InfoSec on the Road -or- Keeping what's yours, yours. HU UK 2011 meeting – 26th June 2011 Alexandros Papadopoulos, CISSP

Page 1: InfoSec on the Road

-or-

Keeping what's yours, yours.

HU UK 2011 meeting – 26th June 2011

Alexandros Papadopoulos, CISSP

Page 2: How do you use computers on the road?

• Withdrawing money from ATMs

• E-banking

• Saving photos

• Writing your blog/book

• Posting in forums

• Emailing for work or personal stuff

• Chatting with friends and family

The threats annotated alongside them on the slide:

• Skimmers

• Sensitive info stolen (malware)

• Data loss, privacy

• Censorship, privacy, sensitive info stolen

Page 4: ATMs (2) Stealing the bank card information

Page 5: ATMs (3) Stealing your PIN

Page 6: ATMs (4) Anything wrong with this ATM?

Page 7: ATMs (5) Hidden mobile phone camera captures PIN

Page 8: ATMs (6) Stealing your cash: Cash Trapping

Page 9: e-banking

• Most publicly accessible computers (internet cafés, hotel lobbies) are infected with malware

• They can therefore not be trusted for e-banking

• Carrying a one-time-password token (the “password generator” some banks issue) makes this a bit safer, because a code captured by a keylogger cannot be reused later; it does not stop malware on that machine from tampering with the session while you are logged in

Page 10: What is malware?

• Malicious + software = malware

• Example: Zeus & URLZone – banking trojans that steal your online banking login, use it to drip-feed money out of your account, and then rewrite the bank statement shown in your browser so the missing money does not appear

• Example: Stuxnet – sabotaged the centrifuges at Iran's uranium enrichment plant by tampering with their industrial controllers (PLCs)

• Generally, crooks are after your passwords

• Assume that anything you plug into an untrusted machine (phone, camera, GPS, laptop, USB stick) comes back infected

Page 11: Malware – Is this legit?

Page 12: Malware – amateurs!

Page 13: Malware – webfake I

Page 14: Malware – webfake II

Page 15: Malware – Fake Bank Statement

Page 16: Saving photos

• Your enemies:

  • Vibrations, humidity, thieves, weight, accidental deletion, software error…

• Your allies:

  • Online storage – Flickr ($25/year)

  • Multiple copies

  • Solid state media (SD cards)

  • Encrypted storage (TrueCrypt)

Page 17: Saving files (general)

• Google Docs

• Dropbox

• TrueCrypt “Portable Mode” USB sticks

Possible to have a secure “password file” with you

Page 18: The best defence against all this…

• Is free!

• Allows you to ignore the software installed on the machine you use, because you boot your own operating system from the stick instead (it cannot protect you from a hardware keylogger or tampered firmware on that machine)

• Like carrying your own computer-on-a-stick!

Page 19: DIY bootable USB stick

http://www.ubuntu.com/download/ubuntu/download
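A check the slide leaves implicit, added here as an example and not part of the original presentation: the stick is only as trustworthy as the image written to it, so verify the download against the SHA256SUMS and SHA256SUMS.gpg files that Ubuntu publishes next to each ISO before running dd. The script assumes GNU coreutils (sha256sum, awk, dd), curl and gpg on the machine preparing the stick, and that Ubuntu's image signing key has already been imported into the keyring (its ID is published on ubuntu.com and is not hard-coded here); the release URL, file names and /dev/sdX in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the presentation: verify an Ubuntu ISO before
# writing it to a USB stick.  Assumes GNU coreutils (sha256sum, awk, dd),
# curl and gpg; the release URL and /dev/sdX below are placeholders.

# Download the checksum list and its detached GPG signature from the same
# release directory the ISO came from.
# Usage: fetch_sums https://releases.ubuntu.com/<release>/
fetch_sums() {
    base=${1%/}
    curl -fsSLO "$base/SHA256SUMS" && curl -fsSLO "$base/SHA256SUMS.gpg"
}

# Check the signature on SHA256SUMS.  The signing key must already be in
# your keyring; a checksum list you cannot authenticate proves nothing.
verify_sums_signature() {
    gpg --verify "${1:-SHA256SUMS.gpg}" "${2:-SHA256SUMS}"
}

# Compare the ISO's SHA-256 with the entry for its file name in the sums
# file (Ubuntu lists names as "*ubuntu-....iso", hence the two patterns).
# Returns 0 on match, 1 on mismatch, 2 when the ISO is not listed at all.
verify_iso_checksum() {
    iso=$1
    sums=$2
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: $name is $actual, expected $expected" >&2
        return 1
    fi
    echo "OK: $name matches $expected"
}

# Write the verified image to the whole device (e.g. /dev/sdb, not /dev/sdb1).
# Refuses non-block devices and anything currently mounted; the stick's
# previous contents are destroyed.
write_iso_to_stick() {
    iso=$1
    dev=$2
    if [ ! -b "$dev" ]; then
        echo "$dev is not a block device" >&2
        return 1
    fi
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev (or a partition on it) is mounted; unmount it first" >&2
        return 1
    fi
    dd if="$iso" of="$dev" bs=4M conv=fsync status=progress && sync
}

# Usage: sh make_stick.sh ubuntu-XX.04-desktop-amd64.iso SHA256SUMS [/dev/sdX]
if [ "$#" -ge 2 ]; then
    verify_sums_signature "$2.gpg" "$2" || exit 1
    verify_iso_checksum "$1" "$2" || exit 1
    if [ -n "${3:-}" ]; then
        write_iso_to_stick "$1" "$3" || exit 1
    fi
fi
```

The order matters: the signature check comes first, because a SHA256SUMS file served by the same network that could have tampered with the ISO is worthless until it is authenticated; only then is the hash comparison meaningful.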

Page 20: This is what you get

Page 21: Stories from Iran

• The charming “foreigners police” connected my camera’s SD card to one of their Windows PCs to check out my photos

• No software copyright enforcement => pirated software everywhere => no security updates => everything infected with malware

• HTTPS necessary if you want to speak your mind on email/blog.

Page 22: Keep snoopy governments from (easily) reading your emails

Page 23: Signs of country-level blocking

Page 24: Signs of country-level proxying

Page 25: Recent high-profile cases

• Stuxnet (it spread on USB sticks, so travellers were most certainly involved!)

• Hijacked webmail/Facebook accounts

• The goodies I brought home when I returned from UK2India:

  • Invisible in Windows XP/7 with 3 different antivirus suites

  • Visible but untouchable in Mac OS X

  • Finally deleted with GNU/Linux

Page 26: Once you’re back home

• Systematically disinfect all removable media (GPS memory card, camera, any USB sticks you used during the trip)

• Use a trusted system, such as a recent GNU/Linux bootable disk, to delete all files you don’t recognise from your media

• Change your passwords (bank, webmail, forums etc.)
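One way to carry out the first two steps, added here as an example that is not part of the presentation: boot the laptop from a GNU/Linux live stick, mount the card read-only with execution disabled, list everything a camera or GPS would never have written, and move those files into a quarantine directory on the laptop together with their hashes instead of deleting them on the spot, so a sample survives if your bank or an antivirus vendor later asks for it. The script assumes GNU findutils and coreutils; the device name, mount point and quarantine path are placeholders, and the FLAGGED.txt and MANIFEST.sha256 file names are my own choice.

```shell
#!/bin/sh
# Added example, not from the presentation: triage a memory card or USB
# stick from a GNU/Linux live system after a trip.  Assumes GNU findutils
# and coreutils; device, mount point and quarantine paths are placeholders.

# Mount the media read-only, with no executables, device nodes or setuid
# bits honoured, before looking at anything on it.  Needs root.
# Usage: mount_media_ro /dev/sdb1 /mnt/card
mount_media_ro() {
    mkdir -p "$2" && mount -o ro,noexec,nodev,nosuid "$1" "$2"
}

# True if the file begins with "MZ", the DOS/Windows executable header,
# regardless of what its extension claims.
has_pe_header() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# Print one path per line for everything that looks planted rather than
# written by a camera or GPS: autorun.inf, Windows executables, scripts and
# shortcuts, anything under a hidden (dot) name, and files whose content is
# an executable hiding behind a photo extension.  Names are matched
# case-insensitively because FAT cards do not preserve case reliably.
find_suspicious() {
    root=${1%/}
    find "$root" -type f -print | while IFS= read -r f; do
        rel=${f#"$root"/}
        lower=$(printf '%s' "$rel" | tr 'A-Z' 'a-z')
        case "/$lower" in
            */.*|*/autorun.inf|*.exe|*.dll|*.scr|*.com|*.pif|*.bat|*.cmd|*.vbs|*.js|*.lnk)
                printf '%s\n' "$f" ;;
            *)
                if has_pe_header "$f"; then printf '%s\n' "$f"; fi ;;
        esac
    done
}

# Number of flagged files, for a quick "is this card clean yet" check.
count_suspicious() {
    find_suspicious "$1" | wc -l | tr -d ' '
}

# Move every flagged file off the media into a quarantine directory on the
# laptop, keeping its relative path and appending a SHA-256 line to a
# manifest so the sample can still be identified or submitted later.
# The media must be remounted read-write for this step
# (mount -o remount,rw,noexec,nodev,nosuid /mnt/card).
quarantine_suspicious() {
    root=${1%/}
    qdir=$2
    list=$qdir/FLAGGED.txt
    mkdir -p "$qdir"
    touch "$qdir/MANIFEST.sha256"
    find_suspicious "$root" > "$list"
    while IFS= read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        sha256sum "$f" >> "$qdir/MANIFEST.sha256"
        mv "$f" "$qdir/$rel"
    done < "$list"
}

# Usage: sh triage_card.sh /mnt/card [/root/quarantine-$(date +%F)]
if [ "$#" -ge 1 ]; then
    echo "Suspicious files on $1:"
    find_suspicious "$1"
    if [ -n "${2:-}" ]; then
        quarantine_suspicious "$1" "$2"
        echo "Moved $(wc -l < "$2/MANIFEST.sha256") file(s) to $2"
    fi
fi
```

The content check matters more than the extension list: a USB worm that copied itself over a photo while keeping the .JPG name is invisible to a name-based sweep, but still starts with the MZ header. Review the flagged list before quarantining; macOS leaves harmless hidden folders such as .Trashes on FAT cards and they will show up too.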

Page 27: Questions?

• Personal data protection tips: http://thinkingspaces.org (my security blog)

• Surveillance self-defence project by the Electronic Frontier Foundation: https://ssd.eff.org/

• Remote backup software: http://www.crashplan.com

• Encryption software: http://www.truecrypt.org (TrueCrypt development was discontinued in 2014; VeraCrypt is the maintained successor)

• Anonymous browsing: https://ssd.eff.org/tech/tor

Get this presentation: http://tinyurl.com/infosecontheroad