Tom Olzak

Help for the Clueless

In Data Security, Email, Mobile Device Security, Network Security, Risk Management, Uncategorized on July 15, 2009 at 08:06

For the past four years, I haven’t connected to any public hotspot unless I was using a service which encrypts my session over the local network unless I was doing something not even remotely important online.  I did this—and continue to do so—because it’s been common knowledge for at least that long that connecting to public wireless is like posting your personal information on a bulletin board in the parking lot; it’s available to anyone interested in looking.

So why are so many users still connecting to hotel, airport, coffee shop, rogue, and restaurant public wireless networks and sending passwords, PINs, and other sensitive information in the clear?  A few years ago we might have given them the benefit of the doubt.  But today there is enough information available from numerous sources to ensure every computer user has at least heard that public wireless is dangerous.  In my opinion, the problem is they can’t be bothered or they have no clue how to protect themselves.

Evidence of the problem showed up recently in an online article in which the author writes,

“Much of the time, people just log in to the first robust network they see,” says AirTight spokeswoman Della Lowe. “When we did our airport study, we found only 3 percent of the people were using secure networks.” (Wireless Cybercriminals Target Clueless Vacationers, Fox Charlotte, 11 Jul 2009)

As security professionals, we may need to speak a little louder about solutions for this growing—and largely ignored—problem.  Every chance we get we should discuss with our mobile business users, acquaintances, and anyone else who will listen how to protect themselves, including:

  1. Resisting the urge to connect to the first hotspot they see without giving it some thought and without protecting their user session
  2. Using HTTPS-protected Web mail, such as Gmail
  3. Using online VPN services, such as WiTopia or ShareVPN, both fee-based but inexpensive

Going beyond one-off user solutions, organizations with more than a few mobile users should encourage or force their users to access the Internet via a company-hosted VPN solution, such as SSL VPN.  Under no circumstances should company laptops access the Web via public hotspots unless the sessions are encrypted, at least through the hotspot infrastructure.
