We have seen that passwords can be guessed, especially if they are too simple or reused. But there are other ways to obtain them, including what are called “man-in-the-middle attacks”.
As its name suggests, a man-in-the-middle attack involves someone intercepting traffic as it passes between two parties. For example, if you are connected to an office network from a hotel room, using the hotel’s supplied network connection, there is no way of knowing how secure their network infrastructure is. The hotel’s network might have been hacked, with someone constantly monitoring traffic, or a hotel employee might be watching what goes in and out. In either case, the information passing between the user and their office server could be scrutinized for passwords, credit card numbers, and other valuable information.
The problem also exists with public Wi-Fi hotspots, but it is even worse. Wi-Fi is simply radio waves; anyone with basic computer equipment and free software can “sniff” the Wi-Fi signals within range. Although public Wi-Fi in a coffee shop or similar location is convenient, it suffers from this broadcast problem.
Things are better than they used to be, and much more internet traffic is encrypted so that eavesdropping may only disclose unreadable data. But there is still a lot of information transmitted in plain text on the Internet, and if that includes passwords or other valuable data, it is easy to steal and use it.
One defence against this type of theft is a virtual private network, or VPN. VPNs use sophisticated encryption technology to conceal data. A user can configure a device or install software so that it creates a secure tunnel between it and a target system, such as a remote office network. Think of the tunnel as a pipe that data travels through, with the pipe constructed from essentially unbreakable encryption. Even if there is a person in the middle, they can only see that information is flowing; it looks like random data, and there is nothing the eavesdropper can glean from it.
Many systems have VPN capability built in, and once enabled, it is simple to use. Any Windows, macOS or Linux machine, for instance, can access a VPN which has been set up on the remote side. Mobile operating systems like iOS and Android also support VPNs, so there are few places where one cannot be used. And it should always be used when utilizing a public network like a coffee shop or hotel, to eliminate man-in-the-middle attacks.
There are also third-party VPNs, some free and some paid. Besides data protection, VPNs are popular with those who want to geo-relocate. Wherever the VPN’s exit point is located, it looks as if the user is based there. This is useful when accessing geo-locked content for services like Netflix.
A free VPN might be sufficient for something like geo-relocation but be careful when relying on a third-party VPN to secure important data. Free services may not have appropriate protection or might be gathering customer data for resale to support themselves. A paid third-party service, many of which are relatively inexpensive, may be a better solution.
While a VPN is a necessary part of security layers when using outside networks, it does not provide full security by itself. For example, a VPN is not a firewall. If the user visits a sketchy site or clicks on a compromised link, a VPN will not protect them. The bad information will travel down the tunnel, encrypted or not. Look at VPNs as part of required defensive layering, not a total security solution.
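The tunnel described above, and the caveat that it carries bad content as faithfully as good, as an added Go example that is not part of the original article: Tunnel is a toy stand-in for a VPN (AES-256-GCM under a shared key that is simply constructed here, whereas a real VPN negotiates it), LoginRequest is a constructed sample of a login sent in the clear, and EavesdropperSeesPassword is the passive observer on the hotel network.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample: a login sent in the clear, as captured by a passive observer on hotel Wi-Fi.
var LoginRequest = []byte("POST /login HTTP/1.1\r\nHost: intranet.example\r\n\r\nuser=alice&password=hunter2")
// Tunnel is a toy stand-in for a VPN tunnel: each packet is sealed with AES-256-GCM
// under a key both ends share (a real VPN also negotiates that key; this demo just constructs it).
type Tunnel struct{ aead cipher.AEAD }

// NewTunnel builds the tunnel; key must be 32 bytes for AES-256.
func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead}, nil
}

// Seal encrypts one packet; a fresh random nonce is prepended so the far end can open it.
func (t *Tunnel) Seal(packet []byte) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, t.aead.Seal(nil, nonce, packet, nil)...), nil
}

// Open decrypts and authenticates one packet; anything altered in transit is rejected.
func (t *Tunnel) Open(wire []byte) ([]byte, error) {
	n := t.aead.NonceSize()
	if len(wire) < n {
		return nil, fmt.Errorf("packet too short: %d bytes", len(wire))
	}
	return t.aead.Open(nil, wire[:n], wire[n:], nil)
}

// EavesdropperSeesPassword models the observer: a byte search for a credential field, no key, no decryption.
func EavesdropperSeesPassword(captured []byte) bool {
	return bytes.Contains(captured, []byte("password="))
}
```

The observer finds the password in LoginRequest but not in the sealed packet, while Open hands the far end exactly what was sent, malicious or not, which is the firewall caveat in code.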
Optional Videos: For more information about VPNs, watch the two-part Bite-Sized CPD videos. Part 1 highlights some of the advantages of VPNs, and Part 2 discusses commercial VPN services and ways of implementing your own VPN.
VPN’s Part 1 [6:43 minutes]
VPN’s Part 2 [7:38 minutes]