Online Security Part 8 – Being Safe on Public WiFi with a VPN

Four years ago I wrote a post about the risks involved in using Public Wifi called “The Good, the Bad, and the Ugly.” While the information is still current, the suggestion to use a VPN has only recently reached mainstream awareness. This is due to Congress voting to allow Internet Service Providers (ISPs) to sell users’ browsing data. Now the market for VPNs has exploded, creating a confusing array of options. Even worse, most people don’t even know what VPN stands for, much less how it provides security and protects privacy.

VPN stands for Virtual Private Network and it means that when you connect, your data is encrypted (i.e., safe and private). However, beyond the basic definition, even a Google search is a bit misleading on how to use one. As the graphic shows, the first suggestion is “VPN Free” and experts agree that a completely free VPN is worth what you pay for it… nothing! These search results point to companies that sell your private browsing information to make money. So a VPN not only has to work technically, but it has to be backed by an ethical company. Remember, poor Dan from the last post of this series would have been safe from hackers if he had used a reputable VPN. After connecting to the WiFi, his next step would have been to activate the VPN (some “persistent” VPNs even do this automatically). A hacker who intercepts data encrypted by a VPN cannot read it; it just looks like random characters.

But finding a reputable VPN company is tough because the VPN world has become a little like the anti-virus world, a confusing mess of spammy advertising posing as reviews. Also, certain VPNs are better for certain applications (privacy or security), usage levels, devices (Windows, Mac, Android, iOS, etc.), speed, and ease of use.

After considerable research, the options below are a good starting point, especially the website “The Best VPN.” I didn’t believe this was a legit website at first either, but it has a very well-written article on Public WiFi with an excellent infographic about a quarter of the way down. The first three suggestions (out of ten) are the best:

  • Be mindful and proactive – Hackers can quickly plug a flash drive with malware into an unattended computer or easily record video of keystrokes.
  • Turn off “Sharing” – A complex topic, but the article outlines the steps.
  • Use a VPN – Of course! (don’t worry about Tor, that’s an advanced topic)

Finally, keep in mind that the VPN world is changing quickly: websites with honest reviews can change hands and become biased, VPN providers can merge, and new options are appearing every day. Do a little research and don’t sign up for “lifetime” VPN subscriptions.

Online Security Part 7 – Techniques for Layered Security

Before we start on what sounds like a boring topic, here’s a story that should help make it more interesting.

After work, Dan decides to indulge in a quiet cup of coffee in his favorite local shop with free Wifi. Opening his laptop, he notices a guy nearby hunched over working intently on a laptop. He must be a hardcore techie because his computer is covered with stickers and has a small antenna attached to it. The heavy metal band logo on his hoodie confirms Dan’s suspicions. A moment later, a beep from Dan’s phone reminds him that he has at least a dozen personal messages to read, so he connects to the first network on the list, “Free Coffee Shop WiFi.”

As he waits for the webpage to load, he thinks, “How strange, yesterday it was just called Coffee Shop WiFi, maybe they want people to know that it’s really free?” Soon he sees the familiar login page and signs into Gmail. It rejects his password. That’s also strange; he was so careful to type it correctly. He enters it again and it works. Annoyed now, he chalks it up to his new crazy complex password that he is using for his most valuable accounts. “Oh well, can’t be too safe these days.” Somebody at work suggested a password manager, but who has time for that nonsense? Besides, typing it once a month is no big deal.

You probably know where this story is going. Dan has just been hacked and his Gmail login and password stolen. As soon as he leaves, the hacker will change it to prevent Dan from getting back in and try to access his bank, social media, etc. Dan won’t get the warning emails because he can’t access his account anymore. The hacker has reported his phone lost and erased it remotely.

Hopefully, this story demonstrates the need for something security professionals call “layered security.” It’s actually not that hard to implement. Earlier parts of this series have already discussed parts of the technique such as confirming the website address in the browser, HTTPS security, strong/unique passwords, and using a password manager. In this case, a password manager would have prevented the hacker from stealing Dan’s password. How? It wouldn’t have entered the password, because the hacker’s fake login screen wouldn’t have matched the website used when the password was stored. A password manager can also prevent a hacker from video recording Dan’s fingers typing his password. Oh, those clever hackers!
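The matching check described above can be sketched in a few lines. This is an added example, not code from the original post or from any real password manager: the function names, the vault entry and the page addresses are all constructed, and comparing the exact origin (scheme, host and port) is a simplifying assumption.

```javascript
// Hypothetical autofill check; the vault entry and page URLs are constructed sample data.
const vault = [
  { origin: "https://accounts.google.com", username: "dan@example.com", password: "constructed-sample-only" },
];

// Reduce a URL to its origin (scheme + host + port); return null if it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Offer a credential only when the page's origin equals the origin saved with it.
// The comparison is exact: "looks similar" or "contains the name" is never enough.
function credentialsFor(pageUrl, entries = vault) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === null) return [];
  return entries.filter((e) => originOf(e.origin) === pageOrigin);
}

// Turn the match result into the decision the user would see.
function autofillDecision(pageUrl) {
  const matches = credentialsFor(pageUrl);
  return matches.length > 0
    ? `fill ${matches[0].username}`
    : "no saved login for this site: do not type the password by hand";
}

const pages = [
  "https://accounts.google.com/signin",                     // the real login page
  "http://accounts.google.com/signin",                      // same name, but not HTTPS
  "https://accounts.google.com.login-check.example/signin", // real name used only as a prefix
  "https://accounts.goog1e.example/signin",                 // lookalike spelling
  "http://192.168.1.1/signin",                              // page served by the hotspot itself
];
for (const p of pages) console.log(p, "->", autofillDecision(p));
```

Only the first address gets the saved login. A refusal to fill on a page that looks familiar is the signal Dan missed when he typed his password by hand.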

To wrap up this post, below is a summary of the layers of security involved in Dan’s sad story and the associated parts of this series of posts.

  • Part 8 – The next post will explain why a Virtual Private Network (VPN) should always be used on public Wifi to avoid others eavesdropping. Remember, most of the time hackers are not looking to hack you personally; they are looking for easy targets.
  • Part 3 – Never reuse passwords across sensitive accounts.
  • Part 2 – Look for secure connections to websites (the padlock symbol = HTTPS) and log out when done.
  • Part 4 – Use a password manager and secure it with a unique, very strong password. Below is a comic strip that explains how and why courtesy of XKCD.
  • Part 10 – Use something called two-factor authentication (2FA) to secure your most sensitive accounts. 2FA stops hackers by requiring “two factors” to log in, typically something you know (such as a password) and something you have, such as your cellphone (a code received as a text message).

Online Security Part 6 – A Few Words About Online Privacy

A recent podcast on Recode, “How do I protect my privacy online?” featured digital security expert Tony Gambacorta answering questions about online security and privacy. He said, “The greatest threat is our own ignorance.” In terms of security, at the top of his list were many of the topics that are already in this series of posts, but the part about privacy was particularly interesting. In terms of privacy, his biggest concerns focus on the so-called Internet of Things (IoT) devices such as Amazon Echo, Google Home, and “smart home” cameras, thermostats, light controllers, security systems, Smart TVs, etc.

These are devices that provide useful features in return for legal access to what most consider their private world, such as conversations and activities in their home. For example, some people cover their laptop webcam with tape when their Smart TV has an embedded camera and microphone controlled by much less secure software. Many WiFi cameras that are used to monitor a home fall into this insecure category. Gambacorta also explains that a $20 device can be used in a coffee shop to anonymously eavesdrop on unencrypted web searches, emails, etc. For these reasons, a VPN service is critical when using public WiFi and will be explained in detail in a future post, but in general avoid free VPNs; they are often free because they are not private.

His privacy suggestions for people who aren’t tech-literate?

  • Don’t put something like a WiFi camera or Smart TV in a sensitive area of your house (or put tape on the lens).
  • Buy from people you know and trust. Buying a $70 Android phone from a user called “ThePhoneBoss” on eBay might not be the best choice for security or privacy.
  • Email is never private (unless you’re an expert).
  • Use your browser’s “Incognito” feature if you are searching for anything you wouldn’t want somebody else to know about (or something that you don’t want to see ads about in the future). This is also known as a “Private” or “InPrivate” window. As the graphic below shows, it is shocking how little privacy is involved when web surfing.

Well, that’s more than a few words, but let’s just keep that between you and me…

Online Security Part 5 – How Secure is an iPhone? Really, Really, Really Secure!

Today many people carry their entire digital life around in their smartphones. Emails, text messages, address books, calendars, to-do lists, banking apps, music, and photos are just a few of the valuable items found on these small slabs of metal and glass. This makes the humble cell phone an attractive target for hackers. Recently, the news has been filled with stories about smartphone security. This is a result of the fact that the president was known to have been using an ancient, insecure Android phone from 2012 (Samsung Galaxy S3). He finally upgraded to an iPhone this week.

Why was an iPhone chosen for the President of the United States? Probably because it’s the most secure phone on the market today. It is amazing the lengths Apple goes to and they do it without much fanfare. Buried toward the end of the iOS webpage is a section called “Privacy and Security” with a short paragraph on security:

iOS offers the most advanced security of any mobile operating system. For starters, hardware and firmware features are designed to protect against malware and viruses, while iOS features help to secure your personal information. Touch ID lets you use your fingerprint as an easy alternative to entering your passcode each time, preventing unauthorized access to your device. And we give developers tools to make the safest apps possible, including top-notch encryption, app transport security, and more. The point is, security runs throughout the entire system — everything from the hardware to iOS to the App Store.

Deep down though, iOS security is a hidden universe of its own. The iOS Security Guide explains the details in 63 pages and there is an interesting lecture on Apple’s Developer website that covers the highlights in 25 minutes. To make a long story short, since Apple has control of both the iPhone hardware and iOS software, they can ensure security from the moment the iPhone is turned on and even when it is turned off. They don’t even allow downgrading iOS software since that would make a secure iPhone insecure. Also, each iPhone has a completely separate security microprocessor called the “Secure Enclave Processor” (SEP) that includes a unique code burned into it. This means that only your iPhone can decrypt your data. Finally, Apple enforces its commitment to security on its App developers as well as on how a device securely communicates with the outside world.

To be fair, Google / Android does care about security and implements many of the same measures in the most recent versions, but only 3% of Android users have upgraded compared to 80% of iOS users. Apple’s security philosophy is a great example of something called “layered security” which professionals recommend as the best practice to stay safe online. A future post in this series will explore layered security in detail.

 

Online Security Part 4 – Even More About Passwords

As explained in the last post in this series, a good password manager is critical to staying safe online. It is also the key to working efficiently. With more and more websites requiring a new login each time they are used, the lowly username screen has become a source of stress for many.

Luckily, there are many options and here is a summary of the best of them.

1Password is definitely at the top of the list and well worth the small cost of $3 a month. It works on MacOS, iOS, Android, and Windows devices and can synchronize passwords between them. It even has a family plan for $5 a month that can organize shared passwords while still allowing each member to store private ones in the same account. As a bonus, it can store much more than passwords, including WiFi logins, credit card information, driver’s license, and secure notes. Finally, it has a well-written tutorial for new users that can be found here.

The next option is for MacOS / iOS users and is called iCloud Keychain. Apple’s free solution is great due to the integration with their default browser Safari. Once turned on, it fills in passwords automatically, suggests strong passwords for new websites, offers to save existing passwords, and synchronizes passwords between devices logged into the same iCloud account. It can also securely store and fill in credit card information to make online shopping quicker. The website 9to5Mac recently published a post on iCloud Keychain that is worth reading, “iCloud Keychain and Answering Your Common Password Management Concerns.”

For Windows users, Microsoft’s Edge browser built-in password management is fine too. For complex reasons, it is a little less secure than professional solutions, but better than nothing. The biggest drawback is that it cannot synchronize passwords between Windows and a mobile device like an iOS or Android phone.

Finally, KeePass is a free and open source password manager, but more complex to install and use. You can find it at http://keepass.info/.

There is a constant stream of online articles on the best practices for password management. The 9to5Mac posts, “How to Approach and Manage Passwords” and “How to Implement and Benefit From Password Management Software” dive deep into the subject. For people short on time, they both end with an excellent summary simply called, “Do This.” So what are you waiting for? Do This!!!