • Part 8 – The next post will explain why a Virtual Private Network (VPN) should always be used on public WiFi to keep others from eavesdropping. Remember, most of the time hackers are not looking to hack you personally; they are looking for easy targets.
  • Part 3 – Never reuse passwords across sensitive accounts.
  • Part 2 – Look for secure connections to websites (the padlock symbol = HTTPS) and log out when done.
  • Part 4 – Use a password manager and secure it with a unique, very strong password. Below is a comic strip that explains how and why, courtesy of XKCD.
  • Part 10 – Use something called two-factor authentication (2FA) to secure your most sensitive accounts. 2FA stops hackers by requiring “two factors” to log in, typically something you know (such as a password) and something you have, such as your cellphone (a code received as a text message).

Online Security Part 6 – A Few Words About Online Privacy

A recent podcast on Recode, “How do I protect my privacy online?” featured digital security expert Tony Gambacorta answering questions about online security and privacy. He said, “The greatest threat is our own ignorance.” In terms of security, on the top of his list were many of the topics that are already in this series of posts, but the part about privacy was particularly interesting. In terms of privacy, his biggest concerns focus on the so-called Internet of Things (IoT) devices such as Amazon Echo, Google Home, and “smart home” cameras, thermostats, light controllers, security systems, Smart TVs, etc.

These are devices that provide useful features in return for legal access to what most consider their private world, such as conversations and activities in their home. For example, some people cover their laptop webcam with tape when their Smart TV has an embedded camera and microphone controlled by much less secure software. Many WiFi cameras that are used to monitor a home fall into this insecure category. Gambacorta also explains that a $20 device can be used in a coffee shop to anonymously eavesdrop on unencrypted web searches, emails, etc. For these reasons, a VPN service is critical when using public WiFi and will be explained in detail in a future post, but in general avoid free VPNs; they are often free because they are not private.

His privacy suggestions for people who aren’t tech-literate?

  • Don’t put something like a WiFi camera or Smart TV in a sensitive area of your house (or put tape on the lens).
  • Buy from people you know and trust. Buying a $70 Android phone from a user called “ThePhoneBoss” on eBay might not be the best choice for security or privacy.
  • Email is never private (unless you’re an expert).
  • Use your browser’s “Incognito” feature if you are searching for anything you wouldn’t want somebody else to know about (or something that you don’t want to see ads about in the future). This is also known as a “Private” or “InPrivate” window. As the graphic below shows, it is shocking how little privacy is involved when web surfing.

Well, that’s more than a few words, but let’s just keep that between you and me…

Cuba Is NOT Covered in Your T-Mobile Data Plan!

But over 140 other countries are included at no charge and wow, thank you T-Mobile for this honest and useful text message!

It is amazing how mobile communication has unified the world. A T-Mobile customer can take their phone from Argentina to Venezuela in South America and from Bahrain to Zambia in the Middle East / Africa, enjoying 2G data and texting at no charge. Voice calls are only $0.20 a minute.

To be fair, T-Mobile has its share of problems. Some truly terrible customer service, overloaded networks, a lack of coverage outside of major cities, and a load of salespeople in stores that could benefit from adult supervision top the list, but overall they are pushing the industry toward more open and fair access for all. They have also forced the duopoly of AT&T and Verizon into cleaning up some of their horrible business practices.

Some people think the world gets worse and worse every year, but in truth some of the changes brought about by technology are for the better. Global communication is one area that is critical to creating a better world. On a side note, one of our fellow travelers pre-paid AT&T $5,000 for unlimited voice / data service in Cuba. Ouch!