Cyber security researcher Dan Card separates the facts from the fiction about the safety of public WiFi. Along the way, he gives safety tips to users and corporate IT policy writers.
There’s nothing like it: sitting back and enjoying a grande soya macchiato accompanied by a shot of free internet access. But behind this shabby-chic scene of mobile-in-hand metropolitan bliss, there lurks potent potential danger. If the headlines are to be believed, there’s more than just the caffeine and sugar to make you feel jittery. While you’re surfing and sipping, hackers could be intercepting and stealing your data. What’s possible — what’s theory and what’s the stuff of Hollywood B-movies? We speak to a seasoned security professional and find out.
Why don’t you introduce yourself and tell us a little about your career?
I’m Daniel Card, I’m a cyber security consultant and I’ve been working in technology and security for over 20 years (well, I stopped counting after 20). I’ve worked with all kinds of organisations…I’ve designed secure environments, responded to major ransomware events and worked with hundreds of organisations to help them with their technology and security challenges.
To give some kind of idea, in 2003 I responded to a major worm incident in a local authority, in 2017 I supported the NHS responding to WannaCry and yesterday I was trying to hack my way inside my home’s WiFi… I’m an architect and problem solver (hacker). I seem to vary my world between PowerPoint and PowerSploit. That’s a hacker joke!
Tell us about your coffee shop WiFi research — what sparked your interest?
Back in the 2000s, I did some wardriving — locating open WiFi hotspots from a car. Elsewhere, as you can imagine, I’ve broken into a fair few organisations' networks via WiFi while penetration testing (pen testing). No names mentioned.
Around a year or so ago, I noticed people making all kinds of claims about the dangers of public WiFi. These seemed like nonsense — particularly in 2024. So, I set about understanding and showing the realities of coffee shop WiFi — not just hacker movie fantasies and lab scenarios.
I’m always following threats and trends…I’m always looking at this stuff. It would be madness for me to advise organisations if I couldn’t separate fact from fiction.
Can you give us some examples?
This week I’ve been researching a claim that hackers hacked a WiFi network using a microcomputer hidden behind a microwave. I built this setup by hiding a Raspberry Pi behind a microwave! It turns out that a microwave runs at 2.5GHz. This is awfully close to WiFi’s 2.4GHz operating frequency. This causes a massive problem and creates a denial of service condition. Who’d have guessed? So once again, cyber reality is different from cyber fiction.
I like to help people, and sometimes that involves helping them to understand what is a threat and what is fantasy. It’s also great to challenge assumptions — mine included. Cyber security is a vast and constantly changing field…what is true today might not be true tomorrow! But, we must lead with science not fiction — otherwise we end up in a world where people are chasing ghosts whilst the criminals and fraudsters are raiding gran’s life savings.
As a researcher, what public-WiFi scenarios have you investigated?
I’ve conducted a range of testing against potential avenues. The focus has been on the use case of ‘my mum’. Her apps are things like Facebook, banking and the like.
What is an Evil Portal? How does the attack work?
An Evil Portal is a web page that has been built to harvest data. When a user tries to log in, it might save a copy of your username, password and the like. This is clearly something that a benign logon process would explicitly not do.
You don’t need anything special — you can make one of these on a Raspberry Pi. You could also use something custom, like a wireless Pineapple from Hak5 — my friend Robin invented that — it’s a good bit of kit.
Do VPNs keep you safe?
Safe from what? From whom? If I had to generalise, a VPN does not generally protect someone from Evil Portals, phishing or malware. So, no, a VPN does not make someone safe. Also, subject to how it is used, VPNs won’t keep you anonymous. They do, however, work great for geo-hopping — pretending you’re in, say, a different country.
‘I’m using a 4G/5G hotspot on my phone. I’m safe.’ — Again, can I relax?
Yes and no. You can still be phished over the internet and download malware. There’s a slim chance someone could try to attack the hotspot (but that’s not that likely for the general public). If you are using Facebook, you can also still be scammed…
Now, as to whether people should relax or be at a heightened state of threat…humans, in my experience, don’t work well if they are told to be constantly vigilant. So, don’t stress. But do make sure you have a handle on your digital world.
In terms of operating systems — Windows, Mac, Android, Linux — do you see differences in mobile security?
The defaults across these are all different. I’ll pick the one that I have the most concern about, and that’s corporate Windows machines that are not appropriately secured before deployment to staff.
These days, home devices all come with reasonable defaults. However, each person’s device has such a varied landscape that it really does depend.
What are the most effective configuration changes we can all make to our devices before we travel?
For the everyday traveller, ensure you’ve downloaded the latest updates for your phone OS and apps. Next, make sure you are backed up, that the find my phone feature is enabled, make sure you have a lock-screen PIN number and — ideally — a biometric unlock.
Also, plan for what you’ll do if your phone is stolen, lost or damaged. If your phone supports it, enable lost or stolen protections.
What advice would you give to people writing corporate security policies?
I think policies should align more with the idea of ‘work from a location appropriate to the task at hand’. If you are dealing with sensitive matters, then working in public areas is not generally advisable. Blanket telling people to only work from home in 2024 seems like something from the cyber stone age. Also, I don’t think it’s realistic or pragmatic. I think organisations should think about the business context and provide appropriately secured technology services and training for staff. It's almost like they should use a risk-based and threat-aligned approach.