China Travel

SECURITY BEST PRACTICES FOR TRAVEL TO CHINA

How to Get It Right

When traveling to China, the standard approach is to provide “burner” laptops and phones, then remove and destroy the drive upon return to the U.S. Agio understands the U.S. Government does not allow mobile devices and laptops to be used by officials traveling to a number of regions including China. The following recommendations have been compiled by our cybersecurity team and are meant to act as a best practices reference for you and your users.

Phone Considerations
  • Assume all conversations are being intercepted.
  • If in a particularly sensitive meeting, power off phone and remove the battery.
  • Take only the burner phone into the country – do not take your “real” phone.
  • Disable Bluetooth and wireless, and leave them off permanently (i.e., no Bluetooth earpieces, etc.).
  • Use a complex password/PIN to log in to the phone.
  • Do not use a phone purchased in the country.
  • Disable the camera if not needed and/or place a piece of black tape over the lenses when not in use.
  • Remember that commercially available anti-malware applications/programs will not catch nation-state malware.
Laptop Considerations
  • Do not store any sensitive or critical data locally on the machine. Take only the data you need. Keep a backup at home of any data you take with you.
  • Use full disk encryption. (Be advised that there are some export/import restrictions on encryption technology.)
  • Do not configure auto-connection or automatic login for any applications.
  • Use a host-based firewall and configure it to allow a small set of defined trusted outbound connections.
  • Do not type in usernames or passwords while using the laptop – store them on an encrypted USB drive and copy/paste them into login forms. This will keep key loggers from being able to see your credentials.
  • Update all software before you leave. Do not perform any software updates while traveling. Some malware disguises itself as common software updates.
Admin Credentials
  • Ensure the administrators setting up the laptop use different credentials than their normal admin credentials. If physical access to the device is gained, the cached/local admin credentials can be compromised.
  • Use a complex password to log in to the laptop.
  • Do not configure the laptop to use the same login as your normal laptop or domain.
  • Disable Bluetooth and wireless and leave them off permanently – no Bluetooth keyboards, etc. If possible, physically remove the adaptors.
  • Install only necessary applications – keep things to the absolute minimum necessary to conduct business.
  • Disable microphone and camera when not needed and place a piece of dark tape over the camera lens(es).
  • Remember that commercially available anti-malware applications/programs will not catch nation-state malware.
  • If your users must connect via VPN – have them note connection times to check against VPN logs (Agio would check all access logs for our client’s user upon return).
  • Change all user account credentials when they return.
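
One way to carry out the VPN log check described above, as an added example that is not Agio's own tooling: it pairs connect/disconnect events for one user and flags any session that does not fall inside a connection window the traveler wrote down. The log layout, user name, addresses and the 10-minute tolerance are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: the log layout, user name and addresses are assumptions.
VPN_LOG = """\
2024-03-04T01:02:10Z jdoe CONNECT 203.0.113.10
2024-03-04T01:55:41Z jdoe DISCONNECT 203.0.113.10
2024-03-05T13:30:05Z jdoe CONNECT 203.0.113.10
2024-03-05T14:10:00Z jdoe DISCONNECT 203.0.113.10
2024-03-06T19:47:22Z jdoe CONNECT 198.51.100.77
2024-03-06T20:31:09Z jdoe DISCONNECT 198.51.100.77
"""
# Connection windows the traveler noted (UTC), also constructed.
TRAVELER_NOTES = [
    ("2024-03-04T01:00:00Z", "2024-03-04T02:00:00Z"),
    ("2024-03-05T13:30:00Z", "2024-03-05T14:15:00Z"),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def sessions(log_text, user):
    """Pair CONNECT/DISCONNECT lines for one user into (start, end, src_ip)."""
    open_by_ip, out = {}, []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != user:
            continue
        when, _, event, ip = parts
        if event == "CONNECT":
            open_by_ip[ip] = ts(when)
        elif event == "DISCONNECT" and ip in open_by_ip:
            out.append((open_by_ip.pop(ip), ts(when), ip))
    # A session that never logged a disconnect is still reported (end=None).
    out += [(start, None, ip) for ip, start in open_by_ip.items()]
    return sorted(out, key=lambda s: s[0])

def unexplained(log_text, user, notes, slack=timedelta(minutes=10)):
    """Return sessions not fully inside any noted window (+/- slack)."""
    windows = [(ts(a) - slack, ts(b) + slack) for a, b in notes]
    flagged = []
    for start, end, ip in sessions(log_text, user):
        covered = end is not None and any(lo <= start and end <= hi for lo, hi in windows)
        if not covered:
            flagged.append((start, end, ip))
    return flagged

if __name__ == "__main__":
    for start, end, ip in unexplained(VPN_LOG, "jdoe", TRAVELER_NOTES):
        print(f"REVIEW: {start} -> {end} from {ip}")
```

Any flagged session is one the traveler did not record and should be reviewed before the account's credentials are reissued.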
Other Considerations
  • Consider using a VPN with robust encryption for connection to the Internet; this will ensure your web traffic is appropriately encapsulated and will allow you to circumvent any internet censoring that may be in place. China has recently restricted some VPN software, but several VPN options still work. Set these up before you leave.
  • China restricts access to many popular sites (Google, Gmail, etc.). Think about workaround options before you leave if a site you normally access is unavailable.
  • Do not sign into your accounts on public computers at internet cafes, hotel business centers, or other locations. Do not use colleagues’ devices if you can avoid it. Even if you trust them, you cannot control what happens to their device before or after you’ve used it.
  • Restart your phone before going through customs so a PIN is required to unlock vs. thumbprint or Face ID. If possible, do not allow customs to take the device(s) to a location out of direct view or into another room.
  • Do not leave phone, laptop, or any storage device unattended. If left unattended (even in your hotel room or hotel safe), assume it has been tampered with.
When You Arrive Home
  • Wipe your phone, remove and recycle the battery, and securely dispose of the phone (shred if possible).
  • Do not connect the computer or phone to the corporate (or your home)
  • Treat the laptop as if it’s fully infected with malware – maintain strict isolation, remove/securely dispose of, and/or aggressively wipe the hard drive.

 

Note: Traditional disk sanitization methods do not work for solid state drives. Any SSD should be shredded; magnetic disks may be overwritten using a common utility like DBAN and/or degaussed.