ASIS International 53rd Annual Seminar & Exhibits in Las Vegas, Sept. 24th-27th, 2007.
“Computer and Information Security While Traveling”
Tuesday, September 25th
“Securing Your Personal and Corporate Data while on the Road”
“The Road Warrior”
Computer Security while away from the office!
The more our businesses depend on digital data, the more vulnerable we are to the loss or exposure of that data to persons outside of our business. Every day, business travelers unknowingly expose themselves, and the company data that they are responsible for, not only to physical danger but also to the danger of being compromised by others. They are subject to everything from physical attacks, forcible robbery and burglary of their vehicles and rooms to the interception of critical data, either by copying of files or by interception of wired or wireless communications.
I have seen business travelers have their bags snatched on public transportation and stolen from their hotel rooms, and have even seen armed assailants spray the hotel sidewalk with an AK-47 in front of a group of defense contractors and demand their laptops. Basic security measures should always be taken whenever and wherever you are, like not having your business name showing on your luggage tag, not broadcasting who you work for if you or your company are media worthy or ransom worthy, and not talking about your business or personal information with strangers. While physical security is always important to us all, for the purpose of this presentation we are going to discuss communication and digital vulnerabilities and security practices.
Company secrets and critical information are being unknowingly revealed to competitors, information brokers and mere curiosity seekers every day by simply ignoring some basic computer security procedures. The risk of having your information compromised while using local wireless networks, or Wi-Fi hotspots, is extremely high. In one recent study by the Anti Terrorism Accreditation Board, only 36% of Wi-Fi spots were security protected or encrypted. Further studies of hotels, airports, train stations, coffee shops and other public areas equipped with wireless internet access repeatedly show that the systems are not only pinged and probed but that competitive intelligence is being gathered. While 36% sounds like a terribly deficient number, it is really a great improvement over the study done 14 months earlier, which found almost no Wi-Fi users employing any security procedures.
One does not have to be a master programmer or computer expert the likes of Lew Wagner or Ray Barnard to be able to hack sites. Open source code is available to anyone on the net. Take Sven Jaschan, the 18-year-old unsupervised German high school student from the village of Waffensen (between Bremen and Hamburg, in northern Germany), who started the recent Sasser problem. Sasser is reported to have been the 5th most costly virus in history, and he produced it using exploit code that was already published, together with techniques like FTP'ing the code and passing command-line strings to the operating system.
With the use of existing web sites and bulletin boards, hackers can obtain all the information needed to access a victim’s laptop, because anyone using an unsecured wireless network may access any of the other users of that network. I often hear people tell me that they have nothing important on their system and so they are not worried. Think how damaging it would be if the hacker was not attempting to look at your files but was a pedophile looking for a place to store his files so that they cannot be traced to him. We have seen many cases of hackers using Wi-Fi hotspots to store their files on other computers.
If you have some time and would like to see some interesting things about Wi-Fi and how to access it, look up some of these sites. If you want to know where the Wi-Fi spots are in your area, check out This site maps the hot spots around the world and gives you the names of the Network connection. a product that they do not support but still offer that which picks up the digital packets that are sent giving you the ability to obtain passwords, logins, credit card numbers or other information. You can obtain all the default passwords and user IDs for routers, access points and switches from a site You can go to and find the following: (taken from
WiGLE: An online database which accepts "stumbles" or "WiLDs" in the "wi-scan", "wi-scan with extensions" and "CWGD" formats (GPS tagged data about 802.11 wireless networks). NetStumbler, DStumbler, Kismet, Pocket Warrior and other clients generate data in these formats. Data is stored in a database, locations are triangulated, and data is shared via web requests.
JiGLE: An interactive, zoomable java-based client to WiGLE. Plot, relate, and look up wireless networking from stumbles or from the WiGLE database, overlaying them on GIS maps of cities. Current version: 0.7.2
You can see very quickly that with a minimal amount of experience or knowledge and a fair amount of motivation a person could cause you and your company catastrophic damages.
With our lives becoming more and more “wireless”, we increase our risk of being overheard. If a signal is being sent through the air, it can be intercepted. The item pictured to the left is made to connect to your laptop and has a roof mount antenna so that you can drive around looking for hot spots to monitor. Individuals are at risk of eavesdropping from competitors, spouses, nosy neighbors or just plain curious people with too much time on their hands. We have seen cases where an attorney actually went around his neighborhood drilling holes in walls and putting cameras in to watch his neighbors. We have all seen the cases of people’s telephone conversations being monitored, from Newt Gingrich’s cell calls to the bugs in the flower pots at the jail in LA to hear the police talking about Michael Jackson’s case. The most important thing that we must all remember is that it can happen to any of us.
Each time that you log on to a public Wi-Fi site you are transmitting your password and login name over the open airwaves along with, in many cases, your credit card information. Identity theft is one of the largest theft problems in the world today, and sending unsecured data just makes it easier for thieves to destroy your life.
Unless you or your company are very newsworthy, are involved in State Security or have some other reason to stand out, your main risk at home is either cheap neighbors who don’t want to pay for high-speed access or nosy ones who want to snoop around your hard drive. There is a chance of someone driving up and down the street looking for bandwidth to access, but in most cases they will find stronger signals in a commercial area with warehouses or office buildings.
Most of us have read about the Lowe’s store in Southfield, Michigan, where 3 college students sat in the parking lot and captured credit card information as well as the packets of information necessary for them to break into several other Lowe’s stores across the county. In statements to the FBI the men stated that they found the improperly secured site while “Wardriving” earlier in the year.
There are many other cases, and most go unnoticed because of a lack of auditing and a lack of review of the audits that are in place. In the Lowe’s case the reason that they were caught is that they altered the source code for the credit processing and Lowe’s IT people picked it up. The question is: do you have someone monitoring your system 24/7 for discrepancies? There are cases where people actually obtained access to the building and installed a Wi-Fi access point on the internal network, in the middle of all the business servers, so that they could make withdrawals and transfers at will.
While it is impossible to make your network totally secure from every attack, we can instruct you in some ways that will make it easier for them to go to the next hot spot and leave yours alone. With two thirds of the systems unsecured, there is not much reason for a wardriver to spend the time cracking your security when all he has to do is log on to the other two thirds that have nothing.
With only the investment of a little time, you will be able to breathe a little easier knowing that you have greatly reduced your risk of outside attack.
Assuming that your network administrator already has dedicated Virtual Private Networks (VPNs), uses tools like RADIUS and has a good handle on your corporate Wi-Fi security, we are going to focus the next few minutes on what you can do outside of your corporate environment when using public hot spots.
Who would want to be the business person in a tight job market, or the government employee who let a terrorist gain access to a restricted location through poor security practices, reporting to the CEO’s office on Monday morning? In today’s world the potential danger is much greater than just losing a bid or a sale: we could be risking the lives of others through terror attacks, criminal attacks or sexual predators’ attacks that are initiated over the net. Think of the press if a pedophile used your access code to log in to your company system and then used that system to entice children out to a soft drink company’s festival only to be attacked. How would you feel if you found out that your login was used to access the data needed to obtain entry to an airport vendor, giving a hijacker access to a plane?
The first step is to install a firewall. When installing your firewall, be sure to install it manually and not just click the “Install” button. Many programs have backdoors that can bypass the firewall if it is installed by the default button. A good firewall will prevent would-be hackers from seeing any other machine that is connected to the hotspot. Firewalls close down the ports that hackers use to access and control your computer. There are some good ones on the market and you will have to pay for them.
I prefer Norton Personal Firewall; it will cost you about $69.00 and you may find it with a rebate at MicroCenter or go to It will also add spam blocking and virus protection.
Secondly, ensure that file sharing is disabled on your laptop. I personally also disable the IR port on my laptop. You also need to use Wired Equivalent Privacy (WEP). WEP is an encryption technique that, while it would not prove a problem to the NSA, will deter the amateur or weekend hacker. I would also recommend that you turn on the 128-bit encryption. Interception software needs to capture millions of bits of data to crack a WEP code, and the more bits of encryption, the more data it will need to intercept to crack it. You should also change your WEP key often. Most wireless networks will let you store multiple WEP keys and you can switch between them at will.
You will also need to filter the MAC addresses on your network. MAC filtering relies on a list of the network devices that have legitimate access to the network. Each network card has a unique code called a Media Access Control or MAC address. It will look something like 00:60:55:32:1A:B2. Using MAC filtering will stop unauthorized access even if they have cracked your WEP code.
Wi-Fi manufacturers after 2003 have started adding an additional layer of protection called Wi-Fi Protected Access (WPA). Your entire system will have to be WPA compatible, which includes downloading the WPA patch for Windows from Microsoft.
You should also ensure that your network name does not invite probing. You do not want to name your network something like IRS Political Investigations division or Credit Card Verification Department or White House West Wing. Don’t be so descriptive that you make it easy or enticing to the hacker.
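The steps above (firewall, file sharing, WEP key length, WPA, MAC filtering, network name) applied as a checklist to one configuration profile. This is an added example, not code from the presentation; the profile field names, the word list and the sample values are constructed for illustration.

```python
import re

# Words that advertise what a network carries (constructed list for this example).
REVEALING_WORDS = {"irs", "credit", "card", "investigations", "verification", "payroll"}

def normalize_mac(mac):
    """Return a MAC address as 12 lowercase hex digits, or None if malformed."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def audit(cfg):
    """Check one profile (hypothetical field names) against the talk's steps."""
    findings = []
    if not cfg.get("firewall_enabled"):
        findings.append("firewall: not enabled")
    if cfg.get("file_sharing_enabled"):
        findings.append("file sharing: still enabled")
    enc = cfg.get("encryption", "none").lower()
    if enc == "none":
        findings.append("encryption: network is open")
    elif enc == "wep" and cfg.get("key_bits", 0) < 128:
        findings.append("encryption: WEP key shorter than 128 bits")
    if enc != "wpa" and cfg.get("wpa_capable"):
        findings.append("encryption: hardware supports WPA but it is not in use")
    # Addresses are written with colons, dashes or dots; compare the normalized form.
    allow = {normalize_mac(m) for m in cfg.get("mac_allowlist", [])}
    if None in allow:
        findings.append("MAC filter: malformed address in allowlist")
    allow.discard(None)
    if not cfg.get("mac_filter_enabled") or not allow:
        findings.append("MAC filter: disabled or empty")
    for mac in cfg.get("associated_clients", []):
        if normalize_mac(mac) not in allow:
            findings.append(f"MAC filter: unlisted client {mac}")
    words = set(re.findall(r"[a-z]+", cfg.get("ssid", "").lower()))
    hits = sorted(words & REVEALING_WORDS)
    if hits:
        findings.append("SSID: descriptive words " + ", ".join(hits))
    return findings

# Constructed sample profile (not from the talk).
SAMPLE = {
    "ssid": "Credit Card Verification Department",
    "firewall_enabled": True, "file_sharing_enabled": True,
    "encryption": "WEP", "key_bits": 64, "wpa_capable": True,
    "mac_filter_enabled": True,
    "mac_allowlist": ["00:60:55:32:1A:B2"],
    "associated_clients": ["00-60-55-32-1a-b2", "00:11:22:33:44:55"],
}
```

Calling `audit(SAMPLE)` returns one finding per step the profile misses; a profile that follows every step returns an empty list.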
Few losses in a business are as financially devastating to the future of the company as the loss of or damage to our computer system. While the computer gives us access to other businesses around the world, it also gives cyber thieves access to your confidential information. It is becoming more common for companies to find that competitors, foreign countries or hackers have targeted them. As IT security specialists it is our responsibility to ensure that our entire system is not compromised because of an employee not taking the appropriate security precautions while away from our hardened facility. We all have a sense of security when we are at home, and we have a tendency to slack off on our security precautions when working from home.
We all saw the news articles about the Director of the CIA losing his Security Clearance to enter the Pentagon. He left information on his laptop while at home.
We have had clients that have had their phone lines compromised giving the attacker access to their office computer system as well as the current data being transmitted.
To limit access to the facility computers, employees must be made aware of the risk from their homes, hotels and clients' offices.
If planning a trip, we must remember first of all to protect our travel plans; if working a highly classified case, I always make my own travel plans. As an investigator, I have gotten complete travel plans on individuals, including copies of all of their airline travel for the year, by asking the travel agent to fax it to me. Most people in the world are not security aware.
Limit the information that you give to others including your secretary to only what is needed. You must keep all confidential information with you and not in your computer case.
When using communication lines in clients’ offices and hotels, be aware that they could be monitored. In many countries it is common practice for the government to monitor all activities of foreign businessmen. There have been documented cases where entire commercial aircraft had every seat bugged to hear the conversations of businessmen.
Steps that you can take to limit your risk are to brief your employees on the risks and common practices of "Competitive Intelligence" operatives. Make them aware of the limitations of your system, such as Firewalls or PKI etc. Secure the LANs between sites. If there is not a need for connection to the internet, disconnect it. Advise them to carry their own printers when traveling and to use the FAX in their computer to reduce the chance of a third party seeing classified information.
Limit the information that is provided in meeting and conference rooms in hotels. Have those rooms and your hotel room swept for compromised communications. Carry a portable shredder and copier if you are going to need to make copies. When working trade shows, be sure that the staff are well versed in what information is classified. Many inexperienced and overzealous employees give far too much information to your competitor.
Never leave classified information on your hard drive. If you do not have a CD Writer, carry a Zip drive, external hard drive or memory stick and work from them. Carry the memory stick or external hard drive in your pocket or separate from your computer, so that if the computer is stolen you will not lose your confidential data.
Always remember that phone lines are not secure and if there is a way for the person on the other end to read or hear something that you are sending or saying to them, there is a way that someone in the middle can read or hear that data also.
The following is a list of some of the items that your presenters carry with them while they are traveling.
Notebook Computer
Computer carrying bag
RJ-11 cables
Acoustic coupler
Wireless access point
RJ-45 jack on the desk
ASUS WL-330 WAP (It also functions as a wireless repeater and Wi-Fi adapter for non-Wi-Fi laptops)
Transformer
A short RJ-45 connector cable, Long RJ-45 cable
PDA-size carry wallet
Echo Indigo PC Card audio adapter
3M Privacy Filter (Blocks seeing your laptop screen if not directly in front of it)
Retractable cables
Zip-Linq line (phone, Ethernet, USB, FireWire) In-line couplers like GoldX QuickConnect kit, five possible USB cable combinations
Equipment bags with mesh sides
PDAs that can be recharged from your laptop's USB ports
AC/car/airplane transformer
Small flashlight, Spare battery
Small digital camera
Noise-canceling headphones
MP3 player
Microsoft portable mouse (and the ultrathin 3M mouse pad for use on glass hotel desktops)
Several CD-Rs for backup
Portable CD Carry case
Spare CompactFlash and Secure Digital cards, and cases
Security devices, Steel cable, or Audio Alarm
Wi-Fi hot spot locator
We would like to thank you for your time, and if you have any questions you may reach Ron or me at the ITSC table in the lobby or you may reach us by email at the below email addresses or our web sites at or Thank you again for coming and may you have a safe trip home and we look forward to seeing you next year.