Disclosure: Small business and offering “free” WiFi – what NOT to do

In the interest of what I ran into last night, I will share what horrible networking practices this business I stumbled upon was employing. I was driving past a local tire shop, and noticed they had an open Wi-Fi network named “Goodyear”. So I thought to myself “let’s just take a peek at what is accessible to any user”.

There was no authentication agreement once connected, no ‘rules of conduct’, if you will, that even most coffee shop networks toss up at users. Lately I have been using my Nexus 7 to see just how much mayhem I am able to cause, without looking suspicious with a laptop.

Once I connected to the network, I fired up Dsniff to analyze the network layout. There was a curious hostname, with a Netgear device signature, that I felt warranted a look. So I scanned the services, and noticed a network share was the only service available, signaling this was likely a NAS device. A NAS on an open public Wi-Fi; I could only dream what treasures lay within its storage.

Using ES File Manager’s built-in Samba services to connect, for fun I tried using the default ‘Guest’ account, and, ta-da, I was presented with a share and the secret share data. In the root of the ‘My Documents’ folder, I found a fun file named ‘LOGINS.rtf’ and saved it to my tablet for later review.

The business is closed, nobody inside, and yet TONS of information, just waiting to be plucked. Since the NAS was so easy, I opened Chrome and browsed to the router login page; yet again, default username/password. I had to verify the root login, so I adjusted the filter settings on the router to block all requests for Google.com, Facebook.com, and Twitter.com; and lo and behold, it was successful.

I am sharing this so that anyone running a small business will take serious caution to ensure that their sensitive data is segregated from the public Wi-Fi network. It can be done very simply, even with regular routers from Best Buy. Please do not think that offering ‘free’ wireless will be positive for your customers. Their data is valuable, and if they are compromised because your system was poorly managed, that will reflect poorly on you.
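As an added illustration of the segregation recommended above (not from the original post), here is what the split looks like on a consumer router running OpenWrt, written in OpenWrt’s UCI config format: an open guest SSID with client isolation on its own subnet, and a firewall zone that lets guests reach only the WAN, never the LAN where a NAS would sit. The radio name, SSID and subnet are assumptions.

```conf
# /etc/config/wireless: open guest SSID bound to the guest interface, not 'lan'
config wifi-iface 'guest_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'Shop Guest'
	option encryption 'none'
	# client isolation: guests cannot talk to each other
	option isolate '1'

# /etc/config/network: guest clients live on their own subnet (assumed 192.168.3.0/24)
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp: hand out addresses on that subnet
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'

# /etc/config/firewall: a zone that may only forward to wan.
# There is deliberately no 'guest' -> 'lan' forwarding, so a NAS on the LAN is unreachable.
config zone 'guest_zone'
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guest_to_wan'
	option src 'guest'
	option dest 'wan'

# The only router services guests need: DHCP and DNS
config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

The zone rules do nothing about default credentials, so the router’s admin password and the NAS ‘Guest’ account still have to be changed or disabled regardless.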


Always, ALWAYS be mindful of what you share online.

With your privacy under attack by so many organizations and governments, it is important to remember that anything you share can come back to haunt you. Facebook recently changed its privacy policies to include a statement that anything you post (be it pictures, posts, stories, poems, status updates, etc…) is owned by Facebook, and can be used as they please because all users are capital entities.

I also just read about an iPhone/iPad app called “Snapchat” that purports to automatically delete pictures sent after a maximum of 10 seconds from when they were received. This is done in an effort to protect teens from “accidentally” sharing photos of themselves that could cause trouble for them (think the Amanda Todd incident). However, there is nothing stopping anyone from taking a screenshot of the picture, or even using a few other ways of capturing the content before it is auto-deleted.

It is important to stay educated when sharing anything online, as once it has been released in a digital format, there will ALWAYS be a trace of it somewhere on the internet. The only way to truly protect your pictures, or information is to keep it off the web to begin with.

If you are worried about maintaining your copyright for the works that you post online, make sure you carefully read ALL the privacy and content notices under the end user license agreements for any company or website that you use. In a best-case scenario you would be using your own private server and private storage, which would allow you to maintain ownership of all your intellectual property.

Privacy and intellectual property are huge concerns in today’s world. Governments and companies will seek to profit from and use your information for their gain, most times with little concern for how it impacts you.

minus.com social cloud sharing

There are many times that I find myself scrambling to find a way to share files online with a large number of people. My friend showed me a site that, so far, seems to meet my needs. minus.com is a kind of socially based cloud storage/sharing site that offers up to a 50GB account for free. If a friend joins the site with your link, you both get an extra 1GB of free space. I shared the executable version of my password generator script, with no problems or hiccups. If you would like to join, and like the idea of a free extra 1GB head start on your account, follow this link

Facebook: If you don’t use it, why have it?

Today at work I was lucky enough to attend an InfoSec session, and the speaker was very knowledgeable. The target audience was a less tech-savvy crowd, and the session mainly focused on teaching the basics of how to avoid the “human” factor in getting taken advantage of online.

One of the things that came up is something I’ve been thinking about for quite some time, regarding social media sites and the myriad accounts that most people have. Technology is a great thing, and the access to information we have today is simply amazing, but with all the access, all the smart phones, all the computers, and websites, you have also increased your online footprint, and made yourself a much larger target for ID theft, scamming, or any other possible attack.

Some of the points I’ve touched on before:
1. Don’t use public wireless networks.
2. On your phone, disable Wi-Fi. Use the 3G/4G data, because most phones just connect to an open wireless network without warning.
3. Be careful what you put on your public-facing profiles.
4. Don’t simply click links in emails; open your browser and MANUALLY go to the site.

But the final point that finally sank home with me was regarding Facebook and other sites like LinkedIn. Most people use those sites to connect with “trusted friends”, but don’t stop to think who else can access that information. With the recent hack of LinkedIn, millions of users’ user-names/passwords/emails etc. were leaked to the public simply because someone got bored and wanted some excitement (it will be plenty exciting for them in prison, but that’s another story). But just think for a second: how likely is it that many of the users that were compromised don’t log in and use the service? Now their account is compromised along with all the personal information therein, and they will never know. It begs the question:

If you aren’t going to use a service, why have an account at all?

The simple answer is, “Don’t.” Why leave personal information out there? By default most sites will simply only “deactivate” your account, and will still retain all your data. You will need to hunt for the permanent delete option, but it’s there; sites are required to have it, just not required to make it easy.

So today, I finally did what I’ve wrestled with for some time, and DELETED all the accounts I never use. There is no need for extra accounts; if someone wants to reach you, they likely already know how.

Just some more food for thought.