China Travel

SECURITY BEST PRACTICES FOR TRAVEL TO CHINA

How to Get It Right

When travelling to China, the standard approach is to provide “burner” laptops, then remove and destroy the drive upon return to the U.S. Agio understands that the U.S. Government does not allow officials traveling to a number of regions, including China, to use their everyday mobile devices and laptops. The following recommendations have been compiled by our Security team and are meant to act as a best-practices reference for you and your users.

Phone Considerations

  • Assume all conversations are being intercepted.
  • If in a particularly sensitive meeting, power off the phone and remove the battery.
  • Take only the burner phone into the country – do not take your “real” phone.
  • Disable Bluetooth and wireless, and leave them off permanently (i.e., no Bluetooth earpieces, etc.).
  • Use a complex password/PIN to log in to the phone.
  • Do not use a phone purchased in the country.
  • Disable the camera if not needed and/or place a piece of black tape over the lenses when not in use.
  • Remember that commercially available anti-malware applications/programs will not catch nation-state malware.

Laptop Considerations

  • Do not store any sensitive or critical data locally on the machine.
  • Use full disk encryption (be advised that there are some export/import restrictions on encryption
    technology).
  • Do not configure auto-connection or automatic login for any applications.
  • Use a host-based firewall and configure it to allow a small set of defined trusted outbound connections.
  • Do not type in usernames or passwords while using the laptop – store them on an encrypted USB drive and copy/paste them into login forms. This will keep key loggers from being able to see your credentials.

Admin Credentials

  • Ensure the administrators setting up the laptop use different credentials than their normal admin
    credentials. If physical access to the device is gained, the cached/local admin credentials can be
    compromised.
  • Use a complex password to log in to the laptop.
  • Do not configure the laptop to use the same login as your normal laptop or domain.
  • Disable Bluetooth and wireless and leave them off permanently – no Bluetooth keyboards, etc. If
    possible, physically remove the adaptors.
  • Install only necessary applications – keep things to the absolute minimum necessary to conduct
    business.
  • Disable the microphone and camera when not needed and place a piece of dark tape over the camera
    lens(es).
  • Remember that commercially available anti-malware applications/programs will not catch nation-state malware.
  • If your users must connect via VPN, have them note connection times to check against VPN logs (Agio would check all access logs for our client’s user upon return).
  • Change all user account credentials when they return.
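
The VPN check described above (travelers note their connection times, which are then compared against VPN logs) can be scripted. The following is an added example, not Agio's own tooling; the log layout, the user name `jdoe`, the function names and all sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample data. The log layout (timestamp, user=, event=, src=) is an
# assumption; adapt the parsing to your VPN gateway's real export format.
VPN_LOG = """\
2024-03-04T01:12:31Z user=jdoe event=connect src=203.0.113.10
2024-03-04T02:01:07Z user=jdoe event=disconnect src=203.0.113.10
2024-03-05T13:40:12Z user=jdoe event=connect src=203.0.113.10
2024-03-05T14:02:55Z user=jdoe event=disconnect src=203.0.113.10
2024-03-06T19:30:44Z user=jdoe event=connect src=198.51.100.77
2024-03-06T19:52:18Z user=jdoe event=disconnect src=198.51.100.77
2024-03-07T03:15:00Z user=jdoe event=connect src=203.0.113.10
"""

# Connection windows the traveler wrote down, converted to UTC (constructed).
TRAVELER_NOTES = [("2024-03-04T01:10:00Z", "2024-03-04T02:05:00Z"),
                  ("2024-03-05T13:35:00Z", "2024-03-05T14:05:00Z")]

def parse_sessions(log_text, user):
    """Pair connect/disconnect events into (start, end, src); end is None if never closed."""
    sessions, open_by_src = [], {}
    for line in filter(str.strip, log_text.splitlines()):
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("user") != user:
            continue
        when = datetime.strptime(ts, FMT)
        if kv.get("event") == "connect":
            open_by_src[kv["src"]] = when
        elif kv.get("event") == "disconnect" and kv.get("src") in open_by_src:
            sessions.append((open_by_src.pop(kv["src"]), when, kv["src"]))
    # A connect with no matching disconnect stays open-ended and is always reviewed.
    sessions += [(start, None, src) for src, start in open_by_src.items()]
    return sorted(sessions, key=lambda s: s[0])

def unexplained_sessions(sessions, notes, tolerance=timedelta(minutes=5)):
    """Return sessions not fully inside a noted window (widened by clock tolerance)."""
    windows = [(datetime.strptime(a, FMT) - tolerance, datetime.strptime(b, FMT) + tolerance)
               for a, b in notes]
    def covered(start, end):
        return end is not None and any(lo <= start and end <= hi for lo, hi in windows)
    return [s for s in sessions if not covered(s[0], s[1])]

if __name__ == "__main__":
    for start, end, src in unexplained_sessions(parse_sessions(VPN_LOG, "jdoe"), TRAVELER_NOTES):
        print(f"REVIEW: {start} -> {end or 'no disconnect logged'} from {src}")
```

Any session it reports was logged under the traveler's account but does not match a window the traveler recorded, so it should be reviewed before the account's credentials are reissued.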

Other Considerations

  • If possible, do not allow customs to take the device(s) to a location out of direct view or into another room.
  • Consider using a VPN with robust encryption for connection to the Internet – this will ensure your web traffic is appropriately encapsulated and will allow you to circumvent any internet censoring that may be in place.
  • Do not leave phone, laptop or any storage device unattended.
  • If left unattended (even in your hotel room), assume it has been tampered with.

When You Arrive Home

  • Wipe phone, remove and recycle the battery, and securely dispose of the phone (shred if possible).
  • Do not connect the computer or phone to the corporate (or your home) network.
  • Treat the laptop based on the assumption that it is fully infected with malware – maintain strict
    isolation, and remove and securely dispose of and/or aggressively wipe the hard drive.

Note: Traditional disk sanitization methods do not work for solid-state drives. Any SSD should
be shredded; magnetic disks may be overwritten using a common utility like DBAN and/or
degaussed.