When connecting to a public or, even worse, unprotected WiFi network, it is important to use some caution to prevent your data from falling into the hands of malicious people. Below are the main steps we suggest you take before connecting to a WiFi network from your notebook, tablet, convertible or smartphone.
The security of WiFi, especially public WiFi, can by no means be taken for granted: by connecting to a public or unprotected WiFi network without taking a few simple precautions, you risk sharing personal information or exposing to third parties communications that may contain confidential data.
The level of security guaranteed by a public or open WiFi network must always be considered insufficient: an attacker using the same Internet connection can easily inspect the data in transit (exchanged by other devices connected to the same WiFi router or access point). Unless the data packets are encrypted, sniffer software can be used to read their contents.
Set Up The Network As A Public Network In Windows And Disable Sharing In macOS
In Windows 7, go to the Network and Sharing Center (just type its name in the Search programs and files box) and click on the network type (for example, Business Network or Home Network, if either of these two items is displayed).
Now, from the Network Settings window, choose Public Network.
In Windows 8.1 and Windows 10, type Network Status in the search box and then select Change Connection Properties. On the next screen, select the Private option.
In any case, click Sharing Options, or Change Advanced Sharing Settings in Windows 7, and make sure that the Disable Network Detection and Disable File and Printer Sharing options are selected for the Guest or Public profile.
In this way, any folders shared on your Windows PC will not be accessible by other devices connected to the WiFi network and the system will not even respond to PING.
More information in our article Difference between public network and private network in Windows 10.
In macOS you can disable resource sharing by opening System Preferences, clicking on Sharing and unchecking the boxes in the list on the left that shows the various services.
On Windows PCs Disable The WPAD Feature
Windows uses a feature, enabled by default, that allows you to automatically receive the parameters of any proxy server to be used after establishing a network connection.
An attacker can use the mechanism behind WPAD (Web Proxy Auto-Discovery Protocol) to send clients connected to the WiFi network the IP address of a bogus proxy that, for example, monitors traffic or redirects users to malicious websites. Cybercriminals can thus make users believe that they are visiting a legitimate website (leading them to enter authentication data) when they are actually on a web server set up specifically for phishing and for stealing other people's credentials.
To completely deactivate the WPAD functionality in Windows, just follow the instructions in the article Connecting to a public WiFi network safely: deactivate WPAD in Windows in the section How to deactivate WPAD in Windows.
Check That The Firewall Is Active And Working
Before connecting to the public or unprotected WiFi network, it is important to check that the Windows firewall is up and running.
To proceed, type Windows Firewall with advanced security in the search box of the operating system (type Windows Defender Firewall with advanced security in the case of Windows 10).
The firewall must be indicated as active (green tick) on all connection profiles.
Check The Open Input Ports And Make Sure That No Server Components Are Running
When using other people’s WiFi connections, do not expose any ports to the local network. Anyone connected to the wireless network can scan the devices connected to the LAN and determine which services are listening.
The change described in point 1) prevents the operating system from exposing the default ports used on the local network. However, third-party software with server functionality may also be listening on the private IP address assigned to the device. Even if the system does not respond to PING, an attacker using a utility such as Nmap can still identify the server software that is listening.
The advice is to type cmd in the Windows search box then press the key combination CTRL+SHIFT+ENTER to open the command prompt with administrator rights.
By typing netstat -ab and checking what appears in the first column in square brackets, you can check the open ports. We suggest checking what appears next to the LISTENING entries.
You can also type netstat -ab | findstr /c:"LISTENING" to extract the list of open ports.
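The check described above, as an added example (not code from the original article): a Python function that parses netstat -ab output and keeps only the TCP listeners bound to a non-loopback address, since a service listening only on 127.0.0.1 or ::1 cannot be reached by other devices on the WiFi network. The sample output and the executable names in it are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `netstat -ab` output (not captured from a real machine;
# the executable names are made up for illustration).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING
 [remote_helper.exe]
  TCP    192.168.43.27:8080     0.0.0.0:0              LISTENING
 [devserver.exe]
  TCP    192.168.43.27:50122    203.0.113.10:443       ESTABLISHED
 [browser.exe]
  TCP    [::]:445               [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::1]:5432             [::]:0                 LISTENING
 [dbserver.exe]
"""

CONN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def exposed_listeners(netstat_ab_text):
    """Return (address, port, owner) for TCP listeners reachable from the LAN."""
    found, pending = [], None  # pending: listener still waiting for its [owner] line
    for line in netstat_ab_text.splitlines():
        conn = CONN.match(line)
        if conn:
            # Brackets wrap IPv6 addresses; a %zone suffix is dropped before parsing.
            ip = ipaddress.ip_address(conn.group(1).strip("[]").split("%")[0])
            pending = None
            # Loopback listeners (127.0.0.0/8, ::1) cannot be reached over WiFi.
            if conn.group(3) == "LISTENING" and not ip.is_loopback:
                pending = [str(ip), int(conn.group(2)), "unknown"]
                found.append(pending)
            continue
        owner = OWNER.match(line)
        if owner and pending is not None:
            pending[2] = owner.group(1)
            pending = None
    return [tuple(entry) for entry in found]

if __name__ == "__main__":
    for address, port, owner in exposed_listeners(SAMPLE):
        print(f"{address}:{port} is reachable from the network, owned by {owner}")
```

Listeners reported as "unknown" are the ones for which netstat could not obtain ownership information; UDP endpoints are not covered because they never show the LISTENING state.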
From Any Device, Make Sure You Always Connect To HTTPS Websites
Information transmitted via HTTP can be intercepted and read in the clear by anyone connected to the same public or unprotected WiFi network using sniffer software.
Especially if you are logged in with your credentials to any website, it is essential to check that the message Secure is shown to the left of the URL in the browser's address bar (see Safe site on Chrome and Firefox, what it means).
When the word Secure appears, it means that you are connected to a website that uses the HTTPS protocol and presents a valid digital certificate that has not expired and was issued by a known and approved certification authority.
By exchanging data via HTTPS, the information sent and received cannot in any way be read by third parties.
From Any Device, Be Sure To Send And Receive Electronic Mail Using The TLS Protocol
The data exchanged using the web browser is not the only data that any device can send and receive over the network.
When using a public or unsecured WiFi network, you should never use services and applications that do not encrypt data at all.
E-mail messages often contain confidential data and information that must not fall into the hands of others.
If you are using mail clients installed on your PC or mobile device, it is therefore essential to ensure that the accounts they manage use the TLS protocol (see Email: SSL, TLS and STARTTLS. Differences and why to use them).
To ascertain this, simply start the email client and go to the settings of your email account.
To receive mail (incoming mail server), the IMAP protocol uses port 143 while the old POP3 uses port 110. If the client is configured to access the mail server using one of these two ports, it means that the TLS protocol is not in use.
Similarly, to send emails without any form of encryption, the SMTP protocol uses port 25 by default: if the email client is configured to use this port, the transmitted email messages could be read by anyone connected to the same WiFi network.
In this case, the advice is to switch to an email account that supports the TLS protocol (see Create an email address: which service to choose).
If this is not possible at the moment, before connecting to public or unsecured WiFi the advice is to close the mail client, making sure that none of its components remain running (for example, one that checks the mailbox in the background), and to use the provider’s webmail to send and receive messages, provided, of course, that the service is offered over HTTPS.
Activate Two-factor Authentication On Your Accounts
If you travel a lot and often find yourself using public or unprotected WiFi networks, you should activate two-factor authentication on all important user accounts.
In this way, to access the account you will no longer only need a username and password, but you will need to confirm the operation from time to time using another device in your possession (such as your smartphone).
Google calls two-factor authentication two-step verification (see Google two-step verification: only 10% of users use it).
Whatever Client Device You Use, Connect To A Remote VPN Server
To ensure that the information sent and received over the network by your devices cannot be intercepted by third parties, the ideal is to establish a connection with a reliable VPN server.
On your PC or mobile devices it is therefore advisable to install a VPN client that sets up an encrypted tunnel to a remote VPN server: all data in transit, from any application installed on your devices, will be encrypted and made incomprehensible to anyone trying to sniff the WiFi network.
In the article Secure VPN Services: how to prevent real public IP from being blurred we have seen how to select the operators that offer reliable VPNs.
ProtonVPN is excellent and is also available in a free version (see ProtonVPN: how to surf anonymously and ProtonVPN conquers one million users and launches the version for iOS); other options are AzireVPN (free VPN: what it is and how it works WireGuard with AzireVPN) and ExpressVPN (VPN connection: how it helps to access content otherwise not usable).
For professionals and the most experienced users, we suggest setting up a VPN server in the company, at home or in the office, to which you can connect remotely when needed:
- VPN server, how to create it using a NAS;
- Make your VPN more secure on Synology NAS servers;
- VPN connection in Windows with OpenVPN.
Simply install an OpenVPN client with the parameters of your VPN server on your PC or mobile device and, once the remote connection is established, you will also have the possibility to securely access the shared resources within your LAN.
Learn more about choosing the best VPN services to safely use wireless networks in our article VPN, what it is and how to choose the best ones.
Set Up The DNS Server To Use On Your Device
If you are unlucky enough to be connected to a WiFi network that uses a dangerous DNS server or, even worse, one modified by a malicious person to return fake IP addresses and mount particularly effective phishing campaigns (a user can be made to believe they are on Google, Facebook, Microsoft services or the home page of their online banking service when this is not true), then by letting the WiFi router dynamically supply the DNS server to be used, the operating system, browser and applications in use will blindly rely on that DNS server to resolve all domain names.
Following the instructions in the article Changing DNS to Windows, Linux, macOS and Android, we suggest manually setting up a DNS server (for example Google’s 8.8.8.8 and 8.8.4.4) instead of accepting the one set on the WiFi router.
Make Sure You Always Connect To The Right WiFi
Creating a WiFi hotspot is very easy: anyone can do it with any device (including tablets and smartphones).
An attacker physically located nearby can create a WiFi access point with the same SSID as another network (an evil twin) in order to mislead users. It is therefore good to be aware of this possibility (see Stealing the WiFi password: beware of evil twins) and always activate data encryption as explained in the previous points.
It is therefore good to pay the utmost attention to the WiFi devices to which you connect making sure that they are the legitimate ones.