With a host of celebrations ahead this month, people will be traveling to all sorts of destinations with a variety of plans, be they quality time with friends and family, or perhaps a getaway from the holiday hustle and hype. All this travel offers opportunity. An opportunity for you to relax. An opportunity for hackers to get hold of your data. Skycure, a mobile threat defense company, studied the world’s most popular tourist attractions using data gathered from the Skycure Threat Intelligence network and identified actual network threats occurring from mobile devices over the past year. Destinations in large cities such as New York City, Paris, San Francisco and Las Vegas topped the list. Three separate Disney Parks were in the top 15 risiest tourist destinations, including Disneyland Paris, Disneyland in Anaheim, and Disney World’s Magic Kingdom in Orlando.
In contrast, the Taj Mahal in Agra, India, is the world’s safest top tourist attraction for mobile users. This is mostly due to the ban on using mobile phones within the Taj Mahal and partly due to a lack of connectivity. Few mobile phones and poor connectivity mean that there’s low value for attackers to create malicious hotspots near the attraction.
Within the United States, the safest top tourist attraction was the Great Smoky Mountains national park in Tennessee, most likely due to it being a large area with little connectivity.
The top 15 tourist attractions with the highest risk are:
- Times Square, New York City, N.Y.
- Notre Dame Cathedral, Paris, France
- Disneyland Paris, Marne-la-Vallee, France
- Golden Gate Park, San Francisco, Calif.
- Ocean Park, Hong Kong
- Las Vegas Strip, Las Vegas, Nev.
- Hollywood Walk of Fame, Hollywood, Calif.
- Union Station, Washington, D.C.
- Faneuil Hall Marketplace, Boston, Mass.
- Disneyland Park, Anaheim, Calif.
- Navy Pier, Chicago, Ill.
- St. Peter’s Basilica, Vatican City
- Grand Palace, Bangkok, Thailand
- Disney World’s Magic Kingdom, Orlando, Fla.
- Pike Place Market, Seattle, Wash.
“Unfortunately for mobile tourists, the most magical places on earth can sometimes be the most dangerous,” said Adi Sharabani, CEO of Skycure. “When you’re in a high-traffic area like these famous destinations, you’re a target for hackers. Unlike your computer, your phone is always on, even when you’re taking in the sights. Mobile tourists are a lucrative target for cybercriminals.”
The threats were identified with Skycure’s patent pending Active Honeypot technology and crowd wisdom, which creates the company claims creates the world’s most complete picture of the internet from a mobile perspective. Skycure conducts millions of security tests on a monthly basis and monitors tens of thousands of mobile devices. Travelers can check for top mobile threats in any destination by visiting https://maps.skycure.com.
I took a look at the map and it’s pretty interesting, although data points are few and far between. As a security researcher, I’m already familiar with most of the threats in my areas in NYC and San Francisco. Almost every threat listed on the map is an open network, typically with the word “free” in the network name. If you take anything away from this blog post, please avoid connecting to open WiFi networks with “free” in the name. Free networks tend to be free as certain services tend to be absent, namely security and password protection. With such open access to network, hackers can get away with just about anything. If you are curious as to the dangers of networks this accessible, read this blast from the past from Rolling Stone. Free networks are a hazard, especially if you think any kind of commerce, banking, or communication is happening on them.
It’s really easy (I showed a news crew how to do this about 15 minutes back in 2004 and it’s probably easier now) to set up an open WiFi network and run all the traffic through a proxy server in order to steal usernames and passwords. In this case, SSL won’t protect you because the proxy can be configured to decrypt SSL and capture credentials – criminals in particular target credentials for mobile banking and corporate networks. Most users simply look for whether they’re using SSL or not and don’t examine the SSL certificate. This lulls them into a false sense of security as the traffic is encrypted between their device and the proxy where it is decrypted and examined, then re-encrypted and transmitted to the Web.
Matthew David Sarrel has been practicing and writing about network and information security for over 20 years. He is Executive Director of Sarrel Group, an editorial services/content marketing, product test lab, and information technology consulting company. He is a Contributing Editor for PCMag.com, Triple-G Editor for Backayard Magazine, and contributor to Infoworld, Programmable Web, and numerous other sites and publications. Previously, he was a technical director for PC Magazine Labs. Prior to joining PC Magazine, he served as VP of Engineering and IT Manager at two Internet startups. Earlier, he spent almost 10 years providing IT solutions in HIV-and-TB-related medical research settings at the New Jersey Medical School. Mr. Sarrel has a BA (History) from Cornell University, an MPH (Epidemiology) from Columbia University, and is also a Certified Information Systems Security Professional (CISSP). Mr. Sarrel has written for and spoken to numerous international audiences about information technology and information security. He participated as an expert in two Federal Trade Commission workshops, one about spam in 2003 and one about spyware in 2004. Follow Matt on Twitter. Follow his adventures with Elvis the information security French bulldog on Instagram.
Stratford University, in association with Key Cybersecurity, is offering CISSP, CISA and CEH training and certification courses at many of its Northern Virginia campuses. We will be providing students the hands-on experience with state of the art security solutions like HeurekaCyber’s Cyber Armor and others. Join us at http://www.stratford.edu/cyber in becoming the first line of defense in cybersecuity.