Tag Archives: CBP

Security News for the Week Ending October 1, 2021

Women, Minorities are Hacked More Than Others

A new report, released this week, says that lower income and vulnerable populations are disproportionately affected by cyber crime. Shockingly (not), the report says that those with lower incomes, lower education and minority groups are more likely to fall victim to cyber crime. While the gap is not huge, it is consistent from question to question. Credit: Threatpost

Leaked Apple Training Video Shows It Trains Repair Partners to Disparage Third Party Repairs

Leaked videos show that Apple trains its authorized repair partners to disparage third party repair shops. While at one level this is not a surprise, at another level, as a dominant player in the market, they are going to take some serious heat over the videos. According to Motherboard, who reviewed the videos, it appears that some of the claims made are suspect. Bottom line, users need to review different choices and make an educated decision. Credit: Motherboard

Customs and Border Protection Uses Encrypted App Wickr As FBI Goes Dark

CBP is deploying encrypted messaging app Wickr enterprise wide. While the FBI lobbies Congress to ban end-to-end encryption, another executive branch department thinks encryption is pretty useful. They spent $900,000 to renew their Wickr software licenses (which is pretty reasonable for the size of the organization). Wickr is now owned by Amazon and they do have an enterprise version that can log message traffic as is required by law for CBP. It is unclear what version they are using, but it is likely that version. Credit: Vice

IKEA Admitted to Placing Surveillance Cameras in Warehouse Bathrooms

IKEA has now removed these cameras that were placed in men’s and women’s bathrooms and discovered in a warehouse in England. It is not clear whether cameras exist in other IKEA bathrooms, but the privacy commissioner’s office is likely not happy. IKEA admitted the cameras had been in place since 2015. Credit: The Register

Driverless Cars Could Generate 100 GB of Data Per Second

While predictions of driverless cars by 2020 only materialized in limited situations, driverless cars are coming and they will generate a ton of data. Test vehicles are generating between 20 and 40 Terabytes of data a day. Estimates say the average self-driving car will generate between 1 and 15 TB a day and a robotaxi might generate 450 TB. If most cars are driverless by 2030, that will create an amazing amount of data and I am sure that it will all be secure and private. Remember that these cars are collecting data on everything that they drive past – cars, buildings, roads, people, so just because YOU don’t drive a self-driving car, that doesn’t mean that one of those cars won’t catch you in a place where you should not be, doing something that you should not be doing. Credit: Cybernews

Security News for the Week Ending July 30, 2021

Internet Rot Causes Porn on Legit Sites

News sites like New York Magazine and others accidentally displayed porn because they had links to the old and now gone Vidme video sharing site. Vidme went out of business in 2017 and a porn site bought the domain. Since there is no easy way for web site operators to detect that a linked site has been sold and since there are billions of old pages out there, you have the making of an embarrassing disaster. Needless to say, the web sites fixed this little bit of rot, but there are millions of other bits of rot lurking. Credit: Wired

Ex eBay Security Boss Sentenced to 18 Months for Cyber-stalking and Witness Tampering

The former global security manager for eBay was sentenced on Tuesday to 18 months in prison and was ordered to pay a $15,000 fine for his role in the cyber-stalking and harassment of a Massachusetts couple who published a newsletter critical of the internet yard sale. Philip Cooke, a former police captain before joining eBay, was the last of 7 charged in a scheme to threaten and silence a couple who wrote a blog that was negative about eBay. eBay executives say that they were not aware of the tactics, but…..really? Credit: The Register

9th Circuit Limits Feds’ Confiscation of Electronics at the Border

The 9th Circuit Court (covering Alaska, Arizona, California, Guam, Hawaii, Idaho, Montana, Nevada, Mariana Islands, Oregon and Washington) severely limited what border agents, who until now have had a complete free-for-all with your digital devices, can search for without a warrant. They can ONLY search for digital contraband such as child porn. Under the Trump administration, CBP had a blacklist of reporters, humanitarian workers and lawyers and would regularly seize their phones and laptops under the ruse of Homeland security and copy all of their content. Assume this will wind up at SCOTUS sometime in the next 5-10 years, but in the meantime, this is the law in the western US. Credit: The Washington Times

Ransomware Up 93% in Last 6 Months Adding TRIPLE Extortion

In a report, Checkpoint Security says that overall cyber attacks are up 17% in the US and 36% in EMEA over the first 6 months of the year. But, they say, ransomware is up 93%, caused by ransomware 3.0. For those not following this, in ransomware 1.0, the crooks just encrypted your data. In ransomware 2.0, they steal it first, then encrypt it and threaten to release it if you have good backups and don’t want to pay. In ransomware 3.0, they steal it and encrypt it, but also try to get your customers, whose data they have stolen, to pay. Credit: Cyber News

DOJ Admits Hackers Got Into Emails of 27 US Attorneys’ Offices

7 months after the SolarWinds Attack was announced, DOJ now says that Russia was able to browse their emails between May and December, including sent, received and stored, and also including attachments. DOJ admits that Russia had access to at least 80% of employees’ emails in the Eastern, Northern, Southern and Western districts of New York. They also got access to emails in California, DC, Florida, Georgia, Kansas, Maryland, Montana, Nevada, New Jersey and 6 other states. Credit: Bleeping Computer

DHS Issues New Rules For Searching Electronic Devices

In 2015 some 380 million international travelers arrived in the U.S. and only 8,503 of those travelers had their electronic devices searched – only .002 percent.  That is a pretty small number.

In 2016 there were 390 million international arrivals and CBP examined the devices of 19,033 of them – a little more than double the number from the prior year.  Still it is a very small number.

In the first half of FY 2017 14,993 travelers had their devices searched.   Assuming the second half of the year matches the first half, just about 30,000 travelers will have their devices searched.  That will be about 350% of the 2015 numbers.

Of course there is no way to extrapolate what that means for 2018, but if the trend continues, it will likely increase.

One of the complaints that people have expressed is that there are no obvious rules governing whether a device can be searched.  With all kinds of personal and sometimes embarrassing content on people’s phones and computers, DHS has decided to publish some general guidelines.  Far from rules, but better than what was known before.

The Supremes have ruled in the past that Customs does not need either a warrant or reasonable cause to search your devices.  If you are a U.S. citizen you can’t be denied entry into the country if you refuse to unlock your device, but if you are NOT a citizen, they could send you back to where you came from.

In both cases they can detain you for a while – no definite time, which may encourage you to cooperate.

And, they can also search your device when you leave the country, but I suspect that is much less frequent.

The right to their arbitrary searches is rooted in the Constitution and was based on the concept of looking through your luggage for contraband.  Extending that to your phone seems like a bit of a stretch, but the Supremes have weighed in and said it is OK.

Under the new rules, agents can search information stored ON the device, using the software on the device.  This, in theory, says that they can’t read your GMail by opening your Mail app since that is not stored on your phone – or maybe it is.  The way they have decided to deal with that is either CBP agents will ask you to put the phone in Airplane mode or if they don’t trust you to do that, they will do it for you.

Unless they have reasonable suspicion – whatever that means.  Then they can use advanced search techniques – which I assume means that they can use forensic tools.

They can ask you for your passcode and detain a device that is encrypted (and, I assume, that you won’t decrypt).

The document also says that agents should take care not to make changes to the device.  I assume that the first thing someone would say if CBP claims they found something incriminating is that it was planted.  Advanced searches should be done in the presence of a supervisor, if available.  Searches should also be done in the presence of the device owner unless there are reasons not to allow this.

If the device owner says that information on the devices is protected by attorney-client privilege, the agent is supposed to ask for clarification as to what specific files or folders contain that information.  Prior to searching  those folders, the agent has to contact the CBP assistant chief counsel, who will coordinate with the U.S. Attorney’s Office on how to proceed.  While they will still search that information, they will segregate it so that it might, possibly, be better protected.

At the completion of the CBP review, any copies of information will be destroyed unless they need to be preserved in accordance with a litigation hold.

All of this process needs to be documented on specific CBP forms.  That alone will probably discourage agents from poking around.  Filling out government forms is no fun.

Business confidential and trade secret information needs to be protected as well.

All of that information can still be shared with other agencies as long as they have processes in place to protect it – undefined processes.

If they ask for your passcode and you give it to them, they may keep those passcodes in case they need them later.  Another reason not to reuse passwords.

If the device owner will not unlock the device, CBP can try to break into it.

Officers may detain devices and/or information on them for a reasonable period, usually 5 days, but that can be extended for a week at a time with approval, if needed.

If CBP keeps your device, they need to give you a receipt.

If CBP needs to get assistance from another agency for breaking into the device or evaluating the information on it, they need to get a supervisor’s approval and they need to tell the owner unless the purpose for sharing is counter-terrorism related.

So what should you do?

That kind of depends on your level of paranoia and what is stored on your device.

In general, try to avoid taking sensitive or embarrassing information across the border.  For many companies, that means issuing burner phones and burner laptops (this is actually a more common practice than you might think).  Upload encrypted data to the cloud before crossing the border in any direction and wipe and overwrite the files off the local device.

If CBP retains the device or takes it out of your sight, depending on your level of paranoia and the sensitivity of your mission, assume the device is compromised or bugged and treat it accordingly.

Mostly, it depends on your view of what is on the device and how much you trust or distrust the government.

Given the government’s inability to keep much of anything confidential, I would not assume that the government should be counted on to protect anything that they observe or copy.  This is not because they are evil, but because they are part of a large bureaucracy.  Large scale operations have some benefits, but privacy is not one of them.

Overall, it is a good, small, step forward that they have documented these rules, but there are a lot of loopholes in them.

Remember that this is coming from someone who is way more paranoid than the average bear, so take that into consideration.

Information for this post came from CBP and CNN.

Can Border Agents Search Your Phone?

Bloomberg published a brief on the issue of border searches that was written for them by the international law firm of Morrison Foerster.

Given that lawyers wrote the piece, their concern is about protecting attorney-client confidential information at the border, but the subject applies to everyone.

According to Customs and Border Protection (CBP), they searched 4,444 cell phones in 2015 and 23,877 phones in 2016.  We don’t know if the shape of that curve will continue, but if it does, that would forecast over 100,000 phone searches in 2017.

Even if that curve is correct, that still is a tiny percentage of all of the people (and phones) that enter the U.S. in any given year, so the odds of you being chosen would seem to be very low.

Border agents searching phones is certainly not limited to the U.S. but statistics for other countries are not available.

According to Morrison Foerster, courts have held that, under U.S. law, CBP and Immigration and Customs Enforcement (ICE) agents may ask to search electronic devices at the border and may request individuals to disclose their password so they can conduct the search.  My definition of request includes the ability to decline.  I do not think their definition of request includes that option.

The courts have further said that they can conduct a manual search of any electronic device without a warrant and without reasonable suspicion.

If they want to conduct a forensic investigation (meaning using specialized software to look in the nooks and crannies of that electronic device), they must have “reasonable suspicion”.  That is defined to mean “a particularized and objective basis for suspecting the particular person stopped of criminal activity”.  This definition is not exactly crystal clear and the Supremes have not yet had the opportunity to rule on this subject.

Homeland Security, the department of which CBP and ICE are a part, did a privacy impact assessment for border searches of electronic devices in 2009 – a long time ago in tech years.

If the traveler claims that a device contains privileged material, either attorney-client or otherwise, the CBP agent must consult with either the Associate/Assistant Chief Counsel or the U.S. Attorney’s Office before doing the search.  How that helps is not really clear to me, but I would guess that it is a check and balance to make sure that they follow the rules.

ICE says that a claim of privilege doesn’t preclude a search, but that for some types of information including attorney-client privileged, proprietary business and medical information they have to use special handling – an undefined term.  Under certain limited situations, ICE policy requires the agent to contact the local ICE Chief Counsel’s office or local U.S. attorney before continuing the search.

Whether that will change anything or not is unclear and you will likely be detained until they get an answer back, which could be hours.  It is not likely to be days.

People have said that they have been detained for hours and not allowed to use their phone (which of course, if ICE or CBP took the phone would be hard anyway).

If you are one of those select few people that are asked to hand over your phone, know what your plan is.  You can decline to turn over the password knowing that you will likely be detained and eventually likely brought before a judge where you will have a chance to make your case, but understand that it is unlikely to go in your favor.

Here is what the law firm of Morrison Foerster suggests – which is not a whole lot different than what I would suggest.

  1. If you are travelling internationally, consider taking a clean smartphone and/or laptop with no sensitive data on it.  That way they can look to their heart’s content and you don’t care.
  2. If all sensitive data cannot be removed, remove as much sensitive data as possible from your phone or laptop and then overwrite the deleted files.  There is lots of software to do that.
  3. Inventory all sensitive data contained on any electronic devices that will be taken across a border.  This is a recommendation that I hadn’t thought about.  That way, if the device is searched or taken and copied, at least you know what has been compromised.
  4. Fully power down all electronic devices before passing through customs (U.S. or any other country).  This makes it much less likely that technical software will be able to snoop on the device once they power it back up.
  5. If CBP or ICE requests to search your devices, let them know if there is privileged or business sensitive information on the devices.

I might suggest a few more ideas.

A.  For extremely sensitive information consider encryption and I don’t mean transparent encryption like Microsoft Bitlocker.  Transparent encryption will hand over the data with no other restriction once they log onto the device.  There are many forms of non-transparent encryption which will not reveal data to casual observers  without additional effort.  The trade-off is that non-transparent encryption means more work for you.

B. Store data in the cloud and don’t store it locally.  If you use this, make sure that you understand the security (and insecurity) features of the software and enable features that may not be enabled by default.  Understand what controls the cloud service provider may have.  An example of how NOT to do that is to use Dropbox since Dropbox, by default, caches names and in many cases the actual files, on the computer, defeating the whole objective.

C. Talk to a computer security expert [like me 🙂 ] before you go to understand your options and the implications.  The general trade off will be security or convenience, pick one.

D. If the agent takes your computer or phone away – out of your sight – you can assume the device is now compromised.  Big companies understand this and employees are instructed to contact the security office.  Power down the device when you get it back and do not turn it back on. Hand it to corporate security as soon as possible.  Most large companies already have a plan to deal with this and will issue you new devices.  Just because you don’t see any changes does not mean there are no changes.
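One way to act on the inventory recommendation (item 3) and on item D's point that unseen changes are still changes, as an added example that is not from the original post or from Morrison Foerster: a Python script that records a SHA-256 manifest of a device's files before travel and diffs it against the device afterwards. The function names and the sample files are constructed for illustration, and the manifest is assumed to be stored somewhere other than the device itself.

```python
import hashlib
import json
import os
import tempfile

def build_manifest(root):
    """Return {relative_path: {"sha256", "size"}} for every regular file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": digest.hexdigest(),
                             "size": os.path.getsize(full)}
    return manifest

def diff_manifests(before, after):
    """Compare two manifests; return sorted added, removed and modified paths."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common
                           if before[p]["sha256"] != after[p]["sha256"]),
    }

def demo():
    """Constructed sample: a stand-in 'laptop' directory before and after a trip."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "clients"))
        sample = {"clients/contract.txt": b"privileged draft",
                  "notes.txt": b"trip notes"}
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        # Before travel: serialize the inventory; keep this copy OFF the device.
        stored = json.dumps(build_manifest(root), sort_keys=True)
        # Constructed changes made while the device was out of sight.
        with open(os.path.join(root, "notes.txt"), "ab") as fh:
            fh.write(b"!")
        with open(os.path.join(root, "helper.bin"), "wb") as fh:
            fh.write(b"\x00\x01")
        os.remove(os.path.join(root, "clients/contract.txt"))
        # After travel: re-inventory and compare against the stored copy.
        return diff_manifests(json.loads(stored), build_manifest(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The stored manifest doubles as the list of what was exposed if the device was copied. Run the comparison from a trusted system against an image of the returned device, since a clean file diff says nothing about firmware or boot-level changes.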

All of this, of course, depends on your level of paranoia.  If there is protected information on the device, you now need to decide if you have a security breach and if that breach is reportable under state laws.  Talk about a catch-22.  Contact legal counsel to help you  make this decision.  I suspect that if you talk to two lawyers about this subject, you will get three opinions – at least.

Clearly, the easiest answer is to minimize the amount of data and devices that you take across the border.

If you are worried about data being DELETED in this process, then definitely securely upload the data in real time (as close to the point of creation as possible). For example, if you are an investigative journalist and are worried about your data and sources, this would be my recommendation no matter what.  If the data is encrypted prior to upload, you control the encryption key and that key is not stored on the device, then this will provide the maximum protection.

Welcome to today’s world – not always simple.

Still, the odds of you having to fork over your device are low.  Unless you are that person who gets picked.

Information for this post came from MoFo’s web site.