How Travelers Can Protect Their Data

I used to travel quite extensively around the country, and even had the opportunity to leave the country and go abroad. My laptop was always with me. As a result, I was very concerned about the integrity and safety of my data, so I took the precautions that travelers can take when their laptops are with them. This post is hopefully informative should you decide to travel with your faithful friend (I call my laptop "Kratos", after the Greek god who always did Zeus' will and bidding).

First, a disclaimer. This post is not meant to be a sure method for defeating attackers. Rule number one in computer security is that if an attacker has physical access to your machine, all bets as to data integrity and physical safety are off. However, that doesn't mean you can't make the process so tedious and time consuming for the attacker that he will likely not bother and move on to another victim. This post is about those methods. If they're going to attack you, why not at least make it challenging for them?

Be aware that following this post requires wiping your disk and starting from scratch. So, if you have data on that disk, you should back it up first. If it's a new laptop, and you're not invested in the operating system, then maybe you don't need to worry about it. Just realize that from this point on, if you decide to "follow along" with your own equipment, this will wipe your data, and if you didn't back up your data first, you're the moron, not me.

Okay, with that out of the way, shall we continue?

Step One: Prepare your hard drive
The goal of this step is to install an encrypted filesystem. Before we do that, we need to do some preparation: you will need to write random or pseudorandom data to the entire disk. This will take some time. My experience has shown that laptop drives usually write at around 30 MB/s, so if you have a 300 GB drive, this will take you just under 3 hours. The reason for doing this is to hide from the attacker exactly where the encrypted filesystems reside. If the entire disk is underlaid with random or pseudorandom data (it doesn't necessarily need to be cryptographically secure here), then at the drive level it will be practically infeasible to determine where the encrypted filesystem starts and where it ends. If you skip this step, the boundaries are obvious, and rather than waste his time on the entire disk, the attacker can focus his efforts on just the encrypted portions of the disk.

Now, some tools for installing encrypted filesystems already have this step built in, such as the Debian installer, but some don't. You'll need to check your vendor's documentation to see if this is the case. I would say it doesn't hurt to be safe and take this step anyway, but it's up to you.

There are many utilities for writing random or pseudorandom data to a drive. Probably the best tool is DBAN, or Darik's Boot and Nuke. This utility is generally used for destroying data, but in this case we'll use it for preparing the disk. Download the live CD, burn it, and reboot your machine. I would recommend selecting "PRNG Stream" from the menu. This will normally write pseudorandom data to the disk 4 times. However, it shows a progress report on the number of passes, so after it completes its first pass, you can reboot. It's important to note that selecting "Quick Erase" will do a single pass of zeros. This isn't what we want. We're trying to deter attackers by not giving them the boundaries of our encrypted filesystems; if you choose "Quick Erase", you'll be clearly showing them where those boundaries are. As tempting as it may be, don't select it.

If you're familiar with Linux live CDs, you can boot into a live environment, such as KNOPPIX, pull up a terminal and run the following, assuming the drive you're preparing is /dev/sda (the large block size makes dd considerably faster than its 512-byte default):

dd if=/dev/urandom of=/dev/sda bs=4M

The point is getting random or pseudorandom data down on the entire disk. How you accomplish that is up to you.

After a few hours (depending on the size of your drive, and whether you cancel the operation after a single pass of PRNG Stream), you are ready to reboot into your operating system installer, if it provides the ability to encrypt the filesystems, or into a separate utility for doing so.
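As an added example (these are not the post's own commands), here is a small POSIX shell script that does the Step One fill with dd and then spot-checks the result, so you know the random fill actually reached the end of the disk before you install over it. It assumes GNU or BusyBox coreutils and is demonstrated on a constructed image file rather than a real drive.

```shell
#!/bin/sh
# Added example, not from the original post: write pseudorandom data over a
# whole disk (Step One) and then spot-check that the fill really covered it
# before installing the encrypted filesystem on top. Assumptions: GNU or
# BusyBox coreutils (dd, head, tr, wc, blockdev). Try it on a plain image file,
# as the demo below does, before ever pointing it at a real /dev/sdX.
set -eu

# Size in bytes of a block device or of a regular image file.
dev_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        echo $(( $(wc -c < "$1") ))
    fi
}

# Step One: overwrite the entire target with pseudorandom data. head -c bounds
# the copy at the target's size (so an image file is not grown forever), and
# bs=4M is far faster than dd's default 512-byte blocks.
fill_random() {
    size=$(dev_size "$1")
    head -c "$size" /dev/urandom | dd of="$1" bs=4M conv=notrunc 2>/dev/null
}

# Spot-check: read SAMPLES evenly spaced 4 KiB blocks (first and last included)
# and print how many are entirely zero. A disk that was never filled, was given
# DBAN's "Quick Erase" pass of zeros, or whose fill was cancelled early shows
# zero blocks; a completed PRNG fill shows none (a random 4 KiB block being all
# zero is vanishingly unlikely). Sampling can miss small gaps; raise SAMPLES to
# look harder.
zero_blocks() {
    dev=$1
    samples=${2:-64}
    blocks=$(( $(dev_size "$dev") / 4096 ))
    [ "$blocks" -gt 0 ] || { echo "target smaller than one block" >&2; return 2; }
    [ "$samples" -gt "$blocks" ] && samples=$blocks
    zeros=0
    i=0
    while [ "$i" -lt "$samples" ]; do
        if [ "$samples" -gt 1 ]; then
            blk=$(( i * (blocks - 1) / (samples - 1) ))
        else
            blk=0
        fi
        # Strip every NUL byte; nothing left means the block was all zeros.
        kept=$(dd if="$dev" bs=4096 skip="$blk" count=1 2>/dev/null | tr -d '\000' | wc -c)
        [ "$kept" -eq 0 ] && zeros=$(( zeros + 1 ))
        i=$(( i + 1 ))
    done
    echo "$zeros"
}

# Succeeds (exit 0) only when no sampled block is all zeros.
fill_ok() {
    [ "$(zero_blocks "$1" "${2:-64}")" -eq 0 ]
}

# Demo on a constructed 8 MiB image file; no real disk is touched.
demo() {
    img=$(mktemp)
    dd if=/dev/zero of="$img" bs=1M count=8 2>/dev/null    # what "Quick Erase" leaves behind
    echo "all zeros:    $(zero_blocks "$img" 32)/32 sampled blocks are zero"
    head -c 4194304 /dev/urandom | dd of="$img" conv=notrunc 2>/dev/null   # fill stopped halfway
    echo "half filled:  $(zero_blocks "$img" 32)/32 sampled blocks are zero"
    fill_random "$img"
    echo "fully filled: $(zero_blocks "$img" 32)/32 sampled blocks are zero"
    rm -f "$img"
}

demo
```

On a real drive, `fill_random /dev/sdX` followed by `fill_ok /dev/sdX 256` is the whole check; a non-zero count means the fill did not cover the disk and the boundaries of what you install next will show.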

Step Two: Set up volumes or partitions and encrypt
With the Debian installer, and most GNU/Linux installers, you can set up your partitions or logical volumes, then tell the installer to encrypt them, even with some options on the cryptography. When you've defined your filesystem boundaries (I'm not going to cover that here) and you're ready to encrypt, you'll inevitably be required to type in a username and passphrase. Some encryption utilities use this passphrase as a seed for the encryption algorithm, so the stronger the passphrase, the stronger the seed, and thus the less likely an attack on the filesystem will succeed. So, choose wisely and choose securely.

Step Three: Install the operating system
Whether it's Windows, Mac, Linux or any other operating system that supports encrypted filesystems, you're now ready to install it. Follow the operating system's installer to the end, reboot, and make any additional final preparations to your computer before putting down the data. At this point you should be able to boot the computer, provide the necessary username and passphrase, and use your operating system as normal. If not, you'll need to spend some time with your operating system's documentation or the encrypted filesystem's documentation to get to that point. This post isn't about that, so Google might be your friend here.

Okay, so now we have a usable operating system running on top of a fully encrypted drive. If we stopped here, we wouldn't be making things very challenging for the attacker, and we want to. So, we're going to start adding some hurdles along the way. If the attacker has the stamina, then so be it. I'm guessing that most attackers, when faced with each of these hurdles, won't bother, and will move on to their next victim rather than waste time trying to figure out how to get from Point A to Point B.

Step Four: Password protect your BIOS
This will vary widely by hardware, so consult your vendor's documentation on how to get into your laptop's BIOS and set an administrator password; most modern BIOSes provide this functionality. When you find it, go ahead and set the password. It can be whatever you want. I would recommend making it hard to guess, but it doesn't really need to be on the same level as the encryption passphrase you provided earlier. Just don't make it vulnerable to a dictionary attack, and you should be good. Don't reboot. Stay in your BIOS for the next step.

Step Five: Change your boot order to boot off the hard drive first
The reason for setting the administrator password in the BIOS was so we can tell the BIOS that we always want it booting from the hard drive first, rather than from the floppy, CD-ROM, network or USB. This step is necessary to hopefully avoid the Evil Maid attack, something I've already blogged about here. In summary, in the Evil Maid attack the attacker boots your computer from a USB stick or CD-ROM, replaces your bootloader with a custom bootloader containing a keylogger, and powers down. Then, when you boot your machine and enter the encryption passphrase, it gets stored on disk, or sent over the network to a remote server. After you leave your laptop a second time, the attacker comes back to your computer, boots off the hard drive, provides the newly discovered encryption credentials, and steals your data.

So, if your laptop is BIOS password protected to only boot from the hard drive, this is a good deterrent. Why? Well, in order to remove the password from the BIOS so they can boot from some other medium, the attacker will need to disassemble the laptop to get to the motherboard and flash the BIOS. This is easier said than done on laptops. Have you ever taken your laptop apart? I have. I've taken apart both my old HP Pavilion and my current ThinkPad T61. They're a royal pain, and extremely time consuming.

A good attacker will be paranoid about time. They don't want to get caught. If it means spending 3 hours disassembling a laptop just to flash the BIOS so they can install their custom bootloader and keylogger, chances are high they'll move on to another victim. That's not to say that no attacker can do this, or that none will have the time and find your data valuable enough. Maybe the attacker is skilled at disassembling Dell, Lenovo and HP laptops, so it's only a 30 minute inconvenience that he knows he can handle. But maybe not. At least this is a moderately challenging task, and I'd be willing to bet most attackers won't bother.

Step Six: Physically lock down your laptop or take it with you
Again, this is just another deterrent, but locking your laptop down to a secure location could provide enough of a challenge to deter physical theft, should all efforts at getting to your data fail. After all, there is value in the hardware itself; eBay is probably making a killing off such scenarios without knowing the specifics. This doesn't mean the attacker isn't skilled at lock picking or doesn't have a strong set of bolt cutters with them. However, if removing the laptop from the premises takes enough time and effort, the attacker likely won't bother, and will move on.

With that said, I had my car broken into once. They were after my stereo. Thankfully, they were caught in the act, and found guilty in court of seven counts of theft and property damage, among other things. However, in the car before mine, they couldn't successfully remove the deck from the dash. It was bolted down. So, out of frustration, they physically destroyed the deck and the dash; not as a side effect of trying to remove it, but out of anger at not succeeding. Your laptop may fall victim to such physical damage.

So, if you can carry it with you, you probably should. When I was on the road, I took my laptop with me everywhere I went for fear of physical damage or theft. I would take it with me to dinner. I would take it with me to events. I would take it with me sightseeing. I was paranoid. Sure, I ran the risk of damaging it while traveling with it, but I know how to treat the bag carrying my laptop. At least then I'm somewhat in control. Further, an attacker can't attack what isn't there. But when I couldn't take it with me, I would lock it down securely and hope it remained intact when I returned.

Step Seven: Remove the data and/or encrypt it a second time
Many operating systems support encrypting directories and files on top of the filesystem itself. This means you can have an encrypted directory in your home folder where the valuable data resides. Should the attacker successfully get access to your encrypted filesystem, then if you chose a different passphrase for your encrypted directory, hopefully they won't get access to that.

But keeping that sort of sensitive data on the drive might not be wise, even if it is encrypted. So, it would be best to keep that data on an encrypted USB disk. Your only concern then is making sure you don't lose that drive. Even if it isn't stolen, lost data still sucks. Backups help here.

At my place of employment, we're developing a virtualization solution where all the developers will have virtual desktops in our datacenter. The idea is to keep the data off the developers' laptops. So, when they log in to their laptop, they then must log in to the VPN, then use RDP or SPICE (yeah, we're deploying RHEV) to log in to their remote desktop, and work from there. At this point, the laptop becomes a mere dumb terminal, not storing a single piece of data, not even email. There are concerns, like if the developer doesn't have Internet access, or if the datacenter is compromised, but from a traveling perspective, keeping the data off the traveling laptop is a net win. Some hotels might have crappy Wi-Fi, but at least security has come first, and the data is safe.

Appendix A: Learn how to remove and restore your bootloader
This is a crucial skill, I think. It doesn't really fit into the above steps per se, so I've added it as an appendix. The idea is simple. When traveling from another country to the United States, the Department of Homeland Security thinks it's fun to ignore the Constitution and seize and search your laptop without a warrant. Bruce Schneier has covered this extensively, so I'll let you read up on his posts about the topic. If you're running an encrypted filesystem, they can detain you until you provide them with the passphrase, at which point they can image your drive, keeping your data. This is wrong on so many levels, but you have a good deterrent: wipe your bootloader before landing.

When I traveled to Canada for training, I was already aware of the DHS doing this at customs. So, before being required to turn off my laptop for landing, I wiped the bootloader, and prepared a script in my mind should the DHS want me to power on my laptop. I was resolved that I wouldn't lie, as that would be perjury, but I would dance around the issue as best I could. The script would go something like this:

Agent: Can you power on your laptop please?
Me: Sure, but while on the road, something happened, and it will no longer boot. It says it's missing an operating system. I'm hoping to get it fixed when I get back to the office.
Agent: Will you power it on anyway please?
Me: Sure.
(I power on the computer, at which point, it behaves exactly as described.)
Agent: Okay, thank you. Carry on.

When I was returning from my Canada trip and passing through customs, the agent asked me to remove the laptop from my bag and open it. I was already prepared with a removed bootloader, and my heart was racing to go through the script. When I opened the laptop, he proceeded to swab it, looking for traces of explosives. When he was satisfied, he said thank you, I put the laptop back in my bag, and was on my way. I was a bit bummed that I didn't get to beat the DHS at their own game, but relieved at the same time that I didn't miss my flight home.

After I was on US soil, I booted off a rescue CD, restored my bootloader, and was able to boot back into my Debian install without trouble. This takes some practice and know-how, but I think it's really quite worth it should that scenario ever present itself. Of course, who knows what would happen? Maybe I would be detained until they could fix the problem with my laptop, at which point I would still be required to turn over the passphrase, and they would image the disk. Who knows? Still worth a shot, and it's easy to do if you know what you're doing. Just don't lie.
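As an added example (not the author's own procedure), the following POSIX shell functions show the mechanics of the removal and restore on a legacy BIOS/MBR disk: save the 440 bytes of boot code, zero them, and write them back, leaving the partition table and disk signature untouched. The demo works on a constructed image file; the device path and the 440-byte layout are assumptions about a GRUB/MBR setup like the one described.

```shell
#!/bin/sh
# Added example, not from the original post: back up, wipe and later restore
# the boot code in a disk's master boot record, so the laptop gets no further
# than the BIOS until you put the boot code back. Assumptions: a legacy
# BIOS/MBR layout like the post's 2010-era GRUB install; only the 440 bytes of
# boot code are touched, the disk signature and partition table (bytes 440-511)
# stay intact, so the partitions and the encrypted data on them are untouched.
# Run it on a constructed image file, as the demo does, and against /dev/sdX
# only from a rescue CD.
set -eu

BOOTCODE_BYTES=440   # MBR: 0-439 boot code, 440-443 disk id, 446-509 partition table, 510-511 0x55AA

# Save the boot code somewhere off the laptop (USB stick, online backup).
backup_bootcode() {   # backup_bootcode DISK BACKUP_FILE
    dd if="$1" of="$2" bs=1 count="$BOOTCODE_BYTES" 2>/dev/null
}

# Zero the boot code. The BIOS still sees the 0x55AA signature but jumps into
# 440 bytes of zeros, so no loader and no OS ever runs; what the firmware then
# displays or does varies by machine.
wipe_bootcode() {     # wipe_bootcode DISK
    dd if=/dev/zero of="$1" bs=1 count="$BOOTCODE_BYTES" conv=notrunc 2>/dev/null
}

# Put the saved boot code back (the post does the same job from a rescue CD).
restore_bootcode() {  # restore_bootcode DISK BACKUP_FILE
    dd if="$2" of="$1" bs=1 count="$BOOTCODE_BYTES" conv=notrunc 2>/dev/null
}

# Exit 0 when the first 440 bytes are all zero, i.e. the boot code is wiped.
bootcode_is_wiped() {
    [ "$(dd if="$1" bs=1 count="$BOOTCODE_BYTES" 2>/dev/null | tr -d '\000' | wc -c)" -eq 0 ]
}

# Exit 0 when the boot code on DISK is byte-for-byte equal to BACKUP_FILE.
bootcode_matches() {  # bootcode_matches DISK BACKUP_FILE
    dd if="$1" bs=1 count="$BOOTCODE_BYTES" 2>/dev/null | cmp -s - "$2"
}

# Bytes 510-511 as hex; "55aa" means the MBR signature survived the wipe.
mbr_signature() {
    od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n'
}

# Demo on a constructed 1 MiB image: stand-in boot code, valid signature, no real disk.
demo() {
    img=$(mktemp)
    bak=$(mktemp)
    dd if=/dev/zero of="$img" bs=1M count=1 2>/dev/null
    head -c "$BOOTCODE_BYTES" /dev/urandom | dd of="$img" conv=notrunc 2>/dev/null  # fake boot code
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null          # 0x55 0xAA
    backup_bootcode "$img" "$bak"
    wipe_bootcode "$img"
    echo "after wipe:    wiped=$(bootcode_is_wiped "$img" && echo yes || echo no) signature=$(mbr_signature "$img")"
    restore_bootcode "$img" "$bak"
    echo "after restore: matches backup=$(bootcode_matches "$img" "$bak" && echo yes || echo no)"
    rm -f "$img" "$bak"
}

demo
```

Practise the round trip on the image until it is routine; the backup file is what makes the restore trivial, so keep it where losing the laptop does not lose it too.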

Appendix B: Stay with your belongings through metal detectors
Again, this is something that doesn't really fit in the steps above, so it's in the appendix as well. When you enter an airport and your belongings have to go through the X-ray, there is an attack to steal laptops that is rather trivial and easy to set up. All it requires is three people: two attackers and the victim.

The attackers find a victim with a laptop (or a bag obviously carrying a laptop) they want. They both position themselves immediately in front of the victim when standing in line to go through security. By the time the first attacker reaches the metal detector, the victim has likely placed their personal belongings on the belt to go through the X-ray machine. The first attacker goes through the metal detector without a problem. He waits at the end of the conveyor belt to get his belongings as well as snatch the laptop. The second attacker, however, causes problems going through. Every time he attempts to go through, something in his pockets, or otherwise, sets the detector off. Now, generally it only takes 2 or 3 attempts before the agent will just get his magic wand and swipe him down from head to foot. But two or three attempts is all the time that is needed for the victim's bag or laptop to go through the X-ray, at which point the first attacker takes the computer and disappears into the crowd before the victim has even had an opportunity to get through. It's sneaky, it's effective, it's fast and it's clean. Further, the TSA isn't keeping track of whose belongings belong to whom. For all they know, that was his laptop, not yours.

How do you avoid this attack? When I traveled, I stood at the X-ray machine with my hand on my laptop bin, and I sent it through at the same time I went through. I never gave it a chance to get ahead of me. This would slow down the line a bit sometimes. In fact, I would let people go ahead of me while I waited. I took no chances. I'll go through the metal detector faster than my laptop will go through the X-ray, so I can wait for it to come down the belt right into my own hands. It requires a bit of patience and stubbornness, but I think it's worth it. You'll likely never bump into the cranky people behind you again, so no biggie.

So, there you have it. Those are the procedures and steps I would take when traveling with my laptop. I would recommend the same to you. Really, it boils down to determination, knowledge and a bit of luck. You can avoid the worst if you are sufficiently paranoid. There's nothing wrong with taking extra precautions to protect your data and your laptop from theft or damage. Of course, these steps aren't bulletproof, and everything comes at a cost. There might be a slight inconvenience to the traveler in jumping through some of these hoops. But what is it worth? If the cost of the inconvenience outweighs the cost of the data, then some or all of these steps might not be necessary. If the cost of the data outweighs the cost of the inconvenience, then I would say stick to each step religiously. That's just me.

{ 16 } Comments

  1. Roger | January 3, 2010 at 11:20 am

    One step you missed out is that many BIOSes let you set a hard drive password. That password is stored in the drive itself and is part of the IDE/ATA specification. The password has to be provided to the drive on power on, no matter where the drive is plugged in.

    Without this step the bad guy doesn't have to crack your BIOS password - they can just pull your drive out (trivial on most laptops), plug it into another machine, clone the drive contents, put the drive back and you'd be none the wiser while they can take as long as needed to crack your passphrase on the duplicate drive.

    This will provide yet another hurdle to any bad guy. (You may remember that this was something the original Xbox used to do, so hackers had to keep the drive powered on while moving it between the Xbox and their systems.)

    Something else that may be useful is to have an automated script that emails a gmail account/twitters or something similar every hour with IP address+traceroute and similar details. This won't prevent the machine from being stolen, but if it is and they manage to boot into it then you'll at least know that has happened and may have sufficient information to track them down.

  2. Tony Yarusso | January 3, 2010 at 3:40 pm

    Minor point: It's not perjury to lie to a customs officer, as you are not under oath. It is still illegal; just not perjury. (Although it's unlikely that you would be prosecuted for this without some other, larger charge first, but it's still better to refuse to answer than to give a false answer.)

  3. YaManicKill | January 3, 2010 at 4:35 pm

    Just a quick thing about the evil maid attack. If they do manage to open up your laptop and flash the BIOS to get the firmware on that... would you not realise when you boot it up and don't have to type in your BIOS password?

    So having a BIOS password would get rid of the evil maid attack.

  4. Aaron | January 3, 2010 at 8:17 pm

    @Roger Ah yes, the hard drive password. I forgot about that. I should add that as an update to the post. Definitely worth mentioning.

    @Tony Yarusso Tomato tomahto. 🙂

    @YaManicKill Well, that depends on the BIOS. Some passwords won't prevent the system from booting, others only prevent modifications to the BIOS or boot order. So, it may or may not get rid of the evil maid attack depending on your BIOS configuration.

  5. Janne | January 3, 2010 at 9:54 pm

    A perhaps better way is to save your old laptop when you get a new one, or get an old one cheap from some second-hand source.

    Put a new but cheap drive in it, install the default OS, and then only add the public data (your presentation, for instance) that you need for the trip. No personal info, no passwords, no confidential or non-public data of any kind.

    Then leave it password unprotected, with no encryption or anything. Completely open, easily accessible, but without any data of any value whatsoever. And since it's an old, crufty piece of semi-junk, it doesn't even matter if someone is daft enough to steal it since the hardware is worthless and easy to replace anyhow.

    Anything non-public you need to get access on the road, you do through ssh or similar to your real machine safe at home. And if you lose the old laptop, you have an otherwise clean memory stick with the public data you need with you (for presentations, bring it in odb, ppt and pdf formats, and any movie clips as separate files), something you should have in any case.

    Make sure you really have nothing at all to hide, and nobody can argue with you when they come away empty-handed.

  6. Tony Yarusso | January 4, 2010 at 12:27 am

    @Aaron Hey, if I stopped being pedantic people might start to worry. 😉

    @Janne That was basically Schneier's suggestion.

  7. Martin | January 4, 2010 at 2:51 am

    Instead of wiping the boot loader so that the laptop does not boot, thereby attracting attention, would it not be better to be stealthy by setting the machine to boot into an ordinary-looking Windows system from a separate non-encrypted partition?

  8. Aaron | January 4, 2010 at 5:22 am

    @Janne That's the point of developing in a virtual desktop behind your work VPN. If there's nothing on your laptop, there is nothing that is lost if the laptop is stolen or the drive is imaged. I think more and more companies will be taking this route with their employees as virtualization farms become more and more commonplace.

    @Martin How would you modify the bootloader, so it boots into an unused operating system by default without attracting the attention that another operating system could be installed? I've tried this with GRUB, but have failed at every pass.

  9. | January 4, 2010 at 6:02 am

    Maybe you could keep a relatively plain windows install and simply restore its bootloader when going through customs and then restore GRUB when you're through.

  10. Aaron | January 4, 2010 at 6:40 am

    That's not a bad idea, but then you're right back to wiping and installing bootloaders, and you might as well just wipe it entirely to keep the OS from booting at all.

  11. | January 4, 2010 at 8:09 am

    @Aaron I suppose you could combine it with data security while away by putting your bootloader on a usb stick (and keeping a backup maybe available via ssh so you can make a new usb boot drive from within your "cover" os if your usb gets stolen while away) and having an innocent windows install boot up if you don't use your USB.
    Of course this does leave you open to the cover bootloader being altered, because you have to boot off USB.

  12. Fargle | January 4, 2010 at 9:53 am

    Here's a better way I discovered to be able to properly boot up your computer when asked.

    I set up my partitions with dm-crypt root partition, a swap partition that's randomly encrypted using /dev/urandom in /etc/fstab, a home partition for my "real" user account, and the rest of the drive is mounted when I want it with TrueCrypt.

    When I set up the system, I create a first account that has its home directory on the root partition, with the password the same as the boot-up dm-crypt password on the root. Then, I put some "normal" files in that account's Documents folder, and use it to set up my "real" account, which auto-mounts its separate partition (using pam-mount) as its home directory, and give it a much stronger password. Then I wipe the bash_history for the "fake" account. I also shut off the default account list on the GDM login screen. Finally I change /tmp to be a RAM disk that gets recreated every boot cycle.

    So now, if I'm asked to boot, I put in the root partition dm-crypt password and choose the "fake" account to log in with, using the same password. The system comes up and the only thing mounted is the root partition with my "fake account" files in its home directory. Looks fine to anything but the most detailed examination, which you won't get from a TSA agent with no clue; he just wants to see the system up and running.

    I think this is much better than saying "my laptop is broken", which is more likely to arouse suspicion. It hasn't been put to the test as yet, though, because I don't really travel internationally any more. If you're REALLY worried, I would use the "fake" account occasionally to surf so there's some Web history for the agent to look at.

    All this is a far cry from back in 1995 when I traveled the world with a gym bag full of computer tapes that had to be hand-inspected and nobody ever said boo about, though! Pretty sad world we live in these days.

  13. Russ | January 4, 2010 at 5:47 pm

    I would say that utilizing a USB boot would add another layer of difficulty for any maid attacker, and another layer of simplicity for you. The system can be configured to not boot at all, or to boot into some type of honey pot OS as many have suggested.

    When traveling, keep the USB stick on your person. If you are worried about going through customs, just back it up securely online. Don't bring it with you through customs. Either bring a brand new stick in its packaging, or buy one when you arrive. Boot to a live CD (or honey pot OS) and recreate the bootable USB stick.

    The USB stick would contain an encrypted copy of the key that encrypts your hard disk. An attacker would not only need a keylogger to get the password that decrypts your key, but sniff the USB traffic to obtain a copy of the encrypted key. (You would be more vulnerable while recreating the USB stick since you would be entering the passwords in order to download the copy of the encrypted USB stick, insert one time pad here for the truly paranoid).

  15. Telco Security Dweeb | January 6, 2010 at 8:27 am

    Aaron:

    Great posting, two quick comments:

    (1.) Canadian Border Services is just as bad - if not worse than - DHS, in terms of the "you have no rights, we can inspect every last bit and byte of the data on your laptop and there's nothing you can do to stop us".

    The average Canadian is just as apathetic and ignorant about privacy and security as is the average American, they all will happily believe the old lie "if you don't have anything to hide, you have nothing to worry about, when we image your laptop", if this is told to them by an authority figure (like Bush, Obama or Canadian Prime Minister Stephen Harper).

    The point is, make sure that you secure your laptop before you enter Canada, as well as when you leave it.

    (2.) Although your measures are excellent, remember that some border guards will automatically assume that "you're trying to hide something" if you can't fire up your laptop and log in to it for them. So I would recommend an alternate approach: simply set up a "dummy" account on your laptop that has nothing but recipes, documents named like "WHY I LOVE THE DHS.DOC" and so on, in its "home" (or "My Documents") folder... then log in to that account when the Border Gestapo demand it.

    Meanwhile, of course, your REAL account's data is robustly encrypted. Sure, the Border Gestapo could theoretically image it, but they could do that anyway, with your whole hard drive. Besides, most border guards are idiots, they have no idea that you can have multiple accounts on the PC (you may have to find a way to hide the account names from the GNOME login screen), and even if they do detect these, you can simply say, "sorry these are for other people, I don't even know the password for them". (Why not create a few dummy accounts and then forget the passwords for these? That way it's not a lie.)

    Know your enemy. They're on a power trip "because they can", but they're stupid. Play to their weaknesses, not their strengths.

  16. James | January 9, 2010 at 2:02 pm

    @Aaron (10): But booting into a functional operating system without any fuss looks a lot less suspicious than a machine that won't boot at all.

    I mean, a machine that doesn't boot has a much higher chance of striking someone as suspicious than a machine that boots into a generic looking Windows install. The former wouldn't even require a functional hard drive. If I were an airport inspector, the first thing I'd do with a machine that didn't boot past BIOS boot would be to rip out the hard drive and make sure it wasn't a bomb.

    The goal is for your machine to look as completely normal as possible. Attracting any attention at all is bad.
