If you travel to China or Russia, assume government or industry spooks will steal your data and install spyware. Here's how to thwart them
You're traveling in China on business, and after checking into your hotel room you decide to grab a bite at a local restaurant. You're not planning to work, so you leave your laptop on the dresser, lock the door, and exit, feeling confident that your possessions are safe.
An hour and half later you return and note that all your stuff, including the laptop, is just where you left it. Everything seems fine, and you go about your business, conducting meetings with potential clients over the next few days before returning home.
But everything is not fine. While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer - without your having a clue.
The result? Exposure of information, including customer data, product development documentation, countless emails, and other proprietary information of value to competitors and foreign governments. Perhaps even, thanks to the spyware, there's an ongoing infection in your corporate network that continually phones home key secrets for months or years afterward.
Because so many users never detect that they've been compromised and few report the issue publicly, it's not clear how common this sort of spying is, but it does happen, say cyber security experts. In fact, you should simply assume your computer will be breached if you go to high-risk countries such as China to conduct business, says Israel Martinez, a private-sector board member at the US National Cyber Security Council, a defense industry group.
Cyber attacks overseas can happen in a variety of ways. In May 2012, the Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center, issued an intelligence note saying recent analysis from government agencies shows that "malicious actors" were going after travelers abroad. There were recent instances of travelers' laptops being infected with malicious software while they were using hotel Internet connections, the report noted.
Beware these high-risk regions for cyber attacks
"We have found that travelers going to countries in Asia, the Russian Federation, the Baltic states, and even parts of South America have their systems attacked and most likely breached while abroad," says Jerry Irvine, CIO at IT outsourcing provider Prescient Solutions and a member of the National Cyber Security Partnership, an organisation established to develop shared strategies and programs to better secure critical information infrastructure in the United States.
"While these things happen in the US, the difference is that, in addition to normal criminal activity, these countries also have government-sanctioned cyber espionage to back these thieves," Irvine says.
China and Russia are the two countries most frequently identified as being high risks, notes Emilian Papadopoulos, chief of staff at Good Harbor Security Risk Management, a security consultancy. Other high-risk countries include those with significant cyber capabilities, those known to conduct cyber espionage, and those known for corporate espionage and stealing business secrets and intellectual property, Papadopoulos says. "Countries with significant state control of private industry, especially in telecommunications, may also be higher risk," he says.
How to keep the spies out of your computer
Fortunately, you can take steps to prevent these sorts of spying attacks and other security threats or remediate them after the fact. Here are some tips from security experts and practitioners:
1. Leave your own laptop at home; bring a loaner instead.
The best way you can guard against losing valuable data or having it compromised is to bring a temporary laptop or other computing device when going overseas. "Upon returning home, the devices can be wiped to remove any malicious software," says Ben Piper, president of Ben Piper Consulting, which focuses on security.
If a temporary device isn't an option, remove all data from your device before leaving on the trip, except for what is absolutely needed, Piper advises. Have your company email forwarded to a temporary email account. Log into that account when overseas; if it's compromised, only that forwarded email is stolen and the attackers don't get access to your company email account.
Whatever you do, don't connect your devices to your personal or corporate networks or services upon returning from a trip until you have a security pro ensure there's no malicious software on the devices. "The goal of spyware is to steal information, whether by accessing it directly from the device or sitting latent until the device is connected to the company network, where the malicious software can infect other devices," Piper says.
Note that traditional antispyware tools have difficulty detecting the kind of spyware that foreign governments and sophisticated organized crime rings install, Martinez says. You might even use an inexpensive laptop that you throw away upon return rather than risk not detecting the spyware - much as criminals use disposal ("burner") cellphones to evade police and leave no records.
2. If you must bring your regular computer on a trip, don't leave it unattended or vulnerable to tampering.
When the situation calls for you to bring a laptop or mobile device on a business trip, always carry it with you, rather than leaving it in a hotel room or airport club, even for short durations. And - seriously - keep it under your pillow while sleeping.
If you leave it unattended, "assume it has been tampered with and when returning from overseas, hand it over to the IT security team at your organisation, detailing the day and amount of time you left it unaccompanied," says Lance James, director of intelligence at Vigilant, a provider of managed security services provider.
In those instances where keeping your laptop with you at all times is not practical, you might use the safe in your hotel room or at the front desk. Just be clear that this won't protect you from state-sponsored spies, who will have access to such safes. "Although hotel safes are not a perfect solution, they do raise the security bar beyond the level of the casual thief," says Raymond McDonald, senior security consultant at Akibia, a security consulting firm.
Employees, including executives, should be versed in data classification and handling procedures as a part of an established security training and awareness program, McDonald says. This helps ensure they understand what types of data they're authorized to maintain on their laptops at any time and what steps they must take to protect it.
3. Be cautious with smartphones and other mobile devices.
Smartphones can also be targets for espionage. For example, a customer of security products company KoolSpan brought his Android smartphone on a recent trip to China, and as a precaution noted the operating system version and radio stack version of his phone after arriving and before going to sleep.
When he woke up, the OS and radio stack version had been changed, says Glenn Schoonover, senior director of security solutions at KoolSpan and former chief of network security at the Pentagon. "The operating systems was updated over the air without the consent of the phone owner," he says.
The customer suspects it was done by the Chinese government, which controls the telecommunications service in China, Schoonover says. "With the right software they could turn on the microphone without alerting him, thus enabling them to listen to any of his conversations, not just phone calls," Schoonover says - or even remotely control his device to monitor emails, read stored files, and so on.
Even devices with a reputation for having strong security, such as Research in Motion's BlackBerry, need to be carefully guarded. For example, the last time security technology company Cylance had an executive travel overseas, he wiped his BlackBerry and used the cleaned smartphone for phone calls only, says Stuart McClure, Cylance's CEO.
When the executive returned home, the BlackBerry did not properly boot up, so the company had to do a full firmware refresh, McClure says. "We are still working on the forensics image to determine root cause, but it is clear that something happened to the firmware image, which can only be done with an invisible update from RIM -- which is not likely -- or an attack," he says.
4. Apply encryption generously.
If your laptop or mobile device has personally identifiable information or external access to personal and corporate systems, it's imperative that the devices be totally encrypted, says Prescient Solutions' Irvine.
Vendors such as Microsoft, Check Point, and Symantec have products to totally encrypt data on hard drives and portable storage devices, Irvine says. Apple includes such full-disk encryption in its OS X, though you may want to use a defense-grade product instead.
On mobile devices, Apple's iOS is encrypted by default, and that encryption can't be turned off. But it's not defense-grade encryption, so state-sponsored cyber thieves can get around it. That's also true of Android's encryption, which must be enabled by the user. The new Windows Phone 8 also includes device encryption, which is on by default as in iOS. All three mobile OSes use SSL encryption for data sent over the Internet; Apple provides S/MIME encryption for email as well.
To get better encryption of data on mobile devices, look to mobile management tools providers, several of which offer app containers that have a higher level of encryption around the data and apps running within them; examples include AirWatch, Good Technology, and MobileIron. And every mobile device management (MDM) tool can ensure that native device encryption is enabled.
Keep in mind that encryption isn't foolproof when it comes to thwarting highly skilled spies. "Operate with the awareness that even encrypted communication may not be completely private, and therefore limit any nonpublic activities while overseas," says Vigilant's James.
5. Limit remote access to devices and wireless communications when overseas.
You should disable access to and from Bluetooth and Wi-Fi devices while traveling, Irvine says.
"All Bluetooth devices have some vulnerabilities inherent to them," Irvine says. Older versions of Bluetooth are more susceptible to hacking and eavesdropping, he notes, so "if your device is older than a year or so, it's time to upgrade.".
"Wi-Fi hotspots and even hard-cable-based Internet access at untrusted locations should not be used," Irvine says. While cellular still may be suspect in foreign countries, he says, it remains the safer alternative.
Do not work in Internet cafés and other public hotspots. In countries like China, "these are not places where employees should be working on sensitive information or connecting and sending private or company restricted information via email or other forms of social media," says McDonald's Akibia.
If possible, work on networks that you trust, such as those in your own facilities or those operated by trusted business partners.
In addition, if you're planning to travel internationally, you should change all passwords on systems before leaving, to make sure that passwords on devices are not the same as any other passwords you have on personal or corporate systems back home. Also, use totally different passwords than normal, so a password stolen overseas doesn't help the cyber thief figure out your everyday passwords.
"If possible, IT departments should disable access to systems while they are abroad, so if [identity] or passwords are compromised, nothing can be accessed," Irvine says.
If wireless communication is necessary, all communications via mobile devices should use strong encryption and be limited where there is a concern that any potential adversary has significant cryptologic capabilities, says Timothy Ryan, a managing director at Kroll Advisory Solutions. Consider using VPNs with two-factor authentication. "If sensitive matters must be discussed, blend out-of-band communications such as voice and chat to increase the difficulty of your adversary monitoring your communications," he says.
6. Make sure your systems are up to date with antivirus software.
Failing to keep antivirus definitions current is virtually a guaranteed path to system compromise.
"Individuals engaging in the theft of proprietary information use malware, and morphed attacks via ports and services that cannot be blocked from the Internet," McDonald says. "These types of attacks take advantage of systems that are unpatched and behind on antivirus" updates.
Don't assume that antivirus tools are the only defense you need, says the National Cyber Security Council's Martinez says. They are a first line of defense, but not a complete defense. To combat the hidden malware increasingly inserted into apps, websites, and other venues, he expects that companies will soon routinely collect intelligence about compromised assets containing malware that now regularly slip through networks and their traditional defenses.
7. Don't broadcast your whereabouts.
Location-based tools are rapidly growing in popularity, thanks in part to the pinpoint accuracy of geolocation technology in today's mobile devices.
These services can provide useful information on places to eat or other local services, but keep in mind that there are downsides to this technology. When users check in on a location-savvy social network, they effectively broadcast to the world vital information about their whereabouts, which might provide useful information to a competitor.
A seemingly harmless check-in at an airport near a customer's headquarters could be all a savvy competitor or intelligence agency needs to plan its spying strategy, Ryan says.
When you travel overseas, you're a target
Clearly, if you're a business executive planning to travel overseas, you're a potential target for corporate and government spies. Take every precaution you can to protect corporate systems and data.
That's a discomfiting reality you may be tempted to laugh off as paranoia or "it won't happen to me."
Really, you shouldn't.