Traveling Computer Security

Posted by JD 12/22/2016 at 17:02

7 things all travelers with smartphones and computers should do to be secure while traveling.

The List

  1. Stay patched. If your OS isn’t being patched, complain to the vendor IN WRITING and get a newer device that does get patched. Also, complain to your govt representatives. Any OS provided to the general public needs 5 yrs of support.
  2. When online with any network away from home or work, use a paid VPN. Period. This applies especially in airports, hotels, libraries, cafes, restaurants where you don’t know the networking. If you are technology savvy, run your own VPN, just don’t use PPTP. Stay with IPSec or L2TP or OpenVPN. The same applies to commercial VPN providers, which seem to default to the highly-cracked PPTP.
  3. Encrypt all portable devices. Laptops, smartphones, netbooks. WHEN these devices are stolen or lost, you’ll thank me. Use whole-drive-encryption with a 2FA device to prevent trivial unlocking.
  4. Back up everything you consider important. That should be everything, but some people might be willing to just back up data and settings. Backups should be encrypted with a non-trivial password too.
  5. Use long, random, passwords. Nothing is more important than length (20+ characters) and being random. Never use dates, words, l33t-sp34k. Password managers make this easy.
  6. Never reuse passwords. Use a password manager to ensure all online accounts are using different, long, random, passwords. If you never have to type the password, why not use 50+, random, characters? If you are typing more than 3 passwords, then you are doing it wrong.
  7. Have different email addresses for home, financial (banks/broker), and business uses. That is at least 3. Having a separate one for social networks would be smart too. Being able to read/send email with an account means all passwords can be reset. Never forget that most email is like a postcard, not like a letter. Anyone between the sender and receiver gets to read all the content like a postcard. Free webmail providers do this as a business model. Gmail, Yahoo Mail, Hotmail are all examples.
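
Items 5 and 6 can be checked mechanically. The Python below is an added example, not code from the original post: it audits a list of (account, password) pairs against those rules (20+ characters, no dates, no words even in l33t-speak, no reuse) and generates 50-character random replacements. The account names, passwords and the tiny wordlist are constructed for illustration.

```python
import re
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 20  # the post's floor for any password
# Constructed sample wordlist; a real check would load a full dictionary.
WORDS = {"password", "summer", "travel", "dragon", "welcome", "letmein"}
# Undo common l33t substitutions before searching for words.
LEET = str.maketrans("0134579@$!", "oieastgasi")
# Years 19xx/20xx and d/m/y style dates.
DATE = re.compile(r"(19|20)\d\d|\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}")
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def audit(entries):
    """Map account -> list of rule violations; clean accounts are omitted."""
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for account, pw in entries:
        if len(pw) < MIN_LENGTH:
            findings[account].append("short")
        if DATE.search(pw):
            findings[account].append("date")
        if any(w in pw.lower().translate(LEET) for w in WORDS):
            findings[account].append("word")
        by_password[pw].append(account)
    for accounts in by_password.values():
        if len(accounts) > 1:  # same secret guards more than one account
            for account in accounts:
                findings[account].append("reused")
    return dict(findings)


def generate(length=50):
    """Draw from the OS CSPRNG; redraw in the rare case a rule is tripped."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit([("new", pw)]):
            return pw


# Constructed entries standing in for a password-manager export.
SAMPLE = [
    ("bank", "Summer2016!"),
    ("email", "tr4v3l-l0v3r-4-ever-and-ever"),
    ("forum", "kV9#tq2LmZ8wR!xC4pHs7YbN"),
    ("shop", "kV9#tq2LmZ8wR!xC4pHs7YbN"),
    ("broker", generate()),
]

if __name__ == "__main__":
    for account, problems in audit(SAMPLE).items():
        print(f"{account}: {', '.join(problems)}")
```

The report names accounts and rules only, never the passwords themselves. Note that the 28-character "email" entry still fails: length does not help when the content is a l33t-spelled word.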

Advanced Stuff

  • Use two-factor authentication, but not SMS/phone as the 2nd factor. SMS is spoof-able. Use either U2F or a Yubikey + PIN. Sadly, cloud providers who support U2F seem to require a phone be connected to the account to use U2F devices. That sorta defeats the purpose, IMHO.
  • A Chromebook is probably the most secure OS available today. It is possible to run ChromeOS without using anything from Google, BTW. There is a fork.
  • Replace the smartphone OS with an aftermarket OS that is maintained and patched for older devices not being supported by the vendor anymore. I’m looking at all the Samsung, Nexus devices specifically, which lose support 2-3 yrs after purchase.
  • Watch out for cheap smart-phones. Many (most?) of these have pre-installed spyware capturing location, userids, contacts, passwords, web-browsing, etc.
  • Run internet connected programs inside a sandbox or VM. firejail is handy for this, but there are other methods. Also, beware that firejail may not do what you think it does, so read the manpage carefully to know what access it blocked and what access may not be blocked by default.
  • For this crowd specifically, take steps to combat the “evil maid attack” against your encrypted devices. Basically, only boot off a device you keep on your person 100% of the time, not 99.99999%.
  • Always have a 2nd OS on netbooks/laptops to boot and show airport security people. It should only have enough OS to get online and use a web browser. Something like TinyCore would be sufficient. 1G storage needed at most, but 200MB would be enough. Would be best to make this the default during travel.

Summary

Did I mention staying patched, using long, random, passwords, and having versioned backups? Those 3 things are the most important of all of them.


  1. ryan.d.bertrand@gmail.com 01/02/2017 at 23:50

    JD,

    I have upgraded my WAN connection and am now using an AT&T edge router and fiber optic cable. The router I am using is:
    Manufacturer: Pace Plc
    Model: 5268AC

    I want to know if I can use “OpenVPN” software to create a VPN tunnel through my router on a non-standard SSH port?

    Ryan

  2. JD 01/03/2017 at 12:31

    You can.
    OpenVPN isn’t the same as ssh. You can use either to make a secure tunnel. ssh is 10x easier than openvpn.

    AT&T probably isn’t an upgrade, BTW.

  3. JW4.6 01/05/2017 at 17:01

    SSH is so much nicer than OpenVPN, imo, though I still have a lot to learn about keyless ssh best practices, and—my newest discovery—sshuttle.

  4. DC 01/05/2017 at 21:49

    Hey JD,

    Long-time listener, first-time caller. Really appreciate all your thorough and coherent articles over the years. Finding your site was one of the best things to come from reading lifehacker…

    Two questions with relation to ChromeOS:

    • I’m a ThinkPad keyboard/trackpoint kind of guy which has made me steer clear of actual chromebooks. Is ChromiumOS a viable alternative from this article’s perspective, or does a majority of the benefit come from the verified boot and auto-update type functionality that Google adds to ChromeOS?
    • Any suggestions for password management? I am invested in the KeePass ecosystem but I haven’t found much useful information about any of the Chrome App clients.

    Thanks very much,
    -Dustin

  5. JD 01/06/2017 at 14:07

    ssh has a different purpose than openvpn. There is some overlap, but not much. ssh doesn’t tunnel UDP traffic, which is a liability.
    In short, openvpn is best for end-users. ssh is good for experts who understand the limitations AND capabilities.

    I use keepassx v1. Don’t like DotNET or Mono. I’ve written about it here a few times. 1 system-of-record which gets all the modifications. rsync pushes the DB out to all devices, automatically, daily.

    ChromiumOS isn’t as secure on any platform as ChromeOS is on a Chromebook, with a TPM chip, with secureboot, not in developer mode. Still, that doesn’t mean it isn’t useful or even preferable to many people who don’t think google is our friend.

    I don’t use chrome-browser. Don’t see why I’d want to give free access to almost everything I do online to that company, the largest data suck in the world.