Airport insecurity - are you a high-risk traveller?

Filed Under: Data loss, Privacy, Social networks

Physical security at airports is a curious affair. Writers like Bruce Schneier have been pointing this out for years. Schneier, indeed, is said to have been the first to use the term 'security theatre' to describe the often arbitrary, frequently petty, sometimes pointless and occasionally actually counter-productive rules and regulations which various security guards at various airports in various countries trot out as if they were laws.

Sometimes, it's not theatre, but farce, which my Mac's dictionary delightfully defines as "a comic dramatic work using buffoonery, ... crude characterisation and ludicrously improbable situations".

I was recently forced to surrender of a tin of deodorant because it bore the label 100g/153ml, yet allowed to keep a second tin of exactly the same product labelled 100g.

(I won't name the brand, but to the marketing person who came up with that 'enhancement', I will say, "Well done!")

Current airport security precautions are not entirely pointless. X-raying carry-on baggage is sensible enough, and so is checking that passengers don't get on the wrong plane, if only to prevent a nasty bout of air-rage when they find out they are going to Perth instead of Cairns, which is roughly the same as going to Moscow instead of Madrid.

But I've never met anyone who thinks that aiport security precautions are effective, because it's so easy to see the gaping holes, and it's so obvious how much time is frittered away enforcing abstruse regulations which would better be spent actually looking out for genuine risks.

Of course, since we're all smart enough to realise that airport security isn't, you'd think we'd be smart enough to watch out for our own security once we're inside. Sadly, we don't - especially when it comes to computer security.

Here's a good example. The Qantas lounge in Sydney, home to some of the world's most impressively industrial cheese and biscuits, now boasts huge-screen Mac computers for guests to use. They're gorgeous, new, and quick. You can even boot them into Windows if you must.

But if you are serious about your own security, and you read my report on kiosk hacking from Kiwicon, you'll know that your best bet is not to use airport internet access terminals at all. If you must use them, stick to the most general browsing - for example, the same sort of headlines everyone else is likely to be reading.

Someone who travelled ahead of me to Brisbane recently didn't follow my advice. Worse still, he didn't even log out, reboot or reset his browser when he shot off to catch his plane.

I've adapted the details to protect the identity of the risk-taking traveller, but I can tell you that he works for a large consulting and business analysis company, that his name is Wieweet Iemand, that he was probably born in, or once lived in, a town in the Netherlands called Ergensdorp, and that towards the end of November he met with his client, a large mining conglomerate called Diggittup, to discuss Biznistuff.

There's more, but I will spare him further embarrassment. (Mr Iemand from Brisbane: if you see this, there's a spelling mistake on your LinkedIn profile. It would be pragmatic if you were to fix it.)

Please, Naked Security readers, take care not to leave a trail of personally identifiable information behind you when you travel. It's bad enough to do so at any time, but you are particularly at risk when you are on a trip.

And avoid those kiosks. Generations before you managed to circumnavigate the globe without checking their email every hour and Tweeting every few minutes. Getting online is useful, and important, but sometimes it's safer just to make it wait.

PS: I didn't mention Wikileaks once!

, , , , , , ,

You might like

5 Responses to Airport insecurity - are you a high-risk traveller?

  1. To prevent such leaks, I suggest that those using public terminals/computers run ccleaner portable version (http://www.piriform.com/ccleaner/download/portable) to clean up their tracks. It does not require admin access or installation. YOu can just download the zip file, extract it and run the exe inside. Select all the options and select run ccleaner or something like that.

    • Paul Ducklin · 1357 days ago

      No. That doesn't solve the general kiosk problem (read the earlier article I link to above :-) If you are using a kiosk on which _you_ can download and run arbitrary executables, then you need to assume that the guy before you did something similar. And you should assume that his goal was not to erase what went before, but to sniff what came next, i.e. your whole session.

      The problem is not just what you might behind when you finish, but what you might inherit (e.g. keylogging, packet sniffing, DNS redirection) when you start.

      I think you would be wise to treat a kiosk on which users can download and run an executable of their choice, from an arbitrary location of their choice, as well-and-truly pwned. So you should treat your entire session as well-and-truly public, whether you clean it up later or not. (Anyway, if you can't trust the kiosk, you can't trust the cleaner to run properly, either.)

      • If the kiosky deletes previous files is it safe? (Its XP embedded edition). Plus, is there any Anti-Virus that does not require installation or admin powers?

        I'm the same as the above facebook user, just using twitter.

      • Speaking of Sydney Airport, there is an Everywhere Internet kiosk there. Their PCs force not just a logout, but a complete reboot when you finish using them - during which reboot process the entire system is ghosted from a master image over Everywhere Internet's network. Essentially, when you logon you can be more or less guaranteed that you're logging on to a clean PC. I believe this system would even be able to thwart a rootkit (though I'm not certain about that, I admit.)

        There are several other reasons that I prefer and trust Everywhere, but since they aren't security-related, I won't repeat them here.

        • Paul Ducklin · 1284 days ago

          This sounds safer than kiosks which retain data between logouts - even data stored in files you're not supposed to be able to write to.

          In the Kiwicon presentation I link back to, however, Paul Craig also showed a range of other related flaws in popular kiosk systems - including some worrying bugs - such as the ability to access historical info and to adjust security settings without proper authorisation - in the back-end systems which support each network of kiosks.

          This is separate, of course, from the security of the image the kiosk boots into. (And the re-imaging of the Everywhere kiosk wouldn't have helped the gentleman in the article - he forgot to logout altogether. [*])

          [*] It's not his real name, as Dutch speakers will realise. The details were changed for the article.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog