
SANS ISC: Internet Storm Center



Latest Diaries

Traveling with a Laptop / Surviving a Laptop Ban: How to Let Go of "Precious"

Published: 2017-05-29
Last Updated: 2017-06-25 16:41:51 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

For a few months now, passengers on flights from certain countries have not been allowed to carry laptops and other larger electronic devices into the cabin. Many news outlets reported over the last weeks that this policy may be expanded to flights from Europe, or to all flights entering the US. But even if you get to keep your laptop with you during your flight, it is difficult to keep it at your side for the whole trip. So regardless of whether this ban materializes (right now it looks like it will not), this is your regular reminder on how to keep your electronics secure while traveling.

Checking a laptop is considered inadvisable for a number of reasons:

- Your laptop is out of your control and could be manipulated. It is pretty much impossible to secure a laptop once an adversary has had physical control of it for a substantial amount of time. These attacks are sometimes called "evil maid attacks", in reference to having the laptop manipulated while it is stored in a hotel room.

- Laptops often are stolen from checked luggage. Countless cases have been reported of airport workers, and in some cases, TSA employees, stealing valuables like laptops from checked luggage.

- Laptops contain lithium batteries. Spare lithium batteries are prohibited in checked luggage, and airlines discourage checking devices with batteries installed, because there have been instances of them catching fire (a fact that may well block the "laptop ban").

You are typically not allowed to lock your checked luggage. And even if you lock it, most luggage locks are easily defeated. The main purpose of a lock should be to identify tampering, not to prevent tampering or theft.

Here are a couple of things that you should consider when traveling with your laptop, regardless of where you keep it during your flight:

- Full disk encryption with pre-boot authentication. This is a must for any portable device, no matter where you are flying. You will never be able to fully control your device. Larger devices like laptops are often left unattended in a hotel room, and hotel safes provide minimal security. The pre-boot part matters: a configuration that unlocks the disk automatically at boot (for example, TPM-only unlock without a PIN) leaves the key in memory and the OS logon screen as the only barrier.

- Power your device down. Do not just put it to sleep. For checked luggage, this may even prevent other accidents like overheating if the laptop happens to "wake up". But powering the laptop down will also make sure encryption keys cannot be recovered from memory.

- Some researchers suggest covering the screws on your laptop in glitter nail polish. Take a picture before departure and use it to detect tampering.

- Take a "blank" machine, and restore it after arrival from a network backup. This may not be practical, in particular for international travel. But you could do the same with a disk backup, and so far, USB disks are still allowed as carry-on and they are easier to keep with you. Encrypt the backups.

- Take a "blank" machine and use a remote desktop over the network. Again, this may not work in all locations due to slow network speeds and high costs. But this is probably the most secure solution.

- If you are lucky enough to own a laptop with removable hard drive, then remove it before checking your luggage. 

- Before departure, set up a VPN endpoint that accepts connections on several ports and via HTTP proxies (OpenVPN, for example, can connect over TCP through an HTTP proxy). You never know what restrictions you will run into on a hotel or conference network. Test the VPN before you leave!
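As an added example (not a configuration from this diary or from the OpenVPN project), here is what such a fallback-capable client configuration looks like for OpenVPN 2.4. The host names vpn.example.net and proxy.example.net, the proxy port and the certificate file names are placeholders.

```conf
# laptop.ovpn - OpenVPN 2.4 client, example added for this diary.
# vpn.example.net, proxy.example.net and the file names are placeholders.
client
dev tun
nobind
persist-key
persist-tun
resolv-retry infinite

# Try each <connection> profile in turn; give up on one after 3 attempts.
connect-retry 2
connect-retry-max 3

# 1. Normal path: UDP/1194.
<connection>
remote vpn.example.net 1194 udp
</connection>

# 2. Networks that only let 443/tcp out: OpenVPN over TCP on 443.
<connection>
remote vpn.example.net 443 tcp
</connection>

# 3. Networks that force an HTTP proxy: tunnel through its CONNECT method.
#    OpenVPN can only use an HTTP proxy over TCP. Proxy host and port are
#    placeholders; take them from the network's PAC/WPAD settings once there.
<connection>
remote vpn.example.net 443 tcp
http-proxy proxy.example.net 3128
</connection>

# Refuse a "server" that presents a client certificate (a MITM holding a
# stolen client cert) and require the extra HMAC on the control channel.
remote-cert-tls server
tls-auth ta.key 1
ca ca.crt
cert laptop.crt
key laptop.key
cipher AES-256-GCM
verb 3
```

On the server side, OpenVPN binds one socket per instance, so run one instance per port and protocol you want to offer (the usual UDP/1194 one plus a `proto tcp` / `port 443` instance) or redirect extra ports to it with a NAT rule; `port-share` on the TCP/443 instance lets a web server keep using that port. Because the fallback order hides a broken entry, test each profile on its own (comment out the others) before you leave.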

Have a plan for what happens if your laptop is lost or stolen. How will you be able to function? Even if you do not have a complete backup of your laptop with you, a USB stick with important documents that you will need during your trip is helpful, as well as a cloud-based backup. You may want to add VPN configuration details and certificates to the USB stick so you can connect to one if needed. Be ready to use a "loaner" system for a while with unknown history and configuration to give a presentation, or even to use for webmail access. This is a very dangerous solution, and you should reset any passwords that you used on the loaner system as soon as possible. But sometimes you have to keep going under less than ideal circumstances. Of course, right now, you can still bring your phone onboard, which should be sufficient for e-mail in most cases. 

In general, this advice should be followed whenever you travel. It is very hard not to leave your laptop unsupervised at some point over a long trip. If you don't trust hotel safes (and you should not trust them), then it may make sense to bring your own lockable container like a Pelican case with solid locks (Pelican also makes a backpack that works reasonably well but is a bit bulky and heavy). Don't forget a cable to attach the case to something. Just don't skimp on the locks, and again: the goal is to detect tampering/theft, not to prevent it. Any case that you can carry on an airplane can be defeated quickly with a hacksaw or a crowbar, and usually it takes much less.

Also, see this Ouch! Newsletter about staying secure while "on the road":

https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201502_en.pdf

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute


Fake DDoS Extortions Continue. Please Forward Us Any Threats You Have Received.

Published: 2017-06-23
Last Updated: 2017-06-23 11:24:50 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

We do continue to receive reports about DDoS extortion e-mail. These e-mails are essentially spammed to the owners of domains based on whois records. They claim to originate from well-known hacker groups like "Anonymous" who have been known to launch DDoS attacks in the past. These e-mails essentially use the notoriety of the group's name to make the threat sound more plausible. But there is no evidence that these threats originate from these groups, and so far we have not seen a single case of a DDoS being launched after a victim received these e-mails. So no reason to pay :)

Here is an example of an e-mail (I anonymized some of the details like the bitcoin address and the domain name)

We are Anonymous hackers group.
Your site [domain name] will be DDoS-ed starting in 24 hours if you don't pay only 0.05 Bitcoins @ [bit coin address]
Users will not be able to access sites host with you at all.
If you don't pay in next 24 hours, attack will start, your service going down permanently. Price to stop will increase to 1 BTC and will go up 1 BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - over 1 Tbps per second. No cheap protection will help.
Prevent it all with just 0.05 BTC @ [bitcoin address]
Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

This particular e-mail was rather cheap. Other e-mails asked for up to 10 BTC. 
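To make the "look for patterns" part easier, here is a small triage parser, added for this diary and not a tool from the ISC, that pulls the comparable fields (claimed group, domain, Bitcoin address, demanded amounts, deadline, bandwidth boast) out of an extortion e-mail, checks whether each address is even a valid Base58Check address (a checksum that does not verify means nobody could have paid it), and builds a fingerprint for clustering samples that came from the same template. The sample e-mail is constructed from the template quoted above; the domain victim.example and the address (the all-zero hash160 burn address, built with the encoder in the block) are placeholders, not data from a real message.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Bitcoin's Base58 alphabet (no 0, O, I or l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check-encode version byte + payload; used here only to build a
    syntactically valid placeholder address for the constructed sample."""
    data = bytes([version]) + payload
    data += hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Every leading zero byte becomes a leading '1'.
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58check_valid(addr: str) -> bool:
    """True if addr is a legacy (P2PKH/P2SH) address whose 4-byte SHA256d
    checksum verifies. A mistyped or truncated address fails here."""
    if not addr or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    data = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(data) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    return hashlib.sha256(hashlib.sha256(data[:21]).digest()).digest()[:4] == data[21:]


# Constructed sample modelled on the template quoted in the diary. Domain and
# address are placeholders, not taken from any real e-mail.
SAMPLE_ADDRESS = b58check_encode(0, bytes(20))
SAMPLE_EMAIL = f"""We are Anonymous hackers group.
Your site victim.example will be DDoS-ed starting in 24 hours if you don't pay only 0.05 Bitcoins @ {SAMPLE_ADDRESS}
If you don't pay in next 24 hours, attack will start. Price to stop will increase to 1 BTC and will go up 1 BTC for every day of attack.
Our attacks are extremely powerful - over 1 Tbps per second. No cheap protection will help.
Prevent it all with just 0.05 BTC @ {SAMPLE_ADDRESS}
"""

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy addresses only
AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:BTC|Bitcoins?)\b", re.I)
DEADLINE_RE = re.compile(r"\b(?:in|within|next)\s+(\d+)\s*hours?\b", re.I)
GROUP_RE = re.compile(r"We are (.+?)(?: hackers?)?(?: group)?\.", re.I)
BANDWIDTH_RE = re.compile(r"(\d+(?:\.\d+)?\s*[GT]bps)", re.I)


@dataclass
class ExtortionNote:
    claimed_group: Optional[str] = None
    domains: List[str] = field(default_factory=list)
    btc_addresses: List[str] = field(default_factory=list)
    valid_addresses: List[str] = field(default_factory=list)
    amounts_btc: List[float] = field(default_factory=list)
    deadline_hours: Optional[int] = None
    claimed_bandwidth: Optional[str] = None


def parse_extortion(text: str) -> ExtortionNote:
    """Pull the fields worth comparing across samples out of one e-mail body."""
    note = ExtortionNote()
    m = GROUP_RE.search(text)
    note.claimed_group = m.group(1).strip() if m else None
    note.domains = sorted(set(DOMAIN_RE.findall(text)))
    note.btc_addresses = sorted(set(BTC_RE.findall(text)))
    note.valid_addresses = [a for a in note.btc_addresses if b58check_valid(a)]
    note.amounts_btc = sorted({float(a) for a in AMOUNT_RE.findall(text)})
    m = DEADLINE_RE.search(text)
    note.deadline_hours = int(m.group(1)) if m else None
    m = BANDWIDTH_RE.search(text)
    note.claimed_bandwidth = m.group(1) if m else None
    return note


def template_fingerprint(note: ExtortionNote) -> str:
    """Clustering key: same group name, opening demand, deadline and bandwidth
    boast usually means the same mass-mailed template, whatever domain or
    address was substituted in."""
    opening = min(note.amounts_btc) if note.amounts_btc else None
    return f"{note.claimed_group}|{opening}|{note.deadline_hours}|{note.claimed_bandwidth}"


if __name__ == "__main__":
    n = parse_extortion(SAMPLE_EMAIL)
    print(n)
    print("fingerprint:", template_fingerprint(n))
```

Run it over each forwarded sample and group by the fingerprint; the valid addresses are the ones worth watching on a block explorer to see whether anyone is paying.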

There is absolutely no reason to pay any of these ransoms. But if you receive an e-mail like this, there are a couple of things you can do:

  • Verify your DDoS plan: Do you have an agreement with an anti-DDoS provider? A contact at your ISP? Try to make sure everything is set up and working right.
  • We have seen these threats being issued against domains that are not in use. It may be best to remove DNS for the domain if this is the case, so your network will not be affected. 
  • Attackers often run short tests before launching a DDoS attack. Can you see any evidence of that? A brief, unexplained traffic spike? If so, take a closer look; a threat is more credible if you can detect an actual test. The purpose of the test is often to assess the firepower needed to DDoS your network.
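The "brief, unexplained traffic spike" check from the last point, as an added example that is not from the diary: a detector run over per-minute inbound rate samples that flags anything far above a robust baseline (median plus a multiple of the median absolute deviation, computed over recent samples that were not themselves flagged, so an ongoing flood does not raise the bar and hide its own tail), then splits the flagged minutes into short runs (a likely firepower test) and long runs (the attack itself). The 240-minute series is constructed in the block, not real traffic data; the window, factor and run-length cutoff are assumed starting values to tune against your own counters.

```python
import math
from statistics import median
from typing import Dict, List, Tuple


def build_sample_series() -> List[float]:
    """Constructed data, not a real capture: 240 one-minute inbound samples
    (Mbps) for a small site. About 100 Mbps with a gentle wobble, a 3-minute
    burst at minute 120 (a firepower test) and a 30-minute flood from 180."""
    series = [100.0 + 5.0 * math.sin(i / 3.0) for i in range(240)]
    series[120:123] = [1500.0, 1400.0, 1550.0]
    series[180:210] = [400.0] * 30
    return series


SAMPLE_SERIES = build_sample_series()


def mad_baseline(samples: List[float]) -> Tuple[float, float]:
    """Median and median absolute deviation: a baseline that a handful of
    outliers cannot drag upwards the way a mean and stddev would be."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    return med, (mad if mad > 0 else 1.0)


def find_traffic_bursts(series: List[float], window: int = 60,
                        factor: float = 8.0, max_probe_len: int = 5) -> List[Dict]:
    """Flag samples above median + factor*MAD of the last `window` samples that
    were themselves not flagged. Consecutive flagged minutes form a run; runs
    of up to max_probe_len samples are labelled "probe", longer ones
    "sustained". The first `window` samples are the warm-up, assumed clean."""
    if len(series) <= window:
        return []
    clean = list(series[:window])
    flagged: List[int] = []
    for i in range(window, len(series)):
        med, mad = mad_baseline(clean[-window:])
        if series[i] > med + factor * mad:
            flagged.append(i)
        else:
            clean.append(series[i])

    runs: List[Dict] = []
    for i in flagged:
        if runs and i == runs[-1]["end"] + 1:
            runs[-1]["end"] = i
        else:
            runs.append({"start": i, "end": i})
    for r in runs:
        length = r["end"] - r["start"] + 1
        r["peak"] = max(series[r["start"]:r["end"] + 1])
        r["kind"] = "probe" if length <= max_probe_len else "sustained"
    return runs


if __name__ == "__main__":
    for r in find_traffic_bursts(SAMPLE_SERIES):
        print(f"minute {r['start']}-{r['end']}: peak {r['peak']:.0f} Mbps ({r['kind']})")
```

Feed it the interface or flow counters for the days around the e-mail; a "probe" run shortly before the deadline is the evidence the bullet above asks for, while nothing at all is one more reason to file the e-mail with the rest of the spam.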

And please forward any e-mails like this to us. It would be nice to get a few more samples to look for any patterns. Like I said above, this isn't new, but people appear to still pay up to these fake threats.

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute


