Vulnerabilities / Threats
9/15/2008
04:43 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

DHS Report Says Leave Laptops At Home

The federal agency said anyone who brings their computer or cell phone out of the country is risking privacy and data security violations.

The U.S. Department of Homeland Security appears to be of two minds about the security of information on portable devices.

On the one hand, it defends border searches of laptops as necessary to limit the movements of terrorists, to deter child pornography, and to enforce U.S. laws.

"One of our most important enforcement tools in this regard is our ability to search information contained in electronic devices, including laptops and other digital devices, for violations of U.S. law, including potential threats," said Jayson Ahern, deputy commissioner, U.S. Customs and Border Protection, in an online post in June.

On the other hand, it has warned business and government travelers not to carry laptops or other electronic devices when traveling abroad, as a way to prevent "unauthorized access and theft of data by criminal and foreign government elements."

In a document titled "Foreign Travel Threat Assessment: Electronic Communications Vulnerabilities," published June 10 by the DHS's critical infrastructure threat analysis division and recently posted to Wikileaks, DHS urges business leaders and U.S. officials to "leave [electronic devices] at home" when traveling.

"Foreign governments routinely target the computers and other electronic devices and media carried by U.S. corporate and government personnel traveling abroad to gather economic, military, and political information," the document warns. "Theft of sensitive information can occur in a foreign country at any point between a traveler's arrival and departure and can continue after returning home without the victim being aware."

Recognizing that for some it may be impossible to travel without a laptop and phone, DHS recommends buying a single-use cell phone locally, carrying a designated "travel" laptop with a minimum of information on it, and using temporary Internet e-mail accounts that are not associated with a corporate or government entity.

"Even with these strategies, however, travelers should assume that all communications are monitored," the DHS Threat Assessment says.

Such warnings recall a U.S. State Department's Bureau of Consular Affairs advisory to U.S. travelers headed to China for the 2008 Olympic Games. "All visitors should be aware that they have no reasonable expectation of privacy in public or private locations," the bureau warned. "All hotel rooms and offices are considered to be subject to on-site or remote technical monitoring at all times. Hotel rooms, residences, and offices may be accessed at any time without the occupant's consent or knowledge."

In other words, expect no privacy or data security anywhere.

Peter P. Swire, a law professor at Ohio State University's Moritz College of Law and a senior fellow at the Center for American Progress, says travelers ought to take such warnings seriously and practice good computer hygiene. "Don't expose your laptop to viruses and Internet cafes," he said. "Don't put your memory stick into any receptacle where it doesn't belong."

The federal courts have held that border searches of laptops and other electronics represent a permissible exception to the Fourth Amendment. But case law on the issue supports a distinction between two types of searches -- routine and nonroutine.

Nonroutine searches, such as a strip search, are distinguished by their invasiveness and require a "reasonable suspicion" that the person searched is involved in an illegal activity.

It's not clear from a legal perspective whether laptop searches are routine or nonroutine, and it probably won't be until the Supreme Court rules on the issue or Congress passes a law requiring reasonable suspicion for searches of electronic devices, which could happen next year.

Ahern, from the CPB, meanwhile, insists that border searches are routine and no different from searches of a suitcase or vehicle, a position that the Association of Corporate Travel Executives and the Electronic Frontier Foundation are fighting to change.

One consequence of the U.S. government's position is that it emboldens other governments to claim similarly unconstrained information access rights, at the border and beyond.

Swire said he supports laptop searches when there's reasonable suspicion of wrongdoing. "If that became the global standard, the problem overseas would be much less," he said. "If the U.S. had a better policy, we would be in a better position to object to these intrusive practices."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4884
Published: 2014-10-21
The Conrad Hotel (aka com.wConradHotel) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-4885
Published: 2014-10-21
The CPWORLD Close Protection World (aka com.tapatalk.closeprotectionworldcom) application 3.4.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-4887
Published: 2014-10-21
The Joint Radio Blues (aka com.nobexinc.wls_69685189.rc) application 3.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-4888
Published: 2014-10-21
The BattleFriends at Sea GOLD (aka com.tequilamobile.warshipslivegold) application 1.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-4889
Published: 2014-10-21
The Diabetic Diet Guide (aka com.wDiabeticDietGuide) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.