A few years ago I was returning to the United States from a trip to Bogota, Colombia, and upon arriving in Atlanta, I was quietly escorted by two US Customs agents into a private room. Having previously been arrested, and having served time in prison, I was perhaps a bit less flustered than the average Joe would have been. Still, it was unsettling. I had not done anything wrong. And I was in that room for four hours—five short of the maximum that I could be held without being arrested.
The trouble started when a US Customs agent swiped my passport and then stared at the screen. “Kevin,” the agent said with a big smile on his face. “Guess what? There are some people downstairs who want to have a word with you. But don’t worry. Everything will be okay.”
I had been in Bogota to give a speech sponsored by the newspaper El Tiempo. I was also visiting the woman who was my girlfriend at the time. While I was waiting in that room downstairs, I called my girlfriend back in Bogota. She said the police in Colombia had called asking for her permission to search a package I had put in a FedEx box to the United States. “They found traces of cocaine,” she said. I knew they hadn’t.
The package contained a 2.5-inch internal hard drive. Apparently the Colombian—or maybe the US—authorities wanted to check the contents of the drive, which was encrypted. The cocaine was a lame excuse to open the package. I never got my hard drive back.
Later I learned that the police had torn open the box, taken the electronic equipment apart, then destroyed my hard drive while trying to open it by drilling a hole in it to check for cocaine. They could have used a special screwdriver to open the drive. They didn’t find any drugs.
Meanwhile, back in Atlanta, officials opened my luggage and found my MacBook Pro, a Dell XPS M1210 laptop, an Asus 900 laptop, three or four hard drives, numerous USB storage devices, some Bluetooth dongles, three iPhones, and four Nokia cell phones (each with its own SIM card, so I could avoid roaming charges while speaking in different countries). These are standard tools in my profession.
Also in my luggage was my lock-picking kit and a cloning device that could read and replay any HID proximity card. The latter can be used to retrieve credentials stored on access cards by placing it in close proximity to them. I can, for example, spoof a person’s card credentials and enter locked doors without having to make a forged card. I had these because I had given a keynote presentation about security in Bogota. Naturally, the customs agents’ eyes lit up when they saw them, thinking I was up to something else—e.g., skimming credit cards, which was impossible with these devices.
Eventually agents from US Immigration and Customs Enforcement (ICE) arrived and asked why I was in Atlanta. I was there to moderate a panel at a security conference sponsored by the American Society for Industrial Security (ASIS). Later an FBI agent on the same panel was able to confirm the reason for my trip.
Things seemed to get worse when I opened my laptop and logged in to show them the e-mail confirming my presence on the panel.
My browser was set to automatically clear my history when started, so when I launched it I was prompted to clear my history. When I confirmed and clicked the OK button to clear my history, the agents freaked out. But then I just pressed the power button to power down the MacBook, so my drive was inaccessible without my PGP passphrase.
Unless I was under arrest, which I was told repeatedly that I was not, I should not have had to give up my password. Even if I had been under arrest, I wouldn’t technically have had to give up my password under US law, but whether that right is protected depends on how long one is willing to fight.[1] And different countries have different laws on this. In the UK and Canada, for example, authorities can force you to reveal your password.
After my four hours, both ICE and the customs agents let me go. If an agency like the NSA had targeted me, however, they would have likely succeeded in figuring out the contents of my hard drive. Government agencies can compromise the firmware in your computer or mobile phone, impair the network you use to connect to the Internet, and exploit a variety of vulnerabilities found in your devices.
I can travel to foreign countries that have even more stringent rules and never have the problems I have in the United States because of my criminal record here. So how do you travel abroad with sensitive data? And how do you travel to “hostile” countries such as China?
If you don’t want to have any sensitive data available on your hard drive, the choices are:
1. Clean up any sensitive data before you travel and perform a full backup.
2. Leave the data there but encrypt it with a strong key (although some countries may be able to compel you to reveal the key or password). Do not keep the passphrase with you: perhaps give half of the passphrase to a friend outside the United States who cannot be compelled to give it up.
3. Upload the encrypted data to a cloud service, then download and upload as needed.
4. Use a free product such as VeraCrypt to create a hidden encrypted file folder on your hard drive. Again, a foreign government, if it finds the hidden file folder, may be able to force you to reveal the password.
5. Whenever entering your password into your devices, cover yourself and your computer, perhaps with a jacket or other item of clothing, to prevent camera surveillance.
6. Seal your laptop and other devices in a FedEx or other Tyvek envelope and sign it, then put it in the hotel room safe. If the envelope is tampered with, you should notice it. Note, too, that hotel safes aren’t really that safe. You should consider buying a camera device that you can put inside the safe to take a photo of anyone opening it and send the photo via cellular in real time.
7. Best of all, don’t take any risk. Carry your device with you at all times, and don’t let it out of your sight.
According to documents obtained by the American Civil Liberties Union through the Freedom of Information Act, between October of 2008 and June of 2010, more than 6,500 people traveling to and from the United States had their electronic devices searched at the border. This is an average of more than three hundred border searches of electronic devices per month. And almost half of those travelers were US citizens.
Little known fact: Anyone’s electronic devices can be searched without a warrant or reasonable suspicion within one hundred air miles of the US border, which likely includes San Diego. Just because you crossed the border doesn’t necessarily mean you are safe!
Two government agencies are primarily responsible for inspecting travelers and items entering the United States: the Department of Homeland Security’s Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE). In 2008, the Department of Homeland Security announced that it could search any electronic device entering the United States.[2] It also introduced its proprietary Automated Targeting System (ATS), which creates an instant personal dossier about you—a very detailed one—whenever you travel internationally. CBP agents use your ATS file to decide whether you will be subject to an enhanced and sometimes invasive search upon reentering the United States.
The US government can seize an electronic device, search through all the files, and keep it for further scrutiny without any suggestion of wrongdoing whatsoever. CBP agents may search your device, copy its contents, and try to undelete images and video.
So here’s what I do.
To protect my privacy and that of my clients, I encrypt the confidential data on my laptops. When I’m in a foreign country, I transmit the encrypted files over the Internet for storage on secure servers anywhere in the world. Then I wipe them physically from the computer before I return home, just in case government officials decide to search or seize my equipment.
Wiping data is not the same as deleting data. Deleting data only changes the master boot record entry for a file (the index used to find parts of the file on the hard drive); the file (or some of its parts) remains on the hard drive until new data is written over that part of the hard drive. This is how digital forensics experts are able to reconstruct deleted data.
Wiping, on the other hand, securely overwrites the data in the file with random data. On solid-state drives, wiping is very difficult, so I carry a laptop that has a standard hard drive and wipe it with at least thirty-five passes. File-shredding software does this by overwriting random data hundreds of times in each pass over a deleted file, making it hard for anyone to recover that data.
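The difference between deleting and wiping, as an added example that is not code from the book. `ToyDisk` is a constructed in-memory model of an index plus a raw data area, `wipe_file` is a hypothetical helper for real files, and the three-pass default is an assumption.

```python
import os
import secrets


class ToyDisk:
    """Constructed model of a drive: raw bytes plus an index of file extents."""

    def __init__(self, size=4096):
        self.raw = bytearray(size)
        self.index = {}          # name -> (offset, length)
        self.next_free = 0

    def write(self, name, data):
        off = self.next_free
        if off + len(data) > len(self.raw):
            raise OSError("toy disk full")
        self.raw[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.next_free = off + len(data)

    def delete(self, name):
        # Ordinary delete: the index entry goes away, the bytes stay put.
        del self.index[name]

    def wipe(self, name, passes=1):
        # Wipe: overwrite the extent with random bytes, then drop the entry.
        off, length = self.index[name]
        for _ in range(passes):
            self.raw[off:off + length] = secrets.token_bytes(length)
        del self.index[name]

    def carve(self, needle):
        # What a forensic tool does: ignore the index and scan the raw bytes.
        return bytes(self.raw).find(needle)


def wipe_file(path, passes=3, chunk=1 << 20, remove=True):
    """Overwrite a real file in place with random data, then unlink it.

    Only meaningful where the file system rewrites the same physical blocks.
    SSD wear levelling, journaling and copy-on-write file systems can leave
    the old blocks intact, which is why the text calls SSD wiping difficult.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # force each pass out of the page cache
    if remove:
        os.remove(path)
    return size


def demo():
    secret = b"client-report: constructed sample data"
    disk = ToyDisk()
    disk.write("a.txt", secret)
    disk.write("b.txt", secret[::-1])
    disk.delete("a.txt")           # index entry removed only
    disk.wipe("b.txt")             # contents overwritten first
    return {
        "deleted_recoverable": disk.carve(secret) != -1,
        "wiped_recoverable": disk.carve(secret[::-1]) != -1,
    }


if __name__ == "__main__":
    print(demo())
```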
I used to make a full image backup of my device onto an external hard drive and encrypt it. I would then send the backup drive to the United States. I wouldn’t wipe the data on my end until the drive was confirmed to be received by a colleague in readable condition. Then I’d securely wipe all personal and client files. I wouldn’t format the entire drive, and I’d leave the operating system intact. That way, if I was searched, it would be easier to restore my files remotely without having to reinstall the entire operating system.
Since the experience in Atlanta, I’ve changed my protocol somewhat. I have started to keep an up-to-date “clone” of all my travel computers with a business colleague. My colleague can then just send the cloned systems to me anywhere in the United States, if needed.
My iPhone is another matter. If you ever connect your iPhone to your laptop to charge, and you click “Trust” when it shows you the “Trust This Computer” question, a pairing certificate is stored on the computer that allows the computer to access the entire contents of the iPhone without needing to know the passcode. The pairing certificate will be used whenever the same iPhone is connected to that computer.
For example, if you plug your iPhone into another person’s computer and “trust” it, a trusted relationship is created between the computer and the iOS device, which allows the computer to access photos, videos, SMS messages, call logs, WhatsApp messages, and most everything else without needing the passcode. Even more concerning, that person can just make an iTunes backup of your entire phone unless you previously set a password for encrypted iTunes backups (which is a good idea). If you didn’t set that password, an attacker could set one for you and simply back up your mobile device to his or her computer without your knowledge.
That means if law enforcement wants to see what’s on your passcode-protected iPhone, they can do so easily by connecting it to your laptop, since it likely has a valid pairing certificate with that phone. The rule is: never “trust this computer” unless it’s your personal system. What if you want to revoke your entire Apple device’s pairing certificates? The good news is that you can reset your pairing certificate on your Apple devices.[3] If you need to share files, and you are using an Apple product, use AirDrop. And if you need to charge your phone, use the lightning cable plugged into your system or an electrical outlet, not into someone else’s computer. Or you can buy a USB condom from syncstop.com, which allows you to safely plug into any USB charger or computer.
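A pre-travel audit of the pairing records a laptop holds, as an added example that is not from the book. The directory locations and the plist key names (`HostID`, `HostPrivateKey`, `EscrowBag`) are assumptions based on how iTunes and usbmuxd are commonly documented to store these records, and reading the macOS directory normally requires administrator rights.

```python
import os
import plistlib
import sys
from datetime import datetime, timezone
from xml.parsers.expat import ExpatError

# Assumed default locations of pairing records (not given in the text).
DEFAULT_DIRS = {
    "darwin": "/var/db/lockdown",
    "win32": os.path.join(os.environ.get("ProgramData", r"C:\ProgramData"),
                          "Apple", "Lockdown"),
    "linux": "/var/lib/lockdown",
}


def default_lockdown_dir():
    return DEFAULT_DIRS.get(sys.platform, DEFAULT_DIRS["linux"])


def audit_pairing_records(lockdown_dir):
    """Return one finding per device pairing record stored on this computer."""
    findings = []
    for name in sorted(os.listdir(lockdown_dir)):
        # SystemConfiguration.plist describes the host itself, not a device.
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        path = os.path.join(lockdown_dir, name)
        entry = {"udid": name[:-len(".plist")], "path": path}
        try:
            with open(path, "rb") as f:
                record = plistlib.load(f)
            if not isinstance(record, dict):
                raise ValueError("top-level object is not a dictionary")
        except (OSError, ValueError, ExpatError) as exc:
            # Unreadable or corrupt records are reported, never skipped silently.
            entry["error"] = type(exc).__name__
            findings.append(entry)
            continue
        mtime = os.path.getmtime(path)
        entry.update({
            "host_id": record.get("HostID"),
            # The host private key is what lets this computer authenticate
            # to the phone without the passcode being typed again.
            "has_host_key": "HostPrivateKey" in record,
            "has_escrow_bag": "EscrowBag" in record,
            "last_modified": datetime.fromtimestamp(
                mtime, tz=timezone.utc).isoformat(),
        })
        findings.append(entry)
    return findings


def usable_pairings(findings):
    """Records that still carry key material, i.e. pairings worth revoking."""
    return [f["udid"] for f in findings if f.get("has_host_key")]


if __name__ == "__main__":
    for finding in audit_pairing_records(default_lockdown_dir()):
        print(finding)
```

Run it before a trip: every device identifier it lists is a phone or tablet this computer can still talk to without the passcode.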
What if you only have your iPhone and not your computer when traveling?
I have enabled Touch ID on my iPhone so that it recognizes my fingerprint. What I do is reboot my iPhone before approaching immigration control in any country. And when it powers up, I deliberately do not put in my passcode. Even though I have enabled Touch ID, that feature is by default disabled until I first put in my passcode. The US courts are clear that law enforcement cannot demand your password. Traditionally, in the United States, you cannot be compelled to give testimonial evidence; however, you can be compelled to turn over a physical key to a safe. As such, a court can compel you to provide your fingerprints to unlock the device.[4] Simple solution: reboot your phone. That way your fingerprint won’t be enabled and you won’t have to give up your passcode.
In Canada, however, it’s the law; you must, if you are a Canadian citizen, provide your passcode when it’s requested. This happened to Alain Philippon, from Sainte-Anne-des-Plaines, Quebec. He was on his way home from Puerto Plata, in the Dominican Republic, when he refused to provide the border agents in Nova Scotia with his mobile phone’s passcode. He was charged under section 153.1(b) of the Canadian Customs Act for hindering or preventing border officers from performing their role. The penalty if you’re found guilty is $1,000, with a maximum fine of $25,000 and the possibility of one year in jail.[5]
I know firsthand about the Canadian password law. I hired a car service like Uber to take me from Chicago to Toronto in 2015 (I didn’t want to fly in severe thunderstorms), and when we crossed the border into Canada from Michigan, we were immediately sent to a secondary inspection site. Maybe it was because a Middle Eastern guy with only a green card was driving. As soon as we arrived at the secondary inspection point, we entered a scene straight out of CSI.
A team of customs agents made sure we left the vehicle with all our belongings inside, including our cell phones. The driver and I were separated. One of the agents went to the driver’s side of the car and removed his cell phone from the cradle. The agent demanded the driver’s passcode and started going through his phone.
I previously had made up my mind never to give out my password. I felt I would have to choose between giving up my password and being allowed to travel into Canada for my gig. So I decided to use a bit of social engineering.
I yelled over to the customs agent searching the driver’s phone. “Hey—you aren’t going to search my suitcase, right? It’s locked so you can’t.” It immediately got her attention. She said they had every right to search my suitcase.
I replied, “I locked it, so it cannot be searched.”
Next thing I know, two agents walked over to me and demanded the key. I started asking them why they needed to search my suitcase, and they explained again that they had the right to search everything. I pulled out my wallet and handed the agent the key to my suitcase.
That was enough. They completely forgot about the cell phones and concentrated on my suitcase instead. Mission accomplished through misdirection. I was let go and, thankfully, was never asked for my cell-phone password.
In the confusion of being screened, it is easy to become distracted. Don’t let yourself fall victim to circumstance. When going through any security checkpoint, make sure your laptop and electronic devices are the last on the conveyor belt. You don’t want your laptop sitting at the other end while someone ahead of you is holding up the line. Also, if you need to step out of the line, make sure you have your laptop and electronic device with you.
Whatever privacy protections we may enjoy at home don’t necessarily apply to travelers at the US border. For doctors, lawyers, and many business professionals, an invasive border search might compromise the privacy of sensitive professional information. This information might include trade secrets, attorney–client and doctor–patient communications, and research and business strategies, some of which a traveler has legal and contractual obligations to protect.
For the rest of us, searches on our hard drives and mobile devices might reveal e-mail, health information, and even financial records. If you’ve recently traveled to certain countries deemed unfriendly to US interests, be aware that this may trigger additional scrutiny from customs agents.
Repressive governments present another challenge. They may insist on looking at your electronic devices more thoroughly—reading your e-mail and checking your Downloads folder. There is also a possibility—especially if they take your laptop from you—that they might attempt to install tracking software on your device.
Many companies issue burner phones and loaner laptops when employees travel abroad. These devices are either thrown away or wiped clean when the employee returns to the United States. But for most of us, uploading encrypted files to the cloud or buying a new device and disposing of it upon return are not practical options.
In general, don’t bring electronics that store sensitive information with you unless you absolutely need to. If you do, bring only the bare minimum. And if you need to bring your mobile phone, think about getting a burner phone for the duration of your visit. Especially since voice and data roaming rates are outrageous. Better to bring an unlocked burner phone and purchase a SIM card in the country you are visiting.
You might think that getting in and out of customs is the most nightmarish part of any trip. But it might not be. Your hotel room can also be searched.
I made several trips to Colombia in 2008—not just the one when I was stopped in Atlanta. On one of the trips I made later that year, something strange happened in my Bogota hotel room. And this was not a questionable hotel; it was one of the hotels where Colombian officials frequently stayed.
Perhaps that was the problem.
I had gone out to dinner with my girlfriend, and when we came back, my door lock displayed yellow when I inserted my room key. Not green. Not red. But yellow, which typically means the door is locked from the inside.
I went down to the front desk and had the clerk issue me a new key card. Again, the lock displayed a yellow light. I did this again. Same result. After the third time, I persuaded the hotel to send someone up with me. The door opened.
Inside, nothing looked immediately wrong. In fact at the time, I chalked the whole thing up to the lock being crappy. It wasn’t until I returned to the United States that I realized what had happened.
Before leaving the United States, I had called a former girlfriend, Darci Wood, who used to be the lead technician at TechTV, and asked her to come over to my place and swap out the hard drive in my MacBook Pro laptop. At the time, MacBook Pro hard drives weren’t easy to remove. She did it, though. In its place she put a brand-new drive that I had to format and install the OSX operating system on.
Several weeks later, when I returned from that trip to Colombia, I asked Darci to come over to my place in Las Vegas to swap back the drives.
Immediately she noticed something was different. She said someone had tightened the hard-drive screws much more than she had. Clearly someone in Bogota had removed the drive, perhaps to make an image copy of it when I left my room.
This happened more recently to Stefan Esser, a researcher known for jailbreaking iOS products. He tweeted a picture of his poorly remounted hard drive.
Even a drive with very little data has some data on it. Fortunately, I used Symantec’s PGP Whole Disk Encryption to encrypt the entire contents of my hard drive. (You could also use WinMagic for Windows or FileVault 2 for OSX.) So the clone of my hard drive would be worthless unless the thief could obtain the key to unlock it. It is because of what I think happened in Bogota that I now bring my laptop with me when I travel, even when I’m going out to dinner. If I have to leave my laptop behind, then I never leave it in hibernate mode. Rather, I power it down. If I didn’t, an attacker could possibly dump the memory and obtain my PGP Whole Disk encryption keys.[6] So I turn it all the way off.
At the beginning of the book I talked about the many precautions that Edward Snowden took to keep his communication with Laura Poitras private. Once Snowden’s secret cache of data was ready to be released to the public, however, he and Poitras needed a place to store it. The most common operating systems—Windows, iOS, Android, and even Linux—contain vulnerabilities. All software does. So they needed a secure operating system, one that is encrypted from day one and requires a key to unlock it.
Hard-disk encryption works like this: when you boot up your computer, you enter a secure password or, rather, a passphrase such as “We don’t need no education” (from the famous Pink Floyd song). Then the operating system boots up, and you can access your files and perform your tasks without noticing any time delay, because a driver performs the encryption tasks transparently and on the fly. This does, however, create the possibility that if you get up and leave your device, even for a moment, someone could access your files (since they are unlocked). The important thing to remember is that while your encrypted hard drive is unlocked, you need to take precautions to keep it secure. As soon as you shut down, the encryption key is no longer available to the operating system: that is, it just removes the key from memory so the data on the drive is no longer accessible.[7]
Tails is an operating system that can be booted up on any modern-day computer to avoid leaving any forensically recoverable data on the hard drive, preferably one that can be write-protected.[8] Download Tails onto a DVD or a USB stick, then set your BIOS firmware or EFI (OSX) initial boot sequence for either DVD or USB to boot the Tails distribution. When you boot, it will start up the operating system, which features several privacy tools, including the Tor browser. The privacy tools allow you to encrypt e-mail using PGP, encrypt your USB and hard drives, and secure your messages with OTR (off-the-record messaging).
If you want to encrypt individual files instead of your entire hard drive, there are several choices. One free option, TrueCrypt, still exists but is no longer maintained and doesn’t offer full-disk encryption. Because it is no longer maintained, new vulnerabilities will not be addressed. If you continue to use TrueCrypt, be aware of the risks. A replacement for TrueCrypt 7.1a is VeraCrypt, which is a continuation of the TrueCrypt project.
There are several programs for sale, too. One obvious one is Windows BitLocker, which is generally not included in the home editions of the Windows operating system. To enable BitLocker, if installed, open File Explorer, right-click on the C drive, and scroll down to the “Turn on BitLocker” option. BitLocker takes advantage of a special chip on your motherboard known as a trusted platform module, or TPM. It’s designed to unlock your encryption key only after confirming that your bootloader program hasn’t been modified. This is a perfect defense against evil maid attacks, which I will describe shortly. You can set BitLocker to unlock when you power up or only when there’s a PIN or a special USB that you provide. The latter choices are much safer. You also have the option of saving the key to your Microsoft account. Don’t do that, because if you do you will have more or less given Microsoft your keys (which, as you will see, it might already have).
There are several issues with BitLocker. First, it uses a pseudorandom number generator (PRNG) called Dual_EC_DRBG, short for dual elliptic curve deterministic random bit generator, which might contain an NSA back door.[9] It is also privately owned, meaning that you just have to take Microsoft’s word that it works and that it doesn’t have any back doors for the NSA—which may not be the case with open-source software. Another problem with BitLocker is that you must share the key with Microsoft unless you purchase it for $250. Not doing so may allow law enforcement to request the key from Microsoft.
Despite these reservations, the EFF actually does recommend BitLocker for the average consumer looking to protect his or her files.[10] However, be aware there is a way to bypass BitLocker as well.[11]
Another commercial option is PGP Whole Disk Encryption from Symantec. A lot of universities use this, as do many corporations. I have used it in the past as well. PGP Whole Disk Encryption was created by Phil Zimmermann, the man who created PGP for e-mail. Like BitLocker, PGP can support the TPM chip to provide additional authentication when you turn on your PC. A perpetual license sells for around $200.
There is also WinMagic, one of the few options that requires two-factor authentication instead of just a password. WinMagic also doesn’t rely on a master password. Rather, encrypted files are grouped, and each group has a password. This can make password recovery harder, so it may not be suitable for everyone.
And for Apple there’s FileVault 2. After installation, you can enable FileVault 2 by opening System Preferences, clicking on the “Security & Privacy” icon, and switching to the FileVault tab. Again, do not save your encryption key to your Apple account. This may give Apple access to it, which they in turn could give to law enforcement. Instead choose “Create a recovery key and do not use my iCloud account,” then print out or write down the twenty-four-character key. Protect this key, as anyone who finds it could unlock your hard drive.
If you have iOS 8 or a more recent version of the operating system on your iPhone or iPad, its contents are automatically encrypted. Going a step further, Apple has said that the key remains on the device, with the user. That means that the US government cannot ask Apple for the key: it’s unique to each and every device. FBI director James Comey claims that unbreakable encryption ultimately is not a good thing. In a speech he said, “Sophisticated criminals will come to count on these means of evading detection. And my question is, at what cost?”[12] The fear is that bad things will be kept under the cover of encryption.
The same fear delayed my case for months as I languished in jail back in the 1990s. My legal defense team wanted access to the discovery that the government planned to use against me at my trial. The government refused to turn over any encrypted files unless I provided the decryption key. I refused.[13] The court, in turn, refused to order the government to provide the discovery because I wouldn’t give them the key.[14]
Android devices, beginning with version 3.0 (Honeycomb), also can be encrypted. Most of us choose not to do so. Beginning with Android 5.0 (Lollipop), encrypted drives are the default on the Nexus line of Android phones but optional on phones from other manufacturers, such as LG, Samsung, and others. If you choose to encrypt your Android phone, note that it could take up to an hour to do so and that your device should be plugged in during the process. Reportedly, encrypting your mobile device does not significantly hinder performance, but once you’ve made the decision to encrypt, you can’t undo it.
In any of these whole-disk encryption programs, there always remains the possibility of a back door. I was once hired by a company to test a USB product that allowed users to store files in an encrypted container. During analysis of the code, we found that the developer had put in a secret back door—the key to unlock the encrypted container was buried in a random location on the USB drive. That meant that anyone with knowledge of the location of the key could unlock the data encrypted by the user.
Worse, companies don’t always know what to do with this information. When I completed my security analysis of the encrypted USB device, the CEO called me and asked whether he should leave the back door in or not. He was concerned that law enforcement or the NSA may need to access a user’s data. The fact that he needed to ask says a lot.
In its 2014 wiretap report, the US government reported encountering encrypted drives on only twenty-five out of the 3,554 devices that law enforcement had searched for evidence.[15] And they were still able to decrypt the drives on twenty-one of the twenty-five. So while having encryption often is good enough to keep a common thief from accessing your data, for a dedicated government, it might not pose much of a challenge.
Years ago researcher Joanna Rutkowska wrote about what she called an evil maid attack.[16] Say someone leaves a powered-down laptop whose hard drive is encrypted with either TrueCrypt or PGP Whole Disk Encryption in a hotel room. (I had used PGP Whole Disk Encryption in Bogota; I had also powered down the laptop.) Later, someone enters the room and inserts a USB stick containing a malicious bootloader. The target laptop must then be booted off the USB to install the malicious bootloader that steals the user’s passphrase. Now the trap is set.
A maid, someone who can frequent a hotel room without too much suspicion, would be the best candidate to do this—hence the name of the attack. A maid can reenter almost any hotel room the next day and type in a secret key combination that extracts the passphrase that was secretly stored on the disk. Now the attacker can enter the passphrase and obtain access to all your files.
I don’t know whether someone did this on my laptop in Bogota. The hard drive itself had been removed and then replaced with the screws turned too tightly. Either way, fortunately, the drive contained no real information.
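A way to check for the bootloader tampering that the evil maid attack relies on, and that the BitLocker passage says the TPM guards against, as an added example that is not from the book. It is a plain hash comparison rather than a TPM measurement; the 63-sector boot region, the function names and the idea of keeping the baseline off the laptop are assumptions.

```python
import hashlib
import os

SECTOR_SIZE = 512
BOOT_SECTORS = 63   # assumption: classic gap before the first MBR partition


def boot_region_digest(device_path, sectors=BOOT_SECTORS):
    """SHA-256 over the first sectors of a disk or disk image."""
    with open(device_path, "rb") as dev:
        data = dev.read(sectors * SECTOR_SIZE)
    if len(data) < SECTOR_SIZE:
        raise ValueError("device shorter than one sector")
    return hashlib.sha256(data).hexdigest()


def _hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_boot_files(root):
    """Map relative path -> SHA-256 for each regular file under the
    unencrypted boot partition (for example a mounted /boot or EFI volume)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = _hash_file(full)
    return result


def take_baseline(device_path, boot_root):
    # Take this on a known-good machine and store it off the laptop.
    return {
        "boot_region": boot_region_digest(device_path),
        "files": snapshot_boot_files(boot_root),
    }


def verify(baseline, device_path, boot_root):
    """Compare the current state with the baseline.

    Run from trusted rescue media: a tampered bootloader can lie to the
    operating system it starts, so a check made from that system proves little.
    """
    current = take_baseline(device_path, boot_root)
    old, new = baseline["files"], current["files"]
    report = {
        "boot_region_changed": baseline["boot_region"] != current["boot_region"],
        "changed": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }
    report["tampered"] = bool(
        report["boot_region_changed"] or report["changed"]
        or report["added"] or report["removed"]
    )
    return report
```

A legitimate bootloader or kernel update also changes these hashes, so the baseline has to be retaken after every update made on a machine you still trust.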
What about putting your electronics in a hotel safe? Is it better than leaving them out or keeping them in suitcases? Yes, but not much better. When attending a recent Black Hat, I stayed at the Four Seasons in Las Vegas. I placed $4,000 cash in the safe with various credit cards and checks. A few days later, I went and tried to open the safe but the code failed. I called security and they opened it up. I immediately noticed that the pile of $100 bills was much less thick. There was $2,000 left. So where did the other $2,000 go? Hotel security had no idea. A friend of mine who specializes in physical pen testing tried hacking the safe but could not exploit it. Today, it’s still a mystery. Ironically, the safe was called a Safe Place.
A German antivirus company, G DATA, found that in hotel rooms where their research staff stayed, “more often than not” the safe had the default password (0000) in place. In cases like that, no matter what private password you select, anyone knowing the default password could also gain access to your valuables inside. G DATA did say that this information was not discovered systematically but anecdotally over several years.[17]
If an attacker doesn’t know the default password for a given hotel-room safe, another option for him is to literally brute-force the lock. Although the hotel manager is entrusted with an emergency electronic device that plugs into the USB port and unlocks the safe, a savvy thief can simply unscrew the plate on the front of the safe and use a digital device to open the lock underneath. Or he can short-circuit the safe and initiate a reset, then enter a new code.
If that doesn’t bother you, consider this. G DATA also found that the credit card readers on room safes—often the means by which you pay for their use—can be read by a third party who could skim the credit card data and then use or sell that information on the Internet.
Today hotels use NFC or even magnetic-strip swipe cards to lock and unlock your room. The advantage is that the hotel can change these access codes quickly and easily from the front desk. If you lose your card, you can request a new one. A simple code is sent to the lock, and by the time you get to your room, the new key card works. Samy Kamkar’s MagSpoof tool can be used to spoof the correct sequences and open a hotel room lock that uses magnetic-strip cards. This tool was used on an episode of the TV show Mr. Robot.
The presence of a magnetic strip or an NFC chip has given rise to the idea that personal information might be stored on the hotel key card. It’s not. But the urban legend continues. There’s even a famous story that originated in San Diego County. Supposedly a sheriff’s deputy there issued a warning that a hotel guest’s name, home address, and credit card information had been found on a hotel key card. Perhaps you’ve seen the e-mail. It looks something like this:
Southern California law enforcement professionals assigned to detect new threats to personal security issues recently discovered what type of information is embedded in the credit card–type hotel room keys used throughout the industry.
Although room keys differ from hotel to hotel, a key obtained from the DoubleTree chain that was being used for a regional identity theft presentation was found to contain the following information:
Customer’s partial home address
Hotel room number
Check-in date and checkout date
Customer’s credit card number and expiration date!
When you turn them in to the front desk, your personal information is there for any employee to access by simply scanning the card in the hotel scanner. An employee can take a handful of cards home and, using a scanning device, access the information onto a laptop computer and go shopping at your expense.
Simply put, hotels do not erase these cards until an employee issues the card to the next hotel guest. It is usually kept in a drawer at the front desk with YOUR INFORMATION ON IT!!!!
The bottom line is, keep the cards or destroy them! NEVER leave them behind and NEVER turn them in to the front desk when you check out of a room. They will not charge you for the card.18
The truthfulness of this e-mail has been widely disputed.19 Frankly, it sounds like bullshit to me.
The information listed certainly could be stored on a key card, but that seems extreme, even to me. Hotels use what can be considered a token, a placeholder number, for each guest. Only with access to the back-end computers that do the billing can the token be connected with personal information.
I don’t think you need to collect and destroy your old key cards, but hey—you might want to do so all the same.
Another common question that concerns travel and your data: What’s in the bar code on the bottom of your plane ticket? What, if anything, might it reveal? In truth, relatively little personal information, unless you have a frequent flyer number.
Starting in 2005, the International Air Transport Association (IATA) decided to use bar-coded boarding passes for the simple reason that magnetic boarding passes were much more expensive to maintain. The savings have been estimated at $1.5 billion. Furthermore, using bar codes on airline tickets allows passengers to download their tickets from the Internet and print them at home, or they can use a mobile phone at the gate instead.
Needless to say, this change in procedure required some sort of standard. According to researcher Shaun Ewing, the typical boarding-pass bar code contains information that is mostly harmless—name of passenger, name of airline, seat number, departure airport, arrival airport, and flight number.20 However, the most sensitive part of the bar code is your frequent flyer number.21 All airline websites now protect their customer accounts with personal passwords. Giving out your frequent flyer number is not like giving out your Social Security number, but it still is a privacy concern.
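To see what a discarded or photographed boarding pass gives away, here is an added example (not from the original text) that splits the fixed-width mandatory block of a single-leg IATA bar-coded boarding pass into named fields and reports whether an optional section, where a frequent flyer number would sit, is present. The field widths follow the published BCBP layout rather than anything stated on this page, which is why the booking reference appears too; the sample string is constructed, with a fictional passenger and a placeholder carrier code.

```python
# Mandatory fixed-width fields of an IATA bar-coded boarding pass (BCBP, one leg).
# Widths follow the published BCBP layout (an assumption here); they sum to 60.
FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("booking_reference", 7),
    ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("julian_date", 3), ("cabin", 1),
    ("seat", 4), ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in FIELDS)

def parse_bcbp(raw):
    """Split the mandatory block into named fields and size the optional block."""
    if len(raw) < MANDATORY_LEN or raw[0] != "M":
        raise ValueError("not a BCBP 'M' format string")
    out, pos = {}, 0
    for name, width in FIELDS:
        out[name] = raw[pos:pos + width].strip()
        pos += width
    size = int(out["conditional_size_hex"], 16)  # ValueError if not hex
    if len(raw) - pos < size:
        raise ValueError("truncated conditional section")
    out["conditional_bytes"] = size
    return out

def exposure_report(raw):
    """List what anyone holding the pass, or a photo of it, can read."""
    parsed = parse_bcbp(raw)
    exposed = ["passenger_name", "booking_reference", "from_airport",
               "to_airport", "carrier", "flight_number", "seat"]
    report = {key: parsed[key] for key in exposed}
    # A frequent flyer number, when present, sits in the conditional section.
    report["may_contain_frequent_flyer"] = parsed["conditional_bytes"] > 0
    return report

# Constructed sample: fictional passenger, placeholder carrier "XX".
SAMPLE = "".join([
    "M", "1", "DOE/JANE".ljust(20), "E", "ABC123".ljust(7), "ATL", "BOG",
    "XX".ljust(3), "0123".ljust(5), "200", "Y", "012A", "0045".ljust(5), "1", "00",
])

if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE).items():
        print(f"{key:28} {value}")
```

Running it against the text decoded from your own pass shows which fields are worth covering before you post a photo or drop the stub in a public bin.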
A bigger privacy concern is the loyalty cards offered at supermarkets, pharmacies, gas stations, and other businesses. Unlike airline tickets, which have to be in your legal name, loyalty cards can be registered under a fake name, address, and phone number (a fake number you can remember), so your purchasing habits cannot be linked back to you.
When you check into your hotel and boot up your computer, you might see a list of available Wi-Fi networks, such as “Hotel Guest,” “tmobile123,” “Kimberley’s iPhone,” “attwifi,” “Steve’s Android,” and “Chuck’s Hotspot.” Which one should you connect to? I hope you know the answer by now!
Most hotel Wi-Fi doesn’t use encryption but does require the guest’s last name and room number as authentication. There are tricks to get around paywalls, of course.
One trick for getting free Internet at any hotel is to call any other room—perhaps the one across the hall—posing as room service. If the hotel uses caller ID, just use the house phone in the lobby. Tell the party answering the phone that her two burgers are on the way. When the guest says she didn’t place an order, you politely ask for her surname to fix the error. Now you have both the room number (you called it) and the surname, which is all that’s needed to authenticate you (a nonpaying guest) as a legitimate guest at that hotel.
Let’s say you are staying at a five-star hotel with Internet access, free or otherwise. As you log on, perhaps you see a message informing you that Adobe (or some other software maker) has an update available. Being a good citizen of the Internet, you might be tempted to download the update and move on. Except the hotel network should still be considered hostile—even if it has a password. It’s not your home network—so the update might not be real, and if you go ahead and download it you may inadvertently install malicious code on your PC.
If you are on the road a lot, as I am, whether to update or not is a tough call. There is little you can do except verify that there is an update available. The problem is, if you use the hotel’s Internet to download that update, you might be directed to a spoofed website providing the malicious “update.” If you can, use your mobile device to confirm the existence of the update from the vendor’s site and, if it’s not critical, wait until you’re back in a safe environment, such as a corporate office or back home, to download it.22
Researchers at Kaspersky Lab, a software security company, discovered a group of criminal hackers they call DarkHotel (also known as Tapaoux) who use this technique. They operate by identifying business executives who might be staying at a particular luxury hotel, then anticipate their arrival by placing malware on the hotel server. When the executives check in and connect to the hotel Wi-Fi, the malware is downloaded and executed on their devices. After the infection is complete, the malware is removed from the hotel server. Apparently this has been going on for almost a decade, the researchers noted.
Although it primarily affects executives staying at luxury hotels in Asia, it could be common elsewhere. The DarkHotel group in general uses a low-level spear-phishing attack for mass targets and reserves the hotel attacks for high-profile, singular targets—such as executives in the nuclear power and defense industries.
One early analysis suggested that DarkHotel was South Korea–based. A keylogger—malware used to record the keystrokes of compromised systems—used in the attacks contains Korean characters within the code. And the zero-days—vulnerabilities in software that are unknown to the vendor—were very advanced flaws that were previously unknown. Moreover, a South Korean name identified within the keylogger has been traced to other sophisticated keyloggers used by Koreans in the past.
It should be noted, however, that this is not enough to confirm attribution. Software can be cut and pasted from a variety of sources. Also, software can be made to look as though it is created in one country when it is actually created in another.
To get the malware on the laptops, DarkHotel uses forged certificates that appear as though they are issued from the Malaysian government and Deutsche Telekom. Certificates, if you remember from chapter 5, are used to verify the origin of the software or the Web server. To further hide their work, the hackers arranged it so that the malware stays dormant for up to six months before becoming active. This is to throw off IT departments that might link a visit with an infection.
Kaspersky only learned of this attack when a group of its customers became infected after staying at certain luxury hotels in Asia. The researchers turned to a third-party Wi-Fi host common to both, and the Wi-Fi host partnered with the antivirus company to find out what was happening on its networks. Although the files used to infect the guests were long gone, file deletion records were left behind that corresponded to the dates of the guests’ stays.
The easiest way to protect yourself against this kind of attack is to connect to a VPN service as soon as you connect to the Internet at the hotel. The one I use is cheap—only six dollars per month. However, that’s not a good choice if you want to be invisible, since it won’t allow anonymous setup.
If you want to be invisible, don’t trust the VPN provider with your real information. This requires setting up a fake e-mail address in advance (see here) and using an open wireless network. Once you have that fake e-mail address, use Tor to set up a Bitcoin wallet, find a Bitcoin ATM to fund the wallet, and then use a tumbler to essentially launder the Bitcoin so it cannot be traced back to you on the blockchain. This laundering process requires setting up two Bitcoin wallets using different Tor circuits. The first wallet is used to send the Bitcoin to the laundering service, and the second is set up to receive the laundered Bitcoin.
Once you have achieved true anonymity by using open Wi-Fi out of camera view plus Tor, find a VPN service that accepts Bitcoin for payment. Pay with the laundered Bitcoin. Some VPN providers, including WiTopia, block Tor, so you need to find one that doesn’t—preferably with a VPN provider that doesn’t log connections.
In this case, we are not “trusting” the VPN provider with our real IP address or name. However, when using the newly set-up VPN, you must be careful not to use any of the services connected to your real name and not to connect to the VPN from an IP address that can be tied back to you. You might consider tethering to an anonymously acquired burner phone (see here).
It’s best to purchase a portable hotspot—purchased in such a way that it would be very difficult to identify you. For example, you can hire someone to purchase it for you so your face does not appear on a surveillance camera in a store. When you’re using the anonymous hotspot, you should turn off any of your personal devices that use cellular signals to prevent the pattern of your personal devices registering in the same place as the anonymous device.
To summarize, here’s what you need to do to use the Internet privately while traveling:
1. Purchase prepaid gift cards anonymously (see here). In the EU, you can purchase prepaid credit cards anonymously at viabuy.com.
2. Use open Wi-Fi after changing your MAC address (see here).
3. Find an e-mail provider that allows you to sign up without SMS validation. Or you can sign up for a Skype-in number using Tor and a prepaid gift card. With Skype-in, you can receive voice calls to verify your identity. Make sure you are out of camera view (i.e., not in a Starbucks or anywhere else with camera surveillance). Use Tor to mask your location when you sign up for this e-mail service.
4. Using your new anonymous e-mail address, sign up at a site such as paxful.com, again using Tor, to sign up for a Bitcoin wallet and buy a supply of Bitcoin. Pay for them using the prepaid gift cards.
5. Set up a second anonymous e-mail address and new secondary Bitcoin wallet after closing and establishing a new Tor circuit to prevent any association with the first e-mail account and wallet.
6. Use a Bitcoin laundering service such as bitlaunder.com to make it hard to trace the currency’s origin. Have the laundered Bitcoin sent to the second Bitcoin address.23
7. Sign up for a VPN service using the laundered Bitcoin that does not log traffic or IP connections. You can usually find out what is logged by reviewing the VPN provider’s privacy policy (e.g., TorGuard).
8. Have a cutout obtain a burner portable hotspot device on your behalf. Give the cutout cash to purchase it.
9. To access the Internet, use the burner hotspot device away from home, work, and your other cellular devices.
10. Once powered up, connect to VPN through the burner hotspot device.
11. Use Tor to browse the Internet.