InfoSec and Communal Spaces: Are they compatible and how should you protect yourself?
Let's face it, films have made hacking look cool, but the reality is far from it. I've dreamed of sitting in the corner and Hacking the Gibson as much as the next person, but it's far from something I'm capable of, and really I just want to set the sprinklers off over John next time he thinks it's OK to microwave fish (fuck you John).
Jokes about being able to put a giant cookie monster on people's screens aside, information security in communal spaces is a growing concern for many: freelancers and businesses alike.
This article is intended as a place to get started and is written mostly in layman's terms. It's always worth getting the advice of an IT professional, whether you work in your own private space or a communal one.
And no, that guy at the end of the table with the Guy Fawkes mask frantically typing away isn't hacking you, he's just on 4chan. For some reason.
Physical security always seems like the most obvious thing. If you've travelled anywhere in the last 18 years you will have been bombarded with messages about not leaving things unattended (bags, luggage, items, packages, small children etc.), you lock your door every day and all your bags have some kind of zip or clip. Physical security is a huge part of our lives from a very young age. One of the reasons it is so easy to overlook is that very obviousness: repetitive actions become unconscious actions and you carry them out without thinking.
Communal spaces are great because they often come with something that shares the word's root: community. The person next to you will no doubt cast a watchful eye over your belongings while you've nipped off to grab your 4th coffee of the day, but is this always the best idea? It doesn't take long to lock the screen, close your laptop, slip it in your bag and take it with you. Even if you lose your spot, isn't the point of hot desking being able to move around?
Leaving your phone on the table is something we're all guilty of, especially if you have both a work phone and a personal phone. I often pick up my personal phone and leave my work phone right next to my laptop. It's a bad habit I share with many, and it's not limited to workspaces, but with our lives now so focused on our phones it's one that could be a huge problem if the wrong person is around when you do it.
Information security in these situations is one thing, but security (at least for me) doesn't just mean someone else doing something malicious with your belongings. It also means being able to go about your day as normal. The more vigilant you are, the less likely you are to leave your keys on the self-service machine in Sainsbury's or your phone on a sink in the loo. Losing your phone or wallet might not be the end of your business, but it's incredibly annoying when you're stood at the barrier of the nearest train station with no way to get home, or trying to get on the bus with no card and no cash. This happens more often than you'd think: in a previous job I had two clients bin their wallets in the space of a week, and it had happened a few times before that.
Someone physically getting at your or your clients' data in the brief moments you've left your phone on the table is unlikely, unless the phone is stolen outright. Despite what people like to believe, NFC works at a range of about 10 cm or less, so no one is reading your card details from across the room. But if you have a fixed desk in a coworking space, do you leave your computer there every day? Did you check for any mysterious USB devices plugged in this morning? Physical access to a device is the easiest way to get information out of it, and plugging in something as inconspicuous as a USB stick is one way to get that access. Bear in mind that something which looks like a flash drive can just as easily announce itself to the computer as a keyboard and start typing, which is one more reason to lock the screen every time you step away, and to treat anything you don't recognise hanging off your machine as suspect rather than "probably the cleaner's".
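If you do leave a machine on a fixed desk, the "did anything appear overnight?" check can be scripted rather than eyeballed. The script below is an added example for this article, not code from the original post: it takes a listing of USB devices in the format printed by `lsusb` on Linux and diffs it against a baseline saved on a day you trusted the desk. Both listings here are constructed, and the "1234:abcd" flash disk is a made-up device. Bus and device numbers change every time something is re-plugged, so devices are compared by vendor:product ID and description, not by where they sit on the bus.

```python
"""Diff today's USB devices against a baseline from a day you trusted the desk.

Added example for this article, not code from the original post. It works on
the one-line-per-device output of `lsusb` on Linux; the two listings below are
constructed, and the "1234:abcd" flash disk is a made-up device.
"""
import re
import subprocess
from collections import Counter

LSUSB_LINE = re.compile(r"^Bus \d+ Device \d+: ID ([0-9a-f]{4}:[0-9a-f]{4})\s*(.*)$")

# Constructed baseline, taken on a day the desk was known to be clean.
BASELINE = """Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
"""

# Constructed "this morning": the receiver has been re-plugged (new device
# number, same device) and something new has appeared.
TODAY = """Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 001 Device 007: ID 1234:abcd Generic Flash Disk
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
"""


def parse_lsusb(text):
    """Count devices by (vendor:product, description); two identical sticks count twice."""
    devices = Counter()
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            devices[(m.group(1), m.group(2).strip())] += 1
    return devices


def diff_devices(baseline_text, today_text):
    """Return (added, removed) lists of (id, description), with repeats preserved."""
    before, now = parse_lsusb(baseline_text), parse_lsusb(today_text)
    added = sorted((now - before).elements())
    removed = sorted((before - now).elements())
    return added, removed


def snapshot():
    """Current lsusb output, or None if lsusb isn't available on this machine."""
    try:
        return subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    added, removed = diff_devices(BASELINE, TODAY)
    for dev in added:
        print("NEW since baseline:", *dev)
    for dev in removed:
        print("MISSING since baseline:", *dev)
```

In real use you would save `snapshot()` to a file on the good day and feed the file and a fresh `snapshot()` to `diff_devices`. The point of diffing everything rather than looking for "storage" devices is that a keystroke-injecting gadget shows up as a keyboard, not a disk; anything new is worth a look.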
Wi-Fi and Internet Connections
One of the great triumphs of the modern age is Wi-Fi. Wi-Fi is everywhere and almost everything connects to it. You can sit in a coworking space, a coffee shop, a train station or even on the street and send a message from London to Sydney or Bangladesh to Mexico.
But are you even connected to the network you think you are?
IT is harder to get a handle on if you're a freelancer rather than working for a big company. After all, you don't have a dedicated tech team and a bunch of people to roll their eyes at you when you raise a ticket because you forgot your password was case-sensitive (sorry IT team!), and really, who has the time? You've got six client projects on the go, and they don't care if John who always microwaves fish for his lunch (fuck you John) once saw your password.
In the not too distant past I was talking to someone who told me about some security testing they had done on their Wi-Fi network. Their access point was named something along the lines of "Coworking Wi-Fi 1" (the SSID, for those in the know), just like when you tether your phone you might have "AndroidAP" or, if you're vain and cool like me, "BryceFi". They had their "IT guy" (definitely not his official title) sit in their communal space. Within an hour he not only had staff passwords, but member passwords and business data. All he had to do was set up his own access point with the same SSID and the same password he'd been given for the communal Wi-Fi, and soon people were connecting to his network rather than the communal one. That's all it takes because a laptop or phone that remembers a network will happily join any access point broadcasting that name with the same security settings, and it usually picks whichever signal is strongest. Later on, just for effect, he unplugged the actual AP so his network was the only one available; most people just reconnected to the network they thought was the same, because the name was the same. No one complained, because they were able to reconnect immediately, and no one had any idea any of it had happened. This is usually called an "evil twin", and it needs nothing more exotic than a laptop or a cheap travel router.
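You can't tell two access points apart by name, but you can by their hardware address (the BSSID), and a scan will show you when one name is being broadcast by more than one radio. The script below is an added example for this article, not code from the original post or the IT guy's tooling. It assumes scan output in the colon-separated form that `nmcli -t -f SSID,BSSID,SIGNAL,SECURITY dev wifi` prints on Linux; the sample scan is constructed and every SSID and BSSID in it is made up, as is the "pinned" list of known-good BSSIDs.

```python
"""Spot a possible rogue ("evil twin") access point in a Wi-Fi scan.

Added example for this article, not code from the original post. It assumes
scan output in the colon-separated form produced by
`nmcli -t -f SSID,BSSID,SIGNAL,SECURITY dev wifi` on Linux; the sample scan
below is constructed, and every SSID and BSSID in it is made up.
"""
from collections import defaultdict

# Constructed sample: two radios are both calling themselves "Coworking Wi-Fi 1",
# and the second one is louder. nmcli escapes the colons inside a BSSID as "\:".
SAMPLE_SCAN = r"""Coworking Wi-Fi 1:AA\:BB\:CC\:11\:22\:33:72:WPA2
Coworking Wi-Fi 1:DE\:AD\:BE\:EF\:00\:01:91:WPA2
Coffee Guest:AA\:BB\:CC\:11\:22\:44:40:
BryceFi:02\:11\:22\:33\:44\:55:80:WPA2
"""

# BSSIDs we have pinned for the house network (assumption: copied from the
# router label, or noted on a day we were sure we were on the real one).
KNOWN_APS = {"Coworking Wi-Fi 1": {"AA:BB:CC:11:22:33"}}


def parse_scan(text):
    """Return a list of (ssid, bssid, signal, security) from nmcli terse output."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Hide the escaped colons, split on the real separators, then restore them.
        parts = line.replace(r"\:", "\0").split(":")
        ssid, bssid, signal, security = (p.replace("\0", ":") for p in parts[:4])
        rows.append((ssid, bssid.upper(), int(signal), security))
    return rows


def strongest(rows, ssid):
    """The BSSID a client remembering `ssid` would most likely join: the loudest one."""
    candidates = [(signal, bssid) for s, bssid, signal, _ in rows if s == ssid]
    return max(candidates)[1] if candidates else None


def find_suspects(rows, known=KNOWN_APS):
    """Flag pinned SSIDs seen from an unpinned BSSID, and unpinned SSIDs seen twice."""
    by_ssid = defaultdict(list)
    for ssid, bssid, signal, security in rows:
        by_ssid[ssid].append((bssid, signal, security))
    findings = []
    for ssid, aps in by_ssid.items():
        pinned = known.get(ssid)
        if pinned is not None:
            for bssid, signal, security in aps:
                if bssid not in pinned:
                    findings.append(
                        f"{ssid!r}: unpinned BSSID {bssid} (signal {signal}, "
                        f"{security or 'open'})")
        elif len(aps) > 1:
            # Several radios per SSID is normal for a multi-AP office, so this is
            # only a prompt to go and pin the real ones.
            findings.append(f"{ssid!r}: seen from {len(aps)} BSSIDs, none pinned")
    return findings


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    print("client would join:", strongest(scan, "Coworking Wi-Fi 1"))
    for finding in find_suspects(scan):
        print("WARNING:", finding)
```

Pinning matters because a big office legitimately has several access points all broadcasting the same SSID, so "one name, two radios" on its own is only a hint. The `strongest` helper is there to make the uncomfortable point: with both radios up, the louder (rogue) one is the one your laptop would pick.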
To keep their members safe, many providers will give you a unique username and password to use on their Wi-Fi. This is a great way to make sure only those who should be on the network are connected. If it's done properly (your device asks for the username and password as it joins, rather than on a web page afterwards), it can also defeat the fake access point above, but only if your device is set to check the network's certificate when it connects; a device that accepts any certificate will hand its login exchange to the evil twin just as happily. Alongside this, one of the most accessible ways to keep yourself safe on shared Wi-Fi is a VPN: even if you're not tech savvy, setting one up on most modern devices is trivial, and signing up to a service is as straightforward as signing up for Amazon Prime (or, if you're more technically minded, set up your own). Bear in mind that a VPN moves your trust from the coworking space's network to the VPN provider, so pick one you'd be happy to have watching your traffic. A quick search will lead you to a few articles comparing services, so you don't have to do too much research.
We'd also recommend making sure your firewall is active (most devices have one built in these days), keeping an up-to-date antivirus, especially if you are downloading files, and making sure that each website you visit is using HTTPS. Most browsers show this with a symbol such as a padlock to the left of the website's address. HTTPS matters most on shared Wi-Fi, because it's what stops whoever runs the network (or a fake copy of it) from reading what you send, so a password typed into an HTTPS page doesn't cross the evil twin in the clear, even though the name of the site you're talking to is still visible to them. The padlock only tells you the connection is encrypted to whichever site you're on; it says nothing about whether that site is the one you meant to visit.
Social Engineering
Social engineering is getting someone to do or tell you something, usually by tricking them.
So you've been getting on with Callum, who's usually sat in the corner on a Tuesday. Turns out he's pretty interesting for an accountant (sorry, accountants...). You've had a beer, gotten deep, told him your deeply embarrassing first pet's name, exchanged a few memes over email, and then come Monday you can't get into your email: your password has been changed. But how!? How did anyone know my secret answer was "Chew Barker"?
So it turns out Callum was more shady than interesting. Your Amazon account was hooked up to your card, he's sat somewhere enjoying his bulk order of Freddos and you're out £50.
You never think you'd be the person to give away all your details, but it's pretty easy, especially if you've spent a reasonable amount of time with someone. If you want a great example of how easy it is, check out this Jimmy Kimmel video.
It's hard to implement best practices against social engineering beyond paying attention to what you're saying and what you're doing. One concrete thing you can do, though, is stop giving true answers to security questions: the answer to "first pet's name" doesn't have to be your first pet's name, it can be a random string kept in your password manager, and then no amount of pub chat gives it away. Turning on two-factor authentication for your email and for anything with a card attached also means a stolen password or security answer isn't enough on its own.
As for what you're doing, phishing is probably the most frustrating "human element" information security issue. Phishing emails are sent by the thousand every day to all sorts of people, from small business owners to multinational CEOs. We've all had them, but for some reason people are still clicking on them.
There's a slightly older article that says 70% of credentials are collected within the first hour of a phishing campaign, which means that as soon as you've clicked on something in that dodgy email and typed anything in, someone could already be using it.
If you receive an email you're unsure of, always click on the sender's name to reveal the actual address it was sent from; the display name can say anything, so it's the address after it that counts. Bear in mind the address can be forged too, so if the email asks for a password, a payment or a change of bank details, confirm it with the person over a channel you already have, such as a phone call. A great way to check links is to hover your mouse pointer over them (press and hold on a phone): the browser or mail client will show the address they really point to, usually in the "status" bar at the bottom, and the text of the link and the place it goes to don't have to match. If the link isn't to something you're discussing, or to their own website, just don't click it. It's not worth it.
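Those three checks (who really sent it, where the links really go, and whether the link text agrees with the link target) can be done in code as well as by hovering. The script below is an added example for this article, not code from the original post. It parses a constructed sample email whose domains are placeholders under example.com and example.net, and the list of "expected" domains for the sender is an assumption you would fill in for your own contacts.

```python
"""Check a suspicious email the way the article suggests, but in code.

Added example for this article, not from the original post. It checks that the
sender's real address (not just the display name) belongs to a domain you expect,
that the visible text of each link matches where the link really points, and that
every link goes to a domain you expect. The message below is constructed; the
domains in it are placeholders under example.com and example.net.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the display name says "Accounts", the address says otherwise,
# and the first link shows one address while pointing at another.
RAW_EMAIL = b"""From: Accounts at Coworking <billing@example.net>
To: you@example.com
Subject: Invoice overdue
Content-Type: text/html; charset=utf-8

<p>Please pay now: <a href="http://example.net/login">https://coworking.example.com/pay</a></p>
<p>Our site: <a href="https://coworking.example.com/">coworking.example.com</a></p>
"""

# Domains this sender would legitimately mail from and link to (an assumption).
EXPECTED_DOMAINS = {"coworking.example.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case host part of a URL; a bare 'host/path' is treated as http://host/path."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def shown_host(text):
    """Host from the link's visible text, if that text itself looks like a URL or hostname."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return ""
    return host_of(text)


def check_email(raw, expected=EXPECTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing odd was seen."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if sender_domain not in expected:
        findings.append(f"sender is {addr} (shown as {name!r}), not one of {sorted(expected)}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target, shown = host_of(href), shown_host(text)
        if shown and shown != target:
            findings.append(f"link text shows {shown} but it points to {target}")
        if target not in expected:
            findings.append(f"link goes to unexpected domain {target}: {href}")
    return findings


if __name__ == "__main__":
    for finding in check_email(RAW_EMAIL) or ["nothing odd found"]:
        print(finding)
```

On the sample message this produces three findings: the sender's address isn't one you expect, the first link's text and target disagree, and that link goes somewhere unexpected. The second check is the one that catches the classic trick of writing a real-looking address as the visible text of a link that goes elsewhere, which is exactly what hovering over the link shows you by hand.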