[ISN] Taking your laptop into the US? Be sure to hide all your data first

From: InfoSec News (alerts@private)
Date: Thu May 15 2008 - 00:52:39 PDT


By Bruce Schneier
The Guardian
May 15 2008

Last month a US court ruled that border agents can search your laptop, 
or any other electronic device, when you're entering the country. They 
can take your computer and download its entire contents, or keep it for 
several days. Customs and Border Patrol has not published any rules 
regarding this practice, and I and others have written a letter to 
Congress urging it to investigate and regulate this practice.

But the US is not alone. British customs agents search laptops for 
pornography. And there are reports on the internet of this sort of thing 
happening at other borders, too. You might not like it, but it's a fact. 
So how do you protect yourself?

Encrypting your entire hard drive, something you should certainly do for 
security in case your computer is lost or stolen, won't work here. The 
border agent is likely to start this whole process with a "please type 
in your password". Of course you can refuse, but the agent can search 
you further, detain you longer, refuse you entry into the country and 
otherwise ruin your day.

You're going to have to hide your data. Set a portion of your hard drive 
to be encrypted with a different key - even if you also encrypt your 
entire hard drive - and keep your sensitive data there. Lots of programs 
allow you to do this. I use PGP Disk (from pgp.com). TrueCrypt 
(truecrypt.org) is also good, and free.

While customs agents might poke around on your laptop, they're unlikely 
to find the encrypted partition. (You can make the icon invisible, for 
some added protection.) And if they download the contents of your hard 
drive to examine later, you won't care.

Be sure to choose a strong encryption password. Details are too 
complicated for a quick tip, but basically anything easy to remember is 
easy to guess. (My advice is at tinyurl.com/4f8z4n.) Unfortunately, this 
isn't a perfect solution. Your computer might have left a copy of the 
password on the disk somewhere, and (as I also describe at the above 
link) smart forensic software will find it.

So your best defence is to clean up your laptop. A customs agent can't 
read what you don't have. You don't need five years' worth of email and 
client data. You don't need your old love letters and those photos (you 
know the ones I'm talking about). Delete everything you don't absolutely 
need. And use a secure file erasure program to do it. While you're at 
it, delete your browser's cookies, cache and browsing history. It's 
nobody's business what websites you've visited. And turn your computer 
off - don't just put it to sleep - before you go through customs; that 
deletes other things. Think of all this as the last thing to do before 
you stow your electronic devices for landing. Some companies now give 
their employees forensically clean laptops for travel, and have them 
download any sensitive data over a virtual private network once they've 
entered the country. They send any work back the same way, and delete 
everything again before crossing the border to go home. This is a good 
idea if you can do it.

If you can't, consider putting your sensitive data on a USB drive or 
even a camera memory card: even 16GB cards are reasonably priced these 
days. Encrypt it, of course, because it's easy to lose something that 
small. Slip it in your pocket, and it's likely to remain unnoticed even 
if the customs agent pokes through your laptop. If someone does discover 
it, you can try saying: "I don't know what's on there. My boss told me 
to give it to the head of the New York office." If you've chosen a 
strong encryption password, you won't care if he confiscates it.

Lastly, don't forget your phone and PDA. Customs agents can search those 
too: emails, your phone book, your calendar. Unfortunately, there's 
nothing you can do here except delete things.

I know this all sounds like work, and that it's easier to just ignore 
everything here and hope you don't get searched. Today, the odds are in 
your favour. But new forensic tools are making automatic searches easier 
and easier, and the recent US court ruling is likely to embolden other 
countries. It's better to be safe than sorry.

Bruce Schneier is a security technologist and author: schneier.com/blog

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Thu May 15 2008 - 01:06:00 PDT