From f2845246a749c74eae5bf42477d056780284e385 Mon Sep 17 00:00:00 2001 From: Lisa Jervis <lisa@iecology.org> Date: Wed, 11 Oct 2017 18:04:52 -0700 Subject: [PATCH] end user feedback on public wireless checklist --- 6_public_wireless_checklist.md | 58 ++++++++++++++++++---------------- 1 file changed, 31 insertions(+), 27 deletions(-) diff --git a/6_public_wireless_checklist.md b/6_public_wireless_checklist.md index f2fca7f..a71a914 100644 --- a/6_public_wireless_checklist.md +++ b/6_public_wireless_checklist.md 
@@ -2,16 +2,19 @@ document set: DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS title: Password and Authentication Safety Checklist author: Jonah Silas Sheridan, Lisa Jervis -last modified: 9/2/17 +last modified: 10/11/17 version: "2.0, DRAFT NOT FOR FOR PUBLIC USE" --- # Public Wireless Network Safety Checklist ## Introduction -This checklist provides a number or practices that can help protect you and your staff when using publicly available wireless networks such as those in hotels, cafés and airports. Because there are so many ways that wireless networks can be compromised, this checklist is not exhaustive. You are always safest on networks you own and/or control. -**If performing work using sensitive or confidential information including that required to be protected by law (such as personal health information) you are best off avoiding the use of public networks for those tasks.** +*This checklist comes from the Weathering the Storms toolkit, which contains wraparound documentation including an introduction, frequently asked questions, and a glossary where you can look up any terms that are unfamiliar to you. This is a community-driven document set with the latest version always at https://ecl.gy/sec-check. We welcome your feedback via RoadMap, or our contact form at https://iecology.org/contact/.* + +This checklist provides a number or practices that can help protect you and your staff when using publicly available wireless networks such as those in hotels, cafés, and airports. Because there are so many ways that wireless networks can be compromised, this checklist is not exhaustive. You are always safest on networks you own and/or control. + +**If performing work using sensitive or confidential information, including anything that required to be protected by law (such as personal health information), you are best off avoiding the use of public networks for those tasks.** ## Key :heavy_check_mark: Record actions 
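Review bot: the rewritten bold warning in this hunk has a grammatical slip: "including anything that required to be protected by law" should read "including anything that is required to be protected by law" (or "anything required by law to be protected"). The rewritten introduction paragraph also carries over the existing typo "a number or practices", which should be "a number of practices". Since this hunk already revises the front matter (the "last modified" date), the two context lines above it are worth fixing in the same commit: `title:` still reads "Password and Authentication Safety Checklist" although the document is the Public Wireless Network Safety Checklist, and the version string "2.0, DRAFT NOT FOR FOR PUBLIC USE" doubles "FOR".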
@@ -22,55 +25,56 @@ This checklist provides a number or practices that can help protect you and your :heavy_check_mark: **Prefer Firefox or Chrome browsers. Only use Internet Explorer and Safari when required. Keep all web browser software, including extensions, updated to the latest version.** :rocket::wrench::fire: -*Internet Explorer has had a much higher incidence of vulnerabilities than Chrome and Firefox while Safari has suffered some recent security concerns. Although nearly all of the latest browsers support “certificate pinning” which makes it harder to intercept secure connections, [Chrome]("https://google.com/chrome") and [Firefox]("https://getfirefox.com/") have led the development of this important feature.* +*Internet Explorer has had a much higher incidence of vulnerabilities than Chrome and Firefox, while Safari has suffered some recent security concerns. <one reviewer asked if these had been addressed in the recent High Sierra OS update but this: https://www.cvits.com/2017/09/29/apple-safari-browser-may-have-security-issues-according-to-google/ makes me think not at all! 
So I think leave as is but I wanted you to know the Q had been raised.> Although nearly all of the latest browsers support “certificate pinning,” which makes it harder to intercept secure connections, [Chrome]("https://google.com/chrome") and [Firefox]("https://getfirefox.com/") have led the development of this important feature.* -:heavy_check_mark: **Install the HTTPS Everywhere extension for all of the web browsers you use on your system.** +:heavy_check_mark: **Install the HTTPS Everywhere extension on all of the web browsers you use.** :rocket::wrench::fire: -*This step will help ensure that more sites you visit and information you submit to them cannot be seen by others on the wireless network or the operator of the network itself.You can install that plugin from [this page] -("https://www.eff.org/HTTPS-EVERYWHERE").* +*The "s" in HTTPS stands for "secure," and when you see "https://" rather than "http://" in your browser's address bar, it means that are securely connected to the site you are visiting: The information being sent back and forth between your browser and the site's server is encrypted and so cannot be seen by others on the wireless network or the operator of the network itself. The browser extension HTTPS Everywhere forces your browser to connect using HTTPS instead of HTTP to any site that makes an HTTPS connection available, thus increasing the proportion of your traffic that cannot be viewed by others on your network. 
You can install that plugin from [this page]("https://www.eff.org/HTTPS-EVERYWHERE").* -:heavy_check_mark: **Install Privacy Badger, a browser add-on which will limit the “cookies” - small persistent chunks of information - set on your computer by websites** -:rocket::wrench::fire: +:heavy_check_mark: **Install Privacy Badger, a browser add-on which will limit the “cookies” -- small persistent chunks of information -- set on your computer by websites.** +:rocket::wrench::fire::fire: + +*Privacy Badger (also produced by the [Electronic Frontier Foundation]("https://eff.org")) is designed to help reduce the privacy breaches and tracking that come with the use of cookies. These cookies can be transferred insecurely so can, if poorly implemented, expose login credentials or other information in transit. As an extra benefit, using it will increase your privacy and reduce the extent to which you are tracked online. Download it [here]("https://privacybadger.org").* -*Privacy Badger is software produced by the non-profit [Electronic Frontier Foundation] ("https://eff.org") to help reduce the privacy breaches and tracking that come with the use of cookies. These cookies can be transferred insecurely so can, if poorly implemented, expose login credentials or other information in transit. As an extra benefit, you will increase you privacy and lessen your online tracking as a result of using this software. 
Download it [here]("https://privacybadger.org.").* +*Note that if you are using integrations between different web-based systems in your work (for example, connecting file-sharing systems such as Google or Box to project management systems such as Asana or Basecamp), you will need to tune your Privacy Badger settings for those sites to keep the integrations working properly.* -:heavy_check_mark: **Prefer wireless networks that use a password, ideally a unique one for each person connecting, and preferably using WPA or WPA2 encryption rather than WEP encryption.** +:heavy_check_mark: **Prefer wireless networks that use a password, ideally a unique one for each person connecting, and those that use WPA or WPA2 encryption rather than WEP encryption.** :rocket::wrench::fire: -*A password on a wireless network means the information moving across it is less easily captured and decoded by someone nearby. However in most cases everyone with that password can at least see some parts of your network connections so if everyone has a unique password this becomes quite hard to do. WPA and WPA2 offer stronger protection than WEP, which is now relatively easily compromised. You can easily view what encryption is in use on most computers. In OSX, hold down the Option key and click the wireless indicator in the top right corner to reveal extra information about each wireless network. The method for viewing these details is different in each version of Windows so ask your tech support provider for assistance for the software you use.* +*A password on a wireless network means the information moving across it is less easily captured and decoded by someone nearby. However, in most cases everyone with that password can at least see some parts of your network connections -- but if everyone has a unique password this becomes quite hard to do. WPA and WPA2 offer stronger protection than WEP, which is now relatively easily compromised. 
Most computers offer an easy way to view what encryption is in use on a given network. In OSX, hold down the Option key and click the wireless indicator in the top right corner to reveal extra information about each wireless network. The method for viewing these details is different in each version of Windows, so ask your tech support provider for assistance for the software you use.* :heavy_check_mark: **Confirm the network details before you connect.** :rocket::rocket::wrench::fire: -*An attacker can setup an access point with a name similar or identical to a legitimate one, so that you connect to it instead of the network you intend. Make sure to ask the proprietor of a public network what the network name and password are, and connect to the network with that name that accepts that password. This doesn't completely guarantee that the network you are connecting to isn't hostile or compromised, but it makes the difficulty of hijacking your connection much higher.* +*An attacker can set up an access point with a name similar or identical to a legitimate one, so that you connect to it instead of the network you intend. Make sure to ask the proprietor of a public network what the network name and password are, and connect to the network with that name that accepts that password. 
This doesn't completely guarantee that the network you are connecting to isn't hostile or compromised, but it makes the difficulty of hijacking your connection much higher.* -:heavy_check_mark: **Turn off the built-in file sharing functionality on your computer or device** +:heavy_check_mark: **Turn off the built-in file sharing functionality on your computer or device.** :rocket::wrench::fire::fire: -*Although handy for sharing files with peers, the built-in file sharing functionality on your computer is vulnerable to abuse or accidental information leakage, especially on simple networks like one finds in cafes or on airplanes that don't provide "host isolation" meaning that any computer using the wireless can connect to any other one. It is preferable to set up alternate tools and practices for sharing files, such as a central file repository in your office or cloud file service.* +*Although handy for sharing files with peers, the built-in file sharing functionality on your computer is vulnerable to abuse or accidental information leakage, especially on simple networks like one finds in cafés or on airplanes, which don't provide host isolation (the lack of host isolation means that any device using the wireless can connect to any other device). It is preferable to set up alternate tools and practices for sharing files, such as a central file repository in your office or a cloud file service.* -*To turn off file sharing on a Mac, go to Apple menu \> System Preferences, then click Sharing and make sure all the boxes are unchecked. See [this article]("https://support.microsoft.com/en-us/kb/307874") for turning off file sharing on a Windows computer.* +*To turn off file sharing on a Mac, go to Apple menu \> System Preferences, then click Sharing and make sure all the boxes are unchecked. Also disable AirDrop on your computer by going to the Finder, and choosing AirDrop under the Go menu. 
When the window comes up, you will see the phrase "Allow me to be discovered by" with a dropdown menu for completion. Choose "No One" from this dropdown. On an iOS device, select “Receiving Off” in the Control Center’s AirDrop settings. See [this article]("https://support.microsoft.com/en-us/kb/307874") for turning off file sharing on a Windows computer.* -*Recognize that if you are currently using the built-in file sharing functionality to share files inside an office, doing this will disrupt current work practices.* +*Recognize that if you are currently using any built-in file sharing functionality to share files inside an office, doing this will disrupt current work practices.* -:heavy_check_mark: **Ensure that the wireless network is not presenting false certificates** +:heavy_check_mark: **Ensure that the wireless network is not presenting false certificates.** :rocket::rocket::rocket::rocket::wrench::wrench::wrench::fire::fire::fire: -*Increasingly, networks are set up to monitor traffic for various reasons such as ad placement or content filtering. However, this potentially compromises all secure connections, as it allows traffic to be monitored via the same mechanism in what is called a Man-In-The-Middle (MITM) attack. The network device will replace the security certificate from the service you are connecting to with one of its own. Anyone with access to that device can see any communication between you and that service. Learning to view certificates in your web browser, or installing and learning to use a tool such as Certificate Patrol (available only for Firefox [here]("http://patrol.psyced.org/") will help you identify certificate changes but in normal operation also causes many alert windows to appear as vendors change their certificates.* +*Increasingly, networks are set up to monitor traffic for various reasons such as ad placement or content filtering. 
However, this potentially compromises all secure connections, as it allows traffic to be monitored via the same mechanism in what is called a Man-In-The-Middle (MITM) attack. Under these circumstances the network device will replace the security certificate from the service you are connecting to with one of its own. Anyone with access to that device can see any communication between you and that service. Learning to view certificates in your web browser, or installing and learning to use a tool such as Certificate Patrol (available only for Firefox [here]("http://patrol.psyced.org/")), will help you identify certificate changes but in normal operation also causes many alert windows to appear as vendors change their certificates.* -*Google has created [a document]("https://support.google.com/chrome/answer/95617?hl=en")on viewing certificate information in Chrome. Mozilla has [a similar document]("https://support.mozilla.org/en-US/kb/secure-website-certificate -") for Firefox as well as some [overall instructions] ("https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure") on connection security that you may wish to review.* +*Google has created [documentation]("https://support.google.com/chrome/answer/95617?hl=en") for viewing certificate information in Chrome. Mozilla has [similar documentation]("https://support.mozilla.org/en-US/kb/secure-website-certificate +") for Firefox as well as some [overall instructions]("https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure") on connection security that you may wish to review.* :heavy_check_mark: -**Use a Virtual Private Network (VPN) to securely tunnel out of public networks** +**Use a Virtual Private Network (VPN) to securely tunnel out of public networks.** :rocket::rocket::rocket::wrench::wrench::wrench::fire::fire::fire: -*A VPN creates a secure connection for your computers to use to access the office network and the Internet. 
This connection, or tunnel, can be used to hide all information moving from your computers to the Internet or office network from the operator or other users of the wireless network. Use of a VPN severely limits the amount of trust you have to place in the owner and operator of the network you are on and so limits your exposure to them. These factors make VPNs a very effective way to protect your traffic from observation or interception on untrusted networks.* +*A VPN creates a secure connection for your computers and mobile devices to use to access an office network and/or the Internet. This connection, or tunnel, can be used to hide all information moving from your computers to the Internet or office network from the operator or other users of the wireless network. Use of a VPN severely limits your exposure to the owner and operator of the network you are on and so significantly reduces the amount of trust you have to place in them. These factors make VPNs a very effective way to protect your traffic from observation or interception on untrusted networks.* -*A VPN is implemented via a device you own located in your office or at an offsite facility, or that a third party provides you use of for a fee. If hosting your own VPN hardware, budget for ongoing maintenance, licensing and software updates so that the device mediating your connection doesn't become a point of leverage against you. Also recognize that in setting up a device to use for VPN connections inside your office, many offsite staff will be dependent on your office Internet line for their work. If this Internet connection is unstable, undersized or asynchronous (made for downloading more than uploading, such as DSL or residential cable connections) the VPN will not work well for staff. 
For this reason, paying to "colocate" your own VPN device in a data center is the best way of getting a high trust, high performance VPN setup in place.* +*A VPN is implemented via a device you own located in your office or at an offsite facility, or that a third party hosts for you. If hosting your own VPN hardware, make sure you budget for ongoing maintenance, licensing, and software updates; otherwise, the device mediating your connection will become a vulnerability instead of a security improvement. Also recognize that in setting up a device to use for VPN connections inside your office, many offsite staff will be dependent on your office Internet line for their work. If this Internet connection is unstable, undersized, or asymmetric (made for downloading more than uploading, such as DSL or residential cable connections), the VPN will not work well for staff. For this reason, paying to locate your VPN device in a data center is the best way of getting a high trust, high- performance VPN setup in place.* -*Because of the high cost of self hosted VPNs, most organizations choose to use a third party VPN service provider to meet this need. It is important to recognize that unless you setup, run and maintain your own VPN infrastructure, you are just offloading that trust to a different third party -- the owner and operator of the VPN service. Be very careful in your selection of VPN providers and review their policies and track record carefully. Specific recommendations for VPN providers is outside of the realm of this document.* +*Because of the high cost of self-hosted VPNs, most organizations choose to use a third party VPN service provider to meet this need. This makes budgetary and operational sense, but it is very important to vet a VPN provider carefully by thoroughly reviewing their policies, understanding their track record in the field, and checking client references. 
Recognize that unless you set up, run, and maintain your own VPN infrastructure, you are just offloading the trust you don't want to place in the operators of networks you are using to a different third party -- the owner and operator of the VPN service. While specific recommendations for VPN providers are outside of the scope of this document, in general, free VPN services, including those available in some app stores, should be avoided. (The adage "If you are not paying for it, you're not the customer -- you're the product" holds true here.)* -*Choosing a VPN provider and setting up computers to use it are not simple tasks, and critically important – a misstep in setup or use can expose your information, bring your work to a crawl or expose your information. All VPNs add a layer of network traffic and will slow down your Internet access so your distance to and bandwidth available from your VPN provider (or, as noted above, your office or colocation facility if hosting your own) will make a difference to performance -- and in turn whether people actually use it. +*Choosing a provider of a VPN and setting up devices to use it are not simple tasks, and they are critically important -- a misstep in setup or use can bring your work to a crawl or expose your information. All VPNs add a layer of network traffic and will slow down your Internet access, so your distance to and the bandwidth available from your VPN provider (or your office or data center facility if hosting your own) will make a difference to performance -- and in turn whether people actually use it.* -*Consider if you can absorb the costs to make the speed and trust tradeoffs acceptable to you before choosing to implement a VPN. 
If you can, the investment in hardware, implementation, setup and hassle is repaid by a solution that mitigates a range of threats associated with use of untrustworthy networks across many situations.* +*Consider whether you can absorb the costs to make the speed and trust tradeoffs acceptable to you before choosing to implement a VPN. If you can, the investment in hardware, implementation, setup, and hassle is repaid by a solution that mitigates a range of threats associated with use of untrustworthy networks across many situations.* -- GitLab
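Review bot: the new text after "Safari has suffered some recent security concerns" commits an editor-to-author note into the document body ("<one reviewer asked if these had been addressed in the recent High Sierra OS update ... I wanted you to know the Q had been raised.>"); that needs to be resolved and removed before the draft leaves "NOT FOR PUBLIC USE" status, and if the Safari sentence is kept it should say what the concern is rather than rest on a single blog post. Three further points in this hunk. First, the markdown links are written as `[this page]("https://www.eff.org/HTTPS-EVERYWHERE")` and `[here]("https://privacybadger.org")`; in CommonMark the quotation marks become part of the link destination, so these links will not resolve. Drop the quotes, i.e. `[this page](https://www.eff.org/HTTPS-EVERYWHERE)`, and also remove the line break that splits the Mozilla URL inside `[similar documentation]("https://support.mozilla.org/en-US/kb/secure-website-certificate` from its closing `")`. Second, the Privacy Badger item overstates what the extension does: it blocks third-party tracking domains, it does not limit cookies in general, and it does nothing about cookies "transferred insecurely" (that is a cookie missing the Secure flag, which HTTPS Everywhere mitigates, not Privacy Badger); consider reframing that item as a tracking-privacy control rather than a credential-protection one. Third, "WPA or WPA2 encryption rather than WEP" should steer readers to WPA2 specifically, since original WPA (TKIP) is itself deprecated. Minor: "it means that are securely connected" in the HTTPS Everywhere paragraph is missing "you", and the false-certificates paragraph would be more actionable with the rule that a substituted certificate triggers a browser warning unless the interceptor's root certificate has been installed on the device, so staff should never click through certificate warnings on a public network or install a certificate a captive portal asks them to install.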