Attackers Never Take a Vacation: Staying Safe While Traveling
School is out and the summer travel season is in full force. According to AAA, 42 MillionAmericans traveled during the three-day American Memorial day holiday weekend. I myself just wrapped up a tour of the Southwest US with my family, nearly baking to death in the summer heat. (Thank goodness for air conditioning)
My employer Zscaler is also kicking off our inaugural user conference Zenith Live at the Cosmopolitan in Las Vegas where it’s predicted to be a balmy 109 degrees Fahrenheit tomorrow. Like tens of millions of other travelers, many of my colleagues are away from the corporate office and their home internet connections.
Imagine kicking back at the hotel pool with a cold Mai Thai in one hand and your smartphone in the other, ready to post the latest selfie or cute kid photo to social media. Are you connected to Hotel Wi-Fi? Are you using a cellular LTE connection? Where do those bytes go after you click “post”? Who is going to see my post and known I’m traveling? Many attackers take advantage of relaxed travelers who lower their guard while on vacation. However, good security practitioners will tell you that it is important to maintain the same OpSec (Operational Security) whether you are at a desk in the office or on a beach in Bora Bora. Smartphones and mobile computing devices such as laptops and tablets contain untold amounts of information including very personal data, corporate intellectual property, and even a connection back to the corporate office (VPN).
Here are a few tips to stay safe while traveling this summer.
Do Not Trust Public Wi-Fi
Traveling away from home and corporate will almost guarantee that you will have to use a Wi-Fi network that is not under your control.
Last year at an event, I was tasked with performing low-level (and harmless / whitehat) reconnaissance on some users in order to demonstrate the dangers of utilizing public Wi-Fi. Utilizing a Wi-Fi Pineapple with a fake captive portal, I was successful in using an evil twin attack to collect data on users within the vicinity of my Pineapple, without them being the wiser.
For this reason I always use a mobile Wi-Fi hotspot or tether to my phone for internet access while traveling. While this is not feasible for those without these additional services, at a minimum use a reputable VPN vendor such as Tunnel Bear. Tunnel Bear is the only VPN provider (that I am aware of at the time of writing) to provide a full third-party audit and make the results public. VPN does not automatically mean security, since all it does is tunnel all of your traffic to another egress point before it hits the open internet. Adding encryption and mutually certificate-authenticated sessions to the tunneled traffic adds additional layers of security.
Even LTE/Cellular connection is not free from spying as evidenced by this GSM cellular tower layout before and after BlackHat 2017 in Las Vegas.
Do Not Type Passwords Into Business Center or Public Computers
Always assume any computer you do not control is compromised. Even well intentioned and properly configured computers are subject to compromise through the use of hardware key loggers, USB rubber duckies executing arbitrary code, spy cameras placed above the keyboard/monitor, or a man-in-the-middle proxy on the network wire.
If you absolutely have to use a business center to print something out, consider using a disposable e-mail service such as 10 minute mail, which allows you to access e-mail and documents without typing in your password and as an additional security measure, your message is automatically deleted after 10 minutes. Mailinator serves a similar purpose without the time limit.
Do Not Forget Physical Security
Layer 1 of the OSI model is Physical and this layer is subject to attack just as much (if not more) than the rest of the layers.
The so-called "evil maid attack" is all too common where traveling business professionals will leave a laptop in a hotel safe and an unauthorized party will attempt to access or steal information from the device. Hotel safes have been proven to have useless security as many have hard-coded master codes or can be unlocked with trivial tools. Security research company F Secure just published research on how easy it is to create a hotel master key that can open any room.
Taking a laptop everywhere you go is often cumbersome and not practical so consider bringing a blank laptop with a Windows To Go device. The Windows To Go USB device acts as the laptop’s hard drive and can be easily taken anywhere you go.
See that desk in the corner? Does that desk have to be there? Do I have to work there? When you are in a hotel room, you own the space and you can move any furniture (that isn’t bolted down) anywhere you want. Attackers have been known to install spy cameras in hotel rooms where people commonly work such as a desk to try and glean passwords and other sensitive information.
As many hotels modernize, they are installing USB charging ports in their rooms for additional convenience. It is a security best practice not to plug a phone into a USB port that you do not have total control over. If you must use a hotel USB charging port, consider using a USB data blocker so only the power pins are utilized.
For personal security, I always travel with a SureFire 6P flashlight which sits on the nightstand next to where I sleep. My phone is always within arms reach so in the event of an emergency, I do not have to have to cross the room and search for my phone on the desk. After checking in, count the number of doors between your room and the nearest fire exit; if there’s a lot of smoke in the event of a fire, it will be difficult to see, but you will still be able to feel your way to the nearest exit.
Minimize the Attack Surface
When not using WiFi and Bluetooth, disable these services. There are many documented attacks against WiFi and Bluetooth and turning these services off will reduce your exposure to these attack vectors. When traveling for leisure, I lock my corporate laptop in my fireproof safe at home and do not bring it since most of what I will need to do can be done from my phone and not having my laptop with me means one less thing to worry about being stolen or compromised. Utilizing could services and a secure way to access them through my phone ensures I can still work if an emergency arises.
When crossing international borders, bring a burner phone or delete all unnecessary applications before crossing. There are many documented cases of journalists, activists, and even normal civilians having their phones interrogated before they are allowed to enter or exit a country. Having LastPass or OneDrive installed on your phone will cause more exposure than necessary and deleting these applications will provide a level of plausible deniability.
Please Rob Me
Please Rob Me was an online service used to raise awareness of the dangers of sharing too much information on social media. Michael Dell’s daughter famously tweeted her locationto her followers and undermined a $2.7 Million USD a year security operation to keep the family safe and secure. Posting the wrong thing on social media could inform attackers that you are not home and open you up to social engineering (e.g. attacker posing as a hotel employee wanting to confirm your credit card information), spearphishing, and physical break-ins to your home (Did you remember to lock your corporate laptop in a fireproof safe?). Be vigilant about what is posted and who can see those posts.
Attackers do not go on vacation and neither should security awareness. Following a few security best practices will allow you to travel safely and keep secret things secret. When traveling for work or securing corporate assets, it is essential to have the same level of protection whether that device is on or off the corporate network. Security starts with the user and a relaxed or vacationing user should not let their guard down. Stay safe this summer.