Data Inspections at the Border
I'm spending a little extra care in preparing for SANS Security 504 in Calgary, AB. Recently, there have been more stories about scary inspections. Essentially, some rulings are in favor of US border inspections (that is, it does not violate an expectation of privacy with no warrant needed) while some rulings support such searches in case of a suspicion.
Not that I'm against finding the dirt on the bad guys, but let's say your USB key or cell phone is duplicated so they can analyze it. Even if you wait while they examine it, how do you know the copy being analyzed is properly sanitized--that data may have been very sensitive and now you have no longer any control over that copy.
What kind of things can we do as individuals to protect ourselves?
The best solution is to simply do not take sensitive material with you.
Merely encrypting storage probably will not be sufficient. It will probably only aggravate the authorities and make the process timely and legally painful for yourself. That is not to say you shouldn't encrypt, but be prepared to deal with the consequences (such as logging on for the authorities so they can see your browsing history). The recent release of Truecrypt 5.0 or a Microsoft Vista installation protected by Bitlocker is just a start.
If you must bring something you would consider sensitive, you may want to use a steganographic technique. This isn't as useful if you are trying to hide large files, and there still is the possibility of pulling your sensitive data from swap files and derelict slack space in the file system.
You also might consider using EFS to encrypt folders instead of the whole partition. Then and inspection turns up regular information at a glance, and they might ignore the unknowns.
What do I plan to do?
First, I'm going to clean up my machine. I tend to visit a lot of "interesting" places that might trigger interest. I'll also not bring sensitive material on the machine itself--I will depend on the ability to use a VPN to download anything I require from my trusted network.
But to clean my machine, I'll delete cruft and old material, then use a few utilities to sanitize the empty space. Recent browsers try to help ease the pain of clearing cookies, cache, history, passwords, etc. I prefer never to save the passwords in the browser--I resort to keeping a PGP copy of a spreadsheet with the passwords/passphrases in case I can't remember. I keep a copy on my Bitlocker drive and on a USB key that has it's own AES-128 protection. Between having a couple of protections there--I tolerate what little risk is left.
If you are concerned about privacy on the filesystem--you may want to try bcwipe. Historically, these utilities have had issues with missing items in NTFS, but the only way to be sure is to test it for yourself with a forensically sound process. For most folks concerned about privacy, such a tools is sufficient.
I'm also thinking of keeping a clean bootable partition around just so I have something to show on request. I'll keep a bootable CD-ROM in the drive until I get around to that I'll probably also put a bootable CD-ROM in the drive so I can click around and show them a browser history without a lot of accidental issues.
I used to also disable page swaping, reboot, wipe freespace, defrag, wipe freespace again, re-enable paging, then reboot. I just felt safer knowing that in the worst case, it would take a professional forensic investigation instead of a cursory glance at some potentially misleading websites. I tend to do this less on my primary PC now that I use specialized virtual machines to do most everything, and do it on the virtual machines as I get around to it. :)
Recent Washington Post Article
Another Article with specifics and from page 2
"the government may conduct routine searches of persons entering the United States without probable cause, reasonable suspicion, or a warrant"
Not that I'm against finding the dirt on the bad guys, but let's say your USB key or cell phone is duplicated so they can analyze it. Even if you wait while they examine it, how do you know the copy being analyzed is properly sanitized--that data may have been very sensitive and now you have no longer any control over that copy.
What kind of things can we do as individuals to protect ourselves?
The best solution is to simply do not take sensitive material with you.
Merely encrypting storage probably will not be sufficient. It will probably only aggravate the authorities and make the process timely and legally painful for yourself. That is not to say you shouldn't encrypt, but be prepared to deal with the consequences (such as logging on for the authorities so they can see your browsing history). The recent release of Truecrypt 5.0 or a Microsoft Vista installation protected by Bitlocker is just a start.
If you must bring something you would consider sensitive, you may want to use a steganographic technique. This isn't as useful if you are trying to hide large files, and there still is the possibility of pulling your sensitive data from swap files and derelict slack space in the file system.
You also might consider using EFS to encrypt folders instead of the whole partition. Then and inspection turns up regular information at a glance, and they might ignore the unknowns.
What do I plan to do?
First, I'm going to clean up my machine. I tend to visit a lot of "interesting" places that might trigger interest. I'll also not bring sensitive material on the machine itself--I will depend on the ability to use a VPN to download anything I require from my trusted network.
But to clean my machine, I'll delete cruft and old material, then use a few utilities to sanitize the empty space. Recent browsers try to help ease the pain of clearing cookies, cache, history, passwords, etc. I prefer never to save the passwords in the browser--I resort to keeping a PGP copy of a spreadsheet with the passwords/passphrases in case I can't remember. I keep a copy on my Bitlocker drive and on a USB key that has it's own AES-128 protection. Between having a couple of protections there--I tolerate what little risk is left.
If you are concerned about privacy on the filesystem--you may want to try bcwipe. Historically, these utilities have had issues with missing items in NTFS, but the only way to be sure is to test it for yourself with a forensically sound process. For most folks concerned about privacy, such a tools is sufficient.
I'm also thinking of keeping a clean bootable partition around just so I have something to show on request. I'll keep a bootable CD-ROM in the drive until I get around to that I'll probably also put a bootable CD-ROM in the drive so I can click around and show them a browser history without a lot of accidental issues.
I used to also disable page swaping, reboot, wipe freespace, defrag, wipe freespace again, re-enable paging, then reboot. I just felt safer knowing that in the worst case, it would take a professional forensic investigation instead of a cursory glance at some potentially misleading websites. I tend to do this less on my primary PC now that I use specialized virtual machines to do most everything, and do it on the virtual machines as I get around to it. :)
Recent Washington Post Article
Another Article with specifics and from page 2
"the government may conduct routine searches of persons entering the United States without probable cause, reasonable suspicion, or a warrant"
posted by James Shewmaker at
5:59 PM
0 Comments
