0
Video: World Cup fans beware: Russia travel comes with cyber risk
Look, I grew up in New Jersey and lived in Florida, so I’m pretty comfortable with the idea of scary places. But the kind of scary I’m talking about here is foreign governments that might be after your digital soul.
No Facebook. No Twitter.
No matter how much you might want to check your Facebook or share your travel joys, don’t. No excuses. As soon as you use your own password (even with multi-factor auth) to access your own account, you open the door to the bad guys not only having access to your accounts, but being able to build a map of your relationships.
Just don’t do it. No arguments. Don’t.
Create temporary email accounts
Do not use your own email account. Instead, create a temporary email account, preferably on a service you don’t normally use. If you’re a Gmail user, create an Outlook.com account, and vice versa.
Understand this: You won’t actually be emailing to your friends and associates. You will be emailing to an intermediary, who will then email your friends and associates. You’ll use this account to email that intermediary. More on that in a minute.
Hire a virtual personal assistance service
Virtual personal assistants were all the rage about four years ago, but have since declined in excitement and press attention. What they do (and most are outside the US) is provide online services and phone-based services for a fee. For example, you could ask your personal assistant service to find you a lawn care service and make an appointment. Or you could ask your virtual personal assistant to send an email for you.
Read also: We found 24 cloud services your business definitely needs to try
Let me be clear. Never, ever give access to any of your accounts to this service. Create accounts that are temporary and wholly new. Treat this service as an answering service, not as a virtual assistant. Your email on your main email accounts will go completely unread and untouched by anyone while you’re away.
This is an intermediary letter drop for those you specifically tell to email to this address and service.
In this case, I’m going to reluctantly recommend you set up a temporary relationship with one of the more well-known services. Certain services like GetFriday or AskSunday allow you to set up some initial parameters that they remember between tasks. For example, you could train them that “email my wife” means sending a message to a specific email address that they keep track of.
Other personal services (like FancyHands) do not remember details between assignments. This won’t work for our application.
The purpose of the virtual assistant service is to act as a temporary intermediary for sending and receiving communications. Do not give them access to your main email account. Ever!
Instead, let the four or five people you need to communicate with regularly know that you’ll be receiving email via the personal assistant service. Let’s say you need to communicate with two clients. Give those two clients the email address of your virtual personal assistant. If they want to reach you while you’re away, that’s how to do it.
Next, train your virtual personal assistant to transcode messages. In other words, if your two clients are bob@wackywidgets.com and carol@widgetsareus.com, you’ll want to give each a code name. So Bob becomes Ted and Carol becomes Alice.
Here’s how you train your assistant: When he or she gets an email from Bob, copy the text from the message and send yourself an email on your temporary email account. Indicate that the message is from Ted. It will be up to you to keep track of who’s who in your mind (don’t write this stuff down).
Read also: Personal virtual assistants will become part of the enterprise IT
If you need to send a message to Bob, send an email to your personal assistant and indicate that the following text is to be sent to Ted. Likewise, with sending or getting mail from Carol, you and the assistant will use the codename Alice.
The idea here is that no one in the country you’re visiting will be able to relate you to your specific clients or friends. Yes, there is a risk is using an outside company to do this letter drop service, but what you’re doing is reducing your footprint in the country you’re visiting.
Get yourself a prepaid credit card at the local Walgreens (or whatever) and pay for this service with that prepaid card. While we’re on the topic of credit cards, it’d be best if you can be issued a temporary card just for travel. It’s risky taking a prepaid card, because if you lose it, you’re screwed. Some banks will issue temporary travel cards, and that’s probably best.
Once you return home, cancel this service. Go back to your regular email practice.
What about encrypted communication apps like Signal and WhatsApp?
I don’t trust them. WhatsApp is owned by Facebook and while encrypted, could well be subject to hidden agreements with host countries. Almost all of the major vendors in the US state openly that they abide by the laws of the countries within which they operate. So, if the Russian government wants to see what’s inside WhatApp and requires some level of backdoor access, it will be extremely difficult for you to know and be sure that’s not happening.
Read also: Russia moves to block Telegram after encryption key denial
Signalis a slightly different beast in that it’s an open-source encryption and communication tool, so, presumably, that source has been vetted by many concerned eyes. I still don’t trust it, not unless I downloaded the source, went through it line-by-line, compiled it myself, and then ran it on my phone. Even then, you’re running into issues of developer certificates that can be linked back you to and your accounts on iOS, or side-loaded apps, which means you’ve already rooted your Android to load a secure app.
And, of course, if you don’t compile it yourself, you lose all the open-source security benefits, because you have no idea what whoever posted the app put inside it before compiling.
I wouldn’t use these. Instead, I’d be very careful about what I say back to anyone at home. In fact, I’d probably limit myself to an “I arrived safely” call on the hotel’s phone and “I’m leaving now” and that’s it. Since the hotel and the host government already know your home address, that’s not too much to share. And two very short calls on pre-existing circuits won’t damage your digital profile anywhere else.
WWDD: What would David do?
To be honest, I wouldn’t use a virtual personal assistant when traveling. I’d use code. What I would do is set up a temporary AWS or Digital Ocean server, on a completely new account, paid with a temporary credit card.
Then, I’d write a script that parsed incoming email messages, stripped off their header information, rewrote appropriate header information, and sent the messages on to their intended destination.
Read also: AWS announces Secrets Manager, more tools for security
This is not something most people can do. I’ve written my own list servers and mail managers before, so coding mail management software is something I have years of experience with. But, for those of you who need to travel and can’t spin up your own custom servers and server code, the virtual assistant approach is moderately workable.
For that matter, I wouldn’t use a VPN service provider either. I’d spin up another server, host my own VPN software on it, and connect my Linux-based disposable machine to my disposable VPN server in the cloud, and then never go to a site that can be traced back to me. No Amazon. No Facebook. No Twitter. Nothing.
But that’s me. You need to decide what you’re willing to put up with and how much effort you’re willing to take.
No passwords or password management programs
Do not bring along your password management program. Instead, create just a few passwords for your temporary email accounts. Commit them to memory.
Read also: Password managers: A cheat sheet for professionals (TechRepublic)
Once again, let me be clear: Let’s say you desperately need access to your Gmail while away… Don’t. Period. Live with being disconnected from your main accounts for a week.
What about photos?
I do not have a great answer for photos. It is possible to embed malware within simple JPGs. You can hope that your browser (or those you send pictures to) can defend against the relatively uncommon hacks in JPGs.
One recommendation would be to use another temporary server, set up an ImageMagick script to convert all the images to something like PNG, which would strip out the metadata. Unfortunately, even something like ImageMagick can’t detect steganography, so you can’t be sure that the actual image content is pure. Equally unfortunately, ImageMagick and the servers it runs on have also had a history of compromise.
Read also: What Google’s Backup and Sync app can and can’t do (CNET)
Frankly, your best bet is to upload those images to something like Google’s image cloud and hope that Google’s built in enough scanning protections to make those images safe. Just remember that if you take this approach, you’re using an account that’s new, temporary, and completely unrelated to any accounts you normally own. I wouldn’t do this, though.
Here’s my WWDD for this: If you truly want to keep your photos safe while traveling, bring a film camera. Amazon still sells film, and you can buy SLR film cameras. If I were traveling someplace digitally scary and I wanted to take pictures, that’s the approach I’d take.
The one foolproof method to stay digitally safe while traveling
All these techniques showcase how difficult it can be if you’re traveling, want to stay safe, and are smartly paranoid. That said, I left the best technique for last. Here it is.
Leave all your toys at home.
Read also: No internet: The unbearable anxiety of losing your connection
That’s it. Just travel. Take your trip. Keep a careful eye on your tickets and passport and enjoy the trip. Don’t worry about digital devices. Leave them at home.
What about you? If you travel someplace digitally scary, what would you do to stay safe? Let me know in the comments below.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.
Previous and related coverage
Follow these steps to protect yourself from cyberattacks while traveling
Kroll cybersecurity and investigations senior managing director Alan Brill explains how to protect smartphones, tablets, and other internet-connected devices from cybercriminals while traveling.
FBI to all router users: Reboot now to neuter Russia’s VPNFilter malware
The FBI is recommending that all small business and home router owners reboot devices, even if they’re not among the brands known to be affected.
US special counsel indicts 13 members of Russia’s election meddling troll farm
Special Counsel Robert Mueller’s office said Friday that a grand jury has indicted 13 Russian nationals and three Russian entities accused of election meddling.
Kaspersky Lab to shift US customer data from Russia to Switzerland
Kaspersky Lab also plans to move the tools and systems used to compile products from its source code to the country.
Telegram drags Google, Amazon cloud services into Russia privacy battle
Russia’s quest to stop encrypted messaging app Telegram also blocks thousands of Amazon, Google addresses.
US slaps new sanctions on Russia over NotPetya cyberattack, election meddling
The FBI also warned of Russian government actors targeting the energy grid and other critical infrastructure.
Beyond Kaspersky: How a digital Cold War with Russia threatens the IT industry
What would an escalation of tensions mean for the future of our relationships with Russian software companies, developers, and strategically outsourced tech talent?
Related Topics:
Security TV
Data Management
CXO
Data Centers
0