planes trains information security

I travel often. For several years, I was one of those people who lived in the sky. During my busiest traveling year, I racked up nearly 175,000 domestic miles in the air. Traveling as much as I did during that time, I saw a lot of things I wish I could have just erased like an Etch-A-Sketch with just a quick shake of my head.

On a recent trip, I experienced a lengthy delay. After I changed gates and settled in, I picked up the book I was reading and mixed in some intermittent emailing. About a half-hour passed before someone plopped themselves down across from me, began plugging in, and made an ad hoc desk for themselves out of their laptop and roll-aboard suitcase.  

I try very hard not to eavesdrop at the airport because, well, it’s rude. Sometimes you just can’t help it though. When this person picked up the phone to chat with what sounded like their HR person, they were talking in the loudest voice I’ve heard outside of a sporting event or construction site. They were talking about the new salesperson they had hired and some of the things that they needed to have in place for them for their first week: laptop, business cards, company swag, and other typical onboarding things. Then they brought up customer relationship management (CRM) access. 

The IT person must have told them that they didn’t have any remaining unused licenses and that they’d need to buy one for the new employee. The person across from me said (loudly), “I’m stuck here at the airport, so I’ll take care of some of these things after I log onto the Wi-Fi here.” 

Because their voice was at the decibel level of a person at a metal concert, I heard everything. So did everyone else. Once they logged onto the airport internet, the person began buying things for their new rep. They were reading off credit card numbers to a vendor and making purchases online for other stuff. I began wondering if this person knew how much information security risk there was to doing these kinds of activities in public and on open networks. Do you?

Traveling comes with remarkable information security risk. Using public Wi-Fi, public charging stations, and being ignorant to the conversations you may be allowing people to hear all pose threats to you and your employer. Here are some things to be mindful of while traveling so that you don’t put sensitive information at risk.

Public Wi-Fi, Hotel, or Airport Wi-Fi

Public Wi-Fi networks often see a large volume of connections, making them prime targets for attackers. Wireless attacks like fake access points, evil twins, and man-in-the-middle (MitM) attacks prey on the carelessness of the general public. With a fake access point, an attacker sets up a Wi-Fi connection that people would think is legitimate. Usually, it is named something very close to the name of the public network, which makes you think it is safe to use.

Something like “Airport Free Wi-Fi 2” may seem like a reputable internet source, but could be an attacker’s network. Either way, these connections allow a user (like our loud friend) to connect to the internet as normal, and the bad guy who has created or intercepted the network can spy on and/or absorb all the information that travels along the network before it gets to the intended recipient. These attack methods are effective and common, and they are great ways to capture information and infect your device with malware.
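To make the naming trick concrete, here is an added example (not part of the original article) that reviews a list of nearby networks against the name the venue actually posts and flags look-alikes such as “Airport Free Wi-Fi 2”. The scan entries, the BSSIDs, and the function names are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

def normalize(ssid):
    """Lowercase, drop spaces/punctuation and trailing digits ("Wi-Fi 2" -> "wifi")."""
    s = re.sub(r"[^a-z0-9]", "", ssid.lower())
    return s.rstrip("0123456789") or s

def review_scan(expected_ssid, expected_security, scan, threshold=0.85):
    """Return (ssid, bssid, reason) for networks that imitate the expected one.

    scan is a list of dicts with 'ssid', 'bssid' and 'security' keys.
    """
    findings = []
    want = normalize(expected_ssid)
    for ap in scan:
        ssid = ap["ssid"]
        if ssid == expected_ssid:
            # Exact name: the only visible signal is a security setting that
            # differs from what the venue posts (e.g. WPA2 posted, open seen).
            if ap["security"] != expected_security:
                findings.append((ssid, ap["bssid"], "same name, different security"))
            continue
        # Different string that collapses to (nearly) the same name.
        ratio = SequenceMatcher(None, want, normalize(ssid)).ratio()
        if ratio >= threshold:
            findings.append((ssid, ap["bssid"], "look-alike name"))
    return findings

# Constructed sample scan (hypothetical networks and addresses).
SCAN = [
    {"ssid": "Airport Free Wi-Fi", "bssid": "02:00:00:00:00:01", "security": "open"},
    {"ssid": "Airport Free Wi-Fi 2", "bssid": "02:00:00:00:00:02", "security": "open"},
    {"ssid": "Airport_Free_WiFi", "bssid": "02:00:00:00:00:03", "security": "open"},
    {"ssid": "Airport Lounge Wi-Fi", "bssid": "02:00:00:00:00:04", "security": "wpa2"},
    {"ssid": "Coffee Shop Guest", "bssid": "02:00:00:00:00:05", "security": "wpa2"},
]

if __name__ == "__main__":
    for ssid, bssid, reason in review_scan("Airport Free Wi-Fi", "open", SCAN):
        print(f"{ssid!r} ({bssid}): {reason}")
```

A clone that copies the posted name and security settings exactly passes this check, which is why avoiding the public network altogether remains the stronger control.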

Tips

  • I don’t ever connect to public Wi-Fi directly, and you should resist the temptation as well. I use my phone as a tethered hot spot. While it may slow things down in some cases, it is more than capable of handling email, most internet platforms, and basic computer activities. Especially if you pay for unlimited data, this is an easy risk management technique that ensures a more secure connection.
  • If you want to up the level of security on tethering to your phone, consider a wired tether solution. These wires can be purchased online and allow you to access the internet the same as a mobile hotspot—only they use a USB cord to do so.
  • Outside of tethering, you can also go through your mobile phone provider and purchase a mobile hotspot, which effectively acts as a portable Wi-Fi that you can take with you and use in public. If you use good password and privacy habits with your mobile hotspot, these are very solid alternatives.
  • Another option is to use a virtual private network (VPN) on your computer. This will still allow you to connect to a public internet connection on your device, but it will mask your internet protocol (IP) address and create secure and encrypted connections that protect information.

Public USB Charging Ports

As we become more connected to our devices, public USB chargers at airports and public spaces are becoming more prevalent. They’re handy, fast, and easy to use. They’re also riskier than eating roadkill raccoon in the summer. Remember that the USB cord that you use to charge the phone is also used for transmitting data, files, etc. Unless you can somehow ensure that the port you’re using isn’t passing data, you’re putting your information at risk, exposing the data on your device, the credentials of your device, and opening yourself up to malware. While the chances of this happening are low, you are in an airport where thousands of people fly and it’s plausible that some are looking for an easy data breach.

Tips

  • Travel with a battery backup or two. By always having a trusted battery source, I don’t have to plug into USB ports and have eliminated the risk of getting infected by those public charging ports.
  • Only use wall-plug chargers in public. It prevents the passing of data since that’s a unique feature to USB ports that doesn’t exist in a normal outlet.
  • Get a USB data blocker (also called a USB condom). These dongles block data from transferring to or from your device through your cord. Effectively, it ensures your cord is for charging and charging only. These are relatively inexpensive and can be purchased through a few online retailers.

Your Conversations

It’s an airport. There are a lot of people there. It’s likely none of them are listening to your conversations, but the chances are certainly higher in a place with that many people in it. Would you walk through your city’s downtown area and hand out paper slips with your credit card numbers written down on them? Openly reading off things like credit card numbers, social security numbers, etc. in your outside voice is equally reckless.

Tips

  • There’s not much to this one. Be mindful of where you are and what kinds of conversations you’re having. Avoid reading sensitive information off to anyone you haven’t vetted first and certainly ensure the only people who can hear you are the ones you’d be comfortable knowing the information. A lot of the time, that’s just you.

Other Personal Information Security Habits

Information security habits can be tough to break, but our habits can be our biggest threats. These tools that keep us connected are convenient, but not always secure. We need to retrain our brains to make information security a priority over convenience.

Tips

  • Disable auto-connect on both Wi-Fi and Bluetooth. If your device automatically connects to devices and networks, it makes it easy for attackers to mimic credible connection sources and latch onto your device.
  • Try not to tell people where you’re going on social media. We’re all guilty of this to an extent. It’s fun to share life updates with your friends, but that information is often public, and it would be easy for an attacker to know you’re heading to Florida for the week and your home will be uninhabited.
  • Don’t leave your devices unattended or unlocked. We’re often guilty of this where I’m from—Minnesota nice. It might seem okay to get up from the bar to go to the bathroom and ask the person next to you to watch your computer, but you don’t know them. You don’t know if they’d do something malicious. If you step away from your device, ensure that it’s locked. Better yet, don’t leave your device unattended at all.
  • Mistakes happen. You’re not unintelligent if you accidentally connect to a bad wireless connection or get unusual activity on your device after using a USB charger. That’s why we need to have measures to protect us afterward. Particularly with things that handle financial or personal information, make sure apps are up to date. Updates often contain security measures to fix noticeable information security vulnerabilities. Antivirus is also an easy and effective way to block anything that may slip through the cracks.
  • Finally, ensure you’re practicing good password and PIN practices. It’s not a bad idea to change all the passwords you regularly use, especially before traveling. Different passwords for each account ensure that even if an attacker does get access to something, that’s all they get access to. PINs too. If you have a lockbox or something you carry with you while traveling, make sure the PIN is not something easily identifiable (like a birthday or phone number) and that it’s not one you regularly use.

Conclusion

Traveling comes with remarkable information security risk. Using a public Wi-Fi, public charging stations, and being ignorant to the conversations you may be allowing people to hear all pose threats to you and your employer. Understanding the scenarios above and the tips to avoid them are easy ways to avoid disaster. Prepare for the potential pitfalls associated with airports, train stations, and other public locations where you spend time connected. It’s not hard, it just takes that mental shift to be cautious instead of focusing on convenience. Even implementing some of these tips can go a long way in helping you avoid compromise.

To learn more about how to protect yourself and your business from compromise, visit frsecure.com.

Jim Nash
Information Security Evangelist at FRSecure
Jim's experiences in both politics and the InfoSec industry have cultivated him into a strong and animated communicator that has the ability to crystallize difficult concepts into digestible ideas. These skills and experiences have morphed him into a cybersecurity and information security evangelist, focusing on publicizing the need for organizations to make cyber threats a business liability and not just an IT problem.