Vulnerabilities / Threats
9/15/2008
04:43 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

DHS Report Says Leave Laptops At Home

The federal agency said anyone who brings their computer or cell phone out of the country is risking privacy and data security violations.

The U.S. Department of Homeland Security appears to be of two minds about the security of information on portable devices.

On the one hand, it defends border searches of laptops as necessary to limit the movements of terrorists, to deter child pornography, and to enforce U.S. laws.

"One of our most important enforcement tools in this regard is our ability to search information contained in electronic devices, including laptops and other digital devices, for violations of U.S. law, including potential threats," said Jayson Ahern, deputy commissioner, U.S. Customs and Border Protection, in an online post in June.

On the other hand, it has warned business and government travelers not to carry laptops or other electronic devices when traveling abroad, as a way to prevent "unauthorized access and theft of data by criminal and foreign government elements."

In a document titled "Foreign Travel Threat Assessment: Electronic Communications Vulnerabilities," published June 10 by the DHS's critical infrastructure threat analysis division and recently posted to Wikileaks, DHS urges business leaders and U.S. officials to "leave [electronic devices] at home" when traveling.

"Foreign governments routinely target the computers and other electronic devices and media carried by U.S. corporate and government personnel traveling abroad to gather economic, military, and political information," the document warns. "Theft of sensitive information can occur in a foreign country at any point between a traveler's arrival and departure and can continue after returning home without the victim being aware."

Recognizing that for some it may be impossible to travel without a laptop and phone, DHS recommends buying a single-use cell phone locally, carrying a designated "travel" laptop with a minimum of information on it, and using temporary Internet e-mail accounts that are not associated with a corporate or government entity.

"Even with these strategies, however, travelers should assume that all communications are monitored," the DHS Threat Assessment says.

Such warnings recall a U.S. State Department's Bureau of Consular Affairs advisory to U.S. travelers headed to China for the 2008 Olympic Games. "All visitors should be aware that they have no reasonable expectation of privacy in public or private locations," the bureau warned. "All hotel rooms and offices are considered to be subject to on-site or remote technical monitoring at all times. Hotel rooms, residences, and offices may be accessed at any time without the occupant's consent or knowledge."

In other words, expect no privacy or data security anywhere.

Peter P. Swire, a law professor at Ohio State University's Moritz College of Law and a senior fellow at the Center for American Progress, says travelers ought to take such warnings seriously and practice good computer hygiene. "Don't expose your laptop to viruses and Internet cafes," he said. "Don't put your memory stick into any receptacle where it doesn't belong."

The federal courts have held that border searches of laptops and other electronics represent a permissible exception to the Fourth Amendment. But case law on the issue supports a distinction between two types of searches -- routine and nonroutine.

Nonroutine searches, such as a strip search, are distinguished by their invasiveness and require a "reasonable suspicion" that the person searched is involved in an illegal activity.

It's not clear from a legal perspective whether laptop searches are routine or nonroutine, and it probably won't be until the Supreme Court rules on the issue or Congress passes a law requiring reasonable suspicion for searches of electronic devices, which could happen next year.

Ahern, from the CPB, meanwhile, insists that border searches are routine and no different from searches of a suitcase or vehicle, a position that the Association of Corporate Travel Executives and the Electronic Frontier Foundation are fighting to change.

One consequence of the U.S. government's position is that it emboldens other governments to claim similarly unconstrained information access rights, at the border and beyond.

Swire said he supports laptop searches when there's reasonable suspicion of wrongdoing. "If that became the global standard, the problem overseas would be much less," he said. "If the U.S. had a better policy, we would be in a better position to object to these intrusive practices."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.