Secure Public Internet Access

Published: Jan 20, 2017   |   1109 words with about 6 minutes reading time   |   ©2022 by Bob Smith
Category: Technology   |   Tags: Black hat Pentest Pineapple

The digital economy continues to drive demand for WiFi access everywhere. Users expect convenience features that automatically connect them to these networks using stored passwords. Among these requirements lurk serious personal security threats. Basic awareness of the hazards and vigilance are all that is required to avoid entanglements.

The first 360 words identify personal threats and how to vanquish them. An additional 750-word investment covers the Internet security landscape, unlocking the jargon.

The Essentials

Untrusted or open networks either don't require usernames or passwords at all, or hand credentials out freely to anyone. All that's usually needed to get network access is accepting an online agreement, which means there is insufficient control over who is on the network.

Trusted or closed networks restrict access to known users with individualized credentials. When only user credentials are required, this is called single-factor authentication. But just because a network looks official and asks for credentials does not guarantee it's authentic or safe.

A Pineapple You Can Trust

Beware of public single-factor WiFi networks. Access points with authentic-looking sign-on screens are easy and inexpensive to duplicate. These rogue devices, known as Pineapples, are named for the traditional sign of hospitality. They impersonate legitimate networks, luring unsuspecting WiFi seekers into giving up their credentials. Since most people use the same online credentials everywhere, the bandits also get the Amazon account, the bank account and more.

Often, the rogue device will pass the user on to the Internet, providing the expected experience but with a man in the middle capturing every byte the user sends and receives.

Laptop and mobile device convenience features that remember and automatically enter single-factor WiFi credentials put users in harm's way without their knowledge. Identity theft isn't a good trade for convenience.
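The impersonation described above has a visible signature on the client side: a remembered network name suddenly broadcast by a radio the device has never associated with, or offered without the encryption it normally uses. The following is an added example, not code from the original article, showing how a client could screen a scan before auto-joining. The scan format, the remembered-network profile layout and all MAC addresses are constructed for illustration.

```python
"""Evil-twin screening for a Wi-Fi scan before auto-join.

Added example, not part of the original article. Assumes a scan result as a
list of (ssid, bssid, channel, security) tuples; the profiles and scan below
are constructed sample data with hypothetical MAC addresses.
"""

# Networks the user has deliberately joined before: the radios (BSSIDs) seen
# for each name and the security type it was joined with. Constructed.
KNOWN_NETWORKS = {
    "CoffeeShop_Guest": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
                         "security": "WPA2"},
    "HomeNet": {"bssids": {"11:22:33:44:55:66"}, "security": "WPA2"},
}

# Constructed scan: (ssid, bssid, channel, security). The second entry looks
# like a Pineapple: a remembered name on an unknown radio, offered open.
SAMPLE_SCAN = [
    ("CoffeeShop_Guest", "aa:bb:cc:00:00:01", 6, "WPA2"),
    ("CoffeeShop_Guest", "de:ad:be:ef:00:01", 11, "OPEN"),
    ("HomeNet", "11:22:33:44:55:66", 1, "WPA2"),
    ("Free Airport WiFi", "de:ad:be:ef:00:02", 6, "OPEN"),
]


def find_suspicious(scan, known=KNOWN_NETWORKS):
    """Return (ssid, bssid, reason) for every advertised network that should
    block auto-join. Two heuristics, neither a proof of attack on its own
    (venues do add access points), but both are what impersonation looks like:
      1. a remembered SSID broadcast by a radio never seen before;
      2. a remembered encrypted SSID offered as an open network.
    """
    findings = []
    for ssid, bssid, _channel, security in scan:
        profile = known.get(ssid)
        if profile is None:
            continue  # never joined; nothing remembered to compare against
        if bssid.lower() not in profile["bssids"]:
            findings.append((ssid, bssid, "unknown radio broadcasting a remembered name"))
        if profile["security"] != "OPEN" and security == "OPEN":
            findings.append((ssid, bssid, "remembered as encrypted but offered open"))
    return findings


def safe_to_autojoin(ssid, scan, known=KNOWN_NETWORKS):
    """Auto-join a remembered name only if no radio advertising it is flagged.
    Unknown names are never auto-joined; the user decides explicitly."""
    flagged = {s for s, _, _ in find_suspicious(scan, known)}
    return ssid in known and ssid not in flagged


if __name__ == "__main__":
    for ssid, bssid, reason in find_suspicious(SAMPLE_SCAN):
        print(f"do not auto-join {ssid!r} via {bssid}: {reason}")
    for name in ("HomeNet", "CoffeeShop_Guest", "Free Airport WiFi"):
        print(f"{name!r}: auto-join {'allowed' if safe_to_autojoin(name, SAMPLE_SCAN) else 'blocked'}")
```

The design choice is deliberately conservative: one flagged radio blocks auto-join for the whole name rather than only that radio, because a client cannot tell which of two identically named access points will answer first.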

A better way to assure security, for both parties, is an additional authentication step. Multi-factor authentication requires additional challenges beyond the single-factor credential entry.

A common two-factor system challenges unrecognized computers to further authenticate by entering a code sent to another device like a mobile phone designated by the user. While the additional layer is better, if both devices are compromised, it’s useless.

More secure is a challenge of information known only to both parties. A user-selected image presented for verification after initial authentication is impossible for a Pineapple to know.
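The two steps just described, a one-time code for unrecognized devices and a user-chosen image shown before the code is requested, fit together into one login flow. Below is an added example of that flow, not code from the original article. The one-time code uses the HMAC-based algorithm of RFC 4226 (HOTP); the user record, password handling and device-trust bookkeeping are constructed stand-ins for a real account store.

```python
"""Second-factor login flow: user-chosen image, then a one-time code.

Added example, not part of the original article. The one-time code is RFC 4226
HOTP (HMAC-SHA1, dynamic truncation). The USERS table, plaintext password and
device identifiers are constructed to keep the example short; a real service
stores a password hash, not the password.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for a shared secret and a moving counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed account record. The OTP secret is the RFC 4226 test-vector secret.
USERS = {
    "alice": {
        "password": "correct horse",            # constructed; hash this in practice
        "otp_secret": b"12345678901234567890",
        "counter": 0,                            # next HOTP counter to accept
        "image": "img_sailboat.png",             # chosen by the user at enrolment
        "trusted_devices": {"laptop-01"},        # devices that already passed step 2
    }
}


def step1_password(username: str, password: str, device_id: str):
    """First factor. Returns ("fail", None) on bad credentials, ("ok", None) from a
    trusted device, or ("show_image", image) when a second factor is required.
    The image is sent by the genuine service only, so an impersonating login page
    cannot reproduce it; the user should stop if the wrong picture appears."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
        return ("fail", None)
    if device_id in user["trusted_devices"]:
        return ("ok", None)
    return ("show_image", user["image"])


def step2_code(username: str, code: str, device_id: str, look_ahead: int = 3) -> bool:
    """Second factor. Accept the code only if it matches one of the next few counter
    values, then move the counter past it so the same code cannot be replayed."""
    user = USERS[username]
    for c in range(user["counter"], user["counter"] + look_ahead):
        if hmac.compare_digest(hotp(user["otp_secret"], c), code):
            user["counter"] = c + 1
            user["trusted_devices"].add(device_id)
            return True
    return False


if __name__ == "__main__":
    status, image = step1_password("alice", "correct horse", "phone-09")
    print(status, image)                         # show_image img_sailboat.png
    print(step2_code("alice", hotp(b"12345678901234567890", 0), "phone-09"))  # True
    print(step2_code("alice", hotp(b"12345678901234567890", 0), "phone-09"))  # False (replay)
```

The counter advance in `step2_code` is what makes a captured code worthless a second time, and `compare_digest` keeps the comparison constant-time. The image in `step1_password` only helps if the user actually checks it; it is the one piece of the exchange an impostor page cannot supply.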

Lastly, life and work styles that require frequent use of open networks should be inoculated with a live virus-checking application that scans network traffic in real time for sinister activity and quarantines potential damage.

Take-aways

The Rest of the Story

White is the New Black

Effective cyber security agents, whether exploiting or defending, are hackers using the same skills and tools to further their objectives. The security industry refers to White Hats as those who work to recognize and mitigate electronic threats. Black Hats work to detect and exploit electronic threats for social, political or profit motivations.

Network infiltration happens for three reasons.

  1. Retrieve digital assets like emails and credit card numbers;
  2. Deposit digital assets, like a small well-hidden program, bot, with a particular mission;
  3. Create mischief to cause damage or service interruption.

A prime example is luring unsuspecting users to download virus bots from legitimate-looking websites. At a pre-set time, all the infected devices activate and begin streaming random data to a specific site. Called Distributed Denial of Service (DDoS) attacks, they live up to their name by using many computers (distributed) to overwhelm (deny) a resource (service) to impede commerce or other activity for protest or ransom. DDoS attacks have been a favorite exploit since the beginning of the Internet because the devastation leveled is significant against the simplicity of execution.
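The "many computers at once" character of a DDoS is also what makes its onset visible in a server's own logs: request volume and the number of distinct sources jump together. The following added example, not code from the original article, runs a sliding-window detector over constructed web-server log lines. The log line format and the threshold values are assumptions chosen for the sample; a real deployment tunes them against its own baseline.

```python
"""Onset detector for a distributed flood, run over constructed log lines.

Added example, not part of the original article. Assumes a (constructed) log
line of the form "<ISO-8601 UTC timestamp> <client IP> <method> <path>" and
lines in time order. Thresholds are illustrative, not recommended defaults.
"""
from collections import deque
from datetime import datetime, timedelta, timezone


def parse_line(line: str):
    """Return (timestamp, client_ip) from one log line."""
    ts, ip, _method, _path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), ip


def detect_floods(lines, window_seconds=10, min_requests=30, min_sources=20):
    """Slide a time window over the log and return (window_start, n_requests,
    n_sources) once per breach onset. A breach needs BOTH a high request count
    and many distinct sources: volume alone from one client is a different
    problem (and is handled by per-client limits), while many sources at once
    is the distributed signature described in the text."""
    window = deque()          # (timestamp, ip) pairs inside the current window
    span = timedelta(seconds=window_seconds)
    alerts, in_breach = [], False
    for line in lines:
        ts, ip = parse_line(line)
        window.append((ts, ip))
        while window and ts - window[0][0] > span:
            window.popleft()
        n_req = len(window)
        n_src = len({entry[1] for entry in window})
        breach = n_req >= min_requests and n_src >= min_sources
        if breach and not in_breach:
            alerts.append((window[0][0], n_req, n_src))
        in_breach = breach
    return alerts


def constructed_log():
    """Sixty seconds of normal traffic from three regular clients, followed by
    forty distinct sources (203.0.113.0/24, a documentation range) each sending
    one request inside the same five seconds. Entirely constructed sample data."""
    base = datetime(2016, 10, 21, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for s in range(60):
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            t = base + timedelta(seconds=s)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} {ip} GET /")
    for i in range(40):
        t = base + timedelta(seconds=60 + i % 5)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 203.0.113.{i + 1} GET /")
    lines.sort()              # fixed-width timestamps sort lexically into time order
    return lines


if __name__ == "__main__":
    for start, n_req, n_src in detect_floods(constructed_log()):
        print(f"flood onset at {start:%H:%M:%S}: {n_req} requests from {n_src} sources in 10s")
```

Normal traffic here is heavy enough to pass the request-count threshold on its own, so the distinct-source condition is what separates a busy site from an attack; an alert fires once at onset rather than on every subsequent line so that the detector does not itself become noise during the flood.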

A new variant, DDoS to Bitcoin (DDoS2B), leverages an unregulated international currency for certain and untraceable ransom attacks. Previously, Black Hats had to enter the international cat and mouse game of using PayPal to get their ransom demands.

Attacks aren't limited to big corporations. Black Hats target smaller businesses by infiltrating and locking down every document they can find. An unlock key is offered, usually for five Bitcoins (~$3,500) and up. A time bomb will permanently destroy all files if the victim takes too long to pay the ransom.

Many attacks retrieve information or press trusted devices into creating trouble. Nothing prevents Black Hats from depositing potentially damaging files like kiddie porn onto unsuspecting computers.

Hacking Through the Wall

The more recognized form of security breach, popularized by Matthew Broderick in Ferris Bueller's Day Off (changing grades) and War Games (activating the game Thermonuclear War), involves gaining access to a trusted network from outside over the Internet. The corporate perimeter is protected by systems designed to allow only authentic and credentialed access, known as firewalls. The Black Hat probes the edge looking for defects to exploit that allow them to enter. Sophisticated programs for this have been freely available on the Internet since 1995.

Socially Engineered Breaches

Often, non-electronic methods are simpler and less time-consuming. Small, hard-to-detect devices, smaller than a pack of cigarettes and costing less than $35, placed inside a corporate location on the network can cause a ruckus.

Unsophisticated social engineering gets the rogue device onto the network. Posing as a copier serviceman, the attacker enters the business on the excuse of a routine inspection and attaches the device to the back of a copier. Few would notice it. After it has run for some period, the serviceman returns and retrieves the device, now full of valuable information. The less outgoing may just have the appliance phone home the collected information at a particular time.

Getting Ready For A Much Larger Picture

The Internet of Things (IoT) will add another 20 billion devices to the Internet by 2020 (Gartner - 2015). These devices will slip into beneficial and crucial parts of our lives. Inexpensive, low-powered, single-purpose and numerous, these devices are an ideal platform for sinister activity to infiltrate and exploit.

A DDoS attack in October 2016 used Samsung smart refrigerators as unwitting accomplices. Thousands of refrigerators were programmed to join forces simultaneously and overwhelm key Internet address resolvers slowing down network performance for many.

Western Digital cloud-connected backup hard drives recently created an inadvertent attack. All their drives, upwards of 100,000, had a bad line of code. Simultaneously, they all went to work trying to connect to a mistyped web address, overrunning key Internet functions in the process.

As discussed, threat awareness is key to not being a mark for Black Hats. Common-sense vigilance, not succumbing to sketchy WiFi networks or allowing convenience to outwit your identity, will make you a less attractive target.