Educause Security Discussion mailing list archives

Re: Recent experience traveling China

From: "Rajewski, Jonathan" <rajewski () CHAMPLAIN EDU>
Date: Fri, 4 Mar 2016 09:02:36 -0500

It's all about your comfort level of risk. What can you try to stop/detect
- hardware implants vs malicious software etc. The former is far more
difficult to detect without physical inspection pre/post trip.

Encrypt anything that is going over there using proven security
technologies. Laptops/phones/removable media. Use UEFI secure boot. Patch
everything etc. The harder you make it to compromise the better.

I agree with those that said to bring new technology with them that can be
disposed of when they return. While the people traveling abroad may or may not
be high-value targets, those back at your college may be - so a motivated
attacker would compromise the low-hanging-fruit systems abroad only to use
them as a mechanism to then attack your home network when they plug back in
stateside. The fear is you may or may not have the tools to detect this
when they get back. The concept of issuing 40 new devices may not be
practical, so the next best thing could be to tell those going abroad that
you will be wiping / reinstalling the machine when they return (if it's a
college asset). If you choose that route, I would ensure you have a plan in
place to really do this (logistics etc.).

Another option (depending on your comfort level) is to install agents on the
machines you are sending to China that would detect system changes - so I'm
thinking Carbon Black/Bit9 and/or Cylance etc. I would also advise
grabbing a forensic image before they leave, and another when they return.
A good analyst should be able to detect changes that would indicate malware
was/is on the machine.

Using a prepositioned trusted VPN with proper user training is also a must.
The issue is if they leave an unencrypted laptop at the hotel, VPN creds
can be taken and a keystroke logger could easily be installed. Also when
they VPN back to the college, ensure you are logging NetFlow and anything
else that you can use to detect a compromise from abroad (see the
presentation from NSA's TAO at the USENIX conference on why this is important:
https://www.youtube.com/watch?v=bDJb8WOJYdA); ensure you have that traffic
segmented and not on a flat connection into the enterprise.

That all said, it really comes down to your comfort level of risk. Please
let me know if you have any questions.

On Thu, Mar 3, 2016 at 3:36 PM, Don M. Blumenthal <dmb () donblumenthal com> wrote:

Sorry. I clicked Send when moving my cursor to edit what I had written.

================


From what I understand, security and access issues will vary by where
someone is in China. I had no problem with VPN in Beijing, but that was a
couple of years ago.


As long as Shawn mentioned them, based on experience, direct or from
others in an organization that I work with, the State Department warnings
are legitimate. Some of the physical surveillance was comically obvious
(guy with a telephoto lens behind a potted something-or-other plant), so I
assume that other more subtle activities were going on. A colleague caught
two men in his hotel apparently checking his computer for files.


My company told employees to leave Macs at home and issued 7" notebooks
that we were to keep with us at all times. That was a failure (and the
colleague above ignored "keep it with you.") I scrubbed an ancient (10+
years) laptop and put Linux on it. All security-savvy people that I spotted
had Chromebooks or PCs with Linux. All data was on portable storage, with
any auto backups directed to those drives or disabled.


Branching into personal safety of a kind, travelers should have at least
surgical or gardening masks to give some protection from air pollution in
the major cities. It was brutal in Beijing. I know that this point is way
beyond the scope of the question, but the thread skated past VPNs awhile
back. :)


Don

*From:* Shawn Merdinger
*Received:* 3/3/2016 1:14:03 PM -05:00
*To:* SECURITY () listserv educause edu
Clearly a challenging environment.

A few US Gov't resources...not that anything official will provide
clear answers or solutions.

http://travel.state.gov/content/passports/en/country/china.html

"Surveillance and Monitoring: Security personnel carefully watch
foreign visitors and may place you under surveillance. Hotel rooms
(including meeting rooms), offices, cars, taxis, telephones, Internet
usage, and fax machines may be monitored onsite or remotely, and
personal possessions in hotel rooms, including computers, may be
searched without your consent or knowledge. Security personnel have
been known to detain and deport U.S. citizens sending private
electronic messages critical of the Chinese government."


https://www.fbi.gov/about-us/investigate/counterintelligence/student-brochure

Several tips, but imho the most important:

"In most countries, you have no expectation of privacy in Internet
cafes, hotels, airplanes, offices, or public spaces. All information
you send electronically (fax, computer, telephone) can be intercepted,
especially wireless communications. If information might be valuable
to another government, company or group, you should assume that it
will be intercepted and retained. Security services and criminals can
track your movements using your mobile phone and can turn on the
microphone in your device even when you think it is turned off."

Cheers,
--scm

On 3/3/16, Nasir Hakeem wrote:
Our group has 2 options, one is the OpenDNS client that is tied to Umbrella
(uses our approved DNS IPs anywhere reachable) and second we have our
standard Cisco VPN service. Have not had any reported issues with users
outside the US. This includes China and the Middle East.

Nasir Hakeem | Sr. Systems and Network Administrator

Sent via a mobile device

On Mar 3, 2016, at 8:56 AM, Hudson, Edward
<>> wrote:

Tread carefully. We have had experiences with university personnel traveling
to China and using "purchased" VPN clients which are malware-laden.
We tend to encourage taking a loaner device, stripped down to bare
essentials and no sensitive data. Also there are potential ITAR issues with
encryption.

Ed Hudson, CISM
Director, Information Security
California State University
Office of the Chancellor

401 Golden Shore
Long Beach, CA 90802
Tel 562-951-8431
ehudson () calstate edu

On 3/3/16, 8:40 AM, "The EDUCAUSE Security Constituent Group Listserv on
behalf of Emily Harris" <> on behalf of emharris () VASSAR EDU> wrote:

All:

Vassar has about 40 people taking a trip to China and we are attempting to
advise them on a number of issues, including maintaining a safe and secure
computing posture while abroad.

We are a Google school, and as you know, China blocks access to Google
applications. I am wondering if anyone on the list has recent experience
traveling to China and using their own institutional VPN. An article I read
recently indicated that China is cracking down on corporate VPNs and many of
them do not work. Can anyone speak to experience in this realm? We are
weighing our options for recommendations to these 40+ people. Thank you!

--
Emily Harris
Interim Information Security Officer, CIS
Vassar College
845-437-7221

-- 

Jonathan T. Rajewski, MS, CCE, EnCe, CISSP, CFE
Assistant Professor, Digital Forensics, Champlain College
Director/Principal Investigator, Senator Patrick Leahy Center for Digital
Investigation (LCDI)
Digital Forensic Examiner, Vermont Internet Crimes Task Force

Champlain College
163 South Willard Street
Burlington, VT 05401
Office: +1 802-865-5460
Google Voice - +1 802-318-4804
@jtrajewski

Rajewski () champlain edu
Jonathan.rajewski () leo gov

PGP Public Key: Located on keyserver.pgp.com
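The pre-trip/post-trip comparison Jonathan recommends (image the machine before departure, image it again on return, and have an analyst look for changes), as an added example that is not code from the thread or from any of the posters: a small Python script that records a size-and-SHA-256 manifest of a file tree and diffs two manifests. Pointed at mounted pre-trip and post-trip images it gives the analyst a list of added, removed and modified files to start from. The directory layout, file contents and "post-trip" changes in `demo()` are constructed for the demonstration; nothing here is a real indicator.

```python
"""Baseline-and-compare check for a travel laptop.

Added example, not from the list thread. Record a manifest of every file's
size and SHA-256 before the device leaves, record another when it returns,
and diff the two. The constructed files below stand in for two mounted
forensic images.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk `root` and return {relative_path: {"size": int, "sha256": hex}}."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # hash real files only; links are recorded via their target
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"size": path.stat().st_size, "sha256": digest.hexdigest()}
    return manifest


def diff_manifests(before, after):
    """Compare two manifests; each result list is sorted by relative path."""
    before_keys, after_keys = set(before), set(after)
    return {
        "added": sorted(after_keys - before_keys),
        "removed": sorted(before_keys - after_keys),
        "modified": sorted(
            p for p in before_keys & after_keys
            if before[p]["sha256"] != after[p]["sha256"]
        ),
    }


def save_manifest(manifest, path):
    """Persist the pre-trip manifest off the device (JSON, sorted for stable diffs)."""
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Simulate a trip with constructed files and return the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = Path(tmp) / "disk"  # constructed stand-in for a mounted image
        (disk / "etc").mkdir(parents=True)
        (disk / "tmp").mkdir()
        (disk / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (disk / "etc" / "ssh_config").write_text("Host *\n")
        (disk / "notes.txt").write_text("packing list\n")
        baseline_path = Path(tmp) / "pre-trip.json"
        save_manifest(build_manifest(disk), baseline_path)

        # Constructed post-trip state: one file altered, one new, one gone.
        (disk / "etc" / "hosts").write_text("127.0.0.1 localhost\n192.0.2.9 example\n")
        (disk / "tmp" / "unknown.bin").write_bytes(b"\x00\x01\x02\x03")
        (disk / "notes.txt").unlink()

        return diff_manifests(load_manifest(baseline_path), build_manifest(disk))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice `build_manifest` is run once against the pre-trip image mount point with the JSON stored off the laptop, and once against the post-trip image; a hash diff is only a starting point, since it says nothing about firmware, boot sectors or anything outside the mounted filesystem, which is why the thread still wants a full forensic image and an analyst rather than a file list.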
