SANS ISC: InfoSec Handlers Diary Blog

Olympics Part II

Published: 2008-06-18
Last Updated: 2008-06-18 13:34:25 UTC
by Marcus Sachs (Version: 2)

On June 16th we published a short diary asking for comments about the dangers of bringing laptops, PDAs, cell phones, etc. to China if you are planning to attend the Olympics in August.  We've received a number of interesting comments and I want to share two of them with our readers.  I have not made any changes; these are cut and pasted straight out of the emails we received.  If you have any comments, you can use the comment button at the bottom of the diary entry or send us your notes via our contact page.

One reader wanting to remain anonymous said:

We are recommending our users be very aware of the devices they take with them.  We have recommended leaving all but essential electronic communications and storage devices behind, to include cellular phones with any storage capability.  Users should be aware of the presence of their equipment at all times, not leaving personal or professional equipment unattended, in a hotel room, or locker for any amount of time, and be ultimately suspicious of any portable storage device purchased, received, or given to/from another party while travelling.  This includes USB, CD, SD (other variations) or any other flash media.  I am particularly concerned with the custom trojan infections coming back through flash-based media from traveling parties, whether through their personal computers cross-contaminating professional assets, or on media that they bring into the workplace.  These trojan variants typically evade AV for up to three months, are very slow to spread, and present deep, slow infiltration into the machine whose backchannels can lead to data loss and lateral control of other machines.

Protecting the enclave from those that return to the workplace with such an infection relies on strong program whitelists ('gold disks'), standard images, and possibly mandated reimaging on return with all returning data stored to CD media, scanned, and manually reviewed for autorun.inf infection vectors prior to reintroduction.  Support for strong policy enforcement from the highest levels with crystal clear consequences is essential to prevent the enticement of easy work-arounds for returning workers.  Returning expats should have an in-briefing meeting and sign a statement indicating that they have reviewed the policy, are aware of its meaning, and have not brought back any non-company media to the best of their knowledge.  At that time, they are given a one-time opportunity for amnesty to provide anything they may have forgotten to leave behind.

This may seem harsh, but how valuable is control of company assets, core data, proprietary secrets, etc?  If you don't protect it, China has made it very clear that 'no holds barred' is fair game and they WILL take it to their full advantage.
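The reader above describes scanning returned media and manually reviewing it for autorun.inf infection vectors. The script below is an added example written for this diary; it is not code from SANS ISC or from the reader, and the two sample files in it are constructed for the demonstration rather than captured from real media. It goes slightly beyond the manual review the reader mentions: besides the obvious open= and shellexecute= directives it also catches the shell\<verb>\command rebinding plus shell=<verb> trick, which makes a plain double-click on the drive run the payload even where AutoPlay is turned off. A tolerant line parser is used on purpose, because hostile autorun.inf files are often padded with NUL bytes, junk lines and duplicated keys that make a strict INI parser fail or silently drop the dangerous line.

```python
"""Flag autorun.inf files on returned media that would launch a program.

Added example for this diary, not SANS ISC or reader code. SAMPLE_* below are
constructed inputs. Directive names follow the documented autorun.inf format.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

EXEC_KEYS = {"open", "shellexecute"}                  # run a program on insert
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)
CONTROL_BYTES_RE = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f]")  # junk padding


@dataclass
class AutorunReport:
    path: str
    findings: List[str] = field(default_factory=list)  # why it is dangerous
    targets: Set[str] = field(default_factory=set)     # programs it would run

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _directives(raw: bytes) -> List[Tuple[str, str]]:
    """(key, value) pairs from every [autorun] section; duplicates are kept."""
    text = CONTROL_BYTES_RE.sub(b"", raw).decode("latin-1")
    pairs, in_autorun = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


def _program(value: str) -> str:
    """First token of a command line, honouring a leading quoted path."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def analyze_autorun(raw: bytes, path: str = "autorun.inf") -> AutorunReport:
    report = AutorunReport(path)
    pairs = _directives(raw)
    verb_commands: Dict[str, str] = {}
    for key, value in pairs:
        if key.lower() in EXEC_KEYS:
            report.findings.append(f"{key}={value}: runs a program on insert")
            report.targets.add(_program(value))
        match = SHELL_CMD_RE.match(key)
        if match:
            verb = match.group(1).lower()
            verb_commands[verb] = _program(value)
            report.findings.append(f"{key}={value}: rebinds Explorer verb '{verb}'")
            report.targets.add(verb_commands[verb])
    # shell=<verb> makes that verb the default, so double-clicking the drive
    # runs the rebound command even when AutoPlay itself is disabled.
    for key, value in pairs:
        if key.lower() == "shell" and value.lower() in verb_commands:
            report.findings.append(
                f"shell={value}: double-click runs {verb_commands[value.lower()]}")
    report.targets.discard("")
    return report


def scan_media(root: str) -> List[AutorunReport]:
    """Analyze every autorun.inf under root (e.g. the mount point of the media)."""
    reports = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "autorun.inf":
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    reports.append(analyze_autorun(fh.read(), full))
    return reports


# Constructed samples, not taken from real media.
SAMPLE_MALICIOUS = (b"[AutoRun]\r\n"
                    b"\x00\x00\x00jUnK lIne to confuse naive scanners\r\n"
                    b"icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
                    b"open=hidden\\setup.exe\r\n"
                    b"shell\\open\\Command=hidden\\setup.exe\r\n"
                    b"shell=open\r\n")
SAMPLE_BENIGN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Driver CD\r\n"

if __name__ == "__main__":
    import sys
    reports = [r for root in sys.argv[1:] for r in scan_media(root)] or [
        analyze_autorun(SAMPLE_MALICIOUS, "constructed-malicious"),
        analyze_autorun(SAMPLE_BENIGN, "constructed-benign")]
    for r in reports:
        print(f"{r.path}: {'SUSPICIOUS' if r.suspicious else 'ok'}")
        for f in r.findings:
            print("  -", f)
        for t in sorted(r.targets):
            print("  review:", t)
```

Run it with the mount point of the returned CD or flash drive as an argument; with no argument it reports on the two constructed samples. The targets set is the hand-off list for the AV scan and manual review the reader describes. Note that icon=... pointing at an executable is not flagged on its own, since vendor media legitimately does that; the finding is reserved for directives that actually launch something.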

Another anonymous reader had this to say:

I think it might be even more useful to turn the question posed completely around... 

What do we observe foreign nationals doing when they visit/meet with us in an official capacity on our soil? 

The "us" and "our" being the USA and "official" meaning rubber-meets-the-road business/corporate critical meetings (oftentimes under multi-party/multi-lateral NDAs, to protect real intellectual property, representing tangible products, resulting from millions of name-that-currency spent on R&D). 

Having participated in a few of these meetings, of late, I can say that senior scientists and engineers employed by great Asian nations have not been bringing any laptops/notebooks/gadgets to said meetings. 

When they carry cell phones/PDAs, these are all scrupulously powered off and tucked out of sight, prior to entering "foreign" (to them) corporate campuses.  It is a parking lot ritual of sorts that I have personally witnessed. 

All notes they take are written on paper.  (As are mine, which I review and flesh out from memory as soon as the last goodbyes are exchanged.) 

Any electronic presentations they bring are on hardware write-protected USB solid state storage and the meeting's host is expected to provide the computer that will run the presentation (either PowerPoint or PDF). 

Sometimes there are only printed handouts, which may or may not be collected at the conclusion of the meeting.  (Usually handouts that are to be re-collected are uniquely marked in advance.)

Of course, every one of "us" (myself excluded) attends these same meetings with our laptop/notebook/tablet, cell phone, PDA powered on *and* wireless enabled. 

Many of the latest gee-whiz compute/communicate devices that our Asian counterparts are using day-to-day these days are not for sale on our shores.  We are oftentimes disappointed when we do not get to see these trinkets on display at these meetings. 

What many of us fail to realize is that our auspicious visitors/guests are voluntarily abiding by a scrupulous electronic quarantine, in specific situations, while on our soil. 

Whereas, too many of us tend to be electronic cowboys, with our "rigs" fully exposed, whether or not we happen to be travelling abroad. 

Food for thought???... 

The same anonymous reader had these additional comments:

For "Mark," even if his crew is using terminal services on as-is off-the-shelf stock, what about keystroke loggers and/or rootkits, on the terminal services client machine, that could be planted over-the-wire(less) and need not persist beyond a single snoop session??? 

I am a firm believer in hardening all portable compute devices, as much as they can be, whether or not they're to be taken abroad. 

As-is, from the manufacturer, all my Vista notebooks have had crap like Bluetooth and Firewire services enabled, whether or not there is an internal Bluetooth device or even a Firewire port, by default. 

Presumably, these services are pre-enabled just in case I (or anyone else) decides to plug in an USB-bridged and/or PCMCIA Bluetooth or Firewire device. 

How convenient for me...  and all of my would-be attackers. 

Why should every physical port present (or not) on a mobile compute platform be permitted to become a potentially illicit port of entry/leakage??? 

I prefer to disable everything I don't need for the job and selectively enable what I do need, as much as possible, for only while I need to use it. 

Seriously consider fully supporting (Vista) BitLocker or some other full disk encryption on business critical mobile compute platforms, as well as on removable storage.  MS does not encrypt the pagefile (although I've been told that MacOS does) and some terminal services session data will likely persist for a while in a large pagefile. 

At the very least, I say make the BadGuys(TM) work for pwnership. 

UPDATES

Another anonymous reader (nobody wants their name in these stories... interesting) wrote to remind us that the issue is not just virtual but physical too.  Hotel rooms are great places for theft, regardless of the country you are in.  The reader said:

Physical threats also include social engineering, the pumping of you for information while you're traveling and in an unfamiliar place. At a recent InfraGard meeting the FBI speaker put it very succinctly - "If you go to a bar in the US and you're totally ignored, and then you go to a bar in another country and suddenly you're a "chick magnet", something is wrong!"

Either that, or you look like chicken feed.

Another reader (again, wishing to remain anonymous) pointed out that export control laws might get a traveler in trouble.  So if you bring anything with you to another country, be mindful of your home country's laws on the exportation of cryptographic materials or other "sensitive" technologies:

The word on the street is that no one is to take anything company related to China...EVER. When we do site visits in China we leave everything behind. We are expected to use assets located at our sites for whatever we may need or if we have to take a laptop for whatever reason, it's a reimaged machine with nothing on it. Any files that we might need are forwarded to the site via secure file transfers and will be waiting when we arrive on site. We are very VERY serious about export controls/compliance and possible data leakage either by accident, hook or crook.

Another reader had some other good advice - separate your personal and business travel.  If you are going to the Olympics to conduct business, that's one thing.  But if you are going as a tourist, leave all of your gadgets at home and enjoy everything that China has to offer without being tethered to your electronic leashes.  China is a beautiful country, why spoil the fun by dragging around several bags of devices?

Marcus H. Sachs
Director, SANS Internet Storm Center
