Cybersecurity for Travelers

Just as is it much easier for you to physically contract a virus or disease when exposed to new environments, the same is true for information security; you are at greater risk when away from home.

Cybersecurity experts generally agree that about 20 percent of travelers are subject to cyber targeting when abroad. All agree that travel puts you at additional information security risk. While some countries are known to host far more serious and focused attacks, data and identity thieves operate across the globe. When you enter their backyard, you are a target of opportunity.

There are many examples of travelers reporting suspicious activity following foreign travel, including:

Emails received from ostensible friends or contacts seeking an out of character favor. These are examples of email “spoofing,” an attack methodology facilitated by stolen user IDs and passphrases (known as “credentials”).
Changes in the operation of your device, even remote alteration of the operating system. With the right software, adversaries can covertly activate a microphone or camera, monitor emails, read stored files, steal credentials, etc.

To understand why you’re at greater risk when you’re in new environments, it’s valuable to consider these points:

Your value as a target;
The way you access the internet;
The way you store and charge your devices; and
Changing border control policies.

Taking these points one by one, let’s dig into their impact on upon your risk profile:

Your Value as a Target

When assessing your worth as an information security target, it is critical to avoid “mirror imaging:” assuming that others think and act in a certain way because that is how you (and assumedly all rational people) behave. This logic doesn’t hold water, though. The norms, attitudes and preconceptions of other cultures naturally mold different perspectives and values. Therefore, while we may not think of ourselves as a high-profile target, others definitely do:

If you represent leading business, research, media, academic or governmental entities, there’s no doubt that you’re of interest to attackers.
If the country you’re visiting is unfriendly to the United States, and/or if there is civil unrest, violence and crime, you’re a top target for cyber-attack, cybercrime, monitoring and surveillance.
Even the average American tourist represents value to attackers. Their electronic devices are tools to mount attacks against others, and to increase their circles of stolen data and exploited networks.
It may not only be the host country targeting you. Third-country criminals and governments often leverage the accessibility, deniability and reduced prosecution risk of having their target anywhere overseas.

The bottom line is that you’re a valid target, whether at home or when traveling. The difference being is that when you’re on the road, your profile is higher and you’re more accessible.

The Way You Access the Internet

Attacker accessibility is made easier by most travelers in how they access the internet; by using public Wi-Fi in hotels, airports, cafes and restaurants.

The problem is that attackers regularly create false Wi-Fi spots that masquerade as genuine hotel or airport networks, complete with branded online materials and stronger signals to lure users. Packet analyzers are then used to selectively read and store critical data like passwords. Even hotel business centers and hard-cable internet access in hotel rooms cannot be trusted, particularly overseas.

Even without actively seeking internet access, laptops, smartphones and tablets are susceptible to remote Bluetooth connections. While traditional anti-virus tools may have difficulty detecting the kind of spyware that foreign governments and sophisticated organized criminals use, there are ways to reduce your risk:

Refrain from accessing sensitive data and networks when traveling.
Limit remote access to your device. Disable Bluetooth and Wi-Fi. While all Bluetooth devices have some inherent vulnerabilities, the older versions are far more susceptible to hacking and eavesdropping.
Use your smartphone to create a Wi-Fi “hotspot.” While suspect in some foreign countries, cellular service remains the safer alternative.
Use a Virtual Private Network (VPN) to encrypt your data. While a VPN can slow your connection, it’s better than losing your data.

The Way You Store and Charge Your Devices

The next way that your information security risk factor is degraded when traveling involves storage of your devices. Quite simply, travel increases the chance of equipment being physically exploited, stolen, inspected or impounded.

A good rule is that if you leave your device unattended, assume it has been tampered with. Of course, it is often difficult and dangerous to carry your devices with you. The tradeoff is that if you leave it in an empty hotel room (even in a hotel safe), you are open to exploitation from state-sponsored entities. Conversely, taking it with you in public opens you to theft or misplacement. In the end, the matter becomes simpler the fewer devices and data that you need to protect.

Following device storage, the next area where travelers put themselves at risk is with device charging. What traveler hasn’t been relieved to charge their smartphone or tablet at those handy airport USB stations? The problem is that the USB interface may be allowing the charging station to download stored data by the gigabyte.

The safest route for charging your device is to use the supplied power cord that plugs into a regular electrical outlet or your own battery-powered mobile charging device. If you absolutely must recharge via USB at a station, completely power off the device before plugging it in.

At the conclusion of your trip, it is best to turn over your devices to your corporate IT staff for their forensic inspection, wiping and operating system reloading.

Changing Border Control Policies

In recent years, the authorities and actions of border and immigration officials have increased both in the United States and overseas. To a far greater degree than any time before, electronic communication devices are subject to involuntary official governmental review and possible duplication of hard drive contents.

The U.S. Department of Homeland Security advised in 2008 that border agents are allowed to search through files on laptops, smartphones or other digital devices when you enter the country, even when there is no reasonable cause. They can keep data or the entire computer, copy what they want and share this data with other agencies, and force you to give the password if the data is encrypted.

While their internal guidelines call for data destruction if the data isn’t found to be suspicious, there is no assurance for the data owner as to how securely the data will be stored during the assessment period and when it will be destroyed.

Overseas, rules concerning cross-border transportation of communication devices and data range broadly, both in terms of statute and enforcement. A good rule to follow is that a device out of your control during “secondary screening” should be assumed to have been exploited.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Many of the security screening standards in use today were put in place decades ago. They addressed the threats at the time and employed the security screening equipment that was available.