Video 39: WARNING: Your Information is at Risk! Protecting insurance data on wifi networks.
The VPN service I use is Black VPN (get two months free with referral code WWXFCQW). They provide very good instructions on how to set up the VPN once you’ve subscribed to the service.
Hi, it’s Aaron Kassover from AgentMethods talking about insurance websites, and I feel like before I go into today’s talk, I should just do a quick apology if we got Rebecca Black’s song stuck in your head; I know I was just sort of singing it, The Friday Song, over and over again, and also just clear the record that I do not own any Justin Bieber albums and I’m not really a fan of the whole teenage pop star, even though I did say some nice things about his talent yesterday. It doesn’t mean that I’m a subscriber to the wonders of Justin Bieber overall. So just clear the air there.
Now, I also want to maybe see if I can make up for yesterday by doing a bit of a public service announcement and talk about data security, and really specifically data security on wireless networks. If you’re like me, especially if you work from a home office or if you travel a lot, you probably end up kind of walking into a Starbucks to check your email or go into a local coffee shop just to get out of the house and do some work there, maybe it’s an airport Wi-Fi network. And so I want to let you know some risks that you are facing by using these Wi-Fi networks. Basically, if a Wi-Fi network does not require you to enter in a password, what that means is traffic that’s sent between your computer and the wireless access point – I drew a little diagram here. You can imagine this is your computer and this is the wireless access point, which is how you get connected to the internet. Anything that goes between these two points, if it’s unsecure, is just broadcast out totally in the clear.
And what that means is that when information goes out from a Wi-Fi access point, it doesn’t just go to your computer, it just sends it out to every computer in the network, and then your computer looks at this information, looks at these packets of data, and decides “is this for me or not?” And if it’s not, they forget it. And if it’s for you, they grab it. And so what that means is that somebody else can be sitting on the network and they’re getting all the traffic that is getting sent to your computer, and this is anything that is being sent. It could be everything from your email to web pages that you’re doing, files you’re browsing, passwords to your FTP server, passwords to your email services, really, you name it. If it’s being transmitted between you and your computer, somebody else can grab it. So be aware of that. I’ve seen people that have been able to just sort of grab a copy of every email that was sent and received from a computer, and the server information, and the user name, and the password. It’s a great way for spammers, hackers to go out and just get data.
Now, there are some things you can do to protect yourself, and you probably do this at home where you have to enter in a password to get onto a wireless network. And the old standard is something called WEP, it’s the wireless encryption protocol. I’ll just tell you right now, WEP is bad, WEP is not secure, don’t even bother using WEP. It’s easy to hack, there’s free software that you can download that will just get you into WEP networks. The newer standard is WPA, it’s the wireless password authentication, or WPA2, which is even better, and this actually encrypts traffic between your computer and the wireless access point so that data that goes back and forth gets secured so that only you and the access point can see it.
Now, there is a loophole in WPA, which is that you all have the same shared password. It’s the password you use to get on your wireless network. And if somebody else has this password, when a new computer comes on, there’s what’s called a handshake that happens where they send the password back and then the wireless network sends back a token and so then they create their encrypted tunnel. And somebody else on the network that knows the password to the overall network can, while this new computer is authenticating, they can get your token, and then they can get access to your computer. So while it’s more secure, it’s good for home networks. If you’re using it in a public network, in a coffee shop or somewhere else, somebody can still get access to all of your data that’s being sent back and forth. So know that about WPA. It’s good for your home network; it’s not going to cover you out in the world at large.
The second thing is SSL, and you’ve probably seen SSL. This is an encryption between your browser and the web server. And SSL is actually pretty good encryption. Banks use it; probably most of the carriers use it for online applications. You’re going to see SSL a lot of places, and so SSL is a great way to protect you. Make sure that you’re on HTTPS and you see the little secured lock in your browser. Now, there is a catch to SSL, which is that a lot of sites like Facebook and Gmail, some bank sites, will set a cookie on your browser, which is just a little identifier, and they can use that in place of logging in. So if you just have the right cookie – and what happens here is often if you type in Facebook.com, for example, you go to Facebook’s unsecure page. And Facebook will say, “Hey, are you authenticated? Give me your cookie.” And that cookie will get sent to the unsecured page before you get redirected to the secured page. So SSL is good, but this remaining logged in, this cookie that can go back and forth, can actually put you at risk. And what can happen is somebody in the network can just simply browse/watch for these cookies to be passed forward, and they can actually just grab a copy of that cookie and then they can go to Facebook or Gmail or anywhere else and just get access to your control.
Now, it sounds pretty technical; it’s actually not. It’s actually really easy to do, and to demonstrate this, about two or three months ago, some people released a plug-in for Firefox called Firesheep, which you can just add to your Firefox browser, and then you can fire it up and sit there on a public Wi-Fi network and over a couple minutes, you’ll start to see – you’re going to gain access to people’s Hotmail accounts, people’s Gmail accounts, people’s Facebook accounts, and you can literally, on the toolbar, click on their name and instantly login as them. It’s scary how easy Firesheep makes it to hack into people’s secured and personal information through Wi-Fi networks, including when the authentication happens through SSL. So know about that.
So this is all pretty scary. Now, there is a way to protect yourself, there is a way that you can make sure that nothing you do can be caught by anyone else on the wireless network, and that’s called the VPN, which is virtual private network. And the way that the VPN works is that there’s a server out on the internet somewhere, it’s your VPN server, and when you open up a VPN connection, it creates a secured pipeline where every piece of data is encrypted using a shared key that you have set up previously between your computer – I will draw it in red – your computer and the VPN server, there’s this tunnel that goes through the internet, through the Wi-Fi network, all the way to a VPN server. And then from there, you access the internet. And so everything along the way, while they can get your packets, they’re all encrypted and they look just like gibberish. And so by using a VPN, you’re pretty much guaranteeing that nobody between your computer and the VPN server that you’re connected to can get access to your cookies, to your email passwords, to your information, to your customers’ information, anything else on a wireless network.
VPN is sort of industrial-grade security. It takes a little bit to set up, but if you’re on a Wi-Fi network, if you do this very often, and if you are accessing your email, if you’re accessing your server, if you are doing any kind of online applications, your customer data, definitely anything secure like health information or social security numbers or any financial data, make sure you’re using this VPN setup. And I use a service called Black VPN, and I think it costs $8 a month, and they run the servers, they give me all the information, they provide pretty good support for setting up and managing my VPN. I found that whenever I’ve had a question or an issue, they respond pretty quickly. I’ll post a link to Black VPN in the comments so that you can set this up if you’d like. I highly recommend doing it if you’re going out – if you’re doing any kind of secure information on a public Wi-Fi network, set up a VPN.
So this is my public service announcement today. It’s a little bit technical, but if you’re going out, if you’re doing this in a Wi-Fi network, if you’re accessing data, you’ve got to do it, you got to make sure that you’re secure, and make sure you’re protected and make sure customers are protected. It’s really important.
That’s what I’ve got today. If you have any questions about this, just send me a message or post a comment, and I’ll see if I can help you out. I will have more and more specific to insurance websites tomorrow. Thank you very much for watching.
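
The cookie exposure described in the SSL part of the talk can also be checked from the site owner's side. The following is an added example, not part of the original video or transcript: it audits a site's response headers for login cookies that would travel over plain HTTP and for a missing HSTS header. The header sets are constructed samples and the function name is hypothetical.

```python
from http.cookies import SimpleCookie

# Constructed sample response headers (not captured from any real site).
SAMPLE_RESPONSES = {
    "weak": [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ],
    "hardened": [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ],
}


def audit_headers(headers):
    """Return a list of findings for one response's (name, value) headers."""
    findings = []
    names = {name.lower() for name, _ in headers}

    # Without HSTS the browser may make its first request over plain HTTP,
    # which is the moment the talk describes the cookie leaking.
    if "strict-transport-security" not in names:
        findings.append("no HSTS header: first request may use plain HTTP")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            # A cookie without the Secure attribute is attached to
            # http:// requests as well as https:// ones.
            if not morsel["secure"]:
                findings.append(
                    f"cookie '{cookie_name}' lacks Secure: sent over plain HTTP"
                )
    return findings


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, audit_headers(headers) or "no findings")
```
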