In an NBC News report last week, Chief Foreign Correspondent Richard Engel sought to demonstrate just how quickly tourists' PCs and mobile devices could be hacked in Russia, the host country of the 2014 Winter Olympics and a nation deeply associated with cyberespionage and nation-state hacking.
While the TV segment left security experts questioning its legitimacy, it serves as a reminder that travelers must adhere to business data security basics or else their organizations' sensitive data will be at risk.
In the report, Engel said his computing equipment was hacked "almost immediately" when he arrived in Moscow. Equipped with an Apple MacBook Air, a Lenovo ThinkPad running Windows 7, and an Android-based smartphone, Engel is shown navigating to Olympics-themed websites and being targeted by malware seemingly instantaneously, without any interaction with the device.
In response, Errata Security founder Robert Graham, a well-known security researcher, penned a blog post claiming Engel essentially hacked himself by knowingly visiting sites hosting malware. An NBC spokesperson has since responded to some of Graham's criticisms, noting that the story was "designed to show how less-technically savvy people can fall victim to such a cyberattack."
In a white paper detailing his role as a technical advisor behind Engel's story, Kyle Wilhoit, a threat researcher with Japan-based software security vendor Trend Micro, took the final, edited version of the resulting news segment to task, mainly because it appeared to show Engel being compromised without any user interaction. The brand-new hardware used as part of the test was also never updated, according to Wilhoit, basically meaning Engel ignored all "basic security precautions" that could have prevented the exploits he demonstrated.
Ron Hale, CEO of security training and certification consortium ISACA, said Engel's segment did some good by raising awareness around some key data security issues, though perhaps in a slightly misleading way. Hale noted that all of the attack methods displayed in the segment could be accomplished anywhere in the world, not just in Russia, because Engel utilized a public Wi-Fi network.
Public Wi-Fi connections always represent a risk, according to Hale, because users are unaware of how such networks are managed, whether the network devices have been updated regularly, and whether the network has been compromised in the past.
"You never know what the configuration of a Wi-Fi network is that you might be using, whether it's in your local coffee shop or retail store or elsewhere. You just don't know," Hale said. "You have to assume you're at risk and vulnerable to your messages being intercepted or your system being compromised. We don't understand how well people manage these systems."
Ryan Lackey, CEO of San Francisco-based CryptoSeal, agreed with Hale's assessment. Lackey said travelers may encounter a greater quantity of threats abroad, but much like how most traffic accidents happen within a mile of one's home, users are more likely to be compromised by the Wi-Fi network of a local café they frequent than a connection they use in a foreign country.
To protect devices while abroad, Lackey advised travelers to take as few computing devices as possible, especially to Russia and China, and to ensure that the software running on all machines is updated to the latest version available.
For those particularly concerned about data security, Lackey said to consider backing up and then deleting all of the irrelevant data and applications for the duration of the trip, and then reinstalling everything once back home. However, he admitted most users are unlikely to take such drastic security measures.
BYOD, government monitoring bring threats abroad to corporate networks
While enterprise users would ideally be savvy about cybersecurity basics regardless of outside prompts, the bring your own device (BYOD) movement may be allowing attackers at home and in foreign countries to infiltrate enterprise networks through compromised mobile devices.
As an example, Lackey pointed to Operation Aurora, the 2009 incident in which Google's corporate systems were infiltrated by malicious actors believed to be associated with the Chinese government. At the time of the attacks, Google's Chinese operations were cordoned off from its main corporate network. To get around that configuration, the devices of Google engineers traveling in China were compromised, he said, which gave attackers a foothold when those employees returned to the search giant's corporate headquarters in Mountain View and connected to the network.
Lackey said well-funded, sophisticated cybercriminal groups are capable of utilizing similar attacks to penetrate corporate networks. Of course, the aforementioned risk posed by public Wi-Fi means a user doesn't need to travel abroad to open an enterprise up to similar attacks.
"If I were going after a target for the purpose of compromising [intellectual property], I personally wouldn't go after visitors to China," Lackey said. "I would just go put up stuff in Internet cafes in areas that have a lot of targets, like Mountain View and Palo Alto," the home region of many technology companies.
Hale said increased government monitoring may also pose problems for organizations with employees traveling abroad. In fact, US-CERT issued a warning for travelers heading to Sochi that the Russian FSB -- the country's domestic equivalent of the FBI -- is legally allowed to "monitor, intercept and block any communication sent electronically."
"While the focus might be on terrorist activities, some countries might not be averse to picking up some other information at the same time," Hale said. "You have to assume that there's going to be a great deal more monitoring going on [at the Sochi Olympics]."
Lackey agreed that encounters with foreign intelligence services can be problematic for travelers and potentially their employers back home. For example, Lackey said anyone entering China who may have access to intellectual property, ranging from high-ranking enterprise executives to grad students at prestigious universities, will be subject to increased security searches. Often travelers will be forced to unlock laptops and other devices to be scanned, and if they are unwilling to comply, government agents will threaten to take away their passports.
Even assuming travelers can make it through such security checks without hassle, they may also be subject to what are known as "evil maid" attacks, in which travelers' hotels allow government officials to search their guests' rooms without their knowledge. The officials will often copy the hard drives in any devices discovered.
Lackey warned that certain international travelers have also had electronic equipment modified at the hardware level, meaning scans from security software would not spot anything malicious.
"I would never take an unmanaged device with corporate access to a foreign country for fear of the data being compromised or someone gaining access to it another way and using it to connect to the network," Lackey said. "It's a hard problem. People are not willing to treat $500 devices as disposable and never use them again.
"The more you can wipe the machine, the better," Lackey added. "And just hope that you're not too much of a target."