Surf Safely: Armoring Your Digital Life on Public Wi-Fi Waves

/in , /by

Protecting one’s data and devices on public Wi-Fi goes beyond protecting oneself on just the Wi-Fi aspect. Cyber security is holistic in its nature, meaning the devices hardware, software, and various forms of access control all need consideration.

I hear all the time that criminal hackers are so “sophisticated”. I suppose they are, but what they really are is organized, and they treat fraud like a business. Do you know who’s really sophisticated? White hat hackers also known as penetration testers. These are the security experts deployed to seek out vulnerabilities in your networks and to offer recommendations to tighten them up.

And for you laypersons, I’m going to let you in on a little secret that both criminal hackers, and the good guy hackers know: there are very basic, user-friendly tools that hackers on both sides of the fence use to “hack us” on public Wi-Fi:

The top three software tools that penetration testers commonly use to infiltrate and test the security of insecure Wi-Fi connections are:

  1. Aircracking: This is a comprehensive suite of tools for auditing wireless networks. It can monitor traffic, crack WEP and WPA/WPA2-PSK keys after capturing data packets, and check for vulnerabilities in wireless access points.
  2. Kismet: A wireless network detector, sniffer, and intrusion detection system. It can passively collect packets from both hidden and non-hidden networks, detect wireless access points and associated clients, and identify networks by probing them.
  3. Wireshark: A popular network protocol analyzer that can capture and inspect wireless traffic. It helps identify potential security issues by analyzing the data packets traveling over the Wi-Fi network.

These tools allow penetration testers to scan for and identify nearby wireless networks, capture network traffic, crack encryption keys, and exploit vulnerabilities in wireless access points and devices connected to the network. They are essential for comprehensively assessing the security posture of Wi-Fi networks during penetration testing engagements.

Keep in mind, anyone, and everyone, both good and bad have access to these software programs.

There are a number of vulnerabilities requiring consideration including:

Man-in-the-Middle (MITM) attacks: Hackers can position themselves between your device and the network, intercepting all your internet traffic to steal sensitive data like passwords, financial information, etc.

Malware distribution: Public Wi-Fi can be used to spread malware that infects connected devices, allowing hackers to access files, spy on activities, or render devices unusable.

Unencrypted connection: Many public Wi-Fi networks lack encryption, allowing anyone on the network to easily snoop on your online activities and data transmissions.

Rogue hotspots: Cybercriminals can set up fake Wi-Fi access points with legitimate-sounding names to lure users and monitor their traffic.

Snooping and sniffing: Hackers can use tools to eavesdrop on Wi-Fi signals and capture data like webpages visited, login credentials, and more.

Malicious hotspots: Hackers create malicious hotspots with similar names to legitimate ones to trick users into connecting, enabling MITM attacks.

Lack of authentication: Most public Wi-Fi is open with no authentication required, allowing anyone to join and potentially launch attacks.

The key risks involve exposing your private data and online activities to malicious actors exploiting the lack of security on public wireless networks.

Here are 10 ways to lock down your data and prepare yourself on free open public Wi-Fi:

  1. Verify the wireless network is in fact legitimate. Confirm the network name with staff at the municipality, airport, or wherever, or seek out posted signage before connecting. Wi-Fi hackers can create fake hotspots often known as “evil twins” with similar names to trick Wi-Fi users.
  2. Avoid accessing sensitive information. If possible, avoid logging into sensitive accounts such as online banking or entering passwords on public Wi-Fi as your data can be intercepted. Save the critical and sensitive data processing for at home or at work on a secure Wi-Fi connection.
  3. Use a VPN. A virtual private network encrypts your internet traffic, protecting it from snooping on public networks. The VPN software is free to a small fee, and is your best defense against digital Wi-Fi snooping.
  4. Enable two-factor authentication. Any and all Critical accounts need additional password protection and this is done generally via your mobile phone as a second form of authentication receiving a one time pass code via text. This extra login step code sent to your phone for accounts that offer it, prevents unauthorized access even if your password is compromised.
  5. Keep software updated. Install the latest operating system and software app updates which often include security patches to protect against vulnerabilities. Outdated software creates vulnerabilities that Wi-Fi hackers can seek out.
  6. Use antivirus software. Paid antivirus comes with antivirus, anti-spyware, anti-phishing, and a firewall. Antivirus programs are designed to detect and block malicious software that spies on you and can infect your device on unsecured public Wi-Fi networks.
  7. Log out after use. When finished on critical websites, log out of websites and shut down tabs or even your whole browser, and disconnect from the Wi-Fi network to minimize exposure.
  8. Enable firewall. By default, your firewall should be turned on. Keep your device’s firewall enabled to block unauthorized access while on public networks. The devices operating system should come equipped with a built-in, firewall, or do a search engine query for the name of the operating system in the word firewall for instructions on how to enable it.
  9. Avoid auto-connecting. In your devices Wi-Fi settings, you should be able to toggle off various known Wi-Fi hotspots. Disabling automatic Wi-Fi connection on your devices prevents joining rogue hotspots that may be set up as “evil twins”.
  10. Browse securely. By default, your browser should let you know if a particular website is at risk. Only visit HTTPS encrypted websites which are more secure than unencrypted HTTP sites when on public Wi-Fi.

Robert Siciliano CSP, CSI, CITRMS is a security expert and private investigator with 30+ years experience, #1 Best Selling Amazon.com author of 5 books, and the architect of the CSI Protection certification; a Cyber Social Identity and Personal Protection security awareness training program. He is a frequent speaker and media commentator, and CEO of Safr.Me and Head Trainer at ProtectNowLLC.com.

I Really Want My Phone to Be My Wallet. Don’t You?

/in /by

Wallets suck. Seriously. Mine hurts my butt when I sit down. I have to remember to take it with me, and then I’m always afraid of losing it. There’s nothing fun about it. And…well…it’s dirty. It really is—money is dirty, and the cards you hand to people with dirty hands that handle dirty cards all day are dirty. Can we please just use our mobiles as wallets?

There are a few technologies that are supposed to eliminate the wallet, but no matter how hard I try, I still need to carry one. More on that in a bit.

What’s in the works:

  • Isis is a mobile payment network comprised of the major mobile networks. It’s supposed to launch nationwide and there have been a bunch of pilot tests, but no official launch just yet.
  • Square is an app that accepts credit cards and allows you to pay with them in stores that accept Square-facilitated transactions.
  • Apple has the Passbook app, which stores your cards and works with an iPhone. It should have taken off, but it does squat.
  • Google Wallet is an app that has relationships with credit card companies and banks and uses near-field communications. It allows you to make payments, but only if you have an NFC-enabled phone—which is usually an Android—and the point of sale needs to be able to read it.
  • Starbucks is really the only company that has used its mobile app to accept payments, and it’s wildly successful. There’s no reason to even walk into a Starbucks with a wallet again.

So other than moving into Starbucks, I’ve found a temporary compromise.

  • Thinned out my wallet: This means I got a thinner wallet, too. I picked up a three-buck one from one of those sidewalk tables in New York City. For the rest of the world, you can find them all over eBay.
  • Keyring: This is an app available for iPhones and Androids that allows me to easily snap a photo of the front and back of my 50+ loyalty cards and use most of them at a retail counter. (Except Costco, which is stupid. Do you hear me, Costco?)
  • Hotspot Shield VPN: This is a virtual private network application installed on my mobile to protect my wireless traffic. So instead of having to remember my wallet and then putting my wallet into my pocket—which hurts—and worrying about losing it, I just use my mobile to make purchases online and have most everything shipped. Except, of course, at Costco.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247.

Are You as Secure as a Fourth Grader? (Hint: No)

/in /by

Security is the big picture. Security is in the finest details. Security is software and hardware. Security is awareness, intelligence and vigilance. Security is obvious, is obscure and is theater. Security is a journey and not a destination. It’s a path you take, but not a place you ever really arrive at. Security is an illusion; it’s elusive, attainable and impossible.

Ever have dialogue with a nine-year-old? Kids that age are pretty smart. Most can navigate through life with enough awareness to get themselves in and out of trouble and have the understanding of how things work like a 30-year-old might. They also possess a certain innocence and lack the fear of failure or of retribution due to the fact they’ve yet to be burned as much as a typical 30-year-old has.

It’s that carefree outlook and lack of concern with authority that allows mastermind criminals to walk all over those of us who follow the rules—and those who enforce them.

Which brings us to a nine-year-old Minneapolis boy who was able to get through security screening and onto a Vegas-bound plane at the Minneapolis-St. Paul International Airport without a ticket. The only reason he was even caught was because he was…well…a boy. His Delta flight was not full, and the flight crew became suspicious mid-flight because the boy was not on the list of unattended minors. The crew contacted Las Vegas police, who met them upon landing and transferred the boy to child protection services.

That’s not all. Our stowaway rode on the train to the airport (probably snuck on there too), stole a bag from a luggage carousel, and went to an airport restaurant, where he chewed and screwed (dined and dashed) the restaurant out of their money.

I’m not done telling his story. Two weeks prior to the airport incident, he snuck into a water park, stole a truck, smashed it, and was caught driving on a highway and pulled over. And that’s just what was reported when he was caught.

So if you think your government, the TSA, Homeland Security or the police can protect your personal security—or your bank, your credit card company or all the organizations that have your information on file can protect your identity—then you’re no smarter than a fourth grader.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247.

The Legal Right to Delete Stupidity

/in /by

Anyone who is online and has ever posted something or sent something or liked something has a regret or two. And if you don’t have a regret, you’re arrogant and pompous and think way too highly of yourself and your musings.

Anyway, recalling a digital boner isn’t always easy. And now, when you hit enter or send, it’s pretty much a lost cause. But a new California law aims to make it a tad easier…but honestly, I think it will be a false fix and make people think they have more control while again, they don’t.

Ars Technica reports, “California has put into place the first state law that requires companies, websites and app developers to give kids under the age of 18 the option to delete a post. The law (SB 568), which was signed by Governor Jerry Brown [and] takes effect on January 1, 2015, imposes onto web companies and app makers this new requirement.” The article goes on to quote the law, including what those firms will be required to do: “Provide clear instructions to a minor who is a registered user of the operator’s internet website, online service, online application or mobile application on how the user may remove or, if the operator prefers, request and obtain the removal of content or information posted on the operator’s internet website, online service, online application or mobile application.”

It’s a mouthful, but here’s the deal: digital is forever; digital is repeatable; digital can be copied and pasted; and digital is subject to screenshots, shares and forwards. Digital begins with you, but it never ends.

Deleting stupidity is like killing mosquitoes: It’s just a matter of time until you get bitten again. Being aware, smart and conscious about what you post online is using your noggin and playing it safe. Never post in anger or under the influence of mind-altering substances, as nothing you post in that state of mind ever reads right sober. Trust me on that one.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247.

Apple Makes Life Harder for iPhone Thieves

/in /by

You probably know that iPhones are high on the wish list of thieves all over the country—so much so that data from the New York City Police Department reveals that iPhone and iPad thefts have soared 40 percent compared with the same period last year, according to CNET. A total of 11,447 cases of stolen Apple devices were reported to the city’s police, an increase of 3,280 over the last year.

Apple has been paying attention, and the new iOS7 has made it difficult for a thief to sell or reuse that stolen phone. This is because of a feature that prevents a wiping/resetting of the phone without the user’s Apple ID.

Here’s how: iPhone users who upgrade receive an email explaining how the new theft deterrent works, along with information on what to do in the event someone sells or transfers an iPhone to another party. It looks like this:

Dear Apple iPhone Customer:

Congratulations on your update to iOS 7. As an iCloud user, part of your upgrade includes new features built into Find My iPhone that make it harder for anyone else to use or sell your device if it is ever lost or stolen.

With Find My iPhone turned on in iOS 7, your Apple ID (email@xxxx.com) and password will always be required before anyone can:

•           Turn off Find My iPhone on your device.

•           Erase your device.

•           Reactivate and use your device.

There is nothing you need to do except to keep Find My iPhone turned on and remember your Apple ID and password. For more information, read the FAQ.

Note: As always, if you plan to give your device to someone else, make sure to erase all content and settings before transferring it to the new owner. This will remove the device from your account and allow the new owner to activate it. For more information, read What to do before transferring ownership of your iPhone, iPad or iPod Touch.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247.

How to Protect Your Information Online

/in /by

5DEvery week I receive emails from people asking how they can protect their privacy online. It seems like there have been more and more data security breaches, and therefore awareness about the potential to have our information exposed is growing. In fact half of us worry about the amount of personal information about us that is available online compared to only 33% who were concerned about this in 2009.

recent Pew survey found that 86% of Internet users have taken steps online to remove or mask their digital footprints—ranging from clearing cookies to encrypting their email. And while most of us would like to be anonymous online, most of know that this is not always possible. Some other startling facts from the study:

21% of Internet users have had an email or social networking account hijacked, and 11% have had vital information like their Social Security number, bank account data or credit cards stolen

13% of Internet users have experienced trouble in a relationship between them and a family member or friend because of something the user posted online

6% have had their reputation damaged because of something that happened online and 4% have been led into physical danger because of something that happened online

Yet even though we want to keep our information private, most of us still knowingly post information online. The study found that half of us knew that our birth date was available online, and a whopping 30% knew that their home address was available online. And what else was revealing was that 26% of us didn’t’ feel that it was that important if people knew our location when we were online.

So while we may be concerned with privacy, there’s also a discrepancy in terms of what we have posted online or what we consider private or personal. Of course, this is a personal choice, but we should all be aware of things we can do to protect our information online, especially since it is not always in our control.

Be careful what you share online: Do what you can to control what information you reveal about yourself online. You should think about the Internet as akin to writing in permanent pen…once it’s there, it’s there forever.

Be cautious about where you give your information to: In today’s world a lot of information about us that is available online is not something that we posted ourselves. So think twice when giving your information, even if that’s in paper form since most employers, medical offices, etc, keep your information in electronic format and also what information you actually give out.

Lock down your privacy settings: Make sure you know how to use the privacy settings on social media sites, email, and other online applications and don’t connect with anyone you don’t know in the offline world.

Be careful what you download: Know what you are downloading, whether that be a photo from a friend or that fun new app for your smartphone. Many apps access information on your mobile device that you may not know about so make sure you check the permission it is accessing.

Keep your devices clean: Use comprehensive security on all your devices (not just your PCs) like McAfee LiveSafe™ service  and keep your devices’ operating systems and browsers up-to-date to protect your information online.

Use tools to help keep protect your privacy: You can use things like browsing in “incognito” mode or clearing your cookies. You should also make sure that you don’t have your browser set to “remember me” or your apps set to automatically log you in. That way if anyone else uses your computer or gets a hold of your mobile device, they can’t access that information.

While we can’t control everything about us that is online, we can be proactive about what information we post online about ourselves and what information we give out.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

5 rules for using coffee shop WiFi

/in /by

In order to compete with the likes of the chain coffee shops and now fast food joints, just about every coffee shop or small restaurant is supplying its clients with free WiFi. Unfortunately, there are people who don’t understand the rules of life as far as “give and take” in that you’ve got to give a little to get a little; they, unfortunately just take. They’re WiFi-sucking vampires who have no class and sit there for five hours and buy nothing.

You can’t walk into a coffee shop today and not see some guy taking up a table for four hours. He invariably has a laptop, tablet, mobile phone and even a mini printer all plugged into a power strip that he brought and plugged into one of few outlets in the shop. He and everyone like him are bad, shameless people.

Here’s how to play by the rules and not get dirty:

Remember that nothing is free. Paid WiFi anywhere is a minimum of 10 bucks a day. The coffee shop is a business supported by its customers. If everyone sat down and took and didn’t give, the shop would fold. Give back and spend at least five or 10 bucks for every mealtime you are there.

Minimize your impact. You are one person and should take up one chair, and maybe a small table. Bags go on the floor, not on chairs. Don’t hog bandwidth by downloading torrents.

Share. Only use an outlet if you absolutely need it. If you plug into an outlet, then precede that plug with a three-way power splitter with open receptacles, and don’t use an obnoxious power strip. When you see people looking to plug in, be kind enough to allow them to piggyback. They won’t ask, so offer.

Be quiet. Turn the sound off of your devices. Put your mobile on vibrate. When calls come in, speak softly as possible (really, just shut up; you’re very, very annoying). Better yet, suggest your would-be callers IM you instead. I’d tell you to walk outside, but…(see tip #5).

Think security. While you may become comfortable in your environment over time, don’t get up and leave any devices unattended while you go to the lav. They WILL be stolen. Know that free WiFi is unprotected WiFi, and your data is visible to anyone within 500 feet of the establishment. Use a virtual private networking application to encrypt your wireless communications.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247.

Unsecured wireless video baby monitors hackable

/in /by

Baby monitors have evolved from simple one-way radio communications based on older radio waves to highly evolved IP based, internet-connected cameras that can be viewed on a smartphone or tablet. Back in the day, when cordless phones were 900 MHZ, it was common to hear someone else’s conversations on your own phone or easy enough to eavesdrop on anyone’s call with a store-bought scanner.

Today’s baby monitors suffer a similar fate. While it’s all wonderful for a parent who wants to check out their little Johnny from afar, there are security issues with wireless technology if not properly locked down.

CBS New York reports, “The Gilberts, a family in Texas, found that a hacker gained access to their video baby monitor and was yelling at their 2-year-old daughter by name, having read it off her bedroom wall. ‘He was saying, “Wake up, Allyson, you little (expletive),” said the girl’s father, Marc Gilbert. ‘It felt like somebody broke into our house.’”

Scary.

Out of the box, most of these wireless technologies that allow people to control various home appliances from their smartphones are generally secure. However, in some cases, software or firmware may need updating if vulnerabilities are found.

  • Always check with a device manufacturer’s website to ensure the latest software/firmware or critical updates are installed or available to install.
  • Most wireless vulnerabilities start at the home/office wireless network and not on the devices themselves. It is essential to encrypt wireless with at least the WPA standard built into your router’s software.
  • Just like you need to encrypt wireless for your home/office network, you also need to encrypt wireless on public or free networks to protect the data on your devices. Hotspot Shield VPN is a free VPN option that encrypts all wireless communications.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247.

Cellular Base Station Range Extenders Vulnerable to Attack

/in /by

Low-powered cellular base stations are often found in residential homes and small businesses where mobile coverage is scant. The device, which also known as a femtocell, connects to DSL or cable connections and extends cellular coverage to a functional level where cell towers simply don’t reach. Some cellular base stations can accommodate up to 16 devices indoors or outdoors. The benefits of deploying a cellular base station include better voice quality and stronger wireless internet connections over 3G or 4G.

A few of the mobile carriers offering cellular base stations include Vodafone, SFR, AT&T, Sprint Nextel, Verizon and Mobile TeleSystems. The devices cost under a few hundred dollars and offer a significant improvement in areas with poor wireless connections.

While all this is good and dandy, researchers discovered a flaw in the firmware of a top mobile carrier that may affect up to 30 other cell network devices.

The Register reports, “Security researchers have demonstrated a flaw in femtocells that allows them to be used for eavesdropping on cellphone, email and internet traffic. The researchers bought a femtocell for $250, and used open-source software to test out the bugging attack. They also managed to boost the range of the femtocell to enable a much wider radius of data-slurping beyond the advertised 40-meter radius. Since the firmware of femtocells is seldom updated, an attacker could eavesdrop for some time before being detected.”

Once notified of the firmware flaw, carriers are supposed to communicate with base station clients with a firmware update and instructions on how to install it. However, just like a consumer’s PC not being properly updated with antivirus or operating system-critical security patches, it is doubtful many of the devices have been updated.

If you have a cellular base station deployed in your home or office, it is advised that you contact your carrier and/or search out your cellular base station’s model number to see if there is a patch—and install it. Otherwise, anyone connecting to cellular base station should employ a virtual private network software such as Hotspot Shield VPN to encrypt wireless communications.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247.

5 Ways to Limit Mobile WiFi Risks

/in /by

WiFi is everywhere, and some connections are more secure than others. There are five ways to ensure more secure use of a mobile WiFi connection:

Turn off WiFi. The most secure WiFi is one that is turned off. Disabling the WiFi signal on your device prevents anyone from seeing your device. If WiFi is turned off, your device will use your carrier’s more secure 3G/4G network for transferring data and will likely count against your data plan.

Forget networks. Auto-connecting to networks isn’t just a pain due to some networks not having internet access, which then disrupts whatever you are doing; auto-connecting is also a security issue. “Forgetting” or un-checking “auto connect” prevents your mobile from randomly connecting to just any available WiFi.

Never pirate WiFi. If you connect to a homeowner’s or small business’ random WiFi network without permission, that is illegal—and the WiFi may even be set up specifically to skim your data as it passes through the network.

Use a VPN. A virtual private network (VPN) uses encryption to protect your data from unauthorized access. You will need to connect to a server or use a service. A VPN server may be available through your workplace, or you can install one at home. A quick search in your mobile application store will result in numerous free and paid VPN client apps. Hotspot Shield VPN is free and fast and supported with advertising. The paid version is under 30 bucks without ads and is even faster. Refer to your device manufacturer or network administrator for more information.

Only use https. “HTTPS,” or hypertext transfer protocol (HTTP) with secure sockets layer (SSL, hence the S after “HTTP”), is a more secure option set up by a website owner who knows security is essential. Look for “https://” in the address bar to signify you are on a secure page. Even on an open, unsecured wireless connection, HTTPS is more secure than HTTP.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247.