A Traveling Executive’s Guide to Cybersecurity

I read this article on Oodaloop. A site I follow frequently. I found this article to be important not only for Businessmen/Women but also for each one of us in our everyday lives. Governments world over are using means to pry on our lives and work. It therefore, becomes even more important to be aware of good security practices. I am reproducing the article as it is without any edits.

One of the most frequent questions we are asked by global executives and their security teams is how to protect their information and technology systems while traveling abroad.

With this in mind we built this reference with an eye towards serving the OODA members who travel abroad for business, especially those who will operate in a nation that is NOT a Western style liberal democracy.  Of course, these tips also apply to individuals traveling abroad for non-business purposes or who just want to improve their overall individual security posture.

Understand the Threat

Your security team should be dynamically tracking the threat to your enterprise and your executives as well as the general threat issues associated with your travel destination.  Executives should be provided with a tailored threat briefing prior to high risk travel, but in general they should understand that:

  • Foreign governments target traveling business people and government employees to steal information of use to the government and will often share captured intellectual property with internal businesses.
  • If you are traveling for business purposes, you can assume that you are of interest to a hostile foreign government.
  • Since these governments control the physical space they can use their authority to separate people from their equipment. When there is physical access to a device the likelihood of a potential penetration increases significantly.
  • Some governments will also compel travelers to log into their devices for inspection, which raises the likelihood of compromise of the device by malware which can be controlled by the government.
  • Criminal groups and governments operating overseas can also control networks, including hotel networks and WiFi. This can raise the possibility of intercepting sensitive information.
  • Some governments will force individuals to NOT use VPNs so the communications can be monitored. This also introduces risk.
  • In some high threat countries, there is also a risk of very high resolution cameras being trained on keyboards to capture login credentials.
  • Background information for future attacks can also be gathered by people around you during travel, including people who pose as travelers themselves but also hotel staff, business associates, drivers, guides, translators and other assistants.
  • Even “safer” travel destinations are not safe as hostile governments often conduct intelligence and espionage operations on foreign soil.
  • You can assume that intelligence and espionage operations are being conducted at all major industry events and conferences, regardless of their host location.

If your organization does not have a threat intelligence team, reach out to OODA and we can help produce a more tailored threat briefing.

Raise Your Defenses

Given these threats, how can you protect your digital information and electronic devices while you are traveling?  Our recommendations are broken down into three distinct categories depending on the location of travel and the assessed threat level.

  • Tier 1:  The minimum essential cybersecurity best practices that should be incorporated into every trip and an executives’ daily cyber hygiene.
  • Tier 2:  Additional protections that should be put in place for travel to some countries or by organizations that want to adopt a more robust security profile.
  • Tier 3:  Advanced security practices for travel to high risk countries or for highly targeted executives.

Tier 1 Cybersecurity Practices:

  • Enable two-factor authentication for all cloud services.
  • Use secure encrypted messaging services instead of SMS or other insecure chat services. Additionally, many of these services also allow for encrypted voice and video calling. It is very hard for even hostile intelligence services to break communications to or from reputable secure messaging systems. We recommend Wickr Pro given its robust encryption, group chat, secure file sharing, and enterprise management features.
  • Use mobile devices that have a track record for robust security patch implementation or provide additional security features as part of their standard offering. You should prioritize the use of mobile devices from these manufacturers:
    • Apple
    • Google Pixel phones
    • Blackberry
    • Samsung
    • Essential
  • Utilize password management tools to track and manage passwords. Enable two factor authentication for access to your password manager. We recommend Dashlane and 1Password as solutions.
  • Use a portable USB device with hardware based encryption. We recommend the Aegis Secure Key (Link).
  • Ensure your laptop and other devices are patched and that all applications are patched as well. If you are bringing a laptop, make sure you enable hard drive encryption. This will not stop a dedicated hostile intelligence service, but may slow them down a bit, and may stop lower level criminals.
  • Do not use USB charging ports offered in hotels, airports, or other locations. Always use your charging brick or utilize a special USB data blocker. A data blocker will prevent the USB connection from being used for data purposes and prevents a USB compromise of your device (referred to as Juice Jacking). We recommend the PortaPow Data Blocker (Link).
  • Only connect to cloud services and applications using SSL/HTTPS connections.

Tier 2 Cybersecurity Practices:

  • Only travel with essential devices. Consider using an Apple iPad or mobile phone instead of bringing a laptop.
  • If you must bring a laptop, make sure your IT department has wiped all extraneous data from the hard drive and that you are only bringing information essential to the trip. Keep in mind that governments have access to forensic tools that will let them recover most data from hard drives, even those that have been erased via traditional deletion methods. If you cannot confidently state that no sensitive data has ever been stored on that device, considering buying a new one before traveling.
  • Enable a self destruct password for your encrypted USB key. We recommend you use a self-destruct password that might be easily guessed by someone who gets physical access to the device. For example, if they try your phone number as the PIN, the device will erase all contents.  Use of your phone number as a self-destruct code is also easier to remember under duress.
  • Use a hardware based solution for two-factor authentication and keep the device on your person at all times. These devices support one-time passwords, public key encryption, and authentication and are considered by the security community to provide the highest level of security for authentication purposes. Yubikey (Link) and Google’s Titan Security key are recommended solutions.
  • Create a separate user for password management solutions and share only essential passwords with that account. When traveling, use your “travel user” account and not your primary password manager account.
  • Never let your device leave your control. This includes never leaving it in the hotel room. The hotel safe is NOT safe. In fact, you should assume that it is designed to let hostile intelligence services get in fast.
  • Utilize VPN technologies to mask and protect communications.
  • Use a secure cloud browser for required web service access. We recommend Authentic8 (link) as a solution.
  • Obtain a travel safety briefing detailing particular risks for the travel destination, highlights recent security incidents, and “in case of emergency” recommendations that includes contact details for the local embassy or consulate.

Tier 3 Cybersecurity Practices:

  • Disable biometric authentication for your electronic devices and require a robust passcode for each login.
  • Remove cached two-factor authentication logins for cloud and enterprise applications requiring the two-factor PIN or hardware token to be used for each login.
  • Enable Wickr Open Access which uses a series of globally deployed proxies and protocols to help avoid censorship protocols that might restrict communications.
  • Utilize “burner” mobile devices that will be discarded or re-purposed after travel. We recommend wiping them clean and donating them to specialized non-profit organizations.
  • If email is required, use trip specific and non-enterprise secure email solutions. Create a dedicated account for travel and instruct colleagues and assistants to direct urgent messages to that account.
  • Only use dedicated VPN hardware to obtain internet access over untrusted locations like hotel WiFi, preferably hardware that will also intercept and process captive portal access controls.

A Concluding Scenario:

Consider an executive who travels to nations with hostile intelligence services but needs to stay in touch with HQ while on the go. This executive has decided to travel with her iPad and use it exclusively during travel. She downloads the Wickr Pro application to her iPad and instructs her team to direct all communications to Wickr Pro. She also has her IT department provide her with a Yubikey (or buys one herself) and connects it to the iPad via a Lightning to USB connector. She uses iCloud and/or Google Docs and turns on multi-factor authentication on both using the Yubikey.

When this executive needs to send and receive email she interfaces with her corporate email via the mail app on her iPad (she will use multi factor login to send, receive and read the mail). She uses Wickr for all messaging, including voice conversations. She takes notes using a cloud synced service like Google Docs, Apple Notes, or Microsoft OneNote.

Our hero in this story also does NOT allow her iPad out of her sight. It is with her at all times. When she charges it she uses a USB data blocker cable or adapter so that only power it flowing through to the device.

Guess what? There is still some risk in this scenario, but the risk has been significantly mitigated. Even the Chinese Ministry of State Security will need to think through how much of an effort they will want to mount to penetrate the operations of this savvy executive.

Importance of Strong Passwords

Millions of people are using easy-to-guess passwords on sensitive accounts, suggests a study.

The analysis by the UK’s National Cyber Security Centre (NCSC) found 123456 was the most widely-used password on breached accounts.

The study helped to uncover the gaps in cyber-knowledge that could leave people in danger of being exploited.

The NCSC said people should string three random but memorable words together to use as a strong password.

Sensitive data

For its first cyber-survey, the NCSC analysed public databases of breached accounts to see which words, phrases and strings people used.

Top of the list was 123456, appearing in more than 23 million passwords. The second-most popular string, 123456789, was not much harder to crack, while others in the top five included “qwerty”, “password” and 1111111.

The most common name to be used in passwords was Ashley, followed by Michael, Daniel, Jessica and Charlie.

When it comes to Premier League football teams in guessable passwords, Liverpool are champions and Chelsea are second. Blink-182 topped the charts of music acts.

People who use well-known words or names for a password put themselves people at risk of being hacked, said Dr Ian Levy, technical director of the NCSC.

“Nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band,” he said.

Hard to guess

The NCSC study also quizzed people about their security habits and fears.

It found that 42% expected to lose money to online fraud and only 15% said they felt confident that they knew enough to protect themselves online.

It found that fewer than half of those questioned used a separate, hard-to-guess password for their main email account.

Security expert Troy Hunt, who maintains a database of hacked account data, said picking a good password was the “single biggest control” people had over their online security.

“We typically haven’t done a very good job of that either as individuals or as the organisations asking us to register with them,” he said.

Letting people know which passwords were widely used should drive users to make better choices, he said.

The survey was published ahead of the NCSC’s Cyber UK conference that will be held in Glasgow from 24-25 April.

New Malware Attacks

Just when you thought you had all of your defenses in place when fighting Malware, Cyber Attacks, and Ransomware… think again! Cybercriminals are busy crafting new methods of attacks that are ready to take your data for prey and pounce on your personal information. Here are 10 new sneaky attacks to be on the look-out for in the new year!

Rivaling governments and geopolitical cyber-warfare funding the efforts of cybercriminal gangs to create chaos, steal intellectual property, and profit from fraud and extortion by breaching personal data.
New variants of ransomware (including doxware, which threatens to publish sensitive data like browsing histories unless a ransom is paid)
Much more widespread use of cryptojacking (stealing computing resources to mine cryptocurrency without sharing the profits)
More distributed denial-of-service (DDoS) attacks on critical servers and networks, abetted by the conscription of armies of Internet-of-Things (IoT) devices
Increasing use of fileless malware (which never becomes disk-resident, only loads directly into memory, and thus evades many signature-based endpoint anti-malware measures)
More synergistic attacks (in which multiple malware attacks are injected onto a system and the poorest-defended one activated using AI and ML to improve attack techniques
Continued reliance on phishing as the most effective attack vector for malware, with more sophisticated attacks targeted at higher-value individuals.
Increasingly target cloud services and edge computing environments with malware attacks
Enslave legions of IoT devices for use in DDoS and cryptojacking attacks
Exploit the new attack surfaces and rich data targets presented by 5G networks and applications.

A Threatpost Report : Attackers Completely Destroy VFEmail’s Secure Mail Infrastructure

“Every file server is lost, every backup server is lost.”

A catastrophic, smash-and-destroy cyberattack has eliminated the U.S. infrastructure for secure email service VFEmail. It’s a rare example of a purely destructive offensive, apparently unmotivated by financial gain or espionage goals.

An attacker wiped out the company’s U.S. servers on Monday evening, including backups, destroying almost two decades worth of user data in just a few hours. VFEmail owner Rick Romero noted that the attack took aim at VFEmail’s “entire infrastructure,” including mail hosts, VM [virtual machine] hosts, an SQL server cluster and the virtual machines themselves.

“At this time, the attacker has formatted all the disks on every server,” tweeted the company. “Every VM [virtual machine] is lost. Every file server is lost, every backup server is lost.”

Romero added that kind of access means that whoever did this had multiple passwords: “If they all had one password, sure, but they didn’t. That’s the scary part,” he tweeted. The company account added, “Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via SSH exploit, and there was no ransom. Just attack and destroy.”

In an update posted to the company’s website, Romero identified the hacker as “last seen aktv[at]” – he caught the malefactor in the act, but wasn’t able to salvage much.

Romero said in the website update that incoming mail was now being delivered, but that getting anything historical back would be unlikely.

While attacks that do nothing more than destroy infrastructure have been launched in the past (think Shamoon, Black Energy, Destover, ExPetr/Not Petya and Olympic Destroyer), the question remains as to why someone would want to take out a niche-focused Wisconsin-based email provider. Wiper attacks and other destructive efforts are generally used to send a political message.

“This kind of destructive attack, with no stated motive or demands, is quite rare,” Chris Morales, head of security analytics at Vectra, said via email. “An organization losing all of their data, and all of their customer data, is a nightmare scenario that could easily put a small company out of business and cause a huge financial impact on a large enterprise. Sony suffered this type of catastrophic destruction in 2014, which was attributed to North Korea.”

Romero intimated that this could indeed signal the end for his privacy-focused company, which he started in 2001: “Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”

Beyond the possibility of a personal vendetta being behind the incident, Justin Fier, director for Cyber Intelligence and Analysis at Darktrace, said that the incident could be attackers simply wanting to cover their tracks after successful data exfiltration.

“It’s easy to imagine the attacker may gotten what they wanted and figured the best way to clean up was to destroy all the evidence,” he said via email. “In the past, this tactic was frowned upon as it is inherently noisy, and many attackers want to be as stealthy as possible. However, we’ve clearly entered a new era of attacks.”

He added, “This attack has some of the telltale signs of nation-state activity and it’s interesting to consider why a nation state might want to do this. What information was on VFEmail’s servers that a nation-state might want to obtain, or, on the other hand, what might they not want found?”

Details are scant in terms of how the attack was carried out so effectively – the multiple password aspect could suggest an inside job. Meanwhile, some security researchers are questioning why there was not better backup in place.

“This raises questions of what disaster recovery strategy was in place and why data wasn’t backed up into cold storage, thus making it unavailable to attackers,” Fausto Oliveira, principal security architect at Acceptto, told Threatpost. “If they had a strategy in place, they should be able to recover at least a substantial part of their customers data. The fact that attackers were able to access and erase all the information demonstrates that the systems were not protected in an effective way.”

Morales meanwhile added that “the first thought that comes to mind is this is a service being sold as a secure email. The second is that if this is secure email then where are the offline backups and archives? Offline backups might not give a full restore to the exact date data was lost, but it would prevent the complete loss of all historical user data. Offline backup is the same strategy organizations are using to counter loss from ransomware.”