Risky Travels: Can You Stay Secure?
Security risks for computer users on the go keep multiplying.
Staying connected while you're traveling is a challenge. Establishing secure connectivity is even trickier. My work has involved a lot of travel over the last few years. While it's exciting -- and sometimes tedious -- the one constant of traveling is the challenge of maintaining secure, reliable and affordable connectivity on the road.
Fortunately, you can get relatively reliable connectivity in most places, even though speeds can be surprising. The slowest public access speed I have seen was a 9600 baud modem connection shared between two computers. Considering that was on a remote island with only a satellite telephone connection to the mainland, even that was remarkable.
While getting a connection might be easy, paying for it is another matter. Hotels are notorious for charging guests "extras" for things like connectivity. I have seen rates that were more than $30 a day -- and that was in a place where the local phone company charges their subscribers that much for an entire month of DSL service.
There are also wireless hotspots, cafés and hotels that offer fast, reliable Internet connections for cheap or free. Connecting anywhere is indeed getting easier all the time, but it still creates some unique security challenges.
Want Coffee with That?
If you're traveling without your computer, the most obvious choice for Internet access is to visit an Internet café. These days, you can find them just about anywhere. Internet cafés often brew some good coffee, as well, so they're a pleasant place to take a break and do some browsing.
However, public-access computers in Internet cafés, airports or hotel lobbies are not a secure way to access your corporate network. While these computers are often configured to prevent someone from installing a key logger or other monitoring device, it's often a simple solution that is easy for a criminal to circumvent. The technician at a neighborhood Internet café may be an honest and knowledgeable guy, but he probably can't stop a determined hacker from installing rogue programs on one of the computers. Even in places you trust, you'll find surprising risks.
Unfortunately, I have seen many cases of people displaying risky computing behavior, even when they should know better. For example, I often teach in classrooms where students all log on with administrative privileges (the Administrator password is identical on all computers). With this configuration, any student in the classroom could install a keystroke logger on any of the computers.
Typically, about half of the attendees, many of whom work in the security field, still check their work e-mail during class or do other things that require them to enter passwords. While it's unlikely that anyone has ever tampered with any of the classroom computers, there's no guarantee that this hasn't happened in any classroom, lab, hotel lobby or Internet café.
There are different ways to protect yourself against password theft on a public computer, like one-time passwords. However, even those don't protect you against someone intercepting the characters you type or taking snapshots of everything displayed on your computer screen. The only effective defense against those types of threats is to stay away from public-access computers unless what you're doing doesn't involve anything confidential.
There's nothing wrong with checking the weather report from an Internet café, but be careful when reading and sending e-mail. If you need to check your e-mail while you're out of the office, take along your laptop. If you leave your laptop at home during your next trip, consider setting up a free e-mail account or getting a phone that can send and receive e-mail.
No Privacy on Public Networks
The best way to avoid the security problems associated with public computers is to use your own equipment. Lugging around a laptop can be tedious, but it makes computing away from home that much more secure. Taking your computer outside the firewall and the protected environment of your network and attaching it to a public network does require some extra precautions, however, like enabling a personal firewall and being more diligent about installing security updates and virus protection.
Even if you do all the right things, you should still be concerned about privacy when you connect your laptop to a public network, whether wired or wireless. Even the best personal firewall will leak some information. Whenever you connect a computer running Windows to any network, it has to initiate broadcasts and send DNS queries for domain information. Someone who monitors network traffic with a protocol analyzer like Microsoft Network Monitor or Ethereal can capture and view this network traffic. Within that traffic is information like computer, domain and user names. Having this information won't let a hacker break into your network, but it may still reveal some information you don't want to share.
To fully understand the risks, at some point you should connect a laptop that is part of your Windows domain to a segment of your network that you monitor with a protocol analyzer. Look at the broadcasts and other packets transmitted by the computer. Then you can make an assessment of whether any of the transmitted data would constitute a security breach if it became available outside of your organization.
Another thing to keep in mind is that all network traffic going across most public wired or wireless networks is not encrypted -- unless you connect to an SSL-protected Web site or use some application that encrypts the communications between server and client. To ensure confidentiality while you're connecting to the Internet from a hotel room or a wireless hotspot, you'll need to establish a VPN connection to your corporate network as soon as possible after initially establishing connectivity. Then you can work relatively securely over this VPN.
One thing you can't hide is the hardware (MAC) address of your network adapter. Getting this information doesn't allow someone access to confidential information, but it may let someone hijack your connection and impersonate your computer. The biggest risk there is that someone can capture packets between your computer and a wireless hotspot. Most of these hotspots require some initial authentication. After that, however, they rely solely on the MAC address to ensure that network packets come from an authenticated computer.
A hacker monitoring network packets to and from the hotspot can easily change his own computer's MAC address to match yours. Because the hotspot treats all network packets from that address as authenticated, the hacker would get free Internet access.
Both public computers and public networks present their own security risks. The only way to truly stay secure while you're on the road is to bring your own computer and connect to your own network. Bringing your computer is the easy part. Connecting to your own network can be more challenging, but a VPN connection can do the trick.
More InformationDangerous TVs
Most travelers who are very careful about using computers while staying at hotels don't even think about the security of their hotel television sets. After all, how could there be any security implications of watching the latest episode of CSI? The good news is that you can relax while you’re watching your favorite show -- it won't let hackers invade your hotel room.
Most hotel television systems give you more than a variety of channels: They offer Internet surfing, pay-per-view movies and access to your hotel bill. The medium over which all of this is delivered is a shared coaxial cable.
Anyone else connected to the same cable system and who tunes into the right channel can watch what is being displayed on your TV screen at that moment. In most cases, the only protection the hotel provides is configuring each television to prohibit selecting a channel number used for transmitting anything other than TV programming.
TV tuners that connect to laptop computers aren't much better. These tuners don't enforce the television's restrictions and they can let someone a few rooms down marvel at the Internet pages you’re viewing or watch the movie that you just paid to see.
What's worse is that someone might be watching as you're checking your hotel bill on the TV screen. The information displayed normally contains your name and room number, and that's all someone needs to charge a few drinks at the bar or wireless connection time to your room. – J.W.
Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping
companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.