How to stop malicious WIFI from infecting my computer?

Question

Was reading this: How to check if a Wi-Fi network is safe to connect to?

When I came across some comments

I can redirect you to other pages without your interaction. Install key loggers. Heck if your browser runs activeX objects I could open a shell on your machine without your knowledge. That last example is rare these days but what's not rare is tricking you into installing a shell for me, keylogging, session stealing, and redirection.

Or as I mentioned in my post, drop a crypto miner on your machine with the tool I wrote

Written by Anthony Russell in the comments of his answer.

So, this looks bad, obviously. What I want to know is how can I stop these attacks? Blocking javascript sounds like a good start, the original post also suggested to check my device for open ports (they did not demonstrate how to shut them though). What else? Is there a fool-proof way to prevent these sort of (virus injection? remote control?) attacks?

To be clear, I am not talking about logging. That's a given when you connect to any network. Please also dont give any advice along the lines of "don't connect to malicious networks". There are reasons that I cannot switch away from a (possibly) compromised network.

What I'm most worried about is virus injection. But other attacks (like key loggers) mentioned above are serious concerns too. Just share whatever comes to mind. I'm sure other people will fill in the blanks.

Sorry if I sound like a complete noob. That's because I am. Sorry in advance.

Answer 1

As Anthony Russell wrote in the answer to that other question you referenced:

Always use TLS and if you can, connect to a VPN whenever you're on a public wifi. Make sure that you don't have any unnecessary services running on your machine that are open to the network. Honestly, you probably shouldn't have any ports open. Any openings are potential access points. Also make sure your machine is fully patched and running all available firewall services.

Mind you this is all just mitigation. If you're connecting to public wifi points you have some accepted risk.

That is good advice.

The idea about TLS or VPN is these are ways to get end-to-end protection (authentication, encryption, etc.) so they can ride securely even over untrusted networks.

The idea about not having unnecessary services/ports on your machine is that even if your intended traffic (say, checking your email, etc.) is protected by TLS or VPN, there can still be attacks as incoming traffic from an attacker goes for your open services/ports.

Answer 2

It makes no sense to distinguish WiFi networks. If you are connected to any network that you don't fully control, you should not trust it.

If the site uses HTTPS, then of course no injection of JavaScript, ActiveX etc. is possible. But on the other hand, it is not necessary that an attacker in particular WiFi is trying to inject anything. Even if you use your private WiFi (assuming you fully control and that you made secure) and use HTTPS to access particular site, this site can contain malicious code (JavaScript, ActiveX etc.)

What can you do to make your computer secure?

1. Decide what level of security you actually need. 1) Because keeping your computer as much protected as possible can cost a lot of time, efforts and money: To regularly track the relevant security updates for every software installed, to be informed about the current threats, to create backups, to review your system fully and regularly. It may be that in your case moderate measures will be sufficient and that in case your computer is compromised a system reset may be much easier. 2) Because very often the price of higher security is worse user experience, less comfort of using the software on your computer. For instance, what is preferable to you: to break a video or a game to install a security update as soon as possible or to postpone the update for a couple of days when it is more suitable to you? Depending on selected level you can apply all measures listed below, or skip some of them, or implement some of them not strictly (e.g. getting informed about security problems not daily, but once in a month or once in 3 months).
2. Use firewall and close all ports that you not necessarily need. For instance, if you have some web application or database running on your computer, make sure that firewall allows traffic from your home network only, and that traffic from any other network is not allowed.
3. If you decided to keep some ports open, make sure that applications running on these ports have low privileges. In case you misconfigured firewall, and such ports are reachable in public network, and this application becomes compromised, then low privileges will not allow the attacker to execute any critical operations in your system, access protected data, modify any files or system settings.
4. Use antivirus. In case you downloaded any malicious code or in case the attacker tricked you do some actions that exploit some weakness in your system, antivirus will prevent harmful actions.
5. Keep your system updated. Security problems are found time to time in many applications. Usually they are fixed in the newer versions. That's why it is important to periodically check if you have the most recent version and if it fixes any security problems. This is applicable to the operating system itself, to any applications, to antivirus as well.
6. Be informed about main approaches how attackers compromise computers and keep that in mind when you use your computer: Be careful when you download and install any software, when you install any extensions in browser, when you open any links, when you visit any web sites (e.g. if some site supports only HTTP, think if you really want to visit it), when you open any email attachments.
7. Use a system account with little privileges whenever possible. In case you occasionally downloaded and launched some harmful software or you are doing anything else potentially harmful, and antivirus has not recognized that (because there is no virus update yet), then the operating system will prevent serious problems, because very often harmful code can successfully work with high privileges only.
8. Create backup of important data regularly. Even the best possible measures don't give 100% guarantee. In case of successful attack you will be able to reset your system and restore your data.

Answer 3

So, this looks bad, obviously. What I want to know is how can I stop these attacks? Blocking javascript sounds like a good start, the original post also suggested to check my device for open ports (they did not demonstrate how to shut them though). What else? Is there a fool-proof way to prevent these sort of (virus injection? remote control?) attacks?

A simple solution is to use a VPN and route all your traffic through it. From the local network's perspective, all that will be visible (unless you're leaking protocols around the VPN) is the data stream towards the VPN server, which will be protected against tampering and eavesdropping.