Data Protection while Traveling
(A practical-on-the-verge-of-paranoia-they’re-out-to-get-me article on making sure your data remains secure)
Do you carry electronic components while traveling, such as a laptop, phone, or mp3 player? What would you lose if one or all just stopped? What if a device was lost or stolen, ending up in the wrong hands? I’m won’t rehash the million articles that one can find about protecting yourself physically while traveling but instead focus on something just as valuable - your data.
Data is a collection of facts, such as values or measurements. It can be numbers, words, measurements, observations or even just descriptions of things. To a computer, data is a collection of just 1’s and 0’s. With processing, these 1’s and 0’s turn into a digital picture of your favorite moment on a bike, a private diary entry, the password to your online banking, or a sample of music that you particularly enjoy. Anything you do with your computer stores some set of data related to what you are doing – this is your own personal data. At home, there are things you don’t mind leaving out in the open, while other things that you’d like to keep private. Some things can just be put out of sight in a nightstand table but if you’re really concerned you get a safe and lock it up tight. With your data, you may wish to let people see your photos, but want to keep them out of your private correspondence to your family.
Travel shortens the life expectancy of electronic devices and opens up new consequences for if you leave valuable information unprotected. Physical devices will be more exposed to the elements, more rigorous wear and tear, and accidents when traveling. This can result in data
loss and corruption, or a device that just does not work. Having electronics with you on tour could also bring unwanted attention, opening you up to the risk of theft, extortion, kidnapping, etc.
When traveling across borders, you may be subject to a search of your laptop . If there is content on your computer that is banned or offensive or plain out just don’t agree with, this could cause causing unnecessary hassles, question periods, and a risk of seizure of your components. For example, if you’ve got songs on your Mp3 player, can you prove that they are not downloaded illegally?
While traveling you will probably want to play music on your Mp3 Player, upload photos, accessing social networking sites, and check your email. For a skilled thief these tasks leave a trail of information that can be used to assume your identity, by means of emailing people in your contact lists requesting help or money since they are all aware you are traveling and could in theory could legitimately need assistance. The risk of thieves gaining access to your banking information to be transfer your hard earned money out of your accounts into their own ranks up there as something someone never would want to experience.
Now, a lot of this many come across as mild paranoia, but after working in the computer security industry for many years, I tend to err on the side of caution to ensure that my data is private from prying eyes. Not to be a entirely doom & gloom, I’m offering some steps you can take to keep your data secure at home or on the road that I have found that have worked for me. Before I headed out on the road, I regularly performed assessments of client’s infrastructure and data, to develop recommendations on how they could reduce their risk to various threats, following the principles of ARC. What is ARC?
- Availbility -Make your data is accessible, in the event of hardware component failure or theft. Will you have a backup if you lose one of these devices?
- Reliability -Make sure the data you are accessing is the same data that you originally put in. How can you be sure someone has not modified your information without your approval?
- Confidentiality – Keep your data safe from prying eyes by controlling who has access to it.
Let’s go into detail of these three segments of ARC and finally talk about how all three can work together:
The goal here is to ensure that in the event of a catastrophic failure of your device, or all out theft of the unit you can still put together the pieces with minimal impact to your data and memories. Losing data sucks. Really – Once its gone, it’s gone forever, and you can never get it back. There are things that I have inadvertently lost over the years that I can only wish that I had a copy of today, hopelessly living a pipe dream with the memory alone, unable to share it with friends, family or acquaintances.
External Hard Disks – There is no excuse to not have a secondary copy
of your data available with you should your laptop decide to fail on the road. You can find portable external hard disks everywhere, that are large enough to back up your entire system and then some. You can use the included backup tools that come with your Windows or Apple computer to create a snapshot of the system should the hard disk fail that can bring your system back up to the way you had it with all of your customizations intact. However with this method, you can’t access the files easily whereas you could try a different method by copying the folders and files you like onto the device on a regular basis. Tools exist that allow you to synchronize folders (such as your music, photos, videos) to the hard disk should you wish to plug this removable storage device into another computer. For simplicity’s sake, look for a device that only requires one cable to operate; some have to plugged into a wall outlet to power the device, in addition to the cord to connect with your laptop.
Of course, physical devices can always be lost and stolen with your laptop leaving you with no data.
USB Sticks – Also known as Flash Drives, or Jump Drives – these are little devices that can be used to store small amounts of files. They fit in your pocket or can be hidden in your handlebars, and don’t require anything but a computer with an available USB port to access the files stored on it. They have no moving parts, which makes them more resilient to wear and tear than harddrives. While the don’t hold as much data as an external hard disk, advances in memory storage occur daily and one can currently find sizes from 1GB – 32GB readily.
While easy to use, USB drives are also easy to lose – generally they don’t survive being soaked with water should you forget to check your pockets when washing your clothes in the sink.
Your Phone/Media Player – These may have buttons, a screen, and a fancy interface, but behind it all they are glorified USB Sticks. They can be used as a backup storage mechanism for important files should your computer fail. Typically plugging in the device into a computer will allow you to read and write files to it, however you are limited by the storage capacity of the device, which share capacities similar to USB sticks, smaller than most computer hard disks. Some devices attempt to limit you from storing anything else but media on the device like the Apple IPhone, so using a tool such as Phone Disk will lift this restriction. You might even have spare space on that GPS device you are using.
One drawback is that these may not be as compact as other options and may attract unwanted attention from thieves.
Embracing the cloud – What is the cloud? Well, the internet of course! You already know it is a series of connected computers that exist in every single country around the world, and you can use this to your advantage by storing your files on the internet. Fee based services such as Mozy, and LiveDrive allow you to automatically backup your entire system to the internet in a secured, private area so that if your device ever gets lost, stolen, or stops working you can download the entire contents onto a new device at your leisure. If you’ve just got a need for a small amount of data you could use Dropbox to synchronize a folder to their network for free up to 2GB (or more if you refer your friends to the service!). Photo’s and videos can be uploaded to one of the many sites available such as Flickr, SmugMug, or Picasa. so that you could share them with friends and family, or download them back onto your device if you want the originals. You can control whether this data can be viewed by the public, if they can download copies for their own usage, and create licensing agreements that dictate if the photo can be used on other people’s websites.
Using this option however assumes you have a good solid internet connection to upload your data on a regular basis – just having access alone is not enough as it must have enough bandwidth to support the upload and download of files in short amounts of time.
Making sure your personal data is indeed reliable, where the data you input matches its output. This segment relies on successful password management, and restriction to who has access to what on your device. It’s amazing how one string of characters can let you login to your computer, give you access to your banking information, to communicate with your friends on Facebook, or to purchase products from your favorite bookseller, so this is an important step in the overall process.
I’m sure you aren’t one of the 73% of computer users who use the same password for everything, and definitely you aren’t one of the people who uses “password“, “iloveyou“, “123456” so we don’t need to talk about successful password management, other than the fact that within a short amount of time of you and I conversing, I’d have enough information to hack your passwords on various sites that you frequent without you even realizing that you had fallen victim to social engineering. In sum, no one, seriously no one has any business knowing your passwords to your critical information.
Passwords can be setup at various stages of computer usage:
Boot Time Security - Most computers and laptops have an option to set a password upon power on, known as a BIOS Password. This will limit access to your computer before it boots into the operating system, so that your files cannot be tampered, unless someone pulls the hard disk out of the device and reads it using another computer, or bypasses the password by shorting out the laptops motherboard with a paperclip.
Operating System Based - Your computer typically allows you to choose a username and password before allowing access to your desktop and files, when you don’t want someone using your stored credentials or seeing what you have on your hard disk. Not all that glitters is gold however, because this password can be easily changed by a reboot of the computer.
Application Based - Some of the programs you use may require a password to protect access to its proprietary data, such as personal finance programs. However the protection on these programs is notoriously weak and can be program by programs readily available on the internet.
Internet Websites: Services such as LastPass allow you to store your credentials on their server should you not remember the dozens of passwords you may be using, which requires you to once login to their website and install software onto the computer you wish to use the service on. An alternative way of would be to use “PasswordMaker” which creates unique, secure passwords that are very easy for you to retrieve but no one else. Nothing is stored anywhere, anytime, so there’s nothing to be hacked, lost, or stolen.
Even though you are using randomly generated passwords you could have your entire security system compromised by downloading a program inadvertently onto your computer, or not follow through with updating the applications installed on your computer, or fall victim to a fake website that could steal your credentials resulting in your identity being impersonated online. Let’s not even get into the fact that when using a public computer someone could monitor your keystrokes. Keyloggers are difficult to beat, but using a virtual on-screen keyboard can help eliminate someone intercepting your passwords, and employing the usage of one time passwords ensure that your credentials are never used by a snoop.
The solution to this age-old problem of using static passwords is to rotate them regularly, and make sure they use combinations of different numbers, letters, case, and symbols. There are many articles which discuss how to come up with proper passwords, do beware that a password can be broken with brute force dictionary tools relatively quickly, so having a long random password helps confuse these programs.
Passwords are great for specific purposes, however due to available tools can be circumvented easily enough allowing someone full access to your system. Enter the next phase of security – Encryption.
Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people. In order to easily recover the contents of an encrypted signal, the correct decryption key is required. A key could be a password, or contents of a file which undoes the work of the encryption algorithm. Some people would argue that if you have a need for encryption you are self incriminating yourself. My stance of the whole situation is that it is perfectly acceptable for someone to obfuscate their private data from those other than themselves. If your laptop or hard disk was lost or stolen, a thief would have full unrestricted access to every program, document, and personal bits of information you have stored allowing them to move forward in assuming your identity.
However, employing the usage of encryption is not without its risks. If kidnapped, an adversary could force you to reveal your password to gain access to your data by threatening to harm you physically, allowing access to all of your data. In the event of being searched at a country’s border, you could be detained for hours while they question you as to the reasons why you have encryption, and request you allow them access to the device. In the United States of America one is protected by the Fifth Amendment relating to self-incrimination however laws differ in many countries where basic human rights are not regarded. For example, in the United Kingdom, a youth was jailed for refusal to provide a password to encrypted data. For these purposes, it is best to employ a technique known as Plausible Deniability, creating an additional hidden encrypted segment inside your ‘outer’ encrypted data. It is impossible for someone to tell if there is an additional encrypted set of data, and should satisfy the requests of anyone forcing you to handover your password to view the ‘decoy data’. I’m not advocating that you lie, especially to a guard at a border which can carry significant jail time, but simply providing options that are available to you. It may sound like this comes straight out of Spy Vs Spy, or something out of an espionage crime novel, but these methods truly exist and thankfully, can be had for your computer or devices for free.
TrueCrypt is a software application used for on-the-fly encryption. It is distributed without cost and the source code is available meaning that independent security researchers around the world can analyze the contents of this application to ensure no ‘backdoors’ are present ensuring full data confidentiality. The only way that it can be broken is by brute force processing with multiple computers for long amounts of time. In July 2008, several TrueCrypt-secured hard drives were seized from a Brazilian banker Daniel Dantas, who was suspected of financial crimes. The Brazilian National Institute of Criminology (INC) tried for five months (without success) to obtain access to TrueCrypt-protected disks owned by banker, after which they enlisted the help of the FBI. The FBI used dictionary attacks against Dantas’ disks for over 12 months, but were still unable to decrypt them.
Truecrypt can create virtual containers on your computer that mount as drives containing encrypted data. They can be copied from computer to computer, stored on removable USB disks, online backup services such as Dropbox, or other forms of removable media. Truecrypt can also encrypt entire hard disks, so that if someone had broken password based mechanisms previously mentioned, they would have to know the key to decrypt the entire contents of the disk. Additional encryption ciphers can be used, so that if in the future with cryptography advances a cipher is broken, it still has another cipher to bypass. Whew!
Don’t forget your password however, otherwise you could be locked out of your data forever. You can reset your passwords if you ever forget a newer password by means of a rescue disk, which could defeat the purpose of what you are trying to achieve, however this method could work well for those working in a corporate environment and are managing employees company-owned laptops. Make sure you fully understand what you are getting yourself into when employing strong encryption as the risk for data loss can be great if you don’t know what you are doing!
Combining the ARC methodology for traveling
I take the possession of my data seriously, just like one would value a filing cabinet and bookshelf full of photo albums and want to ensure I have a proper set of protection while traveling, so I’ve combined the three elements to create ARC to ensure that I’m not caught in a situation where I have to suffer from data loss, or revealing information that should remain private to me. I don’t want to be too paranoid, but I also don’t want to be caught exposed, so I’ve balanced practicality and paranoia, to use these techniques. Perhaps this might work out well for you too?
- I employ system wide encryption on my laptop to prevent unauthorized viewing. (click for how-to)
- I use an Operating System password that locks if the device is ever left in public. Because a user would have to power cycle the computer to attempt to read the contents of the hard disk using password reset tools, they would then be presented by the requirement to enter the password to the protected system wide container in #1. (click here for how-to)
- I utilize an external hard disk which employs the usage of whole disk encryption which is used to back up my entire laptop in the event of system failure, and separate copies of media like photos, music and video so that I can read them without having to modify my “snapshot” based backup.
- All photos are uploaded to the Flickr photo sharing service for additional backup and to allow the public to see what I am up to – See, I’ve got nothing to hide!
- All videos are uploaded to YouTube for additional backup copies. Not all videos are available to the public, and the raw uncompressed videos are sent to another server for safekeeping.
- An Encrypted Container is synchronized across the internet to various cloud storage providers containing personal information (ID numbers, Passport and Drivers License Scans in the event I be robbed) that can be downloaded from anywhere in the world using services such as Dropbox, Mozy, and LiveDrive.
- I store a copy of the encrypted container stored in #6 on every bit of portable media I own, since it doesn’t take much space I can store it on camera SD cards, my phone, mp3 player, whatever.
- I employ the usage of strong password selection, and prevention of tracking/sniffing of my communcations with my internet browser Mozilla Firefox using extensions HTTPS-Everywhere, Passwordmaker, and Ghostery.
- I regularly take the time to scan my system for malware using free products like Microsoft Security Essentials & Malwarebytes AntiMalware.
- I trust no one.
While this certainly doesn’t cover the whole gamut of options, Hopefully this information can assist you in your own travels to ensure that your data can remain safe and secure from prying eyes, as the first rule to protection is awareness of the threats that exist. The next article will focus on a more compact mobile solution that can be used on anyone’s computer to ensure your data and activities are properly protected!