Kenneth van Wyk: Enjoy your trip, but protect the data you take with you
- 02 December, 2013 14:18
With all the large-scale surveillance programs on the Internet, is it even possible to travel safely internationally these days? I say it is, but it depends on just how far you want to dial up the paranoia.
Let's consider two broad categories, data at rest and data in transit.
Data at rest
I travel internationally quite a lot, and I have several security guidelines and rules that I follow. One of my top concerns is that, should a device of mine be stolen or seized by customs, all the data on that device, whether it's mine or my customers', will be adequately protected from prying eyes.
Here, in no particular order, are some things to consider:
* Don't bring it if you don't need it. This seems basic enough, but amid all the preparations you need to make for a major trip, it can be overlooked. If there is data on your device that you don't absolutely need with you, then just copy it for storage on a server, archive it, delete it, whatever, but don't bring it along. If you consistently work with highly sensitive data, then it might be a good idea to maintain a separate laptop just for travel that contains only the data essential to the trip you're currently on and gets wiped upon your return so you don't inadvertently take something on your next trip that you don't need.
* Encrypt it if you bring it. If it is sensitive, then encrypt it. Consider full disk encryption with a single strong password, or at least a couple of small USB drives that are fully encrypted. The encryption password you use should be strong, but one you'll remember. Never store that password.
* Memorize all your other important passwords. You increase your data's security when you use more than one password for your device and its data. Use strong passwords, and don't write them down. If a written backup is essential for you, store it back at home or in your office, but never with you.
* Keep it with you. When I travel, my laptop is almost always with me. I don't leave it back at my hotel room because I'm not going out for long. If at all possible, I take it with me. If I can't do that, then I transfer all sensitive data to a USB device and keep that in my pocket.
* Don't trust the hotel safe. Hotel safes sound better than they actually are. It's the human element that's easily compromised, and hotel clerks just aren't as security-conscious as bankers. If you're traveling with something that really matters, keep it with you.
* Shut down your laptop when you're done using it, and use a boot-up password. Leaving your laptop in sleep mode is just asking for trouble, since some hardware ports (e.g., Firewire) enable adversaries to read data off a running laptop, even when the screen is locked.
* Enable device firewalling. Whatever software you're using, be sure to firewall your laptop to the fullest degree you can.
* Have an emergency plan. If your laptop is seized, or it simply breaks, always ensure that you can head to a nearby computer store to replace it, and then restore your essential data and apps without undue burden. That means you will need encrypted backups on a cloud storage site.
* Get good legal counsel before you go. You need to know something about the laws in the countries you will be visiting so that you have some sense of what rights you have should you be compelled to provide the encryption keys to unlock your laptop and/or removable media.
Whether you follow all of these guidelines depends on how much you value the data you're bringing along on your trip.
Data in transit
As we've learned more about the National Security Agency's surveillance of communications, my concern about the privacy of my data in transit has grown. And I know you're not naive enough to believe that it's just the NSA that does this stuff. The safest assumption is that spies are everywhere.
Again, here's some food for thought:
* SSL is not enough. I used to trust SSL a lot more than I do these days. Thanks to Diginotar and other root CA compromises, I hold SSL security in sadly low regard. That's not to say we shouldn't use SSL, but we need to be careful. In particular, I'm concerned about networks and countries that may try to eavesdrop on my SSL traffic. To have even a modicum of trust in using SSL, I need to ensure that my domain name lookups happen on a network that is not controlled by the network I'm on and in the country I'm visiting. How do I do that? Read on.
* VPNs are your friends. My cardinal rule of data communication when I'm traveling is to use a VPN whenever possible. Get into the habit of connecting to your VPN every time you connect to a network. Always. No excuses. Well, one excuse... Some networks block outbound VPN connections. In those cases, you need to decide whether the benefits outweigh the risks. At the very least, there is a substantial chance that all your communications are being monitored in those cases. Can't afford a VPN concentrator? Nonsense. There are many free or otherwise inexpensive VPN endpoint solutions available. Apple's Mavericks Server product, which includes a VPN service, is only $20.
* Hotel Internet access shouldn't be trusted. Hotel and other public Wi-Fi is sometimes free or at least inexpensive, but is it worth it? Yes, I use hotel networks often, but never without a VPN. If the hotel net forbids VPN connections, I don't use it for anything other than basic Web browsing from my iPhone or iPad. I avoid any circumstance that may require me to enter a site password.
* Get a country SIM for your tablet computer. In most countries, you can get a 3G (or better) SIM card for a week or so, with an enormous amount of data available, for just a few dollars. Some countries demand your passport to register a data SIM, but many only require cash. Either way, it's been my experience that I can use a SIM in my iPad and then VPN out through that via a USB tethered hotspot to my laptop. It may not be the fastest means of communicating (although it can sometimes be faster than hotel "high-speed Internet" offerings), but it works pretty well. Using a local data SIM is also generally the least expensive way of getting pretty solid communications in most countries.
* Business center and kiosk PCs are like petri dishes full of bacteria. Don't touch them. Period. If you do, never enter a password, and never use removable media in one.
* Accept that it's likely that your data communications are being eavesdropped on. Even with the measures I've described here, there's a good chance that someone is watching you. Accept that, and be sure you follow the local rules and laws.
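One way to check the DNS point from the SSL item above, once the VPN is connected, is to confirm that none of the configured resolvers belongs to the network you are sitting on. The following is an added example, not code from the column; it assumes a Unix-style resolv.conf, and the function names, the hotel subnet and the resolver addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: resolv.conf as it might look on a hotel network (not from the article).
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search hotel.example
nameserver 10.20.0.1
nameserver 192.0.2.53
nameserver fe80::1%wlan0
nameserver 127.0.0.53
nameserver not-an-ip
"""

def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def classify(server, local_subnets, trusted_resolvers):
    """Label one resolver: trusted, local-network, link-local, stub, untrusted, invalid."""
    try:
        addr = ipaddress.ip_address(server.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return "invalid"
    if addr in trusted_resolvers:
        return "trusted"
    if addr.is_loopback:
        return "stub"          # local stub resolver: its upstream must be checked separately
    if addr.is_link_local:
        return "link-local"    # on-link by definition, so controlled by the local network
    if any(addr.version == net.version and addr in net for net in local_subnets):
        return "local-network"
    return "untrusted"

def audit_dns(text, local_subnets, trusted_resolvers):
    """Return (ok, findings); ok only if every resolver is one of the trusted ones."""
    nets = [ipaddress.ip_network(n) for n in local_subnets]
    trusted = {ipaddress.ip_address(t) for t in trusted_resolvers}
    findings = [(s, classify(s, nets, trusted)) for s in parse_nameservers(text)]
    ok = bool(findings) and all(label == "trusted" for _, label in findings)
    return ok, findings

if __name__ == "__main__":
    ok, findings = audit_dns(SAMPLE_RESOLV_CONF, ["10.20.0.0/16"], ["192.0.2.53"])
    print(findings, "OK" if ok else "DNS may be answered by the local network")
```

A "stub" result only says that a local forwarder is in use; the resolver it forwards to is configured elsewhere and has to be checked there.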
Maybe you aren't paranoid enough to do all of these things. That's all right, as long as you're paranoid enough to do those things that your particular data deserves. Admittedly some of the measures listed above can be pretty darned inconvenient. You need to decide for yourself which measures you can accept and which ones you can't. Again, it depends on the value of the data you're communicating. If you're just browsing news sites or similar things, then who cares? But if you're connecting in to your company's email server, you may want to think very carefully about ignoring my advice.
It's fun traveling to far-away places. I drafted this column while returning from a business trip to Malaysia, Singapore and Brunei. I met some wonderful people, saw some old friends and had a great experience overall. But I always like to keep a careful eye on my data security.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
Read more about security in Computerworld's Security Topic Center.