Version 3.0
Last Updated May 5th, 2023

The WHY

Over the past decade there have been a number of high-profile news stories about the insecure state of our Internet and mobile device communications. From data breaches at well-known retailers, to USB and firmware attacks on computers, to our intelligence agencies requiring providers to use less secure versions of encryption, to Eric Snowden's revelations about the NSA's and the UK's Government Communications Headquarters (GCHQ) bulk data gathering with Stingray and Tempora, to vendors required to use proprietary state-approved standards (like WAPI in China), never before has our private data been more vulnerable or come under such risk of compromise by unknown parties.

With many vendors releasing new technologies before they can be thoroughly tested for security, the onus has fallen on users to be aware of the risks they take using the new technologies and to take the appropriate actions to protect themselves. Fortunately there are steps every user can take to mitigate and minimize the risks.

The WHO

It is up to each traveler to assess the level of risk and take whichever steps make the most sense for their situation. There is not a one-size-fits-all solution to data protection or a security solution that will provide an invincible shield short of not using any computer technology at all.

The WHAT: Recommended Best Practices

Computers

1) We do not recommend anyone take work or personal laptops overseas. If possible, use separate travel laptops that have only the files and applications you absolutely need.

2) If you expect to travel to the Middle East, China, Russia, Eastern Europe, or the Korean peninsula (henceforth referred to as MECREEK), we recommend you do not bring any personal or work-related devices with you. You should expect that these devices will come under hostile cyber attack the moment you land in these regions.

  a) You should assume all Internet connections in these regions are hostile, with hackers monitoring the network looking to steal your credentials or data.

3) You should avoid online banking, bill pay, or any other confidential/monetary activity while traveling. The exception is if you are using 2-factor authentication to access your accounts.

4) You should always be using MIT's VPN (Virtual Private Network) when connecting to the Internet. The VPN encrypts all traffic to and from your computer via MIT. Be aware that this slows down your Internet speeds, but it bolsters your data security. Information about MIT's VPN and how to set it up can be found at https://ist.mit.edu/vpn

5) Though people may love Apple Mail or Microsoft Outlook email client programs, it is absolutely more secure to use webmail at https://owa.mit.edu (MIT Exchange Email) or https://outlook.office.com (MIT MS O365 Email) to check email instead. This prevents a flaw in the email client from enabling attacks that could steal your data.

6) If you HAVE to bring your personal or work laptop on a trip, make sure:

  1. Firewall is turned on.
  2. Guest user is turned off.
  3. Remote file sharing to your machine is turned off.
  4. Do not use the Internet. We cannot guarantee the security of any machine that has entered MECREEK unless the Internet on the computer stays off. Turn the WiFi off, and do not plug an Ethernet cable into the laptop.
  5. Do not let anyone plug USB flash drives into your computer. If someone needs to give you a legitimate file, have them email the file to you.
  6. If at all possible, copy all the files you will need to work on or use for presentations onto an external USB flash drive and work exclusively off of this external USB flash drive. Do not plug this flash drive into any other machine except yours.
  7. As of 2023 we are recommending users NOT connect to cloud services like Dropbox when traveling in MECREEK countries. Your account and the contents in the cloud services could become compromised if your machine is hacked, infected by malware, or remotely compromised by bad actors on the hostile network environment.
  8. Use only non-administrator accounts. If your account currently has administrator level access or privileges, create a new administrator account, log into that account, and remove administrator access from your main account. This way if your account is compromised, the attacker has no rights to start installing things willy-nilly.
  9. If suddenly your computer is asking you for permission to install something that you didn't tell it or expect to install, you should say no. This is a trick used by bad actors to try to get you to install bad stuff that steals your data.
  10. All MIT machines should already have Sophos installed. Crowdstrike is strongly recommended as a second level of protection. Both programs can be downloaded from the links provided or the IS&T Software Downloads Page.
  11. When you are not using your machine, turn it off. A sleeping machine can be hacked. A computer that is turned off (shut down) cannot be hacked.
  12. Do not do system or applications upDATES or upGRADES while you are traveling. The risk is too high that something can and will go wrong.
  13. If you are thinking of getting a new computer for a trip, give yourself a minimum of 2 weeks before travel to set it up, install applications, install updates, and work out all the bugs. In our experience there is a 99% chance of encountering problems, some potentially serious, when you first migrate to a new machine. Give yourself sufficient time to work out all of the bugs well in advance BEFORE the trip.

Mobile Devices

Just how vulnerable mobile devices can be is shown by the following news stories:

60 Minutes Segment on hacking your phone (4/17/16)
http://www.cbsnews.com/news/60-minutes-hacking-your-phone/
Video: https://vimeo.com/502350195

How Strangers can hack the phone in your pocket (4/17/16)
http://www.cbsnews.com/news/60-minutes-overtime-how-strangers-can-hack-the-phone-in-your-pocket/

How Smartphones are hacked (Nov 2, 2021)
https://www.csoonline.com/article/2112407/how-to-hack-a-phone.html


1) You should assume that all baseband communications (GSM and CDMA) on any cellphone are not secure. This includes all voice cell phone calls and text messaging. Hostile nation states, corporate spies, foreign intelligence agencies, and some police departments have the technology to intercept, decrypt, listen/read, and store all of these types of communications. They also have the capability to dump all of your contacts, emails, text messages, and stored passwords to their servers.

2) We recommend all users who travel overseas either leave their U.S.-based cellphones at home, or if you must bring them with you, leave them turned off.

3) If you require cellphone communications while overseas, buy a local disposable cellphone with pre-paid minutes and a texting plan. For convenience you can have your calls to your normal cellphone forwarded to the new cellphone number.

4) On your new overseas cellphone, or if you HAVE to bring your mobile device from the U.S., beware of malware and ransomware that could be sent to your mobile device. Suspicious emails or shares/posts via social media you receive on your phone should be treated as cautiously as those received on your computer.

5) Do not open any unknown or unexpected attachments or installers on your mobile device. Delete them immediately.

6) Never access any banking sites on your mobile device while you are overseas. If you must, make sure the MIT VPN is on and make a note to change your passwords for any account you had to access overseas after you return to the U.S.

7) If you're on an iPhone, make sure you are using iOS 9.3 or later. iOS 8 and earlier can be cracked in minutes with cracking kits for sale on eBay for less than $100.

8) If you suspect your phone has been compromised, please contact your IT support professionals for assistance. If you're using an iPhone and have a recent backup in iTunes, you can perform a "restore" in iTunes, which will return the iPhone to factory settings, reinstall the current newest version of iOS, and restore the data from backup. This should remove any unsolicited malicious installations.

9) If you have to use your own smart device(s) while you are traveling, do not perform any updates to the operating system or applications during the trip. The chance that something will go wrong is 90%.

10) If you are planning to acquire a new mobile device to replace your present mobile device, allow yourself a minimum of 2 weeks before travel for setup, data migration, and troubleshooting. In our experience there is a 99% chance of encountering a variety of problems, some serious, during this 2-week period with all new mobile devices.

 

Consumer Protection

1) When abroad, use cash, pre-paid money cards, or traveler's checks rather than credit cards.

2) If you have to use a credit card overseas, use one that has a chip and is a card you don't normally use. Designating a credit card for travel use only will also work. The goal here is to allow you to easily identify suspicious charges.

3) Use RFID-shielded carrying cases and wallets for carrying items that contain RFID chips or Bluetooth-enabled devices like smartphones, tablets, passports, transit cards, keyless car entry/start fobs, and newer chipped credit cards.

4) Carry wallets in front pockets or in concealed securely zipped pockets if possible.

5) Wear shoulder bags across your body with your bag always on the side away from the road. Do not walk too close to the edge of sidewalks next to roads.

6) Never give out private information like your U.S. social security number or home address to any commercial retail vendor who claims they need it. They don't.

 

For Further Reference

1) Safe Computing at MIT

2) Department of Homeland Security: Cyber Infrastructure Unit

3) US State Department Travel Advisories

 

 
