A Farewell to 2015: Musings on Traveling with Sensitive Data

150 150 Krypterix

This being mainly a security blog, I seldom get the chance to flex a few writing muscles. But with 2015 coming to a close, I often find myself thinking about how far we have come in the datavault and data security field and the way we can convey this information in a simple and concise manner to help our readers and customers. So, to give 2015 a worthy sendoff, here is a topic very close to my heart, presented as a train-of-thought essay on one of the most important experiences even for techies:  traveling.

Source: http://edceveryday.tumblr.com/

Source: http://edceveryday.tumblr.com/

With the advent of cheaper flights and portable technology, we have become modern globetrotting tech nomads, traveling with our data around the world, taking it to presentations, meetings, or just our preferred holiday destination. Staggering amounts of data are transported on various devices every day, and potential attackers are well aware of this. They have developed methods of accessing insecure systems that one might not think of immediately. Having your laptop stolen, or kept by customs is just the tip of the iceberg. You can always replace a new device, but the old one may act as a vector to your corporate network, or an access point for your online services.

Keep in mind: an insecure device is a treasure trove of data.

Do you keep your passwords in a secure vault? Do you have any scans of your personal documents lying around? Even having a corporate address book can expose your contacts to potentially serious phishing attacks. If you are an administrator of a website, code may be injected for different forms of fraud such as pharming.

At the border, be aware that there are technologies available to siphon your data for security reasons. The security guidelines in most countries are reasonable and require removal of the copied data after it has been cleared however there are times where your data will not be safely disposed of. Certain security conscious individuals even go as far as to completely replace their devices when leaving some countries, since administrator access to your computer means that spyware can be installed as well.  According to Neil O’Connor, principal consultant at independent security consultancy Activity IM, the USA still remains one of the “riskiest” countries to enter with a laptop in tow.

So what about after crossing the border? One fact which may surprise you is that while people tend to label certain countries as dangerous spots for IT security (by having a history of lax security or bad intellectual property legislature), there are no real global cyber theft Meccas. Amateur hackers, data stealers and identity thieves are mostly jumping from city to city. You are as likely to get your data stolen in Berlin as you are in Belarus. There is still a lot of work to do in the legislative area as well. We still haven’t found a truly ethical answer to questions such as what to do if an officer demands you decrypt your data?

Be wary of the devices you are connecting to. Plugging a USB drive into a hotel or cyber cafe computer can be dangerous if the computer has been compromised (in many cases, high-end hotels may be less secure than normal cyber cafes!). What about wireless connectivity? WiFi Hostpots can be a life-saver in certain situations, although one needs to be very careful when using this service. Most of the time, we just look for the SSID an surf away. It is trivially easy for an attacker to set up a passwordless hotspot with a similar SSID. The good news is, this being a PEBKAC problem, you just need a healthy dose of paranoia. Even real hotspots are not compeltely secure, due to the nature of how secure sessions work: a great example was the Firefox plugin Firesheep from 2011, which used a packet sniffer to intercept unencrypted cookies from websites such as Facebook and Twitter.

“As cookies are transmitted over networks, [Firesheep’s] packet sniffing is used to discover identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim’s name”. [Wikipedia]

As for your mobile device: be sure that they are encrypted with a strong password. Offload everything except your most important data onto an external device.

If possible, never use public computers for work. They might have keyloggers installed.

Last but not least, turn off Bluetooth (discoverability) on all BT-capable devices. There have been a lot of complaints about Bluetooth’s security issues. Not only is little being done about it, but many users forget that attackers have an alternative wireless access point throught the BT stack. There are attacks such as bluejacking, bluesnarfing, which all use the fact that Bluetooth is an old technology that has only gotten more complicated through the years (the spec has 1,200 pages as of a few years ago)

“/…/one of the things that makes me so uncomfortable from a crypto standpoint is they keep making it more complex, rather than it being elegant. This is the least elegant cipher system I’ve ever seen/…/” [Steve Gibson, Security Now]

As you can see, when traveling you are making yourself vulnerable to data theft. Preparing for a trip should always include the necessary security precations. The smartest way is to keep your devices as empty as possible and leave your data on a hard drive that has no other access point except for your key.

I suggest we prepare a cyber security resolution for 2016: use only your device, with your mobile phone, and store the data on a simple solution you trust, that can’t be broken into.



I wish you all an excellent New Year.