
About Sarina Gandy

So far Sarina Gandy has created 116 blog entries.

Vulnerability in Ivanti Endpoint Manager Mobile Could Allow for Unauthorized Access to API Paths

I. Targeted Entities

  • Ivanti Users

II. Introduction

Norwegian authorities recently revealed a critical zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), posing a significant security threat. The flaw enables unauthenticated remote attackers to bypass authentication and gain access to the server’s API, potentially leading to data theft and unauthorized system modifications.

III. Additional Background Information

On July 24th, the Norwegian Government Security and Service Organization (DSS) and the Norwegian National Security Agency (NSM) informed the public about a zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), a mobile management software product used for mobile device management and mobile application/content management (Tenable). This vulnerability has received the maximum CVSS score of 10, which means that it is very easy to exploit and does not require particular tools or skills to do so (Mnemonic).

This vulnerability, classified as CVE-2023-35078, is an authentication bypass in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit it to gain access to the server’s application programming interface (API), which is normally accessible only to authenticated users (Tenable). Successful exploitation would allow an attacker to access “specific API paths”. By utilizing these unrestricted API paths, a malicious actor could potentially steal personally identifiable information (PII) such as names, phone numbers, and other mobile device details. An attacker can also make other configuration changes, including the creation of an EPMM administrative account on the server that can make further changes to a vulnerable system (CISA). The attack consists of changing the URI path to the API v2, which can in fact be accessed without any authentication (Mnemonic). According to the API documentation, all API calls are based on the URL format: https://[core-server]/api/v2/. If the path to a vulnerable endpoint is added in front, commands can be executed without needing authentication, as shown here: https://[core-server]/vulnerable/path/api/v2.

Luckily, it is fairly simple to detect whether the vulnerability has been exploited in a system. This can be done by checking the logs of the mobile management software to determine whether the API v2 endpoint in Ivanti’s EPMM has been targeted (Uzun). Exploitation may be evident if regular API calls to unusual paths are present in the logs.
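The log check described above, as an added Python example that is not from the advisory or from Ivanti: it parses access-log lines (common/combined log format is assumed; adapt the regex to the appliance's actual log layout) and flags requests that reach /api/v2 through an unexpected leading path, normalising percent-encoding and dot segments first so that trivially obfuscated paths are still caught. The sample log lines and the EXAMPLE-PREFIX segment are constructed placeholders, not the real vulnerable path.

```python
"""Flag EPMM API requests that reach /api/v2 through an unexpected prefix.

Added example (not from the advisory or from Ivanti).  The expected API
layout is https://[core-server]/api/v2/..., so a request in which /api/v2
is reached through an extra leading path segment is worth investigating.
Log lines are assumed to be in common/combined access-log format; the
EXAMPLE-PREFIX segment in the sample data is a placeholder.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Request token of a common/combined access-log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

EXPECTED_API_PREFIX = "/api/v2"

# Constructed sample lines; 203.0.113.x / 198.51.100.x / 192.0.2.x are
# documentation address ranges and EXAMPLE-PREFIX is a placeholder.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/Jul/2023:10:01:02 +0000] "GET /api/v2/users?limit=10 HTTP/1.1" 401 0',
    '203.0.113.10 - - [24/Jul/2023:10:01:09 +0000] "GET /EXAMPLE-PREFIX/api/v2/users?limit=10 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Jul/2023:10:02:00 +0000] "GET /login HTTP/1.1" 200 2048',
    '203.0.113.10 - - [24/Jul/2023:10:02:31 +0000] "POST /EXAMPLE-PREFIX/%61pi/v2/admins HTTP/1.1" 200 312',
    '192.0.2.55 - - [24/Jul/2023:10:03:00 +0000] "GET /api/v2/devices HTTP/1.1" 200 9000',
]


def parse_line(line):
    """Return a record dict (ip, ts, method, path, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Keep only the path: drop the query string, and scheme/host if a full URL was logged.
    rec["path"] = urlsplit(rec.pop("target")).path
    rec["status"] = int(rec["status"])
    return rec


def normalise_path(path):
    """Percent-decode, collapse repeated slashes and resolve dot segments so
    that variants such as /a//b/../%61pi/v2 compare equal to /a/api/v2."""
    parts = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def api_v2_prefix(path):
    """Return the path in front of /api/v2 ("" when the API sits at the
    expected root), or None if the request does not touch the v2 API."""
    norm = normalise_path(path)
    idx = norm.find(EXPECTED_API_PREFIX + "/")
    if idx == -1:
        if not norm.endswith(EXPECTED_API_PREFIX):
            return None
        idx = len(norm) - len(EXPECTED_API_PREFIX)
    return norm[:idx]


def is_anomalous(path):
    """True when /api/v2 is reached through a non-root prefix."""
    prefix = api_v2_prefix(path)
    return prefix is not None and prefix != ""


def find_anomalous_requests(lines):
    """Return (hits, per_source): the anomalous records and a count of
    anomalous requests per client IP, for triage."""
    hits = [r for r in map(parse_line, lines) if r and is_anomalous(r["path"])]
    return hits, Counter(r["ip"] for r in hits)


if __name__ == "__main__":
    hits, per_source = find_anomalous_requests(SAMPLE_LOG)
    for r in hits:
        print(f'{r["ts"]} {r["ip"]} {r["method"]} {r["path"]} -> {r["status"]}')
    print("anomalous requests per source:", dict(per_source))
```

In the sample data the same client is refused on the documented path (401) and then succeeds through the prefixed one (200); that pairing, rather than any single line, is what an analyst would escalate.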

Ivanti reported that the vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older unsupported versions/releases are also at risk (CISA). The company has promptly issued security patches for the EPMM vulnerability; customers can fix it by upgrading the software to EPMM versions 11.8.1.1, 11.9.1.1, or 11.10.0.2. These fixed versions also cover unsupported and End-of-Life (EoL) software versions lower than 11.8.1.0 (Uzun).

According to the articles posted by Ivanti, the vulnerability was exploited in the wild as a zero-day against a small number of customers (Tenable). However, it is known that the unnamed attackers utilized this flaw to compromise 12 government ministries in Norway (Muncaster).

IV. MITRE ATT&CK

  • T1190 – Exploit Public Facing Application
    Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets. Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion.
  • T1059 – Command and Scripting Interpreter
    Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
  • T1018 – Remote System Discovery
    Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net.
  • T1505.003 – Server Software Component: Web Shell
    Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
  • T1070 – Indicator Removal
    Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer’s alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
  • T1005 – Data from Local System
    Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
  • T1572 – Protocol Tunneling
    Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
  • T1090 – Proxy (Internal Proxy)
    Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

V. Recommendations

  • Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

  • Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.

  • Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

  • Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.

  • Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.

  • Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.

  • Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

  • Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.

  • Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

VI. IOCs (Indicators of Compromise)

VIII. References

Mnemonic. (2023, July 25). Advisory: Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability. https://www.mnemonic.io/resources/blog/ivanti-endpoint-manager-mobile-epmm-authentication-bypass-vulnerability/

Tenable®. (2023, July 25). CVE-2023-35078: Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access Vulnerability. https://www.tenable.com/blog/cve-2023-35078-ivanti-endpoint-manager-mobile-epmm-mobileiron-core-unauthenticated-api-access

Uzun, T. (2023, July 25). Critical Zero-Day in Ivanti EPMM (Formerly MobileIron Core) is actively exploited (CVE-2023-35078). SOCRadar® Cyber Intelligence Inc. https://socradar.io/critical-zero-day-in-ivanti-epmm-formerly-mobileiron-core-is-actively-exploited-cve-2023-35078/

Cybersecurity and Infrastructure Security Agency (CISA). (2023, July 24). Ivanti releases security updates for Endpoint Manager Mobile (EPMM) CVE-2023-35078. https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078

Muncaster, P. (2023, July 25). Ivanti patches Zero-Day bug used in Norway attacks. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/ivanti-patches-zeroday-bug-norway/

Uzun, T. (2023, August 4). Critical Zero-Day in Ivanti EPMM (Formerly MobileIron Core) is actively exploited (CVE-2023-35078). SOCRadar® Cyber Intelligence Inc. https://socradar.io/critical-zero-day-in-ivanti-epmm-formerly-mobileiron-core-is-actively-exploited-cve-2023-35078/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Nahyan Jamil, Erika Delvalle, Alessandro Lovadina, Sreten Dedic, EJ Bulut, Uday Bilakhiy, Yousef Blassy.

August 31, 2023

Caitlin Sarian – @CybersecurityGirl

August 21, 2023

Kacy Zurkus – Senior Content Manager at RSA Conference

August 2, 2023

Network Noise: Cyber Tabletop Exercise and Incident Response Planning – Tampa

Join Cyber Florida Senior Fellow Stacy Arruda, Founder and CEO of the Arruda Group and former FBI Supervisory Special Agent, for an eye-opening experience that will help you better understand how to prevent and recover from cyberattacks. The event starts with Network Noise, a three-hour tabletop exercise where real-world cyberattack scenarios illustrate the far-reaching effects a cyberattack can inflict on your organization. Bring your leadership team to learn how cyberattacks impact not only IT but also legal, finance, operations, human resources, public relations, and other departments.

Once you understand the threat, move on to preparation with a session on creating a comprehensive cyber incident response plan specific to your organization. You’ll leave equipped with a template and foundational plan you can take back to complete and test with your organization.

The International Association of Certified ISAOs (IACI) and Cyber Florida jointly present this session of Cybersecurity Education.

REGISTRATION DEADLINE IS AUGUST 25.

July 27, 2023

Network Noise: Cyber Tabletop Exercise and Incident Response Planning – Orlando

Join Cyber Florida Senior Fellow Stacy Arruda, Founder and CEO of the Arruda Group and former FBI Supervisory Special Agent, for an eye-opening experience that will help you better understand how to prevent and recover from cyberattacks. The event starts with Network Noise, a three-hour tabletop exercise where real-world cyberattack scenarios illustrate the far-reaching effects a cyberattack can inflict on your organization. Bring your leadership team to learn how cyberattacks impact not only IT but also legal, finance, operations, human resources, public relations, and other departments.

Once you understand the threat, move on to preparation with a session on creating a comprehensive cyber incident response plan specific to your organization. You’ll leave equipped with a template and foundational plan you can take back to complete and test with your organization.

The International Association of Certified ISAOs (IACI) and Cyber Florida jointly present this session of Cybersecurity Education.

REGISTRATION DEADLINE IS AUGUST 10.

July 26, 2023

CyberPathway and CAE Training for SDPBC Teachers

Calling all teachers from the school district of Palm Beach County! Join Palm Beach State College on August 5-7, 2023 for a two-day training with intensive cybersecurity seminars, workshops and trainings. The event is designed to bring together teachers, faculty, computer science, IT, networking, cybersecurity, ethical hackers, industry speakers, practitioners and professionals.

Attend one day or both!

Saturday, August 5, 2023
10am – 4pm

Lake Worth Campus

Monday, August 7, 2023
3:30pm – 7pm

Virtual

July 20, 2023

Shawnee Delaney – the CEO of Vaillance Group and a Former DIA Spy

June 30, 2023

Zero-Day Vulnerability in MOVEit

I. Targeted Entities

  • MOVEit Customers

II. Introduction

A critical SQL injection vulnerability has been discovered in MOVEit, a managed file transfer software. Exploiting this flaw, remote attackers gained unauthorized access to the database, enabling them to execute arbitrary code.

III. Additional Background Information

The Cybersecurity & Infrastructure Security Agency has issued an alert about the exploitation of a SQL injection vulnerability in the MOVEit Transfer web application, CVE-2023-34362. This could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. According to its development company Progress, an attacker may be able to infer information about the structure and contents of the database and execute SQL queries that alter or delete data, depending on the database engine in use, such as MySQL or Azure SQL (Progress). All versions of MOVEit Transfer are affected by this vulnerability (Pernet), and exploitation of the MOVEit Transfer environment can occur via HTTP or HTTPS.

An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable MOVEit Transfer instance (Tenable). On compromised systems, unauthorized access may appear as unexpected file creation in the MOVEit Transfer root folder C:\MOVEit Transfer\wwwroot, or may resemble exfiltration traffic such as unexpected large file downloads and uploads (Kroll) from unknown IP addresses (Pernet).

The threat actors deployed a LEMURLOOT web shell named human2.aspx in the wwwroot folder of the MOVEit installation. The file name was probably chosen to remain unnoticed, since another legitimate component of the software, human.aspx, is used by MOVEit for its web interface. Access to the web shell is protected by a password; attempts to connect to it without the proper password result in the malicious code returning a 404 Not Found error (Pernet).

LEMURLOOT is written in C# and is designed to interact with the MOVEit Transfer environment. The malware authenticates incoming connections using a hard-coded password; once a connection is authenticated, it can run multiple commands and scripts specified in the X-siLock-Step1 through X-siLock-Step3 fields that download sensitive files from the MOVEit Transfer database, extract Azure system settings, retrieve detailed record information, create and insert a particular user, or delete that same user. Data returned to the system interacting with the LEMURLOOT web shell is gzip compressed (Mandiant).

The vulnerability is known to affect all versions of the MOVEit Transfer product, with the earliest known exploitation dating to May 27, 2023 (Mandiant). Patches are available for all years of the MOVEit Transfer product. Currently, other MOVEit products such as MOVEit Automation, Client, Mobile, Gateway, etc. are not susceptible to this vulnerability and do not require any immediate action (Progress).

IV. MITRE ATT&CK

  • T1190 – Exploit Public Facing Application
    Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets. Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion.
  • T1059.001 – Command and Scripting Interpreter: PowerShell
    Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
  • T1505.003 – Server Software Component: Web Shell
    Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
  • T1210 – Exploitation of Remote Services
    Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel privileges to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Discovery or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

V. Recommendations

  • Disable HTTP and HTTPS traffic to the MOVEit Transfer environment
  • Check for indicators of unauthorized access in the last 30 days
  • Apply patches as they become available
  • Kroll advises MOVEit administrators to look in the “C:\MOVEit Transfer\wwwroot” directory for suspicious .aspx files such as “human2.aspx” or “machine2.aspx”.
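The wwwroot check Kroll recommends, as an added Python example that is not Kroll's or Progress's tooling: it walks the directory, reports every .aspx file absent from a baseline, and separately marks names that differ from a known file only by a trailing digit (the human.aspx / human2.aspx pattern described in the background section), recording mtime, size and SHA-256 for triage. EXPECTED_ASPX and the tree created by build_sample_tree() are constructed for the demo; a real baseline should come from a clean install of the same MOVEit Transfer version.

```python
"""Scan a MOVEit Transfer wwwroot directory for web-shell-like .aspx files.

Added example, not Kroll's or Progress's tooling.  Every .aspx file whose
name is absent from a baseline is reported; names that differ from a
known file only by a trailing digit (human.aspx -> human2.aspx) are
marked separately as look-alikes.  EXPECTED_ASPX is a constructed sample
baseline and must be replaced with the file list of a clean install of
the same MOVEit Transfer version.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

DEFAULT_ROOT = r"C:\MOVEit Transfer\wwwroot"  # directory named in the advisory

# Constructed baseline (lower-case names); not MOVEit's real file inventory.
EXPECTED_ASPX = {"human.aspx", "machine.aspx", "default.aspx"}

LOOKALIKE_RE = re.compile(r"^(?P<stem>[a-z]+)\d+\.aspx$")


def classify(name, expected=EXPECTED_ASPX):
    """None for a non-.aspx or baseline file, 'lookalike' for <known><digits>.aspx,
    'unexpected' for any other .aspx name.  Comparison is case-insensitive
    because Windows file systems are."""
    lower = name.lower()
    if not lower.endswith(".aspx") or lower in expected:
        return None
    m = LOOKALIKE_RE.match(lower)
    if m and m.group("stem") + ".aspx" in expected:
        return "lookalike"
    return "unexpected"


def sha256_of(path):
    """Hash the file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_wwwroot(root=DEFAULT_ROOT, expected=EXPECTED_ASPX):
    """Walk root recursively and return a finding per .aspx file that is not
    in the baseline, with mtime, size and hash for triage and IoC matching."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            verdict = classify(name, expected)
            if verdict is None:
                continue
            full = Path(dirpath) / name
            st = full.stat()
            findings.append({
                "path": str(full),
                "verdict": verdict,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "size": st.st_size,
                "sha256": sha256_of(full),
            })
    return findings


def build_sample_tree():
    """Create a constructed wwwroot-like tree in a temp directory for the demo.
    Contents are placeholders, not real MOVEit or web-shell code."""
    base = Path(tempfile.mkdtemp(prefix="wwwroot_demo_"))
    sample = {
        "human.aspx": "placeholder: expected file",
        "human2.aspx": "placeholder: look-alike of a known name",
        "api/machine2.aspx": "placeholder: look-alike in a subfolder",
        "contact.aspx": "placeholder: not in the baseline",
        "readme.txt": "placeholder: not an .aspx file",
    }
    for rel, text in sample.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return str(base)


if __name__ == "__main__":
    root = build_sample_tree()  # swap for DEFAULT_ROOT on a real server
    for f in scan_wwwroot(root):
        print(f'{f["verdict"]:10} {f["modified"]} {f["size"]:>6} {f["sha256"][:16]} {f["path"]}')
```

A file that is on the baseline by name can still have been replaced, so hashes of the expected files should be compared against the clean install as a second step.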

VI. IOCs (Indicators of Compromise)

VII. Additional OSINT Information

VIII. References

Kroll. (2023, June 7). Critical MOVEit Transfer Vulnerability (CVE-2023-34362).
https://www.kroll.com/en/insights/publications/cyber/responding-critical-moveit-transfer-vulnerability-cve-2023-34362

Mandiant. (2023, June 2). Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft.
https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft

Pernet, C. (2023, June 6). Zero-day MOVEit Transfer vulnerability exploited in the wild, heavily targeting North America. TechRepublic.
https://www.techrepublic.com/article/zero-day-moveit-vulnerability/

Tenable®. (2023, June 2). CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild.
https://www.tenable.com/blog/cve-2023-34362-moveit-transfer-critical-zero-day-vulnerability-exploited-in-the-wild

Progress Customer Community. (2023, June 16). Community.progress.com.
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: EJ Bulut, Benjamin Price, Erika Delvalle, Nahyan Jamil, and Alessandro Lovadina

June 23, 2023

James “Jim” Aldrich

Jim joined the Center in July 2022 after serving over 50 years in the Intelligence Community (IC) in a variety of positions focused on Signals Intelligence (SIGINT) and Cyber Security missions as well as associated Education & Training. He is a retired Marine Corps Intelligence Officer and Arabic linguist who served 28 years in a wide range of assignments within the U.S. and overseas. After retiring in 1998, he worked for the Aerospace Corporation supporting the National Reconnaissance Office from 1998 to 2002 and then became a National Security Agency (NSA) employee for 20 years, the last 18 as a member of the Senior Executive Service (SES). He held several positions spanning the agency’s SIGINT and Cyber Security missions: NSA Representative to U.S. Special Operations Command, NSA Representative to U.S. Transportation Command and NSA Representative (forward deployed) in the U.S. Central Command area of responsibility. In these roles he evaluated the customers’ requirements and ensured agency resources were applied where possible. From 2004 to 2010, Jim served as the senior NSA official in Operations at the agency’s facility at Fort Gordon, Georgia, focused largely on support to USSOCOM, USCENTCOM, and JSOC. Based on his breadth of experience, and previous work as both an Instructor and Course Director, he was selected to serve as the Deputy Commandant of NSA’s National Cryptologic University, responsible for orchestrating Education & Training for over 40,000 civilians and military members working with the agency. In his last assignment at NSA his office provided strategic planning support to the NSA Board of Directors and several large NSA organizations located both in the U.S. and overseas. Jim is a graduate of Texas A&M (BA in International Relations) and the U.S. Naval War College (MA in National Security & Strategic Studies) and has also completed several Senior Executive level leadership courses sponsored by the IC and DoD.
He has been married to his wife Marilyn since 1973. Jim & Marilyn both grew up in southeastern Illinois farm country. They live near Center Hill, Florida on a 14-acre horse farm. They have three adult children, ten grandchildren and a growing number of great grandchildren.

June 22, 2023

Cyber Safety Tips for Travel

Technology is a modern-day traveler’s best friend. It can make the trip-planning process more convenient and cost-effective: booking accommodations and flights, researching must-see spots, and financial planning can all be done with a connection to the internet and a Google search. And for most of us, it doesn’t stop once we’re actually on vacation – we still use our devices to share pictures, navigate, and stay connected to the world back home.

While cyber and technology can be great for enhancing travel, there are also risks associated with planning your travel online. Cyber travel scams such as fake websites and juice jacking are becoming increasingly common, which is why it’s essential to consider your assets in the digital world before heading off to explore the physical one.

As you prepare to embark on your next adventure, consider the following tips from the National Cybersecurity Association and the Cybercrime Support Network to help you remain protected against cyber travel scams and ensure that your biggest worries this summer are high humidity levels and reapplying SPF.

Common Cyber Travel Scams

Fake Websites

There are dozens of online sites claiming to offer the best travel deals and packages. A good rule to remember in this instance is: if it seems too good to be true, it probably is. Scammers create fake travel booking websites that look like legitimate ones, but are designed to steal your money and personal information. They might offer attractive deals on flights, hotels, and vacation packages, but when you make a payment, your money goes straight into the scammers’ pockets.

Wi-Fi Hotspot Scams

Scammers set up fake Wi-Fi hotspots in public places like airports, cafes and hotels. These fake hotspots often have legitimate-sounding names—such as “Free Airport Wi-Fi” or “Hotel Guest Wi-Fi”— but they are designed to steal your personal information. Once you connect to the fake Wi-Fi network, the scammers can intercept your internet traffic and gain access to your sensitive information—such as passwords, credit card numbers and other personal data.

Prize Scams

Prize scams involve scammers contacting you to say that you’ve won a free vacation, cruise or other travel prize. However, in order to claim your prize, you have to pay for taxes, fees or other expenses upfront. Once you pay, the scammers disappear, and you never receive your prize.

Vacation Rental Scams

Vacation rental scams involve scammers listing fake vacation rentals on legitimate websites like Airbnb, HomeAway and VRBO. These scammers often offer attractive rental rates and photos of beautiful properties, but once you make a payment and show up, you find out that the property doesn’t exist, isn’t available for rent, or isn’t as described.

Juice Jacking

Public charging stations allow travelers to charge their devices. However, hackers can modify these charging stations to install malware onto connected devices, which can then steal personal data such as passwords, credit card numbers, and other sensitive information. In some cases, the malware can even lock the device and demand a ransom to release it.

Security Checklist for Traveling

Before you go
  • Travel lightly. Limit the number of devices you take with you on your trip. The more laptops, tablets and smartphones you take with you, the more risk you open yourself up to.
  • Check your settings. Check the privacy and security settings on web services and apps. Set limits on how and with whom you share information. You might want to change some features, like location tracking, when you are away from home.
  • Set up the “find my phone” feature. Not only will this feature allow you to locate your phone, it gives you the power to remotely wipe data or disable the device if it gets into the wrong hands.
  • Password protect your devices. Set your devices to require the use of a PIN, passcode or extra security feature (like a fingerprint or facial scan). This will keep your phone, tablet or laptop locked if it is misplaced or stolen.
  • Update your software. Before hitting the road, ensure all the security features and software on your devices are up to date. Keep them updated during your travels by turning on “automatic updates” if you’re prone to forgetting. Updates often include tweaks that protect you against the latest cybersecurity concerns.
  • Back up files. If you haven’t backed up the data on your devices, like photos, documents or other files, do so before heading on vacation. If your device is lost, stolen, broken or you otherwise lose access to it, you won’t lose all your data. You can back up your data on the cloud, on an external device like a hard drive or, preferably, both.
On the go
  • Actively manage location services. Location tools come in handy while navigating a new place, but they can also expose your location ‒ even through photos. Turn off location services when not in use, and consider limiting how you share your location on social media.
  • Use secure Wi-Fi. Do not transmit personal info or make purchases on unsecured or public Wi-Fi networks. Don’t access key accounts like email or banking on public Wi-Fi. Instead, use a virtual private network (VPN) or your phone as a personal hotspot to surf more securely.
  • Think before you post. Think twice before posting pictures that indicate you are away. Wait until you get back to share your magical memories with the whole internet. You might not want everyone to know you aren’t at home.
  • Protect physical devices. Ensure your devices are always with you while traveling. If you are staying in a hotel, lock them in a safe if possible. If a safe is not available, lock them in your luggage. Don’t leave devices unattended or hand them over to strangers. Using your device at an airport or cafe? Don’t leave it unattended with a stranger while you go to the restroom or order another latte.
  • Stop auto-connecting. When away from home, disable remote connectivity and Bluetooth. Some devices will automatically seek and connect to available wireless networks. Bluetooth enables your device to connect wirelessly with other devices, such as headphones or automobile infotainment systems. Disable these features so that you only connect to wireless and Bluetooth networks when you want to. If you do not need them, switch them off. While out and about, these features can provide roving cybercriminals access to your devices.
  • If you share computers, don’t share information. Avoid public computers in hotel lobbies and internet cafes, especially for making online purchases or accessing your accounts. If you must use a public computer, keep your activities as generic and anonymous as possible. Avoid inputting credit card information or accessing financial accounts. If you do log into accounts, such as email, always click “logout” when you are finished. Simply closing the browser does not log you out of accounts.

More Resources

Information retrieved from the National Cybersecurity Association and the Cybercrime Support Network.

June 21, 2023