Leaked Homeland Security doc warns of data threats

Tom Espiner ZDNet.co.uk | September 16, 2008 5:09 AM PDT

Summary

A memo from the US Department of Homeland Security has recommended that corporate and government leaders do not travel with mobile equipment carrying sensitive information.

A document emphasizing mobile-data security threats has appeared online after being leaked from the US Department of Homeland Security.

The document, entitled "Foreign Travel Threat Assessment: Electronic Communications Vulnerabilities," was posted to the whistleblower website WikiLeaks on Friday. It gives advice to corporate and government travelers on how to stop data falling into criminal or foreign-government hands.

A spokesperson for the US Department of Homeland Security (US-DHS) confirmed that a memo with that title had been circulated to US-DHS employees in June.

"We did have a memo of that title which was for official use only," the spokesperson told ZDNet.co.uk on Monday. "We're still a relatively young department, five years old. As we mature we can expect to see more employment-awareness documents."

The memo, prepared by the critical infrastructure-threat analysis division of US-DHS, outlines the threat of information theft to "corporate and government leaders" when travelling, and also when returning home with potentially compromised equipment.

"Intelligence collection activities and information theft likely will be conducted in a non-threatening and unobtrusive manner," said the document. "Victims may not realize they have been targeted until after their information is compromised."

The document details basic security practices including using a designated "travel laptop" and not connecting mobile devices and storage media directly back into networks without first scanning them for malicious software. The document also warns against storing sensitive information on mobile devices.

When asked whether more comprehensive security advice, such as using virtual private networks to encrypt communications through a thin client, would be circulated to government employees, the US-DHS spokesperson said that the document "showed the kinds of practices which were already in place" across the US government. More detailed information will be prepared and circulated to government employees in due course, the spokesperson added.

Andy Buss, senior IT security analyst at Canalys, told ZDNet.co.uk that the document mostly contained "common sense" data precautions. "Your company or organization could be under surveillance, and this document tries to recognize the limits of current security architectures," said Buss.

However, the document's assertion that "the best strategy to protect electronic devices when traveling is to leave them at home" may not be practical in all circumstances, said Buss.

"This has usefulness for security, but if it gets in the way of work, then what's the point of your going?" asked Buss, who added that some of the other advice sacrificed usability for security.

"Having a dedicated travel laptop is a lot of hassle--you have to transfer the data and securely wipe the information off it every time you come back and go away," said Buss. "It's much nicer to have a secure [virtualized] travel image."

Buss said that using a virtual private network to hook up to a secured back-end server would mean people would have no need to travel with sensitive information.

Other security experts agreed with Buss's assessment of the document. One senior chief information security officer, who wished to remain anonymous, said the document was "basic good security advice".

"Don't put any data more at risk than you need to do your job," the security officer said. "So whether that is carrying your entire laptop with 10 years of accumulated data to China simply to be able to send the odd email, or downloading an entire database of people's information onto a memory stick, then the principle holds."

Peter Wood, chief of operations for penetration-testing company First Base Technologies, told ZDNet.co.uk that, while the measures in the document appeared to be draconian, "most people are not [sufficiently] competent to ensure that their mobile devices don't get infected or stolen".

"For phones and PDAs, I would say there's little choice but to assume that they will be compromised if they are stolen," wrote Wood via email. "We would give similar advice, and recommend that people use 'disposable' phones whilst abroad, or else store nothing sensitive (including address books, emails etc) on their phones. PDAs and smartphones are obvious targets and very difficult to protect against a determined attacker."

Wood added that, while laptops can be protected by full disk encryption with an adequately strong boot-time passphrase, they will still be vulnerable when connected to any network or if left in standby or hibernate mode.

Talkback Most Recent of 5 Talkback(s)

  • Big growth market for forensic consulting
    But is it all legitimate? Probably not, if recent events are any indication. We have a number of foreign organizations using US-based forensics consultants to engage in espionage, both commercial and government. After all, why hire and train your own analysts when there are dozens of US companies who will do it fast, at low cost, and using the latest technologies? All a foreign agent has to do is get physical access to a target laptop for a few minutes, to duplicate the hard drive, then pack it up and send it to a US firm who will cheerfully decrypt it (if needed), analyse it, index it, and send it back all in a nice neat package for less than a grand!

    Seriously, up to now a million people have been walking around with untold BILLIONS of dollars worth of sensitive data without much protection. People worry about getting their laptops stolen, but more as an inconvenience rather than as a catastrophic security breach. Now that US Customs agents have started seizing electronic devices to copy and examine the data contents, you can be assured that other governments will start doing the same thing.
    terry flores
    16th Sep 2008
  • DHS is a waste of money
    First thing I'd do as President would be to dissolve the position and department.

    Keep the requirement for other intelligence and law enforcement agencies to communicate with each other. Route the results, reports, and alerts through the NSA.
    Dr_Zinj
    17th Sep 2008
  • If you're desperate...
    How about you encrypt your data with a sufficiently strong encryption (i.e. one time pad), send the data CD in the mail to your destination and carry the key with you.

    That way even if you're subpoenaed to reveal the contents of the CD you're carrying it's still just a key.

    Edit: Was supposed to be a reply to the story.
    Kazabet
    17th Sep 2008
  • RE: Leaked Homeland Security doc warns of data threats
    you so secure in your attempt..never take long for any
    opportunity...be aware your DOG.....
    mar la
    21st Sep 2008
  • Oxymoron [def.]
    "Leaked Homeland Security doc warns of data threats..."
    mhagin@...
    22nd Sep 2008
