Mitigating Over-Enthusiastic Airport Security

January 7, 2015 mitch tanenbaum

Katie Moussouris, formerly an executive at Microsoft and Symantec and now an executive at HackerOne, which as best as I can tell manages bug coordination with third parties for very large, well respected companies, tells a story about an over enthusiastic security person at Charles de Gaulle airport in Paris. She was tapped for secondary screening as her flight was boarding and the security agent asked her to turn on her laptop. While this request is unusual, it is a standard security procedure to reduce the odds that your laptop case is not just a container for a bunch of high explosives. This is a result of the 2010 actual bombs that were sent from Yemen, one found in the UK, the other in Dubai, both safely defused, thankfully.

What came next was the unusual part. The security agent asked Katie to log in to her laptop. According to Katie, customer’s very sensitive bug information was now exposed. How exposed is unclear, but there are many things that you can do to mitigate this, depending on your level of paranoia.

The first and easiest thing to do is to create a guest login on your laptop with no privileges and no access to other data on the laptop. Likely, this very simple solution would have protected Katie’s customer information since the laptop remained in her control and possession.

Next, especially when traveling internationally, consider how much information you really need to travel with and remove (and overwrite) unneeded information. You can put it back when you return.

Another option is to use a program like Truecrypt, Veracrypt or ciphershed or some similar program that allows you to create additional encrypted volumes after you login. These require an additional step of mounting an extra drive letter after you log in, but they keep your stuff isolated. Depending on your needs, you could create more than one volume for different purposes and only mount what you need when you need it. A couple of notes here. The three programs above are in different states of maturity and there are other programs that allow you to create secure containers, so these are just examples. Also, make sure that you SHUTDOWN your computer before you head for the airport and not just sleep or hibernate it; otherwise, when you turn the computer back on, those secret volumes will still be mounted.

Depending on your requirements, you may opt to make some trips without your laptop at all and just take your phone and/or tablet. What you don’t have can’t be compromised.

Finally, for the especially sensitive and paranoid among us, some large companies have travel laptops that they give people that their IT staffs load with just the minimum amount of software and data when they are traveling to certain countries. These laptops are wiped on return and if they have been out of the executives control in certain countries, they are crushed after being wiped. Like I said – depends on your level of paranoia.

Obviously, the same issues go for phones and tablets these days.

The important point is that this should be part of your risk management program and you should consciously review your policies and practices for employee’s use of electronic toys and mobile data.

Mitch