Tips for the security-minded traveler - and others
Tags: Cryptography, Security
A lot of business travelers have, at one point or another, sensitive information on their laptops. This information could come in the form of a corporate document, an email, or that PowerPoint you decided to finish on that transatlantic flight. It could also be credit card and bank information, social security numbers, or even just a list of customers or contact persons. Loss of this kind of sensitive information seems to happen all the time...
Communication with headquarters once the traveler reaches his or her destination will often also be of a sensitive nature. When that particular laptop then gets stolen or even confiscated, there is a very real possibility that sensitive information ends up in the wrong hands. To mitigate this risk, a concise security policy has to be implemented and followed. Smaller companies often don't have such a policy in place, but should still take security seriously. The tips collected below are the ones I recommend as a starting point, but they are by no means a complete list, and they are not a step-by-step how-to. Some of them might seem a little paranoid, but it's better to take security seriously from the beginning.
Regarding passwords: generate random, mixed-character passwords of 20 characters or more for each of your sensitive accounts. I realize of course that people won't be able to just memorize these. Instead, you can write them down. What!?! Write them down?! Yes - see my next point. Keep a paper version of these passwords somewhere safe (e.g., a safe at home or at the company, or a safe deposit box if you have one).
Keep all of these passwords and any other sensitive information in a secure TrueCrypt folder. Use an encrypted folder with two passwords: one real and one fake (what TrueCrypt calls a hidden volume), and populate the fake one with real-looking data. These two passwords you do have to memorize, so also make sure they are strong. This gives you not only secure storage for your sensitive information, but also plausible deniability - just in case you ever need it.
If you are travelling to sensitive places and countries, and you want to make sure your data isn't being intercepted or sniffed (e.g., on public WiFi) while you have to access sensitive sites on the company server, use the Tor Browser in addition to the VPN your company uses. It's slow, but it works to get around possibly blocked sites and it anonymizes your network activity. Put the browser in the TrueCrypt folder, just in case. If you or your company don't have a VPN, you could tunnel all your network traffic through SSH as an alternative. There are plenty of tutorials online that tell you how to do this.
Which brings me to: don't put sensitive information on your laptop in the first place. If you need access to the material once you reach your destination, use a VPN or tunnel to your company servers and get the information that way. Afterwards, when traveling again, or just when you don't need it anymore, delete it from your device. You could even take this one step further and not bring a laptop at all. Just buy a cheap one on the spot, and properly destroy it before you leave again. Best tool to eliminate all data on the hard drive or flash drive you want to dispose of? This:
If you don't want to do this, run your computer off a Live CD, and remove the hard drive from your laptop. Use a USB flash drive (encrypted, of course) for storage on the spot, and again use a hammer (or a couple of rocks) to dispose of it once you leave. The Live CD might have to be customized so you have all your needed tools available - which I realize not everyone will be able to do... What you can do instead is use virtualization with, e.g., VirtualBox. You can store the virtual machine inside a TrueCrypt folder. That way, your host operating system remains clean and no sensitive data should exist there - it's all on the virtual machine.
Finally, use common sense. Don't check your email on that PC at the bar. Don't do some quick banking on that Starbucks WiFi. But also, don't talk too loudly on the phone in your hotel room (walls are thin...). Don't leave electronics with sensitive information on them in your room, or even at the office of a company you visit. For calls, leave your fancy smartphone at home and use a no-frills phone. This makes sure no malware can be installed on your phone. Your contacts reside in the TrueCrypt folder, of course, and not on the phone.
The above selection of tips is not complete and will require time, effort (and know-how) to implement properly and correctly. If you have people at your company who know about some of the measures mentioned - talk to them. Let them help you get started. If you have some monetary resources available, hire a security consultant or expert who can help you with this. No one said it's going to be easy, cheap, or fast, but security should nonetheless be taken very seriously...