Is Anything Safe Online?

Recent revelations in the ongoing Edward Snowden scandal are shining a new light on the far-reaching cyber capabilities of the National Security Agency -- including the agency's ability to bypass the online encryption standards used by the majority of the web.

It's hard to overstate the significance of this revelation -- online encryption is what has allowed online banking, online purchasing, email, even mobile apps to flourish over the past few years. While the security industry has known for years that encryption was vulnerable to hackers, this raises the stakes so much more.

And it begs the question: Is it any longer possible to be private online?

The honest answer is, "No." Until recently, we were under a collective delusion about online privacy -- the reality is, there's never been any such thing, and today the threats are far more widespread, sophisticated and high-level. There is no such thing as a 100 percent safe computer network, internet browser, email provider, encryption service, data backup service or cloud provider or mobile operating system. Even The Onion Router (TOR), the often cited private web browsing framework, can and has been hacked allegedly by government agents.

While I wouldn't recommend overreacting to this news, it is a great opportunity to raise awareness among consumers about the relative frailty of the online world. Just because the website you're on has a lock symbol in the address bar, doesn't mean it's 100 percent safe. Just because it's an Apple product, doesn't mean it can't get a virus. Just because your WiFi is WEP/WPA/WPA2 protected, doesn't mean someone can't eavesdrop on you.

The U.S. government isn't the only one with the capability to break into online services that many consumers have long assumed to be "unhackable." Cyber criminals, hacktivists and others can also do it.

Here are four ways you didn't know you could get hacked:

  • Forget About the Padlock Symbol: That padlock symbol that appears in your internet address bar whenever you visit a "secure" website like a bank, retail checkout page, etc. isn't as ironclad as it may seem. Obviously, the NSA may have a backdoor. But in the past few years, other hackers have been figuring out new ways to bypass HTTPS to steal a person's login credentials. In fact, the Department of Homeland Security issued a formal alert about one of these attacks (called BREACH) on August 6th. There are several others too, that go by such names as SSLStrip, CRIME, BEAST, Lucky13, etc. In the case of SSL stripping, an attacker can create a fake padlock symbol ("favicon") that shows up in your address bar, even while you're getting hacked. Now, that isn't to say it's easy to get hacked over an HTTPS connection -- but it is possible, and in a few years, we could see these attacks really take off. Best advice: don't rely solely on HTTPS to protect you. That means you shouldn't be fooled into thinking it's ok to visit a sensitive website (like a bank or shopping cart page) over an open WiFi network because you believe you are "already protected" by HTTPS. Use a virtual private network (VPN) and use one credit card to make online purchases.

  • "Protected" WiFi is Still Hackable: Just because you're using a "protected" WiFi setup, like WPA or WPA2, doesn't mean you're safe. Hackers know how to beat these networks, and there are plenty of online tools that make it easy to do -- like Aircrack-ng, Reaver, etc. Does this mean you shouldn't bother setting a password on your network? Absolutely not -- WPA/WPA2 are still much better options than WEP or going commando, but it's important to realize that these "protected" setups aren't bulletproof. If you want to be safer, set up a VPN on your computer, laptop, smartphone and tablet in order to add an extra layer of encryption that will make it harder for someone to spy on you. Another piece of advice: consider reverting to an ethernet cable connection instead of WiFi when performing sensitive tasks like online banking.
  • Eavesdropping Over 3G/4G: My phone can't get hacked when it's using a 3G/4G signal, right? Actually, this is no longer true. While it's definitely safer to browse the Web over a 3G/4G connection instead of WiFi, there are ways hackers can break into the cellular network -- for instance, by using a modified femtocell (which anyone can buy, by the way) to trick your phone into thinking the hacker's network is the local cell phone tower. This cell tower "spoofing" is pretty alarming -- and there isn't much you can do to protect yourself. A VPN will help, but it won't encrypt phone calls and some other types of information. However, the chances of this happening are somewhat low and hopefully the mobile carriers will develop new security solutions to guard against it in the coming year.
  • Smartphone Auto-Connects: Your phone can also sell you out in another way: with its auto-connect feature. Most smartphones today, including the iPhone, have a special feature that "remembers" WiFi networks you've used in the past and will automatically connect to them whenever it senses they're in range. Most of the time, this is helpful -- we don't have to manually connect each time we go from our home WiFi network to our office WiFi network, etc. But this convenience also comes at a cost -- it makes us vulnerable to a type of attack known as "pineappling," which basically means a hacker spoofs one of your remembered networks -- tricking your phone into auto-connecting with a malicious network. The bad news is that we can't stop our phones from auto-connecting. However, you can improve your safety by either turning off WiFi altogether when you're out of the house and/or using a VPN to add an extra layer of protection (notice a common theme here?).