Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:04):
Great.
So, uh, welcome to The Audit.
My name is Joshua Schmidt, your co-host and producer today.
We are joined by the usual cast, Eric Brown and Nick Mellem,
and we also have a guest, Mathew Wold, here today.
And, uh, Matt, you work for Ramsey County, correct?
That is correct.
I also heard you were an ethical hacker.
What's that?
Mathew Wold (00:22):
Oh, well, I, it
depends on the day, I suppose.
But you know, just doing a little internal pen testing, a
little bit of, you know, trying to see what we can break in our
own environment, seeing what's kind of out there, I guess
that's ethical.
Joshua Schmidt (00:42):
Yeah yeah, I
guess that's ethical, yeah, yeah.
Well, we wanted to rehash kind of an older topic, but it hadn't
been spoken about since April 13, I think, of 2023.
We did a cyber safe travel episode with you before I even
joined the show, but we wanted to update that today for our new
listeners and maybe kind of shed some light on some updates
(01:03):
that have happened in that world.
I know Eric had some insights there and kind of refreshed the
topic.
So thanks for joining us today, Matt. Can you give us just a
little bit of a background about how you got into cybersecurity
and how you started working with Nick and Eric?
Mathew Wold (01:18):
Yeah.
So I got into cybersecurity officially about five or six
years ago.
I was working for Ramsey County.
I saw what the cybersecurity folks were doing, got a little
bit of background about it, realized that I've been kind of,
you know, doing some cyber stuff for a really long time but
didn't really know that it was cyber and was just absolutely
(01:42):
fascinated by it and went back to school and got a degree and
joined the cyber team at Ramsey and that's when I met Eric and
soon thereafter Nick, and yeah, we've been working together a
lot ever since.
Can I share a fun fact?
Joshua Schmidt (02:00):
about Matt,
please do.
I got a fun fact about Matt actually I learned today, but go
ahead, Eric.
Eric Brown (02:06):
I have actually two
fun facts about Matt.
The first is he is on the team.
I think he's undefeated in the game of Coup, I believe.
Oh yeah, that's fun.
Is that a good thing or a bad thing?
It's a good thing because he's a great social engineer.
(02:28):
And the second thing is Matt.
Almost two years ago to the day, back on December 12th, 2022,
the podcast episode of unquoted service paths was published, and
Matt did that one with us.
Mathew Wold (02:44):
Those are both true
stories, so how?
Joshua Schmidt (02:47):
come he hasn't
been to game night, Eric.
Eric Brown (02:49):
He has.
I just think it was maybe times that you weren't there.
Nick Mellem (02:53):
It's because he
doesn't want to lose his
undefeated streak in Coup. I missed it last Wednesday at a
gig, but yeah, that's cool to know.
Joshua Schmidt (03:01):
So I usually do
an icebreaker question, Matt. Not
that we need it, but it's always a fun little discussion
to kick us off.
And today's icebreaker question is if you had three items to
bring to a desert island or deserted island, I should say, no
cell phones, what would you bring?
Mathew Wold (03:18):
Well, first off,
I'm bringing my new hatchet,
that's for sure, zs.
Joshua Schmidt (03:25):
I was going to
say my thing I learned about
Matt was, he's got a hatchet collection.
Mathew Wold (03:27):
I mean, what do you
do?
You gotta have something.
Uh, let's see what else would I bring, um.
You said no cell phone, right?
No cell phone. Oh cool, well, I would bring, uh, at least one of
my radios.
Okay, you know, I think that's a loophole.
Did I find a loophole here?
Joshua Schmidt (03:45):
No, I think
that's good, yeah, that's fair.
Mathew Wold (03:47):
You know, probably
some sort of fire starter, gotta,
gotta stay warm. The radio is very brilliant. I would assume
Nick has thought about this more than any of us.
Nick Mellem (03:55):
Maybe going through,
find a loophole myself, um,
because he said no, no phone.
So I was gonna say I'll take an iPad and a Starlink. Hey, now
you're taking mine.
So, I'm going to pack up the Starlink, an iPad and probably a
bow and arrow.
But if I'm playing by the rules, you know, I'd probably take a
camera because you know I want to document the event.
Right, somebody's going to want to see the shenanigans or
(04:18):
whatever.
I don't know if I think I care about a fire starter because I
think I can get it done with, like, the bow drill or whatever
thing, pretty confident in those skills, so I'd probably take a
bow knife.
I don't need water because I can start a fire.
Joshua Schmidt (04:32):
You can only
have three things, Nick.
I already said, I said two.
Nick Mellem (04:35):
I'm only on.
I'm on the third Starlink.
Yeah, I'll take the iPad and Starlink then.
Joshua Schmidt (04:39):
There you go.
Okay, so you're,
you're trying to get off the deserted island.
Maybe anybody's goal?
You're not preparing for this.
I don't know, we haven't heard from Eric yet.
Maybe Eric wants to hunker down and just take a little break.
Eric Brown (04:53):
Eric doesn't even
like to camp.
I was going to take the Starlink solar panel to recharge
and a laptop to recharge.
(05:17):
Um and uh and a laptop, but um, in all seriousness, I think I'd
have to take um a set of um clothing a-up between something
to start a fire or something to provide shelter.
Joshua Schmidt (05:33):
but I think you
could make something. Yeah, it's
a tough one. If I was preparing for this day,
you know, I've done some time in the Boundary Waters and these
uh filter straws are really useful.
Nick Mellem (05:43):
I don't know how
long they last.
Joshua Schmidt (05:46):
Yeah, I'd
probably bring a LifeStraw and
then probably some fire starting equipment, whether it's
a flint or something that will last a long time, and then most
likely a knife, trying to be utilitarian here.
You know, don't want to end up like Tom Hanks and be talking to
a volleyball for a couple of years, so you probably want to
have something to start a fire, to maybe send some smoke signals
(06:07):
or whatnot.
So, but you know, we wanted to kind of talk about maybe some of
the developments in the last couple of years.
I know, Eric, you had just called out that now they are
syncing up AirTags to Delta, correct?
So if you're traveling with your luggage, you can throw your
AirTag in your luggage and then that's going to somehow
(06:27):
connect up with the Delta experience.
Eric Brown (06:30):
Delta, United, Virgin,
maybe British Airways and a
couple of others.
Essentially, the sharing of location information is able to
be shared with their applications where before you
could, you know, they could say your luggage was lost and you're
(06:52):
like, no, it's right here, you know, and they didn't have any
way of verifying that.
But if, through Apple, you're able to share that location data
with their luggage tracking system, then it can help the end
user recover luggage faster.
Joshua Schmidt (07:10):
Great.
Has anybody tried that yet?
Eric Brown (07:13):
I throw an AirTag
into everything when I travel.
Nick Mellem (07:16):
I do the same
AirTag and all my stuff, but
I've never synced it up with the actual airlines before.
That's new, though, right? It's coming out in 25?
Eric Brown (07:24):
Yes, it may be
available in beta.
Mathew Wold (07:26):
I'm not sure. Do you
need to do anything to sync it
or does it just automatically?
Eric Brown (07:31):
You know, read the
AirTag, the NFC chip, and I'm
not 100% clear, but I think you need to sync it up to give
permissions to their application to, to be able to just hijack
your, yeah, you wouldn't want them to unlawfully follow you or
track you or whatever.
I think the,
the USPS needs to have something like this, right? 'Cause
(07:53):
I don't know how many packages I've had lost really the years.
Joshua Schmidt (07:57):
So, when you're
kind of assessing your travel
plans and their situation, what kind of things are you thinking
about?
What kind of common security threats may you, you know, be
prepared for when taking off?
Mathew Wold (08:07):
Yeah, that's a
really good question.
You know I kind of have a kind of a go-to that
I always kind of fall back on and bring with me.
So you know I don't rely on hotel internet at all.
So you know I have a mobile hotspot like a puck device that
you know I bring with so that way we can all use that.
(08:28):
You know I don't really let, let my family like charge devices
in the hotel room.
So we have power packs,
you know, that we'll, that we'll use.
And you know those are great too, 'cause you can, you know, if
you're going someplace for the day you can throw them in a
pocket or something as well.
Nick Mellem (08:43):
So you know it's
just some, some basic stuff like
that. We were talking about the AirTags, but for, like, if
you're going to the airport, is there any precautions you take?
Besides that, you know, the AirTag that we said, like an RFID
wallet or, you know, are you using anything else?
Mathew Wold (08:58):
Yeah, you know,
I've talked to some people who
have RFID wallets.
They work great.
I don't personally have one, but I bought those cards that
you can put into a wallet to create an RFID shield and I got
those off of Amazon for, like, I think, $10 for a pack of four
or something and I've tested them.
(09:20):
They seem to work great.
Joshua Schmidt (09:21):
Are you testing
those with the Flipper Zero or
some kind of a gadget?
Mathew Wold (09:25):
Well, I haven't
tested it with the Flipper Zero,
but I know somebody who has, um, yeah, and so you know he,
he tested and said it works great.
Um, I've tested it with just some NFC readers and it's, it's
worked great.
Eric Brown (09:39):
So you said you
don't charge your devices in the
hotel room.
You bring the battery pack, so you're charging the battery pack
in the hotel room and then charging devices from the
battery packs.
Mathew Wold (09:50):
Yeah, exactly, it
is because you never know what
you're plugging into, right?
Like you plug your phone into some USB connector and I mean
who knows what's on the other
side of that or what it's doing.
I think one of the things I was going to mention here is
there's like the OMG cables and they're like a hundred dollars,
but those things are so, so crazy that they have like Wi-Fi
(10:14):
and like a tiny little computer built right into the cable.
If you borrow a USB cable from somebody, you have no idea if
that's what you're getting.
And you know you plug your phone in and you think that
everything's charging, but really it's,
Nick Mellem (10:26):
you know, wirelessly
sending all of your data off to,
you know, to an attacker, and you know now they've got all
your pictures and you know God only knows what happens then. I
do remember when I drove back to Minneapolis, I think it was
February, I'd make the drive quite often and one of the
hotels I stayed in, they had a,
it was like a lamp and a power bank like or there was an outlet
(10:47):
on there or whatever.
And uh, they had a, uh, an Ethernet port you could plug
into on there, but it had the Ethernet port coming out of it
you could plug into.
I think I sent Eric and a couple other people the picture,
just like, you know,
nice try, Holiday Inn or whatever, but it, it is what
you're saying, Matt.
It makes a lot of sense because a lot of people would just
mindlessly plug into that and you have no idea what's on the
(11:08):
other side of it.
Yeah, and it's just like, you know,
I don't want to say a lack of education, but people just don't
know better, right, so it's really no fault of their own in
a lot of cases, but I guess that's why we're here having the
conversation.
Mathew Wold (11:19):
Right.
I mean you think about it and you have a family, right, and
you go on vacation and people want to charge their Apple Watch,
they want to charge their phone, they want to charge their
iPad.
I mean there's like 6 billion things that you want to charge.
You're not going to carry,
you know, connectors for all of this stuff, so it's, you know,
you walk in and you see all these USB ports and you think,
(11:40):
oh, this is perfect.
Like I can just plug everything in here.
Eric Brown (11:44):
Well, is it okay to
plug?
Say you know you have a charger
that is like a charging brick, right, like you know?
Let's say it's an iPhone or an Android phone, the USB cable
plugs into it, it plugs into the wall.
Are those?
Mathew Wold (12:01):
Okay, is it yours?
Did you bring it from home?
I did. Then I would say, yeah, it's, it's fine, you know, if
you borrow it from somebody that you don't know, I, I mean, I'd
steer clear.
Nick Mellem (12:13):
So you're saying
plugging into an outlet is fine,
but if you're getting somebody's USB cable or
something else it's, right, yeah, I mean.
Mathew Wold (12:21):
I mean, have you
seen even on Amazon where they
have those,
you know, the USB or, you know, the plug-in and it's got like a
tiny little camera on there and now you know you borrow that
from somebody or from, like, the person at the front desk.
I'm not saying everybody at the front desk is shady, but you
know you plug that in and all of a sudden, you know, there's a
(12:42):
night crew.
You never know what you're going to get.
Now you got a Wi-Fi camera staring right at the bed.
You know, I'm just saying like.
Nick Mellem (12:53):
Outside of the
cyber realm,
is there anything else that you must take to fill out your kit
that would go along with the cyber world?
Mathew Wold (13:01):
They make things
that you know that you can put
into a suitcase where you can put it up against the door to
just reinforce that door.
And if we want to go down in a side tangent here about RFC and
and doors, you know we were at Wild West Hackin' Fest and they
had,
they had the door with the NFC,
(13:21):
you know, reader and um Cam was able to clone that thing in like
five minutes and, and get into his hotel room.
Joshua Schmidt (13:30):
Where are you
guys going on vacation?
Nick Mellem (13:33):
Well, I, yeah, I
think a lot of it too is,
and what I'm thinking about with all the cyber stuff is, is
the physical security portion, right?
I think as security professionals, we think about
that just as much,
uh, the physical security portion.
So, you know, the weaponry, leave that at home.
You know we're not advocating people try to get through
security with any sort of devices like that.
But the items that Matt's talking about to keep the doors
(13:55):
stopped to, you know, stop somebody from reversing the
peephole.
You know things like that would be, you know, wise to look into.
Eric Brown (14:04):
You know there's and
also the government
restrictions of the country you're going to.
I was on a trip to Mexico a while back and I'm the guy at
the airport that needs, you know, like six, eight bins because
I'm taking a bunch of laptops, iPad, you know just the whole
thing.
I'm all spread out.
You want to be comfy, you need it, right? In Mexico you can't
(14:32):
have I think it's more than two laptops.
If I'm recalling, I think I went in with three.
They didn't say anything, but I think they can fine you or
whatever, which I found surprising, but I think they
counted an iPad as a laptop.
I don't really remember, really remember.
But the point being, check when you're going to go to that
(14:54):
country, check what the restrictions are in that country
before you show up.
And if you're going to a country that's hostile to the US
or doesn't allow encryption, then make sure that you're
leaving those devices at home, because they could be
confiscated.
You could get into a lot of legal trouble with that as well.
(15:16):
So just be cognizant of that.
And then you can always check the State Department website and
Matt, sorry if you're going to talk about this, I'm stealing
your thunder but the State Department website to see what
level country it is that you might be going to.
Nick Mellem (15:31):
I would not have
thought about the number of
computers you could bring into a country, because that would be
the same way. I'd bring two computers and an iPad.
Joshua Schmidt (15:39):
I would not have
thought about that as being an
issue or being fined. They don't want, they don't want you
getting too powerful with your CPU power, I guess, or I don't
know, maybe they're afraid you're gonna sell it or
something.
I'm not sure. Okay, okay, that makes sense.
Well, that leads into my next question: how does traveling to a
different country affect, you know, your, your security
posture?
You kind of already started to answer that, but let's say, um,
(16:02):
I have to do some work, you know, and I need to bring my laptop
and I need to get on Teams or you know some other kind of um
file sharing service.
Um, what kind of precautions would it be taking as a business
professional in that scenario?
What would you recommend to organizations, or the messaging
to an organization when giving advice for people traveling
(16:23):
during the holidays or any time of year, really?
Mathew Wold (16:26):
Well, I guess I
would say, as a security
engineer, first check with your organization to see if they even
allow you to take technology, their technology, outside of the
US.
I mean, that might just be a no-go for them.
So check first.
Just if you take technology, I think it's your responsibility
(16:47):
to be responsible for it and to lock it up and to have it with
you.
So I think that would be what I would say. You're checking with
your company.
Eric Brown (16:59):
Some companies have
security restrictions about
logging in from outside of the country and you may need to go
through managerial approval in order to be able to log in
remotely and they may have to enable things for the period of
time that you're away so you can connect in, you know.
(17:19):
Again, just to Matt's point, check that out before you take
the company device.
Joshua Schmidt (17:25):
So it sounds
like it's pretty specific
company to company, depending on their policy and what kind of
information you may be at.
Eric Brown (17:32):
And there's also,
you know, just kind of going
down the rabbit hole of data.
There's data sets that you may be entitled to view in the US
but you aren't entitled to view when you're outside of the US.
So, being cognizant of how identifiable information is
treated in different countries that have different data privacy
(17:54):
laws, if you're traveling for vacation, usually best to leave
the work devices unless you've checked it out and you're
approved to take it with you.
But just to be cognizant of it.
I think we saw a fair amount of instances where during COVID,
people were working from other countries because we were
(18:16):
working remotely during the pandemic, but some people took
that remote to be further away than their house and that led to
some interesting scenarios.
Mathew Wold (18:27):
Another thing to
remember is I think a lot of
times people say, oh, I'll bring the technology with and if I
don't need it I'll just put it in the hotel room safe, and
it'll be safe there.
But the reality is that those safes have a universal code that
the hotel staff knows to open them up.
(18:48):
So that way, if you set it and you forget the password that you
put on there, that they can get your stuff back.
So you put your stuff in there and you leave for the day and
you think that it's safe.
But it's really not.
And they do make like a secondary, like lock that you
can put on there.
And that's something that you know you have to bring with you.
But I guess I would say, you know, if you're leaving like a cell
phone behind and you're going to put it in there, if you have a
(19:10):
cell phone where you can take the SIM card out, I mean, the SIM
card's a lot smaller. If you can just pop that out and put it in
your pocket, don't lose it, but you know.
Then you know what.
If you have an eSIM, well, that's a whole different story.
Then you better stick that phone in your pocket.
Eric Brown (19:27):
What if?
Nick Mellem (19:27):
you have a
Neuralink chip.
I think the best course of action is to, whatever
technology you bring, plan on carrying it around. So the Neuralink
chip would work then. So, Eric, you're rocking three,
three laptops on, on vacation, huh? Sometimes four.
Joshua Schmidt (19:46):
So when you are
uh trying to get uh, are you
using Starlink?
When you're, you know, trying to work, or do, do a little bit
of maintenance there, a little housekeeping, are you using
public Wi-Fi, using VPNs, to safeguard yourself, or what does
that look like?
Eric Brown (20:03):
Usually I'll have a
SIM card and hotspot from the
country, similar to what Matt was saying, and then always VPN.
So depending on the organization that I'm working
with, it'll be a different VPN client, but coming back to the
US over that VPN connection.
Nick Mellem (20:23):
Always VPN.
Joshua Schmidt (20:24):
Always VPN.
And then I noticed the recent Apple update had a new password
manager.
You know it was a little bit more substantial than it used to
be.
Are there any thoughts around that
versus using a Bitwarden, because I just recently got
switched over?
Now they have this new function, I'm going,
should I be paying for Bitwarden or should I migrate
back to the native Apple password app?
Nick Mellem (20:47):
I don't know.
Personally, these guys might
feel differently.
I don't know if one is probably better than the other, right, I
mean, maybe Bitwarden is, could be, right.
I use Proton myself, but I also use the Apple password manager
where I migrated them, you know.
So they match each other and that's not a convenience, right.
But I don't see the Apple password manager, the new
(21:07):
application, as a threat, you know, to using that on my
personal devices, just because I take other precautions, VPNs
and whatnot, if I'm going to be using any sort of public Wi-Fi,
which is very rare, but if it's the only option, if you don't
have cell service for whatever reason.
Yeah, you know, I guess Eric or Wold, do you guys have any
thoughts on if it's as secure?
Eric Brown (21:29):
I think it's as
secure.
It'd be interesting to hear what you think, Matt.
For me it comes down to how am I getting to the passwords?
What if I don't have an Apple device with me and I need my
password to get into something online? With a Bitwarden,
it's available anywhere there's an internet connection, where
(21:51):
there's an internet connection.
Nick Mellem (21:53):
So I, I think, I
don't know this, but I would
imagine there is access via the web if you go to iCloud.com and
you'd be able to sign in with your credentials.
I don't know that, but I wouldn't know my credentials.
You wouldn't know your password to your iTunes or to your Apple
ID.
Eric Brown (22:09):
No, because it's
probably this long and it's in
Bitward.
Nick Mellem (22:12):
That's true, that
is very true.
Same with me.
That's great, you got me.
What do you?
Mathew Wold (22:17):
think, Wold? You
know my Bitwarden password is
quite lengthy and you know.
But I tried to do something a little bit different.
Where I didn't like take a whole bunch of scrambled letters
and stuff, I tried to, you know, just make, like you know, a
long passphrase with some numbers and some symbols, just
(22:41):
so that way, I mean, even at the end of the day, how long would
it take you to string all those words and numbers together, you
know, in various locations?
Eric Brown (22:47):
I don't know, I'm
looking in my vault right now
and I have 689 passwords in the vault, so you know just the idea
of remembering one long one like you're talking about, Matt,
you know, a passphrase to get in, awesome.
But then those that are in there, some are scrambled
(23:07):
numbers and letters, some are passphrases.
It just, it's hard to even know what they are, because at least
my brain can't keep track of all of the different, more than like
three.
Mathew Wold (23:23):
Yeah, and that's
what I was saying.
Right, my Bitwarden password is something that's at least
memorable, that I can remember, but everything else is just a
scrambled mess of letters and numbers and symbols.
And you know, I think that's the way it should be.
But you know, I've been trying to slowly migrate over to sites
that allow a YubiKey, to try to start doing passwordless sign-on
(23:46):
with, with YubiKey.
Joshua Schmidt (23:48):
So you know, yeah,
so you're carrying that around
on your key chain then, or what does that look like?
Mathew Wold (23:56):
Yeah, so I have two.
I have one that's plugged into my keyboard and then I have
another one that, yeah, that I just carry.
You know, I try not to carry it on a key chain, but you know,
it just kind of comes around.
It's an NFC one, so I can just tap it to my phone.
Eric Brown (24:12):
When we were at
DEF CON a couple of years ago
there was a dude that had gotten the NFC chip embedded under his
skin and then he could use that to open, you know, his hotel room
or, you know, other um NFC.
(24:33):
You reprogram it to the badge that would open that NFC reader.
So he's kind of combining something you have and something
you are with that implant.
He said it was the size of a grain of rice, but that too, you
could probably do the same thing with the NFC version of a
(24:56):
password key like a YubiKey. Yeah, and if you remember they were,
they were, um, doing that, that implant right there.
Mathew Wold (25:06):
You had to sign the
waiver and I think it was like,
was it like 200 or something or 100 bucks and they would,
and they would inject you right there with it.
Joshua Schmidt (25:14):
Do any of your
cats have chips?
Nick Any any chips in the cats?
Eric Brown (25:18):
You got to chip them.
Nick Mellem (25:20):
Oh, you got to.
Got to chip them, got to take care of the cats.
Joshua Schmidt (25:25):
You guys had
mentioned.
Um, you know there's some danger in obviously getting on
local networks and, and public Wi-Fi and things like that.
So, Matt, someone with a Pineapple, they're sniffing the
traffic.
What are they seeing on there and that would kind of grant
them any kind of credentials or access to your information?
Mathew Wold (25:45):
Yeah, so the really
cool thing about it is that you
can set up basically like a fake Facebook login.
So when somebody is connected to the Pineapple and they go to
facebook.com, it redirects them to the fake Facebook login, they
put in their username and password.
They have no idea that it steals those credentials and
(26:08):
just sends them over to the real Facebook and it's seamless,
right.
But in that Pineapple you can build your own pages, so, like
if you wanted to build, like a Wells Fargo or whatever you
could, you could basically spoof anything and make the user
think that that's what they're logging into, and so you know.
(26:30):
You can just, you can see,
you know, where they go.
So even if they don't go to, you know, a site that you're trying
to steal credentials to,
you can see where they're going.
If they enter data into any site, you can see the data that
they enter.
I mean there's just a ton of stuff that you can see.
And this is again why, I mean, even if you were connected to
(26:51):
the Pineapple and you didn't know it, but you used a VPN on
your device, I mean you've just defeated the Pineapple, so you
know it's,
it's really key. Do you?
Nick Mellem (27:00):
think, you know, on
that topic.
Well, do you see any, you know,
in that threat landscape of
Bluetooth, what would be a hacker's capability with that?
Is there any concern with keeping your Bluetooth on, or
would you recommend travelers turn that off if they're not
actually using it?
Mathew Wold (27:27):
Yeah, I mean,
there's always.
It's a threat vector, right?
I mean it's a way to transmit data, you know.
So if you don't need it, if you're not going to be, you know,
if you're traveling and you're not going to be using Bluetooth
headphones or something else, you know, why leave it on and
and leave that door potentially open or vulnerable? Just turn it
off.
I mean, it's so easy to do, just, just shut it off and turn
it back on when you need it.
You know it's probably a good, unless you're using Bluetooth
all the time.
(27:47):
You know, maybe it's a good, good general rule of thumb
anyways.
But there's a lot of ways that you could do it.
I suppose you know you could send some sort of request to
another device and somebody may, you know, not even realize that
they're, you know, they may just say, oh yeah, accept, you
know.
And then all of a sudden, you know they've downloaded some
malicious file to their, to their phone, or Can I give you
(28:10):
just my rundown of like quick hits on travel safety?
Eric Brown (28:15):
OK, so kind of,
starting on the home front, make
sure your credit's locked, and that's just a good practice
overall.
To make sure you've locked your credit so people can't open up
credit in your name, but I think we'd advocate that for anything.
And then when you're traveling, it's the AirTags, you know.
(28:35):
So you know where your luggage, putting your kid's backpack,
what have you, right, so you keep closer tabs on those sorts of
things.
We don't have to register our credit cards anymore until our
credit card companies where we're traveling to, fortunately.
But you have the number to the credit card company handy so
(28:57):
that you can call them.
They usually have a non-toll-free number so you can
call them from out of country.
Look up the country that you're going to, especially if it's
like a level three country. Hopefully you're not going to a
level four country and make sure you know where the US embassy
is.
You can go through the State Department's recommendations of
(29:18):
registering with the embassy in countries where it may not be as
safe for Americans to travel and then have a meetup plan for
your family.
So if you do get separated, where are you meeting?
And then what is your plan of action from there?
(29:39):
Quick aside story: I was traveling with my mom to Japan.
I had gotten onto the train and my mom was just getting, you
know, just about to step on and the doors were closing and she
would have been left behind on the platform.
But you know, fortunately I was able to push the doors open.
But just have a plan. Like, if something like that happens
(30:01):
between, you know, your spouse, friends, kids, whatever that
you're traveling with, and then it's always good too to have a
passphrase so that if you get a call saying that, you know, hey,
we have, something's happened to little Jimmy, and little, you
know, they put little Jimmy on the phone, that with voice
spoofing these days it's really easy to sound like little Jimmy.
So if little Jimmy can recite the passphrase, then you either
(30:25):
know it's a problem or a scam.
And then, as you get into more of the personal security side,
you can make those choices about,
do you get a hotspot in a foreign country?
So, relatively cheaply you can get a hotspot.
You can get a SIM card, put it in your phone or rent a device
in that country.
Usually they'll ship it to you ahead of time or you pick it up
(30:49):
in the airport in that country.
It's a pretty cheap way to keepyour own your data contained,
and Matt talked about using thathotspot.
Get a VPN If you don't have onealready from work.
Certainly go through the travelpolicies at work.
Make sure that you, if youaren't supposed to be taking
(31:11):
work equipment or viewingwork-related files while you're
out of the country, don't dothat.
Leave that stuff behind andavoid posting and celebrating
you're out of.
Like you know it's cool You'retraveling, but then posting that
all over Facebook.
People know that you're nothome, which is not always good,
(31:32):
and encourage your family members.
At least have the conversation with them, right, like you know,
if you're traveling, then you know your mother's not posting.
Oh, you know Matt's over in, you know Cancun or whatever,
right, because she's happy for you, but now that's you know
giving away information about you that you may not want to
give away.
Some people may be like oh you know, my trash is coming on
(31:55):
Friday, I'm leaving on Wednesday, I'll be back on Saturday.
Leaving the trash out for that long of period of time if you're
in an area where you're putting individual carts out to the
street, may not want to do that because there are dumpster
divers.
I think he nailed it.
Nick Mellem (32:09):
I'm sorry to
everybody that waited that long
for the real advice, but there you go there.
Mathew Wold (32:14):
Liam Neeson isn't,
isn't coming to save you if
something happens, but you know all the advice you know to the,
to the international travel.
There is that State Department um website or that, the app that
you can download for your device.
You know so, that way, if, if you're in a level two country
and it suddenly turns into a level three country, you know
(32:36):
they'll.
They'll alert you through the app and you know it does have
the, the embassy information in there too, in case you weren't
proactive.
Eric Brown (32:46):
Years ago I was
traveling with a friend and you
always think like this stuff's never going to happen to me and
until it does.
Traveling with with a friend, um, on vacation, and I was I was
real young, this is like pre-security, like way
pre-security, and just barely into it.
We were going to a tropical location, um, and for some
(33:10):
reason she thought it was a good idea to bring, like I don't
know, eight, nine pair of shoes.
I not sure why, um, but this I think she had two suitcases.
One was was full of shoes and makeup and contacts, and then
the other one had her clothes and then she had a carry-on and
(33:32):
I had my suitcase and carry-on and it was a mess juggling all
of this stuff.
But we got it into the plane, got to the country, got out,
went to the baggage to pick up the baggage.
And this is decades ago, way before AirTags were even a
thought from Apple, so it wasn't really possible to track
(33:54):
luggage.
Back then and this is before they, you know the airlines were
putting those stickers that tracked baggage.
You just kind of showed up at the carousel and hope for the
best.
Well, all the bags came out, except for the one with the
shoes.
We're not sure if it came out and was picked up or we got it
and then kind of turned around and one of the bags was gone.
So that made for an interesting experience, because the bag's
(34:17):
gone and then you're spending like an hour looking for it and
you got to report it in a foreign country and then dealing
with the aftermath of not having contacts and you know
other toiletry items and picking those back up in that foreign
country was interesting to say the least.
And we had to travel to places that probably wouldn't have gone
(34:39):
to, that were kind of way outside the quote, unquote
bounds of normal travel.
So I would say you know, be just be mindful.
And now AirTags can certainly help.
But you know, criminals know that their tags are in there and
they're gonna look for that and you know, yank them out too.
So be careful, kind of where you put them, make it a little
harder to find.
And then I'd also say you know, some of us, like Nick um with
(35:02):
those cats, sometimes travels with the cats not.
So make sure you know the regulations around um pet travel
and what it takes to get a pet in and out of the country and
then Nick also has.
Is it Louis Vuitton luggage, Nick, only Louis Vuitton.
So if you're traveling with Louis Vuitton luggage, great, um
(35:23):
, but just know that I mean, that's kind of setting yourself
up to be a target.
I don't know, are they two grand each?
Two or three?
Nick Mellem (35:33):
I forget.
Eric Brown (35:35):
I might not want to
do that myself, because now it's
if I can afford that on a bag.
What's in the bag?
It just seems to be?
Nick Mellem (35:43):
You want to be a
what is the word?
You want to be a soft target, not a hard target.
Right, I have it flipped around.
You don't want to call yourself out or something flashy.
I think the other thing, too, that I always do, and I've been
doing this for years, like 10, 15, 20 years I've been carrying,
I always carry my wallet, my front pocket.
Joshua Schmidt (36:00):
Yes, that's a
good one I would even take that
one step further.
And there are these necklace wallets you can get so it can
sit under your shirt, right on your person, so you're not even
in a pocket.
Um, make it a little one step harder for people to get to.
That's my one security tip I will add in and I got one more
question here before we wrap today.
So you know, Eric, you mentioned the airlines.
(36:20):
You know what kind of role do hotels and airlines assume in
protecting their customers?
Cybersecurity risks, if any is.
It sounds like the onus is on on the individual.
There's there's really no accountability there in terms of
the hotel or or the travel agency, or whatever it may be I
don't think, I don't think they would assume anything besides
(36:41):
your data that they hold for your reservation or whatever are
you rocking the insurance when you take off?
Mathew Wold (36:48):
uh, Matt uh, a
little K&R, insurance.
Yeah look, it cannot run ransom.
Uh, no what is that Matt, I, uh, I haven't gone any place.
I mean, I've thought about it, like at some point I'd like to
take my family to, you know, outside of of the US, and I've
thought, how much is this K&R insurance?
(37:12):
Because, listen, if something happens I don't want to, like I
said, Liam Neeson's not there, so I'm going to need some help.
Nick Mellem (37:19):
And you don't think
the State Department's going to
send Delta for us or anything like that.
Mathew Wold (37:23):
I mean not for me.
Nick Mellem (37:26):
We'll get you back
at all costs, Matt.
Trust me, we're coming in hot.
Joshua Schmidt (37:29):
We can send Nick
down there.
Nick, were you in Afghanistan?
Nick Mellem (37:32):
Yep, Marja, that
rings a bell.
There's no safe travel tips for you to go there.
Joshua Schmidt (37:39):
You're on your
own.
Nick Mellem (37:42):
Unless you got a
Blackhawk and an Apache.
Joshua Schmidt (37:45):
All right, well,
I think that just about does it
for today, and thanks again, Matt, for joining us.
It was a fun conversation.
You've been listening to the Audit presented by IT Audit Labs.
My name is Josh Schmidt, co-host and producer.
We have Eric Brown and Nick Mellum.
You can like, share and subscribe.
We are now hosting video on Spotify.
You can find us on YouTube, Apple and wherever you get your
podcasts.
(38:05):
Thanks for listening.
Eric Brown (38:07):
You have been
listening to the Audit presented
by IT Audit Labs.
We are experts at assessing risk and compliance, while
providing administrative and technical controls to improve
our clients' data security.
Our threat assessments find the soft spots before the bad guys
(38:29):
do, identifying likelihood and impact or all.
Our security control assessments rank the level of
maturity relative to the size of your organization.
Thanks to our devoted listeners and followers, as well as our
producer, Joshua J Schmidt, and our audio video editor, Cameron
Hill, you can stay up to date on the latest cybersecurity topics
by giving us a like and a follow on our socials and
subscribing to this podcast on Apple, Spotify or wherever you
(38:52):
source your security content.