This came in as a question from a reader:
This is an excellent site, and thank you for the blog articles. I was wondering what you would steps you take to secure your digital footprint and devices when traveling abroad, or domestically Do you have concerns about data being stolen, or surreptitious surveillance when traveling? One of your blog articles mentioned not posting anything on social media during a visit, or streaming live, but what about photos, data, work documents, etc. when traveling? Do you recommend secure programs or do you not generally worry about it with the amount of digital presence in the world? Is there a way to make yourself a harder target? I realize that most people don't worry about such things, or don't consider them, but it is always something I keep in mind whenever I travel along with personal security considerations."
General Security Mindset
The best way to prevent compromise of digital assets is not to travel with them. If you do, try to have them wiped clean of sensitive data (or data important to you) before you go, and if you go to certain countries, like China and Russia, bring burner devices. Try not to access your data remotely, if possible, and certainly, do not connect to things like your bank.
Be aware of where you are, and always secure your belongings. Do not leave them unattended. Be aware also of the capabilities of certain people and governments. Capabilities exist which allow malicious actors to:
- identify and target mobile devices, more specifically smartphones and laptops
- deliver malicious code to the device
- use device network connections (e.g. cellular networks, wireless, Bluetooth, etc.) for their own purposes
- leverage the device as a means of spreading malware and malicious code beyond your device
- access the device as a means to track your location (e.g. GPS)
- activate the microphone on a device and turn it into a listening device
- intercept communications that are sent electronically
In some countries, hotel business centers and phone networks are monitored and in some locations, rooms may even be searched. As a general guideline, assume that there is no expectation of privacy in offices, hotels, bars or other public areas.
- Always use a password on your device
- Never leave your device unattended
- Always lock the screen, or turn off the device when walked away from it (e.g on a corporate office in another country)
- Some devices have an option that will erase all data if the password is entered incorrectly 10 times. Enable this option.
- Disable your wireless (Wi-Fi) connection as well as Bluetooth when you are not using your device.
- Avoid charging your phone on computers or devices that you do not control, such as hotel docking stations. Malicious software could be stored on devices that could be transferred when your device is connected. Use your personal computer or a direct-to-wall-socket charging port to charge your phone.
- Never connect an unknown USB flash drive to your tablet or laptop. Any device that connects to a USB port can be considered a storage device and may contain malicious software (mp3 players, smartphones, external hard drives etc.).
- Avoid using unknown storage media such as CDs, DVDs or USB thumb drives in your computer. They may contain malicious software that automatically reads the contents of storage media or drives. You do not need to click on a malicious file for your computer to be infected.
The most effective means of protecting yourself and your property is the liberal use of common sense reinforced with a high state of security awareness. Do not give anyone the opportunity to exploit vulnerabilities. Stay alert and exercise good judgment. Avoid giving unnecessary personal details to anyone.
- Do NOT publicize your travel plans, but limit that knowledge to those who need to know. Leave a full itinerary of your travel schedule, hotel phone numbers and business appointments with your office and with a family member or friend.
- If possible make photocopies of your passports, driving licenses and credit cards, and leave them with your family or at the office. These will be used in case the real ones get stolen and a copy needs to be sent to an embassy or police station. Do not take any expensive jewelry or “flashy” items that will draw attention to you so you do not increase your chance of being a victim of a crime.
- Take any medication in their original medicine bottles and obtain a copy of the prescription from your physician. Check the CDC (https://www.cdc.gov/) and/or WHO (http://www.who.int/en/) websites for any mandatory or recommended vaccinations for that country.
- It is recommended to enroll in the State Department’s Smart Traveler Enrollment Program (STEP). By doing this, you can receive alerts from the State Department should events, either natural or manmade, occur which may impact your travel and safety.
Do NOT pack sensitive or proprietary information, or important things in your checked luggage. Hand carry it with you. Be sure that your luggage is tagged with covered tags that protect your address from open observation. Put your name and address inside each piece of luggage and be sure that all luggage is locked or secured in some fashion.
To diminish the risks of becoming a victim of an attack and reduce your exposure to the criminal threat, especially as you arrive at the airport, there are a number of things that you should remember when checking into an airport.
- In the event of a disturbance of any kind, go in the opposite direction. DO NOT GET INVOLVED!
- Plan to check in early for your flight to avoid long lines at the ticket counter.
- Go directly to the gate or secure area after checking your luggage. (Secure Zone — Area between security/immigration and the departure gate.) Avoid waiting rooms and shopping areas outside the secure areas.
- Stay away from glass wall areas and airport coffee shops which are open to the concourse or public waiting areas.
- From the time you pack your luggage until you check it with the carrier at the airport, maintain positive control of all items, both hand carried and checked.
- At many airports security personnel, following protocol, will ask you questions about control of your luggage. Know what items you are carrying and be able to describe any/all electrical items.
- When arriving at or departing from an airport it is a good idea not to be exchanging items between bags while waiting in line for security screening or immigration/customs processing. Complete all packing before entering such areas.
- Consider being transported to/from the airport by a hotel vehicle.
- NEVER leave your luggage unattended, even while checking in or once in the secure zone. In some countries, the police or security forces assume that an unattended bag is a bomb, and your luggage could be forcefully opened or even destroyed.
At the Hotel
- Be vigilant.
- When possible, request a room that does not have a door to an adjoining room.
- Learn your environment so you recognize people and objects that are out of place.
- Be alert to strangers who are at the hotel for no apparent reason. Do not accept unexpected deliveries and visitors. Call hotel desk to confirm identities of hotel employees.
- Do not open doors to strangers.
- Changes in local conditions, a decrease in activity by local citizens, and repetitious activities can be a sign that something might happen. Local citizens might hear rumors of violence and may change routines to maintain personal safety. Pay attention.
- Make your room look occupied when you are out. Keep TV and lights on; put “do not disturb” sign on door.
- Report suspicious persons or activities near the hotel or your room; provide a complete description of the person and/or vehicle to security officials at your office, or when nothing else work, on the Embassy.
- Let someone else that you trust know when you are leaving the hotel or the office, and where you are going.
On Public Places
- Do not be an easy target.
- Vary daily routines, such as departure times and routes to and from work/vacation place.
- Remain low key and do not draw attention to yourself.
- When possible, travel with a friend or in a small group.
- Refuse to meet with strangers.
- Select places with security measures appropriate for the local threat.
- Avoid places of high criminal activity, google that shit!
- Reduce exposure to crime by avoiding isolated, poorly lit areas and by concealing high value personal property.
- Travel in conservative clothing; do not wear distinct American items such as sports shirts, caps, or flashy clothing.
- Do not wear US identified items such as cowboy hats or boots, baseball caps, American logo T-shirts, jackets, or sweatshirts.
- Let someone else that you trust know when you are leaving the hotel or the office, and where you are going.
- Report suspicious persons or activities near the hotel or your office; provide a complete description of the person and/or vehicle to security officials at your office, or when nothing else work, on the Embassy.
- Update your software before traveling. This includes OS, applications installed and security software monitoring the device.
- Install a firewall (when applicable) on your device, if not already installed.
- Ensure you have all the software and hardware you need so that you don’t have to buy any in another country or install it off the internet while traveling.
- Do not let your devices out of your sight. Don’t leave your phone charging in a public conference room while you go for lunch or lend your phone to a stranger who needs to make a call.
- Lock up valuable and sensitive electronic equipment when it is not in use.
- Do not leave valuable or sensitive electronic equipment lying around your hotel room.
- Just as you wouldn’t wear expensive jewelry in a dangerous area, do not flash your expensive devices.
- Do not rely on “good hiding spots” within a hotel room to secure your equipment. This may be the first time you have seen the room but it is not the first time someone else has seen it.
- When traveling, keep your electronic equipment in your carry-on baggage to avoid potential in-flight loss or damage.
Wireless Access Points and Networks
It is recommended not to connect your smartphone, laptop or tablet to the Internet at open and free wireless access points, common at coffee shops, in hotels or at airports during your travels. These are highly insecure and are accessible to everyone. These networks are usually used by malicious actors to gain access to corporate assets and both extract data and spread malware.
The attackers may establish a free Internet access point that are made to look trustworthy, naming the access point or Wi-Fi network anything to simulate a legitimate network. When you connect to their system you open your devices up to attack.
It is advised that you connect only to password protected networks provided by either the hotel or customer you are staying / visiting. And even then, the use of VPN is a must to surf the internet.
Any information that you send over an unknown network could be intercepted. Never transmit information that you wouldn’t want disclosed to an undesired or unauthorized party.
Shared or Public Computers
There are many ways bad actors can steal personal information. Keyloggers (a covert software applications or physical devices attached to computers that capture any information that is entered into the device), remote access (where they can monitor what another use is doing, capturing anything he or she does) are just a few examples .
It is not recommended the use of shared or public computers or other devices to access ANY data, including emails, travel schedule or printing boarding passes. Always be sceptical of the security of an unfamiliar network or device; always treat public devices with the assumption that any information you enter could be seen by an unauthorized third party.
Be cautious when allowing access to your devices via Bluetooth and in how you manage your device’s Bluetooth connections. It is recommended not to use Bluetooth devices while traveling. It also recommended Bluetooth be completely disable (turned off) on the devices. This will prevent devices that allow for automatic connection to accept malicious requests, and to prevent any connection snooping by a third party. So, disable your Bluetooth networking while you are traveling to prevent unwanted connection attempts.
- Place tape over any integrated laptop cameras.
- If possible, have any integrated laptop microphones physically disconnected.
- Disable all file sharing in the OS.
- Disable all unnecessary network protocols (such as WiFi, Bluetooth or infrared). Enable them only if necessary.
- Be sure to clean out your purse or wallet. Any RFID cards should be carried inside an RF-shielded cover.
- If you need to send or receive email while traveling, create a temporary “throw away” account on Gmail or a similar service before you travel.
- Do not use your regular email account. Do not send any sensitive messages via email
- Avoid making or receiving voice calls, using voice mail, using IM or SMS.
- Any/all CDs, DVDs, thumb drives, attachments, links and “QR” cell phone barcodes must be considered to be potentially hostile and malware infected.
- Do not use USB-based public battery charging stations; the USB interface to your device may allow the charging station to do more than just provide power.
- Do not purchase new hardware while traveling.
- Do not purchase or download any new software while traveling.
- Do not have any of your electronic devices “repaired” or “worked-on” while abroad.
- Keep all papers and notes. Any discarded items (such as notes, documents, diskettes/CDs/DVDs) may be retrieved, analyzed and potentially exploited.
- Guides, drivers, and interpreters may report on your activities. Be mindful.
- Beware of attempts to put you in embarrassing or compromising positions. You may be getting targeted for eventual extortion.
- While abroad, register with the nearest U.S. Embassy or Consulate and please report any suspicious incidents you experience to them.
- If arrested, taken into custody, or interrogated, do not make any statements or sign any documents, particularly if they are written in a language you don’t know. Ask to have the U.S. Embassy or Consulate notified of your detention at once. Depending on the country, the officials may have up to seventy-two hours before the embassy is required to be contacted.
- Remember, you do not have any “rights” while in this country which you may enjoy in your country (Ex. - US - Miranda Rights do not exist)
- At the hotel, select a room on floors two through six, if possible and closer to a fire exit. Fire equipment is unable to reach rooms above this level from the exterior
- Pack a portable door stop in your suitcase to help secure your door when you are in the room.