The use of public networks is risky. Whether wireless or wired, any public access Internet connection is putting you and your data at risk. It may be convenient to use a hotel, restaurant, or coffee shop Internet link, but the likelihood of attack or compromise is greater than accessing a private network.
When using any network connection, there is always the risk of a wide range of network attacks. These include eavesdropping, on-path or entity-in-the-middle attacks, and DNS abuses, which in turn lead to malware or ransomware infection, being compromised by a rootkit, granting an attacker remote access to a device, being subjected to social engineering attacks, and more.
Any network transmission that is not properly encrypted could provide an attacker with access to your communications. This could include your logon credentials to online accounts, emails, data transfers, and even identity theft-level information harvesting. Keep reading to learn more about different types of attacks.
On-Path Attacks
An on-path or entity-in-the-middle attack is a network abuse where a hacker inserts themselves into a network communication to cause your traffic to traverse the hacker's system rather than head directly to the intended destination. An on-path attack is performed through a resolution attack. The mechanisms your OS and applications use to resolve names and addresses into other names and addresses can be abused.
Whether ARP, DNS, DHCP, or even proxy configurations, your system can be tricked into accepting falsified resolution data so the information you transmit is sent to the hacker's system rather than your intended recipient. The hacker's on-path attack system will often make a copy of this data before forwarding it to the original destination to mask the fact that your traffic is taking a detour rather than a direct route. This type of network attack can be used to perform eavesdropping, alter traffic being sent or received, or to re-direct your communications to a false version of the destination.
DNS Abuses
DNS abuses can also be used in many other contexts where the processes used to resolve a FQDN (fully qualified domain names) into an IP address are manipulated to provide false results. This would cause you to craft communications to the wrong recipient. DNS abuse could be caused by a range of attacks, including:
- Malware infection which alters your local HOSTS file (a static file of DNS records) or alters your DNS server lookup address
- Altered DHCP services which assign alternate DNS server lookup address
- Authoritative DNS server poisoning where the original DNS data is altered causing harm to the entire Internet
- Caching/Secondary DNS server poisoning where a local DNS server has its cached DNS data poisoned so only those systems using the caching/secondary DNS server as its lookup server are affected (such as the DNS server of a company or an ISP)
- DNS spoofing which monitors network traffic for DNS queries then crafts false replies it sends to the client
Beware of False or Rogue Access Points
When using wireless networks, additional attacks and abuses become possible. Any wireless network can be attacked with a DoS using a jamming device or simply transmitting significant invalid messages. At first thought, a wireless network attacked by a DoS seems to be of low risk to you as a client, the issue seems to be that you just can't make a connection. However, if the attacker also operates a false or rogue access point in the same area, you might be fooled into connecting directly to the hacker’s access point since the real one is unavailable.
Rogue access points can take several forms, including:
- Operating a wireless network with the same network name (i.e., SSID) as the valid network, but operate it on a different channel/frequency.
- Using a similar network name or one that seems legitimate, such as adding "fast" or "free" or "VIP" to the correct network name.
- Setting up a wireless network using a network name of a nearby company or organization which doesn't have a wireless network at all.
- Automatically duplicating the parameters of a wireless network based on your client’s re-connect requests (this is known as the evil twin attack).
- Announcing a well-known or common WiFi SSID to which many devices are pre-configured to automatically connect, such as "boingo" or "t-mobile" or "attwifi".
These are just some of the techniques hackers can use to trick you into connecting to their false wireless network. But with all of these methods, you have to select or choose a network from the list on your client.
Keep in mind that while many WiFi networks require authentication and use encryption, those security features are managed and negotiated by the base station. So, even if a valid network requires you to log in and negotiate encryption, a rogue access point will not. Your client will accept whatever connection type, secure or not, that is being offered by a wireless network if that base station is advertising the right SSID and MAC address combination that your device already trusts (i.e., have connected to previously).
These are just some of the types of network attacks and abuses you may be exposed to when using either wired or wireless network connections. In most cases, it is not possible to determine when an attack occurs. My recommendation is to always assume an attack is taking place and take precautions. The primary precaution is to use a VPN.
Use a VPN Whenever You Connect to the Internet
VPNs can be useful and provide a higher level of security when using any type of network connection, whether at home, at work, or while traveling. Generally, a VPN is an encrypted communication tunnel between your system and a remote VPN provider. Using a VPN will effectively eliminate the risk of using any network connection, including public wired and wireless connections. Local attackers will only be able to capture your encrypted traffic (which they can't decipher) or interfere with the communications (i.e., DoS).
A VPN will prevent any attacks other than DoS from causing you any harm. Any on-path attacks will still cause your traffic to traverse the rogue node, but all of the data will be encrypted so the attacker cannot do anything with it.
Also, most VPNs do not rely upon local DNS servers, so any locally focused DNS exploitations would be avoided. If a DNS attack still affected you, it would most likely prevent the VPN from establishing a connection in the first place. Thus, be sure to always confirm your VPN is established before interacting with Internet services and avoid using any Internet link where your VPN does not function or establish a confirmed secure connection.
A VPN does not eliminate all possible Internet use risks. Any attacks originating from online services or sites, such as malicious downloads or abusive scripts, can still cause harm to you over a VPN. Like most security features, a VPN's security benefits are focused on specific concerns. A VPN provides protections against attacks waged locally against the establishment of a connection (i.e., wireless connections) or the initial segments of a connection path (i.e., on-path attacks or DNS abuses).
How to Setup a VPN
Using a VPN requires that you have a VPN client utility and a VPN provider to connect to. That VPN provider could be another system you own and control or can be from a free or paid third-party service provider.
If you are moderately skilled and you believe your home or work Internet service is generally secure, then you can install your own VPN service using solutions based on SSH or OpenVPN. If you want to use a third-party VPN provider, there are many free and paid options. Most of the free options are bandwidth or speed capped or are limited to Web or email only. A free VPN service might provide just enough features or use capacity for your needs. A paid option will often include unlimited throughput and allow any protocol or application to be used.
At Home
The use of a VPN at home can make sense in several situations. If you are sharing a single Internet connection with others, a VPN will keep your traffic isolated from them. If you believe (or know) that your ISP is monitoring your activities, a VPN would prevent that privacy violation. If you are using a wireless connection that you cannot secure (because the ISP controls the device), a VPN can provide the encryption.
Mobile devices, such as smartphones, tablets, and notebook computers can also use VPNs. Apps or utilities can be installed to add VPN connectivity to almost any client device. Plus, many mobile device OSes have native VPN support, you will just need to provide the configuration and credential details.
In a home configuration or a device configuration, the VPN client software will need to be installed on each system that will need to use the VPN. Each individual system will establish its own unique VPN connection to the VPN provider. This type of implementation would result in some devices being VPN protected while the others are not.
If you want all devices on a local network to be protected by a VPN, then an implementation similar to that used by a business could be used (even in a home environment). For this, the VPN anchor point or entrance host is set up on a dedicated device, sometimes called a VPN appliance, gateway, or server. The individual systems on the local network do not need any additional software to use the VPN. Instead, the VPN is simply a secured route that traffic can use if the destination resides on the other side of the VPN. Effectively, the VPN is another available routed path as far as most network devices, servers, and clients are concerned.
At Work
At work, VPNs are often used to connect geographically distant network locations. This allows them to operate as an extended LAN without exposing internal communications to outsiders, not to mention the low cost as compared to a dedicated WAN link.
VPNs can provide secure connections for remote workers or any other form of remote connection. Your employer may allow you to use the company VPN service for your personal devices. However, this will mean that all of your personal activity and traffic will be subjected to the company’s filtering, logging, and monitoring.
Take Action
Now that you know more about using a VPN, you should recognize that this is just a starting point of obtaining security knowledge. There are many other important security concerns that you need to be aware of. Because only with knowledge can you make a change for the better. Everyone has security responsibilities, both for themselves and for their employer. That responsibility starts with knowing more and seeking out the means to gain more knowledge.
One source of additional knowledge is the educational material made available from Global Knowledge. Global Knowledge offers a wealth of online resources such as this article and other online materials. Global Knowledge is also a world leader in training, both live and on-demand courses.
Related Courses