7 essential security tips for using free Wi-Fi networks

Fear is an excellent deterrent. It saps our confidence, curtails our energy and tempers our judgment. It forces us to change our direction and our thinking.

Rarely, though, do we let it change our behavior. The consequences of fear must be palpable, looming, for that to happen.

A recent article by Maurits Martijn for the Dutch crowdfunded site De Correspondent reminds us, however, that even when a threat is real, our response to it can be irrational.

Martijn wrote at length this month about the danger we face when joining unsecured public wi-fi networks — those that do not require a password to join. To demonstrate that danger, he strolled through central Amsterdam with self-described “ethical hacker” Wouter Slotboom — not the snooper’s real name — looking for cafés that provide free wi-fi.

At each location, Martijn and Slotboom sat at any table. Then Slotboom pulled from his backpack a small black device that he placed on the table and obscured with a menu. He then linked to the device with his laptop and in moments discovered the identities of every other laptop, smartphone and tablet used by every customer in the café.

Moments later, Slotboom obtained the network identity of those customers and with that was able to discover personal information about each.

“All you need is 70 euros (for the device), an average IQ, and a little patience,” Slotboom told Martijn.

The marketplace affords Slotboom and shady sorts of his ilk plenty of potential. More than half the U.S. population of 316 million owns a smartphone or laptop, and the number of tablet owners is catching up to both. All of those devices have connected to an open wi-fi network at least once, often without a device owner’s knowledge (the default on mobile devices is set to discover available networks).

And as the mobile market grows, more doors open for hackers. The threat intelligence firm Risk Based Security, Inc. estimates nearly 1 billion records — credit card information, medical records, passwords, social security numbers, etc. — were breached in 2013, with 65 percent of the activity occurring in the United States.

Risk Based Security says we’re on a pace to suffer well over 1 billion breaches this year.

The numbers are new but the rationale for them is not; stories about wi-fi security predate the advent of public hotspots. Yet many of us disregard the threat or expect strangers to respect our personal security. We choose convenience over caution. We invest trust where none was earned.

Such behavior today borders on irresponsible; lax personal security compromises the security of others if their information is on our devices. And the threat is not looming or imminent — it’s here, happening now, via unsecured wi-fi networks across the country.

It may even be happening to you now while you sip your latte.

So, curtail the risk and subdue your paranoia by taking these small, simple steps:

Choose the correct network — During Slotboom’s staged “man-in-the-middle” attacks, he created fictitious wi-fi networks on his computer for café customers to join, and dozens did. This simplified the task of discovering passwords and account numbers; people typed them directly into his network thinking it was legitimate. Slotboom often named the networks after real businesses to make them appear authentic. He urges users of free wi-fi to verify the network, either by asking the proprietor or checking the address on signs that promote the service, to avoid joining rogue networks by mistake.

If the option exists to pay for access to a secure network, take it. A little fee trumps a big headache.

Choose ‘https’ — That “s” extension after the “http” at the beginning of a Web address indicates the connection is secure and the connection to the Web server is authentic. Not all websites have this; still others provide both. Even so, only certain amounts of traffic are encrypted, not all of it. Regular users of unsecured networks help themselves by doing homework on whether the sites they visit have this layer of security before surfing in public, and they should never, ever, shop or do anything online involving a credit card while using unsecured wi-fi.

On some sites, you can add the “s” yourself. The Electronic Frontier Foundation distributes a browser extension called HTTPS Everywhere that encrypts your communications with many major websites and is available for Windows, Mac and Linux.

Use ‘two-step’ authentication — Many email providers and commercial websites have the option of a second login, where users receive a texted code they must type after their initial login to gain access. Two-step or two-factor authentication reduces the chance a hacker can gain access to an account with just the password.

Use a password manager — Sometimes we feel as though there is only enough RAM in our heads to get us through the day. This leads us to concoct simple or repeated passwords for the many websites we use that require a login. A password manager program generates unique and complex passwords for each site and keeps them locked up with one master password. Password managers also guard against keylogging — the surreptitious recording of keystrokes by hackers — by automatically filling in a site’s password field.

Turn off sharing; turn on firewalls — The sharing feature allows mobile devices to connect with other devices and networks. Free wi-fi users should disable this feature when not in need of sharing. (The instructions are different for Windows and Mac.) At the same time, make sure the device’s firewall (Windows/Mac) is active and working.

Invest in a VPN — A virtual private network, or VPN, encrypts traffic between devices and designated VPN servers, thus creating a private network across a public network. VPNs run shared data through a point-to-point connection that shields the data from unwanted interference much like an umbrella shields you from the rain. Many businesses employ VPNs to let employees access company networks remotely.

The best VPNs cost a small fee for full protection. VPNs also slow down page-load speeds somewhat. Still, they add an element of confidence in an uncertain environment.

Update all software — Finally, make sure your antivirus and anti-malware programs are up to date, and install all the latest operating system upgrades. These upgrades not only enhance overall performance, they also contain patches and fixes that help hold back the most recent security threats lurking across the Web — or across the room.
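The first tip above, verifying the network name before joining, can be partly automated on a laptop. The Python sketch below is an added example, not part of the original post; the network names, BSSIDs and the `review_scan` function are constructed for illustration, and the verified name and security type are assumed to come from the proprietor or the venue's signage.

```python
from difflib import SequenceMatcher

# Constructed scan results (not real data), shaped like a Wi-Fi scanner's list.
SCAN = [
    {"ssid": "GrandCafe-Guest", "bssid": "02:00:00:aa:00:01", "security": "WPA2"},
    {"ssid": "GrandCafe-Guest", "bssid": "02:00:00:bb:00:09", "security": "open"},
    {"ssid": "GrandCafe Guest FREE", "bssid": "02:00:00:bb:00:0a", "security": "open"},
    {"ssid": "HomeRouter-5G", "bssid": "02:00:00:cc:00:03", "security": "WPA2"},
]


def _norm(ssid):
    """Lower-case and drop spaces/punctuation so near-identical names compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def review_scan(scan, verified_ssid, verified_security, verified_bssids=()):
    """Return (bssid, reason) warnings for networks that imitate the verified one.

    verified_* values are what the venue told you; verified_bssids is optional.
    """
    warnings = []
    want = _norm(verified_ssid)
    for net in scan:
        name = _norm(net["ssid"])
        similarity = SequenceMatcher(None, name, want).ratio()
        if net["ssid"] == verified_ssid:
            # Exact name match: the security type must also match what the venue stated.
            if net["security"] != verified_security:
                warnings.append((net["bssid"], "same name, different security"))
            elif verified_bssids and net["bssid"] not in verified_bssids:
                warnings.append((net["bssid"], "same name, unknown access point"))
        elif want in name or similarity >= 0.8:
            # Name borrows or closely resembles the venue's name without being it.
            warnings.append((net["bssid"], "lookalike name"))
    return warnings


if __name__ == "__main__":
    for bssid, reason in review_scan(SCAN, "GrandCafe-Guest", "WPA2"):
        print(f"do not join {bssid}: {reason}")
```

A clean result is not proof of safety: a rogue access point can copy the security type and BSSID as well as the name, so the later tips (https, VPN, two-step authentication) still apply.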

(Editor’s note: This post first appeared on Net Worked, the technology blog for the Society of Professional Journalists.)

The party is over for Twitter

If someone asks you to explain Twitter, say this: Twitter is a cocktail party.

Or it was until Friday.

At these parties, people mingle and move from one conversation to another, from one group to another. Discussions are mixed with fact, fallacy, innuendo and rumor, but they engage us, entice us. We soon perceive the party to be a community bound by the threads of its distinct blend of interactions.

Now, imagine someone bursts into the party and into your conversation while blurting comments unrelated to the discussion.

That sort of rude, boorish behavior is considered an apt description of Twitter’s new policy to inject tweets into users’ feeds while simultaneously abandoning chronological display of tweets, arguably one of the platform’s best and most logical qualities. Twitter made the change formal in a recent blog announcement but has been toying with the platform’s dynamics all summer.

Call it the triumph of algorithms over logic.

“Choosing who to follow is a great first step — in many cases, the best tweets come from people you already know, or know of,” Twitter product team member Trevor O’Brien wrote in the blog. “But there are times you might miss out on tweets we think you’d enjoy.” (Emphasis added.)

Twitter measures interactions much as Facebook does and depends on users’ broad interactions to maintain viability. The more followers a user has, the greater the user’s audience engagement.

But Twitterers need time and constant tweeting to develop a large following. Twitter has figured that by altering the dynamic it can save users time and effort, which likely increases overall audience engagement. This in turn would make the platform look more appealing to investors.

Twitter obviously sees a trend that must be followed to maintain the platform’s viability. That or maybe Twitter had tired of seeing us talk to the same people over and over.

By pushing people uninvited into conversations, Twitter risks alienating its constituency, reminding users of the times they engaged in conversations and somebody who was inebriated or arrogant or uninformed, or singularly cursed with all three qualities, butted in.

Pleas abound urging Twitter to not be that kind of platform.

Social media is, above all else, a conversation. The tools can be fancy and fun, but subtract those and what remains is mere dialog — the communication of thoughts, hopes and experiences to create a bond, however briefly, between individuals.

In creating that bond, we enter into an informal social contract, roughly defined as an agreement between participants to keep the conversation relevant and pertinent to one another’s interests. When other people interrupt, the tolerant among us weigh for an instant whether the intrusion adds value. The intolerant among us give more weight to the intrusion than its rationale.

Occasionally, interruptions are acceptable. But when the interruptions are constant they become annoying and we resist them, ignoring any potential value added to the conversation.

Twitter’s greatest strength was its ability to maintain order and logic to digital discussions. Lacking that strength, Twitter becomes a party nobody wants to attend.

Journalism conference avoids Opryland controversy

(This post originally appeared on Net Worked, the technology blog for the Society of Professional Journalists.)

The Internet service controversy that warranted a federal fine against owners of the Gaylord Opryland Resort and Convention Center in Nashville, Tenn., did not affect Excellence in Journalism 2014 last month.

Joe Skeel, SPJ’s executive director, says wi-fi access was generally good for the 950 or so members of the Society of Professional Journalists and of the Radio Television Digital News Association who attended the three-day conference, Sept. 4-6.

So, too, was the price SPJ paid for a dedicated network.

“We didn’t hear complaints directly,” Skeel said in an email to Net Worked about attendees accessing the Internet in the conference meeting space and the hotel rooms. “There was some early chatter on social media, but that seemed to subside once we increased our bandwidth.”

On Friday, the resort’s owner, Marriott International Inc., announced it had agreed to pay a $600,000 civil penalty ordered by the Federal Communications Commission for its practice of blocking access to personal wireless hotspots created by Gaylord Opryland guests, thus forcing them to pay for access to the resort’s dedicated networks. The complaint that spawned the penalty dates back to March 2013.

The resort also was accused of charging individuals, small businesses and exhibitors up to $1,000 per device for access to those networks.

“It is unacceptable for any hotel to intentionally disable personal hotspots while also charging consumers and small businesses high fees to use the hotel’s own wi-fi network,” the FCC said in a statement.

Marriott International responded by saying it defended Gaylord Opryland’s actions as a means of protecting the resort and its customers “from rogue wireless hotspots that can cause degraded service, insidious cyber-attacks and identity theft” and asked the FCC to clarify its policy.

Besides the civil penalty, Marriott International must cease all wi-fi blocking at Gaylord Opryland and come up with a better way to monitor network security at all of its 4,000-plus properties.

EIJ15 is scheduled for the World Center Marriott in Orlando, Fla.

Skeel said SPJ contracted for free dedicated wi-fi for EIJ14 and the overall cost for that amount of service at Gaylord Opryland was significantly less than at previous EIJ venues. He declined to disclose the contract’s terms.

“Given that SPJ negotiated free wi-fi in guest rooms and meeting space for attendees and exhibitors, I don’t see how this issue came into play for EIJ14,” Skeel said. “If an attendee was blocked from using a personal hotspot, she would have had access to our network — free of charge. I’m not excusing Opryland from the practice. But I don’t think it was an issue for us.”