eSecurityPlanet columnist Ken van Wyk tells us how to protect our data when we're on the road... whether we're using a laptop, a PDA or a smart phone.
During the past few months, I've reverted to being a "road
warrior" of sorts. Apart from spending far too much time with my 1K
buddies over at United, all the travel has made me think about the
security of the data on my laptop, PDA, and (Linux-based) phone.
Think about it a bit... How do you protect your data on your traveling
laptop? Chances are that your company supplied you with a laptop along
with the usual suspects of security software: anti-virus, personal
firewall, and maybe even some anti-spyware software. If you're really
lucky, you also got some encryption software and such with that laptop --
even if you had to buy it and install it yourself.
But what about your data? Allow me to explain.
While traveling, I've been watching what other travelers do, in addition
to being perhaps a bit overly paranoid about my own data. Here are a few
things I've noticed:
- We all have some of our own stuff on our laptops, personal
electronic gizmos, and such. It probably covers a spectrum from 'so what
if I lose it' (e.g., copies of our favorite music files) to 'I don't want
anyone else to get this' (e.g., local copies of personal finance
management software). You've probably got some personal email, as well.
- Consider, too, the shared security attributes of the sites that we
connect to. Ever use that public access 'business PC' at the hotel to
print out your boarding pass for tomorrow's flight home? How did you log
into the airline's Website? Do you use that username/password anywhere
else? Not a problem, you say, since the Website is SSL encrypted? Don't
take that confidence to the bank!
- When we travel, we're not always as careful as we ought to be about
our data. When you put your laptop through the airport security
magnetometer (sometimes erroneously called a metal detector), do you make
sure your laptop went in before you walk through yourself? When you're at
a business meeting, do you leave your laptop in the meeting room while
you and your buddies go out to lunch? When you leave your hotel room at
night, do you leave your laptop in the room?
Are you thinking I'm being too paranoid? I've heard that many times.
However, consider this: I've had two laptops stolen out of the trunk of
my car in broad daylight while attending a conference, and I've had my
hotel room broken into and personal items stolen twice while on vacation
with my wife (in the paradise of Hawaii, no less!).
I'm not making up bad things that might happen. I'm responding to bad
things that have happened to me. If that doesn't make a (security) guy
paranoid, I don't know what will.
So, here are a few suggestions on how you might want to protect your
data. Well, you also can protect your company's data this way, but let's
not kid ourselves as to why we really want to protect what's on our
- Be paranoid and vigilant. Keep your valuables with you at all times.
Sure, it's a pain to carry that bulky laptop bag to lunch, but it's worth
- Never, never, never enter re-usable username/password credentials on
a public access computer. The chances of that computer not being a
veritable digital petri dish of malware are very low. The chances of
someone else snarfing your username/password or other sensitive data --
you didn't use a credit card there, did you? -- are significant.
When I use a hotel's printer, I put the file I want to print onto a USB
stick and take the USB stick to the public access PC to print the file.
If I'm feeling really dirty after that, I re-format the USB stick on my
Linux machine at home. (Even printing directly from a Web application
(e.g., airline boarding pass) is easy this way if you use a virtual
printer like eFax (www.efax.com) to capture the printer output and save
it into a .TIF file.)
- If you travel with a PDA, smart phone, or other personal electronic
devices, make use of all of the security features that they have to
offer. For example, my phone is GSM-based, and I use the PIN lock feature
to lock the small SIM smartcard inside the phone. That way, if someone
gets my phone, they'll have to enter the PIN to use it, and after three
failed entries, the SIM locks itself and all the data on it. That won't
stop everyone, but it'll sure slow down a lot of people.
- If you use wireless networks when you travel (and who doesn't these
days), be certain to use good personal firewall software on your PC, as
well as an IPSec-based VPN to connect to your office network, if at all
possible. That'll keep the miscreants at public hotspots at bay. At
least, they'll be more likely to go after someone else...
- Encrypt the stuff you don't want anyone else to see. Oh, and store
that stuff on small, removable media that you keep with you at all times.
I grabbed a 1 gigabyte USB2 stick about a year ago from one of the
megastores when it went on sale for about $40. In fact, I keep a few USB
sticks with me. They're perfect for protecting my most important stuff
(like draft copies of these columns, of course).
- The stuff that's too important to keep even on a USB stick that
stays with you at all times should not be traveling. I have a couple of
PGP secret keys that don't leave home, for example. I also don't travel
with the RSA one-time password that I use to access my investment funds.
That stuff can wait until I'm home. The ox is slow, but the earth is
- Oh, and you do have backups at home, right?
If you're thinking all of this advice is fine and well, but it would take
far too much time to actually implement, consider the amount of time and
effort it'll take you when someone steals your identity and riddles your
personal credit history with all sorts of nasties that you could have