Wednesday, February 29, 2012

Traveling Light in a Time of Digital Thievery

This sounds exciting, like intrigue for spy fiction:
When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film.
He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”
Never types his password in directly? News for you: if you are concerned only about keystroke logging, you are forgetting the other avenues of approach a threat can take if it's kernel resident. On-screen keyboards and even one-time password tokens (e.g. RSA SecurID tokens) can be and have been defeated as well. If this is your level of threat, these countermeasures aren't good enough.
This should not be the extent of the threat to consider:
Both China and Russia prohibit travelers from entering the country with encrypted devices unless they have government permission.
Here's better advice:
Now, United States companies, government agencies and organizations are doing the same by imposing do-not-carry rules. Representative Mike Rogers, the Michigan Republican who is chairman of the House Intelligence Committee, said its members could bring only “clean” devices to China and were forbidden from connecting to the government’s network while abroad. As for himself, he said he traveled “electronically naked.”
And probably the best advice:
McAfee, the security company, said that if any employee’s device was inspected at the Chinese border, it could never be plugged into McAfee’s network again. Ever. “We just wouldn’t take the risk,” said Simon Hunt, a vice president.
The cost of doing business in places like that is the cost of "burn devices". The hardware, and the data and software on it, should all be thrown away upon exit. Don't risk powering a device back on. Treat it like a disposable camera. Send your data in before you leave the country, and let go of any and all emotional attachment to the hardware.

If China and Russia can do this, so can any other country, or perhaps even a commercial organization of any substantial size (yes, even the United States can and will snoop on your devices).
