Active breach detection is the only way to protect your network beyond the firewall.

Paul Kraus


Five Online Technologies That Seem Secure – But Aren’t

Common User Safety Assumptions Hackers Exploit

In the security game, user complacency can be dangerous, especially when it comes to trusting our internet connection. This article highlights five online technologies that seem secure but aren't, and explains why.

Trust. We do it all the time. We trust people not to run red lights, and we trust that our internet connection will be operational enough to stream the latest Netflix series. As ongoing IRS breaches and banking breaches prove, however, not everything that is supposed to be safe actually lives up to that promise.

A lot of people work hard to keep the Internet secure. But many others work even harder to find ways to exploit the system's weaknesses. This high-tech game of cat and mouse can have real consequences for the average user. Putting faith in professionals when it comes to safety is necessary for most of us, but being aware of potential risks can really pay off.

The Security Game

By now, most people are at least peripherally aware of the dangers of clicking on links in emails and downloading attachments - though they may still click away with abandon - but it's a completely different game when trusted technologies fail to keep users safe. While IT can train employees to be aware of these more surface-level attacks, there are some threats that flank traditional user weaknesses and go after the core of our trusted security protocols.

Here are five technologies that most of us assume are safe, but that hackers exploit to gain access, wreak havoc, and exfiltrate data.

Secure Sockets Layer. If you take a look at the address bar in your browser, you may notice an "https" and a little green lock icon that indicates everything you do on that site is safe and secure. SSL is a long-trusted technology that we've become accustomed to seeing when we hand over credit card information or do some online banking. This is the gold standard for the average Web user.

However, the older a technology gets the more time hackers have to poke and prod and examine it for cracks. SSL is the perfect example. While developers hurry to seal the cracks as they appear, exploits can keep security holes open in places we are assured are locked safe. In the instance of the Heartbleed bug, for example, security depends on end-users, IT departments and even consumers to perform security upgrades. More often than not, these upgrades do not occur. Months after Heartbleed made headlines, hundreds of thousands of servers still had the vulnerability.

Many people also still think that the "little green lock" means that the site is hosted by a legitimate source - wrong. Anyone can get a valid certificate, secure the communication channel, and transmit malware - for free. You no longer have to spend thousands of dollars to get a valid certificate. Just Google "adding ssl to your website for free" and you will see what we are talking about.

Mobile Hotspots. Coffee shops and airports are cesspools when it comes to insecure wifi connections. Nonetheless, people connect their laptops and phones, often automatically, to any available wifi networks. Credit card numbers, personal data, and passwords can be scavenged by even the least savvy hacker. Certainly, as long as we turn off auto-connect and rely on our own, trusted mobile hotspots, we are safe, right? Not so much.

Go ahead, Google it. There are lists of ways for people to hack wifi and simply grab data out of the air - even with little technical know-how. Some mobile hotspots use MAC addresses or other publicly accessible information as the default password, making compromising the connection as simple as examining the data provided in the wifi signal. To protect yourself, you should turn off wifi auto-connect and change default passwords on mobile hotspots before trusting them.

WPA/WPA2. You know enough not to connect to those open networks now, so surely you can feel safe connecting to that WPA/WPA2 protected network, right? Perhaps not.

Brute force password crackers can quickly run through millions and millions of passwords to compromise a weak password. WPA and WPA2 allow for up to 63 characters - and you might consider using more of those characters. Though strong passwords are a good start, there is still the issue of the WPS PIN on your router that allows users to bypass WPA and WPA2 passwords completely by downloading a tool written and made available by hackers. If you can, consider taking an extra step and disabling WPS to ensure that your WPA/WPA2 network is as safe as you first assumed.

Virtual Private Networks. If all else fails, a VPN should keep you safe. Hacking a VPN is extremely difficult and should take care of even the most open wifi connection. The problem is, security goes out the window if the threat is already inside. Sloppy configuration, no penetration testing, and failure to keep devices and servers virus-free are invitations for infiltration. To increase safety, make sure your VPN has 256-bit encryption and a kill switch that shuts down the internet connection if the VPN fails.

Email. With email programs that automatically scan attachments and links, our fear around email security may have been replaced with complacency, but newer, more sophisticated attacks have raised the stakes.

Spearphishing, for example, takes readily available personal information from the web and uses it to create seemingly authentic emails that look like they're from your bank, your boss, or even your relatives and friends. Click on a link in one of these seemingly harmless emails and you may end up giving even more personal information to hackers - passwords, account numbers, and social security numbers. To protect yourself, if you get an email from your bank or other institution, don't just click. Be critical and pay close attention for clues (such as a similar but not identical URL). Call the institution or open up your web browser and manually enter the web address to check your account, rather than simply clicking on the included link.
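The "similar but not identical URL" clue can also be checked mechanically before a link is opened. The sketch below is an added example, not part of the original article; the trusted domains, the substitution table and the distance threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list; a real one would hold the institutions you actually use.
TRUSTED = {"examplebank.com", "example-payroll.com"}

# Assumed table of common look-alike substitutions (digits for letters, dropped hyphens).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def registered_domain(host):
    # Assumption: two-label registered domains; production code should
    # consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_link(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unknown' for the host a URL really points to."""
    # urlsplit().hostname ignores any "user@" prefix, so text placed before
    # an "@" in the link cannot pass itself off as the host.
    host = urlsplit(url).hostname or ""
    domain = registered_domain(host)
    if domain in trusted:
        return "trusted"
    skeleton = domain.translate(CONFUSABLES)
    for good in trusted:
        near_miss = edit_distance(skeleton, good.translate(CONFUSABLES)) <= 2  # assumed threshold
        embedded = good.split(".")[0] in host  # trusted name used as a subdomain or prefix
        if near_miss or embedded:
            return "lookalike"
    return "unknown"
```

A "lookalike" verdict is a cue to stop and contact the institution through a channel you already trust, while "unknown" only means the host is not on your list.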

Security First

More often than not, the convenience offered by the Internet outweighs the concerns we should have. Hackers find their success through persistence, so you need to be persistent too. While users need to be able to trust the security measures put in place, those security measures are only as good as the diligence put into their configuration and implementation. When all else fails - verify before you trust.

More Stories By Paul Kraus

Paul has more than 25 years of experience in security, including VP Engineering at Blue Coat Systems and Solera Networks, and Director of Engineering roles at Adobe, VERITAS and Symantec.

In his current role as President and CEO for Eastwind, Paul is helping define and execute the company’s mission of providing enterprise-grade network security to SMBs.