The Trouble With Bringing Your Business Laptop To China 402
snydeq writes "A growing trend faces business executives traveling to China: government or industry spooks stealing data from their laptops and installing spyware. 'While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer — without your having a clue. The result? Exposure of information, including customer data, product development documentation, countless emails, and other proprietary information of value to competitors and foreign governments. Perhaps even, thanks to the spyware, there's an ongoing infection in your corporate network that continually phones home key secrets for months or years afterward.'"
some reading (Score:3, Informative)
http://www.schneier.com/blog/archives/2009/07/laptop_security.html [schneier.com]
https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices [eff.org]
Re:That's only one of the problems (Score:5, Informative)
Controlled technology includes software as well as hardware.
Re:That's only one of the problems (Score:5, Informative)
how does bringing them back there in anyway give China access to any "controlled technology" they don't already have?
It's the information the technologist has stored on it that is the problem. The export control laws are enforced by the Bureau of Industry and Security [doc.gov], and they are arcane, complex, and woefully out of date. Just to give one example, if you're a microprocessor designer, and have a design that operates at temperatures exceeding 125C, that design is controlled; carrying that design in your laptop when you go to China is a violation of the law -- whether or not it is even accessed while in China. (It's also illegal to show that design to any person of Chinese citizenship, even if you both are in the US at the time; that, too, is considered export under the law.)
solutions: (Score:4, Informative)
There are several ways around this, with increasing levels of overhead.
0) don't bring the laptop to begin with. (Hehe.. har.. yeah, who am I kidding?)
1) yank the HDD completely, boot the laptop using a custom knoppix DVD, with an RDP client. Save your work in the cloud/at the enterprise, behind a strong enterprise password. Malware magically vanishes when the laptop powers down. No local data to collect.
2) use something like black ice defender.
3) use whole disk encryption with almost reigious zeal.
Personally, I prefer the live dvd approach. It has fringe benefts of always being a fresh, clean environment, and a complete black hole for forensic data recovery. Only the rubber hose method to get you to reveal the RDP account password remains as a reliable method of intrusion, though this assumes you aren't an idiot, and weren't so stupid as to package a keyring on the live DVD. (The whole idea is to keep sensitive data OFF the system!) If you absolutey NEED a keyring, find some way to use an actual usb keyfob to store it, and always carry your keys.
Regardless of the method used, remember that allowing unauthorized persons access to the physical system is practically synonymous with being pwned. The live dvd method only gives them physical access to a terminal.
Re:encryption (Score:4, Informative)
Mandatory and automatic lock-up of a computer after a period of inactivity is neither new nor hard to enforce.
Re:That's what encryption is for. (Score:4, Informative)
This exactly. Encrypt the laptop but don't actually keep anything important on it. Instead use Truecrypt and a USB thumb drive. Have the thumb drive keyed to a different password than the laptop.
Further, as far as customs, drop a live CD of any variety in the CD drive, and have the laptop default to booting the CD. Now when custom guys asks to inspect your laptop, say sure, and let it boot the live CD. You can be amused while they laugh at how slow your laptop boots. In the end let em clone the HD, whatever, even if the NSA cracks it there is nothing on it. Everything important is on the thumb drive that you have "hidden" away (usually in plain sight on a keychain).
As far as the article, carrying your corporate secrets encrypted in your pocket will make any thieves job harder, and having the laptop encrypted will force them to install keylogger hardware, a more time consuming and harder thing to get away with. If I were such an executive and had real concerns I would just get a throwaway laptop, or better yet have some fun and epoxy all the case screws in. There are possibilities.
Re:encryption (Score:5, Informative)
A hardware keylogger inline with the keyboard cable takes care of that. It only means they'll have to break in twice instead of once.
Silly (Score:4, Informative)
We don't even have people that travel outside the country and yet your security standards state that:
A. The laptop is wiped and re-imaged upon return. Every time.
B. The user simply uses the laptop to VPN into our corporate network which is protected by a random keyfob plus all the usual security.
C. Corporate laptops never leave the site of the user. You take it with you everywhere you go. Period.
Granted, I don't think C gets followed all that much. But A and B are pretty solid. Who the hell keeps a personal laptop for work anymore?
Re:encryption (Score:2, Informative)
What good is HDD encryption when they have/had physical access to the device? If you get physical access tot he HW all you have to do is take a copy of the HDD (erm, DD will do this for you) and crack it at your leisure.
There was a story from a few years back where a fellow had his laptop confiscated. It was encrypted with TrueCrypt and the US govt tried, and failed, to break the encryption for months. So no, it's not an easy thing
Besides this, the article is bollocks made up by people who have had too much pot/coffee and not enough exposure to the real world. China's govt doesn't give a shit about your crappy companies secrets
China most certainly does care about your companies secrets if the company is involved in military contracts. Even if you don't travel, they are trying to get at the data that is here. Some of the recent fighter aircraft programs have had problems in particular with data theft.
Encryption: Not allowed (Score:5, Informative)
Both China and Russia prohibit travelers from entering the country with encrypted devices unless they have government permission.
Re:throw away laptops (Score:5, Informative)
ChromeOS encrypts all user data by default, automatically verifies the integrity of all software during startup, and reverts to a known-good version in the event any compromise is discovered. Boot verification is based on code and data stored in ROM, so subverting it requires modifying the hardware. Run-time compromise must be done by leveraging web-style attacks (cross-site scripting, etc.) and can normally only achieve what web-style attacks can achieve which is access to data from other sites, etc. In the event deeper compromise is achieved, it's lost as soon as the device is restarted, until the user visits the malicious web site again.
Use a Chromebook, connect only to trusted sites and only over SSL, and you become an extremely hard target for compromise. Little if any of your data is actually stored on the device, what is cached on it is encrypted. When you get home, reboot and you're very, very likely to have a trustworthy system again. Do a factory reset and it's guaranteed to be clean (barring hardware hacks), since all data will be gone, and any modified code will be detected by the verified boot process. And, as a last resort, you only paid $200 for the thing, so if you fear hardware hacks, just chuck it and buy a new one. It's unlikely to add more than about 5% to the cost of your trip.
http://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview
Re:Industrial espionage (Score:4, Informative)
The use of the awkward word "stuffs" has been, in my experience, a strong (actually, perfect) indicator that the speaker is Chinese.
I almost didn't post this for fear that the chicom astroturfers (you?) will adapt, but i think it's important to get the word out regardless.
Protip to westerners: keep your eyes open for awkwardly idiomatic phrases, especially when the speaker is defending China either directly or indirectly.
Protip to the other side: stuff is an uncountable plural word already. "stuffs" is just "stuff." it's like saying "mices."
I've been using "stuffs" from time to time as long as I remember. Native American English speaker here, not a bit of Chinese in my family, other than in-laws.
Now that I think of it, I've NEVER heard anyone but other Americans or Australians even use it.
Protip: My anecdote says your anecdote is full of crap.
Re:Shred of Evidence (Score:5, Informative)
US export law is no joking matter. It is impossible to exaggerate how goofy the rules are, and how much trouble you can get in for violating them. It doesn't matter if you're a hacker in a basement or a Fortune 100 defense contractor -- you do not want to mess around with these people.
Some examples [doc.gov] of the evidence you're asking for.
More here [doc.gov]. I think my favorite is the veterinary supply wholesaler in Waukee, Iowa who was fined $250,000 for sixteen unlicensed exports of cattle prods to Mexico.