WiFi can be a free-for-all for hackers. Here's how to stop them from taking your data

LAS VEGAS — The connectivity at Black Hat and DEF CON is not where you want to gamble. Both conferences attract thousands of information-security professionals, some of whom will snoop around networks here.

A potentially sketchy Wi-Fi or cellular connection does not, however, require carrying a burner phone or cringing in airplane mode. As talks and presentations here outlined, basic precautions help keep you private and secure – precautions some attendees ignored.

Keeping these four suggestions in mind can help keep your data and devices safe, even when you aren't at a hacker convention – or, at least don't think you are.

Encryption is your friend

Scrambling data sent between your devices and sites is the easiest eavesdropping defense. Your browser encrypts connections to compatible sites automatically. If you use a separate email app, that should’ve activated the same protection when first set up.

Support for encryption has steadily grown. Google reports that 82% of pages in Chrome for Windows and 94% of messages sent to Gmail users now come encrypted. Your browser should identify site encryption in its address bar – Chrome is more aggressive about this – and Gmail will warn if a recipient email declines encryption.

Alas, encrypted traffic on Black Hat’s Wi-Fi has yet to surpass about 70%, researchers Neil Wyler of RSA Security and Bart Stump of Optiv Security said in a talk last Thursday.

Some attendees not only used mail services that didn’t scramble messages but sent sensitive documents over them. Wyler showed a screenshot of an attached mortgage statement (with personal data redacted) and commented: "Dude, you are sending a lot of financial information in the clear."

More such bad judgment awaited at DEF CON’s Wall of Sheep, a screen showing usernames and passwords sent sans encryption.

Watch your apps

Encryption isn’t so clear with mobile apps. Although both Apple and Google require app developers to encrypt their communication, researchers have caught exceptions even in such name-brand apps as the dating app Tinder. In June, Wandera found two-thirds of iOS apps didn’t use iOS’s encryption framework.

"We've seen a fair number of big brands leak sensitive data,” said Wandera’s product-strategy vice president Michael Covington in an interview here Friday. “It tends to be in one particular workflow where we see the leak” – some tasks happen with encryption, others don’t.

Researcher Mike Spicer cited other examples in a talk Friday evening about Wi-Fi at security conferences: weather apps leaking unencrypted location info.

So you might prefer mobile web sites to apps from the same companies.

VPN with care

A virtual private network service encrypts your entire connection and makes even dodgy apps and mail services gibberish to others on the same Wi-Fi (it’s still dumb to employ anything but official networks at hacker events like DEF CON) or cellular network (4G LTE encrypts connections but not strongly). But VPNs aren’t magic dust.

They cost money – those endorsed by review sites PCMag and Wirecutter cost $35 and up annually – and can slow your connection. And they require careful configuration to enable such backstops as kill-switch settings to take you offline if the VPN’s encrypted link drops.

Some VPNs, especially those offered for free, can harvest your data. In January, Apple and Google booted a Facebook research app built on VPN software earlier evicted by Apple.

Install updates but not new apps

One last bit of advice applies anywhere you roam: Install security patches as soon as they’re available. You will not outsmart Apple, Google or Microsoft at defeating attackers rushing to exploited newly-discovered “zero-day” vulnerabilities.

At the same time, using untrusted bandwidth means avoiding new apps, especially from outside Apple and Google’s reasonably-policed app stores. The only scenario in which a friend has admitted to getting malware on their phone: an attempt at DEF CON to install a mobile-hotspot app from a developer’s site.

Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at rob@robpegoraro.com. Follow him on Twitter at @robpegoraro.

This article originally appeared on USA TODAY: WiFi: How safe is your connection? 4 ways to keep your data secure