Never use free Wi-Fi
- 13 May, 2019 11:42
This is a conversation I find myself having almost every day and I believe that the message isn’t really sinking in on the dangers of using public or free Wi-Fi. Using these free internet services opens your machine and your organisation to malware, credential theft, data/IP theft and so much more. I don’t think the benefit of the free internet is worth all the risk it brings with it and to ensure that you all understand why I am going to describe a scenario in which I could use this situation to my benefit, I may even do two different scenarios just to drive the message home just a little more so we can get you all using a safer connection when working outside of your office.
Let’s look at scenario one for the moment. You are a business person and you are flying from Brisbane to Melbourne, you have done this trip hundreds of times now as you are a regular traveller to all of the states and you are already through security and are now waiting on your flight to start boarding. It has been delayed for almost an hour which is going to mean that you will be cutting it fine for the first meeting you have in Melbourne. You intended to work on your presentation for that meeting in your company’s office in Melbourne when you arrived but now you won’t have time to do this and it is extremely important that you get this pitch right as this could be a really great customer if you can bring them onboard.
You decide that you are going to get your laptop out and do some work on your presentation while you wait for your plane. You get it out and look on your laptop for your presentation, but you have it stored on the company cloud storage and to save storage you don’t sync files to your laptop. Your only option is to connect to the internet and download the file to your laptop, that way you can easily work on it on the plane as well. You click on the wifi button on your laptop to turn it on and you get some available options come up, one of them is “Brisbane Airport Free Wi-Fi” so you click on the available network and select connect (That was mistake one).
Now you open up a web browser and attempt to connect to the web portal for your company cloud storage, enter your corporate login details and download your files (Mistake number two). You then decide that since you have the file that you will just check if you had been paid your expenses claims for last week and logged into your bank account. You have a look through the details and then log out of your bank account (that was mistake number three). You then hear over the PA that the flight is delayed for another 30 minutes so you open up your presentation and make a few simple changes until you are happy with the final result.
Since you no longer need to make any changes you decide that you will re-upload the file to the cloud storage (Mistake number four) and then grab yourself a coffee. You do and sit back to enjoy it and by the time you have finished, your plane starts to board. You pick up your carry-on luggage and board the plane to Melbourne. None the wiser as to what is happening while you were in the air, you arrive at Melbourne and grab a taxi to the office but when you arrive at the office something strange occurs. The cab fare is $43 dollars and when you go to pay with your EFTPOS card it declines. That can't be right you checked before you boarded the plane and there was almost $20K in your account. You shrug it off and pay with your credit card and make a mental note that you will have to check what happened later after you have your first meeting.
You arrive just a few minutes before your potential customers do and get ready for them in the board room. You connect your laptop up to the network and open the presentation (mistake number five), do a quick run through to make sure you are still happy with the changes you made to it before you boarded the plane in Brisbane which you are. a few minutes go by and then the board room phone rings and its Janet from reception telling you that your guests have arrived. You go and meet them in reception and then head back into the boardroom with them to start the pitch. Everything is going well until about 30 minutes into the discussions when suddenly your laptop starts to freeze and behave badly. Then an image comes up on your screen that says "your system and files have now all be encrypted and you need to reach out to ***** email address to negotiate the cost for decryption of your files" (or something along those lines).
The same message starts to appear across all the machines in the business at the Melbourne office and then a few minutes later starts to spread across the private VPN between sites and all machines across all sites have the same message. All files are encrypted with no access. As you would imagine the meeting was over and it’s probably likely that they won’t be doing further business with your organisation.
So, you can see that this issue escalated quickly but did you know why I was indicating on each occasion why the businessman – let's call him Harold made a mistake? Let's look at each occasion and then discuss what happened that Harold didn't know at each point.
Mistake number one – connecting to the free wifi. At this time what Harold connected too, it was actually a connection set up by a malicious actor, so that they could collect and capture any traffic that anyone using the network was transmitting. So that then brings us to mistake no# two – Harold then logs into the corporate network giving the malicious actor login credentials to the cloud platform.
Mistake number three - Harold logged into his personal bank account giving the malicious actor access to the account. If you remember when Harold tried to pay his card declined that’s because why Harold was in the air flying from Brisbane to Melbourne the malicious actor transferred all of the money out into an offshore account and then probably moved it another ten times before finally exchanging it for bitcoins which was also then transferred several more times between different bitcoin wallets (you could say that money is gone forever now).
Mistake number four – Harold uploaded his updated file to the company cloud storage which the malicious actor intercepted and modified to include a little something extra (Ransomware bug) before sending it onward to the cloud storage using the stolen credentials that Harold had already given him (remember mistake number two).
Mistake number five – Harold connected his machine to the corporate network and then executed the modified version of his presentation on his machine, thus executing the virus and as Harold continued on his normal work the ransomware bug has started to do its worst in the background and well you know the final result. Everything was encrypted, and it was all possible because of that first step. Connecting to the free wifi connection at the airport.
This is obviously a worst-case scenario, but you can see how easy it was carried out and the malicious actor didn't really have to do much at all to make this happen, Harold basically gave them keys to the network and said go for it without even knowing that he had done it.
You are probably thinking okay great I get it, the house burnt down, and it was all Harold's fault and technically yes it was Harold's fault but that is not the lesson here. Harold should have received awareness training from his organisation and he should be made aware that he should NEVER connect to free wifi. Harold carries a company smartphone that has the ability to be used as a wifi hotspot and share access to the internet. This is what should be done at a minimum. This will stop the scenario at mistake one and prevent that day which could have been the best day of Harold’s career.
Obviously, there are some issues with the way the company has set up the network that allowed it to spread right through the organisation and a lack of good quality antivirus/IDS/IPS that could have stopped or at least minimised the effect, but I want to leave this at the free wifi, for this is the lesson I want you all to learn. That alone could save you from a similar fate as Harold my poor imaginary businessman.
I want to describe another scenario for you now just to ensure you really understand the dangers I am trying to bring to your attention if you use the free wifi. Let's look at a motel, they could have hundreds of guests stay over a week and guests expect to have fast internet available to them when staying but should you use the free wifi? NO, never use the free. Let's look at the motel free wifi for a moment, if you have 30 guests all connected to the wifi at one time (it will probably be horribly slow but that isn't the issue here), as a malicious actor I could do the same scenario I described in the airport and just capture all data on the network.
I could also scan the network and gain access directly to machines on the network to steal data or infect them to spread my viruses or expand my access even further. I could go on for probably another ten minutes on ways that this could be used to my advantage but by now you must have started to understand what I am trying to get across to you all by now.
Never ever use free/public wifi connections it’s not worth the risk, use your mobile as a hotspot, buy a mobile connection that can be used outside of the office anything. Just remember the ease at which the incident could escalate and do the right thing here.