Introduction

Are you tired of hearing about yet another significant data breach? As I was reading about the most recent breach of Marriott and how the attackers were probably inside the Marriott system for four years (or longer), I got mad.

You should be mad too.

There’s no reason we should accept a lack of security from organizations (both corporate and government) that have collected our personal information. Many of these breaches were due to either pure negligence or management deciding to not spend the money to upgrade their network security to an acceptable level.

It’s frustrating that we’re still talking about many of the same problems with computer security that have existed for decades, even as the volume of data has exploded.

These attitudes about digital security are no longer acceptable.

It’s time for us to hold these people and organizations accountable. When I say “accountable,” I mean both criminally and civilly.

Instead of the United States continuing to be almost the only developed country without federal protection for personal data, we need to pass new legislation requiring this protection. The law should make the penalties and punishments severe enough to make organizations think seriously about their efforts and the resources to provide for security.

The problem won’t go away unless the probable consequences of failure to protect this data are real and substantial.

Senior executives and boards of directors who were aware of security problems (or should have been) and took no action to protect our data should face the risk of criminal prosecution as well as individual civil liability.

Situations like this have historically been considered to be “white collar” crime and have not been a high priority in our legal system.

This needs to change.

There’s too much fraud and other crimes involving digital technologies.

Yet there still doesn’t seem to be much interest in protecting people’s financial and personal information.

Too many organizations still consider the risk of a data breach as a “cost of doing business.”

After the Marriott breach was made public, several people have suggested that these breaches will not go away unless someone is prosecuted criminally and goes to prison.

https://gizmodo.com/only-jail-time-and-stiff-fines-will-stop-this-say-sena-1830779327

http://www.govtech.com/security/Senators-Call-for-Stricter-Data-Protections-Post-Marriott-Hack.html

I agree.

It’s time to change the mindset and to force responsibility and accountability. If we don’t change the approach to security as technology continues to grow exponentially, we’ll see more techno-crimes of all types.

Let’s send a message that we won’t accept this attitude anymore.

In the meantime, what can you do?

The first thing I would recommend is to freeze your credit reports.

I understand that this is not convenient for every person, but think about the convenience compared to the risks of your personal information, financial data, and medical records being stolen in a data breach.

You’ll need to make that decision depending on your individual circumstances, but that’s what I strongly recommend.

For more detailed information about freezing your credit report:

Equifax
Experian
TransUnion
Innovis

Another aspect of this problem is to check to see if the children in your family have a credit history. For a child under 16, in most cases there is no reason for a credit record to exist. But if a child’s identity has been stolen, the theft might not be discovered for many years. That could make the problem much harder to clean up years later when it comes to light. It can be a bit more difficult to check a child’s credit history, but it can certainly be done.

For more information:

Credicards.com

Consumer Financial Protection Bureau

Final thoughts:

We need more security and digital investigations professionals.

Did you know that some projections say that by 2021 there will be over 3 million cyber security positions that we won’t be able to fill?

3.5 million!

This number doesn’t even include digital forensics investigators who will also be needed to investigate the exploding number of techno-crimes.

We’ll need more of these experts to provide better security for our data, and to investigate crimes that will still occur.

Finally, there are too many organizations — both public and government based– that are collecting an ever-increasing amount of data about every person.

It’s time to hold them all accountable, and to demand that they take action to secure our data…or pay the consequences.

The days of ignoring security and facilitating the theft of our data need to end.

Perhaps the only solution will be when those responsible have an individual or corporate price to pay for their negligence or lack of responsibility.

Enough is enough.

Introduction

In our previous post, we described a hypothetical network where your digital evidence will be anonymous and encrypted.

All of the data on this network is shredded into fragments, with each piece individually encrypted using a different code.

Several copies of all fragments are dispersed to be stored on different land-based devices or satellites.

I call this “Cosmos Computing,” and believe it could be the next version of the Internet.

If you read the entire post, near the end I told you that networks like this already exist or are under development.

If you missed the other post, feel free to read it at https://technocrime.com/will-evidence-located-cosmos-computing/.

Now let me give you some examples.

The SAFE Network

The first example is called The Safe Network (Safe Access For Everyone) and is being created by MaidSafe, a Scottish company. For more information, you can go to their website at https://www.maidsafe.net).

The SAFE Network is designed to work exactly like the hypothetical network described in our earlier post (but currently without satellites).

As you read about the SAFE Network and how it is being designed, think about how this technology will affect your search for digital evidence.

The following are quotes from “The SAFE Network Primer” to give you an idea about the philosophy behind the project (the entire document is available on their website):

“For all its glories, the Internet is broken. It has strayed from its original vision. It is now a machine for censorship, propaganda, and central control that feeds on our personal data. It could and should have been much better than this.

MaidSafe’s solution is to create a secure, autonomous, data-centric, peer-to-peer network as an alternative to the current server-centric model. Rather than residing on a central server or data center, individual files are split up into pieces, encrypted and spread out over the network. Individuals retain full control of the data they create. It is resistant to DDoS, malware, and hacking and it cannot be centrally co-opted and controlled by monopolistic corporate and government interests. As a platform, such a network could usher in whole new business models, just as the original Internet did at the turn of the century.”

“The Internet giants of today would no longer be able to harvest our data without our say so, nor could government spooks eavesdrop over their shoulders. There would be a rebalancing of power from the data haves to the data have-nots. Censorship would be impossible, and data could be not be erased.”

Volunteers can choose to dedicate part of their computer’s hardware and data storage for use by the SAFE Network. In return, these owners are compensated for the use of their machines in a digital currency called “Safecoin.”

Safecoin will be convertible to many other types of digital currencies, such as Bitcoin.

People could also use the network’s custom browser to securely navigate the Internet, store their data files, or create websites.

Users who want to store data on the SAFE Network will pay Safecoin to the network for the service, and these funds are used to pay the volunteers hosting the data and the company managing the network.

Data stored on the volunteer network nodes will be secured inside an encrypted “vault,” and even the machine’s owner will not have access to it.

If anyone could break into the vault, he would only see scattered encrypted fragments of data that would not be readable. Only the original user who generated the data can recall and reconstruct it.

The network makes sure that no complete file is ever stored in a single vault.

When a volunteer host machine is shut down, the network software first makes multiple copies of all data fragments stored in that vault and disperses them to other working nodes on the network.

This means that your evidence may be stored on a different physical device in another location from one day to the next.

The SAFE Network never sees a user’s password. The only place the password is used is when the person logs onto the network to retrieve data he previously stored there.

The decryption keys are never transmitted on the network.

When a SAFE Network user logs out and shuts down the software, all traces of her activity are wiped from the host device.

We already discussed some of the potential benefits, but should we review them again?

• A user’s personal data would be secure, and the user would control every aspect of how that data was shared with another party.
• The data breach problem might be solved since there would be no single point of attack to steal proprietary or personal information.
• Hackers wouldn’t be able to access any useful data, as it would all be encrypted and stored on multiple devices.
• Distributed Denial of Service (DDoS) attacks will no longer work. The network would re-route the traffic around any targeted servers.
• The impact of malware would be limited due to the fragmentation and encryption of the data stored and transmitted on the network.
• Ransomware attacks and crypto-jacking would be almost impossible.

The SAFE Network is still in test mode, but imagine how this technology will change your investigations when it goes live!

Freenet

Freenet is a self-contained distributed network that was designed to provide “censorship-resistant communication.” The Freenet Project’s primary goal is to protect freedom of speech without censorship.

“Distributed networks” or “peer-to-peer networks” merely mean that there are no centralized servers, and that every computer that joins the network becomes one of the nodes on the net.

As with the SAFE Network, users contribute some of their bandwidth and even a portion of their hard drive for data storage for other users of the network.

Freenet provides websites, forums, chat sites, and file storage.

All communication is encrypted and routed through multiple nodes.

Only websites and resources created and stored on Freenet can be accessed on the network. Regular Internet sites such as https://technocrime.com are not a part of this network.

The network now has a “darknet” mode that communicates only with people that are trusted by the user.

Storj

Storj Labs is developing a commercial version of this type of network for data storage only.

As with the other examples, computer owners can join the network to allow their machines to be used, and are paid based on the amount of storage and bandwidth used by the network.

Users can provide part of their data storage and be paid with Storj token, which works the same as other cryptocurrencies like Bitcoin.

Files are shredded and encrypted, and every data fragment is stored in a different location across the network on at least three redundant nodes.

Users maintain the encryption keys for their data, and every file is encrypted with a different key.

Storj is a for-profit company, and currently charges users the following rates:

• $0.015 per gigabyte for data stored per month
• $0.05 per gigabyte of data downloaded from the network

Conclusion

These are only three examples to give you an idea of how this technology is developing.

Now imagine that the suspects in your investigation use several of these networks for their communication, websites, or data storage.

Because of the explosion of new technologies being developed, we are going to need specialist investigators who know how they work, what evidence may exist, and the best methods to obtain it.

We also need to start thinking about new ways to identify these specialists, and how to find them when they’re needed.

You now know about three examples, but there are others…

Are you ready for Cosmos Computing?

Introduction

Imagine working a case where your digital evidence is all anonymous and encrypted.

Plus any data — files, documents, email, and all evidence of Internet use — is shredded into several pieces, with each piece individually encrypted using a different key.

To complicate matters even further, each piece of the encrypted and shredded data is then stored on different devices scattered all over the world.

What if we expand all of this to include data storage on satellites in space?

This scenario is what I call “Cosmos Computing,” and it could be the next version of the Internet.

What impact would this have on your investigations?

Let me explain one way this could happen…

Is It Even Possible?

Most of you are already familiar with cloud computing, where any type of data can be stored on a server in the Internet “cloud.”

Cloud computing has already created some big challenges for investigators. Before cloud technology existed, we could go to the IT department to obtain data from the network or collect data directly from user devices.

Now the data we need could be stored in several places, and we might not even know where the data is physically located or who controls access.

In this post, we won’t talk about the complexities related to cloud computing, such as managing security, malware, legal holds, and digital forensics data collection and preservation.

We’ll save those for another day.

What I want to describe for you is what I believe the Internet of the future might look like, and point out some issues that we need to be thinking about now.

“Cosmos”: The Next Step Beyond The Cloud…

There are several companies actively working on systems to provide broadband Internet signals from satellite networks or (believe it or not) balloons.

These include Google, OneWeb, and SpaceX.

The goal is to provide Internet access to everyone in the world, especially the people who currently have no way to connect.

One expert estimates that in the next six years, four billion new users will be connected to the Internet.

New earth-based 5G wireless networks will be 10-100 times faster than those we have today.
With all these new connections and the additional billions of Internet of Things devices that will be added, these new technologies will change the world in ways we can’t even imagine.

If we are going to have Internet signals from satellites in space, how much harder could it be to also have solar-powered satellites that store data?

Think about the possibilities of multiple networks of low, intermediate, and higher-altitude orbiting satellites, giving every individual on earth multiple sources of Internet connections…and new places to store their data.

Now Add Distributed and Decentralized Computing

With all this additional traffic, along with growing concerns related to privacy and security, I believe we might see a completely different and more sophisticated type of Internet.

Here’s one idea.

• Imagine a network where every device is capable of connecting directly to every other device. Remember, we must now think in terms of devices…not just computers. Tablets, smart phones, and connected Internet of Things devices can also be part of these networks.
• This network will need no centralized servers. Whoever owns any device they want to connect to our network can share part of that device’s processing power and data storage with other users of the network.
• When someone offers to share some of a device’s resources, first they’ll download special software to connect the device to the network.
• This software will create an encrypted “vault” on their device for use by others.
• For their contribution, the device owners are paid with an untraceable digital currency, depending on the amount of resources shared.
• For example, someone who shares 50 gigabytes of their data storage would be paid more than a person only sharing 25 gigabytes.
• Any user who wants to store data on the network will first download different software to connect.
• Users are charged a small fee, also paid with the same untraceable digital currency, but only for the amount of data storage or service they actually need.
• Data stored or transmitted on this network will always be secure, because everything will be encrypted.
• But we’ll go even further. Before it is sent, every file or other type of data will be broken into small pieces that are individually encrypted.
• Then, each piece of data will be encrypted again, just to add even more security.
• The network’s software will then make several copies of each piece of data for backup and redundancy.
• When the data is sent for storage to the network, each of our encrypted data pieces (including the copies) are sent to be stored on different devices all over the world.
• The network will be designed so that owners of those devices won’t have access to the data other users have stored with them.

To give you a physical analogy, let’s use an example of a one-page printed document that we want to save, but secure it so nobody else can ever see it.

• First, you’ll encrypt the document with a code that only you know.
• Then, you cut the page into 50 pieces.
• You make five copies of each piece of data, for a total of 250.
• Next, you seal each of the 250 pieces in 250 tamper-proof containers that require yet another code to open that only you know.
• Each of the 250 sealed containers is sent to a different trusted person to store until you need it back.
• Those 250 people can’t open the container. Even if they could they would see only one of the 50 coded pieces of the original document, and they wouldn’t be able to read any content.

Some Possible Results of This Network…

• A user’s medical records, financial records, and personal data would be secure, and the user would control every aspect of how that data were shared with another party.
• We might solve the data breach problem, since there would be no single point of attack to steal proprietary or personal information.
• Hackers wouldn’t be able to access any useful data, as it would all be encrypted.
• Distributed Denial of Service (DDoS) attacks will no longer work (if you want to learn more about DDOS attacks, here is a good place to start). The network would simply re-route the traffic around any targeted devices.
• The impact of malware would be limited due to the fragmentation and encryption of the data stored and transmitted on the network.
• Ransomware attacks and crypto-jacking would be almost impossible.

What Does This Mean For Investigators?

Since the network is completely decentralized, there is no central point of management that would have access to any of the data transmitted by or stored on the network.

No single device will store any of the encryption/decryption keys used on the network.

Court orders or subpoenas would not be effective, since no single entity or group could provide any useful data related to the activities of the network users.

The device where encrypted pieces of your evidence are stored today may be in a different location tomorrow and a different one the day after that.

In many ways, these types of networks could bring tremendous improvements to security and privacy compared to systems we all use today.

Do you still think the investigative scenario described in the introduction is impossible?

I think it’s much closer than you realize, and it raises many new questions:

• Where will your digital evidence be when these types of networks are deployed?
• How will legal jurisdiction be determined?
• Will we need new international laws?
• How will you collect and preserve digital data related to your investigation?
• What new types of technical expertise will be needed to investigate techno-crimes in this environment?

Conclusions

I think we’ve reached a point where our dependence on technology is so great that we need to make a choice.

We can choose to design new networks and systems that focus on security and privacy on the one side, but make it harder for law enforcement and/or intelligence agencies.

Or we can choose networks and devices that may not be as secure and private, but still allow access to evidence.

I’m not sure that you can have both, but that is a very complicated debate that we can have another time.

Finally…I have a confession to make.

Companies are already working on the “fictional” network I described above. I’ll tell you who they are in my next post.

Are you ready for Cosmos Computing?

 

If you are interested in being part of our mailing list to find out more information about techno-crimes and investigations, it’s easy to sign at the bottom of this page.

 

Consider these scenarios…

A kidnapper takes remote control of the self-driving car that just picked your CEO at her hotel. The car is now driving her to a remote location where the criminals will meet her.

Your new smart home controller (think Amazon Echo, Google Home, Apple HomePod) has been hacked, and is now always listening to anything said within range of the microphone.

A terrorist group takes wireless control of several connected cars on major freeways and cause major pileups that kill or injure over 500 people.

A hacker sends a wireless command to the cardio-verter defibrillator implanted in a politician’s chest, causing the device to send a jolt of 750 volts to the politician’s heart.

A drone with a mounted silenced weapon assassinates the president of a country.

Your daughter received a “talking” teddy bear for her birthday. You don’t realize that the voice now talking to her is the convicted sex offender who lives several houses away.

All of the above examples are possible today, or will be in the near future.

Introduction

Welcome to the Internet of Things (IoT), an exploding technology where almost anything is or will be connected to the Internet.

Lots of these items have cameras, microphones or sensors that track data about a user or any other person in range.

Many of the devices are “smart”, which means they have some type of built-in data processing capability.

Some can talk to other connected devices, and almost all of them will be communicating data to at least one cloud-based server (if not more).

Voice-aware personal and home assistants can already act on your voice commands to do everything from play music to make bank transfers, and are being given more capabilities daily.

Self-driving cars that will be able to talk to each other and also to a central traffic control server will arrive within a few years.

Many medical devices are already connected in healthcare provider offices and hospitals, and new medical implants will monitor your vital signs and any other body or brain function (while communicating this data wirelessly to a connected mobile device and/or to a cloud server).

We now have smart homes, offices and even smart cities, where technology is becoming even more intelligent and interconnected.

Lots of devices that you might not think about are now being made with network connectivity (these are all real products):

• Clothing
• Light bulbs
• Smoke alarms
• Thermostats
• Fitness trackers
• Kitchen appliances
• Industrial sensors
• Toys
• Trash cans
• Hairbrushes
• Luggage
• Forks
• Whiskey decanters
• Mirrors
• Cardiac pacemakers and defibrillators

Now combine these billions of new devices with an exploding number of satellite, drone, and surveillance cameras, microphones, and biometric and facial recognition technology. Can you imagine the possible new types of data these IoT devices could produce for investigators…or criminals?

How big can it be?

Many people don’t realize how the number of connected devices will explode in the coming years.

The estimated number of devices connected to the Internet today is over 10 billion, which is already greater than the population of the earth.

The Gartner Group projects that by 2020 the number of connected devices could double to over 20 billion.

One company predicts that Internet of Things devices will generate over 600 zettabytes of data by 2020.

Now to put that in perspective, one zettabyte of data storage is the equivalent of:

• 34 trillion 3-minute digital songs
• 250 billion DVDs, or
• 36,000 years of high-definition videos.

The Information Security Institute estimates that there will soon be over 100 devices that contain Wi-Fi chips in every home.

John Chambers, former CEO of Cisco Systems, predicted that the impact of the Internet of Things could be 5 – 10 times greater than the impact of the Internet itself.

How IoT will change your life

The Internet of Things technology will give us fantastic benefits that aren’t even possible today.

You won’t use a keyboard to interact with the network anymore. Devices will either be voice-activated, or capable of direct communication via a brain computer interface (BCI).

Yes, this means that the network will be able to know and react to your thoughts.

With so much data being collected about you, the network will know everything about your financial transactions, your health and medical history, and your food and drink preferences. It will also know everywhere you go and most of what you do throughout the day.

Medical IoT devices and new implants will provide continuous monitoring and personalized medical treatments that aren’t possible today. Imagine a medical implant that can monitor your blood chemistry and glucose levels, and can administer only the amount of medication needed at that precise moment.

Your medical insurance rates will adjust automatically throughout the day depending on your behavior. On days when you exercise, get plenty of sleep, and eat well, your premiums go down. If you overeat, drink too much, and experience high stress, the premiums increase.

Holographic and virtual reality technologies will give you the capability of appearing to be anywhere you want to be in the real or virtual worlds, and developing “haptic” technologies will allow you to see, touch, hear and smell the environment where your representative avatar is.

All this technology will lead to increased productivity and convenience. The network will be able to anticipate your needs and desires. Facial and biometric recognition will provide you with personalized experiences and services that you can’t even imagine.

Robotics technology (of course they will also be wirelessly connected) will create entirely new possibilities in multiple industries. For example, in the service industry robots have already replaced human employees to check in guests at hotels, deliver room service, and help to care for elderly or disabled patients.

The possibilities seem endless to improve our lives and increase efficiency.

Unintended side effects?

But what unintended consequences could this technology cause?

First of all, can you imagine the impact it will have on your personal privacy?

If the exploding number of IoT devices are always watching and listening, will privacy still be possible?

What impact could this have on our world, if a person can no longer do anything, say anything, or think anything without that data being collected and analyzed?

Would this change your behavior?

Surveillance is the business model of the Internet.
You are the product.

And with the Internet of Things, this will be even more certain.

Many governments and companies already collect massive amounts of data about all of us. But with the IoT, the volume of collected data will skyrocket.

But there will be some logistical problems with accumulating this quantity of data.

• How much will it cost to develop the data storage to hold it all?
• Where will the data be stored (which may be impacted by existing or future privacy laws that differ from country to country)?
• Will we need new international laws related to IoT technology?
• How will investigators know which company has collected what data, and how to obtain it?
• If every IoT device collects data in a different format, how will an investigator be able to combine all the data related to an investigation to provide useful information?
• As with most mass surveillance or data collection, the size of the data makes it more difficult to extract useful information and interpret it.

Consider the analogy of finding a needle in a haystack. If the haystack you are searching suddenly doubles in size, how much longer will it take for you to find the needle?

What if it grows by one hundred times?

Remember, the success of almost all investigations relies on either time or money.

If the technology makes it harder for investigators to find relevant data, will IoT help you be successful, or will the sheer volume of data overwhelm you and keep you from finding the evidence you need?

What about security?

What about the security of Internet of Things devices?

Right now, security doesn’t seem to be a priority for companies manufacturing these devices.

There are few, if any, laws of regulations addressing the security of IoT devices.

Most devices have no security at all, and many don’t have the capability for the device’s firmware or software to be updated.

If a security flaw in one of these devices is discovered, your only option may be to destroy the device and get a new one that “might” have been updated to eliminate the flaw.

But what are your options when a different defect is found?

Most IoT devices communicate wirelessly, but very few of them currently use encryption to protect the data.

If any wireless signal is not secured, it can potentially be intercepted.

This could give anyone access to the data being transmitted by the IoT device.

Unsecured IoT devices communicating via Wi-Fi or Bluetooth signals on your home or office network could also give a criminal access to your network.

And access to the data stored on every device connected to the network.

For example, many smart televisions have microphones and cameras.

Some smart televisions even create their own Wi-Fi hotspot, and with no security.

A hacker who could intercept this Wi-Fi signal might be able to see or hear anything within range of the camera and microphone.

If the television is connected to your home of office Wi-Fi, the attacker could potentially gain access to your network.

In one study by Hewlett Packard, 70% of IoT devices analyzed were vulnerable, and each device contained an average of 25 security flaws.

A Symantec study of health/fitness tracking apps showed the average device sent the collected data to between 5 and 14 different Internet domains.

According to a recent survey of IT professionals on the ISACA IT Risk/Reward Barometer, three-quarters of the respondents believed that a security breach caused by an insecure IoT device is likely.

Almost every IoT device that has been tested by security researchers has been successfully hacked.

Connected cars, medical devices in hospitals, implantable cardioverter-defibrillators (and pacemakers) have been hacked.

Video conferencing systems, wireless copiers and printers, and other office devices have been remotely accessed.

Kitchen appliances, connected thermostats, and wireless home security systems have been hacked.

Could the IoT fundamentally change crime and investigations?

This may seem to be a strange question, but consider the following:

• We already have a staggering number of surface, satellite, mobile device, and drone cameras that will only continue to grow.
• Add a dramatic expansion of facial and biometric recognition with much better quality than we have today.
• All the devices that operate via voice control will always be listening and will alter behavior, even behind closed doors.
• IoT devices will mostly communicate via wireless protocols, many of which have already been hacked.
• Self-driving and fully autonomous vehicles will provide much more information about individual movements than has ever existed.

Since new IoT vehicles will have cameras and biometric recognition, and will be tracked with GPS, will auto theft and hijacking go away? Or will we have new types of high-tech thefts when the technology is hacked?

Does IoT technology have the potential to reduce person-on-person violent crime?

Could medical implants that constantly monitor blood components help to reduce illegal drug use?

We may have new risks when facial recognition or other biometric data is stolen.

• If a criminal steals an identity or financial records, the victim can probably recover by creating new accounts, obtain new identification, and eventually resolve any fraud that was committed.
• But if a crook steals biometric data, that can’t be recovered or replaced.

We may even see new types of crime created by these technologies that never existed before.

The Internet of Things may also change how we investigate crime.

We will need new types of investigative and forensic specialists who will have the knowledge and expertise to deal with this technology.

We might need to re-think how we organize law enforcement agencies and private investigations firms.

The old models where an agency or company has all the expertise needed “in house” may no longer be possible.

Teams of investigative specialists may be needed for each criminal case or civil engagement.

Sophisticated artificial intelligence capable of reviewing the massive amount of video and other data that will be collected from millions of sources might be required.

Conclusions

Are you sure that the Internet of Things will create more benefits than risks?

Even if the technology benefits outweigh the risks, are you ready to deal with the security and investigative challenges that will come with it?

We can help you understand some of the risks from your smart homes and mobile devices, and hopefully help you improve your security.

In our Free Member Content Library you can find our “Smart Home and Mobile Device Security Checklist.”

This checklist doesn’t address all of the issues we’ll face with the Internet of Things, but at least it might give you a good place to start.

Introduction

A journalist named Steven was on a flight from Dallas to Raleigh. During the flight he connected to the in-flight Wi-Fi while working on a very sensitive and controversial article. He checked and wrote several email messages during the flight.

As the plane landed and everyone stood up to deplane, a man in the row just behind Steven tapped him on the shoulder and asked to talk to him after they left the plane. Steven thought it was a little strange, but agreed.
In the gate area, the stranger told Steven that he had hacked his device during the flight, and could read everything that Steven had sent and received, including information about Steven’s confidential informants. In fact, the stranger admitted that he had hacked most of the devices connected to the in-flight Wi-Fi.

Given the sensitive nature of the article, the stranger just wanted to warn Steven that he needed to be more careful.

The Risks From Unsecure Wi-Fi

I’m sure that almost all of you use Wi-Fi, either in your home, office or in public places that provide a free connection.

Wi-Fi that is not properly secured could put your identity, your data, and your finances at risk.

Think about the types of data you are transmitting when you connect to the Internet

• Access to your email
• Login credentials for any network or website
• Data related to online banking or investments
• Credit card numbers
• Text messages

Data stored on your devices that you might prefer to keep private might also be at risk.

Wi-Fi has become so widespread that we tend to take it for granted without questioning whether it is secure. Here are the facts:

• Hundreds of thousands of home and office Internet routers have been hacked, as the default passwords and SSID names (Service Set Identifier) were never changed on the devices. (An SSID is the Wi-Fi network name.)
• Even more routers have been successfully attacked because the password was easily guessed.
• People connect to public Wi-Fi in airports, hotels, train stations, sporting events and conferences because it’s convenient and free, and doesn’t require them to use data minutes from their cellular provider.
• In some situations, Wi-Fi providers who require a password do not really have secured systems.
• Even your home or office Wi-Fi router may have already been compromised.
• With the recent U.S. government change in policy toward “net neutrality,” your Internet Service Provider (ISP) can now legally watch your Internet activity and use this data for advertising, or even sell your data to other companies.

Do You Know How to Use Wi-Fi Securely?

Probably the most important step you can take to improve the security of your Wi-Fi connections is to use a Virtual Private Network, or VPN.

Without a VPN, your Wi-Fi traffic could possibly be intercepted, and if your device has file-sharing activated, an attacker might even be able to access the data stored on the device.

Hackers could also use techniques that allow them to plant malware on your device.

Your Internet Service Provider (ISP) can see all of your Internet activity if you are not using a VPN.

In simple terms, a VPN creates a secure, encrypted tunnel between your device and one of the remote servers of the VPN provider.

A VPN not only encrypts the data transmitted between your device and the server, but it also hides your Internet Protocol (IP) address. This masks your location and can make it appear that you are located somewhere else.

Once your traffic exits the VPN server, if you are accessing a website protected with HTTPS then your communication is still secure. HTTPS stands for “HyperText Transfer Protocol Secure,” which encrypts the traffic between your device and a website.

However, if the website does not have HTTPS, keep in mind that an outside party monitoring traffic from the VPN server could conceivably intercept your traffic, but it would be more difficult to trace it back to you depending on the nature and content of the transmission.

One potential downside to using a VPN is that the VPN service provider may be able to see all of your Internet traffic, so you will need to trust it to keep your data confidential. Some providers do not maintain any logs of user activity, but many do, so make sure you research providers before you decide which service to use.

A VPN won’t protect you if you click on an infected attached file or link, so you should still consider anti-malware protection for all of your devices.

How to Choose a VPN?

Choosing the best VPN depends on your situation and individual or organizational needs.

Some VPNs are free, but most offer paid versions with other services, such as faster bandwidth, a larger variety of services, multi-device plans, and more.

Remember that a VPN does NOT make you completely anonymous, and will NOT protect you from malware.

Most VPN services are software-based, but there are some that also offer VPN capability built into an Internet router.

Other services will help you to reprogram your existing router to use their service, but this almost always requires a paid subscription.

Some questions that you might want to ask:

• How confidential will my Internet activity be?
• What kind of data, if any, does the VPN provider collect about my browsing?
• How long does it keep this data?
• Are there any restrictions on bandwidth?
• Where are the VPN servers?
• How do you pay for the VPN service?
• There are lots of reviews and recommendations about the best VPN services, and you should read several to find the best choice for you.

I am providing some links to help you get started:

• That One Privacy Site – https://thatoneprivacysite.net/simple-vpn-comparison-chart/
• https://www.top10vpn.com/best-vpn-for-usa
• https://www.techradar.com/vpn/best-vpn

And these are links to several VPN services for more detailed information:

• Freedome VPN – https://www.f-secure.com
• IPVanish VPN – https://www.ipvanish.com
• Nord VPN – https://nordvpn.com/
• ProtonVPN – https://protonvpn.com/
• Mullvad – https://www.mullvad.net/en/
• StrongVPN – https://strongvpn.com/
• Tunnelbear VPN – https://www.tunnelbear.com/
• Vyper VPN – https://www.goldenfrog.com/vyprvpn

Additional Options to Explore

• Turn Wi-Fi off on all your devices when it isn’t needed.
• Think about using a browser that focuses on privacy instead of tracking your activities.
• Use the “HTTPS Everywhere” browser extension at https://www.eff.org/https-everywhere.
• Research other browser extensions or add-ons designed to protect your privacy
• If you store your data anywhere in the “cloud,” seriously consider either using a service that encrypts your data or encrypting the data yourself before it is uploaded to your cloud account.
• Consider the use of a search engine that does not track your search activities, such as StartPage.com or DuckDuckGo.com.

The risks from techno-crime grow every day, but there are relatively simple and easy things you can all do to minimize the dangers you are exposed to.

I recommend that you never, ever connect to an unsecured Wi-Fi signal without using a VPN.

On every device.

All the time.

Remember…just because you think a Wi-Fi signal is secure, there is no guarantee.

Stay safe and please take this one step to protect yourself from one of your biggest techno-crime risks.