Tuesday, August 22, 2006

The New York Times



Web Surfing in Public Places Is a Way to Court Trouble

Any business traveler who has logged on to a wireless network at the airport, printed a document at a hotel business center or checked e-mail messages at a public terminal has probably wondered, at least fleetingly, “Is this safe?”

Although obsessing about computer security is a bit like worrying about a toddler — potential hazards lurk everywhere and you can drive yourself crazy trying to avoid them — the fact is, business travelers take certain risks with the things they do on most trips.

“If you go into the average hotel and sit down in the business center and have a look at their computer, I’m sure you’ll find some interesting things that people shouldn’t have left behind,” said Paul Stamp, a security analyst with Forrester Research.

“The first step companies need to do is to educate people about how valuable the data is and also how small the circles are in which they travel,” he said, noting how loudly many people discuss business on cellphones, without a thought for who may be nearby.

Or what may be in the air. Robert Vamosi, a senior editor with the online technology publisher CNET, said wireless networks at airports — or for that matter, hotels or cafes — are not as secure as most people think.

“Someone may have some software on their computer that allows them to look at all the wireless transactions going on around them and capture packets that are floating between the laptop and the wireless access point,” he said.

These software programs are called packet sniffers and many can be downloaded free online. They are typically set up to capture passwords, credit card numbers and bank account information — which is why Mr. Vamosi says shopping on the Web is not a great way to kill time during a flight delay.

“Where I’d draw the line is putting in your bank account information or credit card number,” he said, adding that checking e-mail messages probably is not that risky, but if you want to be cautious, change your password once you are on a secure connection again.

That said, if you gain access to your corporate network through a V.P.N., or virtual private network, you are safer using public hot spots, because your data is encrypted as it travels between Gate 17 and your office’s server, where it is decoded before going to its destination.

In other words, your communications are automatically encoded by software on your computer so the data looks like gibberish to anyone trying to intercept it. If your company does not offer a V.P.N. for employees working away from the office, there are services you can subscribe to for about $10 a month that do the same thing.

Michael Sellitto, a graduate student studying international security at Harvard, said that even though he encrypted any sensitive data on his laptop, he planned to sign up for a service like HotSpotVPN to add another level of security when he is traveling, especially when using poorly protected networks at cafes and hotels.

“The problem is, the really good people have written sniffer programs so that the less-sophisticated people have access to the same technology,” Mr. Sellitto said. “Say a Microsoft Word document gets transmitted. The sniffer program will collect that and someone could open it up on their computer.”

While it is hard to say how likely it is that someone is lurking on a public network, many public networks do not have adequate security.

Last fall, InfoWorld magazine published an article about a security researcher who managed to collect more than 100 passwords, per stay, at hotels with lax security (about half the hotels she tested).

Gathering reliable statistics about security breaches is notoriously difficult, since companies are reluctant to reveal this information. Still, the most recent computer crime and security survey, conducted annually by the Computer Security Institute with the Federal Bureau of Investigation, found that the average loss from computer security incidents in 2005 was $167,713 per respondent (based on 313 companies and organizations that answered the question).

As Jim Louderback, editor of PC Magazine, noted, the statistics may not matter given the problems one data breach can cause.

“Even if it’s 1 or 2 percent,” he said. “You don’t want to run that risk.”

Using a public computer can also mean courting trouble, because data viewed while surfing the Web, printing a document or opening an e-mail attachment is generally stored on the computer — meaning it could be accessible to the next person who sits down. (To remove traces of your work, delete any documents you have viewed, clear the browser cache and the history file and empty the trash before you walk away.)

“You also run the risk that somebody has loaded a program on there that can capture your log-ins and passwords,” Mr. Louderback said, recalling an incident a few years ago when a Queens resident was caught installing this type of “key logger” software on computers at several Kinko’s locations in New York.

One way to foil these programs, which record what you type and can send the transcript to a hacker, is to use a password manager like RoboForm. This $30 software encrypts all your user names and passwords for various Web sites, then enters the data at the click of a mouse when you are prompted to log in.

There is a mobile version that can be stored on a flash drive that plugs into a U.S.B. port — making your passwords secure and portable.

There are also simple measures you can take to protect your hardware, like using a cable lock to secure your laptop in a hotel room or even a cafe (in case you leave the table for any reason), and making sure you lock your computer bag in the trunk rather than leaving it on the back seat.

For travelers who do carry around sensitive data, it is worth looking into programs like Absolute Software’s LoJack for Laptops, which can help recover a missing computer. The software reports its location when connected to the Internet — and some versions can even be programmed to destroy data if a computer is reported lost or stolen.

But perhaps the most common snoop that business travelers encounter is someone nearby “shoulder surfing” to see what is on a laptop, out of curiosity or mere boredom.

To foil prying eyes, 3M sells a Notebook Privacy Filter, a plastic film that makes it impossible to view a laptop screen from an angle.

Trevor Stromquist, a sales analyst for a manufacturing company in Minneapolis, has been using one for the last two years to dissuade nosy neighbors on the road, but he has noticed an added benefit back at the office.

“To be honest, it’s kind of a nice thing when you’re sitting in one of those long drawn-out meetings,” he said. “You can do what you need to do and no one will notice.”