Stay Secure On Public Wi-Fi When Traveling

The summer travel season is upon us, and that means many people will connect to public Wi-Fi hotspots at airports, hotels, cafes, restaurants, bus stops and more. Unfortunately, public networks have become honeypots for hackers who use them to infiltrate connected devices.

A compromised network can allow a hacker to intercept, read and modify the internet traffic that passes through it. They can then leverage this for a number of purposes, ranging from stealing passwords to downloading malware onto victims’ phones and laptops.

Be Cautious on Public Wi-Fi

Open Wi-Fi hotspots are difficult to secure because anyone can connect to them without any sort of authentication. This gives cybercriminals two avenues of attack:

  • Hack an existing Wi-Fi network. The hacker gains access to a router that broadcasts an open network. If the router was not properly secured, it likely has some holes in its security that could allow someone to access the router firmware console. Many router owners never change the default username and password used to access the console administrator’s account. From the console, the hacker can take complete control of the network.
  • Create a fake Wi-Fi network. In this case, the hacker creates a Wi-Fi hotspot from their smartphone or other device and gives it a deceiving name, such as “Starbucks Wi-Fi.” Any unsuspecting person who believes they are connecting to internet provided by Starbucks actually sends all of their data straight to the bad guy.

Even if a Wi-Fi network requires a password that you must obtain from staff on premises, it doesn’t mean the network is secure. A hacker could just as easily obtain the password to join the network or create a fake Wi-Fi hotspot with an identical name and password. Nearly two of every five Wi-Fi hotspots in the U.S. are inadequately secured. Essentially, the only network you should trust is one you set up yourself.

How to Protect Yourself

Now that you know the threat that public networks can pose, you can take steps to protect yourself.

Always Check for HTTPS

Website URLs that contain “https://” at the beginning, often accompanied by a green padlock, encrypt all the data sent back and forth between a web browser and the website. They use SSL encryption to scramble the contents of your data before it leaves your device, making it impossible for a hacker on the Wi-Fi network to decipher.

Use a Virtual Private Network (VPN)

A VPN is a service that encrypts all of a device’s internet traffic and routes it through an intermediary server in a location of the user’s choosing. A VPN grants numerous benefits to users and is particularly useful to people who have to use public Wi-Fi while traveling for work or fun.

The encryption part of a VPN is similar to what you get when you visit an HTTPS site. Anyone who happens to intercept internet traffic between the smartphone or laptop and the VPN server won’t be able to decipher its contents, including Wi-Fi hackers.

Nor can a hacker determine where that traffic is headed; they can only see encrypted data headed to a VPN server, but not the actual website.

Both of these perks are applied to all websites and applications on the VPN-connected device. VPNs that include DNS leak protection should also guard against DNS spoofing attacks.

VPNs come in many shapes and sizes, but the most reputable are paid subscription services. Each provider typically makes its own apps for smartphones and computers, which you can download and install upon signing up. Once that’s done, just pick a location and connect. After the connection is established you can use the internet as you normally would.

Finally, know that mobile data connections are generally more secure than public Wi-Fi. If you have a smartphone with working data where you travel, use that to take care of any sensitive online tasks. If you need to use a laptop, you can turn on your phone’s mobile Wi-Fi hotspot to create a more secure connection to the internet. Just make sure to secure it with a strong password!

HTTPS websites are also verified by a certificate authority. When your browser sees this certificate, it assures the user that they are communicating with the real website and not an imposter, such as a phishing site.

Most websites use HTTPS these days, but not all. Sometimes websites have both HTTPS and non-HTTPS versions available.

HTTPS websites encrypt the contents of internet traffic sent to and from a site, but they don’t conceal the address of the website itself, so a hacker could still see what websites you access.

China Hacked a New England Navy Contractor and Stole Highly Sensitive Data

Hackers working for the Chinese government compromised a US Navy contractor and stole a massive cache of highly sensitive data, including details about a planned supersonic anti-ship missile, American officials said Friday.

The hack, reported by the Washington Post, took place in January and February and resulted in more than 614 gigabytes of data being stolen. The contractor that was breached was not disclosed but reportedly worked with the Naval Undersea Warfare Center, a research and development group that works on submarines and underwater weapons.

Of particular interest in the treasure trove of stolen documents, all of which government officials said were unclassified, were details about a project known as Sea Dragon. First proposed in 2012, the Post said Sea Dragon is part of a Pentagon initiative to adapt existing US military technologies for new applications. The Defense Department described Sea Dragon as a weapon with “disruptive offensive capability” that will integrate “an existing weapon system with an existing Navy platform.”

While public details regarding the project are few and far between, the Pentagon has reportedly requested or used more than $300 million for the Sea Dragon project since 2015. Underwater testing is planned to start this September.

Plans for a supersonic anti-ship missile were also stolen (it’s not clear if those plans are the same as or related to the Sea Dragon project). The missile was intended to be introduced for use on US submarines by 2020.

The stolen files also contained the following:

Signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library.

The breach highlights the ongoing trouble the federal government has had not just defending against breaches but also getting contractors to stop playing fast and loose with sensitive data.

Multiple Security Cameras from Chinese Firm Foscam Can Be Easily Hacked

The Chinese firm Foscam has released firmware updates to address three vulnerabilities in multiple models of IP-based cameras that could be exploited to take control of vulnerable cameras exposed online.

“One of the vendors for which we found vulnerable devices was Foscam, when our team discovered a critical chain of vulnerabilities in Foscam security cameras. Combining the discovered vulnerabilities, if an adversary successfully obtains the address of the camera, he can gain root access to the affected cameras remotely (over LAN or the internet),” reads the analysis published by VDOO.

The attack scenario described by VDOO on a network-accessible camera is as follows:

  • Step 1: An adversary must first obtain the camera’s IP address or DNS name. It can be achieved in several ways, including:
    • If the camera and the network are configured by the user such that the camera has direct interface to the internet, its address might be revealed by some internet scanners.
    • If the adversary gained unauthorized (remote or local) access to a network to which the camera is connected, he might be able to find the local address of the camera.
    • If dynamic DNS is enabled by the user, the adversary might find a way to resolve the device name.
       
  • Step 2: The adversary then uses CVE-2018-6830, an arbitrary file deletion vulnerability, to delete certain critical files that will result in authentication bypass when the webService process reloads.
     
  • Step 3: The adversary crashes the webService process by exploiting CVE-2018-6832, a stack-based buffer overflow vulnerability in the webService process. After it crashes, the webService process is automatically restarted by the watchdog daemon, and during the process reload, the changes from step 2 take effect. The adversary is now able to gain administrative credentials.
     
  • Step 4: The adversary executes root commands by exploiting CVE-2018-6831. This is a shell command injection vulnerability that requires administrator credentials. Since the adversary gained administrator credentials in the previous stage, he can now use this vulnerability to execute commands as the root user for privilege escalation. Full details appear in the Technical Deep Dive below.

 

In June 2017, experts at F-Secure discovered tens of vulnerabilities in tens of thousands of Internet-connected cameras from China-based manufacturer Foscam, but at the time the Chinese firm ignored the report from the security firm.

The experts published a long list of affected Foscam device models and firmware versions; users are urged to update the firmware as soon as possible.

Facebook Bug May Have Made 14 Million Users’ Posts Public

The latest Facebook privacy blunder is a bug that changed settings on some accounts, automatically suggesting that their updates be posted publicly, even though users had previously set their updates as “private”.

On Thursday, Facebook asked 14 million users to review posts made between 18 May and 22 May: that’s when the bug was changing account settings. Not all of the 14 million users affected by the bug necessarily had their information mistakenly shared publicly, but it is best to check.

Facebook Chief Privacy Officer Erin Egan said in a post that as of Thursday, the company had started letting those 14 million people know about the situation. She stressed that the bug didn’t affect anything people had posted before that time, and even then, they could still have chosen their audience like they always have.

Normally, the audience selector is supposed to be sticky: every time you share something, you get to choose who sees it, and the suggestion is supposed to be based on who you shared stuff with the last time you posted. Friends only? Fine, that’s what should be automatically suggested for the next post, and the one after that, until you change it… or a weird little glitch like this pops up.

Egan said that the bug popped up as Facebook was building a new way to share featured items on profiles, like a photo for example. Featured items are automatically set to “public,” so the suggested audience for all new posts – not just these items – was also set to public, she said.

The glitch is now fixed. Facebook also changed the sharing audience back to what affected people had been using before. Facebook’s letting people know, and asking them to double-check the fix, “out of an abundance of caution,” Egan said.

You’ll know if you’re one of the 14 million if, when you log in, you see a notification that leads to a page with more information, including a review of posts during the 18-22 May period.

When people post to Facebook, the service suggests a default distribution for their posts based on past privacy settings. If someone made all posts "friends only" in the past, it will set their next post to "friends only" as well. People can still manually change the privacy level of the posts — anywhere from "public" to "only me" — and this was the case while the bug was active as well.

Let Gmail Finish Your Sentences

The Smart Compose feature of Google’s recent Gmail update does not exactly write your full message for you. The program uses machine learning techniques to evaluate what you are writing — and then suggests what to type next based on that analysis. Gmail’s text suggestions appear in slightly lighter gray type at the end of the sentence you are writing. If you choose to accept the computer-generated words, tap the Tab key to add the material and move on to the next sentence.

Once you enable it in the settings, Gmail's new Smart Compose feature can finish your sentences for you as you type.

In theory, the Smart Compose tool can speed up your message composition and cut down on typographical errors. While “machine learning” means the software (and not a human) is scanning your work-in-progress to get information for the predictive text function, you are sharing information with Google when you use its products.

If you have already updated to the new version of Gmail, you can try out Smart Compose by going to the General tab in Settings and turning on the check box next to “Enable Experimental Access.” Next, click Save Changes at the bottom of the Settings screen.

When you return to the General tab of the Gmail settings, scroll down to the newly arrived Smart Compose section and confirm that “Writing suggestions on” is enabled. If you do not care for Google’s assistance after sampling the feature, you can return to the settings and click “Writing suggestions off” to disable Smart Compose.

The new feature is available only for English composition at the moment, and a disclaimer from Google warns: “Smart Compose is not designed to provide answers and may not always predict factually correct information.” Google also warns that experimental tools like Smart Compose are still under development and that the company may change or remove the features at any time.