Traveling Safely
SIRT IT Security Roundtable
Harvard Townsend, Chief Information Security Officer, [email protected]
May 6, 2011


Page 1: Traveling Safely SIRT IT Security Roundtable


Agenda

- What and where are the risks?
- Using Internet cafes and WiFi hot spots safely (is that even possible?!)
- New K-State VPN service is your friend!
- Protecting your eID and other passwords
- Protecting your personal and financial info
- ATM security
- Airport risks
- Laptop security
- Things to do before you leave (important!!)
- USB Flash drive security
- Beware of export restrictions on certain technologies

What are the risks?

- Physical theft (esp. your laptop or phone, and of course wallet/purse)
- Information loss/theft (personal, institutional, passwords, acct info)
- Identity theft
- Financial fraud/theft

Where are the risks?

- Internet cafés
- WiFi hot spots
- Any public computer, even some private ones (e.g. hotel business center)
- Airports
- ATM machines
- Any country with lax law enforcement or untrustworthy government

Is China a Risk?

- January 2010 – Google discloses cyber attacks from China that target Gmail accounts of Chinese human rights activists as well as Google intellectual property (now known as “Operation Aurora”); some 30 other corporations similarly attacked; Google implicates the Chinese government
- April 2010 – NY Times reporter’s email hacked while in China; reports that many of his colleagues experienced the same thing
- April 2010 – Researchers at University of Toronto exposed a cyber spy ring that pilfered documents and email from computers in 100 different countries; the common thread is the attacks originated from computers in China and targeted the Dalai Lama (stole his email), Tibetan human rights advocates, the Indian Defense Ministry, and foreign journalists who cover China and Taiwan
- China is a hotbed for cybercrime, state-sponsored or otherwise
- Extremely lax IT security
- Amendment to Chinese Law on Guarding State Secrets in 2010 states that "Information transmissions should be immediately stopped if they are found to contain state secrets," and that if state secrets have been found to be leaked, the companies must keep records of the incident and notify authorities. The definition of state secrets in China is quite broad; information such as maps and economic statistics could be considered prohibited for discussion.
- There’s no such thing as privacy or net neutrality in China!
  www.washingtonpost.com/wp-dyn/content/article/2010/04/27/AR2010042704503.html

[Figure: Percentage of Computers Infected with Malware. Source: PandaLabs Q1 Report, Apr. 5, 2011]

Internet Cafés

- Technology typically not managed well.
- Susceptible to:
  - Worms, Trojan horses, etc.
  - Keyloggers
  - Info-stealing malware (steals username/password, financial account info)
  - USB thumb drive infections
- Browser cache, temporary files, deleted files, log data leave a trace of your activity
- Employees sometimes part of the conspiracy

Page 7: Traveling Safely SIRT IT Security Roundtable

Internet CafésWhat can you do about it? Avoid them altogether, or just use them for innocuous

activities like checking the weather, bus/train/flight schedules, tourist sites

Research local Internet Cafés before you leave or ask someone you trust (hotel concierge?) to determine which ones are reputable

Never use them for financial transactions If at all possible, don’t use your K-State eID and

password (even secure web access with https does not protect you from keyloggers)

Change your eID password after you return to the U.S. Make sure it has antivirus software running and up-to-

date – do a manual scan if possible

7

Internet Cafés – What can you do about it?

- NEVER let it save your login/account information in the browser
- Use “Private Browsing” in Firefox or IE which does not save any history/cache/cookies
- Or clear the browser cache, cookies, history before you leave
  - Firefox – Pull down Tools menu, select “Clear Private Data”, check all the boxes, select “Clear Private Data now”
  - IE – Pull down Tools menu, select “Delete Browsing History…”, select “Delete All”
- Watch for shoulder-surfing
- Don’t leave your computer unattended with any sensitive information showing, or authenticated sessions open (lock the screen)
- Carry your own programs on a USB flash drive (browser, AV software, email client, password safe, VPN client, Secure erase, etc.)
- Summary – AVOID or BE PARANOID!

Other public computers

- Treat them ALL with suspicion
- Hotel business centers
  - Somewhat better than Internet Café, esp. at reputable hotel, but even those are not without risk
  - They typically use an acct with Administrator privileges, so anyone can install anything
  - Use same precautions as Internet Cafés
  - Don’t use for financial transactions, your eID/password, or other sensitive sessions if at all possible
- Public Kiosks
  - “Danger, Will Robinson!” (just check the weather and news)

The WiFi Dilemma

- It’s SOOO useful and SOOO risky
- Unsecured wireless networks are very easy to snoop – someone near you or even across the street can watch ALL of your traffic
- There are freely available programs that watch WiFi traffic and intercept anything that looks like a username and password, or account info
- Hotel wireless – just because you have to register, pay, and/or authenticate doesn’t mean it’s secure. Typically they are not encrypted and you don’t know who is in the room next to you.
- “Firesheep” can intercept Facebook and Twitter sessions to change your status, send messages, and/or post on the wall of friends

Firesheep Defenses

- Use K-State’s new full tunnel VPN service (more about this later)
- Configure Facebook to encrypt all network traffic (https: in the web address)
  - Change in “Account” -> “Account Settings” -> “Account Security”
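Firesheep worked because sites sent their session cookies over plain HTTP, where anyone on the same unencrypted hot spot could read and replay them; the https setting above stops that only if the cookie is never sent over http. The check below is an added example, not from the slides or from any site's own code: it audits Set-Cookie headers for the Secure attribute that keeps a cookie off plain-HTTP requests. The header values and cookie names are constructed.

```python
# Constructed sample Set-Cookie headers (not taken from the slides). The first
# session cookie is marked Secure, so the browser sends it over HTTPS only; the
# second is not, so the browser attaches it to every plain-HTTP request to the
# site as well, which is what a WiFi sniffer in the same hot spot collects.
SAMPLE_SET_COOKIE_HEADERS = [
    "sid=CONSTRUCTED-TOKEN-1; Path=/; Secure; HttpOnly",
    "c_user=100000123; Path=/; Domain=.example.com; HttpOnly",
    "lang=en_US; Path=/",
]

# Names of the cookies that identify a logged-in session (assumed for the example).
SESSION_COOKIE_NAMES = {"sid", "c_user"}


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and an attribute map.

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes (Path, Domain, ...) to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def sniffable_session_cookies(headers, session_names=SESSION_COOKIE_NAMES):
    """Return the session cookies a browser would still send over plain HTTP.

    A cookie without the Secure attribute is attached to http:// requests as
    well as https:// ones, so on an unencrypted hot spot it travels in the
    clear and can be replayed to take over the session (the Firesheep case).
    HttpOnly does not help here: it hides the cookie from page scripts, not
    from the network.
    """
    exposed = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in session_names:
            continue
        if cookie["attrs"].get("secure") is not True:
            exposed.append(cookie["name"])
    return exposed


if __name__ == "__main__":
    for name in sniffable_session_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(f"session cookie '{name}' lacks Secure: sent over plain HTTP")
```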

Wireless security

- Don’t do financial transactions or other sensitive work in public WiFi zones, if possible; HTTPS reduces the risk, as does the full tunnel VPN service
- Use K-State’s VPN service to access K-State systems; the default “split tunnel” encrypts all traffic to/from K-State, but does NOT protect your other Internet traffic
- A “full tunnel” option is now available that encrypts ALL wireless traffic – you should use this every time you’re in a public WiFi location, even in Manhattan

Virtual Private Network (VPN) Service

- Must install Cisco “AnyConnect” VPN client software
- Information and software available at: www.k-state.edu/its/security/vpn/
- Available for Windows, Mac OS X, Linux, soon for some Smartphones
- This new version uses SSL instead of IPSEC so it works better with firewalls and is more reliable
- Also can use it on the K-State campus wireless, which is advisable since WEP security is weak (stronger WPA2 security available soon on campus)

Virtual Private Network (VPN) Service

- Default is “split tunnel” – only K-State traffic encrypted
  - Better performance for non-K-State/Internet traffic, esp. streaming videos like Netflix
  - Suitable for home wireless network IF you properly secure your home wireless
- “Full tunnel” encrypts ALL traffic, but sends Internet traffic through K-State’s network instead of your Internet Service Provider (Cox, AT&T, etc.)
  - Performance may suffer
  - Highly recommended in public WiFi locations (coffee shop, airport, McDonald’s, etc.)
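The difference between the two modes is visible in the laptop's routing table: in split tunnel only the campus prefixes point at the VPN interface, in full tunnel the tunnel covers every destination. The function below is an added example, not from the slides or from Cisco, that classifies an IPv4 routing table in Linux `ip route` format; the interface name tun0 and the 203.0.113.0/24 campus prefix are placeholders, and the sample tables are constructed.

```python
import ipaddress
import re

# Constructed sample routing tables in Linux `ip route` format (not from the
# slides). "tun0" stands for the VPN client's tunnel interface and
# 203.0.113.0/24 is a placeholder for the campus address range.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.0/24 dev tun0 scope link
"""

# Many VPN clients install 0.0.0.0/1 + 128.0.0.0/1 through the tunnel instead
# of replacing the existing default route; together they still cover everything.
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# destination ("default" or prefix/len) ... dev <interface>
ROUTE_RE = re.compile(r"^(default|\S+/\d+)\s+.*?\bdev\s+(\S+)")


def tunnel_mode(route_table: str, tun_iface: str = "tun0") -> str:
    """Classify an IPv4 routing table as 'none', 'split' or 'full'.

    'full': every destination has a route through tun_iface, either a default
    route or the 0.0.0.0/1 + 128.0.0.0/1 pair. 'split': some destinations use
    the tunnel, the rest go out the local interface (and are not encrypted).
    'none': nothing is routed through the tunnel at all.
    """
    tunnel_nets = []
    for line in route_table.splitlines():
        match = ROUTE_RE.match(line.strip())
        if not match or match.group(2) != tun_iface:
            continue
        dest = "0.0.0.0/0" if match.group(1) == "default" else match.group(1)
        tunnel_nets.append(ipaddress.ip_network(dest, strict=False))
    if not tunnel_nets:
        return "none"
    # collapse_addresses merges adjacent halves, e.g. 0.0.0.0/1 + 128.0.0.0/1
    # into 0.0.0.0/0, so a prefix length of 0 means the tunnel covers everything.
    covered = ipaddress.collapse_addresses(tunnel_nets)
    if any(net.prefixlen == 0 for net in covered):
        return "full"
    return "split"


if __name__ == "__main__":
    print("split sample:", tunnel_mode(SPLIT_TUNNEL_ROUTES))
    print("full sample: ", tunnel_mode(FULL_TUNNEL_ROUTES))
```

On a Linux laptop the same check runs against live output with `tunnel_mode(subprocess.check_output(["ip", "route"], text=True))`; other operating systems print routes in a different format and would need their own parser.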

[Figure: VPN client screenshots, Disconnected and Connected; Full Tunnel (everything encrypted) vs. Split Tunnel (only K-State traffic encrypted)]

Protecting your eID

Avoid using it in Internet Cafés and other public computers, if possible (due to risk of it being stolen by keylogger malware)

Use K-State’s VPN service to access K-State resources when possible

Change your eID password when you get home as a precaution

Use a web-based password manager like LastPass to manage your passwords (even though LastPass was hacked recently…)

Protecting Your Personal and Financial Information

- Take all the online precautions mentioned thus far
- Always know where your passport is
  - Stow it securely on your person
  - Hide it in your hotel room or put it in a safe
- Beware of pick-pockets
- Conceal your valuables
- Don’t let a vendor/server take your credit card out of your sight
- Pay with cash as much as possible (so you don’t have to use your credit card)
- Use “virtual credit card number” if available from your card-issuing bank – only good for a single purchase, or single merchant, or limited time; is in essence a throw-away card number tied to your account; can generate yourself online
- Let your credit card companies know your travel destination and dates (can now do this online with some major credit cards)

ATM security

- US Secret Service estimates annual loss from ATM fraud at $1 billion ($350K per day!), 80% of that due to card skimming (bogus card reader placed over the top of the real card reader)
- “ATM skimmer” = device attached to an ATM machine to steal bank account info
- Rampant in Europe, growing threat in U.S. too
- Look for indicators of tampering with the keypad or card swipe/feed mechanism
- Device fits over real card reader and stores or transmits (via cell phone, for example) the data from the magnetic stripe on the card; criminals also get PIN with camera or fake keypad
- Criminals can buy skimmers online for $1500-$2500

ATM Skimmers

[Photo captions:]
- Skimmer found at Citibank ATM in Woodland Hills, CA, Dec. 2009
- Skimmer found at Wachovia Bank in Alexandria, VA, Feb. 28, 2010; loss to customers exceeded $60,000
- Bogus keypad designed for Diebold ATM

ATM security

- Only use ATMs in the lobby of reputable banks; esp. beware of solitary ATMs in secluded places at night (risk of assault/theft)
- Watch for people looking over your shoulder
- Make a few large withdrawals instead of many smaller ones so you use the card less often (although carrying lots of cash is risky)

Airports

- High risk of theft
  - Fall 2008 report: 16,000 laptops lost or stolen in airports in US and Europe PER WEEK!!
  - Will cover laptop security later
- Don’t let valuables out of your sight, esp. at security screening; criminals target airports and create diversions to distract you while they steal your laptop
- Put your smartphone in your shoe or carry-on bag (i.e., out of sight) when going through X-ray to reduce risk of theft

Airports

- Use same precautions with the public WiFi in airports that you would in any public WiFi hot spot
- General rule – don’t connect to unknown wireless networks
- Remember that just because you pay for the service does not mean it’s secure.
- Use “Personal/WiFi Hotspot” feature of Smartphone (laptop connects to Internet via WiFi through your phone); beware of eating up your cell phone data plan allotment
- Use “MiFi” device (WiFi connection through cellular 3G/4G network)

Airports

- Beware of the oft-seen but bogus “Free Public WiFi” adhoc/computer-to-computer wireless network – don’t try to connect to it.
- It may give someone access to your computer if you have file sharing enabled without password protection or an account without a password
- In most cases, it’s harmless, but your computer may start advertising “Free Public WiFi” to people near you

Airports

- Know what you can and cannot bring into the country – don’t discover that at the Customs check at the destination airport
- Israel would not allow iPads into the country for about two weeks in April 2010 due to an unfounded fear that its WiFi implementation might interfere with communications and did not meet European Union standards (not true)
- There are recent reports of Israeli airport security taking apart computers looking for explosives

Laptop Security

- 20+ stolen on K-State campus in 2010
- Stolen laptops a daily occurrence in Manhattan
- Never leave unsecured laptop unattended
- Use a locking security cable
  - Hotel room
  - Public locations, coffee shop
  - Conferences, training sessions
  - Cost $15-$50, combination or key lock
- Use strong password on all accounts
- Don’t store sensitive info on it, but if you have to, encrypt the entire hard drive (K-State uses PGP Whole Disk Encryption software for this purpose): www.k-state.edu/its/security/pgp
- Don’t leave it in view in your vehicle
- Don’t trust the trunk – remember the quick release lever inside the vehicle?

Laptop Security

- Don’t let it out of your sight when you travel
- Be particularly watchful at airport security checkpoints
- Always take it in your carry-on luggage
  - Never put it in checked luggage
  - K-State administrator traveling in Asia this spring, told at check-in in Kuala Lumpur airport in Malaysia to reduce weight of carry-on; put laptop in checked bag – gone when he arrived at destination
- Use a nondescript carrying case
  - One that doesn’t look like a laptop carrying case
  - Remove the computer manufacturer logo from the case
- Be careful when you take a nap in the airport
  - Wrap the carrying case strap around your body
  - Or use the locking security cable to secure it
- Take a cheap netbook or an iPad instead of your laptop

Tracking & Recovery Software

- If stolen, the computer contacts the company the next time it’s on the Internet; the company then traces it and contacts law enforcement to recover it; very effective in the U.S.; inconsistent results outside the U.S.
- This software led to the recovery of a laptop stolen in Columbia, MO, that later appeared on the K-State network (January 2010)
- Computrace LoJack for Laptops from Absolute Software (www.absolute.com) is an example
  - Pre-installed in BIOS on many laptops (Dell, HP)
  - Have to buy the license to activate
  - Costs about $30-$45 per year per computer

Before you leave home

- THESE PRECAUTIONS ARE REALLY IMPORTANT!
- Backup your data
- Record identification information of your laptop
  - Record make, model, serial number of laptop
  - Take pictures of it
  - Label it with ownership and contact info; a conspicuous label is a significant deterrent
- Write down credit card account numbers and phone numbers for credit/debit card companies (and take them with you); can’t use U.S. toll-free numbers overseas but can call them collect so take the correct phone numbers with you

Before you leave home

- Don’t rely solely on electronic device for your reservations, confirmation numbers, itinerary, etc. Have paper copies.
  - In case device stolen or battery dies
  - Can show cab driver a piece of paper with the address of your destination instead of handing him your Smartphone
- If leaving the country, notify the financial institutions of the accounts you will use (destination and dates of travel); otherwise, they are likely to lock your account when they see transactions from another country
- Notify the U.S. State Department if going to a volatile location: travelregistration.state.gov


Take my stuff, please!

USB Flash Drive Security

- DO NOT store confidential data on them!!
  - Too easy to lose, easy target of theft
- Common way malware spreads – don’t use it in a computer you cannot trust, like an Internet Café; just putting the drive in the computer can infect it
- Don’t use it as a backup device (too easy to lose it)
- Delete files so they aren’t recoverable
  - Good tool for this is Eraser (eraser.heidi.ie)
- Encrypt files on it with TrueCrypt (truecrypt.org) or…
- Buy an encrypted USB flash drive
  - IronKey a popular brand; 8 GB encrypted drive about $200 – www.ironkey.com

Export Controls

- “Export” broadly defined by Feds, includes “actual shipment of any covered goods or items”
- Export Administration Regulations (EAR) by the Commerce Dept. controls technology – types of encryption technology have historically been an issue
- Int’l Traffic in Arms Regulations (ITAR) by the State Dept. controls weapons (duh!)
- K-State’s University Research Compliance Office (URCO) has training available: www.k-state.edu/research/comply/ecp/index.htm

What’s on your mind?