Security is a hot topic for all of us these days - whether we're simply protecting our individual email accounts, or working to protect an entire organization, or even a nation, from cyber threats. It's such a critical issue that those at the very top - the industry and government figureheads who make the big decisions that affect us all - regularly meet to discuss it at conferences, powerfully demonstrating that they're on top of the big issues.
But it seems that a few of those who attended Sweden's leading security conference, 'Folk och Försvar' ('People and Defense'), could do with a refresher course in good security practice, as activists from the youth wing of the country's Pirate Party recently demonstrated.
As Falkvinge & Co reports, these young campaigners set up an open Wi-Fi access point at the security conference, calling it 'Open Guest'... and then they waited. As it turns out, around a hundred conference attendees - which included cabinet ministers, and many staunch advocates for increased and more intense digital surveillance on citizens - stumbled right into the trap.
The activists, Elin Andersson and Gustav Nipe, were able to inspect the metadata passing through the Wi-Fi hotspot and see the activity of each connection made. They explain:
Analysis of the traffic metadata enables us to draw conclusions about which individuals were using our network. Visiting high-volume websites like the Aftonbladet tabloid won’t say much about the user in question, but when this is followed by connections to “mail.agencyX.se” and surfing on pages about a particular small city, the roster of possible candidates is dramatically reduced.
If you're able to identify an individual from their web usage, that opens up a lot of possibilities, with obvious security implications for the person in question - and the potential for plenty of embarrassment too.
In their findings, Andersson and Nipe also pointed out that many of those at the security conference used the open and unencrypted hotspot to access their government email:
On several occasions, we logged connections to mail servers of governmental agencies. Using an open, unencrypted network to read governmental correspondence is not good. For example, we saw connections to the mail server for the Swedish Civil Contingencies Agency (“Myndigheten för Samhällsskydd och Beredskap, MSB”). The agency’s mission is to develop society’s ability to prevent and deal with serious accidents and contingencies. We consider it problematic that their personnel is nowhere near sufficiently trained in information security.
So it seems that many of those who are tasked with confronting the big security issues of our time - and who make the decisions that will impact upon our lives - are just as incompetent when it comes to simple security precautions as many feared.
While that may not come as a great surprise to some, the activists' efforts highlight the need to take greater care of one's own online security. The promise of 'free Wi-Fi' may be enticing - but the risks of connecting to open and unencrypted access points, and having your web activity monitored by whoever runs them, mean that there may be a hidden price to pay later.