Traveling with Computers Safely

Posted by JD 04/11/2014 at 23:00

I’ve been traveling overseas more and have discussed security issues with others in the IT security industry. Here is what I’ve decided.

With the recent Heartbleed issue in the OpenSSL libraries that impacted 80% of websites and the GnuTLS issue from last month, what should we do when security is needed most?

BTW, the NSA admitted to using the Heartbleed bug for years. My 20 yrs of professional experience with software tells me that there are probably 50 other issues like this in the OpenSSL and GnuTLS software libraries. They are the best options for HTTPS traffic, but really shouldn’t be trusted when real security is needed.

What do I do?

On Travel

  • Make a backup!!! Seriously, back up all data before you go.
  • Do not run Windows.
  • Take the cheapest device(s) possible ($199 netbook)
  • Critical information needs to be on paper. Devices are stolen A LOT! Hotels, flight data, embassy, personal contacts.
  • Use whole disk encryption whenever possible on any portable device (laptop/netbook, smartphone)
  • Use password managers that do not require an HTTPS connection. HTTPS is broken on many levels, especially outside the USA.
  • Do not take any sensitive data on these devices. Be prepared to leave them behind.
  • Turn up the firewall – disable the homegroup and LAN settings.
  • Do not leave a machine in standby or hibernate if it isn’t in your physical contact – always shut down, even in your hotel overnight. This is the best way to make the drive encryption more difficult to get around.
  • Make sure you can log in to the device without decrypting everything, if possible. A TinyCore partition is quick and easy to boot for customs.
  • Expect to be searched at borders. It doesn’t really happen too much, but …
  • Remote back into a desktop running in a trusted location, on a trusted network, for email and web surfing. When overseas, we can’t trust anything.
  • ALWAYS use a VPN. Without a VPN, do not use the network (school, hotel) for anything more than sightseeing research.
  • Do NOT log in to financial / banking websites from overseas.
  • Plus all the normal computer security things – AV, No PDFs, No Java, limited Javascript. Basically, don’t be stupid. Watching certificates with a browser plugin is probably too nerdy for most people, especially with all the re-certs happening from the latest OpenSSL bug, but it still is a good idea.

Device Setup

On the netbook ($199) is a remote client. No email, no heavy web browser, no sensitive data, just location information, photos and videos from the travel experience. And …

KeePassX (AES encryption) as a password manager. Only 3 passwords aren’t random, long, unique, unknown to me. Also store scans of passport, immunization records, and other critical information inside KeePassX. The DB is backed up to 6 different trusted locations. This is the most sensitive data on the netbook – double encrypted. LastPass is an honorable company, but they use HTTPS for transmission. You’ll need to decide if that protocol can be trusted for yourself.

Don’t forget to back up the devices BEFORE leaving.

Remote Desktop for Almost Everything

For the remote desktop, I use NX – it is 2x-3x more efficient than other F/LOSS alternatives. I’m actually using it NOW … from a GA-Tech conference. It is my desktop, but everything is safe back at home. There are Windows NX clients that work well, but since we aren’t traveling with Windows, that doesn’t matter. I have used NX from Europe, Thailand, Singapore, Korea, Japan, Turkey, South Africa and assorted places in the USA to my private cloud. It works surprisingly well for normal productivity applications. Streaming video and audio are problematic with all the free solutions. I understand that Citrix VDI can do 720p video streaming, but don’t have any more details and know nothing about the security features.

An IPSec VPN can provide the network safety too, but we are still left with the remote desktop inefficiencies that NX solves. Avoid PPTP-based VPNs. These days, any VPN using OpenSSL libraries would be a concern too. Since NX uses ssh as part of the protocol, there isn’t much need for a VPN as well, provided all the users are trusted on the internal network.

Previously, I would rather have traveled with a tablet for the longer battery life. No NX client currently available means I’d have to trust HTTPS … no thanks. The issue with this is that any network admin … like the Chinese government … can control DNS. Other governments are the only ISP in many other countries too, so this is not just China. Using FreeNX, based on ssh with certificate-based login, gives me peace of mind that the connection isn’t being intercepted. NX server has certs to use for the initial connection, then a password to access my specific desktop on the server. Other people can log in with a different user/password on the same box – it is Ubuntu with a low-graphics environment, lxde or straight fvwm.
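
Added example, not part of the original post: the protection against a DNS-controlling network rests on the ssh client recognising the home server's host key, so a redirect to a different machine shows up as a key mismatch. This Python code computes the SHA256 fingerprint in the form `ssh-keygen -l` prints and compares an offered key with one recorded at home before the trip; the host name, key bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import struct


def make_ed25519_line(raw32, comment):
    """Build an OpenSSH public-key line from constructed bytes (sample data only)."""
    ktype = b"ssh-ed25519"
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(raw32)) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line):
    """Return the SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; reject a
    # line whose declared type disagrees with what the blob itself says.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host(host, offered_line, pins):
    """Compare the key a server offers with the fingerprint pinned at home."""
    pinned = pins.get(host)
    if pinned is None:
        return "unknown"  # no pin recorded: do not trust-on-first-use abroad
    try:
        offered = fingerprint(offered_line)
    except ValueError:  # malformed key line or bad base64
        return "mismatch"
    return "match" if offered == pinned else "mismatch"


# Constructed sample keys and host name: not real host keys.
HOME_KEY = make_ed25519_line(bytes(range(32)), "home-server")
OTHER_KEY = make_ed25519_line(bytes(range(32, 64)), "unexpected-server")
PINS = {"home.example.net": fingerprint(HOME_KEY)}  # recorded before the trip

if __name__ == "__main__":
    for label, key in (("home key", HOME_KEY), ("other key", OTHER_KEY)):
        print(label, "->", check_host("home.example.net", key, PINS))
```

A "mismatch" or "unknown" result on a hotel or conference network is the cue to stop before typing the desktop password.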

A new-generation Chromebook has very long battery life – over 8 hrs. This can replace a tablet for travel easily and provide a more feature rich experience. I will admit that reading on a tablet is a much better experience. We have to make trade-offs during travel.

Besides this, the netbook has encrypted storage (just HOME for now), so if the netbook disappears or otherwise seems funny, I’m not worried too much about leaving the device behind and walking away. Full disk encryption would be preferable … which I use on smartphones with a 20+ digit passphrase. The passphrase is required to have encrypted storage. I haven’t noticed any slowdown on the netbook or Android after encrypting. It really doesn’t impact performance for most uses.

If something feels funny to me on the machine, I’m willing to walk away and leave it. If I took a $1500 laptop, I’d be much less likely to do that. Heck, even with a $350 device, I’m much less likely to leave it behind.

Hotel safes are not really all that safe. The internet has reset codes for every model out there. There isn’t always a safe, so that trivial TSA luggage lock and suitcase is all we have left. It is better than nothing.

Do not run Windows.

Too Paranoid?

Most people reading this will claim that I’m too paranoid. For your consideration, a few cases that have happened overseas:

  • Wireless networks (cellular data) have been used by the Chinese government to reflash firmware to gain access to data on a smartphone. Cellular network providers CAN do this. It is best to have YOUR smartphone off the network in untrusted nations. Get a $20 dumbphone if you must.
  • Laptops with DMA ports (Direct Memory Access) have been compromised by maids when travelers were sleeping, showering, or out for the day to access encrypted data. DMA ports include Display Port, Firewire, and those fancy PCMCIA slots in some laptops. So, if the machine is NOT shut down completely, then the encryption keys are available in RAM or the hibernation file.
  • Customs searches.
    • Prove the device works. That tricks us into unlocking any boot encryption. Have a trivial boot partition to prove it works that isn’t encrypted. Tiny Core or Puppy Linux are perfect for this.
    • People entering Israel have been forced to provide gmail, twitter, and facebook logins prior to entering the country.
    • On travel, we all take flash drives and SDHC memory as backups for photos and videos. This storage usually isn’t encrypted. Best to keep it tourist stuff.

What Others Say

I searched on “travel laptop security”.

Summary

Most of us don’t think we have anything interesting on our devices, but there is lots of data that gives away details, some highly personal. There may be cached work files and cached emails on our personal devices too. It is best to not have any of that data when we travel.

My No Data Needed Travel-Friendly Apps article.

Be certain to test out all your stuff before leaving. Pull the SIM from your smartphone and test for a day to learn what doesn’t work.

Please back up your devices before leaving. It might be the last time you see them.

So – what steps do you take when traveling to protect your computer and network connections?

  1. Craig 04/28/2014 at 18:10

    Wow, it’s a wonder those of us who live outside the US are able to manage to do anything on the Internet at all! My main concern is when I travel TO the US. Maybe you’ve heard of an organisation called the NSA. They’re just as evil — if not more so — than those dastardly Chinese to whom you refer.

  2. JD 04/28/2014 at 19:23

    The NSA is evil on some level too. I agree. Eventually, the people and courts in the USA will get the powers taken by the NSA back under control. I don’t worry about that too much.

    Also, I’ve worked inside government IT and know that almost everyone involved is trying to do the right thing. That doesn’t help me or anyone overseas today and it doesn’t make what they are doing inside the USA right. What the NSA does overseas honestly does not concern me. ;) Sorry.

    OTOH, the NSA is a monitoring agency. They watch, they don’t modify. Inside other countries, the spying on internet traffic that happens almost always IS NOT about protecting people, rather, it is about gaining leverage over people and corporations.

    Perhaps I’m too close to it, but I cannot think of any instance where the NSA provided inside information to any corporation (US or otherwise) for gain. The same cannot be said about the Chinese and French governments. The French government has been caught multiple times acquiring corporate data from competitors, then providing that data to French companies. The Chinese government routinely forces foreign corporations to teach Chinese companies the latest technologies, then refuses to do business with the foreign company – just ask Siemens about their technology transfer agreements.

    We all have a slightly different perspective and risk levels that we can accept.

    Inside the USA, the NSA is not supposed to be monitoring very much. It is connections outside the USA where they have a mandate to learn as much as possible, primarily to protect people living in the USA from outside bad guys, but also to protect nice people around the world when they can.

  3. Craig 04/29/2014 at 01:18

    Hi JD,

    Thanks for your reply, but it’s peppered with weasel words, starting with, “The NSA is evil on some level too.” Evil is evil, and I don’t share your optimism about your “people and courts” getting much power back any time soon short of a revolution, literal or figurative. (I live close enough to your border [4.5 kilometres, 3 miles] and am bombarded by enough American media that I feel reasonably qualified to state that opinion, and our own spy agency has been complicit in questionable NSA-connected activities domestically too so I’m not suggesting we’re any better.)

    However, I will acknowledge your valid lack of concern for what the NSA does overseas, although even your president has admitted that they went too far with countries that the US supposedly considers allies. I wonder how many of my friends would mind if I bugged their phones or read their email?

    Generally I’d also sort of agree with you about the rule of law differentiating Western democracies, but clearly that’s no longer the case, hence my lack of optimism stated above. This is why I find parochialism so galling, and why the hypocrisy of the NSA makes them (and by extension the US government), in my opinion, that much more evil … towards their own citizens, I emphasise. We know what the Chinese do and we expect that; we don’t (or didn’t) expect it of so-called democracies.

    As for “almost everyone [in the US government] involved … trying to do the right thing” … well, beside the fact that apparently “almost everyone” is not enough (or they’re all in the lower echelons where they have little or no effect), we all know what has happened to the few other people who have tried to do what they consider the right thing by bringing the excesses of the NSA to the public’s attention. The rest — “almost everyone” — are complicit in their silence.

    As for your more practical travel advice, it’s generally good and I follow most of your recommendations to the extent practical, and I don’t want to detract from that. However, again, I find the assumption that the whole world outside of the US is a lawless wasteland quite galling. When I venture further afield into that lawless wasteland (three months at a time) it’s not practical for me to do all of my work hunched over a $199 netbook along with a burner cell phone. Security (physical and technological) should be tailored to your destination and length of stay (among other things). That requires awareness and thinking, two activities I’m very much in favour of and which I find many people don’t do. (You obviously do, but we differ on our conclusions to an extent.) I spend quite a bit of time in a southern African country that has been recolonised by the Chinese, and it’s an open secret that the government there has outsourced their Internet monitoring to the Chinese.

    If you’re going to that lawless wasteland known as Europe (for example) for a three-day conference, sure, go to the trouble of preparing and taking your $199 netbook, burner cell phone and a healthy dose of paranoia, and let your contacts back in the US know you will be incommunicado; I can’t tell you how many times my computers and cell phones have been stolen or seized there. I can’t tell you how many times because it hasn’t happened, but it has entering the US.

    Finally, I’ll add one thing to your list that I do, or did. Before I board a means of mass conveyance (plane, train, etc.) with my primary machine I have in the past tried to make sure I have my hard drive backed up to a portable drive that I carry on my person and seal in a soft, plastic, waterproof container that scuba divers use. If said conveyance crashes (my own level of paranoia) and I survive, I don’t want to be the idiot that cost people their lives because I blocked them from leaving the vehicle while I was selfishly looking for and dragging my luggage towards the exit. (Think Asiana Airlines at SFO in July 2013.) However, these days I’m rather lax about that (practicality) if I know that my (encrypted) online back-ups are current.

    Cheers.

    Craig

  4. INTPJavaGirl 05/18/2014 at 19:53

    Have you tried encryption with an Android Phone or Tablet? I’ve read that it can be done fairly easily, but I’m wondering what kind of impacts it makes to running apps.

  5. JD 05/19/2014 at 02:49

    I’ve had full device encryption enabled for over a year. Don’t see any performance issue at all. My device only allows internal storage – no external SD cards allowed. That could make a difference. Any device with a slower CPU may feel the encryption. If you use high-end games, that could matter, but GLWG works just fine as do all the sudokus I have loaded.

    Plus, patterns to unlock are not allowed. A password is mandatory – and a trivial password just doesn’t make sense if going to this effort level.

    If we think about the risks, we are trying to stop unwanted people from accessing our data. I don’t think I can stop the NSA or even the cellular data provider from accessing everything on the device, but everyone else should be prevented. That’s what I choose to believe. ;) I also want to ensure that trial and error attempts don’t accidentally hit the correct password – 12+ characters, right?

    My device password is 15+ characters, relatively easy to type, but also easy to get wrong. I do all the time. It is required both at device boot AND to unlock it (as we are used to). Oh – and if you access the device using USB, it must be unlocked or that access is prevented.

    As with all levels of encryption – excellent backups are a must. Any corruption and there’s only 1 real answer – factory reset – flush all loaded data. Yep, backups are needed. I have never had issues with this and have loaded OS updates multiple times. Never needed a backup so far.