10 Don’ts authors Eric Rzeszut and Bryan Lewis (both of the University of Virginia’s McIntire School of Commerce) have published a new article in EDUCAUSE Review. Entitled “Designing IT Guidelines for Global Travel,” the article points out the information security risks inherent in international travel for academics. The article also offers guidelines on how faculty, staff, and students can better protect their devices and their data, as well as a discussion of the legal ramifications from US and foreign perspectives.
“Global programs present a unique challenge for most universities. In addition to the educational experience, global program coordinators take on the responsibilities of student health and safety while shuttling students across time zones and countries. With the major logistical effort required to transport students around the world for academic pursuits, technology concerns can be an afterthought. By working closely with travel coordinators, IT departments can ensure that all parties are in compliance with operational, security as well as legal requirements as they travel in foreign lands.”
Designing IT Guidelines for Global Travel
Without the profanity, we discussed Microsoft’s new Wi-Fi Sense “feature” in chapter 7 (“Don’t Be Careless with Your Phone”) of 10 Don’ts. We called it a “potentially enormous security risk,” and Gizmodo would seem to agree:
“Look, Microsoft. Just because I am Facebook friends with someone, doesn’t mean I want to share my wifi passwords with them.
I’m not really complaining about the existence of the feature in the first place — I can see how it could be helpful, if you’re a non-data-plan-having tween hopping between various wifi-enabled basements. It’s the fact that Wi-Fi Sense is enabled by default, and most people will never know that it’s there.”
Full story: Gizmodo
“Anthem, the US’ second-largest health insurer, announced today that it was the victim of a cyber-attack last week, in which its database of about 80 million records — including names, birthdays and social security numbers — was compromised.
Anthem reports that other personal member data like addresses, phone numbers, email addresses and employment information was also stolen. However, the company says that it has no evidence to show that credit card numbers, medical history, diagnosis or treatment data were exposed.”
Too early to know the source of this hack, of course. But as we point out in 10 Don’ts, many of these attacks are made possible by human error: someone being phished or otherwise socially engineered out of a password, someone storing private data in a public location, someone performing sensitive tasks over an open wireless connection, etc.
Full Story: The Next Web
In Chapter 5 of 10 Don’ts, we discuss some of the dangers in using wireless networks. Though we focus mainly on public wifi networks, we also look at ways to better secure the reader’s home network.
We discuss the controversial Comcast/Xfinity plan, announced earlier this year, which adds a “secondary” wireless channel to subscribers’ home routers. This secondary channel is freely accessible to other Xfinity users who may be in the area. Comcast claims the subscriber’s personal data is not at risk and that the subscriber will not incur additional charges; however, individuals and groups have disputed these claims.
Now, two San Francisco women have filed a class-action lawsuit against Comcast and this “connection sharing” arrangement:
Two East Bay residents are suing Comcast for plugging their home’s wireless router into what they call a power-wasting, Internet-clogging, privacy threatening network of public Wi-Fi hotspots.
The class-action suit, filed last week in U.S. District Court in San Francisco on behalf of Toyer Grear and daughter Joycelyn Harris, claims Comcast is “exploiting them for profit” by using their Pittsburg home’s router as part of a nationwide network of public hotspots.
Full story: SFGate
Chapter 5 of 10 Don’ts is entitled “Don’t Do Secure Things from Insecure Places.” A proposed New York City-wide wireless network might certainly be an “insecure place”!
“New York City is looking to replace its antiquated public pay phones in order to bring the five boroughs what it claims will be the largest and fastest free municipal Wi-Fi network in the world. While providing Internet access to the hustling and bustling masses of the Big Apple is undoubtedly a step toward the future, there are also risks to consider.”
Full story: Newsweek
In chapter 5 of 10 Don’ts, we discuss the use of Virtual Private Networks. VPNs can be used when away from the office (from home or on the road) to securely access corporate resources. VPNs can provide a level of security even when the user is on an insecure network (such as a coffee shop or hotel wireless network).
Yet, like any other tool, VPNs can be exploited. A recent attack on the US Postal Service may have been conducted by an outsider over their corporate VPN:
“Did the hacker who breached the United States Postal Service computer system gain access through its virtual private network? It’s unclear, but a USPS spokesman revealed the shuttering of the VPN around the same time the Postal Service acknowledged the breach.
The Postal Service on Nov. 10 said it had recently learned of a cybersecurity intrusion into some of its information systems, but provided few details about the breach. Records of more than 800,000 employees were exposed in the intrusion, USPS said.”
Full story: InfoRiskToday
In Chapter 5 of 10 Don’ts, we advise the reader: “Don’t do secure things from insecure places.” We include warnings against using hotel wired and wireless connections to conduct sensitive transactions, since there is no way to know who might be eavesdropping on the data. Hotel employees, other guests, or hackers camping out in the lobby might be trying to steal your data.
A recent analysis by Kaspersky Lab showed that there has been an ongoing, sophisticated threat of this nature in Asia, where attackers targeted corporate employees from specific sectors:
“Security researchers have uncovered a sophisticated industrial espionage campaign that targets business executives in luxury hotels across Asia once they sign on to computers using in-room wireless connections they consider private and secure.
The attacks, which go well beyond typical cybercriminal operations, have claimed thousands of victims dating back to 2009 and continue to do so, Kaspersky Lab, the world’s largest private security firm, shows in a report published on Monday.
Executives from the auto, outsourced manufacturing, cosmetic and chemical industries have been hit, the security firm said. Others targeted include military services and contractors.”
Full story: Business Insider
As a 10-day countdown to the October 20 launch of 10 Don’ts on Your Digital Devices, each day an excerpt from a different chapter will be published here.
Chapter 5 of 10 Don’ts is entitled “Don’t Do Secure Things from Insecure Places.” A salesman named Tom helps illustrate our points about keeping your private data off untrusted wireless networks.
Tom is a senior sales associate for Magnatec Inc. (MTec), a large, US-based business-to-business (B2B) electrical parts supplier. He has current customers in 42 of 50 states and the potential for customers in all 50. Not surprisingly, Tom spends a great deal of his time on the road making sales calls to potential customers and servicing current customers. MTec has assigned him the typical road warrior “tools of the trade”—a laptop, tablet, and smartphone. All of Tom’s gear is preconfigured by his corporate IT department. Tom takes advantage of Internet access wherever he happens to find himself: hotel rooms, coffee shops, customer conference rooms, fast-food restaurants, public restrooms, etc. He is totally indiscriminate and approaches the decision to use an available Wi-Fi network based solely on convenience. When he finds a reliable and fast Internet connection, Tom often has four to six hours of work to catch up on. This can include entering new sales orders, sending queries to his sales team, requesting technical support, submitting receipts for per diem reimbursements, and the like. Tom is on the road roughly 150 days a year, so he’s often catching up on his personal to-do list as well. Paying bills, checking credit card statements, and sending receipts for tax purposes to his accountant are all on his list.
Tom spends little or no time considering the security of the wireless networks he uses. What’s more, as readers are likely to have guessed from the description of his behavior, many of these networks are completely open, available to all of the customers at a coffee shop or the guests in a hotel at any given time. Recently, MTec introduced a virtual private network (VPN) service to more effectively protect company data in transit. MTec employees have been instructed to connect to the VPN when on the road and transmitting or receiving company data. Because connecting to the VPN requires a second (and separate) step, after connecting to Wi-Fi, Tom (along with many other MTec employees) often “forgets” or neglects that step. This puts employees’ company data (and their personal data) at serious risk.
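One way an IT department can take the “forgotten second step” out of Tom’s hands is a pre-flight check that refuses to start sensitive work unless the host’s routing table actually sends traffic through the tunnel. The script below is an added example written for this post; it is not code from the book or from MTec, and it assumes a Linux laptop where the VPN client creates a tunnel interface named tun0 (the interface names, addresses and the two routing tables are constructed for illustration). It also handles the case where the VPN client installs the pair of 0.0.0.0/1 and 128.0.0.0/1 routes, as OpenVPN’s “redirect-gateway def1” does, instead of replacing the default route outright.

```python
"""Pre-flight check: is the VPN tunnel actually carrying our traffic?

Added example (not from the book): parses Linux `ip route` output and
decides whether the default route, or the pair of /1 routes that OpenVPN's
`redirect-gateway def1` installs, points at the tunnel interface.
Interface names (tun0, wlan0) and all addresses are constructed samples.
"""
import ipaddress
import re
import subprocess

# Matches "default via 192.168.1.1 dev wlan0 ..." and "10.8.0.0/24 dev tun0 ...".
ROUTE_RE = re.compile(
    r"^(?P<dst>default|\S+)(?:\s+via\s+(?P<gw>\S+))?\s+dev\s+(?P<dev>\S+)"
)


def parse_routes(route_text):
    """Return a list of (network, device) pairs from `ip route` style lines."""
    routes = []
    for line in route_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # blackhole/unreachable entries carry no device; ignore them
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, m.group("dev")))
    return routes


def interface_for(routes, address):
    """Longest-prefix match: which device would carry a packet to `address`?"""
    addr = ipaddress.ip_address(address)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def vpn_protects_traffic(route_text, tun_iface="tun0", probes=("8.8.8.8", "203.0.113.10")):
    """True only if every probe address (one in each /1 half) would leave via the tunnel."""
    routes = parse_routes(route_text)
    return all(interface_for(routes, p) == tun_iface for p in probes)


def live_check(tun_iface="tun0"):
    """Run the check against the real routing table of this Linux host."""
    out = subprocess.run(["ip", "route"], capture_output=True, text=True, check=True).stdout
    return vpn_protects_traffic(out, tun_iface)


# Constructed sample: Tom joined the hotel Wi-Fi but never started the VPN.
ROUTES_WIFI_ONLY = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
"""

# Constructed sample: the VPN is up; the two /1 routes override the Wi-Fi default
# route, and only the VPN server itself (198.51.100.7) is still reached via Wi-Fi.
ROUTES_WITH_VPN = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
198.51.100.7 via 192.168.1.1 dev wlan0
"""

if __name__ == "__main__":
    for label, table in (("wifi only", ROUTES_WIFI_ONLY), ("vpn up", ROUTES_WITH_VPN)):
        status = "protected" if vpn_protects_traffic(table) else "UNPROTECTED"
        print(f"{label}: {status}")
```

Wrapping the corporate tools in a launcher that calls `live_check()` first, and refuses to continue when it returns False, turns the VPN from something Tom has to remember into something the laptop insists on. The probe addresses are deliberately one in each half of the IPv4 space, so a tunnel that only captured 0.0.0.0/1 would still fail the check.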