
One of the great myths of executive travel is the benefit of racking up hospitality rewards for grand vacations in Fiji or the Swiss Alps. In reality, trips are frequent, exhausting and sometimes bound for undesirable destinations that present a slew of security issues.

Travel Security Challenges and Best Practices

While you may not have much say in when and where you travel, understanding your trip’s goals can help determine the best business security practices. A quick, one-day trip to meet a business partner might mean you can leave your computer at home, for example. A month-long globe trot to multiple satellite offices, client meetings and a little R&R would require a more rigorous approach to securing all of your devices.

It is equally important to know the purpose of your trip, the systems and access you will require while traveling, the sensitivity of information you will be handling and the available security resources. These points will determine what travel security precautions you should take before you even pull out your suitcase.

Bring a Bat Phone

Ideally, you would never take your own phone on a trip. Instead, take a burner phone that contains no personal data. Cybercriminals can use information you may not consider sensitive to facilitate attacks or steal your identity. They can use your contact list, phone call history, texts, personal email and calendar to target other members of your organization or compromise even more sensitive data.

Do not leave any IT device, including mobile phones, unattended. Hotel safes offer little protection from determined attackers, corrupt hotel employees or the host government. If you must leave your things unattended for social or cultural reasons, assign a trusted member of your party to watch all computer and communications gear. If possible, leave them secured at the local embassy or consulate.

Consider disabling your computer’s USB ports as well. You should also use a video camera cover, a laptop screen privacy cover and microphone jack disabler.

Software Security

Be sure to complete virus definition and patch update activities before your departure. Always assume your devices will be compromised upon arrival. In addition to local intelligence services, you may be targeted by agencies from other nations, criminal organizations and commercial competitors.

To avoid a compromise, review and harden the software build of all your equipment prior to your trip. This may include disabling unnecessary features such as the microphone, camera and Bluetooth capabilities.

You should expect any online services you use to be compromised the moment you arrive, but there are steps you can take to protect yourself. Have an assistant forward email to a temporary account that you will delete once you return home, for example. Forwarded emails or excerpts should never contain sensitive information.

Additionally, never update software while connected to an untrusted access point. Disable Java and all noncritical plugins and only allow JavaScript on trusted sites. Don’t click on ads or pop-ups or open email attachments from untrusted senders.

Handling Classified Information

Deleting or moving sensitive information prior to travel is not always sufficient. Take a separate device when traveling to countries of concern so you can minimize the sensitive files — including email history — on your devices. Accept no media or files from untrusted parties, including your host. You can view files on your host’s devices when required.

Bring your PowerPoint or other documents to be shared with hosts on a USB drive, then securely dispose of the device when it’s no longer needed. Do not download files to a device in-country. Most importantly, be sure to promptly and securely delete files once they are no longer needed. Never plug anything into your computer that has been in contact with untrusted systems or media. Upon return, dispose of devices used in countries of concern, or at least have them forensically wiped and rebuilt.

Use strong encryption — including full-disk encryption — on all devices that will accept it to protect data at rest. However, you must recognize that these systems can be defeated. When a device passes through customs, for example, it is subject to inspection and may need to be powered up. If so, use trusted platform module (TPM)-based disk encryption and minimum Federal Information Processing Standard (FIPS) 140-2 level 3 devices or the highest level available.

It’s easier to follow these best practices if noncritical features and ports are disabled because it eliminates the social awkwardness of a perceived lack of trust. This awkwardness can be used as a social engineering attack vector.

Destination Unknown

Have devices transported to the local embassy of your destination in a diplomatic pouch, if possible. If your party can travel with an accredited diplomat, he or she can use diplomatic immunity to protect the entire party’s devices from inspection. If you cannot travel with an accredited diplomat, try to have one meet you at the airport ahead of customs.

Assume that hotel rooms, conference rooms, etc. are under video and audio surveillance at all times. Additionally, shredders that are made available to you can have hidden scanners that deliver the documents you are trying to destroy directly to cybercriminals. Similarly, all voice, data and text carried by local telecommunications companies can be compromised. Access all information via secure tunneling with strong end-to-end encryption vetted by your IT department or a competent consultant.

If you find that this system is not working when in-country, consider that an adversary may have disabled it to force you to use a less secure form of communication. Also consider that internet activity conducted through public terminals or wireless networks may point to real or perceived vulnerabilities that intelligence services or others could leverage to provoke, recruit or embarrass you.

Obviously, all these travel security insights and recommendations are not appropriate for every employee on every trip. But maintaining a high level of awareness and pre-travel preparation always provides added security and peace of mind.


Security Intelligence

Seagate is trying to fight off a suit filed by employees whose personal information was lost when the storage giant was hit with a phishing attack.

The company is currently in the midst of a hearing over whether the aggrieved workers have grounds to sue their employer for negligence after someone in human resources was duped into handing over copies of employee W‑2 tax forms.

The suit [PDF], originally filed in July through the Northern California District Court, accuses the hard drive maker of negligence and unfair business practices stemming from the March 1, 2016 incident when a phishing attack led to the loss of the W‑2 information on all Seagate employees, as well as family members and beneficiaries named in employee W‑2 forms.

The suit claims that the attackers have already begun using the information lifted in the breach. It asks that Seagate be required to pay out damages and fees to a nationwide class of Seagate employees and others named in the pilfered W‑2s.

"No one can know what else the cybercriminals will do with the employees' and third-party victims' personally identifiable information. However, the employees and third-party victims are now, and for the rest of their lives will be, at a heightened risk of identity theft," the suit alleges.

"Many employees and third-party victims have already suffered out-of-pocket costs attempting to rectify fraudulent tax returns and engaging services to monitor and protect their identity and credit."

The storage giant, however, disputes the claims and is trying to have the case thrown out of court.

This week, Seagate has entered into hearings on a motion that the case be dismissed on the grounds that it should not be held responsible for the actions of the criminals who carried out the phishing attacks.

"Plaintiffs seek to hold Seagate responsible for harm allegedly caused by third-party criminals," Seagate claims.

"But Plaintiffs cannot state a claim based solely on the allegation that an unfortunate, unforeseen event occurred. They must actually allege facts that show they are entitled to relief from Seagate."

Should Seagate's motion to have the suit thrown out fail, the case will continue toward a jury trial later this year. ®



The Register - Security

Researchers at Rapid7 spotted bugs in Fisher-Price and hereO products that could expose data.

Researchers at Rapid7 discovered vulnerabilities in Fisher-Price's Smart Toy and hereO's GPS platforms that could allow an attacker to collect the personal information of a user.

The Smart Toy is a stuffed animal that connects to an online account via Wi-Fi to provide users with a customizable educational and entertainment experience.

The toy's platform contained an improper authentication handling vulnerability that could allow an unauthorized user to obtain a child's name, age, date of birth, gender, spoken language and more, according to a Feb. 2 security blog post.

Many of the platform's web service application program interface (API) calls didn't appropriately verify the “sender” of messages and could allow a would-be attacker to send requests that shouldn't be authorized under ideal operating conditions, according to the post.

In addition to compromising privacy, an attacker could use the bug to launch social engineering campaigns or to force the toy to perform actions that users didn't intend, the researchers wrote.

The platform in a GPS tracker that allows family members to share their location with each other was also vulnerable to outside manipulation.

The hereO GPS platform contained an authorization bypass vulnerability which could allow an attacker to access every family member's location, according to the post.

Once exploited, an attacker could discreetly add their account to any family's network and manipulate notifications through social engineering to avoid detection.

Researchers gave the example of an attacker adding themselves to a family's network under the “name” 'This is only a test, please ignore,' in an attempt to avoid raising suspicion.

Both vulnerabilities were reported to their respective vendors and have since been rectified. Rapid7's Security Research Manager Tod Beardsley told SCMagazine.com in an email correspondence that these issues didn't require patches or firmware upgrades.

Beardsley said that both vendors acted “reasonably and responsibly” during the disclosure process. It's nearly impossible to ship products without some bugs when dealing with the internet of things (IoT) or software in general, he said.

“The goals of companies dedicated to securing personal information should be twofold,” Beardsley said.

“One, make sure that bugs are found in the design and development phases, and two, once vulnerabilities are identified after launch, they are easily and quickly remediated without too much effort by the end users,” he said.

Other IoT toys have been found to pose risks to users as well.

Last year, researchers identified security concerns in Mattel's Hello Barbie that could allow an attacker to extract internal MAC addresses, Wi-Fi network names, account IDs, and MP3 files from the popular doll.

ToyTalk, the company that operates the doll's speech services, reportedly admitted the doll could be hacked but said the vulnerable information did not identify children, nor did it compromise any audio of a child speaking.


Latest articles from SC Magazine News