Friday, June 23, 2017

Protecting Your Data

Time and time again, you hear the same advice: use a strong password, never reuse passwords, don't click on hyperlinks or suspicious attachments, install antivirus software, keep your software updated, don't post personal data publicly, yada, yada, yada. Yet most people don't give much thought to connecting to public WiFi hotspots. Almost everywhere we travel, the first thing we look for is good WiFi with free Internet! We log on to our social media accounts, do online banking, buy stuff online, etc. Behind that 'Free WiFi' might be a hotspot designed to steal your credentials or reroute your connections to a fake web server. It sounds ludicrous, but such devices do exist and are actively deployed in public places.

Why? Well, there are various reasons for doing it. People must understand that their personal data is very valuable for legitimate as well as illegitimate purposes. On the dark side, it can be used to steal identities and create fraudulent transactions, or even to post personal and slanderous remarks using your credentials. In some countries this can get you in trouble with the law; it's called defamation. It can also be used to track your online habits and your location.

Personal data can be stolen either by hijacking it during transmission or while it's at rest. Data at rest is usually stolen from compromised hosts. Both scenarios can be avoided by employing strong encryption and safe online habits.

Data Transmission
But why should I bother if I'm connecting to an SSL-enabled website? Well, you should be cautious because connections to SSL-enabled websites can be stripped/downgraded to plaintext using a technique called SSL stripping (sslstrip). The way to make it difficult for malicious actors to hijack your data during transmission is to keep your data stream encrypted. A VPN offers one solution to the problem, but it is not a total solution. A VPN connection will make it harder for threat actors to hijack your connections even at the LAN layer. TCP hijacks or MiTM attacks are easier to initiate from the LAN because there are fundamental protocol flaws at the switching layer, e.g. ARP spoofing. It is also easier to identify the intended target, because the victims are usually in closer physical proximity during this phase of the attack. Finally, it is trivial to plant malicious devices in the LAN, such as placing a tap just before the Internet gateway or rerouting packets.

Attack scenario 1

In Attack scenario 1, the attacker host uses an ARP spoofing tool to poison the WiFi AP into redirecting the victim's traffic to the attacker. This allows the attacker to manipulate legitimate traffic, a precursor to further phishing or even sslstrip attacks.

Attack scenario 2

In Attack scenario 2, the WiFi AP is jammed and a rogue WiFi AP with the same SSID is set up to lure the victim host into connecting to it. Upon a successful handshake, all legitimate traffic is rerouted via the rogue AP for further manipulation such as sslstrip, phishing, stealing credentials, etc.

Having a dedicated VPN connection to encapsulate your connections will fundamentally make it almost impossible for a threat actor to hijack the data stream, because any modification to the stream will either render its payload useless due to the encryption cipher or break its packet header integrity, dropping the connection and cutting it off from further attacks.
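A victim-side check for the ARP poisoning described in Attack scenario 1, as an added example that is not part of the original post. It assumes Linux `ip neigh show` output, a gateway at 192.168.1.1 and constructed MAC addresses; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches `ip neigh show` lines such as:
# "192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<dev>\S+)\s+"
    r"lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)",
    re.IGNORECASE,
)

def parse_neighbors(text):
    """Return {ip: mac} for every resolved IPv4 neighbor entry."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m["state"].upper() not in ("FAILED", "INCOMPLETE"):
            table[m["ip"]] = m["mac"].lower()
    return table

def check_gateway(table, gateway_ip, pinned_mac=None):
    """Return findings that suggest the gateway's ARP entry is poisoned."""
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return ["gateway has no resolved ARP entry"]
    findings = []
    # Check 1: the gateway MAC differs from a baseline recorded earlier.
    if pinned_mac and gw_mac != pinned_mac.lower():
        findings.append(f"gateway MAC changed: expected {pinned_mac.lower()}, saw {gw_mac}")
    # Check 2: another host answers with the same MAC as the gateway.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    sharing = sorted(ip for ip in by_mac[gw_mac] if ip != gateway_ip)
    if sharing:
        findings.append(f"gateway MAC {gw_mac} is also claimed by {', '.join(sharing)}")
    return findings

# Constructed sample tables (not captured from a real network).
CLEAN = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
"""
POISONED = """\
192.168.1.1 dev wlan0 lladdr 66:77:88:99:aa:bb REACHABLE
192.168.1.23 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.40 dev wlan0  FAILED
"""

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("poisoned", POISONED)):
        result = check_gateway(parse_neighbors(sample), "192.168.1.1", "00:11:22:33:44:55")
        print(name, "->", result or "no findings")
```

On a public hotspot there is usually no baseline MAC to pin, so only the duplicate-MAC check applies; a shared MAC can also be legitimate (proxy ARP, one host with several addresses), so treat a finding as a reason to disconnect or switch to the VPN rather than as proof.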

Data at Rest
For stolen data to be valuable, it must be readable. If the content is encrypted, it will be of little use to threat actors. Encrypting data at rest with strong encryption such as AES with asymmetric RSA keys grants recipients privacy, by virtue of the fact that only the authorised recipients can decrypt the data, provided they have the right public and private key pair with a valid passphrase.

Conclusion
Next time you intend to transmit or store anything on a public network or server, give a thought to privacy. Always think about who the rightful recipients are. Not everyone should have the same privilege to access your data. After all, it's called private for a reason: such info is unique to you and only you! E.g. credit card no., SSN, passport no., birth dates, tel. no., bank account no., userids/passwords, PIN codes, passphrases, your mother's maiden name, personal addresses, etc. During transmission of data, remember to check the URI carefully, as well as the server's SSL certificate. This can be done by clicking on the lock sign in your browser's URL bar. Never accept connections with a bad SSL cert. Lastly, keep your OS fully patched and never click on links that you are unsure of, that appear dubious, or that come from unknown sources.

















    
