Registered
Network Security on Shared Wifi?
Suppose you are connecting to the Internet via a shared wifi network. Maybe at an airport or coffee shop, maybe from your office or desk in a "co-working" space. How can you make sure that other people using the network cannot access your computer or the email, files, data you are sending or receiving?
Will using a VPN be enough? Given that you're accessing the VPN through the shared wifi? Is there hardware you can use?
__________________
1989 3.2 Carrera coupe; 1988 Westy Vanagon, Zetec; 1986 E28 M30; 1994 W124; 2004 S211 What? Uh . . . “he” and “him”?
Gon fix it with me hammer
All network connectivity happens within the OSI model
The data you send and receive over the internet is only as secure as the encryption used, typically at the Presentation Level (but it can be done at a lower level as well, for instance with a VPN, or hardware encryption on the network etc etc). But the application should not rely on lower levels to do the encryption.

So essentially it should not matter to you if you use a UTP cable connected to an Ethernet switch, or a Wifi connection to a known and safe access point, or a Wifi connection to a shared Wifi access point. As far as sending and receiving data, it should be secured before it hits the air or cable.

Because in the end, how would you know if there is somebody further upstream who might just connect his laptop to a physical network switch in the datacenter? A geek with too much time, for instance, that just eavesdrops on whatever traffic passes through? Or the NSA or anybody else with an interest in whatever?

A VPN in that case will only move the weak spot to another datacenter. Your communication will come out in the open at the end point of the VPN vs the access point of your internet connection.

It doesn't matter if you use Wifi or Ethernet cable, or Token Ring or whatever you want. Unless you are on a fully secured, local network and you are not sending anything out of that network, you cannot control the security of the network when you go "online".

So your security has to be done at the 2 end points of the transmissions.

- Mailserver <> client
- Browser <> Webserver
- etc etc

The only big issue with shared Wifi is lack of control over the content. If you connect to an unknown, shared, public wifi, you may be connected to a malicious network set up to misdirect you to a fake webbanking website where they social engineer you into giving them your password and clear out your bank account. They can do this by DNS, by replacing the IP of www.mybank.com with their own, where they have a copy of that website.

It's a similar trick that can be done with a trojan virus on your home pc. So the issue is not limited to shared wifi.

That's where SSL certificates come into play. Those validate the website; they serve as a confirmation that the website you are looking at is in fact the right one. It's quite complicated but it's something they cannot fake as long as your computer has not been hacked first.

You want to go to ![]()

And instead you'd be looking at http://login.mybank.com

No green, no SSL closed lock, no httpS, nothing. The better ones would have a fake self-signed certificate that looks nothing like your normal bank and your browser would warn you that the certificate is untrusted or expired.

So again, the security against this happens on your pc.

- Have a good antivirus with internet firewall protection (that blocks incoming hackers) and with internet browser protection (that warns you about spoofed websites)
- Make sure your OS is patched
- Make sure you are on the right website
- Check the SSL certificates: https://www.globalsign.com/en/blog/how-to-view-ssl-certificate-details/
- Do not proceed with your login if you get a certificate warning.
- And use decent passwords and don't use the same password for everything; have levels of passwords for important and less important accounts.

Probably 99% of all successful hacks are done at the end user's side; that is the weakest link. And a lot of it is social engineering.
__________________
Stijn Vandamme EX911STARGA73EX92477EX94484EX944S8890MPHPINBALLMACHINEAKAEX987C2007 BIMDIESELBMW116D2019 Last edited by svandamme; 01-06-2018 at 12:41 AM.
The Stick
We have Multiple Factor Authentication on our Mail and VPN connections. You go through standard SSL logins which can now be hacked on shared wifi with KRACK. But then you must also do a second authentication using a third device on another network like entering a code that is texted to a phone. The second authentication code changes with every login. So even if your password is monitored and hacked they cannot get in unless they can also monitor your third device that is on another network.
But even so, like Stijn says, YOU are your last line of defense. Think before you click. What that means is make sure anything you open or any link you click is from whom you think it is, even if that means you have to phone a known number and confirm if they sent you the link or file. Now that is even if the file, picture, or link was texted to you. The scary thing is that things have gotten to the point that hackers can get to anything on your computer once they get malware onto your computer and exploit the recently discovered Meltdown and Spectre processor flaws that let them break the application layer boundaries Stijn listed.
__________________
Richard aka "The Stick" 06 Cayenne S Titanium Edition
Gon fix it with me hammer
Well, technically, if they can plant software on the pc, you are already screwed. It's too late then.
And they didn't need Meltdown or Spectre for that. They could simply plant a keylogger and you gave 'em the password yourself. And I would rephrase that: the end user is the first line of defence, not the last. It's like having a house with a fancy lock on all doors, an alarm system looking in and outside the house, a surveillance camera system and every bell and whistle known to mankind. And then the home owner leaves the house and forgets to turn it on. Or, and I've seen this happen, he leaves the master code of the system at factory default while he has stickers of the alarm system brand on his door.
__________________
Stijn Vandamme EX911STARGA73EX92477EX94484EX944S8890MPHPINBALLMACHINEAKAEX987C2007 BIMDIESELBMW116D2019 Last edited by svandamme; 01-06-2018 at 04:25 AM.
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 55,905
As stated, the user is the first line of defense.
There are things you can do that can make your experience more secure, but even then, there are ways around almost any of it. If you have a VPN, that's great. If someone does not have access to your computer, and only has access to see the stream of traffic leaving your PC, then being on a VPN will help. But, if that person is on a shared network with you, then they may not care about the data in your VPN. Then they may be looking to just access your computer directly, which would have nothing to do with your traffic through the VPN if you have an open/listening port that they can manage to connect to. You can harden your OS, even Windows can have the security cranked up. Windows by default comes with various services enabled (granted, it's much better than it used to be). You can probably find a document online with advice on how to disable unnecessary services and that sort of thing to improve security.
__________________
Steve '08 Boxster RS60 Spyder #0099/1960 - never named a car before, but this is Charlotte. '88 targa
The Unsettler
Plenty of great contributions already so rather than rehash I'll throw a nod out there for NordVPN.
Great product and cheap, current deal is 2 years for $3.29 a month.
__________________
"I want my two dollars" "Goodbye and thanks for the fish" "Proud Member and Supporter of the YWL" "Brandon Won" |
Registered
Turn it off.
__________________
-The Mikester I heart Boobies
It'll be legen-waitforit
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 6,976
Yes, first don’t use a shared WiFi network, but if you have to, use a VPN. I have a tablet I use for testing and I frequently MiTM shared wifi to show people. I can also in real time decrypt and encrypt SSL so even secure web sites are easily spoofed.
That guy next to you at Starbucks with a tablet may just be me
__________________
Bob James 06 Cayman S - Money Penny 18 Macan GTS Gone: 79 911SC, 83 944, 05 Cayenne Turbo, 10 Panamera Turbo
The Stick
Use personal hot spot on my phone and not public wifi.
By saying you are the last line of defense also means don't forego using all other means of defense as well, but do not depend on them protecting you.
__________________
Richard aka "The Stick" 06 Cayenne S Titanium Edition Last edited by RKDinOKC; 01-06-2018 at 01:26 PM.
Gon fix it with me hammer
If you can do it on shared Wifi, then I reckon any other Wifi is just as unsafe to you.
__________________
Stijn Vandamme EX911STARGA73EX92477EX94484EX944S8890MPHPINBALLMACHINEAKAEX987C2007 BIMDIESELBMW116D2019
Registered
So

- VPN
- Firewall
- Close ports, no sharing
- Don't click on sketchy stuff

Or

- Use cellular hotspot
__________________
1989 3.2 Carrera coupe; 1988 Westy Vanagon, Zetec; 1986 E28 M30; 1994 W124; 2004 S211 What? Uh . . . “he” and “him”?
The Stick
Using a cell hot spot you can still get yourself malware by clicking. You just don't have to worry about the free wifi hacks.
__________________
Richard aka "The Stick" 06 Cayenne S Titanium Edition