
Free Wi-Fi - Should you use it?

Sunday, June 14, 2015

With Wi-Fi becoming more and more prevalent in the places that you frequent, are the services safe to use with your mobile devices?

The free connections in cafés and hotels don't encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. One of the solutions we try to use, SSL encryption, has its issues as well. You initiate it when you put https:// in front of the URL that you want to access, or in many cases the site itself redirects to an SSL session automatically. This is the case with many financial sites as well as anything that needs to be HIPAA compliant.

Using a VPN tunnel helps to encrypt the session from your device to the site, but you will need to use a proxy service when you are not connecting back to a corporate or other provided VPN-controlled site.

While this is a much more secure connection, there is a security hole that can be taken advantage of. In many cases you must open a browser to a "captive portal", which comes from a local router when you ask to connect to the Internet. You may have to manually accept a terms of service agreement before your session can start.

While this is occurring, your VPN has not yet started, and depending upon the software that you run, you might be exposed at this point. If you have services running on your mobile device that begin checking for updated data automatically, like email, you are not going through a VPN to access them. The data that is streaming through is potentially available for anyone to see.

While this gap in coverage may only be a matter of seconds, that could be enough to expose valuable information like logon credentials. So how do you protect yourself?

Shaun Murphy, a founder of PrivateGiant (www.privategiant.com), which makes products to protect the security and privacy of online communications, suggests that you do it with a software firewall, either one that comes with your operating system or a third-party one:

The basic approach is to prevent all inbound and outbound connections on your public networks (or zones) with the exception of a browser that you use to connect to captive portals and such. That browser should be one you only use for this purpose and, perhaps, some lightweight browsing (certainly not email, social, or any other personally identifiable purpose.) Using that same firewall, set up a profile/zone for VPN traffic where inbound / outbound traffic are less restricted (I recommend blocking outbound connections by default and then adding in programs as needed, it's surprising how many programs call home... all the time.) The nice thing about this approach is your email client, primary web browser, and other applications you use will be useless unless you are actively connected to the VPN. 
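One way to express the policy Murphy describes on a Linux laptop, as an added example that is not part of the original post or any PrivateGiant product: a shell function that renders an nftables ruleset. The interface names, VPN endpoint and the dedicated portal-browser UID are assumptions, and the rules cover IPv4 Wi-Fi only.

```shell
# Added example: render an nftables ruleset for the "portal browser only" policy.
# Arguments (all values are assumptions supplied by the user):
#   $1 Wi-Fi interface    $2 VPN tunnel interface
#   $3 VPN server IPv4    $4 VPN server UDP port
#   $5 numeric UID of the account that runs the portal-only browser
# Apply with:  public_wifi_ruleset wlan0 wg0 203.0.113.10 51820 1500 | sudo nft -f -
public_wifi_ruleset() {
    [ $# -eq 5 ] || { echo "usage: public_wifi_ruleset WIFI VPN IP PORT UID" >&2; return 1; }
    wifi=$1 vpn=$2 vpn_ip=$3 vpn_port=$4 portal_uid=$5
    [ "$wifi" != "$vpn" ] || { echo "Wi-Fi and VPN interfaces must differ" >&2; return 1; }
    for n in "$vpn_port" "$portal_uid"; do
        case $n in
            ''|*[!0-9]*) echo "port and UID must be numeric" >&2; return 1 ;;
        esac
    done
    cat <<EOF
table inet public_wifi {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # DHCP replies from the hotspot; no other unsolicited inbound traffic.
        iifname "$wifi" udp sport 67 udp dport 68 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # Once the VPN is up, applications reach the network through the tunnel.
        oifname "$vpn" accept
        # On Wi-Fi: DHCP and DNS (queried hostnames stay visible to the hotspot).
        oifname "$wifi" udp dport { 53, 67 } accept
        # On Wi-Fi: the VPN handshake to the known server only.
        oifname "$wifi" ip daddr $vpn_ip udp dport $vpn_port accept
        # On Wi-Fi: only the dedicated portal-browser account may use HTTP(S).
        oifname "$wifi" meta skuid $portal_uid tcp dport { 80, 443 } accept
    }
}
EOF
}
```

With this loaded, a mail client that starts syncing before the tunnel exists has its packets dropped on the Wi-Fi interface. The tunnel rule is left open here; restricting it per program, as Murphy recommends, would replace the single `oifname "$vpn" accept` line.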

And the real solution to this problem isn't hacking with firewalls. What we need is encryption being provided by default in public Wi-Fi. We don't see this very often now because that would mean supplying passwords to you, the client, and the support overhead would be just too great in a busy environment like a café or restaurant. The result is that we have an insecure environment with bad but adequate usability.

In an article written for arstechnica.com, Larry Seltzer talks about a solution that has been available for years. He goes on to tell us that it is beginning to gain traction and that hopefully we will see this as the go-to protocol in the future.

The Wi-Fi Alliance has had a solution for this problem nearly in place for years, called Passpoint. The Passpoint protocol was created to allow for Wi-Fi "roaming" by creating a way for access points to grant access by way of a third-party credential, such as your Google ID or your ISP account. When you connect to a public access point through Passpoint, it authenticates you and establishes a secure connection using WPA2-Enterprise, the gold standard in Wi-Fi security—instead of leaving your traffic unencrypted or visible on the shared wireless LAN.

The reason that you don't yet see Passpoint everywhere is that it requires the Wi-Fi provider—such as a consumer ISP, Google, or Boingo—to trust certain authentication providers and to advertise a list of them to connecting devices—the longer, the better. And users would need to configure Passpoint on their system to use one or more of their credentials when connecting to such a network. There hasn't been wide adoption of Passpoint yet—while it's been put to use in certain high-volume locations, such as many airports, it's still pretty uncommon.

The Wi-Fi Alliance now says that Passpoint is gaining traction in the enterprise as a way to handle BYOD. That's interesting if true, but it doesn't address the pain point of public Wi-Fi privacy. Passpoint has the potential to close the VPN data leakage window and make public Internet services far more secure. In its absence, there is no good solution.
