It’s the end of the year, and that often means -- for some of us at least -- traveling by air. I think I’m a pretty good air traveler. For example, in the United States, I generally know what the TSA agents like and I have been complimented on my strategy to get through the checkpoints quickly.
I mean they often pat me on my back. Then up and down both legs. My shoulders and arms.
Lately, though, the TSA in the United States has been upgrading its scanning machines so that everyone -- not just those who pay to be Clear and TSA Pre -- can go through without having to take electronic items out of their luggage. Your luggage can go through the conveyor belt along with your jackets and shoes.
Before this upgrade, I would take clear gallon zip lock bags and label each: Mac supplies. Dell supplies. Podcasting microphones and other supplies. And then I keep these bags on one side of my duffle so I can pull them all out quickly. My laptops (yeah, plural laptops) would slide out of my backpack last. Always put your laptop, if separated, into the last tray so that it’s not sitting out there in the open on the other side while you’re still waiting to go through the metal detector. And my mobile phone, I put that in my jacket pocket, wad that up next to my shoes, then I’m clear to go through. In short, I would always disclose as much as I could about what electronics and personal toiletries I was carrying onboard. It really does speed things up in security.
As I said, things are getting easier and you don’t have to take out as much as you used to.
Then there’s individual countries, such as Canada, where they give you a tiny clear plastic bag and insist you fit all your toiletries in that. Ugh.
Not everyone carries onboard what they’re bringing. People still check their bags. Often, though, there's a fee for each bag checked. Not everything works out the way you think so I prefer to keep everything with me as much as possible.
In a moment I’ll share a couple of travel stories from a well-known hacker, one who took creepy surveillance technology and flipped it around. It’s a story about how a hacker got even with someone who tried to steal his checked luggage.
Welcome to the Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about the people who hack for a living. I’m Robert Vamosi and in this episode … well, it’s going to be short. What with the holidays, I’m gearing up for next year already, but I didn’t want to leave you without an episode. So let’s get started.
Kevin Mitnick is a world-famous hacker. In the 1980s he tried teaching himself computers by obtaining software from corporate giants like Oracle and AT&T. They didn’t see it that way; they viewed it as Kevin stealing the software. As a result, he spent much of the late 1980s as a wanted man.
I will say this: Kevin never sold this software. And often Kevin didn't even use a computer to obtain this software; he used social engineering. He would get on the phone and work his way up the organization until someone somewhere agreed to give him access to what he wanted. Kevin did time, and afterward has devoted his life to teaching others about social engineering attacks.
So, Kevin travels the world. As a convicted felon, however, he sometimes has challenges re-entering the United States. He’s been stopped at Customs. He’s had his bags searched. And as a result, he’s found ways of coping.
He’s told me how he sometimes (maybe always) protects sensitive data on his laptops. First, he encrypts confidential data on his hard drive, then transmits the encrypted files to secure cloud servers around the world. Then he wipes the data from his laptop in case the border control agent decides they want to search his laptop. He notes that wiping data is not the same as simply deleting it from your device. Deleting only changes the master boot record; the data is still there. This is because digital forensics is able to reconstruct deleted data.
Wiping overwrites the data in the file with random data. Wiping solid state devices is hard, so he uses a standard hard drive for travel. He uses a program that wipes the data with at least 35 passes. File shredding software does this by overwriting the data hundreds of times in each pass, making the data forensically hard to recover.
Another way Kevin could do this is to do a full image backup of a device onto an external hard drive, then ship that hard drive back to the US. Then wipe the hard drive on the laptop. Again, the device he carried with him across the border would have no active data on it.
Mobile phones are another matter. One trick that Kevin suggests is that you enable Touch ID or some other biometric. Before he enters border control, he reboots his device. The device will require that he enter his passphrase after a reboot before it will open again. In the United States, you can be compelled to provide your fingerprint, but you cannot be compelled to provide your password. In different countries that might not be true; you may indeed have to provide your password. For example, crossing the border into Canada.
Kevin tells the story of when he rented a car to take him from Chicago to Toronto for a speaking engagement. In Michigan, at a border crossing, they were stopped for inspection. Kevin and his driver were instructed to leave the car and were separated for questioning. The driver was compelled by the Canadian border officer to give over his passphrase to access his phone. Kevin, determined not to do that, decided on a different strategy.
As one of the Canadian officers approached his suitcase, Kevin shouted that it was locked. The officer said she had a right to search it, and Kevin delayed. Finally he handed over the physical key to open the suitcase. The delay worked; the officer never got around to asking Kevin for his iPhone passphrase.
That’s a bit extreme for most of us, but I often think of that when I travel outside the country. Doctors, lawyers, and even business professionals have sensitive data on their devices that doesn’t need to be exposed to routine searches -- even by border control agents.
I’ve been in and out of Canada many times and never had a problem.
That said, I don’t have a criminal record. So there’s that.
So in addition to wiping his hard drives, Kevin includes GPS trackers like Apple AirTags on all his luggage. Most of the time there’s nothing interesting. The luggage arrives as expected, even if it’s on another flight. Then, there was the time it was lost in Chicago, and Kevin was able to flip the script and use surveillance technology to his advantage.
The story starts in Florida. Kevin and his girlfriend were planning to go to Chicago, but bad weather in Florida forced their hand. They’d be stuck until the morning at least.
[thunder and rain and wind]
They had to leave early, and when they got to the airport, things were already a mess. Nonetheless, they checked in for their flight and went to find the lounge. Kevin was there, in the lounge, when they canceled his flight. His luggage, however, was already on its way to Chicago on another flight. He wouldn't be able to leave until the next morning.
Kevin became very concerned about his luggage arriving so far ahead of his rescheduled flight.
Perhaps I should explain. Kevin teaches and speaks at conferences. He carries with him a lot of electronic equipment in addition to his clothes and such. So over dinner he checked on the status of his luggage.
Yes, the bags were still together and had arrived at O’Hare International in Chicago. Kevin talked with the airline and they swore they’d lock up his luggage. Kevin checked again. One of his bags was no longer at O’Hare.
It was on the move. Worse, perhaps because his previous flights had been so uneventful, the battery on the tracker was only at eleven percent, and declining.
The next morning, Kevin and his girlfriend returned to the Florida airport. It was clear skies. They arrived at O’Hare. One suitcase there, the other … in an apartment building in the city. By now the tracker’s battery was down to nine percent. Kevin and his girlfriend grabbed a cab.
As they sped down the Dan Ryan Expressway, the bag in the apartment in Chicago appeared to be moving once again. The new address was a consignment shop in a strip mall.
The cab dropped Kevin and his girlfriend off at the strip mall, and they went inside the shop.
It was a consignment shop, full of items that people had brought in in exchange for money. The provenance of these items should be that they were all legally obtained. Clearly, if Kevin’s bag was among them, that wasn’t the case. Kevin, however, couldn’t find his bag.
Nonetheless, the app said he was within ten feet of his suitcase or at least the tracker. Thinking it could be off by a few feet, he went into the stores to either side. But no luck.
Kevin came back to the consignment shop.
Kevin and his girlfriend concentrated on the suitcases and sure enough they found the empty suitcase. They then started to find custom tailored shirts that Kevin wore.
Since the bag was on the move while they were riding down the Dan Ryan Expressway, the person who left these must have done so very recently. Kevin asked the manager what he knew.
"Oh, you just missed him. But he'll be back in an hour to get his money."
What? Kevin was in luck. That is, if he could get the local police involved. Kevin went out into the parking lot and explained the situation to the Chicago Police Department. The officer who took the call was very responsive -- after all, this was a chance to nab a thief. Moreover, O’Hare had reported a string of similar thefts. This could be a chance to tie up more than one case.
Shortly after, police officers arrived at the strip mall and set up a plan of action. A sting operation. They would park in adjacent properties and wait for the man’s return.
Time passed. There was the obvious concern that the thief wouldn’t return. Then again, the thief probably needed the money. Especially if the same thief had done this before.
As promised, the guy walked in and, a few minutes later, was under arrest.
When Kevin finally got his luggage back, not all of it was reclaimed. Some items were missing, perhaps not turned in to the consignment shop but at the thief’s home. And the tracker? It was down to two percent.
Long story short, the thief is now behind bars and will be there for a long time.
All this goes to show what can happen when you mess with a hacke