In a move that highlights the level of suspicion that still exists between Americans and our Chinese counterparts, or at least between our respective governments, the NCIX (Office of the National Counterintelligence Executive) has issued a new set of best practices for U.S. citizens traveling abroad with their electronic devices.
And while the NCIX in no way directly cites the large numbers of Americans travelling to China for the ongoing Olympics as the impetus for releasing its advisory, many observers (including myself and researchers with SANs Institute) are interpreting the decree as aimed at those individuals in particular.
The timing just seems too coincidental for there to be no connection between the two events, and NCIX officials did mention China specifically, among other places, in making their general announcement of the tips.
With the escalating cyber-intelligence activities carried out between the two countries in recent years being played out publicly in the news (and the sky above China), there’s no question that the two world powers are very wary of each other’s ability to infiltrate their respective government, military and business networks to gain some sort of advantage.
But now it would seem that the U.S government is telling everyday consumers that they need to worry as well, though the tips the NCIX offers are really just suggesting the same types of habits that security-conscious users have likely been practicing for ages on their own.
At the end of the day, hacked consumer devices could lead to major data leaks at the organizations where the affected people work or go to school, so in that sense the government is likely just trying to do itself a favor by educating the masses.
Either way, the suggested policies seem worth noting, as most people are likely far too lax in protecting themselves.
Enjoy!
NCIX tips:
-In most countries you have no expectation of privacy in Internet cafes, hotels, offices or public places.
-Hotel business centers and phone networks are regularly monitored in many countries. In some countries, hotel rooms are often searched.
-All information you send electronically by fax machine, personal digital assistant (PDA), computer, or telephone – can be intercepted. Wireless devices are especially vulnerable.
-Security services and criminals can track your movements using your mobile phone or PDA and can turn on the microphone in your device even when you think it’s off. To prevent this, remove the battery.
-Security services and criminals can also insert malicious software into your device through any connection they control. They can also do it wirelessly if your device is enabled for wireless.
-Malware can also be transferred to your device through thumb drives (USB sticks), computer disks, and other “gifts.”
-Transmitting sensitive government, personal, or proprietary information from abroad is therefore risky.
-Corporate and government officials are most at risk, but don’t assume you’re too insignificant to be targeted.
-Foreign security services and criminals are adept at “phishing” – that is, pretending to be someone you trust in order to obtain personal or sensitive information.
-If a customs official demands to examine your device, or if your hotel room is searched while the device is in the room and you’re not, you should assume the device’s hard drive has been copied.
For more tips on device security best practices to be followed before, during and after you travel, click here. (PDF)
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.