In the second of our series of “Back to Basics” articles, adapted from the Cybersecurity for Lawyers wiki he has recently started, Neil Brown gives some practical tips on using wi-fi when out and about and setting it up in-house.
Using public Wi-Fi
It can often be convenient to connect to public Wi-Fi. But bear in mind that you are connecting to a fundamentally untrusted third party network.
Provide fake details where you can
You'll often be asked for your title, name, and possibly even your address or other irrelevant information.
If you can get away with giving fake details (i.e. you can be comfortable that you are not committing an offence, such as fraud), it might be sensible to do so.
(Alternatively, you could read their terms of service, and their privacy notice, but there's no guarantee that they actually do what they say they do. You're probably better off protecting yourself rather than relying on them anyway.)
If you have to give an email address, use a unique one
If you need to sign up with an email address, use a unique email address for that service.
Don't let your devices join public Wi-Fi networks automatically
Even if the connection is encrypted, you cannot be sure that it is a “genuine” access point and not one run by a rogue third party. Anyone can set the broadcast name of a Wi-Fi network — what is known as the SSID — to anything they like.
So even if you see a network called “Starbucks”, for example, it might not be operated by Starbucks. It could just be someone sitting with a device in their bag, pretending to be the Starbucks network, trying to capture the traffic you send across their network.
If you permit your device to connect automatically to known networks, it may connect to a rogue network and start sending data over to an unknown third party before you even realise it.
When you join a network, your operating system may prompt you to say if you want to “remember” the network or join it automatically in future. If it doesn't prompt you, you may need to go into your computer's settings and tell it not to connect automatically.
For example, in macOS, you need to untick the box “Automatically join this network”.
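As an added illustration of why a remembered name alone is not enough, here is a small auto-join policy check (example code written for this article, not part of the wiki or any operating system). It assumes constructed scan records carrying the SSID, the access point's hardware address (BSSID) and the security type, and refuses to join when any access point using the saved name is unknown, open, or advertises a different security type from the one originally saved.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    """One access point as seen in a Wi-Fi scan (constructed sample data)."""
    ssid: str       # broadcast name: anyone can set this to anything
    bssid: str      # hardware address of the access point
    security: str   # "open", "wpa2" or "wpa3"


@dataclass(frozen=True)
class SavedProfile:
    """What the device remembered when the user first joined the network."""
    ssid: str
    known_bssids: frozenset   # access points seen at the time of the first join
    security: str


def auto_join_decision(profile, scan):
    """Return (join, reason). Join only when every access point using the saved
    name matches the saved profile, not merely one that copies its name."""
    candidates = [n for n in scan if n.ssid == profile.ssid]
    if not candidates:
        return False, "network not in range"
    # An open network offers no way to tell a genuine access point from a copy.
    if profile.security == "open":
        return False, "saved profile is an open network; never auto-join"
    for n in candidates:
        if n.security != profile.security:
            return False, (f"{n.bssid} advertises {n.security}, "
                           f"saved profile expects {profile.security}")
    unknown = [n.bssid for n in candidates if n.bssid not in profile.known_bssids]
    if unknown:
        return False, "unknown access point(s) using this name: " + ", ".join(unknown)
    return True, "all access points match the saved profile"


if __name__ == "__main__":
    # Constructed example: the office network plus a look-alike open access point.
    office = SavedProfile("Office", frozenset({"aa:bb:cc:00:00:01"}), "wpa2")
    scan = [Network("Office", "aa:bb:cc:00:00:01", "wpa2"),
            Network("Office", "de:ad:be:ef:00:01", "open")]
    print(auto_join_decision(office, scan))
```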
Run a VPN over the connection, as soon as you can
If you do want to use the Wi-Fi, run a VPN session over it. Or you could use Tor.
Some Wi-Fi networks block VPNs and some block Tor. In those cases, don't use that Wi-Fi network — why would you want to trust a network which is trying to stop you operating securely? Consider tethering instead (see below).
Wi-Fi which requires a login may not work if you use a VPN
Wi-Fi which requires a login page (a “captive portal”) may not work if your VPN is attempting to connect automatically. Typically, a captive portal requires you to connect to it without going through your VPN, as you need to connect to their login page directly.
If you need to communicate with a “captive portal” without connecting to the VPN, that gives an opportunity for a malicious actor to acquire information from your device, or see where your device is trying to send traffic.
The best approach is to avoid these hotspots.
Connect using your phone instead
If you trust the Wi-Fi network less than you trust your mobile network operator, you may be better off connecting your computer to the Internet via your phone's data plan. This is commonly known as “tethering”.
You might want to run a VPN, or use Tor, over the top of your mobile connection anyway.
You can normally tether via a USB cable, or else over Wi-Fi or Bluetooth. Using Wi-Fi or Bluetooth has the advantage that you can leave your phone in your pocket, but it comes at the cost of draining your phone's battery more quickly. Connecting via a cable is usually more reliable, but may drain your computer's battery more quickly, as it is probably charging your phone too.
Tethering on iOS
If you use an iPhone or iPad, rather than calling it “tethering”, Apple calls it “Personal Hotspot”. By default, this is turned off, but you can enable it in Settings / Personal Hotspot.
Your office Wi-Fi
Make sure it is encrypted and not open
When you set up a Wi-Fi access point, you will be prompted to set the security you want in place.
Avoid “open” or “WEP”. If you have equipment which only works on WEP, upgrade it, because WEP is no longer effective and can be trivially broken. If nothing you own forces you to keep WEP but you are still using it, make a plan to move to WPA very soon.
For a small firm, “WPA Personal” is easy to administer, but you will need to change the Wi-Fi password when someone leaves, to prevent them from connecting to your network.
For larger organisations, “WPA Enterprise” is more likely to be suitable, but it requires a higher degree of IT knowledge to set it up.
Change all default passwords
If your network equipment comes with default passwords, make sure you have changed them.
If someone is able to access your Wi-Fi equipment, or your router, they could easily control the traffic on your network.
Disable access from the Internet
Unless you specifically need it (for example, because you plan on administering it when you are outside its local networks, or if you need to do so to enable remote backups of your router’s configuration — in which case, set it up securely), disable access to your Wi-Fi equipment / router from the Internet.
Use a firewall
Firewalls are devices (or software applications) that control what traffic is allowed to move between networks according to rules you set — for example, between the Internet and your office network.
Most consumer-grade routers do not have a firewall and rely instead on something called “network address translation”. While this can have an effect a bit like a firewall, consider investing in a router with proper firewalling software. Pay someone to set it up securely for you if you are not confident doing it yourself.
For example, a FireBrick is an affordable, versatile network appliance, which incorporates a firewall and a tool for checking your firewall rules.
Make sure someone in the firm has the admin usernames and passwords, or admin access
Especially if you outsource your IT support, make sure someone in the firm has either a copy of all the usernames and passwords, or else admin access, and other information necessary to configure and control your Wi-Fi (and other elements of your firm's IT, for that matter).
You do not want to find that, if your IT support provider ceases to support you, you are unable to manage your network.
Have a means of preventing former staff from connecting to your network
If you have “enterprise grade” Wi-Fi equipment, you are probably authenticating users to your network by unique usernames and passwords, which can be readily revoked.
If, however, you are using consumer-grade equipment, and are using a common password for access to your Wi-Fi network, you'll need to think about how you deal with someone who leaves the firm: how do you make sure that they cannot continue to access your network? This might entail changing the network password and distributing the new password to all remaining members of staff.
Only offer secure guest access
Offering guests — including clients — access to Wi-Fi may be nice and perhaps even expected.
Only let guests connect to a network which is segregated (logically or physically) from your office network.
If you cannot do this securely, you are better off not offering it at all.
The same rule applies to employees connecting their own devices: do it securely or ask them to use their own mobile phone connections.