Securing Information from Legal Intruders
I ran across an interesting blog post over at http://www.crunchgear.com/2008/05/05/locking-down-laptops-from-the-tsa/ which refers to ways to protect information on a laptop that might be examined by custom's agents. As you might know, as a US citizen, your Constitutional Rights do not apply when you're going through customs. No, this has nothing to do with the Patriot Act, or George Bush or anything you might want to think it's due to -- it's always been this way.
While the blog post is more focused on how criminals can hide their illegal data from the authorities, there's a more important question to be concerned with here. Suppose you carry a laptop for your business, and you and your company have clearance to access classified government information. You keep some of that information on your laptop. The customs agent asks to view the contents of your laptop. What should you do? The customs agent does not have your clearance level and therefore must not see that information.
You could try to explain your situation, but that's not likely to help and most likely would raise the agent's attention and make him even more interested in the data on your hard disk. Now you're truly between a rock and a hard place -- you'll net nailed for not cooperating with the customs agent, and you're going to get nailed by the Federal Agency that you're working with by exposing classified information to someone without the required clearance.
The same is true even if you're not working with the government. You could be working in the financial services sector and have information that will impact millions or billions of dollars in the markets. If that information is on your laptop and the agent inspects the contents of your laptop, that agent now has information that can be sold on the gray or black markets that could put your company, and many other's, at risk.
What should you do? My best advice for you is to never put sensitive information on a laptop. That's what I do. Laptops are lost and stolen too frequently to make it worth taking a chance on sensitive information being lost due to misplacing my laptop.
However, there are other ways to gain access to sensitive information other than just looking at file contents on the laptop. How about your mail account? I'm sure you saved your user name and password in Outlook so that you won't have to enter it every time. Now the agent has access to your email account and all the private data contain therein.
Also, you might have a VPN connectoid configured to save your user name and password. Now the agent has access to your entire network and any data that you're authorized to access there. Now, that can become a very interesting situation.
The VPN and email solutions are easy. Don't save your passwords. It always shocks me when security admins give in and allow users to save their email passwords locally on a laptop. But too often ease of use (laziness) trumpts security.
For those of you who don't want to type passwords, there is a solution. For your laptop, just allow the base operating system to be installed. Then, create a virtual machine and place it on a high capacity SD card or USB key. Install all of your applications and files on the virtual machine. Then install VMware or Virtual PC on the laptop. Place the removable media into the laptop, start the virtual machine, and go to town! All data and passwords and other information is saved to the VM. When you shut down the VM and pull the media, no trace is left on the laptop.
Since customs is only interested in your laptop, all they're going to see is Windows XP or Vista in an out of the box configuration.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)