Fear is an excellent deterrent. It saps our confidence, curtails our energy and tempers our judgment. It forces us to change our direction and our thinking.
Rarely though do we let it change our behavior. The consequences of fear must be palpable, looming, for that to happen.
A recent article by Maurtis Martijn for the Dutch crowdfunded site De Correspondent reminds us however that even when a threat is real, our response to it can be irrational.
Martijn wrote at length this month about the danger we face when joining unsecured public wi-fi networks — those that do not require a password to join. To demonstrate that danger, he strolled through central Amsterdam with self-described “ethical hacker” Wouter Slotboom — not the snooper’s real name — looking for cafés that provide free wi-fi.
At each location, Martijn and Slotboom sat at any table. Then Slotboom pulled from his backpack a small black device that he placed on the table and obscured with a menu. He then linked to the device with his laptop and in moments discovered the identities of every other laptop, smartphone and tablet used by every customer in the café.
Moments later, Slotboom obtained the network identity of those customers and with that was able to discover personal information about each.
“All you need is 70 euros (for the device), an average IQ, and a little patience,” Slotboom told Martijn.
The marketplace affords Slotboom and shady sorts of his ilk plenty of potential. More than half the U.S. population of 316 million owns a smartphone or laptop, and the number of tablet owners is catching up to both. All of those devices have connected to an open wi-fi network at least once, often without a device owner’s knowledge (the default on mobile devices is set to discover available networks).
And as the mobile market grows, more doors open for hackers. The threat intelligence firm Risk Based Security, Inc. estimates nearly 1 billion records — credit card information, medical records, passwords, social security numbers, etc. — were breached in 2013, with 65 percent of the activity occurring in the United States.
Risk Based Security says we’re on a pace to suffer well over 1 billion breaches this year.
The numbers are new but the rationale for them is not; stories about wi-fi security predate the advent of public hotspots. Yet many of us disregard the threat or expect strangers to respect our personal security. We choose convenience over caution. We invest trust where none was earned.
Such behavior today borders on irresponsible; lax personal security compromises the security of others if their information is on our devices. And the threat is not looming or imminent — it’s here, happening now, via unsecured wi-fi networks across the country.
It may even be happening to you now while you sip your latte.
So, curtail the risk and subdue your paranoia by taking these small, simple steps:
Choose the correct network — During Slotboom’s staged “man-in-the-middle” attacks, he created fictitious wi-fi networks on his computer for café customers to join, and dozens did. This simplified the task of discovering passwords and account numbers; people typed them directly into his network thinking it was legitimate. Slotboom often named the networks after real businesses to make them appear authentic. He urges users of free wi-fi to verify the network, either by asking the proprietor or checking the address on signs that promote the service, to avoid joining rogue networks by mistake.
If the option exists to pay for access to a secure network, take it. A little fee trumps a big headache.
Choose ‘htpps’ — That “s” extension after the “http” at the beginning of a Web address indicates the connection is secure and the connection to the Web server is authentic. Not all websites have this; still others provide both. Even so, only certain amounts of traffic are encrypted, not all of it. Regular users of unsecured networks help themselves by doing homework on whether the sites they visit have this layer of security before surfing in public, and they should never, ever, shop or do anything online involving a credit card while using unsecured wi-fi.
On some sites, you can add the “s” yourself. The Electronic Frontier Foundation distributes a browser extension called HTTPS Everywhere that encrypts communications between major websites and is available for Windows, Mac and Linux.
Use ‘two-step’ authentication — Many email providers and commercial websites have the option of a second login, where users receive a texted code they must type after their initial login to gain access. Two-step or two-factor authentication reduces the chance a hacker can gain access to an account with just the password.
Use a password manager — Sometimes we feel as though there is only enough RAM in our heads to get us through the day. This leads us to concoct simple or repeated passwords for the many websites we use that require a login. A password manager program generates unique and complex passwords for each site and keeps them locked up with one master password. Password managers also guard against keylogging — the surreptitious recording of keystrokes by hackers — by automatically filling in a site’s password field.
Turn off sharing; turn on firewalls — The sharing feature allows mobile devices to connect with other devices and networks. Free wi-fi users should disable this feature when not in need of sharing. (The instructions are different for Windows and Mac.) At the same time, make sure the device’s firewall (Windows/Mac) is active and working.
Invest in a VPN — A virtual private network, or VPN, encrypts traffic between devices and designated VPN servers, thus creating a private network across a public network. VPNs run shared data through a point-to-point connection that shields the data from unwanted interference much like an umbrella shields you from the rain. Many businesses employ VPNs to let employees access company networks remotely.
The best VPNs cost a small fee for full protection. VPNs also slow down page-load speeds somewhat. Still, they add an element of confidence in an uncertain environment.
Update all software — Finally, make sure your antivirus and anti-malware programs are up to date, and install all the latest operating system upgrades. These upgrades not only enhance overall performance, they also contain patches and fixes that help hold back the most recent security threats lurking across the Web — or across the room.
(Editor’s note: This post first appeared on Net Worked, the technology blog for the Society of Professional Journalists.)