Month: March 2017

A Guide to Getting Past Customs With Your Digital Privacy Intact

A Guide to Getting Past Customs With Your Digital Privacy Intact

WHEN RYAN LACKEY travels to a country like Russia or China, he takes certain precautions: Instead of his usual gear, the Seattle-based security researcher and founder of a stealth security startup brings a locked-down Chromebook and an iPhone SE that’s set up to sync with a separate, non-sensitive Apple account. He wipes both before every trip, and loads only the minimum data he’ll need. Lackey goes so far as to keep separate travel sets for each country, so that he can forensically analyze the devices when he gets home to check for signs of each country’s tampering.

Now, Lackey says, the countries that warrant that paranoid approach to travel might include not just Russia and China, but the United States, too—if not for Americans like him, than for anyone with a foreign passport who might come under the increasingly draconian and unpredictable scrutiny of the US Customs and Border Protection agency. “All of this applies to America more than it has in the past,” says Lackey. “If I thought I were likely to be a targeted person, I would go through this same level of protection.”

In the weeks since President Trump’s executive order ratcheted up the vetting of travelers from majority Muslim countries, or even people with Muslim-sounding names, passengers have experienced what appears from limited data to be a “spike” in cases of their devices being seized by customs officials. American Civil Liberties Union attorney Nathan Wessler says the group has heard scattered reports of customs agents demanding passwords to those devices, and even social media accounts. And newly sworn-in Department of Homeland Security Secretary John Kelly told Congress earlier this week that the agency is considering requiring foreign travelers from seven Muslim-majority countries to hand over their social media passwords or be refused entry.

“Requesting passwords is just beyond the pale,” says Wessler. He points out that the practice doesn’t just affect individual travelers, but everyone they’ve communicated with, potentially reducing the overall trust and security of social media in general. “If this were to go forward, it would risk really wreaking havoc with tourism and business travel to the US. What traveler is going to want to lay bare every intimate detail of their social media history, exposing years of their lives?”

In fact, US Customs and Border Protection has long considered US borders and airports a kind of loophole in the Constitution’s Fourth Amendment protections, one that allows them wide latitude to detain travelers and search their devices. For years, they’ve used that opportunity to hold border-crossers on the slightest suspicion, and demand access to their computers and phones with little formal cause or oversight.

Even citizens are far from immune. CBP detainees from journalists to filmmakers to security researchers have all had their devices taken out of their hands by agents.

As those intrusions become more common and aggressive in the Trump era, WIRED has assembled the following advice from legal and security experts to preserve your digital privacy while crossing American borders. But take all of these strategies with caution: Given CBP’s unpredictable and in many areas undocumented practices, none of the experts WIRED spoke to claimed to have a privacy panacea for the American border.

Lock Down Devices

If customs officials do take your devices, don’t make their intrusion easy. Encrypt your hard drive with tools like BitLocker, TrueCrypt, or Apple’s Filevault, and choose a strong passphrase. On your phone—preferably an iPhone, given Apple’s track record of foiling federal cracking—set a strong PIN and disable Siri from the lockscreen by switching off “Access When Locked” under the Siri menu in Settings.

Remember also to turn your devices off before entering customs: Hard drive encryption tools only offer full protection when a computer is fully powered down. If you use TouchID, your iPhone is safest when it’s turned off, too, since it requires a PIN rather than a fingerprint when first booted, resolving any ambiguity about whether border officials can compel you to unlock the device with a finger instead of a PIN—a real concern given that green card holders are required to offer their fingerprints with every border crossing.

Keep Passwords Secret

This is the tricky part. American citizens can’t be deported for refusing to give up an encryption or social media password, says the ACLU’s Wessler. That means if you stand your ground and don’t reveal passwords or PINs, you may be detained and your devices confiscated—even sent off to a forensic facility—but you’ll eventually get through with your privacy far more intact than if you divulge secrets. “They can seize your device, even for months while they try to break into it,” says Wessler. “But you’re going to get home.”

Be warned, however, that denying customs officials access can at the very least lead to hours of uncertain detention in a bleak, windowless CBP office. And for visa and even green card holders, the right to enter the US is far less clear. “If they truly want to come into America, then they’ll cooperate,” DHS secretary Kelly told Congress last Tuesday. “If not, you know, next in line.” If the DHS does adopt that hardline policy of privacy invasion, it could leave non-citizens without easy answers.

Phone Home

Before going into customs, alert a lawyer or a loved one who can contact a lawyer, and contact them again when you get out. If you are detained, you may not be able to access your devices or otherwise have the opportunity to reach the outside world. And in the worst case scenario of a lengthy detention, you’ll want someone advocating for your release and legal representation.

Make a Travel Kit

For the most vulnerable travelers, the best way to keep customs away from your data is simply not to carry it. Instead, like Lackey, set up travel devices that store the minimum of sensitive data. Don’t link those “dirty” devices to your personal accounts, and when you do have to create a linked account—as with iTunes for iOS devices—create fresh ones with unique usernames and passwords. “If they ask for access and you can’t refuse, you want to be able to give them access without losing any sensitive information,” says Lackey.

Social media accounts, admittedly, can’t be so easily ditched. Some security experts recommend creating secondary personas that can be offered up to customs officials while keeping a more sensitive account secret. But if CBP agents do link your identity with an account you tried to hide, the result could be longer detention and, for non-citizens, even denial of entry.

Deny Yourself Access

Better than telling customs officials that you won’t offer access to your accounts, says security researcher and forensics expert Jonathan Zdziarski, is to tell them you can’t. One somewhat extreme method he suggests is to set up two-factor authentication for your sensitive accounts, so that accessing them requires entering not only a password but a code sent to your phone via text message. Then, before you cross the border, make sure you don’t have the SIM card that allows you—or customs officials—to receive that text message, essentially denying yourself the ability to cooperate with agents even if you wanted to. Zdziarski suggests mailing yourself the SIM card, or destroying it and then recovering the accounts with backup codes you leave at home (for American residents) or keep in an encrypted account online. “If you ditch your SIM before you approach the border, you can give them any password you want and they won’t be able to get access,” Zdziarski says. He cautions, however, that he’s never tested that know-nothing strategy in the face of angry CBP agents.

Those more involved subversion techniques, warns University of California at Davis law professor Elizabeth Joh, also create the risk that you’ll also arouse more suspicion, making CBP agents all the more likely to detain you or deny entrance to the country. But she has no better answer. “There’s not that much you can do when you cross the border in terms of the government’s power,” she admits.

In fact, the issue of privacy rights for digital devices at the border remains troublingly unsettled, Joh says. While the Supreme Court decision in Riley vs. California in 2014declared warrantless searches of devices at the time of arrest unconstitutional, no case has set such a precedent for the American border—much less for non-Americans seeking those same privacy rights.

Until such a precedent is set, that border zone will remain in a kind of legal limbo. The government has the power to open bags crossing into its territory or even dismantle cars to search for contraband, she points out. “What does that mean in an age when people bring their digital devices across borders? The Supreme Court hasn’t spoken to that issue,” Joh says. “The real problem here is there’s still no good set of protections for a portal into your private life.”

Security News This Week: An IoT Teddy Bear Leaked Millions of Parent and Child Voice Recordings

Security News This Week: An IoT Teddy Bear Leaked Millions of Parent and Child Voice Recordings

IT WAS A week of could have beens and still coulds in security. We took a long look at a plan to stop rogue drones that might work great, if it’s ever legal. We looked at how Trump should spend that extra $54 billion on defense, if he insists. And we looked at Google’s end-to-end encryptionhopes for Gmail, which appear to have faded over the last three years. Oh, also, some rogue stuffed bears made a great case against the Internet of Toys.

Elsewhere, Amazon’s defending Alexa’s right to privacy in court, while the Army hopes to defend against China’s naval build-up by converting an existing weapons system into a ship-killing missile. Mass spying isn’t nearly as effective as law enforcement hypes it up to be. As for your nightmare fuel, a Slack bug could have turned into everyone’s worst nightmare, medical devices are the next big security nightmare, as is email. As, again, are a bunch of adorable, internet-connected stuffed animals.

But wait! There’s more. Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.

Millions of Internet-Connected Teddy Bears Leaked Kids’ Recordings

The internet of things’ gaping insecurities were bad enough when they applied to security cameras and connected cars. Now we’re inflicting them on our children. Motherboard reported this week that toy company Spiral Toys left two million messages recorded by its digital teddy bear brand Cloudpets exposed in a vulnerable online database, such that anyone could find the messages with the IoT search engine Shodan and listen to the messages. Worse still, the breach also included 800,000 of the devices’ credentials, like emails and passwords, not all of which were strongly hashed, according to security researcher Troy Hunt. Researchers who spoke to Motherboard also believe the data may have been accessed by malicious hackers, given that it had been overwritten twice—a sign that it might have been locked up by ransomware to extort the company. Next Christmas, maybe stick with the kind of teddy bear that doesn’t have an IP address.

Google Reveals a Severe Flaw in Microsoft’s Edge Browser

It’s been a busy month for Google’s Project Zero. Not only did Google elite team of security researchers reveal a Cloudflare flaw that nearly broke the internet last week, but they’ve now dropped a zero day in Microsoft’s Edge Browser and Internet Explorer—before Microsoft has had a chance to patch it. On Monday, Project Zero researcher Ivan Fratric published a “high severity” flaw in the browsers that in some instances would allow an attacker to run malicious code on a user’s machine when they visited a carefully crafted website, though Fratric was careful not to describe exactly the conditions necessary to exploit the flaw. The browser bug marks the second time in two weeks that Project Zero has outed a Microsoft zero day, following a Windows flaw one of its researchers revealed a week before. Google promises to give companies 90 days to fix the vulnerabilities its Project Zero team finds, but in both cases Microsoft failed to patch its bugs within that three-month window.

Peter Thiel’s Palantir Will Help Enable Trump’s Immigrant Deportations

Silicon Valley investor Peter Thiel’s cozy relationship with President Trump is more than ideological. Now software created by Palantir, the data-mining firm Thiel co-founded, will be used by Immigrations and Customs Enforcement to help round up the millions of undocumented immigrants Trump has promised to deport. The Intercept revealedThursday that ICE in 2014 gave Palantir a $41 million contract to create and maintain an intelligence system it calls Investigative Case Management or ICM. That tool, set to go into use in September, is designed to connect the dots in a vast collection of personal data collected about potential deportation targets, according to the Intercept. Government funding records describe Palantir’s software as “mission-critical” for ICE. Although Palantir’s deal to create ICM precedes Thiel’s public support for Trump’s presidency—which has included seven-figure donations and speaking on his behalf at the Republican National Convention—it nonetheless demonstrates how Thiel may also personally profit from Trump’s election.

Police Body Cameras Aren’t Just For Transparency Anymore

While police body cameras have been valuable tools to verify police accounts of incidents, FastCo takes a look at the ways in which they’re also evolving in ways that could undermine privacy. The latest in body cam tech includes features like face recognition and even artificial intelligence. While they’re implemented in the name of safety, they raise questions about whether body cams are in the service of the communities they monitor, or are just another way to surveil them.

Go Back to Top. Skip To: Start of Article.

Trump’s Cybersecurity Chief Could Be a ‘Voice of Reason’

Trump’s Cybersecurity Chief Could Be a ‘Voice of Reason’



Google’s security researchers disclosed details of an unpatched Microsoft vulnerability in Windows’ GDI library that allows attackers to steal sensitive data from program memory. The flaw was first addressed by Microsoft last June, but Google said the patch was incomplete. As part of its 90-day disclosure deadline policy Google Project Zero publicly disclosed the the bug Monday.

“As part of MS16-074, some of the bugs were indeed fixed, such as the EMR_STRETCHBLT record, which the original proof-of-concept image relied on. However, we’ve discovered that not all of the DIB-related problems are gone,” wrote Google engineer Mateusz Jurczyk in a technical description of the vulnerability.

Despite notification of the bug, the soonest Microsoft might release a patch for the flaw is in March; Microsoft decided to delay its monthly February security bulletins until next month.

The flaw is tied to Windows’ GDI library (gdi32.dll), Jurczyk said. In a proof-of-concept exploit, multiple bugs related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF (Enhanced Metafile Format) records created conditions where “255 pixels are drawn based on junk heap data, which may include sensitive information, such as private user data or information about the virtual address space.”

“It is possible to disclose uninitialised or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” Jurczyk said. “I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file.”

Google Project Zero, the internet giant’s bug hunting team, privately disclosed the vulnerability to Microsoft on Nov. 16. As part of Project Zero’s policy, it will notify parties of a vulnerability and after 90 days elapses the vulnerabilities become public – whether or not they have been patched by the company in question.

Microsoft did not reply to requests for comment.

Microsoft originally issued a patch classified as “important” in June to address the vulnerability. At the time, Microsoft described it as a bug that could allow elevation of privilege if a user opens a specially crafted document or visits a specially crafted website.

According to MITRE’s Common Vulnerabilities and Exposure database, the flaw (CVE-2017-0038) is a result of “an incomplete fix for CVE-2016-3216, CVE-2016-3219, and/or CVE-2016-3220.”  According to the CVE ID, impacted are Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016.

“It is strongly advised to perform a careful audit of all EMF record handlers responsible for dealing with DIBs, in order to make sure that each of them correctly enforces all four conditions necessary to prevent invalid memory access (and subsequent memory disclosure) while processing the bitmaps,” Jurczyk wrote.