These days, you can hardly turn on the TV news or check your email without hearing about another password leak at a major website, an incident of criminal hacking, or a further revelation about internet surveillance.
So what can hacking and monitoring really expose? And is there anything you can do about it? In this article, we’ll answer these questions and more.
Deep Packets and Deep Pockets
First, let’s talk about how Internet connections can be monitored. It might be tempting to think of an Internet connection a bit like an old-fashioned phone line, with a physical electrical link between one end and the other. Or, dare we say it, as a ‘series of tubes’.
In reality, your Internet traffic is split into tiny chunks called ‘packets’ that are dropped onto the public Internet. Large cooperative systems send the packets one step closer to their destinations, hop by hop.
Back in the 1980s, the East German Stasi perfected the art of steaming envelopes open. And until relatively recently, it seemed as though doing the electronic equivalent – opening every packet on a high-bandwidth Internet connection – was just too demanding for computers to do on a large scale.
But thanks to advances in software and new high-performance hardware, so-called ‘Deep Packet Inspection’ equipment is within the reach of not just governments, but also ISPs, universities, large enterprises and even small businesses.
It’s not just the visible actors, either. Passive surveillance, whether it’s in the form of a malicious WiFi hotspot or a Stingray device that latches on to your cell phone, can be deployed cheaply and configured to divert traffic without a trace.
So, suppose you’re happily browsing your favourite Taylor Swift e-zine (we’re not judging – the girl can sing). What can someone who’s monitoring you actually see?
Well, let’s start with the obvious stuff. If an attacker were able to capture all your requests, as is the case with deep packet inspection, they’d see quite a few things.
These details include the source and destination IP addresses, the website address you visited, your cookies, the address of the referring page, and the content of the current page.
If the page is encrypted, it’ll show ‘HTTPS’, or a padlock, at the start of the address bar. Only the source and destination IP addresses are visible to someone intercepting the traffic, with the rest being scrambled.
However, this depends on the website supporting HTTPS. Although support is increasing, it still represents a frustratingly low fraction of the whole web. It’s also notoriously difficult to implement in a truly secure way, both on servers and in browsers. And despite the fact that HTTPS can hide the content of traffic, it still gives away those tell-tale IP addresses to those monitoring the connection.
The situation for other applications on the Internet is even worse. Email offers very little protection against interception. Although email encryption protocols exist, they are not widely used by the general public.
The obvious solution is to encrypt the entire internet connection, so that all your traffic is sent over a secure channel.
You can do this with a VPN, or ‘virtual private network’, which wraps up everything in one scrambled stream. This means that from your computer to the VPN host’s network, anyone intercepting the traffic would only see what appears to be junk data.
A well-implemented VPN service provides security from interception to all protocols that don’t normally provide this.
Picking a reliable, fast, and trusted VPN provider is therefore one of the simplest, most effective upgrades to your internet security.
Unless you’ve been living under a rock for the past few years, you’ll be aware of Edward Snowdon’s disclosures about the system of global surveillance orchestrated by an alliance of national intelligence agencies, including the US National Security Agency, British GCHQ, German BND and others.
The most significant element of the program is XKeyscore, a comprehensive database of Internet traffic captured from key points on fibre optic cables that span the globe. Think of it as a little like Google, but for searching everybody’s internet activity.
The system is constantly capturing and indexing traffic so that analysts can retrieve and action it.
While the debate over the legality and ethics of such a program will no doubt continue for years to come, governments will likely continue to capture and monitoring Internet traffic in one form or another.
It’s also clear that the most viable means to combat surveillance is to use encryption wherever possible. To frustrate a program of such scale, it’s likely that individuals need to use multiple techniques.
If you thought Uncle Sam was bad, at least he isn’t after your credit card details. And with a great number of persistent threats out there, it’s perhaps no wonder that the general public can’t stay ahead of determined high-tech fraudsters.
You might be surprised to learn that it’s not just hard-up members of the Nigerian royalty that are out to make a quick buck online. Unfortunately, public locations such as coffee shops offer Wi-Fi fraudsters a tempting combination of busy people, a confluence of many devices, and a plurality of Wi-Fi hotspots to impersonate.
Techniques such as DNS spoofing and network rebroadcasting allow attackers to capture rich traffic information while keeping users entirely in the dark.
The good news is that you can protect yourself from Wi-Fi scams. Encrypt all your traffic with a trusty VPN, practice good ‘security hygiene’ when it comes to public hotspots, and you’ll be in much better shape.
Regardless of the technologies you use to defend yourself, there’s no substitute for good cyber security awareness. Understand the threat model that applies in your situation, and take action accordingly.
Whether it’s protecting your financial details from opportunistic hackers or shoring up your resilience in the face of a state-level adversary, learning more will position you to understand which measures to choose, and how best to use them.
With a solid understanding, and some basic security tools, you’ll be able to browse and conduct business online with much more confidence.
Get advice you can trust on the best VPN to protect your privacy and data security with our Top 5 Best VPN Services for Security.