Vulnerabilities / Threats
9/15/2008
04:43 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

DHS Report Says Leave Laptops At Home

The federal agency said anyone who brings their computer or cell phone out of the country is risking privacy and data security violations.

The U.S. Department of Homeland Security appears to be of two minds about the security of information on portable devices.

On the one hand, it defends border searches of laptops as necessary to limit the movements of terrorists, to deter child pornography, and to enforce U.S. laws.

"One of our most important enforcement tools in this regard is our ability to search information contained in electronic devices, including laptops and other digital devices, for violations of U.S. law, including potential threats," said Jayson Ahern, deputy commissioner, U.S. Customs and Border Protection, in an online post in June.

On the other hand, it has warned business and government travelers not to carry laptops or other electronic devices when traveling abroad, as a way to prevent "unauthorized access and theft of data by criminal and foreign government elements."

In a document titled "Foreign Travel Threat Assessment: Electronic Communications Vulnerabilities," published June 10 by the DHS's critical infrastructure threat analysis division and recently posted to Wikileaks, DHS urges business leaders and U.S. officials to "leave [electronic devices] at home" when traveling.

"Foreign governments routinely target the computers and other electronic devices and media carried by U.S. corporate and government personnel traveling abroad to gather economic, military, and political information," the document warns. "Theft of sensitive information can occur in a foreign country at any point between a traveler's arrival and departure and can continue after returning home without the victim being aware."

Recognizing that for some it may be impossible to travel without a laptop and phone, DHS recommends buying a single-use cell phone locally, carrying a designated "travel" laptop with a minimum of information on it, and using temporary Internet e-mail accounts that are not associated with a corporate or government entity.

"Even with these strategies, however, travelers should assume that all communications are monitored," the DHS Threat Assessment says.

Such warnings recall a U.S. State Department's Bureau of Consular Affairs advisory to U.S. travelers headed to China for the 2008 Olympic Games. "All visitors should be aware that they have no reasonable expectation of privacy in public or private locations," the bureau warned. "All hotel rooms and offices are considered to be subject to on-site or remote technical monitoring at all times. Hotel rooms, residences, and offices may be accessed at any time without the occupant's consent or knowledge."

In other words, expect no privacy or data security anywhere.

Peter P. Swire, a law professor at Ohio State University's Moritz College of Law and a senior fellow at the Center for American Progress, says travelers ought to take such warnings seriously and practice good computer hygiene. "Don't expose your laptop to viruses and Internet cafes," he said. "Don't put your memory stick into any receptacle where it doesn't belong."

The federal courts have held that border searches of laptops and other electronics represent a permissible exception to the Fourth Amendment. But case law on the issue supports a distinction between two types of searches -- routine and nonroutine.

Nonroutine searches, such as a strip search, are distinguished by their invasiveness and require a "reasonable suspicion" that the person searched is involved in an illegal activity.

It's not clear from a legal perspective whether laptop searches are routine or nonroutine, and it probably won't be until the Supreme Court rules on the issue or Congress passes a law requiring reasonable suspicion for searches of electronic devices, which could happen next year.

Ahern, from the CPB, meanwhile, insists that border searches are routine and no different from searches of a suitcase or vehicle, a position that the Association of Corporate Travel Executives and the Electronic Frontier Foundation are fighting to change.

One consequence of the U.S. government's position is that it emboldens other governments to claim similarly unconstrained information access rights, at the border and beyond.

Swire said he supports laptop searches when there's reasonable suspicion of wrongdoing. "If that became the global standard, the problem overseas would be much less," he said. "If the U.S. had a better policy, we would be in a better position to object to these intrusive practices."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4692
Published: 2015-07-27
The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.

CVE-2015-1840
Published: 2015-07-26
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space cha...

CVE-2015-1872
Published: 2015-07-26
The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via craft...

CVE-2015-2847
Published: 2015-07-26
Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream.

CVE-2015-2848
Published: 2015-07-26
Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before 5.2.19.0_VA allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!