March 13, 2008 4:00 AM PDT

Security guide to customs-proofing your laptop

by Declan McCullagh

If you travel across national borders, it's time to customs-proof your laptop.

Customs officials have been stepping up electronic searches of laptops at the border, where travelers enjoy little privacy and have no legal grounds to object. Laptops and other electronic devices can be seized without reason, their contents copied, and the hardware returned hours or even weeks later.

Executives have been told that they must hand over their laptop to be analyzed by border police--or be barred from boarding their flight. A report from a U.S.-based marijuana activist says U.S. border guards browsed through her laptop's contents; British customs agents scan laptops for sexual material; so do their U.S. counterparts.

These procedures are entirely legal, according to court precedents so far. A U.S. federal appeals court has ruled that an in-depth analysis of a laptop's hard drive using the EnCase forensics software "was permissible without probable cause or a warrant under the border search doctrine." One lawsuit is seeking to force the government to disclose what policies it follows.

The information security implications are worrisome. Sensitive business documents can be stored in computers; lawyers may have notes protected by the attorney-client privilege; and journalists may save notes about confidential sources. Regulations like Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, and Gramm-Leach-Bliley may apply. A 2006 survey of business travelers showed that almost 90 percent of them didn't know that customs officials can peruse the contents of laptops and confiscate them without giving a reason.

Fortunately, you have some technological defenses against overly snoopy border agents. Keep reading for our easy-to-understand, Homeland-Security-inspired, color-coded News.com Guide to Customs-Proofing Your Laptop. (And no, we're not responsible if you end up cooling your heels in some Burmese prison for using PGP; check local laws and use good judgment.)

Let's assume you've already backed up your files before traveling in case your laptop gets seized for an indefinite period of time. The next thing to know is that merely setting an account password is insufficient.

Unless you use encryption, a customs agent can simply remove your laptop's hard drive, plug it into another computer, and peruse its contents. There are plenty of programs, including Guidance Software's EnCase Forensic, that let police extract every bit of data possible from that hard drive.

To guard against that, you can set aside a section of your computer's hard drive to be encrypted. This is the simplest approach because not all the files will be encrypted; the operating system itself and, in most cases, applications you use will remain unencrypted.

For Apple OS X users, FileVault does this by seamlessly scrambling the contents of your home directory (to enable, select the Security panel in Preferences and also click the "Use secure virtual memory" option). PGP sells volume encryption software for OS X and Windows. There's also the free TrueCrypt application, which runs on Windows Vista, Windows XP, OS X, and Linux.

Most people use encrypted volumes to do things like save sensitive files--think tax returns, bank and credit card statements, medical records, and so on.

But encryption isn't enough. Research published last month ("Lest We Remember: Cold Boot Attacks on Encryption Keys") demonstrates how encryption keys can be extracted from a laptop that's placed in sleep mode when the contents are retained in RAM. They haven't released the software to extract the contents yet, but it's not terribly difficult to write and you may not want to bet your privacy on government agencies being ignorant of this attack.

The solution is to let the contents of RAM decay by turning off your computer and letting it sit for a few minutes. A test they did showed that, after five minutes, the memory contents had completely disappeared and could not be retrieved.

Turning off your computer is especially important for OS X users, at least until Apple patches a security glitch that keeps account passwords in RAM. In the default configuration, the account password is the keychain password and yields passwords to wireless networks, Web sites, accounts accessed via SSH, network-mounted volumes, etc.

There's more. You'll want to delete cookies and browser-stored passwords for Web sites. Erase the cache and Web browsing history. Securely delete files not protected by the encrypted volume so they can't be undeleted at the border. Here are still more tips.

Another problem is that if customs agents have physical possession of your laptop and you can't see what they're doing, they can install spyware. (They have the technical ability to do so; let's put aside for the moment in which circumstances they would have the legal authority to do so. Besides, in some non-democratic regimes, questions about due process are irrelevant.)

There are at least three cases in which the Feds have, with a court order, installed spyware on a suspect's computer. As encryption becomes more popular, so will the use of fedware. There may be no easy way to detect it--security software vendors generally say they will--short of booting off of a DVD or another trusted device and checking the operating system for tampering. Linux users can use a Knoppix CD or DVD for this.
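One way to carry out the tamper check described above, as an added example that is not part of the original article: record a manifest of the system files before the trip, keep it off the laptop, and compare it after booting from trusted media. The function names and the JSON manifest format are assumptions made for this example.

```python
import hashlib
import json
import os
import stat


def hash_file(path, chunk_size=1 << 20):
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every path under root to (kind, permission bits, fingerprint).

    Files are fingerprinted by content hash and symlinks by their target, so
    a replaced binary, a changed permission bit and a redirected link all
    show up as differences. Run this from trusted boot media with the
    laptop's system volume mounted at root.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            info = os.lstat(full)
            mode = stat.S_IMODE(info.st_mode)
            rel = os.path.relpath(full, root)
            if stat.S_ISLNK(info.st_mode):
                manifest[rel] = ("link", mode, os.readlink(full))
            elif stat.S_ISREG(info.st_mode):
                manifest[rel] = ("file", mode, hash_file(full))
            elif stat.S_ISDIR(info.st_mode):
                manifest[rel] = ("dir", mode, "")
    return manifest


def save_manifest(manifest, path):
    """Write the baseline as JSON; store it off the laptop, e.g. with the backup."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=1, sort_keys=True)


def load_manifest(path):
    """Read a baseline back, restoring the tuples that JSON turned into lists."""
    with open(path, encoding="utf-8") as handle:
        return {rel: tuple(entry) for rel, entry in json.load(handle).items()}


def compare_manifests(baseline, current):
    """Return paths that were added, removed or changed since the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    import sys
    # Usage: manifest.py baseline ROOT FILE   (before travel)
    #        manifest.py verify ROOT FILE     (afterwards, from trusted boot media)
    if len(sys.argv) == 4 and sys.argv[1] in ("baseline", "verify"):
        action, root, manifest_path = sys.argv[1:]
        if action == "baseline":
            save_manifest(build_manifest(root), manifest_path)
        else:
            report = compare_manifests(load_manifest(manifest_path), build_manifest(root))
            print(json.dumps(report, indent=1))
```

The comparison is only as trustworthy as the environment it runs in and the copy of the baseline it reads, which is why both must come from outside the laptop that was out of your sight.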

All these extra steps are irksome, and stem from the fact that Threat Level Yellow with an encrypted volume doesn't completely protect you.

Why not? Unix-derived systems including Apple's OS X store details about VPN usage and user login times in unencrypted form. Some applications including Thunderbird save working copies of documents in an unencrypted area (/tmp or /private/tmp) outside the home directory. And the contents of the computer's virtual memory file may be readable as well.
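A pre-travel audit for the leak described above, as an added example that is not part of the original article: it lists files you own that sit outside the encrypted volume, such as working copies left in /tmp or /private/tmp. The function names are assumptions, and treating the home directory as the encrypted volume matches the FileVault setup the article describes.

```python
import os
import stat
import time


def _inside(path, parent):
    """True if path is parent itself or lies beneath it (both already resolved)."""
    return path == parent or path.startswith(parent + os.sep)


def find_unprotected_files(protected_dir, scan_dirs, owner_uid):
    """List regular files owned by owner_uid that sit outside protected_dir.

    protected_dir is the mount point of the encrypted volume (or an encrypted
    home directory); scan_dirs are locations such as /tmp or /private/tmp
    where applications drop working copies.
    Returns (path, size in bytes, modification time) tuples, newest first.
    """
    protected = os.path.realpath(protected_dir)
    findings = []
    for scan_dir in scan_dirs:
        for dirpath, dirnames, filenames in os.walk(scan_dir):
            if _inside(os.path.realpath(dirpath), protected):
                dirnames[:] = []  # do not descend into the encrypted volume
                continue
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    info = os.lstat(full)
                except OSError:
                    continue  # file vanished or is unreadable; skip it
                if stat.S_ISREG(info.st_mode) and info.st_uid == owner_uid:
                    findings.append((full, info.st_size, info.st_mtime))
    return sorted(findings, key=lambda item: item[2], reverse=True)


def format_report(findings):
    """Render findings as 'date  size  path' lines for review before travel."""
    lines = []
    for path, size, mtime in findings:
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        lines.append(f"{stamp}  {size:>10}  {path}")
    return lines


if __name__ == "__main__":
    home = os.path.expanduser("~")  # assumed to be the encrypted volume
    dirs = [d for d in ("/tmp", "/private/tmp", "/var/tmp") if os.path.isdir(d)]
    for line in format_report(find_unprotected_files(home, dirs, os.getuid())):
        print(line)
```

Anything the report lists is readable by whoever pulls the drive, regardless of the encrypted volume, and should be moved inside it or securely deleted.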

That brings us to Threat Level Orange, at which point you should encrypt everything. That means you won't have to worry about whether applications leak data outside the virtual safe of an encrypted volume.

Microsoft has included the BitLocker Drive Encryption feature in the Enterprise and Ultimate versions of Windows Vista. A perpetual license for PGP Whole Disk Encryption 9.8--often viewed as the gold standard of encryption products--for Windows costs $149. Macintosh users are out of luck for now, though PGP did tell us last month that whole disk encryption for OS X is "in active development." Linux users have loop-aes and dm-crypt to choose from.

The same advice as Threat Level Yellow holds for laptopping-across-the-border: shut down your computer for a few minutes to make sure the memory decays.

While you're at Threat Level Orange, you might as well take some additional steps to harden your machine against other attacks. One of those is to guard against having the entire contents of your computer's memory siphoned off through FireWire.

This isn't new. In 2004, Maximillian Dornseif showed how to extract the contents of a computer's memory merely by plugging in an iPod to the FireWire port. A subsequent presentation by Adam Boileau in 2006 expanded the FireWire attack to Windows-based systems; he released exploit code this month.

Under OS X, according to a security guide (PDF) by Paul Day, setting an Open Firmware password disables physical memory access for FireWire devices. Here's how to set an Open Firmware password.

If they're out to get you, or if you're sufficiently paranoid to think they are, you're at Threat Level Red.

One downside with encrypted drives is that they can be a huge blinking neon sign to customs officers saying: "Contraband! Likely! Here!" Even if you're law-abiding, an encrypted drive could mean unwanted hassles and delays, and the unpleasant prospect of customs officials preventing you from entering the country unless you type in your password. In the U.S., whether you can be compelled to divulge it by court order remains an unanswered question--and other nations may not observe such legal niceties.

One answer is steganography, which means concealing data in a way that nobody even knows it's there. It's an electronic form of invisible ink. Data can be stored in MP3s, in videos, and even in apparently-empty space on the hard drive.

Unfortunately, steganographic file systems are about as well developed as cryptographic ones were a decade ago--they're still more of a laboratory curiosity than something that's been thoroughly tested and built into commercial products. One exception is TrueCrypt, which offers two levels of plausible deniability, including a standard TrueCrypt volume that appears when you're forced to give your "password," and a hidden one that remains concealed.

Some technologists remain skeptical. Jon Callas, PGP's chief technology officer, says:

I have a rather negative opinion about steganographic file systems. I just flat don't believe they work. I don't believe you can hide the data so that nobody can find it...

If this customs official says, "Aha! I see you have a steganographic file system, tell me the other password," what do you do? It is unsafe to use a product that has a steganographic file system since you can never prove you have no steganographic data...

For steganography to work it must be custom-built for you. Or you're relying on the fact that the person searching for the data is stupid.

So what's left? Concealing the data in other ways. Bring your laptop with tourist snapshots and no steganography. Put your sensitive files on your camera's memory card or your phone's SD card; Sandisk's 32 GB SD card is supposed to ship soon.

Finally, there's always the option of bringing your data across the border electronically--by securely downloading it once you and your laptop have made it safely past customs. It may not work for everyone, and extremely large files may make it unwieldy as an option, but it may be the safest and easiest way to travel internationally nowadays.

Note: I'll be doing a live chat on this topic on Thursday (today) at 11am PT / 2pm ET. Join us!

Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this." E-mail Declan.
Use online storage
by BonesReview March 13, 2008 5:57 AM PDT
Aside from the possible difficulty in retrieving information in
certain countries, this is really a great article for the idea of online
applications. Wouldn't it be a good idea to use something like
FirstClass (http://www.firstclass.com) for your business. Everything
is accessible from every location and nothing is stored locally. In
addition, communication can be encrypted. Part of that could be
said for Google Docs, Amazon's S3 storage, and any other online
office/storage application.
Drinking the Kool-Aide on a daily basis
by sirtbelch March 13, 2008 6:35 AM PDT
Read my reply to topic...do you really think your information kept online is not being searched on a daily basis? Encryption is a joke! Do you think that the government would allow technology to proliferate that they couldn't deal with?

Storing your files online is the opposite from keeping them hidden...it's the exact opposite, it's handing them over to the authorities, and saying: "here guys, find anything you don't like?"

If Bin Laden is reading this, then I guess the jig is up, I have given him helpful information that will give him comfort and aide, I guess I'm un-patriotic, and supporting terrorists. In fact, it's the complete opposite: another massive attack on US soil would be the end of all this covert oversight, and the end of the world as we know it...something that even Bin Laden is hopefully smart enough to avoid.
Anything out of your care custody and control
by fhharris March 13, 2008 4:11 PM PDT
is subject to being investigated intercepted or just plain ripped off. You think Google is better, different or less patriotic than AT&T?

I wouldn't bet my life on it.
The nanny state
by mackenzie2881 March 13, 2008 6:03 AM PDT
If someone wants to have porn on their notebook (as long as it is with consenting adults) then the government has no right snooping around. I'm fed up with the government interfering in peoples' lives. This is just another example.
true...but pointless...
by sirtbelch March 13, 2008 6:24 AM PDT
While I totally agree with you, your point is null. Why would the government try to do anything to hurt the Adult Film industry? It grosses more than Hollywood! More importantly, however, it keeps wayward internet explorers distracted and sedated.

In Rome, I believe they used "bread and games" in America, they use "porn and chicken". So, don't worry, my 'handy' friend, your porn is safe going through customs.
Do you really think?
by sirtbelch March 13, 2008 6:18 AM PDT
...That anything anyone can do will be able to prevent people from accessing your computer? Take the NSA wire-tapping scandal, they have continuously admitted that phones-taps were a minority in their illegal activities. The majority of discretions had to do with unbelievably large nets scanning "electronic communications". Just look at the side bar of your gmail account, how exactly do you think those advertisements are targeted?

We live in an age of lofty ideals that are nothing but that. The internet is massive and powerful, it's a free market for information (and disinformation), but is there anyone who really thinks that there's no control? Imagine if Bin Laden posted a video on Youtube after another 9/11-like attack...if Pakistan could shut off Youtube worldwide, what do you think the sheer might of the US government could do? Youtube, Facebook and Blogs could be shutdown due to 'terrorists using them to recruit new members'...or even for promoting 'anti-government sentiment'.

Brand me a conspiracy theorist if you must, but I don't think I've made any points that are too far from the truth...now all I have to do is sit back and wait for someone to kick in my door...
well...
by pjhenry1216 March 13, 2008 6:51 AM PDT
The US has already said various online communities are being used to recruit and train terrorists, yet they haven't been shut down. The government can get away with some stuff, mostly the things that people don't use every day or things that don't affect them directly. However, you take away things like youtube or facebook, or worse, blogging (which would be impossible since it's not like blogs are stored on one ip address), you'll have so many people up in arms that they'll revolt if nothing is done to restore those services. The only reason the government is getting away with the things that they do is because of an apathetic population. People don't care enough about the things being taken away. But if the government takes away too much, they will care.
Activating FileVault
by Daniel L Smith March 13, 2008 6:52 AM PDT
"For Apple OS X users, FileVault does this by seamlessly
scrambling the contents of your home directory (to enable,
select the Security panel in Preferences and click the "Use secure
virtual memory" option)."

A rather strange name for the option -- one would think the
"Use secure virtual memory" option would be used to activate
secure virtual memory.

Turns out the *correct* way to turn on FileVault is to click the
button labeled "Turn on FileVault". Surprising, I know.
FileVault and Secure VM
by gypsyx March 13, 2008 8:42 AM PDT
It's really as simple as it sounds.

"Turn On FileVault..." turns on FileVault.

"Use secure virtual memory" turns on secure virtual memory.

It's amazing that CNET got it wrong, considering Apple made it
easy enough for my grandmother to get right.
Good, but what if you are you?
by Seaspray0 March 13, 2008 8:48 AM PDT
The problem with the seamless solution is that it's... well... seamless. If you are logged in as the user, then what good does it do? You can see it unencrypted. Microsoft also has the ability to do seamless file/folder encryption.

What this type of encryption is good for is if someone boots the computer to a separate operating system where the encryption then can't be broken easily.

Btw, for windows users: right click a folder, select properties, on the general tab click "advanced". Check the "encrypt contents to secure data" box.
Remove the drive
by 247mark March 13, 2008 7:29 AM PDT
and overnight it to your destination.
remove the drive????
by dlairman March 13, 2008 8:57 AM PDT
...because nothing that is shipped overnight across international borders is *ever* searched.

Right.

Do this and the drive is out of your control for a more substantial period of time than would be expected during an average border-crossing inspection.
How About this?
by amitjain17 March 13, 2008 9:10 AM PDT
How about renaming all your data files to .mp3 or .jpg or something. They don't know which files are what and if they double click on it, it won't work. When you use the files, just rename the extension.
File headers
by ImRaptor March 13, 2008 9:42 AM PDT
An extension is not what makes a JPEG a picture file. It is not uncommon these days to have a file type renamed with a different extension than what the type is and have the program opening the file to pop and say "The file type does not match the extension, do you want to open as the proper type?"

File headers are typically quite obvious as to what kind of file they are, extensions just make things easier, but in the end, an extension is just part of a name.
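Added example, not part of any comment in this thread: how an examiner's tooling identifies a file by its leading bytes and flags a renamed one, which is the file-header point made in the comment above. The signature table is a small constructed subset, and the function names are assumptions made for this example.

```python
import os

# (file type, leading bytes) for a few common formats; forensic suites carry
# far larger signature databases than this constructed subset.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),  # also .docx/.xlsx/.pptx containers
    ("ole2", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # legacy .doc/.xls/.ppt
    ("mp3", b"ID3"),  # MP3 that starts with an ID3v2 tag
]

EXTENSIONS = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
    ".pptx": "zip", ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".mp3": "mp3",
}


def sniff_type(header):
    """Return the type implied by the file's first bytes, or None if unknown."""
    for kind, magic in SIGNATURES:
        if header.startswith(magic):
            return kind
    # An MP3 without a tag begins with an MPEG frame sync: eleven set bits.
    if len(header) >= 2 and header[0] == 0xFF and (header[1] & 0xE0) == 0xE0:
        return "mp3"
    return None


def check_file(path):
    """Return (type claimed by extension, type detected from header, mismatch)."""
    with open(path, "rb") as handle:
        header = handle.read(16)
    claimed = EXTENSIONS.get(os.path.splitext(path)[1].lower())
    detected = sniff_type(header)
    # Content that matches no signature is still a mismatch for a known
    # extension: an encrypted blob named .mp3 does not start like an MP3.
    mismatch = claimed is not None and detected != claimed
    return claimed, detected, mismatch


def find_mismatches(root):
    """Walk root and return (path, claimed, detected) for every mismatch."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                claimed, detected, mismatch = check_file(full)
            except OSError:
                continue  # unreadable file; skip it
            if mismatch:
                hits.append((full, claimed, detected))
    return sorted(hits)
```

A renamed file therefore stands out more, not less: the mismatch itself is what a scan reports.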
Paedophiles are sick people
by WriteRight March 14, 2008 1:41 AM PDT
What kind of sick person are you? As a father of two children I suggest all paedophiles should be castrated.
Those who report tax evasion to the IRS are usually audited themself
by czvo024 March 14, 2008 7:39 AM PDT
Just saying there Mr. Indignant better than everyone else because you can prove you had sex.
Perhaps you should do some reading....
by hlywd217 March 14, 2008 9:42 PM PDT
There is a difference between a child molester and pedophiles.

Ever hear that cute saying...all potatoes are tubers but not all tubers are potatoes?

Someone who is just a pedophile is not at all harmful to children. It's just an attraction...the division of those who act on that attraction can also be divided into two categories: child molesters/rapists OR adults who have consensual sex with children/teens.

Anyway, etymologically speaking...a pedophile is just a person that loves children. pedo/(child)phile(lover of, enthusiast for). It sounds that you good sir are, at the heart of the matter, a pedophile yourself.
Suggestion for better security
by sysopdr March 14, 2008 9:10 AM PDT
Hi,

I use a laptop but I don't have much on it. I have no personal data and only put data I need on it for the trip I am doing. I keep the sensitive stuff on my Desktops at Work and home.
What a lot of people don't do is make sure the machine they are carrying is clean and when returning they don't clean it before they return.
It might have been clean going out but coming back they have everything they did while away.
Use secure remote access to data and only take what you need and clean everything before you return. My best advice for you.

But then again, do you really need to travel, can you do it remotely from home base? If you are traveling just to travel you are wasting your own time, risking the security of your system, wasting money and causing unnecessary travel and pollution. Travel virtually, it's safer, faster and reduces costs.

//_
Better idea
by pingpong111 March 14, 2008 11:50 AM PDT
Fix the law.
Even in transit?
by GGMCD March 14, 2008 12:01 PM PDT
Do they search your laptop even if you are in transit? God this could be a nightmare from Italy to New Zealand via the UK and US, nothing dodgy on my laptop but 60,000 photos and 3 portable hard drives will take them an age to browse through. Maybe best couriering everything home first :/
TrueCrypt already supports full disk encryption
by DrorHarari March 14, 2008 12:53 PM PDT
So no need for Vista Ultimate etc.

Also on Mac and Linux
Didn't know that
by ve7prt March 15, 2008 1:08 AM PDT
Only problem is Baike, that means the guards would have to install security software on your computer to do their search, right? My computers do not have any such software installed, and changing the file extension changes which program is loaded when you click the file. Considering that, changing the file extension would be a quick and dirty way of convoluting a one-off snoop. Now, OTOH, if they copy the contents of your drive to another machine and browse that way, all bets would be off.

Having said that, please read the last paragraph of my last post: "Best option would be to store your sensitive files on a jump drive,"... Then hide that jump drive in your luggage or somewhere not easily reached. Then your laptop would only contain the actual software you use. Your files would be safe (you hope!) on the jump drive.

Cheers!
Mike
Lie-detectors already being used
by AnonTip March 15, 2008 10:38 AM PDT
Good story, but leaves out a couple important facts:

1. If you are busted and have encryption installed on your machine, new laws now also make you guilty of "obstruction of justice" charges.

2. CNET & others have reported that airports have been experimenting with lie detectors since 2005. So be careful not to hesitate or otherwise "act suspiciously" when you are asked:
"Are you a terrorist?"
"Have you ever used illegal drugs?"
"Have you even had bad thoughts about your government or law enforcement?"
"Do you have knowledge of any criminal activity?"
"Have you ever lied on your taxes?"
"Have you ever been aroused by images of kids under 18?"
"Have you ever viewed images of kids under 18 on your computer?"

Welcome home :)
Funny
by The_Decider March 15, 2008 11:32 PM PDT
You haven't been paying attention to recent court cases. The ruling is the exact opposite of what you claim.

http://www.news.com/8301-13578_3-9834495-38.html?tag=bl
obstruction of justice charges
by declan00 March 18, 2008 1:16 PM PDT
You say: "If you are busted and have encryption installed on your machine, new laws now also make you guilty of "obstruction of justice" charges."

What law is that, exactly?
by Peter.register July 24, 2008 12:58 AM PDT
The point is not how to hide data but to avoid unwanted hassles. I have traveled the world and I can tell you that it is a waste of time what custom officials and police are doing. I've been stopped and searched so many times that it adds up hours if not days of my life. Innocent people are being hassled around the world. Orwell's future is here now. Governments want absolute power and will stop at nothing to secure this. Of course they pretend to achieve this with democratic means, but it's all a charade. Historically, EVERY government that has taken this path has imploded from huge financial costs that are associated with such a Big Brother approach. Paranoia ultimately leads to self-destruction. The 'founding fathers' of the United States of America would have been promptly arrested and sentenced to death for acts of terrorism and treason and the US would never have existed if the British had the attitude, surveillance technology, and anti-terror laws of today. Governments are not interested in the well-being of their citizens. Our priorities are lop-sided: Do we live to work or do we work to live? Does a government serve its citizens or are the people serving the government? To impose freedom is to create fascism.

PS: I have lots of nude pictures of my gorgeous wife for the customs officials to wank off to.
by Peter.register July 24, 2008 1:07 AM PDT
It won't be long now before we can't sing 'Happy Birthday' without securing copyrights.
by SapereAud33 February 7, 2009 6:46 PM PST
Try today, you already have to pay royalties for happy birthday if it is depicted in a movie.
by asshatmcgee August 1, 2008 3:25 PM PDT
welcome to 2008, where nothing is legal and america is the land of the not free. At least it's easier than ever to get drugs.
by azeerover August 1, 2008 4:25 PM PDT
PingPong has the right idea, "Fix the law." But that won't happen, most people think there's only two candidates for president, and neither of them will address the problem. If you bother to vote, try voting for an underdog candidate just to show your displeasure with the mainstream parties. In the US, you've got the government you voted for, so it's your own fault if you've made bad choices. For myself, I couldn't hack the paranoia and loss of freedoms, so left the US five years ago. For all the hype about China and "human rights", the average Chinese guy in the street has more freedom and less intervention in their lives by their government than the average US citizen has. You have more people in prison per capita than anywhere else in the world. You lost your freedoms long ago, and are just now beginning to take notice. Be careful how you respond - big brother is watching!
by willdryden December 18, 2008 8:49 AM PST
I just use a thumb drive and put it in a half empty cigarette pack. My computer has nothing on it they can use anyway. The more you try to hide things on the computer, the more they will think there is something to find on it and keep it longer looking.
by SapereAud33 February 7, 2009 6:53 PM PST
Careful with Filevault it has many known security holes and uses very weak encryption standards. Oh and one more idea, what do 99% of people have and carry across the border that can also hold large amounts of data (starts with an I ends with a pod) and what wouldn't be considered suspicious type of file to have on it. (starts with a mp ends with a 3) just a thought. Sapere Aude
by Darren_Chaker August 16, 2009 3:57 PM PDT
To add to the above article, if you or your company have information you do not want a third party to obtain, you MUST:

1. Encrypt the file/folder; Have a pass phrase, do NOT use a word due to software that can do dictionary attacks in multiple languages, but you must utilize a pass phrase with numbers and characters. DO NOT write it down. If you are a corporation, remember, industrial espionage is rampant. Ex-KGB, and other out of work intelligence officers make a living applying their trade to the highest bidder these days. I prefer PGP.

2. Use a wiping utility, CyberScrub, Evidence-Eliminator, etc. that wipes the cache area of your computer; this is where passwords are sometimes stored, and the software also has features that allow you to destroy web browsing history, photographs, etc.

3. Trust your computer to no one. Software and hardware devices cost as little as $30 and will record each character you type and e-mail it to the person who wants to know your passphrase, bank account info, etc. Of course, do NOT open e-mail you do not know who it is from since there is spyware you can be e-mailed, and it will install once opened.

4. If you want to put the icing on the computer security cake, use a proxy that does not keep logs of their users activity. Most do not.