Tag Archives: Border searches

Security News for the Week Ending July 30, 2021

Internet Rot Causes Porn on Legit Sites

News sites like New York Magazine and others accidentally displayed porn because they had links to the old and now gone Vidme video sharing site. Vidme went out of business in 2017 and a porn site bought the domain. Since there is no easy way for web site operators to detect that a linked site has been sold and since there are billions of old pages out there, you have the makings of an embarrassing disaster. Needless to say, the web sites fixed this little bit of rot, but there are millions of other bits of rot lurking. Credit: Wired

Ex eBay Security Boss Sentenced to 18 Months for Cyber-stalking and Witness Tampering

The former global security manager for eBay was sentenced on Tuesday to 18 months in prison and was ordered to pay a $15,000 fine for his role in the cyber-stalking and harassment of a Massachusetts couple who published a newsletter critical of the internet yard sale. Philip Cooke, a former police captain before joining eBay, was the last of 7 charged in a scheme to threaten and silence a couple who wrote a blog that was negative about eBay. eBay executives say that they were not aware of the tactics, but… really? Credit: The Register

9th Circuit Limits Feds’ Confiscation of Electronics at the Border

The 9th Circuit Court (covering Alaska, Arizona, California, Guam, Hawaii, Idaho, Montana, Nevada, Mariana Islands, Oregon and Washington) issued a ruling that severely limits what border agents, who until now have had a complete free-for-all with your digital devices, can search for without a warrant. They can ONLY search for digital contraband such as child porn. Under the Trump administration, CBP had a blacklist of reporters, humanitarian workers and lawyers and would regularly seize their phones and laptops under the ruse of Homeland security and copy all of their content. Assume this will wind up at SCOTUS sometime in the next 5-10 years, but in the meantime, this is the law in the western US. Credit: The Washington Times

Ransomware Up 93% in Last 6 Months Adding TRIPLE Extortion

In a report, Checkpoint Security says that overall cyber attacks are up 17% in the US and 36% in EMEA over the first 6 months of the year. But, they say, ransomware is up 93%, caused by ransomware 3.0. For those not following this, in ransomware 1.0, the crooks just encrypted your data. In ransomware 2.0, they steal it first, then encrypt it and threaten to release it if you have good backups and don’t want to pay. In ransomware 3.0, they steal it and encrypt it, but also try to get your customers, whose data they have stolen, to pay. Credit: Cyber News

DOJ Admits Hackers Got Into Emails of 27 US Attorneys’ Offices

7 months after the SolarWinds Attack was announced, DOJ now says that Russia was able to browse their emails between May and December, including sent, received and stored, and also including attachments. DOJ admits that Russia had access to at least 80% of employees’ emails in the Eastern, Northern, Southern and Western districts of New York. They also got access to emails in California, DC, Florida, Georgia, Kansas, Maryland, Montana, Nevada, New Jersey and 6 other states. Credit: Bleeping Computer

Security News for the Week Ending November 15, 2019

Bugcrowd Paid Over $500,000 in Bug Bounties in Just One Week

Bugcrowd, the crowd-sourced bug bounty management company, paid out over $500,000 in just one week for bugs that researchers found and paid out $1.6 million in October to over 550 hackers, representing 1,800 submissions.  Of those, 327 were categorized as priority 1.  These payouts are an additional way for companies to do software testing beyond what they do internally.   Since only a small percentage of companies pay bug bounties, how many other software platforms still have unfound major bugs because the researchers go where the money is?  Source: Bleeping Computer.


National Privacy Bill Introduced

I may have to eat these words.  But I doubt it will become law.  HR 4978, the Online Privacy Act, has been introduced.

The sponsors say it is to address the appalling lack of digital privacy rights in the U.S. due, they say, to the U.S. being in the pockets of the marketing lobbies that have a vested interest in not protecting your privacy rights because they profit from selling your data.

You, of course, get “free” services because you are the product.

The bill would create a U.S. Digital Privacy Agency and give you rights similar to what Europeans and residents of many other countries already have.  Any bets on whether it becomes law?  Source: The Internet Patrol.


Bug Hunters Earn $195,000 for Hacking TVs, Phones and Routers

White Hat hackers at Pwn2Own Tokyo earned a total of $195,000 in just the first day of the event.   They successfully hacked a Sony TV, an Amazon Echo, a Samsung TV and other “IoT” devices.  Just shows that IoT devices are not so secure.  Source: Security Week


Court Rules The Fourth Amendment Applies, Even to the Government

A Massachusetts court has ruled that Customs and ICE need “reasonable suspicion” before searching a citizen’s computer or phone at the border.  This is, of course, the complete opposite of what Customs and ICE currently do, which is that they can search anything, any time for any reason.  The case is likely to be appealed to the Supremes, so stay tuned.  Source:  The Register


Trusted Platform Module (TPM) Fails with TPM-Fail Attack

The TPM is supposed to be a vault that protects your encryption keys, but researchers have found two new vulnerabilities that allow attackers to gain access to those keys. Practical attacks show that they have been able to recover encryption keys from the TPM in as little as 3 minutes, depending on the key type.  Not only does this affect computers, but it also affects many IoT devices that have security.  There are patches available from the TPM vendors.  Source: Bleeping Computer.

DHS Issues New Rules For Searching Electronic Devices

In 2015 some 380 million international travelers arrived in the U.S. and only 8,503 of those travelers had their electronic devices searched – only .002 percent.  That is a pretty small number.

In 2016 there were 390 million international arrivals and CBP examined the devices of 19,033 of them – a little more than double the number from the prior year.  Still it is a very small number.

In the first half of FY 2017 14,993 travelers had their devices searched.   Assuming the second half of the year matches the first half, just about 30,000 travelers will have their devices searched.  That will be about 350% of the 2015 numbers.

Of course there is no way to extrapolate what that means for 2018, but if the trend continues, it will likely increase.

One of the complaints that people have expressed is that there are no obvious rules governing whether a device can be searched.  With all kinds of personal and sometimes embarrassing content on people’s phones and computers, DHS has decided to publish some general guidelines.  Far from rules, but better than what was known before.

The Supremes have ruled in the past that Customs does not need either a warrant or reasonable cause to search your devices.  If you are a U.S. citizen you can’t be denied entry into the country if you refuse to unlock your device, but if you are NOT a citizen, they could send you back to where you came from.

In both cases they can detain you for a while – no definite time, which may encourage you to cooperate.

And, they can also search your device when you leave the country, but I suspect that is much less frequent.

The right to their arbitrary searches is rooted in the Constitution and was based on the concept of looking through your luggage for contraband.  Extending that to your phone seems like a bit of a stretch, but the Supremes have weighed in and said it is OK.

Under the new rules, agents can search information stored ON the device, using the software on the device.  This, in theory, says that they can’t read your GMail by opening your Mail app since that is not stored on your phone – or maybe it is.  The way they have decided to deal with that is either CBP agents will ask you to put the phone in Airplane mode or if they don’t trust you to do that, they will do it for you.

Unless they have reasonable suspicion – whatever that means.  Then they can use advanced search techniques – which I assume means that they can use forensic tools.

They can ask you for your passcode and detain a device that is encrypted (and, I assume, that you won’t decrypt).

The document also says that agents should take care not to make changes to the device.  I assume that the first thing someone would say if CBP claims they found something incriminating is that it was planted.  Advanced searches should be done in the presence of a supervisor, if available.  Searches should also be done in the presence of the device owner unless there are reasons not to allow this.

If the device owner says that information on the devices is protected by attorney-client privilege, the agent is supposed to ask for clarification as to what specific files or folders contain that information.  Prior to searching  those folders, the agent has to contact the CBP assistant chief counsel, who will coordinate with the U.S. Attorney’s Office on how to proceed.  While they will still search that information, they will segregate it so that it might, possibly, be better protected.

At the completion of the CBP review, any copies of information will be destroyed unless they need to be preserved in accordance with a litigation hold.

All of this process needs to be documented on specific CBP forms.  That alone will probably discourage agents from poking around.  Filling out government forms is no fun.

Business confidential and trade secret information needs to be protected as well.

All of that information can still be shared with other agencies as long as they have processes in place to protect it – undefined processes.

If they ask for your passcode and you give it to them, they may keep those passcodes in case they need them later.  Another reason not to reuse passwords.

If the device owner will not unlock the device, CBP can try to break into it.

Officers may detain devices and/or information on them for a reasonable period, usually 5 days, but that can be extended for a week at a time with approval, if needed.

If CBP keeps your device, they need to give you a receipt.

If CBP needs to get assistance from another agency for breaking into the device or evaluating the information on it, they need to get a supervisor’s approval and they need to tell the owner unless the purpose for sharing is counter-terrorism related.

So what should you do?

That kind of depends on your level of paranoia and what is stored on your device.

In general, try to avoid taking sensitive or embarrassing information across the border.  For many companies, that means issuing burner phones and burner laptops (this is actually a more common practice than you might think).  Upload encrypted data to the cloud before crossing the border in any direction and wipe and overwrite the files off the local device.

If CBP retains the device or takes it out of your sight, depending on your level of paranoia and the sensitivity of your mission, assume the device is compromised or bugged and treat it accordingly.

Mostly, it depends on your view of what is on the device and how much you trust or distrust the government.

Given the government’s inability to keep much of anything confidential, I would not assume that the government should be counted on to protect anything that they observe or copy.  This is not because they are evil, but because they are part of a large bureaucracy.  Large scale operations have some benefits, but privacy is not one of them.

Overall, it is a good, small, step forward that they have documented these rules, but there are a lot of loopholes in them.

Remember that this is coming from someone who is way more paranoid than the average bear, so take that into consideration.

Information for this post came from CBP and CNN.

General Kelly Admits US Citizens Risk Having Their Cell Phones Seized At The Border

Back in April, General Kelly, Secretary of the Department of Homeland Security, in Congressional hearings said that non-citizens might be detained or denied entry to the US if they didn’t let Homeland Security rummage through their electronic devices and maybe even make copies of them at the border.  He seemed to indicate that this wasn’t true for citizens.

This week General Kelly was back on Capitol Hill in front of the Homeland Security Committee and under intense questioning from Senator Rand Paul (R-KY), he had to admit that it really didn’t matter whether you were a citizen or non-citizen, DHS reserved the right to detain you and rummage through, make copies of or even seize your electronics at the border.

While DHS had asked for access to cell phones for years, the concern is that it has been scaled up and U.S. citizens are getting caught in the situation.

Kelly said that less than 1 percent of the people coming through customs every day get their phones searched.  At a million people coming through customs on an average day, that means that as many as 10,000 of them might get their phones snagged.  That is still a pretty big number.

When Senator Paul tried to pin down General Kelly about what circumstances might cause someone like the NASA engineer returning home from a vacation in Chile in January to be detained in Houston, General Kelly did a bit of a dance.  Senator Paul called the search arbitrary which General Kelly didn’t like at all.  He said they had to have a reason, but he couldn’t explain what that might be.

Senator Paul said that unless there were rules – rules that someone could look at   – then the search was arbitrary.

Senator Paul and Senator Wyden have introduced legislation that would require a search warrant before searching someone’s electronics.  A warrant would require DHS to convince a judge that there is probable cause.  This has always been the standard for law enforcement, just not for DHS.  DHS says that searching your phone is no different than searching your suitcase, but other people say that there is a difference in opening your suitcase and looking for, say, drugs.  After all, unlocking your phone and having DHS look through your email will not likely score a big illegal stash of drugs.

My guess is that the legislation will go nowhere, but you never know.

In the meantime, IF you are concerned, there are some simple things that you can do.

First of all, if DHS does ask to look at your phone and you opt to not agree, they can seize your phone.  If the phone (or laptop) you take across the border is a burner phone – a cheap, throwaway phone that only has minimal information, then you probably don’t care if DHS keeps it.  Consider taking a cheap Chromebook instead of your laptop.  That way there is no data stored on the laptop at all and as long as you don’t automatically log your Chromebook into those cloud services, your data is private.

Note that they will give the phone or laptop or whatever back to you eventually. However, if they do take it away from you, I would never, ever use it again because you have no clue what they might have done to the software or even to the hardware.

If you took pictures abroad and you want to make sure that you don’t lose them, upload them to the cloud before you start your return trip home.

And, DHS isn’t your only worry.  People leave thousands of laptops at airport security.  According to the WSJ, 12,000 laptops are left at airports every week and 70% of them are never reclaimed.  Not having anything important on that device has new meaning given those statistics.

If, however, you are, like the NASA engineer above, taking a work phone across the border, the situation is different.  The NASA engineer tried to explain to DHS that they didn’t have a clearance to see the information on the phone (it was NOT classified, but it was sensitive), but they didn’t seem to care.

If the phone or laptop is encrypted, it is unlikely that DHS is going to spend the effort to try and break in, but could they insert a keystroke logger in it before they give it back to you in order to capture the password?  Don’t know, but the technology exists to do that and it isn’t that expensive.

Depending on your level of paranoia, if you unlock it and they take it out of your sight (you do NOT have a right to watch them while they search your device), that is really no different than them taking it and keeping it for a while.  That phone should be considered compromised.

When that NASA engineer returned to work after being detained in Houston and unlocking his phone for DHS, NASA treated the phone as compromised.  They took it away from the engineer and gave him new toys – just too risky to keep using the ones that DHS had access to.

Think about what might be on your electronic device – it might be logged on to GMail or Facebook.  There is nothing to stop DHS from friending themselves, for example, or just looking at your posts or all of your mail.

IF you have your computer or phone set up to automatically log you in to all those cloud services, you might want to logout and tell it not to automatically log you in.

Again, all of this is a function of your level of paranoia.  If you don’t have nude selfies of yourself and your significant other on your device and you don’t have your passwords to all of your other accounts in your contacts, well, then, maybe you don’t care.

What is clear is that likely some number of thousands of people every day have to make a split second choice and having thought about what you would do under the circumstances is probably a good idea.  Based on those thoughts you can decide what electronics you want to take and not take.

Information for this post came from Newsweek.