Are Free Public Wi-Fi Networks Safe?

You already have plenty on your plate, whether you are implementing and maintaining technology, helping to resolve technical issues or ensuring your company’s data is safe and secure. Now, you can add the proliferation of rogue free public Wi-Fi networks to that list.

Free Wi-Fi connections can be tempting for traveling employees. And hey, you can’t blame them, as one less item on an expense report can make them look better -- especially if your company is tightening its belt. But talking to them about the risks can help protect them -- and you.

How Rogue Free Public Wi-Fi Works
Tech-savvy thieves are taking advantage of users’ thirst for constant connectivity. “The basic idea is someone in the vicinity has created a ‘free Wi-Fi network’ that you connect to, but in doing so, you’re allowing them to tap into your info, access your files and possibly steal your personal identity too,” says Tim Bajarin, president of Creative Strategies, a tech consultancy in Campbell, Calif.

“These ‘rogue’ networks are really individuals who have software to hack into your systems -- and because the majority of people’s laptops are not protected, they’re a lot more susceptible than they think.”

In fact, New York-based independent security consultant Dino A. Dai Zovi says he and a colleague, Shane Macaulay, authored a tool called KARMA to demonstrate the risk of unprotected wireless networks. “KARMA acts as a promiscuous access point that masquerades itself as a wireless network,” explains Dai Zovi. “It makes the victim connect to our rogue wireless network automatically.”

Rogue operators will often craft network names similar to the name of the hotel or the coffee shop where your end user is attempting to connect. One careless click and your data is exposed.
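For the IT side, the lookalike-name trick described above can be checked during a Wi-Fi survey. The following is an added example, not code from the article or from the KARMA authors; the SSIDs, BSSIDs, function names and thresholds are constructed assumptions, and the "many names from one radio" rule is a heuristic for how a promiscuous access point may appear in scan results.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed allowlist: the venue's real SSID -> its known access-point BSSIDs.
KNOWN = {"GrandHotel-Guest": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}

def normalize(ssid):
    """Fold case and drop separators so 'Grand Hotel_Guest' compares equal to 'GrandHotel-Guest'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())

def classify(scan, known=KNOWN, threshold=0.8, max_ssids_per_bssid=3):
    """Return {(ssid, bssid): reason} for networks that look like impersonation.

    scan: iterable of (ssid, bssid) pairs collected by a Wi-Fi survey tool.
    """
    findings = {}
    per_bssid = defaultdict(set)
    for ssid, bssid in scan:
        per_bssid[bssid].add(ssid)
        for real, bssids in known.items():
            if bssid in bssids:
                continue  # one of the venue's own access points
            if ssid == real:
                findings[(ssid, bssid)] = "known SSID from unknown BSSID"
            elif SequenceMatcher(None, normalize(ssid), normalize(real)).ratio() >= threshold:
                findings[(ssid, bssid)] = f"lookalike of {real}"
    # Heuristic (assumption): one radio answering for many unrelated network
    # names is how a promiscuous access point tends to show up in a survey.
    for bssid, ssids in per_bssid.items():
        if len(ssids) > max_ssids_per_bssid:
            for ssid in ssids:
                findings[(ssid, bssid)] = "one BSSID advertising many SSIDs"
    return findings

# Constructed survey data for illustration.
SAMPLE_SCAN = [
    ("GrandHotel-Guest", "aa:bb:cc:00:00:01"),        # legitimate
    ("GrandHotel-Guest", "de:ad:be:ef:00:01"),        # same name, unknown radio
    ("Grand Hotel Guest Free", "de:ad:be:ef:00:02"),  # lookalike name
    ("CoffeeShop", "11:22:33:44:55:66"),              # unrelated network
    ("linksys", "de:ad:be:ef:00:09"),
    ("attwifi", "de:ad:be:ef:00:09"),
    ("HomeNet", "de:ad:be:ef:00:09"),
    ("Airport_Free", "de:ad:be:ef:00:09"),
]

if __name__ == "__main__":
    for (ssid, bssid), reason in classify(SAMPLE_SCAN).items():
        print(f"{ssid!r} [{bssid}]: {reason}")
```
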

Scary stuff. So, what to do?

Tips for Safer Surfing on Free Public Wi-Fi
You’ve got your work cut out for you, and it starts with employee awareness, say the experts. Consider these steps:

  • Avoid free public Wi-Fi. Caution employees to steer clear of freebies. “When I go to a hotel, I make sure they have a wired [Ethernet] connection,” says Bajarin. “And if I want to go wireless on my laptop or other devices in my hotel room, I bring an Airport Express with me,” he adds, referring to Apple’s compact wireless router.
  • Be efficient. If you or your end users can’t avoid a free public Wi-Fi network, “get on, get what you need and get off -- and don’t do any financial things until you’re back at home,” cautions Bajarin.
  • Use a VPN. Only use free public Wi-Fi if you have VPN (Virtual Private Network) access, says Dai Zovi. “Otherwise, everything you do can be easily monitored by anyone nearby.” Citing recent Firesheep attacks, Dai Zovi says that even password-based networks can be attacked by malicious types. Firesheep is an extension for the Firefox browser that can grab your login credentials for sites such as Facebook and Twitter.
  • Give employees your own connection. Another option for mobile workers is to use WAN-enabled laptops, USB sticks with cellular connectivity or to create a mobile hotspot through a smartphone or tablet.
  • Use security software. Make sure all security software is updated regularly, enable firewalls and give employees a means to encrypt sensitive data.

Only through education, secured connections and some common sense can your employees keep personal and professional data safe from cyber-snoopers, waiting to attack through a free public Wi-Fi.

Like this article? Connect with us @ITinsiderOnline


Protect Your Company’s Bank Account

Here's a sobering thought for anyone who has a small business account: If your account gets hacked and thieves break in, you're not going to get your money back.

Unlike consumers, small businesses are on their own. The FDIC does not insure small business bank accounts for cybertheft (although it does insure them for other types of theft up to $100,000).

That's particularly bad news because cybertheft is on the rise. Tom Kellerman, vice president of security awareness for ethical hacking firm Core Security, says falsified wire transfers -- the primary type of small business account hacking -- are up 500 percent in the last two years.

The good news is there are some things you the IT decision-maker can do to lower the odds of a break-in. In particular: 

  • Limit the use of wireless. Kellerman says that wireless is a "very easy access point" for hackers. Best not to use wireless at all, but if you need to, use equipment adhering to the IEEE 802.11i standard.
  • Move away from passwords. Even the best passwords aren't as secure as alternatives like tokens or biometrics. Tokens, which are physical objects like smart cards, are best paired with passwords to prevent fraud. Biometrics, using a fingerprint or voice, are unique to a particular user. (But of course, if you have a Trojan already lodged in your PC, such protection won't offer any help.)
  • Segregate your company’s banking data. Severely limit Web browsing on the PC that connects to your company’s bank account. Anton Chuvakin, principal of Security Warrior Consulting, takes this a step further and suggests that you have one PC on hand that just connects to your bank account and does nothing else. It’s worth it: The price of one PC (under $500) can completely protect your company from having its account hacked.

If Nothing Else, Be Smart
Security analysts say the best thing you can do is educate yourself and any other employees who might access the account on the dangers of phishing scams and Trojans. Since a Trojan causes mischief by lodging itself on your computer, the goal is to not allow that in the first place. So remind users to be extremely cautious about opening any suspicious email, particularly if it's sent over a social network.

Kellerman says that even fairly sophisticated users can be taken in by so-called “spear phishing” attacks, which mimic websites or email addresses of people with whom you do business. So a good way to minimize the risks of such attacks is to limit the number of people and PCs allowed to access banking information. IT’s rep is on the line if data is stolen, so take control of access points. Says Kellerman: “There’s no point in administration privileges if you’re going to have it for a bunch of devices.”


5 Tax Security Strategies for Small Business

When tax time rolls around, it isn’t just CPAs who spring into action. It’s a big time for hackers as well, who bank on sensitive information getting transmitted over the Internet via online filings. And if the hackers are working OT, you know what that means: more work for IT too.

Like everyone else, your company has two options: File taxes yourself or go through a third party. Each choice comes with its own risks, which you can minimize with some foresight and common sense.

Tax Security Tip No. 1: Secure your connection.
If your boss is the do-it-yourself sort, you as the IT brain face the same headaches as the average Joe taxpayer. Is the PC you’re using secure? Are you sending the information over a wireless network? If so, are you using a WPA2 connection or a less secure one?

Jeff Lanza, president of The Lanza Group and an expert on computer security matters, recommends using a wired connection if possible and making sure the PC your company uses to file those taxes has updated security software. “You’re giving up Social Security numbers, birth dates and all sorts of information that can lead to identity theft,” says Lanza.

Tax Security Tip No. 2: Check out the CPA.
Outsourcing your company’s taxes to a third party may seem like a safer option, but Lanza suggests that you play detective first. “If you’re using a CPA, you want to ask how they protect the information and what they do to keep your info secure,” says Lanza. Don’t just leave it to management to select a tax preparer. Explain that you need to ask critical IT security questions.

What kinds of questions? Ask what type of software the tax preparer is using and whether he or she has installed the latest security patches. Examine the firm’s security and privacy policies and find out if the preparer uses SSL encryption. Lanza says emailing data can also be risky, so either go with a secure email service or hand-deliver the information.

Beyond that, Robert Siciliano, a security analyst and consultant, suggests doing a simple background check. “Whenever you’re doing business with anyone, you should know who you’re doing business with,” says Siciliano. “It wouldn’t be a bad idea just to do a quick Google search on them.”

Tax Security Tip No. 3: Go directly to IRS.gov.
No matter who’s filing, the ultimate destination is IRS.gov. Subsequent links from that page should be in the secure “https” format. Caution tax filers about clicking on pages that aren’t secure.

Tax Security Tip No. 4: Warn your unsuspecting end users.
Now is a good time to educate your end users about phishing scams. Tell them about common scams around tax time, like hackers posing as representatives from TurboTax or H&R Block in an effort to get consumers and businesses to give up sensitive information. Another common scam is a warning email purportedly from the IRS. Remind end users that the government will never solicit their sensitive information via email.

By preparing end users, you’re not just protecting their info. If end users click on a malicious link using a company computer, you’ll have the hassle of dealing with the threat to your company’s data.

Tax Security Tip No. 5: Store tax records securely.
After the taxes are completed, the best way to protect your company’s sensitive tax-related information is to take it off the hard drive and put it on an external drive instead. And finally, a few months down the road, take the final, most crucial precaution to make sure you’ve safeguarded data: “Check your credit report,” says Lanza. “You should be doing that on a regular basis anyway.”
