During the past few months, I’ve reverted to being a “road
warrior” of sorts. Apart from spending far too much time with my 1K
buddies over at United, all the travel has made me think about the
security of the data on my laptop, PDA, and (Linux-based) phone.
Think about it a bit… How do you protect your data on your traveling
laptop? Chances are that your company supplied you with a laptop along
with the usual suspects of security software: anti-virus, personal
firewall, and maybe even some anti-spyware software. If you’re really
lucky, you also got some encryption software and such with that laptop —
even if you had to buy it and install it yourself.
But what about your data? Allow me to explain.
While traveling, I’ve been watching what other travelers do, in addition
to being perhaps a bit overly paranoid about my own data. Here are a few
things I’ve noticed:
electronic gizmos, and such. It probably covers a spectrum from ‘so what
if I lose it’ (e.g., copies of our favorite music files) to ‘I don’t want
anyone else to get this’ (e.g., local copies of personal finance
management software). You’ve probably got some personal email, as well.
connect to. Ever use that public access ‘business PC’ at the hotel to
print out your boarding pass for tomorrow’s flight home? How did you log
into the airline’s Website? Do you use that username/password anywhere
else? Not a problem, you say, since the Website is SSL encrypted? Don’t
take that confidence to the bank!
our data. When you put your laptop through the airport security
magnetometer (sometimes erroneously called a metal detector), do you make
sure your laptop went in before you walk through yourself? When you’re at
a business meeting, do you leave your laptop in the meeting room while
you and your buddies go out to lunch? When you leave your hotel room at
night, do you leave your laptop in the room?
Are you thinking I’m being too paranoid? I’ve heard that many times.
However, consider this: I’ve had two laptops stolen out of the trunk of
my car in broad daylight while attending a conference, and I’ve had my
hotel room broken into and personal items stolen twice while on vacation
with my wife (in the paradise of Hawaii, no less!).
I’m not making up bad things that might happen. I’m responding to bad
things that have happened to me. If that doesn’t make a (security) guy
paranoid, I don’t know what will.
So, here are a few suggestions on how you might want to protect your
data. Well, you also can protect your company’s data this way, but let’s
not kid ourselves as to why we really want to protect what’s on our
laptops.
Sure, it’s a pain to carry that bulky laptop bag to lunch, but it’s worth
it.
a public access computer. The chances of that computer not being a
veritable digital petri dish of malware are very low. The chances of
someone else snarfing your username/password or other sensitive data —
you didn’t use a credit card there, did you? — are significant.
When I use a hotel’s printer, I put the file I want to print onto a USB
stick and take the USB stick to the public access PC to print the file.
If I’m feeling really dirty after that, I re-format the USB stick on my
Linux machine at home. (Even printing directly from a Web application,
such as an airline boarding pass, is easy this way if you use a virtual
printer like eFax (www.efax.com) to capture the printer output and save
it into a .TIF file.)
devices, make use of all of the security features that they have to
offer. For example, my phone is GSM-based, and I use the PIN lock feature
to lock the small SIM smartcard inside the phone. That way, if someone
gets my phone, they’ll have to enter the PIN to use it, and after three
failed entries, the SIM locks itself and all the data on it. That won’t
stop everyone, but it’ll sure slow down a lot of people.
days), be certain to use good personal firewall software on your PC, as
well as an IPSec-based VPN to connect to your office network, if at all
possible. That’ll keep the miscreants at public hotspots at bay. At
least, they’ll be more likely to go after someone else…
that stuff on small, removable media that you keep with you at all times.
I grabbed a 1 gigabyte USB2 stick about a year ago from one of the
megastores when it went on sale for about $40. In fact, I keep a few USB
sticks with me. They’re perfect for protecting my most important stuff
(like draft copies of these columns, of course).
stays with you at all times should not be traveling. I have a couple of
PGP secret keys that don’t leave home, for example. I also don’t travel
with the RSA one-time password that I use to access my investment funds.
That stuff can wait until I’m home. The ox is slow, but the earth is
patient.
If you’re thinking all of this advice is fine and well, but it would take
far too much time to actually implement, consider the amount of time and
effort it’ll take you when someone steals your identity and riddles your
personal credit history with all sorts of nasties that you could have
prevented.