As I mentioned in my earlier post today, I am at RSA Conference, the largest and most important security conference in the world. Every major company that has anything to do with security is represented here. The exhibits cover two huge convention floors. There are tens of thousands of attendees, including people having to do with privacy, cryptography, security devices and software and on and on and on.
The conference is organized by RSA, which is one of the premier security firms in the world. Their technology is used by most major financial institutions, governments, and others to control access to sensitive networks, operations, and data.
Attending the conference is expensive – nearly $1,900 for 3 days of events. It is not surprising that, in addition to giving out T-shirts and knapsacks, the conference provides free WiFi, with fast service even at peak times of usage.
However, I do find it a bit ironic that the conference guide says “Important! The wireless network available at the Moscone Center is an open, unsecured network. We strongly recommend that you use appropriate security measures, such as utilizing a VPN connection, installing a personal firewall, and keeping your operating system up-to-date with security patches.”
My curiosity was piqued, so I decided to see how many of these world-class security experts actually followed this common-sense advice. I got out one of the WiFi “sniffing” tools and hacked into the WiFi communications. As you would expect, a lot of the traffic was encrypted – these were security experts, after all, and well aware of the risks.
But there were also large amounts of completely unprotected communications by many different people on the network. What were these people doing on the Internet? Some of them were pretty standard and expected, such as Apple.com, Google, MSN, Yahoo, LA Times, and a news site in Madrid. Of course, lots of people were doing real work, checking various marketing and technology sites, including one in Portugal. Others were various social networks, such as Sharethis.com and Facebook.
One person was checking the weather in Germany. Another was checking his/her email on the online version of Outlook. A third was browsing the Major League Baseball site.
Some were a bit more delicious, such as Victoriassecret.com and a site called “Thrillist.com,” which had articles on “the world’s 7 best party countries” and “18 ways to seriously anger a stripper,” which helpfully included pictures to help explain the offending behavior.
It only took about 15 minutes of sniffing to find this much information (and much more), and if I had more patience or motivation, I am sure I could have found information that would have been interesting to identity thieves and probably various confidential corporate information.
What does it all mean? Since even those who are most aware of the risks can be lax at times, it means that the general public has to be continually reminded to use the right technology to protect themselves. It has been 30 years since seat belts were mandatory, yet we still have to have signs around saying “Buckle Up.” In the case of using VPNs to encrypt Internet communications in WiFi hotspots, we clearly have a long way to go.
It also means that VPNs have to be easier to use, so people can have them active all the time, just like anti-virus. Just as it would not be practical to have to remember to turn anti-virus on when visiting suspect sites, it makes no sense to have to remember to turn on a VPN when on an unsecured WiFi.
But that means that the VPN must be intelligent enough to know what the connection is and only activate when needed.
At PRIVATE WiFi, we not only devised that capability, we patented it.