In computer networks, data is divided into smaller packets so that it can be transported. From these packets, it is possible to tell where a packet is coming from and where it is going. The information is very often carried in plain text, and anyone along the path will be able to read the data as it is. Sometimes the information in the packets is encrypted, but in some cases it is possible to break the encryption, especially when the user ignores the warnings from the browser or other software about incorrect identification information and continues with the connection despite them.
Users of wireless local area networks (Wi-Fi) in particular are easy targets for eavesdropping. If your wireless network does not use any encryption (such as WEP, or nowadays WPA1/2), all packets transferred in the vicinity of a wireless access point can be captured. The eavesdropper may also sit in the fixed network, or the wireless access point may be a so-called “rogue access point”, meaning an access point that is there without authorization. In this case, the eavesdropper gives the access point a credible name, or even the same network name (SSID) as the legitimate base station, to fool users.
Fully unencrypted Wi-Fi networks are very common in Finland and abroad. For example, PanOulu is an unencrypted wireless network.
The idea of a VPN connection is to encrypt every packet to be transported and to carry the encrypted traffic inside another packet. These packets are sent to the VPN server, which decrypts them and forwards the traffic. A VPN connection offers:
- Authenticated and secure remote access to the organization’s information systems
- Reasonably safe use of one’s own devices on unknown network connections
- Improved protection of privacy
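To make the two views concrete, here is an added example (not from the original page) that builds a plain IPv4/UDP packet, shows what anyone on the path can read from it, and then wraps it the way a VPN client does, so that only the VPN server’s address and an opaque blob remain visible. The addresses, the port 51820 and the HMAC-based toy stream cipher are constructed stand-ins for illustration, not a real VPN protocol.

```python
import hashlib
import hmac
import os
import socket
import struct

# Constructed sample addresses (documentation ranges, not from the original page).
CLIENT_IP, WEB_SERVER_IP, VPN_SERVER_IP = "192.0.2.10", "203.0.113.80", "198.51.100.7"

def ipv4_udp_packet(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal IPv4 + UDP packet (checksums left at zero for brevity)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp

def eavesdropper_view(packet):
    """What anyone on the path can read: source, destination, ports and the payload."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    sport, dport = struct.unpack("!HH", packet[20:24])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, packet[28:]

def keystream(key, nonce, length):
    """Toy stream cipher for illustration only: HMAC-SHA256 as a PRF in counter mode."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
    return out[:length]

def encapsulate(inner, key, client_ip, vpn_ip):
    """Client side: encrypt the whole inner packet (headers included) and carry
    the ciphertext as the payload of an outer packet addressed to the VPN server."""
    nonce = os.urandom(12)
    ciphertext = bytes(a ^ b for a, b in zip(inner, keystream(key, nonce, len(inner))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return ipv4_udp_packet(client_ip, vpn_ip, 51820, 51820, nonce + ciphertext + tag)

def decapsulate(outer, key):
    """VPN server side: check integrity, decrypt, and recover the inner packet to forward."""
    blob = outer[28:]
    nonce, ciphertext, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: tampered packet or wrong key")
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(key, nonce, len(ciphertext))))
```

On the plain packet the eavesdropper sees the web server’s address and the request text; on the tunnelled packet only the client-to-VPN-server addresses are visible, and a modified packet is rejected by the server’s integrity check.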
Some of the ways in which (remote) users on unprotected connections are deceived:
1. You are travelling in Finland by train, and the train appears to offer free internet access. The base station may be one installed by VR and named “VR” or similar, or another passenger may be running a base station with the same “official” name to attract more passengers to use the internet connection. Users who connect to that unauthorized base station are now at risk because the information passing through it is recorded.
2. You are enjoying a cold beer on a summer day at the marketplace and using the PanOulu network. On a nearby patio, someone collects the plain-text traffic between your phone and the PanOulu base station.
3. You are using the PanOulu network in your office with a laptop or phone. In a classroom nearby, a student has built an unauthorized base station with the same name, and your laptop or phone has associated with that (false) base station.
4. You are visiting London and using Heathrow airport’s free Wi-Fi network. In the same departure lounge there are cyber criminals who collect all plain-text traffic for later use.
5. You are visiting a French partner university and sign in to their highly secure WPA2 wireless local area network, using the username of the person hosting the event. Behind the wireless network, in the fixed network, there is a security breach or some other third party who sees the base station’s traffic unencrypted.
6. Same as number 5, but you are at a hotel or bed & breakfast, and the traffic behind the wireless network is recorded.
Eavesdropping and capturing network traffic is almost always automated and does not require real-time human guidance.
Even the strongest protection on a wireless access point does not guarantee a safe connection, because there is no certainty about who owns the base station, and the user typically does not know what happens behind it in the fixed network. An effective VPN connection encrypts all transmitted traffic, so there is no significant damage even if a foreign party sees the encrypted packets. Note that VPN connections can be used over both mobile and local area network connections.
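As an added example (not part of the original page), here is the kind of check a network team could run over observed Wi-Fi beacons against an inventory of its own access points: it flags an unknown BSSID advertising a managed network name (the same-name rogue base station described above) and a beacon whose security is weaker than the inventory expects. The inventory, BSSIDs and beacon records are constructed sample data; a merely credible name such as “VR-Free” is not in the inventory and cannot be judged from beacons alone, which is exactly the gap the VPN covers.

```python
# Constructed sample data (not from the original page): the organization's own
# access points, keyed by network name, and a few beacons seen by a scanner.
AUTHORIZED = {
    "PanOulu": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "OPEN"},
    "Oamk-Staff": {"bssids": {"00:11:22:33:44:10"}, "security": "WPA2"},
}

OBSERVED = [
    {"ssid": "PanOulu", "bssid": "00:11:22:33:44:01", "security": "OPEN", "channel": 6},
    {"ssid": "PanOulu", "bssid": "de:ad:be:ef:00:01", "security": "OPEN", "channel": 11},
    {"ssid": "Oamk-Staff", "bssid": "00:11:22:33:44:10", "security": "WPA2", "channel": 36},
    {"ssid": "Oamk-Staff", "bssid": "de:ad:be:ef:00:02", "security": "OPEN", "channel": 1},
    {"ssid": "VR-Free", "bssid": "de:ad:be:ef:00:03", "security": "OPEN", "channel": 1},
]

def find_rogue_aps(observed, authorized):
    """Return (ssid, bssid, reason) for beacons that impersonate a managed SSID:
    an unknown BSSID (possible evil twin) or weaker security than expected."""
    findings = []
    for ap in observed:
        expected = authorized.get(ap["ssid"])
        if expected is None:
            # Not one of ours: a credible-looking name cannot be proven rogue from beacons.
            continue
        if ap["bssid"].lower() not in expected["bssids"]:
            findings.append((ap["ssid"], ap["bssid"], "unknown BSSID, possible evil twin"))
        if ap["security"] != expected["security"]:
            reason = f"expected {expected['security']}, beacon advertises {ap['security']}"
            findings.append((ap["ssid"], ap["bssid"], reason))
    return findings

if __name__ == "__main__":
    for ssid, bssid, reason in find_rogue_aps(OBSERVED, AUTHORIZED):
        print(f"ALERT {ssid} {bssid}: {reason}")
```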
How to create a VPN connection
IT Services has drafted guidelines for setting up VPN connections; see: VPN instructions for students and VPN instructions for staff. In untrusted wireless networks, first turn the VPN connection on, and start using online services only after the VPN connection has been established.
Please note that in all relevant Oamk services, all communication is protected. For example, Oamk e-mail, the intranets and Moodle use secure communications (TLS, for example HTTPS). The browser notifies you if the service is not using an established certificate: in that case you must decide whether to continue to the service or not, being aware of the possibility that an intervening party is presenting a false certificate with a scam in mind. In such circumstances, please check with the Oamk IT helpdesk whether the service’s certificate has just expired and its renewal is still pending. The problem may also affect the VPN service. Furthermore, be aware that versions older than TLS 1.2 are vulnerable to a couple of attacks, of which at least the “BEAST” attack and its variants are well-known methods proven to work.
A VPN also works against forgery of the internet name service (DNS). Typically, most current services use secure connections, so in that respect a VPN is to be seen mainly as good additional protection on top of other security methods. However, some system software does not use encrypted connections to check for or retrieve updates. More information on this can be found, for example, by searching for “evilgrade”.