Travel archives - Sister CISA CISSP


May 14 2009   2:28PM GMT

Turn it Off on the Road



Posted by: Arian Eigen Heald
Travel, Security on the road, laptop security

I travel a lot - about 40% of the time. I plug in to the Net from all sorts of places as a part of doing business. So I have some rules based on experience:

1. Turn off the WiFi adapter if it’s not in use. Why broadcast the last hotel you stayed in, and allow bad people to try and attach to your machine? Check your settings, too, to make sure you connect only to infrastructure, NEVER Ad hoc. Never.

2. When you’re in the hotel at night, have you ever checked your Event Log? That’s how I found someone from a lobby computer trying to log into my machine using various passwords and the “Administrator” login. Of course, I had changed that ID name AND created another one with no rights. The motel manager got an earful. So - turn off your laptop, or pull the network plug at night.

And make sure you have Failure logging in your local security policy. For everything. Can’t hurt, since the log overwrites.

Don’t leave the machine on the network for someone to attack all night.

3. Disable ALL shares on your computer. During the day, I have a share running so that coworkers can exchange and update files. I turn it off every night.

4. If you have to leave your laptop somewhere, first of all: don’t. I take mine back with me to the hotel. But when I leave it in the office, I turn it off. Off, whoever steals it won’t get past the disk encryption. If I leave it on, the encryption is disabled, and the possibility of hacking my password or otherwise bypassing Windows controls exists.

Your laptop is disk-encrypted, right?

5. Tape a business card to the top of your computer. A lot of laptops look alike going through security at the airport. Make sure no one has walked off with yours.

6. If you walk away from your computer, lock the screen. Make it a habit, whether you are in the office or on the road.

I had a boss that would go around locking it for you with a nasty message scrolling across the desktop - AND you had to go to him to get the password, because he went in and changed it.

Take a moment to think about what files are on your laptop and what value they might have. Consider what steps you will need to go through should your laptop be stolen.
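The Event Log check from rule 2, as an added example that is not part of the original post: it enables failure auditing and summarizes the failed logons recorded overnight. It assumes Windows Vista or later (where a failed logon is Security event ID 4625), an elevated PowerShell prompt, and a 12-hour look-back window chosen for illustration.

```powershell
# Added example: review failed logons recorded while the laptop sat on a hotel network.
# Assumption: Windows Vista or later, where a failed logon is Security event ID 4625.
# Run from an elevated PowerShell prompt.

# Turn on failure auditing for every audit category, as the post recommends.
auditpol /set /category:* /failure:enable

# Pull failed-logon events from the last 12 hours (the window is an arbitrary choice).
$since  = (Get-Date).AddHours(-12)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue   # suppress the "no events found" error

$attempts = foreach ($e in $events) {
    # The named fields live in the event XML; index them by their Name attribute.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $data['TargetUserName']    # the login name that was tried
        Workstation = $data['WorkstationName']   # machine the attempt came from
        SourceIp    = $data['IpAddress']
        LogonType   = $data['LogonType']         # 3 = network, 10 = remote interactive
    }
}

# Summarize: which account was targeted, from where, how often, and over what period.
$attempts |
    Group-Object Account, Workstation, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { $_.Group.Time | Sort-Object | Select-Object -First 1 } },
        @{ n = 'Last';  e = { $_.Group.Time | Sort-Object | Select-Object -Last 1 } } |
    Format-Table -AutoSize
```

Many failures against one account name from a single workstation or address in a short span is the pattern described in rule 2.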

Jul 31 2008   8:33PM GMT

Losing Your Credit Card Number at the Airline Check-in Kiosk



Posted by: Arian Eigen Heald
Security, Identity theft, Data Breaches, PCI DSS, Travel, TCM (Truly Clueless Management), Automatic Theft Machines

According to an article on MSNBC.com, there has been a data breach at the Toronto, Canada airport that may have been through the check-in kiosks. Similar to my blog on instant photo machines, the ability of machines to take more information than they need is certainly something that manufacturers should address, and quickly.

One airline at the airport has already suspended using credit-card information to check in, so even though a “full report” has yet to come out detailing HOW, we can draw some conclusions based on that action, and this statement:

“But Scott Armstrong, spokesman for the Greater Toronto Airports Authority, which owns the machines, said investigators inspected the devices and found no signs of tampering. That suggests the data was collected by the machines and stored somewhere, then stolen by hackers who managed to access it – either directly or through the network that connects the kiosks to the airlines.”

That is a logical conclusion if skimmers were not attached, given that the skimmers would have to be inside the machines in order not to be really obvious (if you travel a lot, like I do, you know what they look like).

But what is most disturbing is how the airlines and kiosk makers are taking turns not commenting. There are over 70,000 self-serve kiosks in American airports that actually capture and send ALL the mag stripe data during the course of check-in to the airline. What do the airlines do with that data? How is it transmitted?

What do you want to bet that a technique similar to Hannaford’s data breach is in play?

Is this covered under the PCI DSS credit card regulations? Probably NOT, because no charges were made. And it’s an internal network, so encryption would not be required.

Why were they capturing ALL the stripe data? Because they can. Because it’s easier to program than eliminating “some data.” Because no one thought about the security of the data the machines were handling.

Keep your credit card in your pocket when you check in. That’s where mine will be.