Insights For Success

Strategy, Innovation, Leadership and Security

business

Operational security tips to safeguard your privacy when crossing a border

GeneralEdward Kiledjian1 Comment
barbed-wire-1899854.jpg

Every week I read about another traveller that is hassled at the border to turn over his laptop, tablet or smartphone and their associated passwords. Knowing that a stranger has gone through your personal “stuff” feels dirty (similar to being robbed).

A question I get asked often by readers, friends and colleagues is “How do I travel through international borders without worrying that my life will be put on show for some stranger with a badge?”. You don’t believe that this can happen; here are some interesting articles:

Operational Security 101

The work of physical security and digital (cyber) security are merging fast and you cannot have one without the other. So what is a traveler to do?

  1. Identify your sensitive data. Before travelling, conduct an extensive analysis of the data you will be crossing the border with. This doesn’t just include intellectual property or employee information but remember that once authorities have access to your email, without you present, they can figure out what social media accounts you have, they can reset your password for any site, they can build a social graph of all your contacts (using your email, instant messages and contacts), etc.

  2. Prepare a lists of vulnerabilities you are subject to? You should consider everything from device theft to authorities riffling through your personal data with no regard for privacy.

  3. Determine your risk level for each vulnerability. As long as you back up your data and your device is encrypted, then your risk after a theft is limited to the cost of replacing your device or scrambling to buy a new one while in transit. You will realize your risk level quickly rises when you consider the exponentially increasing risk of having your device analyzed at the border.

  4. Design your countermeasure plan. For each vulnerability, design a mitigation or risk minimization plan. This is what the rest of the article will talk about.

Countermeasures

Like a broken record, I will now extol the virtues of the Chromebooks and why many security professionals rely solely on these devices when security is essential. I know many of you will email me to explain why Google is evil and shouldn’t be trusted. I respect everyone’s opinion, and if you believe using Google products and services doesn’t meet your security requirements, then, by all means, choose something else.

A Chromebook is designed to be reinitialized anytime and to restore its state very quickly. Log into a device connected to a respectable network, and within minutes, you are back up and running with your apps, extensions, bookmarks and settings. Your data is stored in the cloud, and local device storage is encrypted.

Theft

If some numskull steals your device, you will have to buy a new one but at least your data is safely stored in the cloud, and there is no unencrypted data locally to expose you. I have had my device stolen on a train in Europe (on my way to speak at a conference). At my destination, I bought a Chromebook, used the store's WIFI to restore my device, and I was up and running within 30 minutes.

Border inspection

Border inspection is a different beast because they have the authority to force you to turn over your passwords. In this case, the only protection strategy is trickery.

For people crossing the border with sensitive information, I recommend that you use a Chromebook and sync everything to the cloud. Before travelling, you Powerwash the Chromebook (aka set it back to factory default) and then log into it with a dummy Google account.

This Google account should have some emails, contacts, favourites, files stored on your Google drive, etc. It should look like it is an authentic and genuine account. When your device is inspected, it will have nothing of interest, and you will not endanger your “real” data.

Once you cross the border, find a WIFI network, Powerwash your device and log in with your “real” account.

What about your smartphone

I trust the Chromebook Powerwash process enough to reuse a Chromebook that was inspected by border security but not a smartphone. Smartphones (iPhone or Android) do not have the excellent backup and recovery properties of the Chromebook. In most cases, I travel with a real fully loaded smartphone and will destroy it if it is ever taken from me. I will immediately change all my passwords and implement honeypot style detection tools to see if they attempt to exploit me.

What are these detection techniques I am talking about? Well one example is to use the Free Canary Tokens to generate different honeypots in your work environment.

Screenshot 2019-05-25 at 9.32.34 PM.png

As an example, you create an easy to find (weaponized) Word or PDF file (stored in your Google drive) and phone that sends out a beacon when it is opened. Think of these tools as motion sensors warning you that your digital being is at risk and that you need to take extraordinary measures to protect yourself.

Conclusion

An article about traveller airport border crossing security (OPSEC) can be very long, but I wanted to give you a gentle introduction. If you are a journalist, politician or senior executive at risk, hire a good security consultant to guide you. The most expensive advice is free advice.

If you are a journalist with a reputable organization working on high-risk reporting and need security advice, I am always available to provide free guidance. I believe free and open journalism is a pillar of our modern democracy.


9 most important questions to determine if a project is worthwhile

GeneralEdward KiledjianComment

George H Heilmeier was a DARPA director and developed 9 questions to help the agency determine the worthiness of project being submitted to it for funding. These 9 powerful questions as referred to as the "Heilmeier Catechism" and have become a core operating paradigm for DARPA [Defense Advance Research Projects Activity] And IARPA [Intelligence Advance Research Project Activity].

These questions are so powerful, they are used in the business world day in and day out. I first learned about these questions while having lunch with a VC in San Francisco. He explained that many of his peers also use these questions when determining the funding worthiness of a proposal.

There have been variations to the questions but I recommended sticking with the original 9:

  1. What are you trying to do? Articulate your objectives using absolutely no jargon.  What is the problem?  Why is it hard?
  2. How is it done today, and what are the limits of current practice?
  3. What's new in your approach and why do you think it will be successful?
  4. Who cares?
  5. If you're successful, what difference will it make?   What impact will success have?  How will it be measured?
  6. What are the risks and the payoffs?
  7. How much will it cost?
  8. How long will it take?
  9. What are the midterm and final "exams" to check for success?  How will progress be measured?

This is a variation on the journalists who, what, where, when, why and how strategy. Obviously answering these questions will not change the world or guarantee the success of a project. They will greatly reduce the risks you take by ensuring the key concepts are thought off and understood

Free WIFI next time you're in an Airport

GeneralEdward KiledjianComment

If you are lucky enough to travel business class then you know how how wonderful free airport WIFI is. It is a chance to download content and update social media before your flight. What if you are not travelling business? You can spend between $9.99 - $59.99 for a daypass.

Anil Polat, traveller and Computer engineer, created a simple website and smartphone app that shows an interactive map with passwords for hundreds of different airport lounges around the world.

You click on an airport and are presented with the important information (WIFI password, location to use it, etc)

This is crowdsourced so feel free to send him any passwords you come by.

You can also download the mobile phone versions:

Clean water for travel and survival (Steripen & Aquamira)

GeneralEdward KiledjianComment
Image by  Tom Hal  used under creative commons license 

Image by Tom Hal used under creative commons license 

November 2012, I wrote an article about the Steripen. The Steripen is still part of my travel kit and something I rely on regularly. If you have't read it, you should.

Why do I need to clean my own water?

The question I get asked most often is why? If you are someone that stays in nice hotels and buys expensive bottled water, you shouldn't have any issues? Wrong! Many years ago I lead a technical team undertaking a massive global IT deployment and everyone in my team got sick at the same time in Thailand. They were staying in 5 star hotels and were instructed to drink bottled water purchased from the hotel.

We enlisted the help hotel security to determine what had happened and after 2 weeks, we found the culprit. 

Hotel staff were draining the clean water from the bottles through a tiny pin prick on the bottom and replacing it with tap water.

How did my employees not notice, they snapped the water bottles open, so no one would suspect foul play. If you look under your standard 500ml water bottle, you will notice a little clump of plastic in the centre. They basically made a hole there, replaced the water and then used superglue to seal it back up.

So the moral of the story is, I don't trust bottled water anywhere. Everywhere I go, my Steripen is used to sterilize and give me peace of mind. 

Everything in 2s.

The first rule of survival is everything in 2s. You should plan to have at least a backup for every critical function. So how do you backup water sanitization? You certainly won't carry a second Steripen with you. One option is water sterilization tablets.  These are standard issue even in military survival kits because they are cheap, portable and easy to use.

Review of the Aquamira water purifier tablets

Having talked to a dozen survival experts, read hundreds of comments on various forums and product review sites and tried out a handful myself in the field, the best water sanitization tablets are the Aquamira ones (I chose tablets because the liquid version isn't travel friendly). The tablets provide the benefits of liquid chlorine dioxide in an easy to carry format.

Each tablet can purify 1 liter of water and each tablet is individually sealed. Using them is super simple:

  • Fill a canteen with 1L of water
  • wipe off excess water from rim and the outside
  • drop in a tablet
  • wait the prescribed time

Each pack provides enough tabs to purify the recommended amount of water for 1 person for 5 days. The water will have a small taste but nothing too dramatic.

If you can boil water, that is still the preferred route (rolling boil for at least a minute) but that is typically not possible during a disaster or in a hotel room.

Other tabs like Potable Aqua, MSR Aquatabs and Katadyn Micropur are as effective but the Aquamira is small but not too small and therefore easier to use and carry. 

Some survivalists recommend the use of household bleach, but bleach is messy, heavy and not practical for travel. Using pre-measured tablets is my first choice. Additionally many bleach products sold in retail are not pure and using bleach for extended periods of time is not healthy.

Over the last 2 years, I have had the honor of training with some of North America's best survival teachers and every single one of them recommended Aquamira when tablets were discussed. 

Do you use a Steripen and Aquamira?

The answer is no. My primary method of water disinfection is the Steripen. It is fast, easy and doesn't change the taste. If my Steripen fails, the tablets are my backup plan. 

Remember that neither of these will remove contaminants from water such as fuel, metal or chemicals. You have to make sure your water doesn't contain these types of contaminants otherwise you will have to use a water filter (article coming in a couple of weeks).