A CIO friend of mine asked me what the best practices are for protecting laptops and phones during foreign travel, and in particular travel to China.
What you can count on when you land in China is that your phone will be electronically hijacked immediately for SMS (text) and SMTP (email). The software stacks that control both protocols will be compromised. The Chinese are not the only ones doing this. The FBI (see “How the FBI Intercepts Cell Phone Data”) and the UK security services are doing the same.
How is this done?
You simply place yourself in a van between signal towers and intercept signals in order to gain access to these protocol stacks. There is an order-of-magnitude difference in difficulty between hacking Apple iOS products and Droid, but all are compromisable, and the equipment can be acquired for under $10k.
According to the New York Times, “McAfee, the security company, said that if any employee’s device was inspected at the Chinese border, it could never be plugged into McAfee’s network again. Ever. ‘We just wouldn’t take the risk,’ said Simon Hunt, a vice president.” (New York Times article)
A lot of the time the hack is not detected until months later, when product integrity is compromised, and even then it seems that companies are reticent to advertise news of a hack for fear of a reduction in share price. Below are some tips on what you should do to prevent both your phone and laptop from being hacked.
Foreign countries can perform software installs from these signal towers. This is done silently and can result in just about any spyware or malware being installed, all the way up to the phone being turned into a remote recording device.
What I do like are the secure platforms coming out that enable secure IM communication.
Phone Security Summary Tips and Assumptions (Attestation RedZone)
At a minimum, nothing on the phone, including phone calls, should be considered private. In the worst-case scenario, all conversations via the phone, coming and going, and those in proximity to the phone are not private.
- Fact – There is little that can be done to prevent your phone from being hijacked except to not connect to any data networks for the length of the stay.
- Tip – If you use Wi-Fi, keep track of all accounts accessed and change passwords on return using a different device.
- Tip – If a foreign data/phone network is a must, then this should be a throwaway phone with as little personal or private data on it as possible. All accounts used on this phone should immediately have their passwords changed through other methods upon return. The phone should be wiped and really not used again unless it can be completely reimaged by the provider.
Laptop Security Summary Tips and Assumptions (Attestation RedZone)
- Do not leave the laptop powered on while unattended.
- Ensure that normal AV/antispyware is installed and that a firewall is blocking all incoming traffic.
- Educate foreign travelers about being wary of connecting to the internet via a proxy, as one usually needs to do when working from a hotel.
- Copy and paste passwords if possible from an encrypted USB. Never type passwords, as there may be a keylogger resident.
- Use a password-protected and encrypted USB key that also requires a special PIN for access.
- Be very careful of SSL certificate warnings. It is possible to interrupt communications by perverting DNS.
- Disable SSLv2 & SSLv3 on local browsers to prevent MITM access to SSL communications via POODLE or BEAST.
- While in the foreign country, pay attention to URLs and what information is being entered, especially HTTP versus HTTPS.
- Keep track of all accounts accessed and change passwords on return (from a device that was not in China).
- Use disk encryption... almost a no-brainer.
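The tips on certificate warnings, legacy SSL versions and HTTP versus HTTPS also apply to scripts and tools run from a travel laptop, not only to browsers. The following is an added example, not part of the original post: it uses Python's standard `ssl` module, and the function names and sample URLs are hypothetical and constructed for illustration.

```python
import ssl
from urllib.parse import urlsplit

def hardened_context():
    """Client TLS context: no legacy SSL, certificate problems are fatal."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSLv2, SSLv3, TLS 1.0/1.1
    return ctx

def weak_context():
    """The configuration to avoid: equivalent to clicking through every warning."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE               # accepts any certificate, even forged
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx

def audit_context(ctx):
    """Return findings for a context that would tolerate interception."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate errors ignored")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings

def plaintext_urls(urls):
    """Return the URLs that would be sent without TLS (anything not https)."""
    return [u for u in urls if urlsplit(u).scheme.lower() != "https"]

# Constructed sample input: addresses a traveler's script might contact.
SAMPLE_URLS = [
    "https://mail.example.com/login",
    "http://intranet.example.com/wiki",
    "HTTPS://vpn.example.com/",
]

if __name__ == "__main__":
    print("hardened:", audit_context(hardened_context()))
    print("weak:    ", audit_context(weak_context()))
    print("plaintext:", plaintext_urls(SAMPLE_URLS))
```

A connection made with `hardened_context()` raises `ssl.SSLCertVerificationError` instead of offering a warning to click through, which is the behavior you want on an untrusted network.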
If you have direct questions for me you can reach me at firstname.lastname@example.org