Caught Off Guard…and Online
Your personal technology is vulnerable not only in your hotel room safe but tucked in your pocket walking down a street. We talked with technology expert David Holtzman about the unknown risks you take with your proprietary business information when you travel. —Editor.
So if I’m going to Toronto, I don’t worry about it. If I’m going to Beijing, I worry a lot. China’s government is known to have programs to explicitly attack and hack almost any digital device that any foreigner brings in. They don’t want the money. They want the information.
When I went to Beijing this year, I took a second laptop with me. I scrubbed the laptop before I did anything with it. I formatted it, reinstalled the operating system—didn’t put anything personal on it. Everything I needed that was personal I kept on an encrypted hard drive I plugged in when needed. When I got back, I tested the laptop, and it had at least three malware programs that had been installed by somebody at some point while I was in Beijing.
The best way to protect something is to encrypt it—or just don’t bring it on your trip at all.
You also have to worry, depending on your nationality, coming back into the United States. ICE has a renewed interest in taking people’s computers and phones and downloading the contents, looking for who knows what. They’ve even done this to some Americans. This has happened at the Canadian border on many occasions recently. And there are a lot of cases in court right now challenging this.
Even if you’re American, if you have an iPhone with a bunch of encrypted junk and you cross the border into the United States, in theory these guys can grab your phone and try to force you to unlock it. And there are devices that will enable them to read it even if you don’t cooperate.
In Russia you should expect someone to try to take your data. I think that’s true in most countries. I would even worry about France.
At this point, if you’re travelling internationally, I think you should assume anything digital you have on you is probably going to get read. If you don’t want it read, encrypt it.
With Apple laptops, you can encrypt the whole hard drive pretty easily. If you encrypt the hard drive, it’s pretty solid. If they have a really good reason to go after you, they’re going to have to get your password to unlock it and at least you’ll know.
Wi-Fi is another big problem. One of the biggest scams in the world today is free Wi-Fi. Airport free Wi-Fi, coffee shop free Wi-Fi. There’s a device—I actually have one—called a Pineapple, which costs about $150. A Pineapple is totally legal in this country. You plug it into your laptop, you go into an airport or hotel, and it allows you to create a fake Wi-Fi network.
You can pick a name for it. So let’s say you’re in a Marriott Hotel and you create a Wi-Fi called “Marriott Guest Network #2.” Everybody will start seeing that. They’ve got the password from Marriott Guest Network, so they just assume it’s an extension and they type in the password. Since it’s a man-in-the-middle thing, everything you type in goes into that, and then it passes it through to wherever you were trying to go, like Amazon or your personal web account or your bank.
I would guess at least one of every six computers is hacked and nobody knows. The hacker that put something on there isn’t ready to do anything with it. Or they just nailed a million computers at once and may turn them into a botnet. Or they may start pulling information out next Tuesday at 1 a.m. You just won’t know.
She was terrified. That’s called spear phishing because it’s targeted. It looked personal. I talked her down off the cliff and explained what it was. Then I went back and looked in my junk folder, and I had the same email. And it had one of my old passwords.
The theory used by hackers is that most people, if they use a password on this system, may use the same on another site. The truth is most people do. We need so many. I mean, I must have 500 passwords. Most people have at least 50 or 60, and when you have all these passwords you can’t make them up and remember them. Hackers can programmatically go after that.
To protect yourself, there is something called a password locker. You pay an annual subscription, and it encrypts your passwords so you get one master password and you use that to unlock each of the other passwords.
Of course, the problem is if you allow somebody to get your master. Now they have all of your passwords. So that goes back to my original point that there is no absolute security. These are mitigation strategies. Everyone should absolutely use one of these password lockers.
A Stingray is not a tower; it’s just a box. The way cell phones work is your phone signal goes from cell to cell to cell. It just hands it off. If you walk down the block, you’re probably going to go through three different cells without even knowing it. There are probably 20 cell phone towers my phone could see right now. You put a Stingray down, anywhere, and it looks like one of those towers to your phone. So as you walk down the street, you may very well connect to that Stingray instead of a real cell phone tower.
It’s another variation of the man-in-the-middle concept. So now everything you type is going through that Stingray, which is then going out to the real internet. So if you use a password, guess what? They just got your password. If it’s a voice call, they got your voice call, they’ve got your text messaging. This is very common in congested urban areas like Washington and New York.
The reason this is so common is because law enforcement started using this and when citizens wanted to go to court and stop it, the government stepped in and protected their ability to use it. They want to do it without getting a warrant or a subpoena, which has allowed the industry to thrive. Everybody in the world has these things. I doubt there’s a single government that doesn’t have Stingrays.
This is one of a traveler’s biggest vulnerabilities. I don’t think the average person could tell. As a consequence, you have to assume anywhere you are in the world, anything you’re saying on a cell phone, anything you text, has been taken by somebody and looked at. So that’s a pretty big risk.
Another kind of risk is “snarfing.” This relates to Bluetooth. Bluetooth is a horrible protocol from a security viewpoint. The only saving grace for Bluetooth is its short range, but if somebody gets within 20 or 30 feet of you, it’s not impossible to use Bluetooth and go onto your phone and steal everything. That’s why it’s called snarfing.
There are special phones sold that can protect against all of these things. They’re expensive.
If you’re doing something that’s potentially very lucrative and you’re a good target for industrial espionage, bottom line is just think long and hard about putting it on any device that’s out of your control. Don’t allow anybody physical access to your phone or laptop. Minimize the amount of interconnectedness you do. Use your own cell phone hotspot if you have one.
From your perspective, you’re just browsing. But you’re not really, because the program is doing a bunch of complicated things so they can be sure they’re charging you for it. If they weren’t, it would just be a straight pass-through, and you’d be a lot safer. Because they want to make sure you don’t get it for free, they take over part of your computer, which makes you vulnerable.
The National Security Agency grabs every piece of traffic on the open internet it can get its hands on—every single email anywhere in the world. They capture and store it in a place in Utah at a data mountain facility called Bumblehive. This is well known. And they’ve been doing this for at least six years.
Holtzman is president of Global POV.