Reduce Your Attack Surface While Traveling
We’re beginning to travel again and attending shows like RSA, Infosec Europe, and Black Hat. Maybe you’re also taking some well-deserved time off and relaxing with your backlog of shows (or doing that thing where you’re supposed to be off, but still checking your email?)
Whether your travel plans are for business or pleasure, we want folks to be mindful of the fundamentals of cybersecurity while on the go.
Is That Free Public Wi-Fi Really Free?
I get it. You’re frazzled and putting yourself back together after getting through airport security. And I don’t care if you have TSA Pre-Check, Clear, Clear+, Clear-, Clear*, or whatever is available currently check-in-wise, it’s a frenetic experience and you just want to sit down with your computer – maybe get some work done or unwind a bit. Clicking that “Accept Terms” button on the airport Wi-Fi would be so easy.
However, keeping fundamentals in mind, we security practitioners know we need to consider the source, especially if you’re traveling with your work devices (and traveling with your work devices – while on vacation? That’s a whole other thing). But (and that’s a big BUT), if you do need to keep an eye on some things in the office while you’re away, use a Virtual Private Network (VPN) for that added layer of security.
Additionally, once you make it to your final destination and are ready to collapse in your hotel room, the hotel Wi-Fi can be…questionable. They’re analyzing traffic using SSL interception and similar techniques, which can directly interfere with the aforementioned VPN use. So in this instance, we’d recommend using your phone’s hotspot or a MiFi device if possible. Most phones with hotspot capability can also act as a sort of cellular modem if wired directly into the device (depending on the manufacturer).
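A check for the interception described above, added here as an example and not part of the original post: record certificate fingerprints for a few hosts on a network you trust, then compare them on the hotel network. The host names and sample fingerprints are constructed, the function names are illustrative, and a single changed fingerprint can be routine certificate rotation.

```python
import hashlib
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate this network presents for host.

    Validation is off on purpose: the aim is to record what is served, even
    if a CA the device does not trust signed it. No data is sent afterwards.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def compare(baseline: dict, observed: dict) -> dict:
    """Map each baseline host to 'match', 'changed' or 'unreachable'."""
    status = {}
    for host, pin in baseline.items():
        seen = observed.get(host)
        if seen is None:
            status[host] = "unreachable"
        else:
            status[host] = "match" if seen == pin else "changed"
    return status

def assess(status: dict) -> str:
    """One changed pin may be rotation; every pin changing at once is what
    a proxy that re-signs all TLS traffic looks like."""
    reached = [s for s in status.values() if s != "unreachable"]
    if not reached:
        return "no-data"
    changed = reached.count("changed")
    if changed == len(reached) and len(reached) > 1:
        return "likely-intercepted"
    return "review" if changed else "consistent"

# Constructed stand-ins for DER bytes; real use calls fetch_leaf_der(host).
HOME = {"mail.example.com": fingerprint(b"leaf-A"),
        "vpn.example.com": fingerprint(b"leaf-B")}
HOTEL = {h: fingerprint(b"proxy-resigned-" + h.encode()) for h in HOME}

if __name__ == "__main__":
    print(assess(compare(HOME, HOTEL)))
```

Pick baseline hosts whose certificates are stable across locations; hosts behind large CDNs can legitimately serve different certificates from one network to the next.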
Protect Your Devices While Charging
While there have been no confirmed cases of juice jacking – which is the idea of bad actors siphoning data and passwords from devices plugged into public charging stations – it’s still not a bad idea to reduce your attack surface with an added layer of protection.
We recommend a charging-only cable from a trusted supplier. If you’ve been to an industry event recently, we provide one in our travel security kits, so be sure to stop by our booth to grab one. If you don’t have a charging-only cable, you could use an external battery or use an AC power outlet.
Maintaining Your Privacy While You Travel
We’re all aware that it’s a tight squeeze on planes nowadays. Even if the people around you aren’t trying to be nosy, it’s pretty easy to glance over to see what’s on your screen. That’s why if you are planning to get some work done on your way to your vacation destination (and again, I hope you log out and get that much needed R&R!), look into a privacy screen to keep prying eyes away.
And unfortunately, the concern isn’t just who’s next to you while traveling, but who can see or hear you while you’re traveling. Maybe you’re not concerned with people hearing some sweet steel drums, but if you’re traveling for work instead of pleasure, you want to ensure bad actors can’t see or hear using your computer’s microphone or camera.
In the aforementioned kit DomainTools provides, there is a mic-lock as well as a cover for your camera, so again, if you don’t already have one, we’ve got you (literally) covered. It’s also a good plan to heed the warnings your mobile device gives you when the camera and mic are active; the MicroSnitch software will do the same for MacBooks.
Using Two-Factor or Multi-Factor Authentication
I know, I know – it’s mentioned a lot, but it bears repeating because even if a cybercriminal has your password, don’t let them just get away with it. Make it harder for them by enabling MFA whenever you can, so you can see notifications if someone tries to log into your various accounts. And please note: it’s encouraged to use MFA whether you’re at home or on the go.
Avoiding Evil Maid Attacks
Again, we’re fighting against the urge of what’s easy, and it is so easy to just leave your devices in your room, where they should be safe, but as we know, that’s not always the case. Evil Maid attacks occur when bad actors physically gain access to your devices (like if you leave them in the hotel room) and conduct direct hardware attacks on the laptop like implanting devices, cloning storage or RAM, etc. It doesn’t necessarily have to be just leaving a device in a room though – you should avoid leaving your phone or computer at your table if you’re working at a coffee shop or at a workstation at the airport.
The best way to avoid the Evil Maid attack is to carry your devices with you, but that’s not always possible (and sounds super cumbersome). You can also use full disk encryption or configure the BIOS to restrict direct access to device memory.
(RFID) Bag It Up
Some of the items you need to travel (like your passport, mobile device, and credit cards) use Radio Frequency Identification (RFID), which sends out signals via radio waves. We suggest investing in an RFID-blocking travel pouch, which is a bag lined with a copper alloy to stop the transfer of information using electromagnetic signals from RFID scanners. And just to clarify, this post is not sponsored in any way, shape, or form, and the RFID-blocking travel pouch link we’re sharing is just one example of where you can find this type of RFID-blocking protection for your items. And…their products look really slick. Seriously. If you have one of these bags, and they block RFID the way they say they do, we would love to know!
We hope everyone has a happy, safe travel season whether that’s to a vacation destination or to any upcoming conferences. If you’re interested in our travel security kit, but won’t be at any of the shows we’ll be at, let us know – depending on our supply levels, we may be able to send you one, or we can make recommendations on some alternatives.