
Dec 2017/Jan 2018

Cyber security for travelling researchers

By Daniel Winson

Losing digital research data when travelling is much more than an inconvenience. There are many compelling reasons to protect your data.

When a laptop owned by the University of Sydney containing information about students – including names, dates of birth, contact details and medical details – was lost in 2016, the outcry was understandably significant. The university declined to comment on whether the files or the disk were encrypted. A message sent to the students said the computer was password-protected, and that ‘this does not absolutely guarantee the security of the information [stored on the device]’.

The importance of protecting research data from cyber-attacks cannot be overstated. Ethical obligations, organisational policy and privacy laws all compel researchers to take this issue seriously. Also, researchers should be motivated by self-interest to avoid the hassle that comes with losing research data and the exposure that comes with research data falling into the wrong hands.

While working from the relative security of a campus or other location managed by your organisation’s IT department, it is easy to forget about these obligations. Although researchers still have a role to play in securing data at home, it’s when travelling that their behaviour has the biggest impact.

Researchers who are travelling need to be particularly aware of the relevant threats and take steps to avoid being the victim of a cyber security breach.

In February 2018, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 is expected to come into operation. This new law will apply to all entities that are currently subject to the Australian Privacy Principles under the Privacy Act 1988. Under this law, organisations must notify eligible data breaches to the Office of the Australian Information Commissioner and affected individuals as soon as practicable after the applicable entity becomes aware that ‘there are reasonable grounds to believe that there has been an eligible data breach of the entity’ (section 26WK of the Bill).

Research data stored on any type of portable device is at risk of being lost or stolen. While many organisations do an excellent job of securing their corporate notebook computers, the same is not always true for employee-supplied devices or for tablets, phones and USB storage devices. If an unsecured device containing research data is lost or stolen, it is at risk of being accessed by unauthorised people and there may be an obligation under new mandatory reporting legislation to report the loss to any person whose privacy may have been affected.

Lost or stolen devices aren’t the only threat to research data – government officials in several countries, including the US, have the right to demand travellers unlock digital devices for examination (see box p. 20). Travelling researchers are not exempt from this. If you have research data on a device you are bringing into another country, that device may be legally examined and you can be forced to hand over passwords so data can be examined and even copied by officials of that country.

While travelling, your device may need to connect to third-party networks; these networks may not be secured to an adequate standard and there is additional risk of data sent or received using these networks being intercepted or modified.

The root cause of these problems is the same: any data stored on any device in the possession of a researcher is at risk of loss or disclosure to unauthorised people. In solving this problem, the first option that must be considered is leaving the data at home. Do you really need a copy of the whole project folder? If not, leave it on the department share drive where it belongs.

If you need a computer at all, ideally it should be a ‘burner’ device that contains no sensitive information. This device can be used to securely access your organisation’s network remotely as and when research data needs to be accessed or updated. This should be the default solution whenever possible and researchers should encourage their IT departments to explore options for secure remote access via virtual private networks (VPNs) to remote desktop or virtual applications that leave no data cached on the remote device.

If remote access to your organisation’s network is impossible, you can take steps to provide a multilayer approach to security (see box). It reduces but cannot eliminate risk.

In addition to these technical controls, researchers must take all possible steps to ensure the physical security of their devices. Keeping your devices with you or locking them in a safe is a good idea. If you are travelling to a country where border officials have the legal right to access your data, you are left with a real problem. Again, the best solution is not having the data on your device at all. Even if you can’t manage this as a permanent solution while travelling, you may be able to cross the border without the data on your device and then copy it via your VPN to the device from your destination. If this isn’t possible, the only alternative is using a courier service to transport the device.

Too hard? Maybe … and even with all the controls we’ve listed here, there is a risk that you’ll have your data stolen. Talk to your IT department – if they can set up a secure remote access solution for you, it will save everyone a lot of grief.


Daniel Winson is a cyber-security specialist at Think Technology.

Digital data: a multilayered security approach

 

  • Enable full disk encryption on all devices that contain research data. If you lose or someone steals your computer and you aren’t using full disk encryption, anyone can steal all your files. Unfortunately your password won’t help – an attacker who has physical access to the device can easily bypass your password or they can simply remove your hard disk and put it in a different computer to get access to your files. High-quality full-disk encryption options are available for Windows, macOS, iOS and Android – the exact steps needed to enable full disk encryption are different for each device, but there are plenty of good guides available to walk you through the process.
  • Use file level encryption on all sensitive files. In addition to encrypting your full disk, you should consider individually encrypting files. A good starting point is making use of the encryption options built into Microsoft Office. Simply navigate to File/Info/Protect Document and select ‘Encrypt with Password’. Once you’ve finished encrypting the files, you should run the Disk Cleanup tool to ensure unencrypted temporary files have been removed.
  • Use remote management software to remotely wipe a device if it is lost or stolen. If you use an iPhone or iPad and your device is lost or stolen, you should use iCloud.com to remotely wipe your device to ensure data can’t be accessed. A similar tool is available through Android Device Manager for Android devices. A range of third-party applications offer the same feature on Windows and macOS.
  • Patch your devices. Malware with the potential to steal, delete or encrypt your data generally makes use of known vulnerabilities. Software vendors are constantly releasing patches to fix these bugs and you should ensure you take an active approach to applying these patches. At your organisation, this is usually managed by your IT department; if you’re travelling, you need to make sure that the patches still get applied.
  • A virtual private network (VPN) should be used to create an encrypted tunnel to a secure location before accessing any corporate resources or the internet. (Note: President Putin has recently passed legislation that makes the use of VPNs in Russia illegal.) While there is a range of low-cost consumer-oriented VPN services you could use, a better option would be working with your IT department to create a private tunnel back to your organisation – not only will this provide you with increased security and privacy while browsing, it will provide you with access to files and programs hosted on the corporate network, which should reduce the need to store sensitive information on your local device.
  • Make secure back-ups of all data that is created or modified while travelling. Ideally these will be back-ups to a secure remote location via a VPN. If the only option available is USB back-ups, these should be encrypted and stored in a separate location to the primary device. If you are using cloud-based storage services such as Google Drive or Dropbox, you rely on their encryption, but you should take the extra steps needed to enable two-step verification, which requires an extra code that is texted to your phone to access the account.

How to protect your private data when you travel to the United States

On 30 January 2017 – three days after US President Donald Trump signed an executive order restricting immigration from several predominantly Muslim countries – an American scientist employed by NASA was detained at the US border until he relinquished his phone and PIN to border agents. Travellers are also reporting border agents reviewing their Facebook feeds, while the Department of Homeland Security considers requiring social media passwords as a condition of entry.

Intimidating travellers into revealing passwords is a much greater invasion of privacy than inspecting their belongings for contraband.

Technology pundits have already recommended steps to prevent privacy intrusion at the US border, including leaving your phone at home, encrypting your hard drive and enabling two-factor authentication. However, these steps only apply to US citizens. Visitors need a totally different strategy to protect their private information.

The problem

Giving border agents access to your devices and accounts is problematic for three reasons.

  1. It violates the privacy of not only you but also your friends, family, colleagues and anyone else who has shared private messages, pictures, videos or data with you.
  2. Doctors, lawyers, scientists, government officials and many business people’s devices contain sensitive data. For example, your lawyer might be carrying documents subject to attorney–client privilege. Providing such privileged information to border agents may be illegal.
  3. In the wake of revelations from Chelsea Manning and Edward Snowden, we have good reason to distrust the US government’s intentions for our data.

This problem cannot be solved through normal cybersecurity countermeasures.

Encryption, passwords and two-factor authentication are useless if someone intimidates you into revealing your passwords. Leaving your devices at home or securely wiping them before travelling is ineffective if all of your data is in the cloud and accessible from any device. What do you do if border agents simply ask for your Facebook password?

And leaving your phone at home, wiping your devices and deactivating your social media will only increase suspicion.

What you can do

First, recognise that lying to a border agent (including giving them fake accounts) or obstructing their investigation will land you in serious trouble, and that agents have sweeping power to deny entry to the US. So you need a strategy where you can fully cooperate without disclosing private data or acting suspicious.

Second, recognise that there are two distinct threats:

  1. border agents extracting private or sensitive data from devices (phone, tablet, laptop, camera, USB drive, SIM card etc.) that you are carrying
  2. border agents compelling you to disclose your passwords, or extracting your passwords from your devices.

Protecting your devices

To protect your privacy when travelling, here’s what you can do.

First, use a cloud-based service such as Dropbox, Google Drive, OneDrive or Box.com to back up all of your data. Use another service like Boxcryptor, Cryptomator or Sookasa to protect your data so that neither the storage provider nor government agencies can read it. While these services are not foolproof, they significantly increase the difficulty of accessing your data.

Next, cross the border with no or clean devices. Legally purchased entertainment should be fine, but do not sync your contacts, calendar, email, social media apps or anything that requires a password.

If a border agent asks you to unlock your device, simply do so and hand it over. There should be nothing for them to find. You can access your data from the cloud at your destination.

Protecting your cloud data

However, border agents do not need your device to access your online accounts. What happens if they simply demand your login credentials? Protecting your cloud data requires a more sophisticated strategy.

First, add all of your passwords to a password manager such as LastPass, KeePass or Dashlane. While you’re at it, change any passwords that are easy to guess, easy to remember or duplicates.

Before leaving home, generate a new master password for your password manager that is difficult to guess and difficult to remember. Give the password to a trusted third party such as your spouse or IT manager. Instruct him or her not to provide the password until you call from your destination. (Don’t forget to memorise their phone number!)

If asked, you can now honestly say that you don’t know or have access to any of your passwords. If pressed, you can explain that your passwords are stored in a password vault precisely so that you cannot be compelled to divulge them, if, for example, you were abducted while travelling.

This may sound pretty suspicious, but we’re not done.

Raise the issue at your workplace. Emphasise the risks of leaking trade secrets or sensitive, protected or legally privileged data about customers, employees, strategy or research while travelling.

Encourage your organisation to develop a policy of holding passwords for travelling employees and lending out secure travel-only devices. Make the policy official, print it and bring it with you when you travel.

Now if border agents demand passwords, you don’t know them, and if they demand you explain how you cannot know your own passwords, you can show them your organisation’s policy.
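
A sketch of the master-password step above, added here as an illustration and not part of the original article: it draws the password from the operating system's random source and groups it so the person holding it can read it back over the phone. The look-alike-free alphabet, the 128-bit strength target and all function names are assumptions of this example.

```python
import math
import secrets

# Assumption for this example: leave out look-alike characters (0/O, 1/l/I)
# so the holder can read the password from a printout without mix-ups.
ALPHABET = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
TARGET_BITS = 128  # assumed strength target, not a figure from the article


def required_length(bits=TARGET_BITS, alphabet=ALPHABET):
    """Smallest length whose uniform random choice gives at least `bits` of entropy."""
    return math.ceil(bits / math.log2(len(alphabet)))


def generate_master_password(bits=TARGET_BITS, alphabet=ALPHABET):
    """Draw every character independently from the OS CSPRNG via `secrets`."""
    length = required_length(bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password, alphabet=ALPHABET):
    """Entropy of a uniformly random password of this length over `alphabet`."""
    if any(ch not in alphabet for ch in password):
        raise ValueError("password contains characters outside the alphabet")
    return len(password) * math.log2(len(alphabet))


def for_dictation(password, group=4):
    """Split into short groups so it can be read back block by block."""
    return " ".join(password[i:i + group] for i in range(0, len(password), group))


def from_dictation(spoken):
    """Rebuild the password from the grouped form written down during the call."""
    return "".join(spoken.split())


if __name__ == "__main__":
    pw = generate_master_password()
    print(for_dictation(pw))                 # hand this form to the trusted party
    print(f"{entropy_bits(pw):.1f} bits")    # strength of the generated password
```
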

This may all seem like an instruction manual for criminals, but actual criminals will likely just create fake accounts. Rather, I believe it’s important to provide this advice to those who have done nothing illegal but who value their privacy in the face of intrusive government security measures.

Paul Ralph, Senior Lecturer in Computer Science, University of Auckland. First published at www.theconversation.com.
