Security Advisor

Risky Travels: Can You Stay Secure?

Security risks for computer users on the go keep multiplying.

• By Joern Wettern
• 10/01/2006

Fortunately, you can get relatively reliable connectivity in most places, even though speeds can be surprising. The slowest public access speed I have seen was a 9600 baud modem connection shared between two computers. Considering that was on a remote island with only a satellite telephone connection to the mainland, even that was remarkable.

While getting a connection might be easy, paying for it is another matter. Hotels are notorious for charging guests "extras" for things like connectivity. I have seen rates that were more than $30 a day -- and that was in a place where the local phone company charges their subscribers that much for an entire month of DSL service.

There are also wireless hotspots, cafés and hotels that offer fast, reliable Internet connections for cheap or free. Connecting anywhere is indeed getting easier all the time, but it still creates some unique security challenges.

Want Coffee with That?
If you're traveling without your computer, the most obvious choice for Internet access is to visit an Internet café. These days, you can find them just about anywhere. Internet cafés often brew some good coffee, as well, so they're a pleasant place to take a break and do some browsing.

However, public-access computers in Internet cafés, airports or hotel lobbies are not a secure way to access your corporate network. While these computers are often configured to prevent someone from installing a key logger or other monitoring device, it's often a simple solution that is easy for a criminal to circumvent. The technician at a neighborhood Internet café may be an honest and knowledgeable guy, but he probably can't stop a determined hacker from installing rogue programs on one of the computers. Even in places you trust, you'll find surprising risks.

Unfortunately, I have seen many cases of people displaying risky computing behavior, even when they should know better. For example, I often teach in classrooms where students all log on with administrative privileges (the Administrator password is identical on all computers). With this configuration, any student in the classroom could install a keystroke logger on any of the computers.

Typically, about half of the attendees, many of whom work in the security field, still check their work e-mail during class or do other things that require them to enter passwords. While it's unlikely that anyone has ever tampered with any of the classroom computers, there's no guarantee that this hasn't happened in any classroom, lab, hotel lobby or Internet café.

There are different ways to protect yourself against password theft on a public computer, like one-time passwords. However, even those don't protect you against someone intercepting the characters you type or taking snapshots of everything displayed on your computer screen. The only effective defense against those types of threats is to stay away from public-access computers unless what you're doing doesn't involve anything confidential.

There's nothing wrong with checking the weather report from an Internet café, but be careful when reading and sending e-mail. If you need to check your e-mail while you're out of the office, take along your laptop. If you leave your laptop at home during your next trip, consider setting up a free e-mail account or getting a phone that can send and receive e-mail.

No Privacy on Public Networks
The best way to avoid the security problems associated with public computers is to use your own equipment. Lugging around a laptop can be tedious, but it makes computing away from home that much more secure. Taking your computer outside the firewall and the protected environment of your network and attaching it to a public network does require some extra precautions, however, like enabling a personal firewall and being more diligent about installing security updates and virus protection.

Even if you do all the right things, you should still be concerned about privacy when you connect your laptop to a public network, whether wired or wireless. Even the best personal firewall will leak some information. Whenever you connect a computer running Windows to any network, it has to initiate broadcasts and send DNS queries for domain information. Someone who monitors network traffic with a protocol analyzer like Microsoft Network Monitor or Ethereal can capture and view this network traffic. Within that traffic is information like computer, domain and user names. Having this information won't let a hacker break into your network, but it may still reveal some information you don't want to share.

To fully understand the risks, at some point you should connect a laptop that is part of your Windows domain to a segment of your network that you monitor with a protocol analyzer. Look at the broadcasts and other packets transmitted by the computer. Then you can make an assessment of whether any of the transmitted data would constitute a security breach if it became available outside of your organization.

Another thing to keep in mind is that all network traffic going across most public wired or wireless networks is not encrypted -- unless you connect to an SSL-protected Web site or use some application that encrypts the communications between server and client. To ensure confidentiality while you're connecting to the Internet from a hotel room or a wireless hotspot, you'll need to establish a VPN connection to your corporate network as soon as possible after initially establishing connectivity. Then you can work relatively securely over this VPN.

One thing you can't hide is the hardware (MAC) address of your network adapter. Getting this information doesn't allow someone access to confidential information, but it may let someone hijack your connection and impersonate your computer. The biggest risk there is that someone can capture packets between your computer and a wireless hotspot. Most of these hotspots require some initial authentication. After that, however, they rely solely on the MAC address to ensure that network packets come from an authenticated computer.

A hacker monitoring network packets to and from the hotspot can easily change his own computer's MAC address to match yours. Because the hotspot treats all network packets from that address as authenticated, the hacker would get free Internet access.

Stay Safe
Both public computers and public networks present their own security risks. The only way to truly stay secure while you're on the road is to bring your own computer and connect to your own network. Bringing your computer is the easy part. Connecting to your own network can be more challenging, but a VPN connection can do the trick.