This episode transcript has been edited for context and clarity. This week, we’re talking about why you should never use free wifi.
Tim: Hey, nerds! You have established a digital connection to the Team Nerd Tech Show. Tim Gillen here, Terrapin Networks, in Traverse City, Michigan. Thanks for joining us.
You are listening to Episode 23, and we will be talking for the next 30 minutes about tech stuff, tech tips, tech news, tech gizmos… all focused on small companies because that’s what we do here at Terrapin Networks, that’s what I do, and that’s what you do. That’s why you’re listening. So thanks for joining us.
I’m going to flip it over right here to our weekly cohost. Ruthy Kirwan. Ruthy, what have you got for us?
Tech News: Updates on SCADA privacy risks
Ruthy: Hey Tim!
So the first thing I wanted to talk about this week is part of our normal Tech News segment.
It’s a little update on the power grid attacks that we talked about back in episode 18, about hackers attacking power grids and how freaking scary that is.
There’s a new cybersecurity report about how hackers have been targeting the grids, and what the exploration has been on the government’s end to stop this from actually happening.
Tim, talk to us about these power grids and why they’re so scary and what could be happening.
Tim: Yes, of course. In episode 18, we talked about SCADA connections. SCADA is the system engineers use to talk to the machinery in power stations. Instead of needing 7 or 8 people to sit in an office and work the controls, a SCADA system helps those engineers automate the process of monitoring public works utilities like water towers and power grids, things like that.
The thing is, many of these systems were built back in the day, when early computer connectivity was first coming into play. By design, SCADA is a very open communication, meaning it’s very easy to connect to these systems.
Now, engineers can connect to them and make this work, but this lowers the security factor, so it’s easy to connect to. As time has gone on, that easy connectivity is easily exploited.
Ruthy: We’re going to be sharing an article on the website, about how a group of hackers have been targeting the US power grid over the past several months. Thankfully, they’ve been unable to trigger any outages.
There is a cybersecurity firm called Dragos, who have been tracking the hacker group, known as Xenotime, or the Triton actor. They’ve been tracking them and making sure they don’t attack anything in the United States. And they haven’t, but they have actually infiltrated a power grid in Saudi Arabia and injected that grid with malware.
Ruthy: It sounds scary.
Tim: Yeah it is scary. And it’s ramped up a lot in focus on the government side, both at the state level and federal level of the cybersecurity teams for the Department of Defense for the state department.
Part of the problem with these, with so much of this, of the SCADA connectivity, is it’s a very low level of government. You have townships that run small cities that run water treatment plants. They don’t have the resources to prevent the attacks, in many cases. They have to go upstream to a state level or federal level to actually get anything done, and it sometimes is pretty difficult.
So there’s some outside firms that are doing this, and of course there’s some risk in that because that will go out to the lowest bidder.
It’s, it’s tricky, but SCADA has gotten a lot of attention because we know the vulnerability. One of the things that is the danger is not that some hacker group goes in and shuts off the power grid, but that they could plant a piece of software somewhere in the system.
Once that software is embedded, they can activate it whenever they want. And that piece of software can be hard to detect. That becomes the challenge. And that’s what firms like Dragos and the cybersecurity teams in, for example, our Michigan state police, work to safeguard against.
Ruthy: That was something that Governor Snyder brought in, wasn’t it?
Tim: Yes, Governor Snyder really got that going. His tech background had a lot to do with that, and he put quite a bit of money behind it.
Tech Tip: Setting Up Processes for Onboarding and Offboarding Employees
Ruthy: This concept really brings me into Tech Tip, which is the next segment of our show.
In Tech Tip, I like to talk about everyday solutions that small businesses can use for setting up their networks and data security, as well as business processes. This week, I want to talk about how you can best onboard new employees so that your data stays secure and safe all the way through. It’s about setting up a process that keeps a security throughline, that starts before you hire somebody and goes straight through to when they move on from your company.
Tim: This is a good topic, and it’s one that gets brought up a lot to me as I work with small companies. This is, of course, the nature of having a staff, of having a team, and needing to hire, fire, and employ with or without internal human resources. Because people will come and go, and you need a system to bring them in and then to safely see them out.
Ruthy: I think especially in today’s economy where we have a lot of gig economy employees, it’s even more important to be secure during onboarding and offboarding.
Tim: I think one of the real key things is that you need to control that as the business owner, your tech team, you have to put stuff in place to safeguard your company.
If you don’t understand that, that’s fine, but you need to hire people who do.
Ruthy: Ok, so tell me all of the things that you want to make sure that you have in an onboarding process. So an email would be one. What else?
Tim: Well, an email would be one. And then whatever, whatever access they have to your company data.
And there’s going to be two main things that show up when someone is on any internal network. You’re going to have some kind of internal network with internal documents that staff may or may not need access to, but that has to be very clearly defined. And your network has to be set up so much that you can bring in a new person and just add them to a group that you’ve already created, which gives them access to these folders on the network.
These documents on the network, it’s just kind of a done deal. If they’re doing this kind of work, they get this kind of access. It’s all baked in. Mary Beth comes in, we add her. She leaves, John comes in behind Mary Beth, we add John in.
Another place this sort of need comes up is email. People sometimes don’t want to either pay for or set up a separate email account for that user, especially if they’re a contractor. But frankly, my advice just about every time is: you should. You want them to have an email address at your company domain, so it’s important you make that for them.
You can set this up with Office 365, Google GSuite, or any number of cloud-based platforms you run your email through your domain, so they have a “firstname.lastname@example.org” email address.
This is you as the business owner, saying, “this is my corporate data, it’s up to me to protect it.” An employee leaves, you don’t know where they’re going to go.
These are not matters of trust. These are matters of good company practices.
The main thing is you have to maintain complete control. Keep in mind all corporate email belongs to the company. Never to the employee, whether they’re contractor or whatever it belongs. If your company is Acme Widgets and you make anvils that you sell to roadrunners and coyotes, then email@example.com or whatever email you set up for Jane, that belongs to Acme Widgets. Not Jane.
So it all becomes systems. In our business, we have checklists that we use. It’s a very standard checklist, and whenever one of our customers brings on a new employee, we have a list of about eight things that we go through to both onboard the new employee as well as, if necessary, offboard someone who may be leaving. Now, not every checklist item may apply in every circumstance. It may depend on the systems that company has. But it’s a starting off point and a way to say, each time, “this is done, this is done”, etc.
Some things you may want to have on your onboarding and offboarding employee checklist, adapted to your company needs:
- Name of new employee
- Their department
- Job Title
- Are they replacing someone?
- Do they have the same rights the last person had?
- Is there anything different about the role this new person has?
You also need to be aware of the parameters of your cloud based services, and making sure you’ve revoked access to past employees. Say a law firm uses LexisNexis and they pay for accounts for that. You need to make sure the past employee is scrubbed from the service, because you don’t want to be paying for someone to access when you don’t need them to be.
Tech Gadget: Stop Using That Free Wifi in the Airport!
Ruthy: Let’s get into our topic for Tech Gadget this week. Right now it’s July, there are a lot of people traveling and using free wifi, USB charging ports, that sort of thing.
So if you were an employee of a small business and traveling and using the free wifi at a coffee shop or an airport or wherever, you might be in danger of having your data compromised. What would you tell a small business owner about their employees conducting business while utilizing a free wifi service, like at a hotel?
Tim: Let’s start with the very first thing: Do not allow any of your employees to ever use free wifi.
Ruthy: I have here an article we’re going to link on our website, that says, not only should you not use free wifi, you shouldn’t be using those free USB charging stations, either. Because that can also suck up your personal data.
Tim: Anything that’s free. Well, one thing you can use that’s free, I’m still okay with, is an electrical outlet at the airport.
Ruthy: All right, well that’s good to know, but you know those little USB ports that are handy to just plug in chargers. You should avoid that, right? Why not use them?
Tim: Well, keep in mind that your USB connection also transfers data by design. Here’s what that means: People can pop the lid on one of those things at three in the morning when no one’s around in that part of the waiting room and plug in something behind it that will now inject software into your phone when you plug it to the charging dock.
So any, any public USB, don’t use it. Well, there is a solution: pay for a VPN.
Ruthy: Ok, so tell me about a VPN. How do I get it onto my phone to protect my wifi? And explain what it is, exactly, too.
Tim: There are a few VPN companies out there that come to mind immediately, one is called IP Vanish. Another is ExpressVPN. You can head over to cnet.com and see their list of VPNs and what the various breakdowns are.
Most VPN services will run you about $100 a year. When you run that VPN, now, let’s talk about a laptop on a free wifi at a Starbucks. Or, say, you’re downtown, using free wifi the city has set up. Although I don’t know why anybody uses free wifi downtowns anymore, since everyone has a data plan on their phones. It seems a silly thing to do.
Ruthy: You know, I’m traveling right now, and I don’t have the strongest service downtown. So I actually could use the free wifi, since my data plan while traveling doesn’t always give me a strong signal.
Tim: Well, I guess that’s the answer for why a city may want to have it, but I’m just not in favor of cities necessarily doing that because it’s a very dubious benefit.
For a very small number of people who actually use the free wifi, it costs a lot of money to actually keep running. And because these things need constant care and maintenance and then you have their security issues, there’s a number of reasons why I happened to be in the group that thinks free wifi, especially in a downtown, is kind of silly. But besides that, a lot of restaurants, bars, stuff will have open wifi.
And honestly, that’s fine to use. Usually, as long as you have a VPN, you can use the free wifi. And conversely, if you don’t have a VPN, do not use it.
You are connecting in a completely open manner. It’s like, if you’re a man or a woman with a backpack or a purse, and you just leave it sitting wide open on a bar top while you go to the bathroom. You just don’t want to do it.
So my solution for that is, buy IPVanish, ExpressVPN, whichever service you choose. Pay your $80, $90 bucks a year. And what that means is their little piece of software will run in the background of your computer or phone.
You tell it to run when you want it to, you select it and start it running. It will now use the wireless connection to establish a VPN, which stands for Virtual Private Network and establishes what we call a tunnel.
This tunnel, so to speak, connects onto the wifi with a garbled up code all around, and your good data runs through the middle of that. So from the outside it’s a bunch of garbage, but your good data runs in the middle of this safe tunnel and connects to the internet.
You have that all baked in where the VPN will run continuously in the background. It maintains your connection, and you set that up so that it won’t allow any other connections on your wifi.
Because your wifi might be fine on your laptop when you’re in your office using the secure connection, there’s secure wireless in your office. That’s fine. You might even go to a trusted vendor and they have a secure wireless. That’s fine. We set up wireless for our customers all the time, and we’ll set up a private and a guest network, and that’s what they use both for their employees and then their guests who don’t need full access to their network.
Ruthy: Yep, I’ve seen that before. A lot of times when you go into a restaurant or something, you’re logging into their guest network for free, and they also have a private one that’s just for, say, the internal files in the office or for the POS systems (point of sale) to access on a private network.
Tim: Yep. And so the way we’ll set up a private or a secure that actually connects into the company network, then people who are staff members can use that.
That’s fine if you’re a guest. But also we use that for regular companies that aren’t a bar or restaurant. They might have people come in and use their conference room for presentations. They may have vendors who come in regularly who need to log into their vendors sites to conduct business. I don’t mind them using my network.
So I suppose it is okay to log on to someone else’s free wifi, if you know the business and you trust it, like it’s still going to need a password.
But if I’m in a trusted company and I’m a trusted vendor, that’s not really free wifi at the airport or free wifi at Starbucks. Which is by design set up for anybody.
Ruthy: Going back to another episode, I think this was last week, episode 22, when we talked about rural areas needing better wifi. We talked about how libraries are having a hard time because people are pulling into the parking lot after hours and using their wifi that way.
Tim: Couple of years ago, I was at a church where I’d been asked to do some consulting. Someone there had set up an open wifi because they wanted the kids to be able to use it down in the youth group. But again, had no schedule or set-up of any kind. And I said, you know, “These kids who all know the simple passwords you put on it can drive up here at 11 o’clock at night and use this wifi for any number of things in the parking lot. The wifi is very strong on the parking lot.”
They said, “We probably don’t want that.” Nobody had even thought of it.
Ruthy: Yeah. I wouldn’t have, I wouldn’t have thought of it.
Tim: Right? It’s a common thing not to think of. When we set these things up, we also throttle the public connection.
Ruthy: Ok, talk to me about that because I’ve noticed myself having issues with that in the past.
Tim: Because people will just use public wifi to download movies or run torrent movies where you’re pirating movies off the internet.
Using the free wifi at the library to do that means you’re choking everyone else’s bandwidth. So one of the things that we try to do with the public wifi that we’re giving people is this very effective wifi. As long as you’re just using it for web browsing and checking email or whatever, it’s great, but it’s lousy for downloading movies.
I don’t want to worry about what movies you’re downloading. I don’t want three people choking it with a bunch of things that they’re trying to download because there’s a finite amount of data you can download over a certain amount of time. You’re connecting to the internet with a pipe that’s only so big.
And so we throttle down the public and it also discourages people from saying, “Hey, there’s a free wifi, I get to do whatever I want on it”, because, no, you can’t do whatever you want on it. It’s there for a very particular reason. It discourages all that kind of use and it doesn’t cause any trouble for the people who actually have to use it.
So someone says to me, let’s just give a hypothetical, “Well, the kids in youth group are complaining, they don’t have enough bandwidth.” And I would say, because I’m a jerk about this, “They don’t have enough bandwidth for what?” And they’ll say, “Well, I really don’t know.” Well, like, we have to know. We shouldn’t change it because they might want it for stuff we don’t want to give it to them for.
I mean, I know they’re nice kids. But… they’re kids. I remember what I was like then. I remember what you were like. You know, Ruth and I kind of know each other [laughter] We’ve known each other a long time, because I’m her Dad.
But the same thing applies, for example, with what might be happening at the library with people coming in at night. And using that at 2 in the morning in the airport and being a creeper at the airport and sitting there while they’ve gotten a plane ticket and they’d gotten through security and one of the things that they’ll do, is get there very early on purpose so that they can sit there and sniff people using the open wifi.
Ruthy: And on planes, too.
Tim: And sitting on planes, too, you bet. And so, you think, “Well, geez, I just got this email that I forgot to pay this bill. I better go online and just pay this real quick, real fast. I’ll be on and off.” It doesn’t matter how fast you’re going because they’re on there just hoovering up everything.
I’m going to say it again: always, always, always conduct yourself with technology like there’s some knucklehead who’s looking over your shoulder. And if you think of it that way, you’ll start to build habits that are good habits.
USB connections, by the way, are a real entry point still. If I’m a bad guy and I want to get onto a company network, the simplest thing I can do is put some invisible software into the network. It can be in hidden folders, where you can’t find it easily.
Or, say, take half a dozen USB keys, jump drives, whatever you call them. And on a nice dry day, just scatter them around a parking lot.
Ruthy: You’ve talked about this before and it chilled me to the bone because then some unsuspecting Good Samaritan takes that USB key, plugs it in to be like, Oh, let me get this back to their owner.
Tim: Yeah, you know, you’re a nice person. Because my first thought wasn’t Good Samaritan. My first thought was somebody thinking, Sweet, I got a free USB here. And so the other way, it’s not just scatter them around the parking lot. Another way you can do it is just go up to the receptionist, the gatekeeper of the office, and say, “Oh, is Mr. Smith here?”
And while the receptionist is dealing with you and telling you there’s no access, you just kind of quietly, like any good con man, lay that USB key on the counter next to the plants. You don’t even need to shove it in to anything, because again, the software is on there. You let the software do the work for you.
Just leave it there. Somebody will plug it into something. People can’t help it. So moral of the story is never plug in a random USB. Never.
There’s this one article that we’ll have a link to that referred to using random USB connections as basically finding a toothbrush by the side of the road and thinking, “Wow, this looks good, huh? I’ll just use this one.”
Tim: It’s a very creepy way of describing it, but I think it was pretty good. That’s how you want to think of it. I would never. Now, I might do it with a sandbox computer that’s not attached to anything that I can use to test files and that kind of thing.
Ruthy: It’s called a ‘sandbox’?
Tim: A sandbox, yeah. It’s completely set aside, not on the network, not on the internet, or if it is on the internet, it’s in its own little place that can’t go anywhere except the internet but it can’t affect anything that I care about.
Ruthy: So you use it as a testing ground.
Tim: Exactly. We refer to that as a sandbox.
Ruthy: I have never even heard of the term.
Tim: A lot of people have computers in this way, that’s not uncommon. And we also use things as proxy. We use things called honeypots, which is a server that everything actually goes through coming and going, to kind of do a secondary vetting, if you will, of the data.
But so USB chargers, USB cables, this article talks about this, you walk up, sit down, you need to charge your iPhone. “Hey, not only is there a USB charger here, somebody left their iPhone cable connected to it. Awesome.”
Ruthy: Like they forgot it?
Tim: Not even that they spaced it out. You really think nice things about people. I think most people are like, “Awesome, some doofus left their cable there.”
Ruthy: I just always think, “Oh, there’s so much good in the world!” And then you come along and you’re like, NO.
Tim: Yeah, it’s some creeper who left it there, hoping that you’ll plug it into your phone because you don’t want to reach in and grab your own cord.
You don’t want to mess with it, right? So airports thought they were doing people a favor putting these USB keys in the charging ports. And all of us techies thought right away, “I’m not plugging into that. It’s not a benefit to me. I don’t even want it there.”
Ruthy: I thought that this would be kind of like an uplifting sort of episode, but here we go.
Tim: There are more ways to protect yourself. People will say to me all the time, if there’s one thing I hear: “I just wish I knew some of the risks.” And that phrase is true: We don’t know what we don’t know.
Now. Sometimes you think, Oh, that’s just terrible. Why are people like that? People are like that. People have always been like that. There’s these Cain and Abel guys, it kind of goes way back. So the main thing is, just, know little things that you can pick up. It’s no big deal.
Ruthy: It’s what you always say: you want security over convenience. So it might be convenient to plug into that USB, but it’s just not secure.
Ruthy: Well, Tim, thank you very much for chatting with me this week about all the ills and thrills of the technology world!
If you want to listen to this episode or any past episodes, we list them all out at teamnerdtechshow.com. If you’ve got any questions that you wanted to ask myself or Tim that we could answer in an upcoming show, send us an email: firstname.lastname@example.org or leave us a voicemail. Our phone number here is (231) 668-9175 and we also have all of our episodes at Google music, Apple Podcasts, Stitcher, anywhere else that you get your podcasts.
Tim, I will catch up with you next week. Sound good?
Tim: Thank you!
Ruthy: All right, bye bye!