This is a conversation I find myself having almost every day, and I believe that the message about the dangers of using public or free Wi-Fi isn’t really sinking in. Using these free internet services opens your machine and your organisation to malware, credential theft, data/IP theft, and so much more. I don’t think the benefit of the free internet is worth all the risk it brings with it. To make sure you all understand why, I am going to describe a scenario in which I, as an attacker, could use this situation to my benefit. I may even do two different scenarios, just to drive the message home a little more, so that we can get you all using a safer connection when working outside of your office.
Let’s look at scenario one for the moment. You are a business person flying from London to Manchester. You have done this trip hundreds of times now, as you are a regular traveller, and you are already through security and waiting for your flight to start boarding. It has been delayed for almost an hour, which means you will be cutting it fine for the meeting in Manchester. You intended to work on your presentation for that meeting in your company’s office in Manchester when you arrived, but now you won’t have time to do this, and it is extremely important that you get this pitch right, as this could be a really great customer if you can bring them on board.
You decide that you are going to get your laptop out and do some work on your presentation while you wait for your plane. You get it out and look on your laptop for your presentation, but you have it stored on the company cloud storage, and to save space you don’t sync files to your laptop. Your only option is to connect to the internet and download the file to your laptop; that way you can work on it on the plane as well. You click on the Wi-Fi button on your laptop to turn it on, and a list of available networks comes up. One of them is “London Free Wi-Fi”, so you click on that network and select connect (that was mistake one).
Now you open up a web browser, connect to the web portal for your company cloud storage, enter your corporate login details and download your files (mistake number two). Since you now have the file, you decide to check whether last week’s expenses claim has been paid, and you log into your bank account. You have a look through the details and then log out of your bank account (that was mistake number three). You then hear over the PA that the flight is delayed for another 30 minutes, so you open up your presentation and make a few simple changes until you are happy with the final result.
Since you no longer need to make any changes, you decide that you will re-upload the file to the cloud storage (mistake number four) and then grab yourself a coffee. You do, and sit back to enjoy it, and by the time you have finished, your plane starts to board. You pick up your carry-on luggage and board the plane to Manchester. None the wiser as to what happened while you were in the air, you arrive at Manchester and grab a taxi to the office, but when you arrive at the office something strange occurs. The cab fare is £20, and when you go to pay with your debit card it declines. That can’t be right: you checked before you boarded the plane, and there was almost £1K in your account. You shrug it off, pay with your credit card and make a mental note that you will have to check what happened later, after your first meeting.
You arrive just a few minutes before your potential customers do and get ready for them in the board room. You connect your laptop to the network and open the presentation (mistake number five), then do a quick run-through to make sure you are still happy with the changes you made before you boarded the plane in London, which you are. A few minutes go by, and then the board room phone rings; it’s Janet from reception telling you that your guests have arrived. You go and meet them in reception and then head back into the boardroom with them to start the pitch. Everything is going well until about 30 minutes into the discussions, when suddenly your laptop starts to freeze and misbehave. Then an image comes up on your screen that says “your system and files have now all been encrypted, and you need to reach out to ***** email address to negotiate the cost for decryption of your files” (or something along those lines).
The same message starts to appear across all the machines in the Manchester office, and a few minutes later it spreads across the private VPN between sites, until every device at every site shows the same message. All files are encrypted, with no access. As you would imagine, the meeting was over, and it is likely that they won’t be doing further business with your organisation.
So you can see how quickly this escalated, but did you understand why I flagged each occasion on which the businessman (let’s call him Harold) made a mistake? Let’s look at each occasion and discuss what happened that Harold didn’t know about at the time.
Mistake number one – connecting to the free Wi-Fi. What Harold connected to was actually a network set up by a malicious actor, so that they could collect and capture any traffic that anyone using the network was transmitting. That brings us to mistake number two – Harold then logs into the company cloud storage portal, handing the malicious actor his login credentials for the cloud platform.
Mistake number three – Harold logged into his personal bank account, giving the malicious actor access to the account. If you remember, when Harold tried to pay, his card declined. That is because, while Harold was in the air flying from London to Manchester, the malicious actor transferred all of the money out to an offshore account, then probably moved it another ten times before finally exchanging it for bitcoin, which was then transferred several more times between different bitcoin wallets (you could say that money is gone forever now).
Mistake number four – Harold uploaded his updated file to the company cloud storage. The malicious actor intercepted it and modified it to include a little something extra (ransomware) before sending it onward to the cloud storage using the stolen credentials that Harold had already given them (remember mistake number two).
Mistake number five – Harold connected his machine to the corporate network. He then opened the modified version of his presentation on his machine, which executed the ransomware. As Harold carried on with his regular work, the ransomware started doing its worst in the background, and you know the final result. Everything was encrypted, and it was all possible because of that first step – connecting to the free Wi-Fi at the airport.
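Mistake number four is the one step in Harold's chain that a simple check on his own laptop would have caught: if he had recorded a digest of each file before uploading it and compared the downloaded copy against that record at the Manchester office, the modified presentation would have been flagged before he opened it. The following script is an added example and not code from the original post. It assumes the digest manifest stays on the sender's device (never travelling over the untrusted link), and all file contents are constructed in memory purely for illustration.

```python
"""Integrity manifest check for files that cross an untrusted network.

Added example, not part of the original post. It assumes the sender keeps a
manifest of SHA-256 digests on a device the attacker does not control (here
the sender's own laptop), so a file altered in transit is caught on download.
All file contents are constructed in memory for illustration.
"""
import hashlib
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Record a digest for every file *before* it is uploaded.

    Returns the manifest as JSON so it can be stored locally; the manifest
    must never travel over the same untrusted link as the files.
    """
    entries = {name: {"sha256": sha256_hex(data), "size": len(data)}
               for name, data in files.items()}
    return json.dumps(entries, sort_keys=True)


def verify_against_manifest(manifest_json: str, files: Dict[str, bytes]) -> List[str]:
    """Return the names of files whose content no longer matches the manifest.

    A missing file is also reported, since a download that silently dropped
    a file is as suspicious as one that changed it.
    """
    manifest = json.loads(manifest_json)
    bad: List[str] = []
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None or sha256_hex(data) != expected["sha256"]:
            bad.append(name)
    return sorted(bad)


# --- constructed demo data -------------------------------------------------
# Harold's files as they are on his laptop before upload (constructed bytes).
ORIGINAL_FILES = {
    "pitch.pptx": b"PK\x03\x04 constructed presentation bytes v2",
    "notes.txt": b"talking points for the Manchester meeting",
}

# What comes back from the cloud after the attacker altered the presentation
# in transit (constructed: the appended bytes stand in for whatever was
# injected; notes.txt is untouched).
DOWNLOADED_FILES = {
    "pitch.pptx": ORIGINAL_FILES["pitch.pptx"] + b"<injected payload>",
    "notes.txt": ORIGINAL_FILES["notes.txt"],
}


def demo() -> List[str]:
    """Record digests before upload, then check the downloaded copies."""
    manifest = build_manifest(ORIGINAL_FILES)
    return verify_against_manifest(manifest, DOWNLOADED_FILES)


if __name__ == "__main__":
    tampered = demo()
    if tampered:
        print("Do not open; modified or missing since upload:", ", ".join(tampered))
    else:
        print("All files match the pre-upload manifest.")
```

A plain hash is enough here only because the manifest never leaves the laptop. If the manifest itself had to cross the same network, an attacker who can rewrite the file can rewrite the hash beside it, so in that case the record would need an HMAC under a key the attacker does not hold, or a signature, rather than a bare digest.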
This is obviously a worst-case scenario, but you can see how easily it was carried out. The malicious actor didn’t really have to do much at all to make this happen; Harold basically gave them the keys to the network and said “go for it”, without even knowing that he had done it.
You are probably thinking: okay, great, I get it, the house burnt down and it was all Harold’s fault. Technically, yes, it was Harold’s fault, but that is not the lesson here. Harold should have received awareness training from his organisation, and he should have been made aware that he should NEVER connect to free Wi-Fi. Harold carries a company smartphone that can be used as a Wi-Fi hotspot to share its internet access. Using that is the minimum that should be done. It would have stopped the scenario at mistake one and saved what could have been the best day of Harold’s career.
Obviously, there are some issues with the way the company set up its network that allowed the ransomware to spread right through the organisation, and a lack of good quality antivirus/IDS/IPS that could have stopped or at least minimised the effect, but I want to keep the focus on the free Wi-Fi, because that is the lesson I want you all to learn. That alone could save you from a similar fate to Harold, my poor imaginary businessman.
I want to describe another scenario for you now, just to ensure you really understand the dangers I am trying to bring to your attention if you use free Wi-Fi. Let’s look at a hotel. It could have hundreds of guests staying over a week, and guests expect to have fast internet available when staying, but should you use the free Wi-Fi? NO, never use the free Wi-Fi. Let’s look at the hotel free Wi-Fi for a moment: if you have 30 guests all connected to the Wi-Fi at one time (it will probably be horribly slow, but that isn’t the issue here), as a malicious actor I could do the same thing I described at the airport and simply capture all data on the network.
I could also scan the network and gain access directly to machines on it to steal data, or infect them to spread my malware and expand my access even further. I could go on for probably another ten minutes on ways that this could be used to my advantage, but by now you must have started to understand what I am trying to get across to you all.
Never, ever use free/public Wi-Fi connections; it is not worth the risk. Use your mobile as a hotspot, or buy a mobile connection that can be used outside of the office: anything. Just remember how easily the incident could escalate, and do the right thing here.