Traveling Safely Harvard Townsend IT Security Officer

advertisement
Traveling Safely
SIRT IT Security Roundtable
Harvard Townsend
IT Security Officer
harv@ksu.edu
May 8, 2009
Agenda









What and where are the risks?
Using Internet cafes and WiFi hot spots safely (is
that possible?!)
Protecting your eID and other passwords
Protecting your personal and financial info
Airport risks
Laptop security
Things to do before you leave
Beware of export restrictions on certain
technologies
K-State VPN service
2
What are the risks?




Identity theft
Financial fraud/theft
Physical theft (like your laptop)
Information loss/theft (personal,
institutional, passwords, acct info)
3
Where are the risks?





Internet cafés
WiFi hot spots
Any public computer, even some
private ones (e.g. hotel business
center)
Airports
ATM machines
4
Internet Cafés

Technology typically not managed well.
Susceptible to:





Worms, Trojan horses, etc.
Keyloggers
USB thumb drive infections
Browser cache, temporary files,
deleted files, log data leave a trace of
your activity
Staff sometimes part of the conspiracy
5
Internet Cafés

What can you do about it?







Avoid them altogether, or just use them for innocuous activities
like checking the weather, bus/train/flight schedules, tourist
sites
Research locations before you leave or ask someone you trust
(hotel concierge?) to determine which ones are reputable
Never use them for financial transactions
If at all possible, don’t use your K-State eID and password
Make sure it has antivirus software running and up-to-date – do
a manual scan if possible; check for firewall too
Or run a free web-based AV check (like Trend’s HouseCall http://housecall.trendmicro.com/), although this can be timeconsuming and you’re paying for your time on the computer
Check installed programs, programs running in memory for
anything suspicious
6
Internet Cafés

What can you do about it?



When you delete a file, use a secure delete tool like “Eraser” (if
you can install programs on the computer)
NEVER let it save your login/account information
in the browser
Clear the browser cache, cookies, history before
you leave






Firefox – Pull down Tools menu, select “Clear Private Data”, check all the
boxes, select “Clear Private Data now”
IE – Pull down Tools menu, select “Delete Browsing History…”, select
“Delete All”
Watch for shoulder-surfing
Don’t leave your computer unattended with any sensitive
information showing, or authenticated sessions open (lock the
screen)
Carry your own programs on a USB flash drive (browser, AV
software, email client, password safe, VPN client, Secure erase,
etc.)
Summary – AVOID or BE PARANOID!
7
Other public computers


Treat them ALL with suspicion
Hotel business centers





Probably better than Internet café, esp. at
reputable hotel, but even those are not
without risk
They typically use an acct with Administrator
privileges, so anyone can install anything
Use same precautions as Internet Cafés
Don’t use for financial transactions, your
eID/password, or other sensitive sessions if
at all possible
Plug your own laptop in if possible; turn off
File/Printer sharing
8
Other public computers

Public libraries


In U.S., have extensive filtering that can
prevent some malware too. Might be
better managed than other public
computers, depending on the staff at that
library
Public Kiosks

“Danger, Will Robinson!” (just check the
weather and news)
9
The WiFi Dilemma




It’s SOOO useful and SOOO risky
Unsecured wireless networks are very easy to
snoop – someone near you or even across
the street can watch ALL of your traffic
Are freely available programs that watch WiFi
traffic looking for anything that looks like a
username and password, or account info
Hotels – just because you have to register or
authenticate doesn’t mean it’s secure. They
typically are not encrypted and you don’t know
who is in the room next to you.
10
Wireless security



Use K-State’s VPN service to access KState systems; this does NOT protect your
other Internet traffic
Don’t do financial transactions or other
sensitive work in public WiFi zones, if
possible
General wireless security:
www.onguardonline.gov/wireless.html

Wireless terminology:
www.onguardonline.gov/wireless.html#glossary
11
Protecting your eID



Avoid using it in Internet Cafés and
other public computers, if possible
Use K-State VPN service to access KState resources when possible
Change your eID password when you
get home as a precaution
12
Protecting Your Personal
and Financial Information


Take all the online precautions mentioned thus far
Always know where your passport is







Stow it securely on your person
Hide it in your hotel room or put it in a safe
Beware of pick-pockets
Conceal your valuables
Don’t let a vendor/server take your credit card out of
your sight
Pay with cash as much as possible (so you don’t have to
use your credit card)
Let your credit card companies know your travel
destination and dates (can now do this online with some
major credit cards)
13
ATM security






“ATM skimming” devices
rampant in Europe, happens in
U.S. too
Organized crime involved
Look for indicators of tampering with the keypad
or card swipe/feed mechanism
Only use ATMs in the lobby of reputable banks;
esp. beware of solitary ATMs in secluded places
at night
Watch for people looking over your shoulder
Make a few large withdrawals instead of many
smaller ones
14
Airports

High risk of theft



16,000 laptops lost or stolen in airports in
US and Europe PER WEEK!!
Will cover laptop security later
Don’t let valuables out of your site,
esp. at security screening; criminals
target airports and create diversions to
distract you while they steal your
laptop
15
Airports

Use same precautions with the public
WiFi in airports that you would in any
public WiFi hot spot

Beware of the oft-seen
but bogus
“Free Public WiFi”
ad hoc/computer-to-computer wireless
network – don’t try to connect to it
General rule – don’t connect to unknown
wireless networks

16
Laptop Security


Never leave unsecured laptop unattended
Use a locking security cable





Don’t leave it in view in your vehicle



Hotel room
Public locations, coffee shop
Conferences, training sessions
Cost $15-$50, combination or key lock
Don’t trust the trunk - remember the quick release lever
inside the vehicle?
Use strong password on all accounts
Don’t store sensitive info on it, but if you have to,
encrypt the entire hard drive (K-State uses PGP
Whole Disk Encryption software for this purpose):
http://www.k-state.edu/infotech/security/pgp
17
Laptop Security



Don’t let it out of your sight when you travel
Be particularly watchful at airport security
checkpoints
Always take it in your carry-on luggage


Use a nondescript carrying case



Never put it in checked luggage
One that doesn’t look like a laptop carrying case
Remove the manufacturer logo from the case
Be careful when you take a nap in the airport


Wrap the carrying case strap around your body
Use the locking security cable to secure it
18
Tracking & Recovery
Software



If stolen, the computer contacts the company
the next time it’s on the Internet; the company
then traces it and contacts law enforcement to
recover it; inconsistent results outside the U.S.
Computrace LoJack for Laptops from Absolute
Software (www.absolute.com) is an example
Pre-installed in BIOS on many laptops




Dell
HP
Have to buy the license to activate
Costs about $30-$50 per year
19
Before you leave home


Backup your data
Record identification information






Record make, model, serial number of laptop
Take pictures of it
Label it with ownership and contact info
Write down credit card acct. numbers and phone
numbers for credit/debit card companies (and take it with
you)
If leaving the country, notify the financial institutions
whose accounts you will use (destination and dates of
travel)
Notify the U.S. state department if going to a volatile
location: https://travelregistration.state.gov
20
Export Controls




“Export” broadly defined by Feds, includes
“actual shipment of any covered goods or
items”
Export Administration Regulations (EAR) by
the Commerce Dept. controls technology
Int’l Traffic in Arms Regulations (ITAR) by the
State Dept. controls weapons (duh)
K-State’s University Research Compliance
Office (URCO) has training available
http://urco.ksu.edu/
21
Cisco VPN client?
“Civilian Solutions: Restricted Encryption and
Unrestricted”
 Cisco's restricted strong encryption solutions may
be exported or re-exported to most
civilian/commercial end users located in all
territories except the embargoed destinations and
countries designated as supporting terrorist
activities. Countries listed in Part 746 of the EAR
as embargoed destinations requiring a license are
Cuba, Iran, North Korea, Sudan, and Syria.
 See list of countries with embargos at
http://www.bis.doc.gov/policiesandregulations/regionalconsid
erations.htm
22
Cisco VPN client?
“Government Solutions: Restricted Encryption”
 Government entities not located in the following
countries require a U.S. export license in order
to obtain restricted non-retail strong encryption
items: Austria, Australia, Belgium, Canada,
Czech Republic, Cyprus, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary,
Ireland, Italy, Japan, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, New Zealand,
Norway, Poland, Portugal, Slovakia, Slovenia,
Spain, Sweden, Switzerland, United Kingdom,
United States.
23
Virtual Private Network (VPN)




Encrypts all network traffic between your
computer and the K-State border
Makes your computer appear to be on
campus to get access to restricted
resources
Does NOT necessarily encrypt everything
that goes to the Internet (“split tunneling”)
Also does not encrypt traffic once it is on
campus
24
25
Virtual Private Network (VPN)


Must install “VPN Client” software
Information and software available at:
http://www.k-state.edu/infotech/networks/vpn/


Cannot use it on campus yet (to secure your
wireless, for example); will be able to soon.
If can get to Internet but not K-State, modify
the “Transport” configuration:


Enable Transparent Tunneling
IPSec over TCP
26
Disconnected
Connected
27
What’s on your mind?
28
USB Flash Drive Security

No confidential data!





Too easy to lose, easy target of theft
Don’t use it as a backup device
“Erase” files so they aren’t recoverable
Encrypt files on it with TrueCrypt or Encrypted USB flash drives


Ironkey very popular https://www.ironkey.com/
View demo?
29
Download