Cyber Security Tips for Traveling Abroad with Mobile Electronic Devices
Note: This web page is intended to outline steps, tips, and guidelines that you can use to protect yourself, your information, and your mobile devices when you travel abroad.
To maintain contact with work, family, and friends, most persons, when traveling abroad prefer to use a mobile electronic communication device(s). Mobile electronic devices such as laptops, cell phones, and tablets, when taken abroad, may be successfully attacked with malware and automated attack tools. These devices, even when kept current with security software, may not be able to thwart such an attack.
As part of a renowned research university, NDSU's faculty, scholars, and staff often travel abroad for research, collaboration, continued study, or to present at national gatherings. When traveling to certain countries where there is strong scientific competition, the country is not on friendly terms with the United States, there is civil unrest or political discord, or where violence and crime ar prevalent, they may become victims of cyber-attacks, cybercrime, monitoring or surveillance. This is particularly true if the individual is engaged in classified or proprietary research in a STEM (science, technology, engineering and mathematics) program. Institutional leaders who ar politically or religiously active, fluent speakers of the language, and individual tourists may also be actively targeted.
Credit and appreciation given to Joe St. Sauver, Manager for Internet 2 Nationwide Security Programs and the InCommon Certificate program, for allowing the use of large excerpts from his articles "Travel to Destinations other Than China or the Russian Federation," and Cyber Security and Travel to China or the Russian Federation," March, 2012.
Frequently Asked Questions
What can happen to my mobile electronic devices when I travel abroad?
Depending on where you plan to travel to, electronic communication devices, when taken abroad, may be subject to involuntary official govermental review and possible duplication of the hard drive's contents.
NDSU and University System policies require that any hard drive which contains personally identifiable information, financial, proprietary, or intellectual property be encrypted. Use of encryption to protect information may be forbidden in some countries. And, if your encryption product allows you to "hide" information, those "hidden" areas can be detected, and you could be subject to criminal charges by the country's government. Becaue it is difficulty to monitor encrypted traffic, use of secure ("https") websites and/or use of virtual private networks (VPNs) may be blocked by some countries.
Attempts to circumvent national censorship of certain websites, such as some mainstream western social media sites, is discouraged. If you are found to be using a product to circumvent the blocking of censored websites, you may be warned, have your electronic devices confiscated, or you may become subject to criminal charges.
Personal privacy may not be respected. Even private spaces such as hotel rooms, rental cars, and taxis may be subject to video, audio, or other monitoring. This type of surveillance may be able to track your whereabouts, what you may be doing, what's on your electronic device, and what you may be entering into it. Conversations either in person or on a phone may be monitored. Local colleagues may be required to report any conversations held with foreigners.
What can I do to protect myself, my electronic devices, and my information when I am traveling abroad?
The guidelines and recommendations listed below outline and define steps you can take to protect yourself, your information, and your electronic devices.
- If possible, do not take your work or personal devices with you. Use a temporary device, such as an inexpensive laptop and/or a prepaid "throw away" cell phone purchased specifically for travel.
- If you must take your electronic device(s) with you, only include information that you will need for your travel.
- Be sure that any device with an operating system and software is fully patched and up-to-date with all institutional recommended security software.
- When not in use, turn off the device(s). Do allow them to be in "sleep" or "hibernation" mode when they are not in active use.
- Be sure to password or passcode protect the device. Do not use the same passwords/passcodes that you use on your work and personal devices. The password/passcode should be long and complex.
- Minimize the data contained on the device. This is particularly true of logins and passwords, credit card information, your social security number, passport number, etc.
- Assume that anything you do on the device, particularly over the Internet, will be intercepted. In some cases, encrypted data may be decrypted.
- Never use shared computers in cyber cafes, public areas, hotel business centers, or devices belonging to other travelers, colleagues, or friends.
- Keep the device(s) with you at all times during your travel. Do not assume they will be safe in your hotel room or in a hotel safe.
- Upon returning from your travels, immediately discontinue use of the device(s). The hard drive of the devices should be reformatted, and the operating system and other related software reinstalled, or the device properly disposed of.
- Change any and all passwords you may have used abroad.
Are there additional tips and guidelines that I can use when I travel to countries that are less than friendly or there is civil unrest, or where crime and violence are prevalent?
Before you travel:
- Tape over any integrated laptop cameras, or disable them.
- Physically diconnect any integrated laptop microphones
- Install a privacy screen on your laptop to discourage "shoulder surfing."
- Disable all file sharing.
- Disable all unnecessary network protocols (e.g., WiFi, Bluetooth, infrared, etc.)
- Backup any data you may have stored on the device.
- Leave unneeded car keys, house keys, smart cards, credit cards, swipe cards, or fobs you would use to access your work place, or other areas, and any other access control devices you may have at home.
- Clean out your purse or wallet of any financial information such as bank account numbers, logins and passwords, any RFID cards (including U.S. Government Nexus "trusted traveler" cards) should be carried inside an RF-shielded cover.
- If you need to send and receive email while traveling, create a temporary "throw away" account on Microsoft Outlook or a similar service before you travel.
Additional smart tips for traveling abroad in less than friendly countries:
- Do not send any sensitive messages via email.
- Limit or avoid making or receiving voice calls, using voice mail, instant messaging, text messaging, or sending and/or receiving faxes.
Are there other resources where I can find information on the country(s) that I am planning to travel to?
There are several good resources to review when planning to travel abroad. They include:
- An informative brochure published by the FBI that covers information and suggestions for business trave abroad. Click here to read the brochure.
- The U.S. has a website where you can check the safety and security level of the country(s) you are planning to travel to. Click here to go to the link.
Many governments track international conditions and provide advice and information for those considering travel. Note that countries view risks differently, or have different levels of insight into particular regions. It might be in your best interest to review all of the recommended websites below for current conditions relating to the country or countries to which you're planning travel.
April 15, 2014
The Internet was stunned to learn of a significant vulnerabilty to security this last weekend. OpenSSL, an application that is used by software and services throughout the Internet for authorization of legitimate websites was found to have a core flaw. Essentially anyone from anywhere could send a specially crafted packet to a service or site using OpenSSL, asking if the server is still accepting communications and the server would return up to 64 Kilobytes of what was in its memory at the time of request. This return could be username and passwords, or documents, or even security certificates. The OpenSSL foundation responded and fixed the core code of OpenSSL, but there are still hundreds of thousands devices, or services that still are running the old version of the software. Please check for updates on your devices, and change any passwords for sites you maybe concerned about. However, only change those passwords after a site has patched their services, and revoked their old security certificate and created a new one.
December 5, 2013
Over 2 Million passwords to popular webpages discovered.
In Mid June, Trustwave Spiderlabs researchers were able to view information in the Pony Botnet controller that indicated that there were over 650,000 website credentials that had been harvested by this particular botnet, which, is fairly widespread. On Tuesday they announced that upon a more detailed look that over 2 million passwords have been harvested by this botnet. Many of these services have now been notified and they are taking corrective action on those accounts that have been compromised.