Traveling Safely SIRT IT Security Roundtable - PowerPoint PPT Presentation

Loading...

PPT – Traveling Safely SIRT IT Security Roundtable PowerPoint presentation | free to download - id: 3cecb3-OGQzO



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Traveling Safely SIRT IT Security Roundtable

Description:

Traveling Safely SIRT IT Security Roundtable Harvard Townsend Chief Information Security Officer harv_at_ksu.edu May 4, 2012 * * * * Computrace when online, contacts ... – PowerPoint PPT presentation

Number of Views:38
Avg rating:3.0/5.0
Slides: 33
Provided by: kstateEd9
Learn more at: http://www.k-state.edu
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Traveling Safely SIRT IT Security Roundtable


1
Traveling SafelySIRT IT Security Roundtable
Harvard Townsend Chief Information Security
Officer harv_at_ksu.edu May 4, 2012
2
Agenda
  • What and where are the risks?
  • Using Internet cafes and WiFi hot spots safely
    (is that even possible?!)
  • New K-State VPN service is your friend!
  • Protecting your eID and other passwords
  • Protecting your personal and financial info
  • ATM security
  • Airport risks
  • Laptop security (add smartphones to the list...)
  • Things to do before you leave (important!!)
  • If we have time...
  • USB Flash drive security
  • Beware of export restrictions on certain
    technologies

3
What are the risks?
  • Focus of this seminar is risks to information and
    technology, not other travel-related risks
  • Physical theft (esp. your laptop, iPad/tablet, or
    smartphone, and of course wallet/purse)
  • Information loss/theft (personal, institutional,
    passwords, acct info)
  • Identity theft
  • Financial fraud/theft

4
Where are the risks?
  • Internet cafés
  • WiFi hot spots (coffee shop, airport, hotel)
  • Any public computer, even some private ones (e.g.
    hotel business center)
  • Airports
  • ATM machines
  • Any country with lax law enforcement or
    untrustworthy government

5
Is China a Risk?
Percentage of Computers Infected with
Malware Source PandaLabs 2011 Annual Report,
Jan. 2012
  • January 2010 Google discloses cyber attacks
    that target Gmail accounts of Chinese human
    rights activists as well as Google intellectual
    property (now known as Operation Aurora) 30
    other corporations similarly attacked. Google
    implicates Chinese government.
  • April 2010 NY Times reporters email is hacked
    while in China reports that many of his
    colleagues experienced the same thing
  • China is a hotbed of cybercrime, state-sponsored
    or otherwise
  • Theres no such thing as privacy in China!
  • Extremely lax IT security

6
Internet Cafés
  • Technology typically not managed well.
    Susceptible to
  • Worms, Trojan horses, etc.
  • Keyloggers
  • Info-stealing malware (steals username/password,
    financial account info)
  • USB thumb drive infections
  • Threat to your privacy since the browser cache,
    temporary files, deleted files, and log data
    leave a trace of your activity
  • Employees sometimes part of the conspiracy

7
Internet Cafés
  • What can you do about it?
  • Avoid them altogether, or just use them for
    innocuous activities like checking the weather,
    bus/train/flight schedules, tourist sites
  • Research local Internet Cafés before you leave or
    ask someone you trust (e.g., the hotel concierge)
    to determine which ones are reputable
  • Never use them for financial transactions
  • If at all possible, dont use your K-State eID
    and password (even secure web access with HTTPS
    does not protect you from keyloggers)
  • Change your eID password after you return to the
    U.S.
  • Make sure antivirus software is running and
    up-to-date do a manual scan if possible,
    although thats time-consuming

8
Internet Cafés
  • What can you do about it?
  • NEVER let it save your login/account
    informationin the browser
  • Use Private Browsing in Firefox or IE
    (InPrivate Browsing)which does not save any
    history/cache/cookies
  • Or clear the browser cache, cookies, history
    beforeyou leave
  • Firefox Pull down Tools menu, select Clear
    Recent History, check all the boxes, change
    Time range to clear to Today, select Clear
    Now
  • IE Pull down Tools menu, select Delete
    browsing history, check all the boxes, select
    Delete
  • Watch for shoulder-surfing
  • Dont leave your computer unattended with any
    sensitive information showing, or authenticated
    sessions open (lock the screen)
  • Carry your own programs on a USB flash drive
    (browser, AV software, email client, password
    safe, VPN client, Secure erase, etc.)
  • Summary AVOID or BE PARANOID!

9
Other public computers
  • Treat them ALL with suspicion
  • Hotel business centers
  • Somewhat better than Internet Café, esp. at
    reputable hotel, but even those are not without
    risk
  • Use same precautions as Internet Cafés
  • Dont use for financial transactions, your
    eID/password, or other sensitiveinformation if
    at all possible

10
The WiFi Dilemma
  • Its SOOO useful and SOOO risky
  • Unsecured wireless networks are very easy to
    snoop someone near you or even across the
    street can watch ALL of your traffic
  • Are freely available programs that watch WiFi
    traffic and intercepts anything that looks like a
    username and password, or account info
  • Hotel wireless just because you have to
    register, pay, and/or authenticate doesnt mean
    its secure. Typically they are not encrypted and
    you dont know who is in the room next to you.
  • Firesheep can intercept Facebook and Twitter
    sessions to change your status, send messages,
    and/or post on the wall of friends

11
Wireless security
  • Dont do financial transactions or other
    sensitive work in public WiFi zones, if possible
    HTTPS reduces the risk, as does the full tunnel
    VPN service
  • Use K-States VPN service to access K-State
    systems the default split tunnel encrypts all
    traffic to/from K-State, but does NOT protect
    your other Internet traffic
  • A full tunnel option is now available that
    encrypts ALL wireless traffic you should use
    this every time youre in a public WiFi location,
    even in Manhattan

12
Virtual Private Network(VPN) Service
  • Install the Cisco AnyConnect VPN client
    available to all fac/staff/students
  • Software and instructions available at
    www.k-state.edu/its/security/vpn
  • Available for Windows, Mac OS X, Linux, iOS
    (iPhone), and Android
  • This is covered in this years required annual IT
    security training

13
Full Tunnel (everything encrypted)
Split Tunnel (only K-State traffic encrypted)
Disconnected
Connected
14
Protecting your eID
  • Avoid using it in Internet Cafés and other public
    computers, if possible (due to risk of it being
    stolen by keylogger malware)
  • Use K-States VPN service to access K-State
    resources when possible
  • Change your eID password when you get home as a
    precaution
  • Use a web-based password manager like LastPass to
    manage your passwords (even though lastpass was
    hacked last year)

15
Protecting Your Personaland Financial Information
  • Take all the online precautions mentioned thus
    far
  • Always know where your passport is
  • Stow it securely on your person
  • Hide it in your hotel room or put it in a safe
  • Beware of pick-pockets
  • Conceal your valuables
  • Dont let a vendor/server take your credit card
    out of your sight
  • Pay with cash as much as possible (so you dont
    have to use your credit card)
  • Use virtual credit card number if available
    from your card-issuing bank only good for a
    single purchase, or single merchant, or limited
    time is in essence a throw-away card number tied
    to your account can generate yourself online
  • Get a chip PIN credit card increasingly
    required for overseas travel, especially in
    Europe
  • Risk of RFID in new passports exaggerated
  • Let your credit card companies know your travel
    destination and dates (can now do this online
    with some major credit cards)

16
ATM security
  • US Secret Service estimates annual loss from ATM
    fraud at 1 billion (350K per day!), 80 of that
    due to card skimming (bogus card reader placed
    over the top of the real card reader)
  • ATM skimmer device attached to an ATM machine
    to steal bank account info
  • Rampant in Europe, growing threat in U.S. too
  • Look for indicators of tampering with the keypad
    or card swipe/feed mechanism
  • Device fits over real card reader and stores or
    transmits (via cell phone, for example) the data
    from the magnetic stripe on the card criminals
    also get PIN with camera or fake keypad

17
ATM Skimmers
Bogus keypad designed for Diebold ATM
Skimmer found at Citibank ATM in Woodland Hills,
CA, Dec. 2009
Skimmer found at Wachovia Bank in Alexandria, VA,
Feb. 28, 2010 loss to customers exceeded 60,000
18
ATM security
  • Only use ATMs in the lobby of reputable banks
    esp. beware of solitary ATMs in secluded places
    at night (risk of assault/theft)
  • Watch for people looking over your shoulder
  • Make a few large withdrawals instead of many
    smaller ones so you use the card less often
    (although carrying lots of cash is risky)

19
Airports
  • High risk of theft
  • Fall 2008 report 16,000 laptops lost or stolen
    in airports in US and Europe PER WEEK!!
  • Will cover laptop security later
  • Dont let valuables out of your site, esp. at
    security screening criminals target airports and
    create diversions to distract you while they
    steal your laptop
  • Put your smartphone in your shoe or carry-on bag
    (i.e., out of sight) when going through X-ray to
    reduce risk of theft

20
Airports
  • Use same precautions with the public WiFi in
    airports that you would in any public WiFi hot
    spot
  • General rule dont connect to unknown wireless
    networks
  • Remember that just because you pay for the
    service does not mean its secure.
  • Use Personal/WiFi Hotspot feature of Smartphone
    (laptop connects to Internet via WiFi through
    your phone) beware of eating up your cell phone
    data plan allotment
  • Use MiFi device (WiFi connectionthrough
    cellular 3G/4G network)

21
Airports
  • Beware of the oft-seen but bogus Free Public
    WiFi adhoc/computer-to-computer wireless
    network dont try to connect to it.
  • It may give someone access to your computer if
    you have file sharing enabled without password
    protection or an account without a password
  • In most cases, its harmless, but your computer
    may start advertising Free Public WiFi to
    people near you

22
Airports
  • Know what you can and cannot bring into the
    country dont discover that at the Customs
    check at the destination airport
  • Israel would not allow iPads into the country for
    about two weeks in April 2010 due to an unfounded
    fear that its WiFi implementation might interfere
    with communications and did not meet European
    Union standards (not true)
  • Are recent reports of Israeli airport security
    taking apart computers looking for explosives

23
Airports
  • Speaking of excessive Israeli airport security...

24
Laptop Security
  • 20 stolen on K-State campus in 2010
  • Stolen laptops a daily occurrence in Manhattan
  • Never leave unsecured laptop unattended
  • Use a locking security cable
  • Hotel room
  • Public locations, coffee shop
  • Conferences, training sessions
  • Cost 15-50, combination or key lock
  • Use strong password on all accounts
  • Dont store sensitive info on it, but if you have
    to, encrypt the entire hard drive (K-State uses
    PGP Whole Disk Encryption software for this
    purpose) www.k-state.edu/its/security/pgp
  • Dont leave it in view in your vehicle
  • Dont trust the trunk - remember the quick
    release lever inside the vehicle?

25
Laptop Security
  • Dont let it out of your sight when you travel
  • Be particularly watchful at airport security
    checkpoints
  • Always take it in your carry-on luggage
  • Never put it in checked luggage
  • K-State administrator traveling in Asia last
    year, told at check-in in Kuala Lampur airport in
    Malaysia to reduce weight of carry-on put laptop
    in checked bag gone when he arrived at
    destination
  • Use a nondescript carrying case
  • One that doesnt look like a laptop carrying case
  • Remove the computer manufacturer logo from the
    case
  • Be careful when you take a nap in the airport
  • Wrap the carrying case strap around your body
  • Or use the locking security cable to secure it
  • Take a clean (i.e., no data) netbook or iPad
    instead of your laptop
  • Take similar precautions with your smartphone
    they are prime targets for theft and now hold
    much data

26
Tracking RecoverySoftware
  • If stolen, the computer contacts the company the
    next time its on the Internet the company then
    traces it and contacts law enforcement to recover
    it very effective in the U.S. inconsistent
    results outside the U.S.
  • This software led to the recovery of a laptop
    stolen in Columbia, MO, that later appeared on
    the K-State network (January 2010)
  • Computrace LoJack for Laptops from Absolute
    Software (www.absolute.com) is an example
  • Pre-installed in BIOS on many laptops
  • Dell
  • HP
  • Have to buy the license to activate
  • Costs about 30-45 per year per computer

27
Before you leave home
  • THESE PRECAUTIONS ARE REALLY IMPORTANT!
  • Backup your data
  • Record identification information of your laptop
  • Record make, model, serial number of laptop
  • Take pictures of it
  • Label it with ownership and contact info a
    conspicuous label is a significant deterrent
  • Write down credit card account numbers and phone
    numbers for credit/debit card companies (and take
    them with you) cant use U.S. toll-free numbers
    overseas but can call them collect so take the
    correct phone numbers with you
  • Take a paper copy of your passport info page in
    case it is lost or stolen

28
Before you leave home
  • Dont rely solely on electronic device for your
    reservations, confirmation numbers, itinerary,
    etc. Have paper copies.
  • In case device stolen or battery dies
  • Can show cab driver a piece of paper with the
    address of your destination instead of handing
    him your Smartphone
  • If leaving the country, notify the financial
    institutions of the accounts you will use
    (destination and dates of travel) otherwise,
    they are likely to lock your account when they
    see transactions from another country
  • Notify the U.S. state department if going to a
    volatile location travelregistration.state.gov

29
Take my stuff, please!
30
Whats on your mind?
31
USB Flash Drive Security
  • DO NOT store confidential data on them!!
  • Too easy to lose, easy target of theft
  • Common way malware spreads dont use it in a
    computer you cannot trust, like an Internet Café
    just putting the drive in the computer can infect
    it
  • Dont use it as a backup device (too easy to lose
    it)
  • Delete files so they arent recoverable
  • Good tool for this is Eraser (eraser.heidi.ie)
  • Encrypt files on it with TrueCrypt
    (truecrypt.org) or
  • Buy an encrypted USB flash drive
  • Ironkey a popular brand 8 GB encrypted drive
    about 200 - www.ironkey.com

32
Export Controls
  • Export broadly defined by Feds, includes
    actual shipment of any covered goods or items
  • Export Administration Regulations (EAR) by the
    Commerce Dept. controls technology types of
    encryption technology have historically been an
    issue
  • Intl Traffic in Arms Regulations (ITAR) by the
    State Dept. controls weapons (duh!)
  • K-States University Research Compliance Office
    (URCO) has training availablewww.k-state.edu/rese
    arch/comply/ecp/index.htm
About PowerShow.com