Sophos (a large IT security company) recently conducted a survey of 560 people. 54% of them admitted to using someone else’s wireless network without permission. That’s more than half the respondents. Why should you care?
If you have a wireless network that isn’t well secured then:
- Someone could be using your internet account and incurring expenses (or pushing you over a capped limit and effectively slowing down your connection)
- Someone could be illegally downloading copyrighted content (such as using a file sharing program to download commercial movies – it’s illegal and you’re liable for providing the connection)
- Someone could be using your internet connection to commit online crimes (just read the posts on this site to get an idea of how common this is).
- It lets anyone within range bypass your firewall, making your computers and other wireless devices vulnerable. This is especially important if you have wireless in an office environment
- It’s easier for someone to install spyware on your computer, making activities like online banking very dangerous
The most important reason of these is how easy it makes it for someone to use your network to commit crimes. Imagine being involved in a child pornography investigation, or having your internet disconnected because your network was used to send millions of spam emails.
I’ve written before on how to secure a wireless network and if you haven’t done so it’s worth reading through here.
If you’re in the 54% of people who wouldn’t think twice of using someone else’s wireless network without permission then you should know that:
- It’s illegal in a lot of countries (people get arrested for this quite often)
- It’s effectively stealing. It isn’t a victimless crime
- You can’t trust the network you’re using. It’s easy for someone to setup a wireless network in such a was that they can record all the traffic from it. This is one way to eavesdrop on other people’s traffic and to capture passwords
So the message here is to secure your wireless network, and don’t use other people’s wireless networks without permission.
Skype is a popular communication tool allowing people to have voice and video conversations over the internet. And one of its features is how it transports that communications data. Skype first encrypts your data then distributes it using a network of other skype users (using what’s called a peer to peer model).
The encryption is intended to stop random strangers eavesdropping on your conversations. And it seems to be fairly effective from what this article says – the German Federal Police Office have a problem wiretapping Skype calls.
Is this a good thing or a bad thing? Well, it’s a little of both. It gives Skype users a level of security that makes the general public comfortable enough to use it, and stops casual eavesdropping. That’s the good news.
The bad news is that VoIP traffic (phone calls over internet) can be intercepted in other ways. When it becomes too hard to break the encryption, as the German police found, an easier path is to install a trojan on the PC and intercept the voice data before it becomes encrypted. This stuff really happens.
The German federal police office is looking into developing trojans so they can install one on people’s computers they need to listen in on (article here). This is a legal form of spyware (at least in the country it’s used in). Other governments have been using this technique for years and legally it’s not much different to wiretapping a phone. What makes it scary is that antivirus companies have an understanding with law enforcement agencies and some government spyware may go undetected.
This isn’t a problem to most people. And at the end of the day it’s no different to using a house or mobile (cellular) phone.
The message in this article is that you should place the same level of trust in any VoIP phone (such as Skype) as you would with any other phone. It doesn’t offer any additional level of privacy. Law enforcement agencies have been finding ways to listen in, and fairly soon we’ll have spyware that can do the same thing only with less legal intentions.
A common scenario is when someone takes home a notebook from work. The intention is to do work from home for whatever reason.
This could be a serious security risk. Most companies have gone to a lot of trouble to secure their office networks (for example by installing and managing firewalls; though a firewall is not enough to secure a network). In fact some companies have an entire department dedicated to maintaining network security. However most homes don’t have managed firewalls or any of the other network security systems or resources that companies often use. This effectively makes a home network less secure.
The risk is having an outsider gain access to the contents of the notebook. This could be achieved in a number of ways including having a trojan on another PC in the house. The possible damage to businesses can be huge, depending on the importance of the data on the notebook, or the importance of the work being done from home.
Some misconceptions need to be explained:
- All firewalls are the same – this is not true. There are different types of firewalls making some more secure than others. They also need to be patched when the vendor discovers a vulnerability. Some home routers even claim to have firewalls when they don’t (they claim that a NAT feature is effectively a firewall – it isn’t). SPI firewalls are good (Stateful Packet Inspection)
- No one would be interested in hacking into your home network. The internet doesn’t discriminate, every device connected to the internet is at as much risk as every other device
It’s not all bad news though. There are things you can do to protect yourself and your employer.
- The laptop should have an antivirus program installed. It needs to be up to date.
- The laptop would ideally have a “personal firewall” installed. Windows Firewall is not good enough. You need something that not only stops other programs getting into the notebook, it needs to stop unknown programs already on the notebook from getting out to the internet.
- The home router should have its own firewall, or you could use a dedicated firewall device. Ideally the firewall would filter out traffic coming from or going to known sources of malware but this isn’t going to happen at home, it requires a fair bit of maintenance (i.e. it’s expensive)
- Encrypt the hard drive in the notebook. This can protect you if you lose the notebook or it gets stolen (and statistics show this happens often). Whole disk encryption costs money and slows down the notebook a bit but it’s very important.
- Don’t carry all your files on the notebook. Don’t keep all your emails, or your entire client list, etc. Only copy the data you need to get the job done and limit the risk.
- A VPN to your office network can help.
- Don’t connect your notebook to the internet. These days almost everyone needs the internet to do work so this idea might not be very practical
- Don’t use someone else’s wireless network. Not only is this illegal in many countries, you would be sending all your data through a stranger’s network. It’s technically possible for someone to intercept that data, even to manipulate it.
- If you use wireless at all make sure it uses a strong security protocol (WPA or WPA2)
A note about VPNs:
VPN stands for Virtual Private Network. It’s a piece of technology that can be used to join an office network to a home network. Servers and PCs on the networks would behave as if they were sitting in the same location, ignoring the fact there’s some distance inbetween, and ignoring the fact it’s really travelling across the Internet.
A VPN isn’t the be all and end all of security, it’s only a technical solution to a technical problem. You still need firewalls, virus scanners, and a little bit of tech support.
They can be setup to route all traffic to your office network and then you would trust your office network to filter the traffic for you. This is generally good. There are some caveats:
- Activities like internet browsing are slowed down
- Your office network may keep a log of what websites you view from home, when you’re connected to the VPN
- You’re trusting your office’s IT staff not to hack into your home network (it’s technically easier when you establish a VPN)
- It costs your employer money to setup and manage a VPN
- If you have an unreliable internet connection at home it’ll disrupt your work.
Above all find out what your company’s IT policies are and follow them as best you can. If they don’t have one then now’s a good time to suggest one. Working from home doesn’t have to be risky.