Your Vacation Checklist: Cyber Edition
by Glenn A. Stout, Ph.D., CISM, GSEC, PMP, Managing Consultant, Governance & Compliance Services. This was adapted from an article published by Halock Security Labs, which serves as our security consultant.
As families prepare to take to the beaches, resorts and other vacation spots all over the world, bad actors also preparing attacks on the unsuspecting.
The younger generation will always remember to pack the essentials for their trips, but they tend to overlook security precautions. Here is a quick list to remind your family how to be cyber-safe on your trips and make your vacations memorable for the right reasons. Let’s take a look at some common attacks and how they implemented.
Hotels, resorts, and other public areas could offer “Free WiFi”. Bad actors love to exploit this. Here are 2 general ways:
- Simply attack the official WiFi connection source
- Create a rogue WiFi connection hoping to get some unsuspecting users to connect
Let’s look at both of these attacks.
Skilled attackers could get control of the official WiFi connection itself, and “capture” the data you are sending out. In this case, you are using the official WiFi, but the bad actor is intercepting and reading the data you are sending into the “air.” If that data is unencrypted, the bad actor will have that data.
If you were in a hotel, and you forgot the name of the WiFi network that was told to you at the hotel check-in desk, and you saw on your list of possible connections (where “Hotel” may be the actual name of the hotel you are in):
Hotel Guest Premium
Which would you connect to? You would most likely choose the second one. However, in this example, the “Hotel Guest Premium” WiFi connection is managed by the bad actor in the hotel room on the next floor, or right outside of the building. It will work perfectly, you will get internet access, but all unencrypted data that flows from your device though that access point is now in the possession of the bad actor.
It is also possible they will create a connection that is identical to the real one – so if you see 2 identical WiFi options, that is also cause for concern.
What you can do to minimize the risk of a WiFi attack:
The easiest and safest approach is to use a “personal hotspot” that you may get from your cellular provider. This is your own personal WiFi connection that you know is secure, it does not use the Hotel WiFi at all, it uses your cellular connection. However, depending on your provider, costs, and cellular connection, this may not be the best option.
If you must use the public/hotel WiFi:
- Non-Technical Controls:
- Ensure that you get the actual name of the WiFi from the hotel and use that connection. Some are straight forward, but if the hotel has conventions, and special programs, there may be several similar ones to choose from, which gives the bad actor the advantage to confuse you.
- If you see two identical connections, alert hotel management and do not use.
- If there is an option to use some type of code or password, take that option rather than an “open” “no password” version, if there is a choice.
- If you are required to create your own password to use for the duration of your trip – use a password that you have never used anywhere else before (this should be your everyday rule, but just a reminder).
- Technical Controls:
- Look at the web address at the top of your browser – always check to see that the ‘s’ is in the web address where you have https:// to ensure your traffic is encrypted. Check to make sure your browser session is showing the lock icon when submitting credentials, credit card, or other sensitive information.
- Encrypt your WiFi network traffic. The technology used to encrypt traffic is called VPN – or Virtual Private Network. This is generally placed on your “work” laptop. But what if you are on your personal device? I personally am using a tool that secures the connection of my devices, including my phone (when using WiFi) on my upcoming trip, and I intend on loading it on my family’s devices as well.
- While I don’t endorse products, I chose one from this list to try on a trial basis – some are free, and some come with a 30-day trial.
- Turn on VPN encryption every time you are using your computer or phone with the hotel WiFi for an encrypted connection. If the worst happens, and the bad actor somehow gets control of the connection, and your traffic is encrypted, then the data is still secure.
General Security Preparation Before a Trip
- Ensure there is a least a 4-digit PIN on everyone’s phone
- Back up all phones and tablets before the trip
- Adjust phone settings to erase all data after 10 failed attempts at the PIN – phones are often lost or stolen at beaches and clubs, if lost, the data will be safe – you backed it up, remember?
- Enable the “find my phone” app, and be sure you know all necessary passwords
- Remove all non-secure data such as passwords saved in notepad or pictures.
- Load your VPN app onto the phone, be sure you know any necessary password and test it. Set it to run automatically.
- If you don’t have one already, download and start using a password vault for all passwords. Here's a list of some free ones.
- If you have apps that directly log you into places like your bank account or credit card (without an additional password entry or thumb password) – delete the app at least for the duration of your trip.
- Note that similar actions can be taken for tablets
- Ensure that your computer requires a login and password – many “personal” laptops do not have any password or pin. Create a password that is not a single character or something simple.
- Clean it up! Delete old files that you don’t need anymore. Case in point, I was working on my taxes on this laptop last year, and some tax files were still on it. Backup and remove all data that you don’t need on the computer.
- Do a full backup of the computer.
- Do Windows update – don’t wait for the automatic one to kick in – manually do it now, run every update until it comes back “fully up to date.”
- Update your virus protection software, run an update and then do a full system scan (let it run overnight – do a full scan).
- As stated above, load your VPN software on all devices (computer, phone, tablets) that will be using hotel or free WiFi.
- If your browser “remembers” many of your passwords, disable that feature or completely clear your cache where you have to manually key in your passwords – especially to sensitive data sites like banks. If all the bad actor has to do is open a browser in your computer and try all the different bank websites, they will find one eventually where you have already provided the login and password that the browser remembers.
Social Engineering is an approach used by bad actors to convince the victim to hand over something – just by talking to them. There is generally no sophisticated “hack” or cyber-attack necessary in most cases. There is a cyber component, as the bad actor social engineers generally have to do research on their potential victims. These 2 examples of social engineering attacks are somewhat disturbing, but it is good to know what is going on out there. One of the most upsetting types of attacks is the “fake kidnapping” scam, or sometimes the fake “I am in jail” ploy. This also takes social media into account in at least the first case.
The bad actor “online stalks” a college student that has gone on vacation on some beach or foreign country, and gathers their home information, especially parent contact information. By following their posts, they learn of a special “day trip” (on a boat, a scuba trip, etc.) where the student will not be accessible for several hours via cell phone. Once out on the sea, the bad actor contacts the parents, tells them they have “kidnapped” their child, and demand a wire-transfer for ransom. Of course, the student is not available via cell phone, and the “kidnapper” will always press the parents for time – measured in minutes and hours for a ransom payment.
Fake "I am in Jail
This is more likely to happen to a non-parent of a teen. This actually happened to me within the past 60 days. I have a 20-year-old son, and someone who was pretending to be my son “Jack” called my 83 year old mother (“his grandmother”) in an assisted living facility. Being on the spectrum of memory disorder/dementia, my mother was glad to hear from her Eagle Scout grandson, but was distressed to hear that he was “in jail” and needed $20,000 to make bail. When grandma asked, “is this Jack?” – he of course said “Yes” – and now the bad actor had an actual name to use. Why did he not sound like his normal self, Grandma asked – the answer was quick and believable – he was in a fight and his mouth got injured. “Don’t tell dad I will get in trouble” – the fake Jack said. Our story ended well, as Grandma did not have any money to give, and since my son was simply sitting in class, a couple phone calls and texts settled the matter. Point is, these scammers are on the prowl, and they are very good at this.
What to do:
- Adjust social media account settings to be max private – certainly not “public”
- For a period prior to the trip – don’t post public posting about where anyone is going (Instagram, tweeting, other public postings)
- Do not make any posts DURING the trip – wait until you are home before you post pictures of; the flight, the first day, what you have for dinner on day 2, the ticket for your day long SCUBA trip the next day, etc.
- Make a communications plan with the student, where even a simple text to connect here and there during the trip will keep all parties in touch.
- Ensure the student makes parents aware of any trips where the student will be without their phone.
This article was not created to unnecessarily scare anyone. The goal was to provide reasonable controls to students and families to take so that their vacation is enjoyable and hopefully free from cyber-issues. Like anything else, bad actors are trying to find those that are easily susceptible to their approaches – they are checking doors to see which ones are open. I encourage you and your family to close as many of these doors as you can. If your “door is closed” the bad actor will move on until they find an open door – hopefully not yours.
Have a safe trip!