NSA Headquarters at Night (Trevor Paglen)

WASHINGTON: The National Security Agency today released a set of best practices for using public networks, including Wi-Fi, Bluetooth, and Near Field Communications. The guidance is specifically aimed at those who work with national security, Defense Department, and defense industrial base data, devices, and systems, but the advice can be adopted by any sensible user.

NSA’s guidance, Securing Wireless Devices in Public Settings, highlights some of the many security threats associated with using public networks, noting, “The risk is not merely theoretical; these malicious techniques are publicly known and in use.”

Indeed, most of the threats covered in the guidance have been known to the cybersecurity community for years, if not decades. But they could be unknown to many, and the information is therefore worth sharing.

The guidance also outlines steps users can take to protect themselves, but adds, “While these best practices cannot ensure data and devices are fully protected, they do provide protective measures users can employ to improve their cybersecurity and reduce their risks.”

The guidance comes as the US economy reopens to business travel and telework appears to be part of the new normal for many employees. Remote workers sometimes use public networks while in hotels, airports, or other nodes along travel routes, exposing themselves to myriad threats.

The reasons foreign governments would try to hack defense officials are obvious. And while the Pentagon itself is fairly secure, government employees and defense contractors can expose sensitive data or have their devices compromised while using public networks. When those compromised devices are later connected to the network at a DoD installation, they can introduce vulnerabilities if specific security safeguards are not in place.

Defense contractors, especially small- and medium-sized companies, are in many ways the soft underbelly of the defense industrial base. They often lack the security training and technology that big primes have and are regularly pursued by nation-state threat actors, who see them as a direct target for cyberespionage as well as a potential avenue into prime contractor networks through connected systems. The latter tactic is a type of supply chain attack, illustrated by the 2013 breach of Target Corp.

The threat extends to contractors while traveling or working remotely because of prevalent cyber vulnerabilities found in contractors’ software, email, and remote access tech, cybersecurity firm BlueVoyant found in its 2021 Defense Industry Supply Chain & Security study.

Among the public network threats NSA highlights are:

  • Malicious access points: Also called “evil twins,” these rogue access points appear to be for legitimate networks, but are in fact inherently compromised and controlled by threat actors.
  • Network eavesdropping: Depending on several factors, threat actors on the same network can often view traffic such as email, text messages, and account login credentials — especially if this data is not properly encrypted.
  • Man-in-the-Middle Attacks: Threat actors who are on the same network and have the right capabilities can intercept communications in transit to read, manipulate, or alter them.
  • Redirect web traffic: Threat actors with the capabilities can manipulate public network traffic to point users to malicious websites, called watering holes, which often host malware. Watering holes are often designed to automatically inject malware via an embedded script while the website loads, without any user interaction required — a tactic known as drive-by downloads. (Drive-by downloads can be mitigated by using free browser extensions such as NoScript, which automatically blocks all web scripts by default while allowing users to granularly view and “whitelist” scripts per individual website.)
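As an added illustration (not part of the NSA guidance or this article), the following script shows a defender-side check for the evil-twin pattern in the first bullet: it parses a constructed Wi-Fi scan listing and reports SSIDs that are advertised both encrypted and open, or by radios from different hardware vendors. The scan format and all addresses are made up for the example.

```python
from collections import defaultdict

# Constructed sample scan output (not real venues or hardware):
# one line per visible access point: SSID, BSSID, security type, signal (dBm).
SCAN = """\
Airport_Free_WiFi  a4:11:62:10:20:01  WPA2  -48
Airport_Free_WiFi  a4:11:62:10:20:02  WPA2  -55
Airport_Free_WiFi  00:c0:ca:9e:7b:13  OPEN  -41
HotelGuest         3c:37:86:5d:01:aa  WPA2  -60
CoffeeShop         f4:f2:6d:22:33:44  OPEN  -52
"""

def parse_scan(text):
    """Parse whitespace-separated scan lines into dicts; skip blank or malformed lines."""
    aps = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ssid, bssid, sec, rssi = parts
        aps.append({"ssid": ssid, "bssid": bssid.lower(),
                    "sec": sec.upper(), "rssi": int(rssi)})
    return aps

def evil_twin_candidates(aps):
    """Return {ssid: [reasons]} for SSIDs that may be spoofed.

    Strong signal: the same SSID is advertised both encrypted and OPEN.
    Weak signal: the same SSID is served by radios from more than one vendor
    (OUI = first three bytes of the BSSID). Large venues legitimately run many
    APs on one SSID, so BSSID count alone is deliberately NOT a signal.
    """
    by_ssid = defaultdict(list)
    for ap in aps:
        by_ssid[ap["ssid"]].append(ap)
    findings = {}
    for ssid, group in by_ssid.items():
        reasons = []
        secs = {ap["sec"] for ap in group}
        if "OPEN" in secs and len(secs) > 1:
            reasons.append("open copy of an encrypted network")
        ouis = {ap["bssid"][:8] for ap in group}
        if len(ouis) > 1:
            reasons.append("APs from %d different vendors" % len(ouis))
        if reasons:
            findings[ssid] = reasons
    return findings

if __name__ == "__main__":
    for ssid, reasons in evil_twin_candidates(parse_scan(SCAN)).items():
        print(f"{ssid}: {'; '.join(reasons)}")
```

A real scan would come from the OS wireless tool; a flagged SSID is a reason to avoid the network or use a trusted cellular connection instead, not proof of an attack.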

NSA also highlights the threats associated with using Bluetooth and Near Field Communications tech.

To protect users, data, and devices from these and other threats, the NSA offers several recommendations, including (but not limited to):

  • Browse securely — Ensure browsers are fully patched and access only those websites that encrypt traffic. Websites that encrypt traffic have URLs (i.e., web addresses) that begin with HTTPS (which stands for Secure Hypertext Transfer Protocol) and show a lock to the left of the URL text field in browsers. There are free browser add-ons, such as HTTPS Everywhere, which force web connections to use encrypted HTTPS when it’s an option made available by websites.
  • Use a Virtual Private Network — VPNs create an encrypted tunnel for network traffic. Users should ensure VPN software is fully patched. Note that, for technical reasons, VPNs may not fully protect users if the threat actor is on the same public network and has certain capabilities.

Homeland Security’s cyber lead, the Cybersecurity and Infrastructure Security Agency, earlier this week noted that remote work tech such as VPNs was among the most exploited during 2020. Indeed, Pulse Connect Secure VPNs, which are used by 24 federal agencies, were targeted in a campaign earlier this year.

While workers may not always be able to avoid using public networks when traveling or working remotely, it remains prudent to avoid certain activities, such as accessing highly sensitive work or personal (e.g., banking) accounts, while using public networks. The threats are too severe, the vulnerabilities too numerous, and the risk too high in the vast majority of cases to justify highly sensitive activities while on public networks. It’s best to limit such activities to private, secure, trusted networks.