I’m a sales guy. But since Lunarline is a high-growth cyber security company, we occasionally find ourselves short-handed. When that happens, management tracks me down at happy hour, drags me back to the office and makes me do actual work.
While doing real work is a drag, I have learned a few things about cyber security along the way. I’ve babysat SIEMs and configured firewalls. I’ve ridden shotgun on pen tests. I even spent a year onsite with one of our federal clients.
So while I may be a sales guy, I’m also pretty comfortable with cyber security terms and techniques.
Which is why ArsTechnica’s great article on the secure use of open Wi-Fi got me thinking. Really thinking. As in, this-is-so-hard-my-head-hurts-make-it-stop-please-type thinking.
Because even as a semi-security pro, I still had a really difficult time following along. And if after a decade in the security industry, I have a hard time with this stuff, what hope is there for the average computer user?
Shhhh…Your Computer Has Things to Say
When you put a password on your home Wi-Fi network, you’re doing more than denying your neighbors a sweet deal on internet. You’re laying the groundwork for some pretty nifty encryption to protect your data as it flows from your computer to your wireless router and out to the web.
This is what makes open, public Wi-Fi — the kind without a password that you might use at a local coffee shop — so dangerous. Even if you’re doing something totally innocuous, like flipping through the news, your computer is TMI-ing every device in range. It’s all like, “Hey, over here! This is Spence’s computer. He’s signed into his work email. But he’s not really working; he’s on Facebook. Oh, hey, hey, hey, look everyone, he just sent a username in the clear! And hooray, there’s his password! And hmmm, he’s using an outdated version of…”
Shut Up Already!
It’s hard to get your computer to quit over-sharing. But you can at least shove a sock in its digital mouth so all that blabbering emerges as nothing more than unintelligible mumbling.
That gag is a Virtual Private Network (VPN). Many security-conscious folks use VPNs to create encrypted “tunnels” over public Wi-Fi and out to trusted, pre-configured environments. Once safely connected to that trusted environment, they can work securely on an internal, private network or rejoin the public internet under more controlled conditions.
This improves your personal security posture because most (but not necessarily all…) data sent from the originating device through the VPN to the trusted environment is encrypted. This helps keep eavesdroppers from sniffing traffic sent over open Wi-Fi connections.
Or Does it?
The ArsTechnica article tears the horn off this cute little security unicorn.
Think about the last time you connected to a public Wi-Fi hotspot. While your computer may have connected automatically, you probably had to use your browser to hit a “captive portal” and agree to some terms and conditions before actually accessing the internet.
And there’s the rub. You may think that you’re safely buried in a VPN tunnel. But your VPN can’t establish an encrypted connection until it has a free and clear path to the internet. You don’t have a free and clear path to the internet until after you navigate the captive portal. And that takes an eternity in computer time (in real time too for that matter…).
Meanwhile, your little chatterbox doesn’t waste a nanosecond. Your computer spends that digital eternity broadcasting all sorts of information that could give eavesdroppers clues on how to attack your system. Worse, depending on how you’ve configured your device, your machine may attempt to fire up chat, check email or log into websites — all in the clear.
Put a Muzzle on Your Machine
ArsTechnica provides a security solution to the open Wi-Fi security challenge. But their solution requires an understanding some tough stuff, like:
- Wi-Fi encryption
- VPN configuration
- Firewall configuration
- Operational security best practices
These are technical concepts — ones that I barely grasp, despite being around this stuff every day for the last decade. And that’s a problem. The security industry needs to make cyber defense as intuitive as an iPhone if we’re going to equip non-IT personnel with the tools they need to fight back against cyber crime.
Thankfully intuitive design need not come at the expense of capability. Here are some handy usable security and privacy tools that somehow make security seem easy.
Disconnect.me: I really love what Disconnect.me is doing. Disconnect.me lets you anonymously use any search engine, proxied through Disconnect servers, to avoid having your searches tracked. Disconnect also make a great plugin that blocks websites from siphoning data. It’s shocking how many sites take your data and send it off to providers across the internet. And of course, they have a snazzy, easy to use VPN to further muddy the waters and help preserve online privacy.
TOR: TOR conjures up images of the Dark Web or of dissidents taking extreme precautions to hide from oppressive governments. It sounds really intimidating. But truthfully it’s super easy to use. It’s built on Firefox, and works just like any browser. It also includes two of my favorite plugins, HTTPS Everywhere and NoScript.
Browser extensions: There are piles of extensions that can improve the security of your computer, but some of my favorites include: HTTPS Everywhere, NoScript, AdBlock, Flashblock and Disconnect.me. (If you really want to geek out on browser extensions, I recommend reading through this text from USENIX (PDF).
Password managers: Most people have about a billion passwords. And the unfortunate reality is that most people use ridiculously easy to remember words and phrases. Your pet’s name, birthday or (gag!) 123456 do not a secure password make. Password managers, like LastPass and Dashlane not only securely store your passwords, but also can automatically create complex passwords with just a push of a button. (For a complete list of password managers, check out these ratings from PC Magazine.)
Two-factor authentication: Most of us authenticate to an email provider using just one method: username and password (i.e. something you know). When you combine this technique with something you have, in addition to something you know, you significantly increase your personal security posture by using two-factor authentication. Many two-factor authentication systems work by sending a code to your phone (something you have), after you input something you know (your username and password). While this may sound a bit annoying, two-factor authentication is really easy to use. And it makes it a lot harder for cyber crooks to swipe your information. Email services, social media platforms, financial institutions and pretty much any organization that takes the security of its customers seriously offers two-factor authentication on their accounts. But it doesn’t do you any good if you’re not actually using it.
FileVault: Apple’s full disc encryption solution, FileVault, prevents access to data stored on your startup disc with a hefty XTS-AES 128 encryption. It also offers several password recovery methods if you happen to forget the words or phrases that unlock your entire machine. Smart, Apple, very smart.
But What About Secure Use of Open Wi-Fi?
Getting back to the ArsTechnica article, you want to know one tool that is still way too hard to use? Firewalls. Because they can be used to restrict both inbound and outbound communications, Firewalls are a key part of any personal security solution, particularly when using open Wi-Fi. But I’ve messed with dozens of them, and I find them all impossible. I’d love to see the security community come out with a ridiculously easy personal Firewall for managing both inbound and outbound communication.
Are there any usable security tools that you recommend? Hit me up at firstname.lastname@example.org, and I’ll feature your preferred solution in a follow-up post.