September 01, 2018

Product Watch

Two Possible Cures for Your Wi-Fi Insecurity

Daniel J. Siegel

Everyone has heard that the free Wi-Fi at Starbucks is not secure and is a haven for hackers. Starbucks isn’t alone. Every unsecured Wi-Fi network poses risks, as do Wi-Fi networks with easy-to-hack passwords, perhaps even your home or office network. Once a hacker is inside your device, he or she can see pretty much everything on it, including confidential client data, user names, passwords and account numbers. And once the hacker is inside your network, he or she may access other computers on your network, “brute force” the router password or mount some other type of attack.

There are easy ways, however, to protect your devices from Starbucks-type hackers, as well as methods of determining how secure your network is. In this column I discuss two such products. The first is Norton WiFi Privacy, an app that automatically switches your Android or iOS-based mobile device to a secure virtual private network (VPN) whenever you connect to an unsecured network. A VPN is an encrypted connection, carried over a public network, that allows users to send and receive data as if their devices were connected directly to a private network. The second product is Elcomsoft Wireless Security Auditor, which runs different attacks—that is, hacking attempts—to determine whether your network is vulnerable to hackers.

Each program can help prevent attacks and protect against the release of confidential information and other sensitive data.

Using Norton WiFi Privacy

I have used Norton WiFi Privacy on my smartphones and tablets for about one year—and wouldn’t leave home without it. After installing the app, you specify what region (country) you are in or you let the program determine your location. Then, whenever you connect to an unsecured network, it automatically connects to a VPN, at times in a different region, with the goal of ensuring you do not notice any loss of internet speed or connectivity and that your connection feels as if you were at home. You can also configure the program to notify you when you are connected to an unsecured hotspot and make the decision each time whether to connect to Norton’s VPN. I don’t recommend this latter setting because of how seamless the automatic connection is and because it’s easy to forget to connect.

When you are connected to the VPN, the app uses bank-grade encryption, making it extremely difficult for hackers to access your device. Because hackers look for easy targets, they will likely ignore your encrypted device and look for easier prey to steal from. The program also can block ad trackers that keep track of your internet activity.

If you discover that the program doesn’t always connect or doesn’t stay connected, check your device’s settings. On my Android phone, for example, I had to change the VPN settings to Always-on VPN. Once I did this, the program worked flawlessly.

Norton WiFi Privacy is sold on a monthly or annual basis, and you can purchase a subscription for one, five or 10 devices. A one-device subscription costs $4.99 per month, and a five-device subscription is $7.99 per month, but the annual subscription for either one or five devices is $39.99 annually. I have installed the app on every mobile device I own and love the peace of mind I experience when I periodically check the program and discover that while everyone else in the store may be on the exposed network, I’m securely connected to a VPN.

Understanding Elcomsoft Wireless Security Auditor

While Norton WiFi Privacy protects your devices, Elcomsoft Wireless Security Auditor (EWSA) protects your wireless network by analyzing it, searching for Wi-Fi traffic and running an attack on the network’s WPA/WPA2-PSK password. A WPA/WPA2-PSK password contains a combination of characters and is the type of wireless password found on most public networks.

Elcomsoft explains the full capabilities of EWSA, noting that you can “perform a full-performance attack on Wi-Fi passwords. Running on multiple computers, Elcomsoft Distributed Password Recovery can utilize all available resources (CPU and GPU units) when attempting to break your wireless password. If your password cannot be recovered after a reasonably long distributed attack, you may assume your network is sufficiently secure.”

This description is probably beyond most lawyers’ comprehension. But that doesn’t matter—we didn’t go to law school to be network hackers. Because lawyers have an obligation to take reasonable measures to ensure that their clients’ data remains confidential, this program helps them meet their obligations by confirming whether their wireless networks are vulnerable.

I tried the Professional Edition of the software on my home and office networks and even set up a guest network with a very weak password. Then I let it run. After trying various types of attacks, I was unable to crack into my home or office networks, both of which had what I had hoped were highly secure passwords.

On the other hand, the program discovered the guest network’s weak password in about an hour in Dictionary Attack mode. Using its Word Attack mode, EWSA discovered the weak password in a few minutes. EWSA has four other modes designed to crack a network password: Mask Attack, Combination Attack, Hybrid Attack and Custom Attack.

EWSA does not come with any instructions, and those without a computer or network security background will find the built-in Help function to be less than helpful. As a result, when I began using the program, I could discover my wireless networks but had no idea how to add the network to the project window—that is, the window you use to set up and start your attacks.

For “real” help I turned to YouTube, where I discovered numerous videos that showed me how to use the program, including discovering networks, adding their identification information to the project window and running the various types of attacks. For a program that costs $299 for the Standard Edition and $599 for the Professional Edition, there should be more robust, user-friendly documentation.

The Standard Edition supports up to two central processing units and one graphics processing unit. The Professional Edition includes a built-in wireless sniffer (for AirPcap adapters and general Wi-Fi adapters) and hardware acceleration on AMD and NVIDIA boards, and it supports up to 32 central processing units and eight graphics processing units. But, as with the software itself, most lawyers will not understand these terms. Instead, they should turn the process over to their IT staff or consultants and let them figure out whether their wireless network is secure.

I recommend the Professional Edition because of its ability to locate adapters connected to your wireless network. Do you need to have that feature? No. But when it comes to network security, you’re always better off having the most versatile product, just in case. A $599 cost is far cheaper than the cost—and the potential publicity—that could accompany the news story that a hacker accessed your client data and posted it all over the internet.

Neither the ABA nor ABA entities endorse non-ABA products or services, and this review should not be so construed.

Daniel J. Siegel is an attorney whose practice focuses on appellate law and providing ethical and professional guidance to other attorneys. He is also president of Integrated Technology Services, a consulting firm that assists law firms with improving their workflows.