Recently, the New York Times wrote an article titled “Traveling Light in a Time of Digital Thievery.” The article focused on China, and the precautions that some executives take when traveling to that country. When I was approached to speak to the reporter for this story, I told her that I didn’t think it was fair to vilify China, as there are many nations have an interest in capturing data at borders, and that travelers need to take precautions no matter where they go.
In the article, I was quoted (paraphrased actually) as saying “that if any employee’s device was inspected at the Chinese border, it could never be plugged into McAfee’s network again. Ever.” The only problem is that’s not exactly what I said, and certainly not what I was trying to convey.
What I said was that if your laptop is taken from you at a border crossing – any border crossing in any country — and leaves your sight, you should consider it untrustworthy, and never connect it to a corporate network again. That is just sound security advice, as you never know what could be installed when a device is out of your possession.
The same is true if you were to leave your laptop unattended in a hotel room for the day – the “evil maid” attack strategy is valid regardless of where the laptop is – it just has to be tampered with and returned to you without your knowledge. The attack relies on you thinking your machine is safe and trustworthy, which, after being out of your sight, it may not be.
Obviously, some of us are more at risk than others, and it’s up to each to decide how much risk they are prepared to take on – my advice though is that if you suspect your laptop was tampered with, or are not sure, consider it untrustworthy until you can prove otherwise.
It is unfair to single out one country for this article or for this issue. As security experts, it our job to take strong precautions no matter where we travel, and I encourage the New York Times to provide the global view of this complex and insidious issue in future stories.
Please feel free to tweet me, Simon Hunt, @CTOGoneWild