Monday, March 7, 2016

Grant's Rants: "I got hacked on an airplane"...because you weren't paying attention.

My initial reaction to the original story of how a reporter was hacked mid-flight through an airline's GoGo wireless network was that reporters, by nature, tend to use less secure, consumer-focused systems. With this update, it is clear that he operates as an independent reporter. He wasn't a reporter covering security issues, just a reporter, even if he has a description like: "USA TODAY columnist Steven Petrow offers advice about living in the Digital Age."

In the end, we can interpret this story as being one that was ripe for happening, and was trumpeted by an opportunistic reporter. We now know that he wasn’t focused on maintaining his own equipment or being concerned about information security issues until he was compromised, and then he made some money off of it by writing articles about his experience that are being shared widely.

Let's look at the situation:

  1. He was using an older, deprecated email connection method (POP3). He set it up in 2002 and apparently hasn’t touched it since. Therefore, his email traffic could be picked up “in the air” and was entirely unencrypted. 
  2. He wasn’t using a VPN for his insecure email protocol. Again, his email traffic could be seen.
  3. He was using unencrypted (public) WiFi. Frankly, any Public WiFi is as secure as any unencrypted WiFi network, home or otherwise. If the network connections aren’t encrypted, then others who are within listening range can see any app traffic that isn’t encrypted…like unencrypted POP3 to pull email.
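
To make point 1 concrete, here is an added example (not from the original article or from any tool it mentions): a defender-side check that flags login commands in the client side of a captured port-110 session, next to the TLS connection a mail client should be making instead. The sample sessions, account name, password and function names are constructed for illustration.

```python
import poplib
import re
import ssl

# POP3 (RFC 1939) login commands. USER/PASS send the password as plain text;
# APOP sends a digest instead, but the mail that follows is still readable.
_CRED = re.compile(rb"^(USER|PASS|APOP)\s+(\S+)", re.IGNORECASE)


def find_cleartext_pop3_logins(client_bytes):
    """Scan client-to-server bytes of a port-110 session and return each
    login command seen, with the password masked."""
    findings = []
    for line in client_bytes.split(b"\r\n"):
        if line.strip().upper() == b"STLS":
            break  # TLS upgrade requested (RFC 2595): the rest is ciphertext
        match = _CRED.match(line)
        if match:
            command = match.group(1).decode().upper()
            value = match.group(2).decode(errors="replace")
            if command == "PASS":
                value = "*" * len(value)
            findings.append((command, value))
    return findings


def open_pop3_over_tls(host, timeout=10):
    """What the mail client should do instead of poplib.POP3(host, 110):
    implicit TLS on port 995 with certificate and hostname verification."""
    context = ssl.create_default_context()
    return poplib.POP3_SSL(host, 995, context=context, timeout=timeout)


# Constructed sessions; the account name and password are made up.
LEGACY_SESSION = b"USER columnist\r\nPASS hunter2\r\nSTAT\r\nRETR 1\r\nQUIT\r\n"
UPGRADED_SESSION = b"CAPA\r\nSTLS\r\n\x16\x03\x01\x02\x00\x01"

if __name__ == "__main__":
    for name, session in (("legacy", LEGACY_SESSION), ("upgraded", UPGRADED_SESSION)):
        print(name, find_cleartext_pop3_logins(session))
```

The legacy session yields both the account name and the (masked) password, while the session that issues STLS before logging in yields nothing.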

He wasn't under the corporate umbrella of systems management and secure configurations, so he was left to his own devices (no pun intended). The passage in which Petrow asked the security expert, “'What else do I need to do?' He explained [the reporter] needed to regularly download software updates…” was shocking to read. Frankly, I was surprised it took this long for this reporter to be compromised.

After writing this, there is blame to be spread around, though:

  1. ISPs and email providers should only provide encrypted methods for accessing email. Why was unencrypted POP3 still allowed? I know the answer: they didn't want to have additional support requests from their users.
  2. OS vendors should do more to educate and encourage automatic updating for OSes. Microsoft does a good job, on the initial install, and through occasional reminders. 
  3. App vendors should be encrypting network connections by default, not by exception or an opt-in process. 
  4. App vendors should be building in automatic updates and/or warnings about lack of upgrades. This is a win-win, driving more business and securing the consumer. Apple App Store, Chrome and Firefox Automatic Updates were designed for the consumer with no ability to engage in this overhead. Turn it on and forget it. Never look back. Kudos to them. It is for self-preservation, and other selfish reasons, typically, but it is moving the needle for consumers and consumer protection.
  5. At this point, consumer VPN services are used widely by a) the paranoid and b) high school students trying to get around school content filters. Maybe it's time for consumer VPN services to take off.

This type of article in USA Today gives continued exposure and awareness to these basic issues to those people in hotels across the country, so that's good, but updating systems should be table stakes for anyone under 50, especially if you offer "advice about living in the Digital Age." He wasn't paying attention, was compromised and suffered embarrassment. Fortunately, this guy got a second chance to improve his security posture and get paid for his work instead of more serious consequences for his inaction.