traveling safely sirt it security roundtable l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Traveling Safely SIRT IT Security Roundtable PowerPoint Presentation
Download Presentation
Traveling Safely SIRT IT Security Roundtable

Loading in 2 Seconds...

play fullscreen
1 / 34

Traveling Safely SIRT IT Security Roundtable - PowerPoint PPT Presentation


  • 235 Views
  • Uploaded on

Traveling Safely SIRT IT Security Roundtable Harvard Townsend Chief Information Security Officer harv@ksu.edu May 7, 2010 Agenda What and where are the risks? Using Internet cafes and WiFi hot spots safely (is that possible?!) Protecting your eID and other passwords

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Traveling Safely SIRT IT Security Roundtable' - jaden


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
traveling safely sirt it security roundtable

Traveling SafelySIRT IT Security Roundtable

Harvard Townsend

Chief Information Security Officer

harv@ksu.edu

May 7, 2010

agenda
Agenda
  • What and where are the risks?
  • Using Internet cafes and WiFi hot spots safely (is that possible?!)
  • Protecting your eID and other passwords
  • Protecting your personal and financial info
  • ATM security
  • Airport risks
  • Laptop security
  • Things to do before you leave (important!!)
  • USB Flash drive security
  • Beware of export restrictions on certain technologies
  • K-State VPN service
what are the risks
What are the risks?
  • Physical theft (esp. your laptop or phone, and of course wallet/purse)
  • Information loss/theft (personal, institutional, passwords, acct info)
  • Identity theft
  • Financial fraud/theft
where are the risks
Where are the risks?
  • Internet cafés
  • WiFi hot spots
  • Any public computer, even some private ones (e.g. hotel business center)
  • Airports
  • ATM machines
  • Any country with lax law enforcement or untrustworthy government
is china a risk
Is China a Risk?
  • January 2010 – Google discloses cyber attacks from China that target Gmail accounts of Chinese human rights activists as well as intellectual property; some 30 other corporations similarly attacked; Google implicates the Chinese government
  • January 25, 2010 – five web sites of Chinese human rights groups hit by DDoS
  • April 2010 – NY Times reporter’s email hacked while in China; reports that many of his colleagues experienced the same thing
  • April 2010 - Researchers at University of Toronto exposed a cyber spy ring that pilfered documents and email from computers in 100 different countries; the common thread is the attacks originated from computers in China and targeted the Dalai Lama (stole his email), Tibetan human rights advocates, the Indian Defense Ministry, and foreign journalists who cover China and Taiwan
  • China is a hotbed for cybercrime, state-sponsored or otherwise
  • Extremely lax IT security
  • Recent amendment to Chinese Law on Guarding State Secrets states that "Information transmissions should be immediately stopped if they are found to contain state secrets," and that if state secrets have been found to be leaked, the companies must keep records of the incident and notify authorities. The definition of state secrets in China is quite broad; information such as maps and economic statistics could be considered prohibited for discussion. There’s no such thing as privacy or net neutrality in China!www.washingtonpost.com/wp-dyn/content/article/2010/04/27/AR2010042704503.html
internet caf s
Internet Cafés
  • Technology typically not managed well. Susceptible to:
    • Worms, Trojan horses, etc.
    • Keyloggers
    • USB thumb drive infections
  • Browser cache, temporary files, deleted files, log data leave a trace of your activity
  • Staff sometimes part of the conspiracy
internet caf s7
Internet Cafés

What can you do about it?

  • Avoid them altogether, or just use them for innocuous activities like checking the weather, bus/train/flight schedules, tourist sites
  • Research local Internet Cafés before you leave or ask someone you trust (hotel concierge?) to determine which ones are reputable
  • Never use them for financial transactions
  • If at all possible, don’t use your K-State eID and password (even secure web access with https does not protect you from keyloggers)
  • Make sure it has antivirus software running and up-to-date – do a manual scan if possible; check for a firewall too
  • Or run a free web-based AV check (like Trend’s HouseCall - http://housecall.trendmicro.com/), although this can be time-consuming and you’re paying for your time on the computer
  • Check installed programs, programs running in memory for anything suspicious (difficult for average user, esp. if the programs are in a foreign language)
internet caf s8
Internet Cafés

What can you do about it?

  • When you delete a file, use a secure delete tool like “Eraser” (if you can install programs on the computer)
  • NEVER let it save your login/account informationin the browser
  • Use “Private Browsing” in Firefox or IE which doesnot save any history/cache/cookies
  • Or clear the browser cache, cookies, history beforeyou leave
    • Firefox – Pull down Tools menu, select “Clear Private Data”, check all the boxes, select “Clear Private Data now”
    • IE – Pull down Tools menu, select “Delete Browsing History…”, select “Delete All”
  • Watch for shoulder-surfing
  • Don’t leave your computer unattended with any sensitive information showing, or authenticated sessions open (lock the screen)
  • Carry your own programs on a USB flash drive (browser, AV software, email client, password safe, VPN client, Secure erase, etc.)
  • Summary – AVOID or BE PARANOID!
other public computers
Other public computers
  • Treat them ALL with suspicion
  • Hotel business centers
    • Probably better than Internet café, esp. at reputable hotel, but even those are not without risk
    • They typically use an acct with Administrator privileges, so anyone can install anything
    • Use same precautions as Internet Cafés
    • Don’t use for financial transactions, your eID/password, or other sensitive sessions if at all possible
    • Plug your own laptop in if possible; turn off File/Printer sharing
other public computers10
Other public computers
  • Public libraries
    • In U.S., have extensive filtering that can prevent some malware too. Might be better managed than other public computers, depending on the staff at that library
  • Public Kiosks
    • “Danger, Will Robinson!” (just check the weather and news)
the wifi dilemma
The WiFi Dilemma
  • It’s SOOO useful and SOOO risky
  • Unsecured wireless networks are very easy to snoop – someone near you or even across the street can watch ALL of your traffic
  • Are freely available programs that watch WiFi traffic looking for anything that looks like a username and password, or account info
  • Hotels – just because you have to register/pay or authenticate doesn’t mean it’s secure. They typically are not encrypted and you don’t know who is in the room next to you.
wireless security
Wireless security
  • Use K-State’s VPN service to access K-State systems; this does NOT protect your other Internet traffic
  • Don’t do financial transactions or other sensitive work in public WiFi zones, if possible; HTTPS reduces the risk
  • General wireless security:www.onguardonline.gov/wireless.html
  • Wireless terminology:www.onguardonline.gov/wireless.html#glossary
protecting your eid
Protecting your eID
  • Avoid using it in Internet Cafés and other public computers, if possible
  • Use K-State VPN service to access K-State resources when possible
  • Change your eID password when you get home as a precaution
protecting your personal and financial information
Protecting Your Personaland Financial Information
  • Take all the online precautions mentioned thus far
  • Always know where your passport is
    • Stow it securely on your person
    • Hide it in your hotel room or put it in a safe
  • Beware of pick-pockets
  • Conceal your valuables
  • Don’t let a vendor/server take your credit card out of your sight
  • Pay with cash as much as possible (so you don’t have to use your credit card)
  • Let your credit card companies know your travel destination and dates (can now do this online with some major credit cards)
atm security
ATM security
  • US Secret Service estimates annual loss from ATM fraud at $1 billion ($350K per day!), 80% of that due to card skimming (bogus card reader placed over the top of the real card reader)
  • “ATM skimmer” = device attachedto an ATM machine to steal bank account info
  • Rampant in Europe, growing threatin U.S. too
  • Look for indicators of tampering with the keypad or card swipe/feed mechanism
  • Device fits over real card reader and stores or transmits (via cell phone, for example) the data from the magnetic stripe on the card; criminals also get PIN with camera or fake keypad
  • Can buy skimmers online for $1500-$2500
atm skimmers
ATM Skimmers

Bogus keypad designed for

Diebold ATM

Skimmer found at Citibank ATM in

Woodland Hills, CA, Dec. 2009

Skimmer found at Wachovia Bank in

Alexandria, VA, Feb. 28, 2010; loss

to customers exceeded $60,000

atm security17
ATM security
  • Only use ATMs in the lobby of reputable banks; esp. beware of solitary ATMs in secluded places at night
  • Watch for people looking over your shoulder
  • Make a few large withdrawals instead of many smaller ones so you use the card less often
airports
Airports
  • High risk of theft
    • 16,000 laptops lost or stolen in airports in US and Europe PER WEEK!!
  • Will cover laptop security later
  • Don’t let valuables out of your site, esp. at security screening; criminals target airports and create diversions to distract you while they steal your laptop
airports19
Airports
  • Use same precautions with the public WiFi in airports that you would in any public WiFi hot spot
  • General rule – don’t connect to unknown wireless networks
  • Remember that just because you pay for the service does not mean it’s secure.
airports20
Airports
  • Beware of the oft-seen but bogus “Free Public WiFi” adhoc/computer-to-computer wireless network – don’t try to connect to it.
  • It may give someone access to your computer if you have file sharing enabled without password protection or an account without a password
  • In most cases, it’s harmless, but your computer may start advertising “Free Public WiFi” to people near you
airports21
Airports
  • Know what you can and cannot bring into the country – don’t discover that at the Customs check at the destination airport
  • Israel would not allow iPads into the country for about two weeks in April due to an unfounded fear that its WiFi implementation might interfere with communications and did not meet European Union standards (not true)
laptop security
Laptop Security
  • Six stolen on K-State campus thus far in 2010
  • Stolen laptops a daily occurrence in Manhattan
  • Never leave unsecured laptop unattended
  • Use a locking security cable
    • Hotel room
    • Public locations, coffee shop
    • Conferences, training sessions
    • Cost $15-$50, combination or key lock
  • Don’t leave it in view in your vehicle
    • Don’t trust the trunk - remember the quick release lever inside the vehicle?
  • Use strong password on all accounts
  • Don’t store sensitive info on it, but if you have to, encrypt the entire hard drive (K-State uses PGP Whole Disk Encryption software for this purpose): www.k-state.edu/its/security/pgp
laptop security23
Laptop Security
  • Don’t let it out of your sight when you travel
  • Be particularly watchful at airport security checkpoints
  • Always take it in your carry-on luggage
    • Never put it in checked luggage
  • Use a nondescript carrying case
    • One that doesn’t look like a laptop carrying case
    • Remove the manufacturer logo from the case
  • Be careful when you take a nap in the airport
    • Wrap the carrying case strap around your body
    • Or use the locking security cable to secure it
  • Take a cheap netbook or an iPad instead of your laptop
tracking recovery software
Tracking & RecoverySoftware
  • If stolen, the computer contacts the company the next time it’s on the Internet; the company then traces it and contacts law enforcement to recover it; very effective in the U.S.; inconsistent results outside the U.S.
  • This software led to the recovery of a laptop stolen in Columbia, MO, that later appeared on the K-State network (January 2010)
  • ComputraceLoJack for Laptops from Absolute Software (www.absolute.com) is an example
  • Pre-installed in BIOS on many laptops
    • Dell
    • HP
  • Have to buy the license to activate
  • Costs about $30-$50 per year
before you leave home
Before you leave home

THESE ARE REALLY IMPORTANT!!!

  • Backup your data
  • Record identification information
    • Record make, model, serial number of laptop
    • Take pictures of it
    • Label it with ownership and contact info; a conspicuous label is a significant deterrent
  • Write down credit card account numbers and phone numbers for credit/debit card companies (and take it with you); can’t use U.S. toll-free numbers overseas but can call them collect so take the right phone numbers with you
  • If leaving the country, notify the financial institutions of the accounts you will use (destination and dates of travel); otherwise, they are likely to lock your account when they see transactions from another country
  • Notify the U.S. state department if going to a volatile location: travelregistration.state.gov
usb flash drive security
USB Flash Drive Security
  • DO NOT store confidential data on them!!
    • Too easy to lose, easy target of theft
  • Common way malware spreads – don’t use it in a computer you cannot trust, like an Internet Café; just putting the drive in the computer can infect it
  • Don’t use it as a backup device
  • Delete files so they aren’t recoverable
    • Good tool for this is Eraser (eraser.heidi.ie)
  • Encrypt files on it with TrueCrypt (truecrypt.org) or -
  • Buy an encrypted USB flash drive
    • Ironkey a popular brand; 8 GB encrypted drive about $200 - www.ironkey.com
export controls
Export Controls
  • “Export” broadly defined by Feds, includes “actual shipment of any covered goods or items”
  • Export Administration Regulations (EAR) by the Commerce Dept. controls technology – types of encryption technology have historically been an issue
  • Int’l Traffic in Arms Regulations (ITAR) by the State Dept. controls weapons (duh!)
  • K-State’s University Research Compliance Office (URCO) has training availablewww.k-state.edu/research/comply/ecp/index.htm
is the cisco vpn client restricted
Is the Cisco VPN clientrestricted?

“Civilian Solutions: Restricted Encryption and Unrestricted”

  • Cisco's restricted strong encryption solutions may be exported or re-exported to most civilian/commercial end users located in all territories except the embargoed destinations and countries designated as supporting terrorist activities. Countries listed in Part 746 of the EAR as embargoed destinations requiring a license are Cuba, Iran, North Korea, Sudan, and Syria.
  • See list of countries with embargos at www.bis.doc.gov/policiesandregulations/regionalconsiderations.htm
cisco vpn client
Cisco VPN client?

“Government Solutions: Restricted Encryption”

  • Government entities not located in the following countries require a U.S. export license in order to obtain restricted non-retail strong encryption items: Austria, Australia, Belgium, Canada, Czech Republic, Cyprus, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland, United Kingdom, United States.
virtual private network vpn
Virtual Private Network (VPN)
  • VERY good thing to use to access K-State from off-campus, like public WiFi hotspots
  • Encrypts all network traffic between your computer and the K-State border
  • Makes your computer appear to be on campus to get access to restricted resources
  • Does NOT necessarily encrypt everything that goes to the Internet (“split tunneling”)
  • Also does not encrypt traffic once it is on campus, but that’s not important when you’re traveling
virtual private network vpn32
Virtual Private Network (VPN)
  • Must install Cisco “VPN Client” software
  • Information and software (including a new 64-bit Windows client) available at:www.k-state.edu/its/security/vpn/
  • Cannot use it on campus yet (to secure your wireless, for example); will be able to soon.
  • If can get to Internet but not K-State, modify the “Transport” configuration in the VPN client:
    • Enable Transparent Tunneling
    • IPSec over TCP
slide33

Connected

Disconnected