Jet airliner
Political staffer Huma Abedin has been dominating media headlines as of late for a number of issues, including leaked emails uncovered by Citizens United and released publicly by Fox News. In the exposed emails, she refers to an intent to leave her mobile device, specifically a BlackBerry, behind during a 2009 trip to Russia.
In the political sphere, Abedin is receiving blowback for what some perceive as trying to hide or obscure controversial information, but the truth is, Abedin and fellow travelers were following smart information security practices by ditching regularly-used mobile devices when traveling abroad, especially to destinations where law permits monitoring, analysis, and retention of any data traversing local communication networks.
The ubiquity of mobile devices has brought about positive change for communication. When traveling, the ability to stay in touch with family, friends, and work colleagues is often desired and/or necessary. Many people admit to a feeling of discomfort when disconnected from internet-connected devices, yet connectivity also introduces risk.
Leavin’ home, out on the road
Protecting personal privacy in the face of government surveillance isn’t a new phenomenon. Some in the information security community have been proselytizing for better foreign travel mobile device practices and controls for nearly a decade. Now, with high-powered computers in our pockets, it’s more important than ever to take precautionary measures, especially if sensitive information is at risk. Whatever side of the political scale you’re on, it’s hard to argue that political aides should play fast and loose with mobile devices when traveling to countries where private communications are expected to be monitored, censorship is commonplace, or the use of certain technologies could potentially lead to criminal investigation or charges.
Abedin’s (suspected) intentions aside, and despite the ease of traveling with one’s regular device and hassle of readying entirely new devices or communication channels, it’s a good idea to consider mobile communications when traveling overseas. “Preparedness is the key to staying safe when planning for foreign travel,” says Michael Podszywalow, senior security consultant at SpyByte LLC. He further advises, “Incorporating elements of both information and physical security are a necessity.” Here are a few things to think about before boarding a plane for work or personal business:
Consider a burner device
A prepaid phone or temporary and inexpensive laptop/tablet without any history or stored data can be a traveler’s best friend, especially when visiting geographies where the local government has a right to surveil communications, seize devices, or review device information without a warrant. This will also help when or if the device is confiscated. If a regular device must be used, carefully wipe any unnecessary and/or sensitive data, including passwords, user IDs, travel information, credit card numbers, etc. before departure.
Create dummy accounts
Whenever possible, set up temporary email accounts with new user IDs and passwords to communicate with parties back home. Even through a dummy account, don’t send any sensitive information via email, text, or instant messaging. Change all passwords after departing the country, even if you never plan to use the temporary account again.
Limit use of social media sites
Social media is a beacon to the world about users’ thoughts, activities, and plans. Social media sites are heavily monitored (and not just by adversaries), and savvy surveillance operations can learn a lot about you from those postings.
Update operating systems and software
Ensure that devices are current with the latest patches and updates.
Back up and encrypt data
Any information stored on a device should be backed up regularly, regardless of travel plans. If any remote possibility exists where a device could be accessed by an unauthorized user (or seized at border control), you’ll want to make sure you have your data stored somewhere safe (and possibly air gapped). Sensitive data—especially work data or personal information—should be encrypted. Many mobile devices now ship with this capability. Make sure to turn it on, when possible, or install tools before departure. Note that using encryption doesn’t mean a foreign government won’t be able to decrypt and view your data, but it will be more challenging for them to do so, and may ward off some unnecessary intrusions.
Avoid accessing financial, health, or other personal sites while on travel
Unless absolutely necessary, don’t login to your banking or credit card website(s), patient portal, retirement accounts, or other sites with highly personal information while abroad. If you must, change your passwords as soon as possible following your trip, and inform providers of the situation so they can flag any potential deviance.
Forgo public WiFi and Bluetooth
In fact, don’t use open WiFi when on “friendly” soil either. Disable these protocols when traveling so that it becomes significantly more difficult for an unauthorized or unwanted party to surreptitiously use them to incept communications.
Be stingy
Don’t share devices, accounts, or work on a shared device in a cyber café, hotel business center, public space, or similar. If connecting in a public location, work over a VPN connection whenever feasible.
Somebody’s tryin’ to make me stay…
The above are just a few common sense security tips for using mobile devices when traveling abroad. “It’s about more than digital security,” says Podszywalow, “it is really a blend of understanding one’s surroundings and the dangers that could ensue from a lack of awareness and preparedness.” MISTI will host a live webinar on October 7, 2016 on Addressing Foreign Travel Security Concerns, which will dive deeper into methods to reduce data risk when traveling abroad, and provide suggestions for a security briefing to corporate executives upon return as part of an overall risk management strategy.
