More
and more people are once again thinking of traveling, both
for business and for pleasure. School will be out soon, making way for family vacations –
although with the ridiculous price of fuel, I’m not sure how
many people will be traveling. Even when only
traveling for pleasure, many business professionals, as do
I, take their laptops and PDA devices with them to be able
to do work during a few “down” moments on their trip, or at
the very least to have a way to keep tabs on their email and
events at work. We geeks are such workaholics, aren’t
we?
On a recent business trip to
the east coast, I had the opportunity to once again enjoy my
hobby of just sitting back and observing people. I was
again reminded of just how complacent folks are about their
security when it comes to using computers and other
information technology enabled devices when on travel.
This seemed to be especially true when using computers in
public places – either their own laptops, or computers in
hotel business centers. I am not sure if people are
just in a hurry, or if they just really are not aware of the
potentials for exposing themselves (in a “data” sort of
sense, that is) while out and about.
There are a number of things
I will talk about in this article having to do with ways to
keep yourself (and your data) more secure when away on
travels. Some of these things are as simple as using
fundamental physical measures to shield your computer screen
from curious eyes. Others involve the act of just
taking the time to clean up after yourself when using a
public computer, and yet other measures I will discuss
simply involve the use of technology that is already built
in to the devices that you are using. There really is
very little to no cost involved in protecting yourself with
these measures, but the cost of giving away your data can be
huge and devastating. So let’s take a look at a few of
the vulnerabilities we face every day when on travel and some
solutions for protection.
Shoulder Surfing:
If you are flying, your
potential for vulnerability begins the very minute you get
to the airport. Many people find that they have to arrive
at the airport a few hours early just to make it through
check-in and security, in order to make their flight on
time. There is often a lot of “down time” here, so many
people, as do I, pull out the laptop and the Blackberry, and
do some work. In this setting, we are often in very close
proximity to other people. Once we board the airplane, it
is even worse. Unless you are lucky enough to be in First
Class, you are sitting with your elbows right up against
someone else’s, and their wandering eyes are just a foot or
two north. Even if you aren’t flying, or have arrived at
your destination, the local restaurant and the corner coffee
shop are no different. When you sit down in that
comfortable chair to enjoy your latte and do some work,
there are countless wandering eyes trying to figure out what
you are doing.
There
are two main problems here. First of all, your neighbor
(who is usually NOT minding their own business) is looking
at your computer as you type in your username and password.
If they can see your log-in box, they can see your username,
and if your computer is joined to a corporate domain, they
can see the domain name. As you type in your password,
unless you are lightning fast, they can see you type the
characters. I’m one of those “two-finger wonders” (I don’t
touch type) so this is a particularly big problem for me. A
devious person intent on harvesting such information
(and they are everywhere, trust me) will be very good at
following your keystrokes and will be able to obtain all the
credentials needed to log in to your corporate network.
They now have your username, the name of your corporate
domain, and your password. All they have to do is get
access into that domain, and they are in. Your username and
password exist on the domain, and are only cached on your
computer, which means that they can access your account from
any computer that can get access to your corporate domain,
such as through a VPN or other remote connection. Another danger is
that if they are able to steal your laptop (more on this
later), they will have access to the data on it. Remember –
these people are everywhere. And if they are shoulder
surfing to get your log-in credentials, they are also
following closely to look for an opportunity to grab your
laptop as well.
The second (and more common)
problem with being in close proximity to others is that they
are often able to view what is on your screen. Are you
working on a document with sensitive personal or company
information? Composing an offline email that you really
don’t want others (especially strangers) to know about? How
about that PowerPoint presentation chock full of corporate
proprietary sales or engineering data? Whatever it is, you
have to either make sure you are only working on things that
are completely dull and unworthy of your nosey neighbor’s
interest, or make the screen un-viewable. In other words,
either pick non-sensitive stuff to work on during these
times, or find a way to hide the screen. For example, I
usually pick some low-level instructional or procedure guide
to work on while I’m flying, or just do some professional
reading. I keep a lot of PDF white papers and
“eBooks” from various online sources on my computer for
reading while on the plane. My job is such that
professional reading and just keeping are large parts of my
work anyway – so it’s not like I’m goofing off.
Solutions: For the password problem, if you
are on a computer that is joined to a corporate domain, use
a local account on the computer (that does not have
administrative privileges), and set a temporary password
that will only be good for the duration of your trip. Of
course, if you do this, you will have to make sure you know
where to browse to on the computer to get to your documents
in your “real” account, because the profile you log in with
will have a “My Documents” folder in a different location.
I get around this by accessing only documents that I have
placed on a flash drive. If you are not joined to a domain,
then just set a temporary password, and set it back to your
actual password when you get home. One of the best
solutions for this is to simply get a small fingerprint
scanner to use to log into the machine. Many are small,
portable, and just plug into the USB port. The newer
laptops and tablet PCs even come with these built in. See
my article on biometric devices for more information.
For the “prying eyes on the
screen” problem, there are a variety of
filters you can buy that will obscure the screen when
someone tries to view it from other than looking at it
straight on. This particular solution will also help to
obscure your username and other login credential information
as you log in. If they can’t see your username, the
password will do no good. But again, don’t give them any
pieces of the puzzle if at all possible. As I always tell
people: “If they have even just your username, they then
have 50% of the information they need to access your
computer.”
Of course, being the
wisenheimer that I am, if I notice someone trying to “catch
a wave” on “shoulder beach”, I simply open a document, set
the font to a larger size (to make sure they can easily read
it), and then start typing in some juicy “official looking”
verbiage. After a paragraph or two, I start a brand new
paragraph, and type in “I think the nosey person sitting
next to me is looking at what I am writing. I hope they
enjoyed my previous two paragraphs. Now GO AWAY!” I have
seen a red face or two resulting from that prank.
Using Flash Drives:
Flash drives are portable
and can store a lot of data. Many people have resorted to
using them because if they know they will have access to a
computer at their destination, all they have to do is put
their documents on the flash drive and leave the computer at
home. Many cell phones and even iPods can be used for this
purpose as well. The problem with these small flash drives
is that they are easily lost or forgotten. It isn’t
uncommon for someone to use them in a public or borrowed
computer and then forget to take them when they are
finished. A lost flash drive means lost data. Lost data
can mean something as frustrating as losing work and having
to do it all over again (if you didn’t have a backup copy
somewhere else), or as devastating as putting sensitive
information into a stranger’s hands.
Flash drives are cheap these
days. If you lose the flash drive, you can just go get
another one. But what about the data on the flash drive?
Is it replaceable? Will it cost you if someone else has
it? Another issue surrounding the ubiquitous nature of
these things is that some people seem to have a whole
lanyard full of them around their necks. Do you have a good
inventory of how many you have? If one came up missing, how
long would it take for you to notice? Kind of like the
movie “Home Alone” where the family had so many kids that
they didn’t notice little Kevin missing until they were in
France!
Solution: The manufacturers of many of
these drives have solved part of this problem for you.
Flash drives have the ability to be encrypted, and the
software to do that is often included with the flash drive
itself. Typically, this encryption works by having you set
up a password in order to access the data. You can encrypt
all or only part of the flash drive’s contents. If someone
gets a hold of your flash drive, they can access anything
that is not encrypted, but will need to know your password
to access the encrypted data. In some cases (depends on the
drive and the encryption software), you can set your
encryption such that if a number of unsuccessful password
attempts occur the data on the drive will be erased. Know
how many you have and keep track of them. If traveling,
take only what you need – leave the other ones at home and
in a safe place. I promise – they won’t miss you.
Using Common Area (Business Center) Computers:
Many hotels have business
centers with computers to allow their guests to access the
Internet and their web based email. In fact on my recent
trip, I had full Internet access at the office I was
visiting, but had to pay for Internet access if I wanted to
use my laptop at the hotel. The only thing I needed after
hours Internet access for was to check my personal email,
and I wasn’t about to pay $10 just for 5 minutes of use. My
remaining option then was to use the business center, since
using those computers was free of charge.
A few problems present
themselves in this scenario, however. One is that people
use these public computers and often leave their surfing
tracks for all to see. The other is that some people forget
to just close out of their applications, and yet another is
leaving those little flash drives plugged in for someone to
come along and retrieve later. In fact, while in the hotel
elevator on my most recent trip, I heard a woman telling her
colleague that when he finished using the computer in the
business center, he had left his email open, and she could
have gone through all his email. Worse, she could have
launched a few questionable emails in his name. This is
truly a dangerous situation. What if it had been a
stranger, and not a trusted colleague? That person could
have read email, sent a few of their own (under the email
account owner’s name), looked at the address book to get a
list of names of people at the company, and just in general
could do some serious damage. All this done under the name
of the person who owns the account. How do you prove that
it wasn’t you who did those things?
When
I used one of the business center computers, I got curious
and opened the browser history. I saw a plethora of email
sites and surfing history. Wouldn’t be too hard to put
together a few patterns and find out where some of these
email servers existed. Depending on the cookies still on
the machine, going to one of those sites may not even
require me to log back in to access the account. The cookie
would remember that I (or more accurately the email account
owner) was just there and just let me right back in. This
is especially true if the previous user had left the web
browser open.
On a really malicious (and
hopefully rare) side of things, a devious person could sneak
into the hotel business center and put a
keystroke logging dongle on the back of the computer
between the keyboard and the computer, or in a USB port.
Such a device is used to capture everything typed into the
keyboard. Which means that they can get the URL to your
banking site, the username and password for your banking
site, and the contents of an email or anything else that you
type into the computer. These key loggers have legitimate
investigative purposes, but are inexpensive and can be
obtained by anyone – including thieves. I say that this is
(hopefully) rare, because most hotel business centers
require a room key card to access – a person would
(theoretically) have to be a paying guest in order to do
this. But many public computers often do not offer such
access protection as that provided by hotel business
centers.
Solutions: For the reasons mentioned above,
it is very important to inspect a public computer before using it and to
clean up after yourself when you are finished. It
takes a few extra minutes to do this, but you can’t put a
price on the time it would take to straighten out the mess
after you have been exposed because you didn’t have time to
prevent these vulnerabilities. Here are some important
steps to take when using public computers:
Do a quick inspection of the back of the computer and any USB ports to look for key logging devices. If you find something, and are not sure, contact the management immediately and have them investigate.
Never select the option to have “Windows remember me on this computer.” Do not allow the computer to store your username and password on the machine. Some web based email applications such as MSN will give you an option to tell it that you are on a public computer and not remember anything about your session.
Delete browser history, all temporary Internet files, and all cookies when you are finished using the computer.
Make sure you are logged out of any sites that you visited. Just closing the browser is not good enough. You must click the “Log out” link on the web site before closing the browser.
Close all instances of the web browser and all applications.
Make sure you take your flash drive when you leave.
Being the cheapskate that I
am, however, my solution is that I try my best to only
patronize hotels and coffee shops that provide complimentary
Internet access to their guests. That way, I can avoid
public computers altogether. But sometimes that just
doesn’t work out, and I end up staying somewhere that makes
me pay additional fees for access. In which case, the above
solutions are a must.
PDAs/Blackberrys/Cell Phones:
Many of the same problems
that exist with flash drives exist with these devices as
well. They are small, easily lost, and can really store a
lot of information. A Blackberry, for example is a phone,
email client, and PDA all rolled into one. Emails, contact
lists, to-do lists, documents, and personal journals are
just a few of the things that can be kept on these devices.
A lost phone device can not only give away sensitive data,
but can give someone access to a free phone. And watch what
you are discussing. What you say can be as revealing as
anything else – especially if you are one of those people
who puts everything on speaker phone, even when in public.
Solutions: Just as you can do with your
flash drives, you can password protect and encrypt the data
on your PDA as well. On my Blackberry, for example, I can
password protect access and encrypt the contents. Not only
that, but my Blackberry is set so that if someone types in
an incorrect password ten times, the Blackberry erases all
of the contents. Then, for added security, the data is
encrypted, so that even if someone takes apart the
Blackberry, and somehow gets the data off of the chip, the
data is encrypted and unusable. Don’t discuss anything on
your phone that you don’t want others in close proximity to
hear. If you are sitting next to me on the plane, just
don’t use your phone – period! I have no interest in what
you have to say ;)
Laptops:
Saving the best and biggest
for last: Laptops (and the data on them) need a lot of
protection. They can carry a lot of data, and are very
attractive to thieves. Keeping the laptop from being stolen
is a job in and of itself, but if it does get stolen, there
is more to worry about than just losing an expensive piece
of hardware. Keeping the data on it from being compromised
is the really important issue at hand, and if someone can
access the data, they can potentially do a great deal of
damage.
A big part of this problem
is that even if they can’t log into the computer itself, and
if they have the computer (physically), then they can remove
the hard drive and put it into a computer that they can
access. In fact, many data recovery techniques rely on
taking the hard drive out of the failed (or in this case
inaccessible) computer and “slaving” it into a working
computer. The working computer’s primary hard drive allows
it to be booted up, and the slaved in hard drive contains
data that can then be accessed. More clever people have
freely available tools such as Knoppix (Linux on a CD) that
they can use to boot up the computer, bypass the security on
that computer, and access the data on the hard drive. In
fact Knoppix can even be used to change the administrative
password on a computer so that access can be gained through
the more conventional method of booting up and logging in.
Solutions: There are some basic measures
that will protect against access to a computer, but only if
the computer is not stolen. In other words, these measures
will work if you can keep the computer from being stolen.
But once the computer is in unauthorized hands, these
measures can be quickly bypassed. You can set a BIOS
password that will prevent the computer from being booted
into the operating system. But this is bypassed by simply
taking the hard drive out of the computer and putting it
into a different computer. Strong passwords for the
operating system itself should also be used. As mentioned
above, consider using temporary or “disposable” passwords.
Small biometric devices, such as fingerprint readers, are
fairly inexpensive, and many laptop and tablet computers
have a fingerprint reader built in. Unfortunately, this can
still be bypassed by putting the hard drive in another
computer, or using a tool such as Knoppix to access the hard
drive’s contents.
Encrypting the hard drive
contents will help a great deal, even if the computer is
stolen. Windows XP has the ability to do this using a built-in
feature. Windows Vista has a built-in tool called
BitLocker. Technologies such as that which is built into
the BitLocker feature, for example, have the ability to
protect data even if the hard drive is transferred to
another computer. The downside of that is that you need to
make sure you remember your password for logging into the
computer, or set up what is known as a “recovery agent,” or
you will lose your encrypted data.
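As an added example (not part of the original article), the following PowerShell function checks before a trip that each volume is fully encrypted, that protection is switched on, and that a recovery protector exists so a forgotten password does not cost you the data. It assumes a current Windows edition with the BitLocker PowerShell module and an elevated prompt; the function name Test-TravelReadiness is hypothetical.

```powershell
# Added example (not from the article): pre-travel BitLocker check.
# Run from an elevated prompt. Test-TravelReadiness is a hypothetical name.
function Test-TravelReadiness {
    [CmdletBinding()]
    param(
        # Volumes to evaluate; defaults to every volume BitLocker reports.
        [object[]]$Volume = (Get-BitLockerVolume)
    )

    foreach ($v in $Volume) {
        # Collect the protector types (Tpm, Password, RecoveryPassword, ...).
        $protectors = @($v.KeyProtector | Where-Object { $_ } |
            ForEach-Object { [string]$_.KeyProtectorType })

        $findings = @()

        # A decrypted or partially encrypted volume can be read by moving
        # the drive into another computer, as the article describes.
        if ([string]$v.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "Volume status is $($v.VolumeStatus) " +
                         "($($v.EncryptionPercentage)% encrypted)"
        }

        # Protection can be suspended (for example around updates); while
        # suspended, the volume key is stored unprotected on the disk.
        if ([string]$v.ProtectionStatus -ne 'On') {
            $findings += 'Protection is not On (suspended or never enabled)'
        }

        # Without a recovery protector, a forgotten password means lost data.
        if ($protectors -notcontains 'RecoveryPassword') {
            $findings += 'No RecoveryPassword protector is configured'
        }

        [pscustomobject]@{
            MountPoint = $v.MountPoint
            VolumeType = [string]$v.VolumeType
            Protectors = $protectors -join ', '
            Ready      = ($findings.Count -eq 0)
            Findings   = $findings -join '; '
        }
    }
}

# Report on every volume; anything with Ready = False needs attention
# before the laptop leaves the building.
Test-TravelReadiness | Format-List
```

Store the recovery password somewhere other than the laptop bag, since it unlocks the drive for whoever holds it.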
Wrapping It All Up:
There are many other dangers
that I haven’t mentioned here, such as accessing wireless
networks while on the road, but that is a topic in and of
itself. Wireless encryption, making sure you are not
accessing an “evil twin” wireless access point, and a few
other issues will be discussed in an upcoming article.
But for the purposes of this
article, I wanted to focus mainly on the more “physical”
aspects of being secure on the road, as well as using
built-in technologies to protect your data. Shielding your
laptop screen from roaming eyes and preventing laptop theft
are important ideas. If your laptop is stolen, knowing that
you took measures to prevent the data from being usable by
unauthorized people is also a very important idea. Other
technologies, such as flash drives, cell phones, and PDAs
represent things that are small, easily forgotten, or easily
stolen. Those items contain sensitive data as well, and
must have data security measures proactively applied. Once
the data is in unauthorized hands, it must be assumed that
it will be used for malicious or illegal purposes. Even if
you retrieve your items, it must also be assumed that the
information was copied and will be used – unless you took
measures to make it useless in the event that a loss occurs.
It is easy to be complacent
when traveling. And, unfortunately, there are plenty of
people out there willing to take advantage of this fact. By
taking a few extra moments to think about what needs to be
protected, taking inventory of your technology-rich
possessions, and taking the extra time to protect your data,
you will ensure a more worry-free travel experience. If I
ever go into a hotel business center and see that you left
your email open – man – I will hunt you down! (After I
email a few jokes to your whole company, that is).
Additional Resources:
Article: Web Surfing in Public Places is a Way to Court Trouble
Article: Mobile Computing: Traveling Without a Notebook
Theft tracking tools
Article: Laptop Security Part 1
Article: Laptop Security Part 2