Traveling Safely SIRT IT Security Roundtable Harvard Townsend

Traveling Safely SIRT IT Security Roundtable Harvard Townsend Chief Information Security Officer harv@ksu. edu May 4, 2012

Agenda n n What and where are the risks? Using Internet cafes and Wi. Fi hot spots safely (is that even possible? !) n n n n New K-State VPN service is your friend! Protecting your e. ID and other passwords Protecting your personal and financial info ATM security Airport risks Laptop security (add smartphones to the list. . . ) Things to do before you leave (important!!) If we have time. . . n n USB Flash drive security Beware of export restrictions on certain technologies 2

What are the risks? Focus of this seminar is risks to information and technology, not other travel-related risks n. Physical theft (esp. your laptop, i. Pad/tablet, or smartphone, and of course wallet/purse) n. Information loss/theft (personal, institutional, passwords, acct info) n. Identity theft n. Financial fraud/theft 3

Where are the risks? n n n Internet cafés Wi. Fi hot spots (coffee shop, airport, hotel) Any public computer, even some private ones (e. g. hotel business center) Airports ATM machines Any country with lax law enforcement or untrustworthy government 4

Percentage Is China a Risk? of Computers Infected with Malware [Source: Panda. Labs 2011 Annual Report, Jan. 2012] n n n January 2010 – Google discloses cyber attacks that target Gmail accounts of Chinese human rights activists as well as Google intellectual property (now known as “Operation Aurora”); ~30 other corporations similarly attacked. Google implicates Chinese government. April 2010 – NY Times reporter’s email is hacked while in China; reports that many of his colleagues experienced the same thing China is a hotbed of cybercrime, state-sponsored or otherwise There’s no such thing as privacy in China! Extremely lax IT security 5

Internet Cafés n Technology typically not managed well. Susceptible to: ¡ ¡ n n Worms, Trojan horses, etc. Keyloggers Info-stealing malware (steals username/password, financial account info) USB thumb drive infections Threat to your privacy since the browser cache, temporary files, deleted files, and log data leave a trace of your activity Employees sometimes part of the conspiracy 6

Internet Cafés What can you do about it? n n n Avoid them altogether, or just use them for innocuous activities like checking the weather, bus/train/flight schedules, tourist sites Research local Internet Cafés before you leave or ask someone you trust (e. g. , the hotel concierge) to determine which ones are reputable Never use them for financial transactions If at all possible, don’t use your K-State e. ID and password (even secure web access with HTTPS does not protect you from keyloggers) Change your e. ID password after you return to the U. S. Make sure antivirus software is running and up-to-date – do a manual scan if possible, although that’s timeconsuming 7

Internet Cafés What can you do about it? n n n NEVER let it save your login/account information in the browser Use “Private Browsing” in Firefox or IE (“In. Private Browsing”) which does not save any history/cache/cookies Or clear the browser cache, cookies, history before you leave ¡ ¡ n n Firefox – Pull down Tools menu, select “Clear Recent History”, check all the boxes, change “Time range to clear” to “Today”, select “Clear Now” IE – Pull down Tools menu, select “Delete browsing history…”, check all the boxes, select “Delete” Watch for shoulder-surfing Don’t leave your computer unattended with any sensitive information showing, or authenticated sessions open (lock the screen) Carry your own programs on a USB flash drive (browser, AV software, email client, password safe, VPN client, Secure erase, etc. ) Summary – AVOID or BE PARANOID! 8

Other public computers n n Treat them ALL with suspicion Hotel business centers ¡ ¡ ¡ Somewhat better than Internet Café, esp. at reputable hotel, but even those are not without risk Use same precautions as Internet Cafés Don’t use for financial transactions, your e. ID/password, or other sensitive information if at all possible 9

The Wi. Fi Dilemma n n n It’s SOOO useful and SOOO risky Unsecured wireless networks are very easy to snoop – someone near you or even across the street can watch ALL of your traffic Are freely available programs that watch Wi. Fi traffic and intercepts anything that looks like a username and password, or account info Hotel wireless – just because you have to register, pay, and/or authenticate doesn’t mean it’s secure. Typically they are not encrypted and you don’t know who is in the room next to you. “Firesheep” can intercept Facebook and Twitter sessions to change your status, send messages, and/or post on the wall of friends 10

Wireless security n n n Don’t do financial transactions or other sensitive work in public Wi. Fi zones, if possible; HTTPS reduces the risk, as does the full tunnel VPN service Use K-State’s VPN service to access K-State systems; the default “split tunnel” encrypts all traffic to/from K-State, but does NOT protect your other Internet traffic A “full tunnel” option is now available that encrypts ALL wireless traffic – you should use this every time you’re in a public Wi. Fi location, even in Manhattan 11

Virtual Private Network (VPN) Service n n Install the Cisco “Any. Connect” VPN client available to all fac/staff/students Software and instructions available at www. k-state. edu/its/security/vpn Available for Windows, Mac OS X, Linux, i. OS (i. Phone), and Android This is covered in this year’s required annual IT security training 12

Split Tunnel (only K-State traffic encrypted) Full Tunnel (everything encrypted) Disconnected 13 Connected

Protecting your e. ID n n Avoid using it in Internet Cafés and other public computers, if possible (due to risk of it being stolen by keylogger malware) Use K-State’s VPN service to access K-State resources when possible Change your e. ID password when you get home as a precaution Use a web-based password manager like Last. Pass to manage your passwords (even though lastpass was hacked last year) 14

Protecting Your Personal and Financial Information n n Take all the online precautions mentioned thus far Always know where your passport is ¡ ¡ n n n n Stow it securely on your person Hide it in your hotel room or put it in a safe Beware of pick-pockets Conceal your valuables Don’t let a vendor/server take your credit card out of your sight Pay with cash as much as possible (so you don’t have to use your credit card) Use “virtual credit card number” if available from your cardissuing bank – only good for a single purchase, or single merchant, or limited time; is in essence a throw-away card number tied to your account; can generate yourself online Get a “chip & PIN” credit card – increasingly required for overseas travel, especially in Europe Risk of RFID in new passports exaggerated Let your credit card companies know your travel destination and dates (can now do this online with some major credit 15 cards)

ATM security n n n US Secret Service estimates annual loss from ATM fraud at $1 billion ($350 K per day!), 80% of that due to card skimming (bogus card reader placed over the top of the real card reader) “ATM skimmer” = device attached to an ATM machine to steal bank account info Rampant in Europe, growing threat in U. S. too Look for indicators of tampering with the keypad or card swipe/feed mechanism Device fits over real card reader and stores or transmits (via cell phone, for example) the data from the magnetic stripe on the card; criminals also get PIN with camera or fake keypad 16

ATM Skimmers Bogus keypad designed for Diebold ATM Skimmer found at Citibank ATM in Woodland Hills, CA, Dec. 2009 Skimmer found at Wachovia Bank in Alexandria, VA, Feb. 28, 2010; loss to customers exceeded $60, 000 17

ATM security n n n Only use ATMs in the lobby of reputable banks; esp. beware of solitary ATMs in secluded places at night (risk of assault/theft) Watch for people looking over your shoulder Make a few large withdrawals instead of many smaller ones so you use the card less often (although carrying lots of cash is risky) 18

Airports n High risk of theft ¡ n n n Fall 2008 report: 16, 000 laptops lost or stolen in airports in US and Europe PER WEEK!! Will cover laptop security later Don’t let valuables out of your site, esp. at security screening; criminals target airports and create diversions to distract you while they steal your laptop Put your smartphone in your shoe or carry-on bag (i. e. , out of sight) when going through X-ray to reduce risk of theft 19

Airports n n n Use same precautions with the public Wi. Fi in airports that you would in any public Wi. Fi hot spot General rule – don’t connect to unknown wireless networks Remember that just because you pay for the service does not mean it’s secure. Use “Personal/Wi. Fi Hotspot” feature of Smartphone (laptop connects to Internet via Wi. Fi through your phone); beware of eating up your cell phone data plan allotment Use “Mi. Fi” device (Wi. Fi connection through cellular 3 G/4 G network) 20

Airports n n n Beware of the oft-seen but bogus “Free Public Wi. Fi” adhoc/computer-to-computer wireless network – don’t try to connect to it. It may give someone access to your computer if you have file sharing enabled without password protection or an account without a password In most cases, it’s harmless, but your computer may start advertising “Free Public Wi. Fi” to people near you 21

Airports n n n Know what you can and cannot bring into the country – don’t discover that at the Customs check at the destination airport Israel would not allow i. Pads into the country for about two weeks in April 2010 due to an unfounded fear that its Wi. Fi implementation might interfere with communications and did not meet European Union standards (not true) Are recent reports of Israeli airport security taking apart computers looking for explosives 22

Airports n Speaking of excessive Israeli airport security. . . 23

Laptop Security n n 20+ stolen on K-State campus in 2010 Stolen laptops a daily occurrence in Manhattan Never leave unsecured laptop unattended Use a locking security cable ¡ ¡ n n n Hotel room Public locations, coffee shop Conferences, training sessions Cost $15 -$50, combination or key lock Use strong password on all accounts Don’t store sensitive info on it, but if you have to, encrypt the entire hard drive (K-State uses PGP Whole Disk Encryption software for this purpose): www. kstate. edu/its/security/pgp Don’t leave it in view in your vehicle ¡ Don’t trust the trunk - remember the quick release lever inside the vehicle? 24

Laptop Security n n n Don’t let it out of your sight when you travel Be particularly watchful at airport security checkpoints Always take it in your carry-on luggage ¡ ¡ n Never put it in checked luggage K-State administrator traveling in Asia last year, told at check-in in Kuala Lampur airport in Malaysia to reduce weight of carry-on; put laptop in checked bag – gone when he arrived at destination Use a nondescript carrying case ¡ ¡ n n n One that doesn’t look like a laptop carrying case Remove the computer manufacturer logo from the case Wrap the carrying case strap around your body Or use the locking security cable to secure it Be careful when you take a nap in the airport Take a clean (i. e. , no data) netbook or i. Pad instead of your laptop Take similar precautions with your smartphone – they are prime targets for theft and now hold much data 25

Tracking & Recovery Software n n If stolen, the computer contacts the company the next time it’s on the Internet; the company then traces it and contacts law enforcement to recover it; very effective in the U. S. ; inconsistent results outside the U. S. This software led to the recovery of a laptop stolen in Columbia, MO, that later appeared on the K-State network (January 2010) Computrace Lo. Jack for Laptops from Absolute Software (www. absolute. com) is an example Pre-installed in BIOS on many laptops ¡ ¡ n n Dell HP Have to buy the license to activate Costs about $30 -$45 per year per computer 26

Before you leave home THESE PRECAUTIONS ARE REALLY IMPORTANT! n Backup your data n Record identification information of your laptop ¡ ¡ ¡ n n Record make, model, serial number of laptop Take pictures of it Label it with ownership and contact info; a conspicuous label is a significant deterrent Write down credit card account numbers and phone numbers for credit/debit card companies (and take them with you); can’t use U. S. toll-free numbers overseas but can call them collect so take the correct phone numbers with you Take a paper copy of your passport info page in case it is lost or stolen 27

Before you leave home n Don’t rely solely on electronic device for your reservations, confirmation numbers, itinerary, etc. Have paper copies. ¡ ¡ n n In case device stolen or battery dies Can show cab driver a piece of paper with the address of your destination instead of handing him your Smartphone If leaving the country, notify the financial institutions of the accounts you will use (destination and dates of travel); otherwise, they are likely to lock your account when they see transactions from another country Notify the U. S. state department if going to a volatile location: travelregistration. state. gov 28

Take my stuff, please!

What’s on your mind? 30

USB Flash Drive Security n DO NOT store confidential data on them!! ¡ n n n Common way malware spreads – don’t use it in a computer you cannot trust, like an Internet Café; just putting the drive in the computer can infect it Don’t use it as a backup device (too easy to lose it) Delete files so they aren’t recoverable ¡ n n Too easy to lose, easy target of theft Good tool for this is Eraser (eraser. heidi. ie) Encrypt files on it with True. Crypt (truecrypt. org) or… Buy an encrypted USB flash drive ¡ Ironkey a popular brand; 8 GB encrypted drive about $200 - www. ironkey. com 31

Export Controls n n “Export” broadly defined by Feds, includes “actual shipment of any covered goods or items” Export Administration Regulations (EAR) by the Commerce Dept. controls technology – types of encryption technology have historically been an issue Int’l Traffic in Arms Regulations (ITAR) by the State Dept. controls weapons (duh!) K-State’s University Research Compliance Office (URCO) has training available www. k-state. edu/research/comply/ecp/index. htm 32