Do As I Say, Not As I Do.
Fooling The Security Pros.
A rogue access point (AP) is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.
To make a point, a firewall supplier installed a rogue AP at the RSA Conference in San Francisco last month in a successful attempt to demonstrate the dangers of open WiFi hotspots at places like airports and Starbucks cafes.
The attempt was successful because in spite of the tens of thousands of the best security professionals on the planet who were in attendance and should have known better, almost 2,500 of them connected to that network anyway.
This particular rogue AP was of the type that broadcast a few common network names that seemed familiar at first glance. The tendency for us mere mortals is to save the network name and automatically connect to it the next time we are in that hotspot area. Surely, actual security professionals wouldn’t do such a thing, would they?
They sure did. And they did so with a variety of devices: smartphones, laptops, tablets, wearables, etc., each broadcasting their particulars to the network and opening themselves up to commonly used exploits like phishing for login credentials or credit card data using bogus splash pages, or snooping on other sensitive data through man-in-the-middle attacks.
But, there was also a second and more remarkable surprise: The number one application these security experts preferred was peer-to-peer file sharing. Tsk, tsk.
Without repeating all of the now obvious dangers of open WiFi use and examining the many free tools available to WiFi hackers these days, it is sufficient to say that setting up a rogue AP is easy and tricking Wi-Fi devices into connecting to it is even easier.
The question is what can you do about it?
- Stop with the laziness. Don’t choose to “save Wi-Fi network” and “automatically reconnect” when joining random and unverified Wi-Fi networks. Unless the network is at your home, office or a trusted location, just say no.
- When using any open Wi-Fi hotspot, always check to see if the website is using HTTPS encryption by looking for the “HTTPS” or a padlock icon in or near the nav bar.
- Make sure that traditional devices like laptops have modern endpoint protection installed.
- Never input login credentials, credit card information, or other sensitive data over any WiFi. Period.
And, if you’re a business that wants to offer or is providing WiFi hotspots, you had better have some solid cyber-security infrastructure in place, including regulatory compliance adherence, because as we are now starting to see with the recent substantial court ruling against Wyndham in favor of the FTC, you now have a critical willful neglect standard against which your security measures will be judged in the future.
Be mindful that security experts have continually warned that open hotspots are not secure, and most of the data transferred is not encrypted. If you continue to provide that kind of access in spite of industry warnings to the contrary, I would guess that would translate easily to willful neglect.
While you definitely don’t want to be the security expert who is hacked because she logged onto an open WiFi network out of laziness, you definitely don’t want to be that other guy either.
Some interesting breaches in the past 30 days:
- KTVT TV reports court records containing sensitive information about tens of thousands of Texans, including children, have been available for anyone to see on the Internet for more than a decade.
- Vidant Health announces it has discovered that an unknown number of employee records at its Duplin, North Carolina, hospital have been compromised by unauthorized access to them by an outside source.
- Magnolia Health in California reports sensitive information about all active employees was compromised when a spreadsheet containing the information was sent to a third party in response to a bogus email from the company's CEO.
- Radiology Regional Center PA announces personal information of an undisclosed number of patients is at risk after its records disposal vendor released the records in Fort Myers, Florida, as they were in transit to be incinerated.
- Kankakee Valley REMC in Indiana announces records for 17,700 members are at risk after an audit discovered a storage device on its network was accessed by a foreign IP address.
- The Associated Press reports an investigation is under way after a data breach resulted in posting to the Internet sensitive information of 3,500 Florida law enforcement officials. The information was posted to a website created by a former Palm Beach County sheriff's deputy who says he sold the site in 2012 to some friends in Russia.
- Washington State Department of Transportation reveals a former contract employee accessed without authorization the personal information of 500 customers of its Good To Go program and stole the credit card information of 13 of them.
- University of Mary Washington in Virginia reveals the personal information of 4,100 employees, students and alumni is at risk after an employee's laptop was stolen in January.
It happens everywhere now and 90% of it is sourced in human error.
Imagine if open wifi were a plate of food samples on a counter in a market? How many people walk up to an unattended free sample and just pop it in their mouth? I think plenty, and how gross is that? I carry a smart device and NEVER join anyone's network. I also don't eat unattended free samples. Seriously, yuch...