|Cyberspying : 2008 : Frequency-X Blog : Blog : Home|
Posted by Gunter Ollmann on July 18, 2008 at 5:14 PM EDT.
Should you be worried about cyberspying as you travel the globe? A recent article in the Wall Street Journal – “U.S. Fears Threat of Cyberspying at Olympics” – discusses the dangers posed by Chinese hacking groups to travelers heading over for the Beijing Olympics. In particular, whether (and how) the U.S. government should publicly warn businesspeople and travelers of the threat.
Merrily skipping past the political connotations of cyberspying, I think it would be prudent to take a look at the advice business travels and their corporations should be following.
Having traveled extensively in these regions and had all sorts of cyberspying run-ins myself, and having sent many consultants onsite to competitive and hostile environments around the world who have had similar “war stories”, I can testify to the need to adopt as many of these safety measure as possible.
While there is an emphasis on foreign travel, having seen the way my laptop IPS software flashes warnings continuously (port scans, worm attacks and vulnerability scans) whenever I connect to practically any international hotel chain’s in-room Internet connection, you may want to apply this advice to any out-of-office travel destination here or abroad. In fact, I suspect that you’re at just as much risk of cyberspying when bringing a laptop to Caesars Palace during the August Blackhat in a few weeks time, compared with traveling to the Beijing Olympics.
So, who’s the target for cyberspying? The U.S. Cyber Consequences Unit has created some guidelines on the topic and identifies your laptop could be at risk if your company is:
(or, if you’re at a technical security conference anywhere in the world, you may want to also add “just because your laptop happens to be within range”)
The advice given to business travelers when traveling abroad by the U.S. Cyber Consequences Unit is:
Now, as I read through all this advice, I know that I simply cannot follow it all. Sure, it would work if I only had to do a presentation and nothing else, but if (as usual) I also have to do my normal work while I’m traveling abroad (no rest for the wicked) – answering emails, completing strategy documents, writing proposals, joining conference calls, etc. – this advice is impractical for me, and would become more impractical the more frequently you have to travel on business (especially if your business is IT consultancy).
Don’t get me wrong, the advice listed above is excellent, but I know for a fact that I could not employ it completely for the work I need to do abroad. In fact I’ve implemented many of these myself over the years. For comparrison, here’s a list that I tend to make do with when traveling:
Having read through the U.S. Cyber Consequences Unit’s advice, I think I’ll also be adding one more item to the list:
I like that idea, and hadn’t really given that a though in the past. It would certainly enable me to spot a laptop keylogger quicker whenever someone tries it in the future.