Episode 54 Educational Full Transcript

Don’t Get Hacked on Vacation | Travel Cybersecurity Tips

May 12, 2025  ·  28:52

Speakers: Joe Patti (Host), Adam Roth (Host)

Joe Patti 00:05

Welcome to the Security Cocktail Hour. I'm Joe Patti. I'm Adam Roth. Adam, I will say good morning. We are doing this in the morning. It is a coffee edition.

Adam Roth 00:15

Who says I have just coffee?

Joe Patti 00:18

Well, you can keep that to yourself, I guess.

Adam Roth 00:23

You know what? Last year at this time, I was in the Dominican Republic on a beach.

Joe Patti 00:30

I've never been to the Dominican Republic. I guess I got to go sometime. I haven't been to the beach for a while either. Anyway, we are talking about traveling, right? That is the subject for today. A lot of people travel.

Adam Roth 00:43

So when you travel, you're supposed to have American Express traveler's checks.

Joe Patti 00:46

That's a little passé, put it that way. You don't have them anymore. And I think a lot of our audience won't even remember those old commercials. That's crazy.

Adam Roth 00:55

Yeah, I'm old.

Joe Patti 00:58

Spring chicken, as I like to say. Anyway, so yeah, we're going to talk a little bit about traveling. First, I want to remind everyone, please help us if you're in the audience and liking what you see. If you're listening on Spotify or another podcasting platform, please follow us. Send us comments on YouTube, like, subscribe, smash the notifications button. What else?

Adam Roth 01:21

Feel free to put us in your will, should you want to leave a sizable amount of money so we can continue our podcast. Preferably something in the seven figures so we can get a mansion and record from there. Yeah, we're going right past Patreon. We're just like, you know, give us the big score. You know, when I did EMS, and I did it in Brooklyn, there was a volunteer ambulance corps, and the people that lived in that neighborhood were pretty well off, and a lot of the elderly people did leave part of their estate to the ambulance corps. So I'm figuring, let's ride off of that.

Joe Patti 02:02

I see stuff for that all the time, whether it's from like church or charities, local institutions. I belong to a museum or two. They're like, here's how you can include us in your will. I'm like, what?

Adam Roth 02:14

Yeah. Well, a lot of these people were elderly, didn't really have anybody. And I remember one time when I did work in the 911 system, nothing to do specifically about this volunteer ambulance corps. We showed up at somebody's house three in the morning. It was a paramedic unit and an EMT unit. I was the EMT unit. And the paramedic, the woman was elderly. She was lonely. He actually, we spent an extra 15 minutes there and he cooked her breakfast, made her eggs and, um, and toast and everything. And we sat down with her while she ate the meal. And then we left. But the point I'm making is there are people that do appreciate the support and we definitely appreciate the support. So 80% or more of your will would be good.

Joe Patti 02:58

Yes, we'll gladly take it. However, if you have no one else to give it to besides us, you might want to consider reaching out to that once-loved one you hadn't talked to in a while and do a little better than us, I guess, you know? All right. So we were talking about traveling, though, a happier subject than your planning. It's not about estate planning.

Adam Roth 03:21

Well, listen, you're planning to travel to the afterlife.

Joe Patti 03:27

Oh, God, that's scary. Well, if you're traveling to the afterlife, you probably won't need Wi-Fi or Internet connectivity, put it that way, because that's what we're going to talk about.

Adam Roth 03:34

Yes, sir.

Joe Patti 03:35

So as we have said on the show, I think several times, public Wi-Fi, you can't trust it. And Adam, tell us why. The first of the many reasons you can't trust public Wi-Fi.

Adam Roth 03:47

Because you don't know who it is, what it's from, where it's coming from. You have no attribution to where that wireless is coming from, and it might be monitored. It might be a man-in-the-middle attack. I can go on.

Joe Patti 04:00

Okay, well, that's right. The first thing is, you don't know who it is, even though it might say, like, you know, hotel Wi-Fi. Well, that doesn't mean it's put together by the hotel. It could be anything. In fact, there are some old ones, like if you see something like public Wi-Fi, sometimes those are scams and stuff. They're just trying to get you to attach to them.

Adam Roth 04:18

So I'm not an iPhone user, right? But I know that iPhones and other Macs specifically will connect to a certain Wi-Fi and some people what they do is they put a stronger signal on, they make their or they get some kind of access point or maybe a pineapple website. Yeah, pineapple, right?

Joe Patti 04:38

Yeah, pineapple. I'm sorry? That's, that's, that's something that will, what do you call it? It's like a rogue access point. Yeah, yeah. You get people to connect to that instead of the real thing.

Adam Roth 04:47

So you put it in your backpack, you put it, you put a very popular SSID, which is the name of a Wi-Fi. The name that comes up. Yeah. And people connect to that. And then you connect to something else. So they really get an internet access, but they get an internet access through your pineapple. And now you're a man in the middle getting everybody's information.

Joe Patti 05:07

That's right, and it's about intercepting traffic. They can intercept your traffic. That's what it boils down to. But, Adam, our viewers and listeners might say, but I get the little lock on the browser or whatever. It says the site is secure. Isn't that okay? But not really, right?

Adam Roth 05:28

Tell us why. Well, I mean, if it's a man-in-the-middle attack, you can get a certificate that's issued that is correct from the from the proxy, which is where you're connecting to, which is the man in the middle, and then they're accepting the certificate on your behalf. So it might not necessarily be, you know, your bank, it might be the proxy that is the correct certificate.

Joe Patti 05:52

Okay, let's take it down a level and explain what a man in the middle attack is generally and how it plays in the game.

Adam Roth 06:01

Well, I can give you a very simple analogy.

Joe Patti 06:03

Yes, very, very simple.

Adam Roth 06:04

Remember, a man in the middle attack is: you have three people and you want to say something to, so you have A, B, and C, and you're A, and you turn around and you want to talk to C, but as you're talking to C, you're really talking to B, and B's talking to C, and they don't even know B's there. They're listening to you, and they're relaying your information. Hey, it's a nice day. B gets it. Hey, it's a nice day. C says, oh, it is, and then B says, I got it, it is, and sends it back to A.

Joe Patti 06:36

That's right. So you are talking to your bank or wherever you think you're talking to. And in fact, you're talking to them encrypted. But in the middle, because you're on this malicious Wi-Fi, not the official one. There's someone listening. And what Adam was explaining about the certificates are there are ways and attacks that are not tremendously difficult, believe it or not, where someone can even put themselves in the middle and they basically will get your traffic, decrypt it, read it, and then encrypt it again and send it off to your bank to the other side. So both of you think you're talking to each other. But you're not. And that's not good. So I always say, if you're in a public place, using public Wi-Fi, whatever it is, if you must use it, it's OK for certain things. I mean, if you're Googling something stupid, or if you're doing random stuff, checking the weather, whatever. But if you're going to be accessing something with an account, and especially if you're going to be going to your bank or doing anything financial, you need to take some measures, which would include what?

Adam Roth 07:51

Um, for Wi-Fi? Um, I would, I would, not everybody has a disposable income, but I would recommend if you can to do at least two things. One, this is not part of the disposable income, having a VPN and two, whenever possible, have the control of what you're using, um, as far as communicating to the internet. And that would be, using maybe a cellular chip built into your laptop or some kind of way of plugging in a USB to cell communicator so you know which service you're using. But even that doesn't necessarily protect you either. It's only you're taking steps to mitigate your attacks or being compromised. But let's say you do use a VPN.

Joe Patti 08:37

Yeah, let's start with VPN, because that's the one that a lot of people hear about. A lot of places like, you know, they advertise pretty heavily in, you know, YouTube and other places. So what are these VPNs all about? Let's get into that.

Adam Roth 08:49

So what a VPN is, for those who don't know, is you're creating basically a tunnel. And let's talk about what a tunnel is, right? If you're looking at a tunnel, you can't see, if you're talking about a literal tunnel, like you're standing on the side of a road, you can't see in the tunnel, but you can see what's going in. And then you can see what's going out. But whatever's happening in between, that is encrypted. No one can see into it. So if you're using a VPN tunnel for your computer, all that traffic is sent from the source, which is your laptop, to the destination, which is the site you're going to. Everybody else can't peek in who's in between those two locations. And it works, obviously, bi-directionally. The data coming back, you can't see either.

Joe Patti 09:34

Well, it's a little more complicated than that because with the tunnel, what happens is it's, we call it the tunnel. And basically you can think of the tunnel as like Adam was saying, your traffic in there is protected. There it's trusted. So if when you send to put your stuff in the VPN, you're going to go through the VPN tunnel. And then when you get to the end of it, you know, with high assurance, not perfectly, but you know that it got there reliably. And then they give you a safe path out to wherever you're going. And it actually looks, wherever you're going, it looks like you're coming from that point. It's called the VPN termination point. So that's it. And, you know, the big benefit of that is that now, even if you're on that that rogue public Wi-Fi that's unsafe, that typically they can't break into with the same attacks that they're using to break into regular websites and regular mobile applications and things like that. So you've protected yourself against that. So that's the idea, right?

Adam Roth 10:37

Yes, absolutely. The only caveat to that, and you can correct me if I'm wrong, is even though your traffic for the most part is safe, your laptop is still sitting on a public Wi-Fi where people can try to probe your physical device, which is what you have to be careful about as well.

Joe Patti 10:53

Right, well, that's right. You're still, as we say, on an untrusted network. And you need to realize that you are. So you're still on an untrusted network. Someone can still be attacking you on there. And that's kind of true when you're on public Wi-Fi, whether it's someone hacking it or not. But the VPN only protects your traffic going out. Now, the other thing to remember is that your traffic, when you're using the VPN, is not encrypted the whole way. The VPN will take you to a, what it calls a safe place where your traffic exits, and then it goes out to wherever you're going. And then from there, it's, it's basically like regular internet traffic. Although if you're talking to your bank or you're talking to a website that's encrypted with SSL or TLS, we now call it, it's still encrypted and you know, you don't have a man in the middle attack there. So you protected yourself very well.

Adam Roth 11:50

And I would add, I see more and more people carrying travel routers now, and travel routers are like these USB powered routers that protect your laptop physically from when you connect because now you're creating this barrier between you and the carrier, whether it's Wi-Fi or whatever it is, and you're protecting your ports. So you're only using utilizing the necessary ports or like HTTPS, which is what you're surfing the Internet with, which protects your device as well. So people go to hotels now and they carry these Wi-Fi routers and they connect to Wi-Fi, but they also use it for other things when they're traveling, like maybe hooking up their switch, their game system or other things that they couldn't normally do in a hotel because they don't have a physical connection to stuff.

Joe Patti 12:42

Yeah. Well, that's crazy now that, um, you know, people used to be, you know, you'd have the, you're still doing, you have like the wifi access point in your house. That's your router that sends you onto the internet to use everything. Now, people like you say, you're traveling with little handheld game consoles and phones and their laptop that usually can't talk. So you may have a bunch of things you're using that you want to have a little router for like you have at home and it can give you some protection. Like it, you'll have a firewall and some filtering and stuff, depending on what you get.

Adam Roth 13:11

I remember 20 years ago, God, I'm old. When people did carry like literally real routers and they would plug it in in hotels overseas and put it in when they wanted to use voice, they would plug in their phones and turn around and be able to make phone calls from their hotel because it was so expensive to use phone service. But it looks like, you know, like everything else, like fashion, you kind of come full circle around back to these routers, but now they're more compact and more portable. Battery-powered, USB-powered, you can do whatever you want with them.

Joe Patti 13:44

Yeah, well, that's it. Like in the old days, you know, guys like Adam and I have been at security and IT for a long time. When you went on a consulting engagement or you went on a trip or something, and you're with some people like, oh, we need to work together, we need to do some stuff. There came a point where someone would basically like in their backpack be traveling around with a little network that they'd set up. And then the little network got, you know, got Wi-Fi and then it got like internet access, you know, on the cellular stuff. And now, you know, as a consumer, you can buy one of those that's much smaller and easier right there and walk around with a little network in your pocket that'll connect you to the internet.

Adam Roth 14:20

And if you are traveling and you're using Wi-Fi or other devices in order to connect and you have to power them, we would be amiss if we didn't mention that you should be using a USB condom. What's a USB condom, Joe?

Joe Patti 14:36

Well, we like to say USB condom because that usually helps the hits on Google, but no. What it is is, and we've talked about this before on the show, where a lot of places now, they don't have regular plugs for power. They will have the traditional EC, whatever. But they'll also have basically a USB port that you plug USB things into. And so you can use that for power. So instead of having to use the USB cable that plugs into your phone or that has it in, then you have the little block or whatever it is, the little adapter, and you plug that into the wall, you just take the end of the USB cable, plug it in. Now, the thing is, it, and this is a little tricky, because with a phone, with a lot of things you're using, that gives you power, but it's also actually a data cable. If you're still syncing, like, you know, your phone the old-fashioned way with a cable, it carries data, it does that. And so it's, and you can get network connections out of it. And it's possible to hack that to get into your phone. And there was a thing, it's at least a year or two old now, where this big scare came out that said, oh, in the airports, they're malicious now. People are breaking into it. Don't use it. That was kind of debunked, that it wasn't really happening. But it is very possible. And I think it's eventually going to happen. So save yourself now. Use the USB condom if you must. It's a little plug that just goes on the end. And then you plug that into the wall, and then you're done.

Adam Roth 16:10

Actually, this is a good time to plug future episodes. We have some toys that we're eventually going to demonstrate, and I need to script it with Joe for the audience, where it's an OTP cable. And what that basically means is if I plug my phone into this cable, which looks like a regular standard power data cable that Joe just mentioned, it will steal your data. So we're going to do a little bit of a demo of that in a future episode.

Joe Patti 16:40

I have one that actually does it?

Adam Roth 16:41

Yeah, yeah, I do.

Joe Patti 16:42

You do? Oh, so it is. Oh, but that's the cable. That's not in the wall.

Adam Roth 16:46

But it's almost the same, right? If I put a female USB or USB-C in there, you would never know that it was in there.

Joe Patti 16:53

Okay, but then we should tell everyone, you know, the stuff where you're plugging your cable into the wall, potentially dangerous, may not be many known cases of it now, but using your cable. We also want to say, use your cable. If someone says, hey, my cable, or you want to borrow something, could be one of those. And there is a lot of power stations.

Adam Roth 17:14

You can go to a power station. I've seen them in conferences where not only do they provide a place for you to plug in, but they have a like an octopus of cables, and you plug it in to power your phone, so it's already connected.

Joe Patti 17:29

That's right. It's like, so Adam, that cable, it's called an OMG cable?

Adam Roth 17:34

OMG cable, yes. Is it?

Joe Patti 17:35

That's right? Okay. All right, everyone. Watch out for OMG cables. And the good ones are built so you really can't tell them apart from a real one. Is that right? Yes.

Adam Roth 17:45

And the OMG cable, when it does reach out, you can remotely manage it from a network. So once it does connect and it reaches out, it gets an IP address. It has a network chip in there and allows you to remotely manage it.

Joe Patti 18:02

Okay. Use your own cables. Now you'll, well, it'll make you feel a little better paying Apple for a $20 cable. It costs them 50 cents to make maybe. I don't know. Okay. Now the other thing that you alluded to briefly was don't use wifi at all and use a cellular connection. So what's that option?

Adam Roth 18:22

Again, you know, you're still on a public network when you're using a cellular connection, but you know what connection it is. You know that it's built in. So a lot of laptops have the capability, not all laptops, but they have the capability of not only having Bluetooth and Wi-Fi, but they have the ability to switch to cellular as well.

Joe Patti 18:43

Right. And they basically have the same chip that a cell phone has built into the laptop, right?

Adam Roth 18:48

Yes, absolutely. And you can even text with that with certain carriers too. It's funny, right? Yeah. Um, and it's actually good if your phone dies, you need to text somebody, Oh, I'm on the road. My phone died. I'll be there in 10 minutes. But, um, at least with that, you know, who the carrier is. It might not always be feasible if you're traveling overseas, but I know what a lot of people do is they get the same service that they have in their phone with the, with the carrier. And this way, they can get a bundle and when they're traveling overseas, they pay one price for their data for that month. So it saves money, but it's safe. Safer. Well, safer. Safer. Let's, let's set it correctly.

Joe Patti 19:30

The cellular network in terms of security. It's Wild West. Well, it's generally safer. You generally know the carrier you're talking to. It's not so easy to hack into and the hackers and the bad guys can't get into it. However, governments can get into it very easily, which we probably all know whether they're doing it right from the, right from the network itself, from inside there, you know, the really hard coordination state ones. A lot of countries do have surveillance built in. Or there's the thing, Adam, what do they call it, the Stingray, that the cops use to intercept cellular connections and stuff?

Adam Roth 20:09

The Stingray, for lack of a better term, is a suitcase-based, and you can make it yourself also, I mean, a little cheaper there, right? It's a suitcase-based cellular tower built into into a little box and then that information is gathered and then it's sent out through maybe another cell chip or some, however they do it. I'm not an expert on that, but typically at conferences, especially targeted conferences, they have stingrays. And I know there's heat maps that show you where the normal, the normal towers would be. And then during the conference, they see extra towers that show up. It's not literally a hundred foot tower. It's like a suitcase.

Joe Patti 20:53

Yeah, but it's short range, but it's in a confined space or in an area. We'll cover it.

Adam Roth 20:57

So that you'll connect to that instead of it. A lot of people do that on purpose in buildings, especially banks and financial institutions, because they want to be able to monitor the data. So people don't do trades outside of normal methods. So if you're working for a bank and they have sometimes something called leaky coax and that's a wire that goes around the perimeter of the building and different floors and they'll grab your data, your cellular data, and then go through its own proxy and carrier. But I mean, everything that we're talking about has legal uses also as well. So, you know, just normal things that happen.

Joe Patti 21:37

Well, you know, it's one of those things, not to be too cynical, but very often they say, when the government does it, it's legal. And, you know, we're not going to get into the philosophy and ethics of that. But regardless, you should be aware that, you know, if you're using a VPN, you're using some of these other things, or you say, I'm going to use the cellular network, it doesn't always protect you from your own government. It doesn't protect you from very sophisticated nation-state attackers, and you should also realize there's been some things in the news lately where those methods that the government are using for surveillance, or the data that they're collecting, sometimes they lose it, and the bad guys do get it. And that's a whole other discussion about how these things should be done, but you know, be aware, as Adam said, you can remediate, you can give yourself more protection.

Adam Roth 22:33

Yeah, the rule of thumb is everything has the ability to be compromised. There's a hundred percent capability of compromising anything. Just because you're using safe internet doesn't mean, and when I say safe internet, that's like, it's like a, like, was it an oxymoron? I mean, it's not, there's no such thing as that.

Joe Patti 22:53

That's true. It's not safe.

Adam Roth 22:54

But let's just say that you think you have an expectation that from, you're using VPN and you're using cellular and you're monitoring your endpoints and your endpoints and you have a built-in firewall and then you're getting the logs for your endpoint to see whether or not somebody's infiltrating it. And you're, I mean, you're doing everything humanly possible. At the end of the day, you can still be compromised. And people don't always try to get the data in the middle. Sometimes people will compromise the endpoints. The endpoints is usually the easiest part to compromise, either the source or the destination of what you're looking to get the data for. So again, if you're using a laptop, if you're using a cell phone, you have to have an expectation that somebody can get into your devices and get the data from there. So when you're traveling, just because you were saying, oh, I'm safe, I'm using a hard wire, I should be okay. You might not be okay, just be careful.

Joe Patti 23:51

Right, and I think we'll kind of end on some realistic notes that I think are important. Realistically, for your general use, if you want to be able to use the internet when you're traveling, if you're using a VPN with a reputable provider, a good one, then you're probably OK. In fact, then you're OK for what you're going to be doing, you know, for your day-to-day stuff, banking, getting into your social media, reading your email, a reputable VPN will protect you from that stuff and you don't have to worry very much. One thing I would worry about though, that I'll point out, do not forget, Adam mentioned endpoint protection. This endpoint, your hosts, your devices, all that stuff, blah, blah, blah. That means don't lose your laptop. Don't let someone just come by and steal the thing and grab it or take your iPad or something, or you leave your phone on the table. We say it over and over again, but sometimes that is the easiest way for someone to steal your data and get in, as they just physically steal your stuff. So be careful when you're in public with that kind of stuff.

Adam Roth 24:56

There are plenty of people who have bare bone metal laptops that have no OSs on them, and they boot into a USB OS, and then that USB OS is disposable also. So they take their laptop out, they put the USB in, they boot to it, they do their data, they do whatever they gotta do. They might, and then that USB might be completely hard-coded that you literally can't write, but it takes everything into memory, and there's all its data, and then it's clean at the end of the day, so if you lose a laptop, but I guess that's what people would say are more James Bond-ish.

Joe Patti 25:27

You know, it's, it's not, that's not James Bond-ish, but it is special cases. I mean, a lot of corporations will use that if they have very sensitive data or if they're doing business in a country that's a bit dodgy, hostile, worried about and hostile being taken. An individual traveling to a routine place, you probably don't have to worry about it. What, when, when people, you know, the truth is when people are going to steal your laptop, usually, usually they're not interested in the data and they want the equipment to resell. However, even if you say, oh, my data is protected on there. Yeah, but you still lost the thousand dollar laptop. That's no fun.

Adam Roth 26:04

I can tell you two or three cases, one related to somebody in my distant family and one related to a place that we both worked at where somebody walked into a country off the airplane and they said, "Just open your phone for us or a laptop." And they said, I'm not doing it. And they're like, okay, you're going to jail. This is not the United States. We can do whatever we want here.

Joe Patti 26:32

So- You may hear that in the United States too. Yeah.

Adam Roth 26:38

Well, I mean- It's not unheard of. I mean, them asking and you doing it is two different things. But in other countries, you have no expectation that you can defend yourself. They'll just throw you in jail until you do it. So it's happened where people have done that. And if they want your data, they're going to physically say, give me your data. So sometimes it's best not to have the data on the laptop and travel with the bare amount of information that you need.

Joe Patti 27:09

Right. Well, if you are doing something like that, if you are traveling with data, that is very sensitive.

Adam Roth 27:15

Intellectual property.

Joe Patti 27:16

Yeah, you're likely doing it for business and hopefully your business's security people have put in the measures to protect you and trained you on how to use it and what to do. However, if you're doing it on your own, be aware it's not easy and you're going up against some very tough adversaries. And there's a big difference between protecting against hackers and protecting against government agents, especially when they're physically right next to you. So be aware and know if you're going to a place where you're worried about that or where you should be worried about it, take some precautions. That's a little bit beyond what we're going to talk about here.

Adam Roth 27:58

So I guess on a happy note.

Joe Patti 28:01

Yes, let's end on a happy note.

Adam Roth 28:02

Sure. Like and subscribe. Please leave us feedback. We do have merchandise. We even have patches now that you can put on your backpack. So please reach out. Please leave us comments. What else, Joe?

Joe Patti 28:22

No, that's it. Please do all that. And, you know, leaving comments. This show was actually kind of inspired by a comment that we got. We wanted to go into it a little more. So send us more. If you got a topic, let us know. We're happy to do it for you.

Adam Roth 28:36

Thank you all. And have a great rest of your day. Hey, thank you.

Joe Patti 28:40

See you, Adam.