
Cyberspying

Posted by Gunter Ollmann on July 18, 2008 at 5:14 PM EDT.

Should you be worried about cyberspying as you travel the globe? A recent article in the Wall Street Journal – “U.S. Fears Threat of Cyberspying at Olympics” – discusses the dangers posed by Chinese hacking groups to travelers heading over for the Beijing Olympics, and in particular whether (and how) the U.S. government should publicly warn businesspeople and travelers of the threat.

Merrily skipping past the political connotations of cyberspying, I think it would be prudent to take a look at the advice business travelers and their corporations should be following.

Having traveled extensively in these regions and had all sorts of cyberspying run-ins myself, and having sent many consultants onsite to competitive and hostile environments around the world who have had similar “war stories”, I can testify to the need to adopt as many of these safety measures as possible.

While there is an emphasis on foreign travel, having seen the way my laptop IPS software flashes warnings continuously (port scans, worm attacks and vulnerability scans) whenever I connect to practically any international hotel chain’s in-room Internet connection, you may want to apply this advice to any out-of-office travel destination, here or abroad. In fact, I suspect that you’re at just as much risk of cyberspying when bringing a laptop to Caesars Palace during Black Hat in August, a few weeks from now, as when traveling to the Beijing Olympics.

Targets

So, who’s the target for cyberspying? The U.S. Cyber Consequences Unit has created some guidelines on the topic and notes that your laptop could be at risk if your company is:

  • A major government or defense contractor
  • A key supplier of critical infrastructure
  • A technological leader
  • A cost leader
  • A national or industry icon
  • Large, but economically vulnerable
  • Embroiled in political controversy

(or, if you’re at a technical security conference anywhere in the world, you may want to also add “just because your laptop happens to be within range”)

Laptop Security

The advice given to business travelers when traveling abroad by the U.S. Cyber Consequences Unit is:

  • Buy an inexpensive laptop for travel purposes (if you really need to travel with one)
  • Install only the applications you will actually need during the trip
  • Place the documents and data files you will need during the trip into a separate, secure, encrypted flash drive that you can carry in your pocket at all times
  • Make sure the laptop itself has not been accidentally loaded with any documents or data files, stored passwords, authentication cookies, accessories with personal information, or other sensitive settings and data
  • Make sure the travel laptop has a personal firewall enabled, virus protection, and the latest security patches
  • Put commercially sold anti-tamper seals over the travel laptop’s hard drive cover and over some of its case screws
  • Disable all the laptop’s external communications: its wireless, infrared, Bluetooth, CD-ROM, USB port, etc.
  • Enable a password to use during booting
  • Disable booting from CDs, USB storage devices, or other external drives
  • Learn how to turn specific external connections back on when you need to use them, such as the USB connection for your secure flash drive
  • Make sure you disable an external connection each time you have finished using it
  • When you return home, transfer any material you need from your secure, encrypted flash drive to your other computers by sending it from an external computer
  • Have your cyber-security team examine the travel laptop for signs of hardware tampering, do a secure wipe of the hard drive for you, and then reload it
  • Treat this laptop and flash drive in the future as outside devices that should not be directly connected to internal networks

Now, as I read through all this advice, I know that I simply cannot follow it all. Sure, it would work if I only had to do a presentation and nothing else, but if (as usual) I also have to do my normal work while I’m traveling abroad (no rest for the wicked) – answering emails, completing strategy documents, writing proposals, joining conference calls, etc. – this advice is impractical for me, and would become more impractical the more frequently you have to travel on business (especially if your business is IT consultancy).

Don’t get me wrong, the advice listed above is excellent, but I know for a fact that I could not employ it completely for the work I need to do abroad. In fact I’ve implemented many of these myself over the years. For comparison, here’s a list that I tend to make do with when traveling:

  • Carry a copy of important documents that I know I will need abroad on a separate USB drive in self-extracting encrypted archives (with long passphrases, and digitally signed)
  • Employ full-disk encryption
  • Employ PGP encrypted mountable volumes for confidential document storage (with long passphrases – more than 50 characters and containing at least one made-up non-dictionary word/sequence)
  • Make sure the laptop has a personal IPS enabled, virus protection, the latest security patches, and that I have double-checked on the personal firewall settings and DNS settings 
  • Make sure the laptop itself has not been accidentally loaded with any documents or data files, stored passwords, authentication cookies, accessories with personal information, or other sensitive settings and data
  • Enable a password to use during booting
  • Disable booting from CDs, USB storage devices, or other external drives
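Two items from the lists above are scriptable: the sweep for anything “accidentally loaded” onto the travel laptop (stored passwords, authentication cookies, keys, documents), which appears in both the U.S. Cyber Consequences Unit list and mine, and the step of keeping external storage and radios switched off until you deliberately turn them back on. The POSIX shell script below is an added example written for this page; it is not from the original post or from the U.S. Cyber Consequences Unit. The file names and extensions it looks for are assumptions to extend for the tools you actually use, the lockdown fragment assumes a Linux laptop with modprobe, and a count of zero findings is necessary, not sufficient: a secret in an unexpectedly named file will not be caught.

```shell
#!/bin/sh
# Added example: two scriptable steps from the travel-laptop checklists.
#
#   travel_audit DIR           list leftover credentials, cookies, shell
#                              history, private keys and office/PDF files
#   travel_audit_count DIR     number of such findings (0 = nothing matched)
#   travel_lockdown_conf FILE  write a Linux modprobe fragment that keeps USB
#                              mass storage and Bluetooth drivers from loading
#
# The name/extension filter is an assumption; extend it for your own tooling.

travel_audit() {
    root="$1"
    [ -d "$root" ] || { echo "travel_audit: not a directory: $root" >&2; return 2; }
    # One find expression: credential and cookie stores, SSH keys, shell
    # history files, and the document types most often left behind.
    find "$root" -type f \( \
        -name .netrc -o -name .pgpass -o -name .git-credentials \
        -o -path '*/.aws/credentials' \
        -o -name cookies.sqlite -o -name Cookies \
        -o -name id_rsa -o -name id_dsa -o -name id_ecdsa -o -name id_ed25519 \
        -o -name '.*_history' \
        -o -name '*.doc' -o -name '*.docx' -o -name '*.xls' -o -name '*.xlsx' \
        -o -name '*.ppt' -o -name '*.pptx' -o -name '*.pdf' \
        \) -print
}

travel_audit_count() {
    travel_audit "$1" | wc -l | tr -d ' '
}

# Linux-specific (assumption: the travel laptop runs Linux and uses modprobe).
# "install MODULE /bin/false" makes every attempt to load MODULE fail, so a
# plugged-in USB stick stays inert until you delete the line and run
# "modprobe usb-storage" yourself; the same trick covers the Bluetooth stack.
travel_lockdown_conf() {
    out="$1"
    cat > "$out" <<'EOF'
# travel lockdown: delete this file (or a single line) to re-enable a device
install usb-storage /bin/false
install uas /bin/false
install bluetooth /bin/false
install btusb /bin/false
EOF
}

# Constructed demo tree (fake data, nothing real): three files the sweep
# flags and one plain-text file it does not.
demo=$(mktemp -d)
mkdir -p "$demo/.ssh" "$demo/Documents"
printf 'machine example.com login alice password hunter2\n' > "$demo/.netrc"
: > "$demo/.ssh/id_ed25519"
: > "$demo/Documents/proposal.docx"
: > "$demo/notes.txt"
travel_audit "$demo"
echo "findings: $(travel_audit_count "$demo")"   # findings: 3
travel_lockdown_conf "$demo/travel.conf"
rm -rf "$demo"
```

Run the sweep against the travel account’s home directory before you leave and again after you return; anything it lists should be moved to the encrypted flash drive or wiped. The lockdown fragment belongs in /etc/modprobe.d/ on the travel laptop, and re-enabling the USB port for the secure flash drive (and disabling it again afterwards) is exactly the turn-it-on-then-off discipline the list above asks for.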

Having read through the U.S. Cyber Consequences Unit’s advice, I think I’ll also be adding one more item to the list:

  • Put commercially sold anti-tamper seals over the travel laptop’s hard drive cover and over some of its case screws

I like that idea, and hadn’t really given that a thought in the past. It would certainly enable me to spot a laptop keylogger more quickly whenever someone tries it in the future.

    Copyright 2001-2008 © Gunter Ollmann