Devices & Data Security
Juice jacking is a method of retrieving data from a smartphone when the owner plugs it in to charge the battery using the USB cables provided at a free charging station. By connecting to the charging station through a USB connection the owner is unknowingly connecting to a malicious computer hidden inside that then automatically downloads as much information from the phone as possible.
To prevent this, always be sure to use the supplied power cord and plug directly into a standard electrical outlet.
Electronic Surveillance and Eavesdropping
In many countries outside the United States, individuals have no expectation of privacy when in places like hotels, office buildings, Internet cafes, airports, or public spaces. Travelers should assume that if they have information that may be valuable to another government or company, that information will be intercepted and retained. This is especially true when utilizing wireless communications. Travelers also need to be aware that foreign intelligence services and criminals have the ability to track your movements through your cell phone. They may also be able to activate your device’s microphone even when you think it is turned off.
The Federal Bureau of Investigations shares helpful advice for securing yourself, devices and data here.
Phishing and Other Forms of Social Engineering
Foreign intelligence officers and criminals are often well-versed in pretending to be someone trustworthy in order to obtain personal or sensitive information. Travelers should avoid revealing information about the nature of their work or other personal information to individuals they do not know. This information may be solicited through a series of seemingly innocent, but probing questions.
Device Theft, Loss, or Tampering
Criminals, in addition to foreign intelligence services, often employ numerous tactics to steal and/or tamper with electronic devices brought in by travelers. Among these may be pickpocketing and the use of a distraction, which is meant to pull a traveler’s attention away from their devices long enough for an accomplice to grab the devices. In some cases, theft and tampering have been known to occur when devices are left in an unattended hotel room.
Social media is a powerful tool for staying connected, not just with friends and family, but with world events. It is also a powerful tool for sharing what’s going on in your world. Unfortunately, terrorists have also discovered the power of social media for coordinating attacks, communicating with members, and even spreading propaganda to recruit new members. As a result, the potential exists that individuals traveling to certain countries may be asked to unlock their social media accounts for inspection by local customs or law enforcement officials before being granted entry into the country. Travelers should keep in mind that many border entry points are considered areas where certain civil rights do not apply to non-citizens until entry is granted into that country. Because of this, travelers should be ready to comply with these requests or, perhaps a more desirable solution, delete all social media applications and any history of their existence from the device(s) before traveling. Typically these applications can be accessed through a web browser while traveling. Then, once back in the U.S., the mobile applications can be reinstalled on the device(s).
Familiarize yourself with your destination(s).
The U.S. State Department can provide travelers with detailed, current information about any country around the world. This information includes, but is not limited to, current travel alerts and warnings, vaccinations required for travel, the locations of American Embassies and Consulates within the country, local laws and special circumstances, and current safety and security concerns such as criminal activity.
Check with your wireless providers to ensure coverage.
Not all cellular plans will cover the use of the phone or mobile device outside the U.S. without incurring hefty fees. In advance of traveling, be sure to check with your provider to see whether your current plan will meet your needs while abroad or if you will need to alter your plan or take any other actions to help avoid a larger-than-expected bill when you get home.
Below are the links to the international travel pages for some of the U.S.’s major cellular providers. Please be aware that other options may also exist so do your research prior to traveling.
Sanitize and backup the electronic devices you will be traveling with.
You should travel with only the data and applications that you absolutely need access to while traveling. Also be aware that certain types of data and applications may be export-controlled and have federal regulations restricting them from being shared with, accessed in, or transported to certain foreign countries. For more information on export-controlled materials please visit the Export Compliance Office website.
Configure devices to maximize security while abroad.
If not already done, make sure all mobile devices have been configured to require a password, code, or other security mechanism to access the device. Passwords should follow accepted complexity recommendations, such as those given by the university’s Division of IT. If a mobile device makes use of a numeric access code, be sure to enable the longest code possible. For example, the iPhone gives users the choice between a 4-digit access code or a 6-digit code. The 6-digit code should be used because this gives a far greater amount of possible number combinations rendering it extremely difficult, or more likely impossible, to guess.
Mobile devices should also have any included security features enabled. These features may include anti-virus software, firewall, and automatic or remote wipe capabilities. Automatic and remote wipe capabilities will allow a device’s hard drive to be completely erased in the event a password or passcode is entered incorrectly a specified number of times or the device’s owner discovers it is missing and activates the wipe function from another device, respectively.
Protect data by enabling whole disk encryption and/or making use of cloud-based storage solutions.
Mobile devices often come with a feature that allows the user to fully encrypt the device’s hard drive. In many cases, this is as simple as turning the feature on. In some cases, however, full disk encryption may require the use of third-party software. Once the hard drive is encrypted all data stored within the drive will be protected from anyone trying to gain access without the proper decryption key or password. Fully encrypted hard drives are even protected in the event the hard drive is removed from the device itself, a tactic often used to attempt to bypass password protection at the operating system level. This method of encryption is more reliable than encrypting individual files because it ensures that all necessary files are encrypted so there is no need for the user to have to remember to encrypt individual files.
Users may also consider storing sensitive or critical files within a cloud-based storage solution, such as Google Drive or Box. Using this method ensures that all files remain protected from unauthorized access and that all files are available as long as the user has an Internet connection. Please be aware, however, that certain restrictions may apply when using a cloud-based solution. Some federal standards require data to be stored on servers located within the U.S. and not all cloud providers meet this requirement (i.e., they may store data on servers located in data centers in other countries).
Update your systems.
Make sure that the operating systems and any software or applications installed on the devices you are traveling with have the latest security updates and patches installed. This is especially important for security software and applications like firewalls and antivirus programs. If possible, enable the automatic update feature that is built into most software and applications and allows all updates to be downloaded and installed as soon as they are released publicly.
Do not leave your devices unattended.
Always keep devices on your person or in your carry-on luggage rather than packing them in your checked bags. Never walk away from devices for any length of time while in a public place, even if someone offers to watch them.
Keep devices in interior jacket pockets or other hard-to-reach places.
If storing devices in a backpack or other bag consider using a small luggage lock or even something as simple as a twist tie to secure zippered pockets. When sitting or standing with a bag containing your devices try and position it so you can block access to the bag and prevent the bag from being stolen.
Avoid free Wi-Fi networks and internet cafes.
Cybercriminals and foreign intelligence agencies may use these networks to spy on users’ activities and steal login credentials, credit card numbers, banking information, or other types of personal information.
Use a VPN to connect to university resources.
A VPN provides a secure connection directly to the resources you are trying to access. Similar to a tunnel, it protects your communications from outside threats found across the Internet.
Please note that due to the ever-changing political landscape around the world, some countries may place restrictions on the use of a VPN or ban the use of VPNs outright. As part of any traveler’s initial research into the region(s) they plan to travel to, special attention should be given to any existing technological restrictions that may be in place. In some cases, failure to abide by these restrictions has the potential to carry fines upwards of $500,000.
Clear your Internet browser after each use.
Delete all history files, caches, cookies, and temporary Internet files. These could be used to track your online activities or for more malicious purposes. Many web browsers and even devices now allow users to browse the Internet in a private or incognito mode, which may automatically resolve this. When utilizing this type of browsing, websites are unable to leave cookies on your device and your browsing history won’t be recorded in any way. On some websites, using a private or incognito mode may even prevent the website itself from collecting and sharing information about you, although this certainly is not the case on all sites. Please note also that the use of a private or incognito browsing mode will not protect against malware infection.
Do not allow foreign electronic storage devices to be connected to your computer or phone.
These may contain malware or may be configured in a way that allows them to automatically copy any data stored on your devices.
Do not loan your cell phone or mobile devices to anyone.
Someone may use this as an opportunity to steal your phone or they may even create a distraction that takes your attention away from your device long enough for them to steal data from it or install something on the device that allows them to track your movements and activities. Alternatively, the person may just place a phone call that is out of your service area causing you to incur a large long-distance charge.
Beware of phishing or other social engineering attempts.
While this is true any time you use technology, it may be even more prevalent when traveling abroad. These attempts may occur via email communications, telephone calls, or even in person. If it seems like someone is probing you for answers, they might be.
Disable broadcasting services on devices.
Most devices now include Bluetooth, Wi-Fi, and GPS capabilities. These services can be used by attackers to gain access to your devices or track your movements. When not actively using these services, make sure they are turned off.
Avoid accessing sensitive personal information online while abroad.
If at all possible, do not access banking or other financial websites. Try not to access other sites containing personal information you would want to remain private.
Change your passwords.
This applies not just to online accounts you accessed while abroad, but also to the devices themselves. If you checked voicemail while traveling then also be sure to change that password or access code.
Run a full system antivirus scan.
Make sure your antivirus software is up to date and then run a full scan of your device.
Monitor your accounts for suspicious activity.
This will include banking accounts as well as online accounts. Hopefully, by following the guidance above, this will prove to be quite uneventful.
If a device containing university data is lost or stolen while traveling abroad please report it immediately as you would a potential data breach. Please refer to the guidance provided by the Division of Information Technology’s IT Security Office on how to handle and report security incidents if you are not familiar with this process. Additionally, if a device is stolen, contact the local U.S. Embassy or Consulate to report the theft.
If a personal device known to not contain university data is stolen, report it immediately to the local U.S. Embassy or Consulate.