Need a reason not to use free hotel wi-fi without a VPN? How about spear-phishing and targeted attacks against you by people who your real name, your room number, and expected arrival and departure times? According to the article, some of the tactics used include Adobe Flash zero-day exploits, fake software updates containing malware, and embedded iFrames redirecting to phony installers.
When you connect to any wi-fi network, you must assume it is hostile and act accordingly. Even if you’re not a senior company executive, here’s an example of the types of attacks that could be used by a rogue Wi-Fi network against various password managers; if you use one, yours could be among them. It’s interesting to note that iFrames are also involved in one of the “sweep attacks” described by the paper.
Over the past few days, media outlets have been reporting that Verizon has been inserting a string of letters and numbers called a UIDH into outgoing http requests made by its customers. The string uniquely identifies a specific device. The diagram in Jonathan Mayer’s blog post provides a good picture of how the process occurs and how this string can be used. Basically, a website that receives the string can pass it along to an advertising exchange which in turn pays Verizon for information on the subscriber that allows them to show more relevant ads.
Mayer’s post states that at a minimum, Verizon reveals Continue reading The Lowdown on Phone Carrier UIDH Injection
Comcast has begun injecting ads into webpages accessed by users using one of its 3.5 million public Wi-Fi hotspots. With this action, Comcast joins the list of businesses (e.g. airports) that provide Wi-Fi service with ads.
Another potential solution is to use a VPN, which encrypts all the traffic between you and the VPN provider instead of between you and the website.