Leaked Homeland Security doc warns of data threats

A memo from the US Department of Homeland Security has recommended that corporate and government leaders do not travel with mobile equipment carrying sensitive information.
Written by Tom Espiner, Contributor

A document emphasizing mobile-data security threats has appeared online after being leaked from the US Department of Homeland Security.

The document, entitled "Foreign Travel Threat Assessment: Electronic Communications Vulnerabilities", was posted to the whistleblower website WikiLeaks on Friday. It gives advice to corporate and government travelers on how to stop data falling into criminal or foreign-government hands.

A spokesperson for the US Department of Homeland Security (US-DHS) confirmed that a memo with that title had been circulated to US-DHS employees in June.

"We did have a memo of that title which was for official use only," the spokesperson told ZDNet.co.uk on Monday. "We're still a relatively young department, five years old. As we mature we can expect to see more employment-awareness documents."

The memo, prepared by the critical infrastructure-threat analysis division of US-DHS, outlines the threat of information theft to "corporate and government leaders" when travelling, and also when returning home with potentially compromised equipment.

"Intelligence collection activities and information theft likely will be conducted in a non-threatening and unobtrusive manner," said the document. "Victims may not realize they have been targeted until after their information is compromised."

The document details basic security practices including using a designated "travel laptop" and not connecting mobile devices and storage media directly back into networks without first scanning them for malicious software. The document also warns against storing sensitive information on mobile devices.

When asked whether more comprehensive security advice, such as using virtual private networks to encrypt communications through a thin client, would be circulated to government employees, the US-DHS spokesperson said that the document "showed the kinds of practices which were already in place" across the US government. More detailed information will be prepared and circulated to government employees in due course, the spokesperson added.

Andy Buss, senior IT security analyst at Canalys, told ZDNet.co.uk that the document mostly contained "common sense" data precautions. "Your company or organization could be under surveillance, and this document tries to recognize the limits of current security architectures," said Buss.

However, the document's assertion that "the best strategy to protect electronic devices when traveling is to leave them at home" may not be practical in all circumstances, said Buss.

"This has usefulness for security, but if it gets in the way of work, then what's the point of your going?" asked Buss, who added that some of the other advice sacrificed usability for security.

"Having a dedicated travel laptop is a lot of hassle--you have to transfer the data and securely wipe the information off it every time you come back and go away," said Buss. "It's much nicer to have a secure [virtualized] travel image."

Buss said that using a virtual private network to hook up to a secured back-end server would mean people would have no need to travel with sensitive information.

Other security experts agreed with Buss's assessment of the document. One senior chief information security officer, who wished to remain anonymous, said the document was "basic good security advice".

"Don't put any data more at risk than you need to do your job," the security officer said. "So whether that is carrying your entire laptop with 10 years of accumulated data to China simply to be able to send the odd email, or downloading an entire database of people's information onto a memory stick, then the principle holds."

Peter Wood, chief of operations for penetration-testing company First Base Technologies, told ZDNet.co.uk that, while the measures in the document appeared to be draconian, "most people are not [sufficiently] competent to ensure that their mobile devices don't get infected or stolen".

"For phones and PDAs, I would say there's little choice but to assume that they will be compromised if they are stolen," wrote Wood via email. "We would give similar advice, and recommend that people use 'disposable' phones whilst abroad, or else store nothing sensitive (including address books, emails etc) on their phones. PDAs and smartphones are obvious targets and very difficult to protect against a determined attacker."

Wood added that, while laptops can be protected by full disk encryption with an adequately strong boot-time passphrase, they will still be vulnerable when connected to any network or if left in standby or hibernate mode.
