March 13, 2008 4:00 AM PDT

Security guide to customs-proofing your laptop

Posted by Declan McCullagh

If you travel across national borders, it's time to customs-proof your laptop.

Customs officials have been stepping up electronic searches of laptops at the border, where travelers enjoy little privacy and have no legal grounds to object. Laptops and other electronic devices can be seized without reason, their contents copied, and the hardware returned hours or even weeks later.

Executives have been told that they must hand over their laptop to be analyzed by border police--or be barred from boarding their flight. A report from a U.S.-based marijuana activist says U.S. border guards browsed through her laptop's contents; British customs agents scan laptops for sexual material; so do their U.S. counterparts.

These procedures are entirely legal, according to court precedents so far. A U.S. federal appeals court has ruled that an in-depth analysis of a laptop's hard drive using the EnCase forensics software "was permissible without probable cause or a warrant under the border search doctrine." One lawsuit is seeking to force the government to disclose what policies it follows.

The information security implications are worrisome. Sensitive business documents can be stored in computers; lawyers may have notes protected by the attorney-client privilege; and journalists may save notes about confidential sources. Regulations like Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, and Gramm-Leach-Bliley may apply. A 2006 survey of business travelers showed that almost 90 percent of them didn't know that customs officials can peruse the contents of laptops and confiscate them without giving a reason.

Fortunately, you have some technological defenses against overly snoopy border agents. Keep reading for our easy-to-understand, Homeland-Security-inspired, color-coded News.com Guide to Customs-Proofing Your Laptop. (And no, we're not responsible if you end up cooling your heels in some Burmese prison for using PGP; check local laws and use good judgment.)

Let's assume you've already backed up your files before traveling in case your laptop gets seized for an indefinite period of time. The next thing to know is that merely setting an account password is insufficient.

Unless you use encryption, a customs agent can simply remove your laptop's hard drive, plug it into another computer, and peruse its contents. There are plenty of programs, including Guidance Software's EnCase Forensic, that let police extract every bit of data possible from that hard drive.

To guard against that, you can set aside a section of your computer's hard drive to be encrypted. This is the simplest approach because not all the files will be encrypted; the operating system itself and, in most cases, applications you use will remain unencrypted.

For Apple OS X users, FileVault does this by seamlessly scrambling the contents of your home directory (to enable, select the Security panel in Preferences and also click the "Use secure virtual memory" option). PGP sells volume encryption software for OS X and Windows. There's also the free TrueCrypt application, which runs on Windows Vista, Windows XP, OS X, and Linux.

Most people use encrypted volumes to do things like save sensitive files--think tax returns, bank and credit card statements, medical records, and so on.

But encryption isn't enough. Research published last month ("Lest We Remember: Cold Boot Attacks on Encryption Keys") demonstrates how encryption keys can be extracted from a laptop that's placed in sleep mode when the contents are retained in RAM. They haven't released the software to extract the contents yet, but it's not terribly difficult to write and you may not want to bet your privacy on government agencies being ignorant of this attack.

The solution is to let the contents of RAM decay by turning off your computer and letting it sit for a few minutes. A test they did showed that, after five minutes, the memory contents had completely disappeared and could not be retrieved.

Turning off your computer is especially important for OS X users, at least until Apple patches a security glitch that keeps account passwords in RAM. In the default configuration, the account password is the keychain password and yields passwords to wireless networks, Web sites, accounts accessed via SSH, network-mounted volumes, etc.

There's more. You'll want to delete cookies and browser-stored passwords for Web sites. Erase the cache and Web browsing history. Securely delete files not protected by the encrypted volume so they can't be undeleted at the border. Here are still more tips.

Another problem is that if customs agents have physical possession of your laptop and you can't see what they're doing, they can install spyware. (They have the technical ability to do so; let's put aside for the moment in which circumstances they would have the legal authority to do so. Besides, in some non-democratic regimes, questions about due process are irrelevant.)

There are at least three cases in which the Feds have, with a court order, installed spyware on a suspect's computer. As encryption becomes more popular, so will the use of fedware. There may be no easy way to detect it--security software vendors generally say they will--short of booting off of a DVD or another trusted device and checking the operating system for tampering. Linux users can use a Knoppix CD or DVD for this.

All these extra steps are irksome, and stem from the fact that Threat Level Yellow with an encrypted volume doesn't completely protect you.

Why not? Unix-derived systems including Apple's OS X store details about VPN usage and user login times in unencrypted form. Some applications including Thunderbird save working copies of documents in an unencrypted area (/tmp or /private/tmp) outside the home directory. And the contents of the computer's virtual memory file may be readable as well.

That brings us to Threat Level Orange, at which point you should encrypt everything. That means you won't have to worry about whether applications leak data outside the virtual safe of an encrypted volume.

Microsoft has included the BitLocker Drive Encryption feature in the Enterprise and Ultimate versions of Windows Vista. A perpetual license for PGP Whole Disk Encryption 9.8--often viewed as the gold standard of encryption products--for Windows costs $149. Macintosh users are out of luck for now, though PGP did tell us last month that whole disk encryption for OS X is "in active development." Linux users have loop-aes and dm-crypt to choose from.

The same advice as Threat Level Yellow holds for laptopping-across-the-border: shut down your computer for a few minutes to make sure the memory decays.

While you're at Threat Level Orange, you might as well take some additional steps to harden your machine against other attacks. One of those is guard against having the entire contents of your computer's memory siphoned off through FireWire.

This isn't new. In 2004, Maximillian Dornseif showed how to extract the contents of a computer's memory merely by plugging in an iPod to the FireWire port. A subsequent presentation by Adam Boileau in 2006 expanded the FireWire attack to Windows-based systems; he released exploit code this month.

Under OS X, according to a security guide (PDF) by Paul Day, setting an Open Firmware password disables physical memory access for FireWire devices. Here's how to set an Open Firmware password.

If they're out to get you, or if you're sufficiently paranoid to think they are, you're at Threat Level Red.

One downside with encrypted drives is that they can be a huge blinking neon side to customs officers saying: "Contraband! Likely! Here!" Even if you're law-abiding, an encrypted drive could mean unwanted hassles and delays, and the unpleasant prospect of customs officials preventing you from entering the country unless you type in your password. In the U.S., whether you can be compelled to divulge it by court order remains an unanswered question--and other nations may not observe such legal niceties.

One answer is steganography, which means concealing data in a way that nobody even knows it's there. It's an electronic form of invisible ink. Data can be stored in MP3s, in videos, and even in apparently-empty space on the hard drive.

Unfortunately, steganographic file systems are about as well developed as cryptographic ones were a decade ago--they're still more of a laboratory curiosity than something that's been thoroughly tested and built into commercial products. One exception is TrueCrypt, which offers two levels of plausible deniability, including a standard TrueCrypt volume that appears when you're forced to give your "password," and a hidden one that remains concealed.

Some technologists remain skeptical. Jon Callas, PGP's chief technology officer, says:

I have a rather negative opinion about steganographic file systems. I just flat don't believe they work. I don't believe you can hide the data so that nobody can find it...

If this customs official says, "Aha! I see you have a steganographic file system, tell me the other password,' what do you do?" It is unsafe to use a product that has a steganographic file system since you can never prove you have no steganographic data...

For stegonography to work it must be custom-built for you. Or you're relying on the fact that the person searching for the data is stupid.

So what's left? Concealing the data in other ways. Bring your laptop with tourist snapshots and no steganography. Put your sensitive files on your camera's memory card or your phone's SD card; Sandisk's 32 GB SD card is supposed to ship soon.

Finally, there's always the option of bringing your data across the border electronically--by securely downloading it once you and your laptop have made it safely past customs. It may not work for everyone, and extremely large files may make it unwieldy as an option, but it may be the safest and easiest way to travel internationally nowadays.

Note: I'll be doing a live chat on this topic on Thursday (today) at 11am PT / 2pm ET. Join us!