November 30 2021: In response to burgeoning threats of cyber attacks, a chapter of the Association for Computing Machinery (ACM) created National Computer Security Day, observed every November 30 since 1988 to raise public awareness.
On this occasion, some relevant thoughts and suggestions from tech leaders:
Indrajit Belgundi, Senior Director and General Manager, Client Solutions Group, Dell Technologies, India comments: “With hybrid work becoming the new norm, there’s a strong need for organizations to have a robust security and data protection strategy. In India, nearly 1 in 3 (30%) of employees had to contend with using personal productivity tools for work, found our Remote Work Readiness Index. This leaves a large volume of confidential data across various endpoints vulnerable. At Dell Technologies, we continue to strengthen our focus towards driving tech innovation with security at the forefront. With ProSupport Suite for PCs, IT managers can now automate the way they support employees and optimize PCs. Moreover, Dell’s SafeBIOS mitigates the risk of BIOS tampering with integrated firmware attack detection, thereby allowing IT teams to take early remediation. Moving forward, it is imperative for organizations to equip their employees with the right technology tools and use multi-factor authentication for an additional layer of protection. For devices that contain sensitive data, it is equally important to use end-to-end encryption and invest in endpoint security solutions. It is also crucial for organizations to educate their employees on the best cybersecurity practices to follow while working remotely.”
Don’t fear the Wi-Fi, says Chester Wisniewski, principal research scientist at Sophos
As many parts of the world appear to be finally getting a grip on the pandemic and more people can consider their approach to getting back into the world, we are suddenly out and about much more than before. This inevitably leads to needing internet access as we travel, shop, and socialise again. Almost 10 years after Edward Snowden told us we were being spied upon online, is it finally safe to just “connect”?
We’ve made great progress in improving the baseline of security by making changes behind the scenes to how encryption is implemented to ensure our communications remain private.
Most public WiFi is unencrypted, that is to say anyone within radio range (up to 100 metres or 300 feet) can see the information you send over the connection. This was problematic in the past as it offered many opportunities for spying on or hijacking your communications.
The first requirement for an attacker then is to be within radio range and do one of the following:
Operate an “evil twin” WiFi point with the same name that has a stronger signal that you connect to instead of the real one
Trick you into using the attacker for name lookups (DNS) so they can redirect your requests to fake pages or through proxies
Simply observe your communications to intercept any unprotected data between you and your intended destination
This isn’t too hard, but the physical aspect of this makes it impractical. Attackers must put themselves physically close to their victims, limiting potential victims to people in their immediate area.
Next, attackers need to predict which sites their victims might want to visit and whether these sites are protected by HSTS. If they are, attackers will be unable to intercept the traffic without convincing a certificate authority to issue them a valid one for the protected domain.
Of course, attackers could just snoop on unencrypted traffic and hope for the best. As my research showed, less than approximately 5% of connections are unencrypted and the vast majority of those are marketing and ad trackers. None of the most popular destinations that lacked encryption accepted usernames and passwords, making this observation of limited use to criminals.
WiFi-based attacks are a very low-yield crime with a very high likelihood of arrest if cybercriminals are detected. If there is anything I have learned over the years, it is that criminals are usually lazy and reach for the lowest hanging fruit. The risk of attacks like this will vary though, based on your risk profile. More on that later.
Encrypted websites aren’t immune to being hijacked though. A website that doesn’t utilise HSTS can be “downgraded” by an adversary to use an unencrypted connection allowing them to tamper with or intercept your information. In my research this was most of the sites surveyed; 61.03%. That sounds scary, but remember they need to be nearby and either target specific destinations ahead of time or downgrade only the sites without HSTS to HTTP, a difficult, if not impossible feat. None of the sites without HSTS protection were in categories where the types of information criminals often value are transmitted. This includes social media, web-based email providers, office applications, financial institutions, or dating sites.
Risk level for most people
So where does that leave us? In two words? Largely safe. Everything most of us use from our mobiles or while traveling on our laptops in public places is protected at a level that is incredibly hard to compromise.
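Whether a site falls into the "protected by HSTS" group discussed above can be decided from its response headers. The following is an added example, not part of the original article or the research it cites: it applies the RFC 6797 processing rules to constructed sample responses, and the function names and sample data are hypothetical.

```python
import re

# Simplified RFC 6797 directive grammar: a name, optionally "=" token or quoted-string.
_DIRECTIVE = re.compile(r'^([^\s=;"]+)(?:\s*=\s*("[^"]*"|[^\s;"=]+))?$')

def parse_hsts(header_value):
    """Return the HSTS policy as a dict, or None if the header is invalid."""
    policy = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are permitted
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name, value = m.group(1).lower(), m.group(2)  # names are case-insensitive
        if name in policy:
            return None  # each directive may appear only once
        policy[name] = value.strip('"') if value else True
    max_age = policy.get("max-age")
    if not (isinstance(max_age, str) and max_age.isascii() and max_age.isdigit()):
        return None  # max-age is required and must be a count of seconds
    policy["max-age"] = int(max_age)
    return policy

def downgrade_protected(scheme, headers):
    """True if a browser would pin this host to HTTPS after this response."""
    if scheme != "https":
        return False  # the header is ignored on plain HTTP responses
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    policy = parse_hsts(values[0]) if values else None  # only the first field counts
    return policy is not None and policy["max-age"] > 0  # max-age=0 deletes the policy

# Constructed sample responses (not measurements from the article).
SAMPLES = {
    "good": ("https", [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]),
    "quoted": ("https", [("strict-transport-security", 'max-age="86400"')]),
    "no-header": ("https", [("Content-Type", "text/html")]),
    "over-http": ("http", [("Strict-Transport-Security", "max-age=31536000")]),
    "expired": ("https", [("Strict-Transport-Security", "max-age=0")]),
    "duplicate": ("https", [("Strict-Transport-Security", "max-age=1; max-age=2")]),
}

def audit(samples=SAMPLES):
    return {name: downgrade_protected(s, h) for name, (s, h) in samples.items()}

if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{name:10} {'HSTS active' if ok else 'no HSTS policy set'}")
```

A policy learned this way only applies to visits after the first HTTPS response, unless the host is also on a browser preload list.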