Traveling Safely
SIRT IT Security Roundtable
Harvard Townsend
Chief Information Security Officer
harv@ksu.edu
May 4, 2012
Agenda


What and where are the risks?
Using Internet cafes and WiFi hot spots safely (is that even
possible?!)








New K-State VPN service is your friend!
Protecting your eID and other passwords
Protecting your personal and financial info
ATM security
Airport risks
Laptop security (add smartphones to the list...)
Things to do before you leave (important!!)
If we have time...


USB Flash drive security
Beware of export restrictions on certain technologies
2
What are the risks?
Focus of this seminar is risks to information
and technology, not other travel-related risks
Physical theft (esp. your laptop, iPad/tablet,
or smartphone, and of course wallet/purse)
Information loss/theft (personal,
institutional, passwords, acct info)
Identity theft
Financial fraud/theft
3
Where are the risks?






Internet cafés
WiFi hot spots (coffee shop, airport, hotel)
Any public computer, even some private
ones (e.g. hotel business center)
Airports
ATM machines
Any country with lax law enforcement or
untrustworthy government
4
Percentage of Computers Infected with Malware
Is China a Risk?
[Source: PandaLabs 2011 Annual Report, Jan. 2012]





January 2010 – Google discloses cyber attacks
that target Gmail accounts of Chinese human
rights activists as well as Google intellectual
property (now known as “Operation Aurora”); ~30
other corporations similarly attacked. Google
implicates Chinese government.
April 2010 – NY Times reporter’s email is hacked
while in China; reports that many of his
colleagues experienced the same thing
China is a hotbed of cybercrime, state-sponsored
or otherwise
There’s no such thing as privacy in China!
Extremely lax IT security
5
Internet Cafés

Technology typically not managed well.
Susceptible to:






Worms, Trojan horses, etc.
Keyloggers
Info-stealing malware (steals
username/password, financial account info)
USB thumb drive infections
Threat to your privacy since the browser
cache, temporary files, deleted files, and
log data leave a trace of your activity
Employees sometimes part of the
conspiracy
6
Internet Cafés
What can you do about it?






Avoid them altogether, or just use them for innocuous
activities like checking the weather, bus/train/flight
schedules, tourist sites
Research local Internet Cafés before you leave or ask
someone you trust (e.g., the hotel concierge) to
determine which ones are reputable
Never use them for financial transactions
If at all possible, don’t use your K-State eID and
password (even secure web access with HTTPS does
not protect you from keyloggers)
Change your eID password after you return to the U.S.
Make sure antivirus software is running and up-to-date
– do a manual scan if possible, although that’s timeconsuming
7
Internet Cafés
What can you do about it?



NEVER let it save your login/account information
in the browser
Use “Private Browsing” in Firefox or IE (“InPrivate Browsing”)
which does not save any history/cache/cookies
Or clear the browser cache, cookies, history before
you leave






Firefox – Pull down Tools menu, select “Clear Recent History”, check all the
boxes, change “Time range to clear” to “Today”, select “Clear Now”
IE – Pull down Tools menu, select “Delete browsing history…”, check all the
boxes, select “Delete”
Watch for shoulder-surfing
Don’t leave your computer unattended with any sensitive information
showing, or authenticated sessions open (lock the screen)
Carry your own programs on a USB flash drive (browser, AV software,
email client, password safe, VPN client, Secure erase, etc.)
Summary – AVOID or BE PARANOID!
8
Other public computers


Treat them ALL with suspicion
Hotel business centers



Somewhat better than Internet Café, esp. at
reputable hotel, but even those are not without risk
Use same precautions as Internet Cafés
Don’t use for financial transactions, your
eID/password, or other sensitive
information if at all possible
9
The WiFi Dilemma





It’s SOOO useful and SOOO risky
Unsecured wireless networks are very easy to
snoop – someone near you or even across the
street can watch ALL of your traffic
Are freely available programs that watch WiFi
traffic and intercepts anything that looks like a
username and password, or account info
Hotel wireless – just because you have to
register, pay, and/or authenticate doesn’t mean
it’s secure. Typically they are not encrypted and
you don’t know who is in the room next to you.
“Firesheep” can intercept Facebook and Twitter
sessions to change your status, send messages,
and/or post on the wall of friends
10
Wireless security



Don’t do financial transactions or other
sensitive work in public WiFi zones, if possible;
HTTPS reduces the risk, as does the full tunnel
VPN service
Use K-State’s VPN service to access K-State
systems; the default “split tunnel” encrypts all
traffic to/from K-State, but does NOT protect
your other Internet traffic
A “full tunnel” option is now available that
encrypts ALL wireless traffic – you should use
this every time you’re in a public WiFi
location, even in Manhattan
11
Virtual Private Network
(VPN) Service




Install the Cisco “AnyConnect” VPN
client available to all fac/staff/students
Software and instructions available at
www.k-state.edu/its/security/vpn
Available for Windows, Mac OS X,
Linux, iOS (iPhone), and Android
This is covered in this year’s required
annual IT security training
12
Split Tunnel (only K-State
traffic encrypted)
Full Tunnel
(everything encrypted)
Disconnected
13
Connected
Protecting your eID




Avoid using it in Internet Cafés and other
public computers, if possible (due to risk of it
being stolen by keylogger malware)
Use K-State’s VPN service to access K-State
resources when possible
Change your eID password when you get
home as a precaution
Use a web-based password manager like
LastPass to manage your passwords (even
though lastpass was hacked last year)
14
Protecting Your Personal
and Financial Information


Take all the online precautions mentioned thus far
Always know where your passport is










Stow it securely on your person
Hide it in your hotel room or put it in a safe
Beware of pick-pockets
Conceal your valuables
Don’t let a vendor/server take your credit card out of your sight
Pay with cash as much as possible (so you don’t have to use
your credit card)
Use “virtual credit card number” if available from your cardissuing bank – only good for a single purchase, or single
merchant, or limited time; is in essence a throw-away card
number tied to your account; can generate yourself online
Get a “chip & PIN” credit card – increasingly required for
overseas travel, especially in Europe
Risk of RFID in new passports exaggerated
Let your credit card companies know your travel destination
and dates (can now do this online with some major credit
15
cards)
ATM security





US Secret Service estimates annual loss
from ATM fraud at $1 billion ($350K per day!), 80% of that due
to card skimming (bogus card reader placed over the top of
the real card reader)
“ATM skimmer” = device attached to an ATM machine to steal
bank account info
Rampant in Europe, growing threat in U.S. too
Look for indicators of tampering with the keypad or card
swipe/feed mechanism
Device fits over real card reader and stores or transmits (via
cell phone, for example) the data from the magnetic stripe on
the card; criminals also get PIN with camera or fake keypad
16
ATM Skimmers
Bogus keypad designed for
Diebold ATM
Skimmer found at Citibank ATM in
Woodland Hills, CA, Dec. 2009
Skimmer found at Wachovia Bank in
Alexandria, VA, Feb. 28, 2010; loss
to customers exceeded $60,000 17
ATM security



Only use ATMs in the lobby of
reputable banks; esp. beware of
solitary ATMs in secluded places at
night (risk of assault/theft)
Watch for people looking over your
shoulder
Make a few large withdrawals instead
of many smaller ones so you use the
card less often (although carrying lots
of cash is risky)
18
Airports

High risk of theft




Fall 2008 report: 16,000 laptops lost or
stolen in airports in US and Europe PER
WEEK!!
Will cover laptop security later
Don’t let valuables out of your site, esp.
at security screening; criminals target
airports and create diversions to distract
you while they steal your laptop
Put your smartphone in your shoe or
carry-on bag (i.e., out of sight) when
going through X-ray to reduce risk of theft
19
Airports





Use same precautions with the public WiFi in
airports that you would in any public WiFi hot spot
General rule – don’t connect to unknown wireless
networks
Remember that just because you pay for the
service does not mean it’s secure.
Use “Personal/WiFi Hotspot” feature of
Smartphone (laptop connects to Internet via WiFi
through your phone); beware of eating up your
cell phone data plan allotment
Use “MiFi” device (WiFi connection
through cellular 3G/4G network)
20
Airports



Beware of the oft-seen but bogus “Free
Public WiFi” adhoc/computer-to-computer
wireless network – don’t try to connect to it.
It may give someone access to your
computer if you have file sharing enabled
without password protection or an account
without a password
In most cases, it’s harmless, but your
computer may start advertising “Free Public
WiFi” to people near you
21
Airports



Know what you can and cannot bring into
the country – don’t discover that at the
Customs check at the destination airport
Israel would not allow iPads into the country
for about two weeks in April 2010 due to an
unfounded fear that its WiFi implementation
might interfere with communications and did
not meet European Union standards (not
true)
Are recent reports of Israeli airport security
taking apart computers looking for
explosives
22
Airports

Speaking of excessive Israeli airport
security...
23
Laptop Security




20+ stolen on K-State campus in 2010
Stolen laptops a daily occurrence in Manhattan
Never leave unsecured laptop unattended
Use a locking security cable







Hotel room
Public locations, coffee shop
Conferences, training sessions
Cost $15-$50, combination or key lock
Use strong password on all accounts
Don’t store sensitive info on it, but if you have to,
encrypt the entire hard drive (K-State uses PGP Whole
Disk Encryption software for this purpose): www.kstate.edu/its/security/pgp
Don’t leave it in view in your vehicle

Don’t trust the trunk - remember the quick release lever inside
the vehicle?
24
Laptop Security



Don’t let it out of your sight when you travel
Be particularly watchful at airport security
checkpoints
Always take it in your carry-on luggage



Use a nondescript carrying case




One that doesn’t look like a laptop carrying case
Remove the computer manufacturer logo from the case
Be careful when you take a nap in the airport



Never put it in checked luggage
K-State administrator traveling in Asia last year, told at
check-in in Kuala Lampur airport in Malaysia to reduce
weight of carry-on; put laptop in checked bag – gone when
he arrived at destination
Wrap the carrying case strap around your body
Or use the locking security cable to secure it
Take a clean (i.e., no data) netbook or iPad
instead of your laptop
Take similar precautions with your smartphone –
they are prime targets for theft and now hold much
data
25
Tracking & Recovery
Software




If stolen, the computer contacts the company the next
time it’s on the Internet; the company then traces it and
contacts law enforcement to recover it; very effective in
the U.S.; inconsistent results outside the U.S.
This software led to the recovery of a laptop stolen in
Columbia, MO, that later appeared on the K-State
network (January 2010)
Computrace LoJack for Laptops from Absolute Software
(www.absolute.com) is an example
Pre-installed in BIOS on many laptops




Dell
HP
Have to buy the license to activate
Costs about $30-$45 per year per computer
26
Before you leave home
THESE PRECAUTIONS ARE REALLY IMPORTANT!
 Backup your data
 Record identification information of your laptop





Record make, model, serial number of laptop
Take pictures of it
Label it with ownership and contact info; a conspicuous label
is a significant deterrent
Write down credit card account numbers and phone
numbers for credit/debit card companies (and take
them with you); can’t use U.S. toll-free numbers
overseas but can call them collect so take the correct
phone numbers with you
Take a paper copy of your passport info page in case
it is lost or stolen
27
Before you leave home

Don’t rely solely on electronic device for your
reservations, confirmation numbers, itinerary,
etc. Have paper copies.




In case device stolen or battery dies
Can show cab driver a piece of paper with the address of
your destination instead of handing him your Smartphone
If leaving the country, notify the financial
institutions of the accounts you will use
(destination and dates of travel); otherwise,
they are likely to lock your account when they
see transactions from another country
Notify the U.S. state department if going to a
volatile location: travelregistration.state.gov
28
Take my stuff, please!
www.theregister.co.uk/2010/09/13/social_network_burglary_gang/
What’s on your mind?
30
USB Flash Drive Security

DO NOT store confidential data on them!!




Common way malware spreads – don’t use it in a
computer you cannot trust, like an Internet Café;
just putting the drive in the computer can infect it
Don’t use it as a backup device (too easy to lose
it)
Delete files so they aren’t recoverable



Too easy to lose, easy target of theft
Good tool for this is Eraser (eraser.heidi.ie)
Encrypt files on it with TrueCrypt (truecrypt.org)
or…
Buy an encrypted USB flash drive

Ironkey a popular brand; 8 GB encrypted drive about
$200 - www.ironkey.com
31
Export Controls




“Export” broadly defined by Feds, includes
“actual shipment of any covered goods or
items”
Export Administration Regulations (EAR) by
the Commerce Dept. controls technology –
types of encryption technology have
historically been an issue
Int’l Traffic in Arms Regulations (ITAR) by the
State Dept. controls weapons (duh!)
K-State’s University Research Compliance
Office (URCO) has training available
www.k-state.edu/research/comply/ecp/index.htm
32