This post first appeared on LinkedIn, published by Dan Weis, Head of Security and Lead Penetration Tester, Kiandra IT
I often get asked at conferences about personal security when traveling, and whether or not you should use other WiFi networks (NO!!).
So I thought it was timely to pull together a quick post as I will be going on a very long overdue vacation shortly (overseas) and I need to set up the basics for all members of the family.
The basic rules you need to always remember:
– All public/open WiFi is insecure: there is no encryption on the air, so anyone in range can read what goes over it
– What about hotel WiFi? It has a password… nope, same deal – stay away! That password is shared with every other guest, and anyone who has it can decrypt other guests' traffic on the same network, so it protects you from nobody who matters
– Anything you send across these networks that is not itself encrypted (plain HTTP, a lot of apps' background traffic) can be read, and even on HTTPS sites the network operator can still see which hosts you talk to and tamper with your DNS
– Never log into anything requiring credentials (username and password) or sensitive systems such as work resources or networks while on these networks. No internet banking!
– There is no guarantee that a WiFi network really does belong to Maccas, the hotel etc. Anyone can stand up an access point with the same name, and your phone will happily join it
I get it, you have tonnes of photos that you want to upload to Facebook while you’re drinking cocktails by the pool, you also want to check emails from time to time too, well you can — just use a VPN.
I’ve blogged about the use of VPNs many times in the past, but for a refresher…
A VPN is the best single defence against interception of your credentials and sensitive information on someone else's network. You install a piece of software that builds an encrypted tunnel from your device to a server run by the VPN provider, and all of your traffic runs through that tunnel. Anyone on the WiFi between you and that server, including whoever runs the network, sees only encrypted packets heading to the VPN server, so they cannot read or "sniff" the contents. Be clear about what it does and does not do: it takes the local network out of the picture, but your traffic still leaves the provider's server exactly as you sent it, so for any site that isn't using HTTPS you are now trusting the VPN provider instead of the hotel or the café.
Here is my 2 minute Visio diagram to explain it.
When you connect to “Free Public Wifi” which is being run by an attacker and you do not use a VPN, this is what happens:
– You go to log in, and your credentials go out over the attacker's WiFi network
– The attacker is sitting in the middle (a MitM, Man-in-the-Middle, attack) and is sniffing (collecting) everything that crosses that network, including credentials
– The attacker harvests the data and passes your login on to the real service (Gmail or whatever you were logging into), so the login works and you notice nothing
But by using a VPN, the same data is encrypted before it leaves your device and runs through the tunnel, so all the attacker sees is encrypted traffic to a VPN server. Two things to get right: connect the VPN before you open anything, and if your client has an option to block traffic when the tunnel drops, turn it on, because the moment the tunnel disconnects you are back on the open network.
I personally use ProtonVPN. It's a great solution and is available here: https://protonvpn.com/. It provides the best level of protection from snooping by both attackers and other tracking services.
Another good solution is Freedome, it’s a nice easy to use solution and is literally one button for VPN on or off. You can get it here: https://www.f-secure.com/en_GB/web/home_gb/freedome
You install the app, then choose on or off! Couldn’t be easier!
But I use ProtonVPN as it allows me to choose my VPN location and utilise Tor. It can also be utilised on a larger number of platforms. You can get it here: https://protonvpn.com/
The rest of this article will be based upon ProtonVPN’s solution.
The Windows client for ProtonVPN is self-explanatory, install the software, login, select an endpoint and choose to connect.
For Android they are still building the client, but here is how you set it up.
Download OpenVPN for Android from the Play store: https://play.google.com/store/apps/details?id=de.blinkt.openvpn
You now need to download the VPN config file. Log into your account on ProtonVPN. Go to Downloads and select Android as your platform, UDP as the protocol and download the file for whichever location you want (or have available).
For my connection I’m going to use a secure core connection via Australia.
Save the VPN file.
You need to get this file to your Android device. You can email it to yourself or connect your phone and upload it via USB.
Next open the OpenVPN App. Select Import.
Select your file:
Then select Save:
Select your VPN connection, select OK when you see the connection request prompt below:
You will now be prompted for your credentials:
You can get these via the Account section of the ProtonVPN portal. They are separate from the username and password you use to log into the portal itself:
You will see a connection success message and the little key in the status bar:
Do your thing! Upload those photos to Facey, check your emails: you're now protected from whoever else is on that network. 🙂 Keep an eye on the little key icon; if it disappears, the tunnel has dropped and you are back on the open WiFi.
When you are done you just select the connection:
And choose Disconnect:
That’s all there is to it. The process may look long but it will only take you five minutes tops. A minimal amount of time to spend to prevent your sensitive information from being harvested.
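One check worth doing before you import the profile. An .ovpn file is just a list of directives, and a profile from an untrusted source can do more than point you at a server: it can leave out the server certificate check, pick an obsolete cipher, store your credentials in a plain file, or tell OpenVPN to run a command on your device. The script below is an added example, not ProtonVPN's or the OpenVPN project's code. It parses a profile and lists anything a practitioner would object to. The two profiles in it are constructed for the demo (placeholder certificate bodies, documentation addresses) and are not real provider files; run the checker over the file you actually downloaded before copying it to the phone.

```python
"""Sanity-check an OpenVPN client profile (.ovpn) before importing it.

Added example; the profiles below are constructed for the demo, not real provider files.
"""
import re

# Directives that make OpenVPN run external programs. A profile from an
# untrusted source with any of these executes code on your device.
SCRIPT_DIRECTIVES = {"up", "down", "route-up", "route-pre-down", "ipchange",
                     "tls-verify", "script-security", "plugin"}
WEAK_CIPHERS = {"bf-cbc", "des-cbc", "des-ede-cbc", "des-ede3-cbc",
                "rc2-cbc", "rc2-40-cbc", "rc2-64-cbc", "none"}
WEAK_AUTH = {"md5", "sha1", "none"}


def parse_profile(text):
    """Return a list of (directive, [args]). Inline key blocks such as
    <ca>...</ca> are reduced to (tag, ["<inline>"]) so the checks can see the
    block is present without handling the PEM body."""
    entries = []
    inline_tag = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag is not None:
            if line == "</%s>" % inline_tag:
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            inline_tag = m.group(1)
            entries.append((inline_tag, ["<inline>"]))
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def check_profile(text):
    """Return a list of (severity, message); an empty list means nothing to object to."""
    have = {}
    for name, args in parse_profile(text):
        have.setdefault(name, []).append(args)
    findings = []
    if "client" not in have and "tls-client" not in have:
        findings.append(("error", "not a client profile (no 'client' or 'tls-client')"))
    if not have.get("remote"):
        findings.append(("error", "no 'remote' line: nothing to connect to"))
    if "ca" not in have:
        findings.append(("error", "no CA certificate, so the server cannot be authenticated"))
    if ["server"] not in have.get("remote-cert-tls", []):
        findings.append(("error", "missing 'remote-cert-tls server': any certificate from "
                                  "the same CA (e.g. another client) could impersonate the server"))
    if "tls-auth" not in have and "tls-crypt" not in have:
        findings.append(("warn", "no tls-auth/tls-crypt: control channel lacks the extra HMAC key"))
    ciphers = [a[0].lower() for a in have.get("cipher", []) if a]
    if any(c in WEAK_CIPHERS for c in ciphers):
        findings.append(("error", "weak data cipher: %s" % ", ".join(ciphers)))
    elif not ciphers and "data-ciphers" not in have and "ncp-ciphers" not in have:
        findings.append(("warn", "no cipher directive; older clients fall back to BF-CBC"))
    hmacs = [a[0].lower() for a in have.get("auth", []) if a]
    if any(h in WEAK_AUTH for h in hmacs):
        findings.append(("warn", "weak HMAC: %s" % ", ".join(hmacs)))
    elif not hmacs:
        findings.append(("warn", "no 'auth' directive; default HMAC is SHA1"))
    for name in sorted(SCRIPT_DIRECTIVES & set(have)):
        findings.append(("error", "'%s' lets the profile run external commands: %s"
                                  % (name, " ".join(have[name][0]))))
    for args in have.get("auth-user-pass", []):
        if args:  # a file argument means the password sits in plaintext on disk
            findings.append(("warn", "credentials stored in plaintext file %s" % args[0]))
    return findings


def is_acceptable(text):
    """True when the profile has no error-level findings."""
    return not any(sev == "error" for sev, _ in check_profile(text))


# Constructed profiles for the demo. Certificate bodies are placeholders and
# the addresses are documentation ranges; neither is a real provider file.
GOOD_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
auth-user-pass
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
<ca>
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
placeholder-not-a-real-key
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

BAD_PROFILE = """\
# "Free WiFi" profile somebody sent you; note what it asks the client to do.
client
dev tun
proto tcp
remote 192.0.2.10 443
auth-user-pass creds.txt
cipher BF-CBC
script-security 2
up /tmp/helper.sh
<ca>
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for label, prof in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, "acceptable" if is_acceptable(prof) else "REJECT")
        for sev, msg in check_profile(prof):
            print("  [%s] %s" % (sev, msg))
```

The good profile comes back clean; the bad one is rejected for the missing server certificate check, the Blowfish cipher and the two directives that run a script, with warnings for the plaintext credential file and the missing control-channel key. Note that the check only looks at what the file asks for; it cannot tell you whether the CA inside it belongs to the provider you think you are connecting to, which is why the profile should come from the provider's own portal rather than from anywhere else.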
If you are using an iPhone, ProtonVPN have install instructions on their website https://protonvpn.com/support/ios-vpn-setup/.
Make sure you have a day pass
Obviously, if you are traveling overseas you will need to enable roaming before you go (if you plan on making or receiving calls). Telstra call this ‘International Day Pass’ and it will set you back between $5 and $10 per day, which is way cheaper than roaming call rates. You can access it here: https://www.telstra.com.au/international-roaming/mobiles-on-a-plan#app, or via the Telstra App:
Where possible always use a WiFi network belonging to the hotel or which requires authentication rather than an open network, but ALWAYS, ALWAYS use a VPN over these networks.
Internet cafes pose the same network risks, and on top of that the computer itself is not yours: you usually don't have the option to install or use a VPN, and a VPN only protects the network leg anyway, not whatever software is already running on that machine. I would suggest you avoid these entirely.
Most of all enjoy your trip and stay safe while doing so!