Being safe on hostile WiFi/mobile networks

But first… clarifying the risk

  • threat actors — who would be interested in you and your data, and what is their ‘capability’ (tools; personnel volume and talent-base; money; time etc)
  • probability — for simplicity, let’s call this the motivation of the threat actor(s) combined with a view on how successful their attempts may be if they tried
  • consequence — what could actually happen if the threat actor was successful in getting access to your IT

What are we defending?

  • social media
  • contacts
  • emails
  • documents/files
  • login information to other stuff
  • the IT you use to do all of the above
  • access to any of the above stuff/people through something else

Limiting scope of consequence

On with it then!

Temporary equipment

Virtual Private Network (VPN)

NextDNS (encrypted DNS)

New temporary SIM card

Sacrifice your data allowance

New temporary email address / cloud account

Known chargers / USB data blocker

Messaging apps

Photos/videos via Dropbox.com

Account passwords / multi-factor authentication (MFA)

Biometrics v Passphrases

Pre-warming friends/team

Technical nitty gritty

  • Set up Face ID and/or Touch ID with a very strong alphanumeric passphrase (remember, you still need to remember it and be able to type it, but you won’t do it that often)
  • Signed in using my temporary iCloud
  • Added my temporary Google account (just for mail)
  • Set PIN codes on SIM cards
  • Turned off:
  1. Siri
  2. Bluetooth
  3. Control Centre on Lock Screen
  4. Spotlight Siri Suggestions
  5. Handoff
  6. Suggested apps
  7. Voice dial
  8. Everything under ‘Allow Access When Locked’
  9. Everything under ‘iCloud’ except Find My iPhone
  10. iCloud Backups (doesn’t maintain end-to-end encryption for iMessages etc)
  11. Mail/Messages previews
  12. Send as SMS fallback
  13. JavaScript in Safari
  14. Automatic downloads (inc updates) in iTunes & App Stores
  15. Chat backups in WhatsApp
  • Turned on:
  1. Wipe after 10 failed passcode entries
  2. Always-on VPN (via ExpressVPN app)
  3. Encrypted DNS (via NextDNS app)

Ignore/reject any and all updates

Physical device security

Near but unattended

Out and about

Hotel safe

User experience — the bad

  • iPhones and iPads aren’t cheap (!)
  • It took some time to set up — largely because of new devices
  • I didn’t have access to Facebook
  • Separation anxiety from my emails
  • I did wonder who ignored my pre-warming and out of office and was trying to reach me
  • Changing passwords (even with a password manager to help)
  • I had very little idea what my Estonian number was (+372 blank blank blank something 2…?) so every time someone I met asked me I had to look it up
  • Waiting x seconds for the VPN to re-connect
  • Effort/time in decommissioning

User experience — the good

  • I didn’t have access to Facebook (!)
  • I took a slightly odd pleasure in not having my emails (don’t know ~= can’t work)
  • I actually focused on where I was and who I was with
  • My photos/videos mean more to me
  • Technical security turned into a hands-on practical exercise (I have my own regime under normal circumstances but otherwise day to day I spend my time offering advice rather than doing things)
  • It sort of felt cool?

Coming back home

Contacts

Decommissioning

What I found on the devices.

Account trashing / re-sanitisation

A quick outro

The thin blue line between technology and everything else. joelgsamuel.com

Joel Samuel