Security Musings

Information Security Travel Guide

Stephen Northcutt, an Information Security Researcher, United Airlines 1k, Writer and Instructor, documents the struggles of the travel and hospitality industries as we all face continually increasing energy costs. He and his peers share their travel experiences and give you quick tips and short reviews of the companies they do business with as they travel. If you came across this article because of a Google search, what you want is probably here, just use find with your browser (CTRL - F), it is easier than reading from top to bottom; however, you may get some useful tips if you stick around and read. Each major cluster of trips is documented in a separate file.

Information Security Travel Guide: October 2008, Kauai to Houston


By Stephen Northcutt
Stephen Northcutt started this file three days before his trip to Houston TX to teach SANS Security Leadership Essentials. You will find information about his travels; he is a United Airlines 1k flyer, security researcher, author and instructor who also travels a lot. He talks about security (including information security), safety, travel experiences, restaurants, and tips for travel in these crazy times. He's interested to hear about your travels as well; you can reach him at stephen@sans.edu. The way this blog works is that the most recent material is at the top. If you got here via a Google search, what you want is probably here; try using Find (CTRL F).

[October 20, 2008]
Headed home to Kauai. I woke up at 4 AM and was down to the front desk of the Holiday Inn IAH Airport hotel by 4:25. The lady at the front desk seemed quite confused and the shuttle leaves at 4:30, so I decided to worry about getting an invoice later (most hotels put them under your door, but maybe it was too early in the morning). The shuttle guy was pleasant and I tipped him $3 as I was the only customer. Check-in went fairly smoothly; there was a large group of Asian males hanging around the counter for first class/1K, but I realized they were not using the check-in kiosk so I made my way through and checked in for my flight (UA 377). Had time to get an Egg McMuffin, milk and a Dasani water from McDonald's and by the time I had consumed that, time to board. The flight left on time, the pilot came out and introduced himself, Captain Dru Bradley, and thanked us for our business. That was nice. It has been about two years since a United pilot came out and introduced him or herself on a flight I was on. I stayed up long enough to eat breakfast, this time I chose the eggs. My seatmate chose the fruit plate and unlike the last time I chose the fruit plate, his had a yogurt. Then I slept most of the flight, I had already seen Swing Vote on a previous flight. I want to commend the flight attendants, every time I woke up my water glass was full; I made sure to thank them for that.

Had a tight connection in San Francisco. Found my gate and they were already boarding UA41 to Lihue. We didn't go, they had a mechanical, but United was able to get us another plane and I think we were only an hour late leaving for Lihue. I had the egg omelet again, I was thinking very seriously about buying one of those boxed snack packs they had rather than have eggs for the third time that day. The movie was Get Smart; I remember Maxwell Smart fondly from being a kid and it was OK as an airplane movie, but I surely do not want to own it or see it again. I guess you read about the United pilot they arrested out of London’s Heathrow, where a United Airlines pilot was arrested early Sunday for being over the legal alcohol limit. United Airlines confirmed the arrest of the 44-year-old first officer, who hasn’t been named. That is more than a bit scary and also sad; talk about throwing your career away.

[October 19, 2008] Transferring to the Holiday Inn IAH Airport hotel. My flight is pretty early in the morning, so we decided to get into position. According to one of my favorite Houston IAH travel tips pages, the best time to schedule a flight from Houston is just after lunch, but that will not get me home. Speaking of airports, I just read about the TSA Security Screener caught with 66 cameras, 31 laptop computers, 20 cell phones, 17 sets of electronic games, 13 pieces of jewelry, 12 GPS devices, 11 MP3 players, eight camera lenses, six video cameras and two DVD players. Guess he will do some time. TSA screener theft has been an issue in the past in Texas, JFK airport, and at least 30 other airports. So this travel tip is obvious, don't check valuables unless you have no alternative.

The last time I tried to stay in a Holiday Inn was in my September trip that included Richmond VA (Holiday Inn Select); our room was musty so we decided to bail out. Here at the Houston Airport hotel, there was no musty smell and the room was fairly clean; there was still toothpaste from the previous occupant on the bathroom sink, but the shower/tub was clean, no smudges on mirrors or any such. The biggest complaint I have is the computer chair; a guy like me writes whenever he gets to his hotel, whether security research, a blog like this or email, no matter, I write. The chair is too low and not comfortable for hours. Before I left Kauai on this trip, I got a massage from Dawn at Puamana Massage; she is very professional, I can recommend her without hesitation, but when she was working on my forearms I could feel pain in my tendons so I need to be careful to avoid carpal tunnel problems. If you are starting to feel pain, take it seriously because it has messed up more than one writer; some people use aspirin or similar, and here are some tips.

[October 19, 2008] Last day at the Hilton Garden Inn, Houston. Well, we can't give them points for a strong finish. Four of the students from the class went to the front desk and asked if they could take us to the IAH airport in their van, each of us had been staying in the hotel for five days. The front desk said, no, that's not negotiable. Perhaps not, but us coming back is. Also, I had left my toothbrush and leather shoes in my room and planned to make one more stop there after the 10:15 AM break for my class, SANS Security Leadership Essentials. When I got up to the room, the cleaning lady was there and she had already put my shoes in a dry cleaning bag and thrown my toothbrush in the trash. Now, granted, I should have put a Do Not Disturb sign on the room if I did not want it disturbed, but I had not checked out of the hotel yet. That, on top of the unwillingness to transport four customers all going to the same airport at the same time, causes me to score the Hilton Garden Inn, Houston, a 3 out of 5. I like the facility, I would stay there again, but I would not recommend having an event there unless the hotel showed more customer focus, such as having lunch ready on time. The lunches were also a bit skimpy, but that was probably our fault; sometimes you should spend a bit more money. I had a wonderful class, a great cross section of America; folks from Goldman Sachs, Mutual of Omaha, Target, Intuit, State and Federal Government, made for great discussions. They were interested in having the class finish a bit early, so we went long on the 4th day then I hustled on the final day, and the hotel was willing to serve 15 minutes earlier plus include our break food with the lunch. I finished teaching right at 12:00 PM and we ate together before each went their separate ways; it made for a great last lunch and a neat kind of ending.

Privacy note: Don't know if you have read about the decision in the UK to require passports to purchase cellphones. This measure seeks to stop the relative anonymity enjoyed by “criminals and terrorists” through their purchases of prepaid phones. Tough problem wherever you go - the USA, Canada, Australia, the UK - it is a struggle to balance the right to privacy of the populace with the need to combat terrorism.

[October 18, 2008] Right next to the hotel there is an interesting facility called The Mens Club, and I bet many a traveling man's dollar has been spent there; I will try to pass, but, jeepers, is that a big facility! One local claimed they used to have a pool that was very famous (infamous); who knows. In terms of restaurants, the closest is a Mediterranean buffet, actually, it is not half bad (I ate there twice), plus a small amount of fast food, Subway and a Chipotle. If you are willing to walk a few blocks, there is everything that the Galleria has to offer.

[October 16, 2008] COINS, Community of Interest in Network Security. We had the COINS event here at the hotel and I invited my class. COINS is SANS outreach to local communities. For months before I came I was using LinkedIn, trying to reach people and invite them to come. We spring for free food and some drinks and I do a presentation. We have about 15 people come, all male. I am starting to wish we could do better than that. LinkedIn apparently got mad at how I use the service and has put me in some sort of penalty box. Hmmm, in trouble for offering free food and drinks; where I come from, we don't snub that.

[October 14 - 19, 2008] Hilton Garden Inn Galleria. Most important, Houston is back in business from Hurricane Ike. The taxi from the George Bush Intercontinental Airport to my hotel was a whopping $70, so maybe a limo makes more sense here. Regardless, we made it and there was not much obvious hurricane damage during the drive; this city got back in business. The hotel room at the Hilton Garden was clean, and it included a fridge and microwave. The conference rooms we have to use are more than serviceable. The hotel has a small pool and a gym, what's not to like. The food and beverage people seem to be trying. One complaint, the lunch is supposed to be at 12:15 PM and they were not always ready; twice the entire class had to stand in line. Once, the only obvious activity in the kitchen was a guy sweeping the floor - right in front of the window to the kitchen where my students were lined up. The best thing to do is send out a scout to check so we do not have to have the entire class wait in line for lunch, that is silly.

[October 13, 2008] LIH to LAX. I took off on flight 68, managed to score first class with miles. The flight attendants were essentially non-existent. This does not happen often on United, but sometimes they just disappear for nearly the entire flight and don't even come by with water. This is one reason I travel with a 1 liter polycarbonate water bottle. I mention it here and here in more detail. I ended up drinking most of the water on the flight and wonder what the people that did not have water with them did for hydration. My next flight was UA1192 to Denver, it went on time and was very comfortable, it was a 777 so the seat really reclined. Final hop was flight 1184, Denver to Houston. We were star-crossed; we had a slight mechanical delay at departure and hit weather in flight, so we landed an hour late. My seatmate was an older African American woman heading for Peru; she claimed to be a world traveler, but clearly was not, didn't know they serve food in first class, that the seat reclined, etc. We landed late and her connection was Continental Airlines. I asked the rest of first class to let her off the plane first and one guy who really knew Houston airport walked her to the train to Continental's terminal; she had 30 minutes, so whether she made it or not is pretty much of a tossup.

[October 13, 2008] Flyday LIH to Houston. It is raining and cool this afternoon, wish I had gone swimming in the ocean one last time today. Safety Tip, if you are visiting Kauai anytime from Oct - April, be very respectful of the ocean; four visitors drowned over the weekend, two of them sisters-in-law walking along Queens Bath and a big wave swept them off the rocks to their deaths. They weren't the first and they probably are not the last. In a similar circumstance, a local friend of mine only survived by diving deep, holding tight onto a boulder to prevent being swept out to sea into the rocks and then scrambling back onshore between waves.

== Travel Tip: Direct Flights. A number of "direct" flights aren't. This Washington Times blog on the topic concerns Delta Airlines, but I have been on United Airlines flights where they say passengers continuing on to Tokyo will need to remove all their belongings for an aircraft change. This means competing for the overhead luggage space again (the link I just tossed you is for riskfactor, a great IEEE blog). The time to find out is when you are booking, be sure and ask if you have them on the phone. Also, if you can see that the time between landing and takeoff is more than 30 minutes, you may be in for an aircraft change.

[October 13, 2008] Google Alerts for United Airlines. There were a couple new stories about Jake Brace, United Airlines' controversial chief financial officer, who will pocket more than $2.4 million in severance pay after he retires from the Chicago-based carrier Oct. 31. He was the guy that ditched the employee pension plan. There was also a heart wrenching blog entry about a guy who missed his United Airlines flight because it was overbooked, they did not give him a hotel voucher for the night and then, when he finally was on the plane the next day, had a tire blow out on takeoff causing an emergency landing, greatly adding to his delays and travel troubles. There is also some news about how United Airlines is getting a double whammy, now that they have been hit by higher fuel prices, business travel is being reduced, the plan appears to be to reduce capacity which would mean layoffs. Finally, another riskfactor entry: the SEC is looking into what caused United Airlines stock to drop to 3 dollars, yikes! As the blog says, "However, as machine readable news increasingly becomes the norm, expect this type of thing to happen more and more." So true! Finally, here is a site with a bunch of links to airline frequent flyer programs.

(Off Topic, but useful) More effective meetings. I also have a Google Alert set for the search term "Leadership Laboratory". I saw an interesting blog on communication breakdown with the following helpful suggestion for better, more productive meetings:
"When holding meetings, provide a quick review of what has transpired since the last meeting and what should be happening before the next one. The key to these meetings is that they be brief and held on a regular basis. It may be worthwhile to keep simple notes along the lines of:
1. what was discussed
2. what is pending
3. what should be followed up
4. items previously brought up that have been successfully handled
5. what should be brought up at the next meeting - and why"
For more meeting tips check here and here.

[October 12, 2008] Sailing Nawiliwili Harbor to the blue sea. Against all common sense, I agreed that Kathy and I would go sailing with Rudy and Shanda on Kai Lani. With as much time as I have had on the road recently, I am really behind, but understood that they needed at least one other seasoned deckhand. Not that I call myself that much of a sailor, I fit the cook description much better. Anyway, the winter seas are coming to Kauai and the majority of the passengers got sick, again; still, I talked with some of the businessmen, they are all a bit pessimistic concerning the next year. In a related note about the current financial system, according to the Wall Street Journal, over $500 billion has "evaporated" from folks' 401k retirement plans. Kai Lani was just back from dry dock, so the good news is that everything worked, and we saw a ray jump and passed a couple sea turtles.

[October 11, 2008] Farming. We worked the morning on SANS stuff, I agreed to do a keynote in 2009 on logging and figured I'd best start that work. About 2 PM we headed out to the farm; our focus was on the tomatoes, they are out of control. That is what happens when you go on travel for six weeks, land for a few days and jump to Vegas. We put up a fence, tied some of the tomatoes to the fence. We will let them go until I get back from Houston and then harvest what we can. We did get enough, mostly Romas, to sell to the Kilauea Town Market, $16.00; laugh all you want, but we are trying to establish ourselves as a real farm. From now on, I think I will primarily concentrate on Romas, they seem to be the best for Hawaii and an excellent cooking tomato, check out this Roma Tomatoes Parmesan recipe.

[October 10, 2008] Three days out from travel day, I was reading Rob Lee's Forensics blog and they are talking about Shadow Copy. According to Microsoft, "Have you ever accidentally saved over a file you were working on? Accidental file deletion or modification is a common cause of data loss. Windows Vista includes a useful innovation to help you protect your data: Shadow Copy. Available in the Ultimate, Business, and Enterprise editions of Windows Vista, this feature automatically creates point-in-time copies of files as you work, so you can quickly and easily retrieve versions of a document you may have accidentally deleted." Awesome, how do I do this? All you have to do is right click on a file or folder and there is a menu option to restore previous version. Brilliant, not sure how I never heard of that.

Also, I have switched to the Darkoogle tool bar. This saves power when you do Google searches by rendering your screen black with white letters. The first of these I heard of was Blackle.com. I am interested in saving energy, but assume that my searches are passing through them so need to think about that, definite security issue there. Blackle.com's privacy policy can be found here. In essence you now have multiple organizations tracking your web surfing. I could not find a privacy policy for Darkoogle. By the way, Darkle really is a word.

Just got a call from Carol C. She will not be in Houston when I get there, she is running the forensics summit in Vegas. She did recommend Ruggles Grill as her favorite restaurant in Houston. Carol says that if you like vegetables you would love Ruggles and recommends the Goat Cheese Salad and the Strip Steak with vegetable array, and says her favorite is the 14 vegetable platter. I pulled the dinner menu and it looks pretty good.

== Travel Tip: Use Google Alerts when traveling. I am getting ready to go to Houston and I am flying on United Airlines. Even though I am a couple of days out, I log into my Google account and create two new alerts, one for Houston and the other for United Airlines. That way, as newsworthy things come up, I am prepared. But, one can do a lot more with Google! For instance, I hit the web page of the event I am going to and pull the address of the hotel, in this case the Hilton Garden Inn Houston/Galleria Area. If I take the address of the hotel (3201 Sage Road, Houston) and paste that into Google, a map comes up. When I click on the map, a bigger map comes up. Then, if I click Satellite, I can see from the aerial view that my hotel has a strip mall nearby (just look for the parking spots), but has residential on both sides (East and West) within a couple of blocks. Sometimes when there is residential fairly close it means minimal access to restaurants. For instance, in our Boston/VA Beach trip, we were staying at the Hyatt Regency Cambridge hotel. According to their write up, "the Hyatt is located along the scenic Charles River overlooking the Boston skyline and is in the midst of two uncommonly exciting cities, Boston and Cambridge." That is true, but the "in the midst" means no man's land. If you are considering the Hyatt as a conference or travel hotel, you should know that it is about a two mile walk to get to restaurants. Basically they plunked the hotel down between a University and a residential area. However, that will not be the case in Houston; we are very close to the Houston Galleria, they have a large number of restaurants, and you can expect a full report when I get there.

Speaking of Google alerts, I keep one for "Security Certification" and got a pointer to this blog from test4actual.com. Usually I cringe when I see these, but this one is fairly well written and accurate. My advice is to get the data straight from the vendor, most of the third party sites don't fact check well. My first "United Airlines" Alert just came into my inbox, it included one very interesting fragment of a story, "The pilot of an United Airlines airplane, from Boston to Los Angeles, was forced to make an emergency landing yesterday in the evening at Chicago airport. The cause? An unbearable smell on board, after an inexplicable indisposition suddenly took some passengers, forced to go to the toilet many times." The Chicago Tribune has the most information: http://www.chicagotribune.com/news/chi-ap-il-sickpassengers,0,3563260.story. They had not served food on the plane and the people who became ill were all from the same tour group.

== Travel Tip: When they tell you to keep your seatbelt on while seated on an airplane, they aren't kidding. I read the following in the New Zealand Herald,

"Passenger laptop computers are now being investigated as a possible cause of the Qantas mid-air emergency off Western Australia on Tuesday. The Airbus A330-300, with 303 passengers and a crew of 10, experienced what the airline described as a "sudden change in altitude" north of its destination on Tuesday. The mid-air incident resulted in injuries to 74 people, with 51 of them treated by three hospitals in Perth for fractures, lacerations and suspected spinal injuries when the flight bound from Singapore to Perth had a dramatic drop in altitude that hurled passengers around the cabin."

For the complete and somewhat graphic story, visit: http://www.news.com.au/story/0,23599,24469164-2,00.html. The reason they suspect laptops is that a similar event occurred in July and the Bluetooth mouse is believed to be the culprit. Risk experts have long held concerns about so-called fly-by-wire systems; to read more, click this link and read the article entitled Flight Control System Software Anomalies.