When you are away from work and away from home, stop and think about the devices you are using and where you are. Can you trust the network you are connecting to? Are you at risk of someone looking over your shoulder?

eduroam

More than 10,000 eduroam hotspots are available at universities, research centres, academies, many schools, and other research and education institutions in more than 100 territories around the world. As eduroam grows, more and more hotspots are appearing in additional places such as libraries, museums and public spaces such as railway stations and coffee shops.

An eduroam mobile app has been created which allows users to use the map screen to explore eduroam venues close to them or to plan network access for upcoming trips. The interface allows searching for a specific venue or listing all venues on the current map view. Further details for each venue can be displayed, and if desired the app will create a route to navigate you to a chosen venue.  More information on the eduroam companion app can be found at https://www.jisc.ac.uk/eduroam#tab-3-4

Wireless networks in public

It's important that you protect yourself when using these types of network, as the characteristics that make them accessible and easy to use also make them vulnerable!

Wireless networks use radio frequencies to create connections between devices and as the signals are all around us, if they're not protected anyone within range of those signals can see and use the same signal. Think about the FM radio frequency: it's not protected so anyone with an FM radio can tune into it!

If you want to use publicly available Wi-Fi networks, you need to do so with care and take steps to protect yourself. These networks are often provided by companies who aren't in the IT business, so making sure these networks are protected by adequate security measures is not something that they will have the time or inclination to do.

Encrypt it! Encryption converts your information into a code which can only be 'understood' by authorised people or devices. WPA (Wi-Fi Protected Access) or WPA2 are considered the best, and modern devices should support them. Older devices may need to use WEP; however, whilst this is better than no encryption at all, it's not considered particularly secure.

Stick with the familiar. If you're using a hotspot, stick to those provided by trusted commercial operators like BT OpenZone or T-Mobile.

Use protection! Make sure the security on your computer or device is up to date, especially your firewall, where available.

What are you doing?! Think about what you're actually doing on these Wi-Fi networks - avoid transmitting sensitive information (e.g. accessing your bank account). If you have to carry out these types of transactions, make sure you're using a secure webpage (these start https:// and have the padlock symbol in the address bar).

Eavesdropping

 Eavesdropping is the name given to the process of a third party accessing your information as it passes un-encrypted over the public internet.

The security risk associated with using public Wi-Fi is that unauthorised people can intercept anything you are doing online. This could include capturing your passwords and reading private emails. This can happen if the connection between your device and the WiFi is not encrypted, or if someone creates a spoof hotspot which fools you into thinking that it is a legitimate one. 

Alternatively, you may simply be prompted to log in to enable internet access. This will tell the operator that you are online in their café, hotel or pub. Again, this will usually mean that there is no encryption.

Do not carry out any confidential transactions, communications or network access via public Wi-Fi hotspots, as they may not be secure.

 Remember: In security terms, it is preferable to use a 3G or 4G connection than a non-secure Wi-Fi network.

  • Unless you are using a secure web page, do not send or receive private information when using public Wi-Fi.
  • Wherever possible, use well-known, commercial hotspot providers such as BT OpenZone or T-Mobile.

Shoulder surfing

Shoulder surfing (or visual hacking) is the act of gaining information simply by looking at someone else's papers or screen. It usually involves looking over a person's shoulder, while they are unaware, to gather data.  You are more susceptible to shoulder surfing while in a crowded place, while using a computer, smartphone or even a cash machine.

  • Locate a quiet spot away from the crowd
  • Be aware of who is standing or sitting around and behind you

SSL

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most widely deployed security protocols used today.

It is essentially a method to provide a secure channel between two machines operating over the Internet or an internal network. In today's Internet focused world, the SSL protocol is typically used when a web browser needs to securely connect to a web server over the inherently insecure Internet.

Technically, SSL is a transparent protocol which requires little interaction from the end user when establishing a secure session. In the case of a browser for instance, users are alerted to the presence of SSL when the browser displays a padlock, or, in the case of Extended Validation SSL, when the address bar displays both a padlock and a green bar. This is the key to the success of SSL – it is an incredibly simple experience for end users.

  UoG Portal secure URL 

What Happens When a Browser Encounters SSL? 

  1. A browser attempts to connect to a website secured with SSL.
  2. The browser requests that the web server identify itself.
  3. The server sends the browser a copy of its SSL Certificate.
  4. The browser checks whether it trusts the SSL Certificate. If so, it sends a message to the server.
  5. The server sends back a digitally signed acknowledgement to start an SSL encrypted session.
  6. Encrypted data is shared between the browser and the server, and https and the padlock icon appear (and the address bar may turn green).

How is SSL used today? 

  • To secure online credit card transactions.
  • To secure system logins and any sensitive information exchanged online.
  • To secure webmail and applications like Outlook Web Access, Exchange and Office Communications Server.
  • To secure workflow and virtualisation applications like Citrix Delivery Platforms or cloud-based computing platforms.
  • To secure the connection between an e-mail client such as Microsoft Outlook and an e-mail server such as Microsoft Exchange.
  • To secure the transfer of files over https and FTP(s) services such as website owners updating new pages to their websites or transferring large files.
  • To secure hosting control panel logins and activity like Parallels, cPanel, and others.
  • To secure intranet based traffic such as internal networks, file sharing, extranets, and database connections.
  • To secure network logins and other network traffic with SSL VPNs such as VPN Access Servers or applications like the Citrix Access Gateway.

The above scenarios fall into one of the following themes:

The data being transmitted over the Internet or network needs confidentiality. In other words, people do not want their credit card number, account login, passwords or personal information to be exposed over the Internet.

The data needs to retain its integrity, which means that once credit card details and the amount to be charged to the credit card have been sent, a hacker sitting in the middle cannot change the amount to be charged and where the funds should go.

Your organisation needs identity assurance to authenticate itself to customers / extranet users and assure them they are dealing with the right organisation.

Your organisation needs to comply with regional, national or international regulations on data privacy, security and integrity.

SSL at University of Greenwich

To check the encryption on services provided at the University, in any of the main browsers, simply click on the padlock icon in the address bar and look for the information regarding the certificate.

UoG Portal Padlock information
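
The same details the padlock shows can be read programmatically. The following is an added example, not part of the original page or any University tooling: check_site() performs the connection, certificate check and session start described under "What Happens When a Browser Encounters SSL?", and summarise_cert() extracts the "issued to / issued by / expires" facts. The host name portal.example.ac.uk and the sample certificate are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def summarise_cert(cert, now=None):
    """Reduce the dict from SSLSocket.getpeercert() to padlock-style facts."""
    now = now or datetime.now(timezone.utc)
    # subject and issuer are tuples of RDNs, each a tuple of (key, value) pairs
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return {
        "issued_to": subject.get("commonName"),
        "issued_by": issuer.get("organizationName") or issuer.get("commonName"),
        "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "expires": expires,
        "days_left": (expires - now).days,  # negative once the certificate has expired
    }

def check_site(host, port=443, timeout=5.0):
    """Connect, receive the certificate, verify it and start the encrypted session."""
    # The default context checks the certificate chain and the host name;
    # an untrusted certificate raises ssl.SSLCertVerificationError here.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            info = summarise_cert(tls.getpeercert())
            info["protocol"] = tls.version()   # e.g. "TLSv1.3"
            info["cipher"] = tls.cipher()[0]
            return info

# Constructed sample in the shape getpeercert() returns (not a real certificate)
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.example.ac.uk"),),),
    "issuer": ((("countryName", "GB"),),
               (("organizationName", "Example CA Ltd"),),
               (("commonName", "Example CA RSA 1"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "portal.example.ac.uk"), ("DNS", "www.example.ac.uk")),
}

if __name__ == "__main__":
    print(summarise_cert(SAMPLE_CERT))
```

To inspect a live service, call check_site() with the host name shown in the browser's address bar.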