It's that time of the year when emails replies are delayed and video calls become audio ones with distracting background noise.
Vacation time for many has arrived.
There are tips and checklists floating around about operational security (OPSEC) tips for travelers, so here's my humble contribution.
Carry Less Data
Empty your wallets and go with the bare essentials. Old receipts? Unnecessary identification and credit cards? Leave them home. A tight inventory mitigates the cost of a lost or stolen wallet.
Apply this to keys and backpack contents while you're on task.
Make Copies, in the Old Sense
The common advice for backing up documents and credit cards is to take a picture with a cell phone, store the images there, and maybe email it to yourself. This is particularly common advice for backing up passports. But there's a problem with this approach: your vital documents are now also on your phone, on the provider's network and in another provider's email storage. Trust all of them? Fine. Go with it. But it might be better to go old-school analog than to trust innumerable "others": make some photocopies and stash them at home and/or with a trusted friend.
Stop Advertising Your Trip
This one is delivered with some degree of bluntness. Apologies in advance.
It's going to be hard for some people, but let go of the notion that the entire online world needs to see those tantalizing meals and luxurious beach views. Besides, glassy-eyed staggering images of you at the bar online aren’t likely to enhance future job prospects, although insurance companies will certainly enjoy them.
Insurance companies are very clear on the parameters of “vacation fun.”
Really need the attention? Post some pictures after you’re back home.
The obvious reason has been stated before and it's worth restating again: it's simple for others to determine that your home is unoccupied and therefore a prime picking for a break-in. Or to send over a phishing query to “send funds to the desperate cousin overseas” while in unguarded vacation mode. It was easy before, and it's even easier now with the advent of public generative AI tools.
Think you’re “not a target”? You don’t have to be someone’s particular target. But with millions and millions of users potentially seeing the images, the odds won’t eternally be in your favor.
But really? For how many years did you go on vacation without publicizing it to the online world? A vacation is still a vacation if the whole world doesn't know about it, and maybe more so. Sending postcards might scratch that itch.
Map Out Beforehand
Arriving at a destination with phone connectivity isn't always possible. Maybe you're out of the carrier's coverage or need to purchase a local SIM card.
Regardless, have a decent visual sense of how to get to your destination and surrounding area. Know the basics before arrival, and that phone won't be the weakest link in directing your arrival.
Why would this be included as an OPSEC recommendation? Because familiarity with your surroundings known as situational awareness, is enhanced when you know where you’re going and not staring at a map on a phone. It should go without saying that walking while staring at a cell phone for directions also announces you as an out-of-towner to those not staring at their phones.
QR Code Menus
It's convenient for the restaurant or bar, the server and it's COVID safe, but scanning QR codes by cell phone for menus isn't a very privacy-sensitive task.
Of course QR codes were cool when they were launched. Didn't it look leet way back when some display showed a square barcode and you (imagined) that no one else knew what it was besides you?
It is certainly convenient to scan a QR code instead of typing a full URL or some shortened URL scheme. But there is always the problem of where that QR code actually routes you. Yes, the same applies then and now to URL shorteners.
I suspect that most restaurants and bars aren’t generating QR codes themselves. There’s likely a data-hungry third party offering the “free service” to the restaurant.
A paper menu for me, thank you very much.
Door Stopper
Staying in a hotel or other public residence? You can't control access when you're not there, but one cheap tool that can provide better sleep is an inexpensive door stopper. It won’t be for holding the door open, but rather inhibit it being opened.
Prop it under the door at night, test that it catches, then leave it there when in the room for an extended time. It won't necessarily stop anyone from getting in, but at least their entry shouldn't go unnoticed.
Better yet, get an battery-powered door stop which shrieks when the stopper is pressed down. Waking up to an uninvited intrusion becomes a lot easier.
I just noticed that my long-time security mitigation has been recently recognized by CNN. What’s better than being echoed by CNN?
Yet another application of time-based security.
And One For the Paranoids
I've had some experiences when the security bar was pushed up for very legitimate reasons. Those times provided a set of other lessons that some other may find useful, but most might find exaggerated or outright nutty.
The simplest is that the safest travel isn't some taxi service or other solo travel method, it's often public transportation.
Arriving some place you don't know and where they speak a language you don't know isn't an ideal moment to get into someone else's car. You don't know if they're going the right way or to some bad place. Yes, you could stare at the map on your phone, but note the situational awareness point above.
It's safer, I would argue, to use public transportation in many instances.
There's a set route, and you can ask multiple people if it's going to your destination. Checking with different people is a good error-checking tool. The same can't be said for a car with just you and a driver, and a unfamiliar territory. And if you’re jet lagged and disoriented, you’re primed up for trouble.
With those thoughts in mind, remember vacations are for relaxation and letting go. If you can remember that...
About the author: George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives on creating unorthodox solutions to ordinary problems.
About ClearOPS. ClearOPS is a SaaS platform helping virtual CISOs and their clients prove the ROI of cybersecurity and data privacy. We use natural language processing to cultivate and manage your knowledge base of information so you can alleviate the menial tasks and focus on bringing in revenues. Inquiries: info@clearops.io