Information Security For Travelers

While I'm not opposed to technology, I usually use travel as an opportunity to unplug.  In the past I've used internet cafes and VOIP but didn't carry any electronics more sophisticated than a AA-powered MP3 player.

This time around, I'm traveling with a laptop and a phone.  I'll be getting internet access from a variety of sources.  I'll be away long enough that I have to manage my finances online.  Since I'm driving, I'll use the laptop for route planning.

While I still think it's possible to travel without electronics, it's harder than it used to be.  Time will tell if I stick to this approach.

In the meantime, I need a broader approach to protecting my data.

Threats

To start with, I have to identify my threats.  Personally, my concerns are:
  • Internet cafe malware (keyloggers)
  • Wi-Fi hotspot eavesdropping (session hijacking, credential theft)
  • Identity thieves (stealing personal data from stolen hardware)
  • Over-zealous customs and immigration officials (no one should have the authority to search my data unless I have committed a crime)
  • Data-mining firms (gathering personal and behavioral information, usually for marketing purposes)

Vulnerabilities

Now that I have identified my threats, I have to look at my vulnerabilities to those threats.

High-Risk Vulnerabilities


  • Internet cafe malware

    I have no control over the hardware or the software that the internet cafe is using.  The machines are exposed to a constant flow of public users with poor security habits.  The machine could be infected with keyloggers or other forms of malware, all passively collecting information. 

    Anything connected to or accessed from a cafe machine is highly vulnerable if no steps are taken.

  • Identity thieves

    In addition to my physical wallet and passport, I have personal information on my laptop, phone and flash storage devices.  If someone steals my laptop it would be trivial to gain access to it along with the data stored on the hard drive, including a photocopy of the contents of my wallet and passport.

Medium-Risk Vulnerabilities


  • Wi-Fi hot-spot eavesdropping

    Public wi-fi networks can be quite risky.  Other users may be capturing unencrypted transmissions, which can include session tokens or personal data.  Some sites do a good job of encrypting transmissions but some do not.

    For example, a malicious user on a poorly secured wi-fi network could easily capture the session I used to log into my email or social networking account.

Low-Risk Vulnerabilities


  • Over-zealous customs and immigration

    It is an unfortunate trend, recently, for customs and immigrations officials to temporarily seize and search electronic storage devices when crossing borders.  This is ostensibly done to prevent criminals from doing criminal things but people have been targeted for political reasons as well. 

    This is mainly a problem with the US and Canada but a destabilized government in Latin America could very well turn to such tactics.  The hardware and software to crack the traditional security measures on a phone or laptop are easily available to governments.

    While I don't have anything to hide, I don't have anything to share either.  There is nothing for me to gain by participating in such a search.

  • Data-Mining Marketers 

    Many companies use cookies and other persistent identifiers to track your activity on the internet.  This is generally for marketing purposes but these firms have a poor record on data protection and their presence is annoying at best on most web sites.

Now that I've identified the threats and my vulnerabilities to those threats, I can devise the security measures I'll employ to protect myself and my data.  In the coming posts I'll look at how to balance security and usability with various encryption technologies to mitigate the threats described above.

1 comment:

  1. interesting, thanks, i look forward to the future installments of this series. i know that doens't add to the knowledge base, i just wanted to let you know, i wanna know. you know.

    ReplyDelete