[SecurityRatty] tag: customs

Credit Card Protections Abroad

Fri, 10 Oct 2008 06:59:08 +0000

When you pay by credit card in a restaurant, have you ever wondered what they do with your card when they take it from you to collect payment? Although you may trust the restaurant, there’s still the possibility the waiters can write your credit card and verification number down and sell the info later.

Apparently in the UK and other European areas, this is not the case. Ira Winkler at the RSA blog recently wrote about an experience traveling and noticing other credit card customs and security -

If you are at a restaurant and pay with a credit card, they bring over a system and swipe your card in front of you. Additionally, all the credit card readers I came in contact with assumed that credit cards were smart cards with readable chips. This adds another level of security, and PINs were required as well. When I was in The Netherlands a few months ago, I couldn’t even use my American credit card on the ticket machines for their train system.

With all of the credit card fraud going on, I wonder when the US will finally get its act together and follow the European credit card security measures.

Read the full article here.

Change Your Name and Avoid the TSA Watchlist

Mon, 15 Sep 2008 09:25:21 +0000

Shhhh. Don't tell the terrorists:

The U.S. Department of Homeland Security wrote a letter to Labbé in 2004, saying he had been placed on their watch list after falling victim to identity theft. At the time, the department said there was no way for his name to be removed.
Although Labbé wrote letters to the U.S. department, his efforts were in vain, prompting him to legally change his name.

"So now, my official name is François Mario Labbé," he said.

"Then you have to change everything: driver's license, social insurance, medicare, credit card -- everything."

Although it's not a big change from Mario Labbé, he said it's been enough to foil the U.S. customs computers.

595 immigrants arrested at electronics plant

Tue, 26 Aug 2008 20:00:00 +0000

Special agents with U.S. Immigration and Customs Enforcement (ICE) have arrested approximately 595 people suspected of being illegal aliens in the U.S., some with alleged ties to identity theft, at an electronics manufacturing plant in Laurel, Mississippi.

Privacy group: US border-crossing database raises concerns

Mon, 25 Aug 2008 20:00:00 +0000

A plan by U.S. Customs and Border Protection (CBP) to collect personal information on every traveler coming into the country and keep that information in a database for 15 years could have huge privacy implications for U.S. residents, one privacy group said.

Wee-Fi: Houston-Fi, ASCII WPA Passphrases, Green Wi-Fi

Tue, 19 Aug 2008 06:26:25 +0000

Houston flips switch on free downtown Wi-Fi: Dwight Silverman of the Houston Chronicle accidentally discovers the soft launch of the network funded by EarthLink's $5m default fee. (The fee was paid when they missed a milestone, and the firm later walked away.) The downtown area now has a limited pilot project that's free; the real effort in Houston is supposed to be at 10 housing projects and in parks where service would be used to bridge the digital divide and improve the quality of life. How, exactly, is part of what's being tested.

That's ASCII, not hex: An article on wardriving raises security hackles by repeating some slightly overheated statements about Wi-Fi security. The article opens with a 63-character ASCII WPA passphrase, which is later described as "hex." (ASCII passphrases in WPA can be up to 63 "printable" characters - ASCII 32 to 127 - while a hex version of a 256-bit TKIP or AES password is 64 hexadecimal digits long.) The article tries to conflate Wi-Fi attacks that led to the largest set of breaches in retail credit-card systems and wardriving, a hobbyist activity that's never been looked on very favorably by law enforcement. The sense of ennui of wardriving pioneers is pretty clear; when Wi-Fi is everywhere and generally secured, it's far less interesting. The wardriver in the article convinced the reporter that a maximum-length WPA passphrase stored on a USB drive for automatic use was the best way to go. But, really, 20 characters containing letters and punctuation and no words found in a dictionary along with changing your network's SSID (network name) provides all the security you'll ever need for a home or small business. (If you need more, deploy WPA/WPA2 Personal.)

Green Wi-Fi's Senegal efforts hit snags: The folks at Green Wi-Fi are well motivated, and they're running up against all forms of security theater and bureaucracy both here and in Senegal, where they have an active project. The San Francisco Chronicle notes the group's effort to build solar-powered, self-sustaining Internet access via mesh networked nodes. Getting devices out of the country, clearing customs in Senegal, and hooking up their solar system all hit problems they're working through. As with the One Laptop Per Child program, I see a "build it and they will come" mentality in Green Wi-Fi's mission statement: the notion that providing computing power and Internet access will result in good things, rather than an effort to figure out what good things need to be achieved, and whether computers and the Internet will assist.

Don't put your foot in it, Mr. President

Fri, 15 Aug 2008 16:57:00 +0000

Watching the beginning of the Olympics, I was surprised to see the way President Bush was sitting.

The First Lady was on one side of him (thankfully) and a Chinese looking gentleman was on the other side. The President had his right foot resting on his left knee, thereby exposing his shoe sole. That is a huge "no no" in Asia and the Middle East.

As I said, thankfully the First Lady, Laura Bush was the recipient of the President's sole-waving but it made me wonder if he changed legs at a later stage and "flashed" the Chinese official. I figure it was a high ranking official or else he would hardly be sat next to the President of the United States.

What has this to do with security? It is one of the topics we teach to our budding bodyguards during our intensive Executive Protection course in the United States and abroad. You could have a very successful business meeting or trip, either overseas or at home, but ruin it by insulting (albeit unintentionally)a foreign guest. It is very important for those wroking around forein nationals to be aware of their customs and traditions.

This is not that difficult these days with all of the materials available. One of the best books I have found is; "Kiss, Bow or Shake Hands". This book and others like it, will advise the reader on the correct course of action to take when dealing with people from a host of different countries. Not that I expect the President to read the book, afterall, he must have Protocol officers to keep an eye on him. My question is, were they brought to China?

For the rest of us who are not lucky enough to have our own Protocol officers to keep us out of trouble, we'll just have to read the book.

Again, On Laptops and US Borders

Tue, 12 Aug 2008 07:00:00 +0000

"According to the U.S. Department of Homeland Security (DHS), Customs and Border Protection (CBP) officers can confiscate and detain travelers' laptops at the U.S. border without suspicion of wrongdoing. Laptops can be taken to an off-site location for an undisclosed period of time, during which officials may examine the computer's contents and share copies of files with other agencies. This policy applies to any other form of digital or analog storage device, including iPods, cell phones, flash drives, hard drives, and tapes." (source)

"The key to the above paragraph, of course, is "without suspicion of wrongdoing." Indeed, in the policy (PDF), DHS says (emphasis mine), "In the course of a border search, and absent individualized suspicion, officers can review and analyze the information transported by any individual attempting to enter, reenter, depart, pass through, or reside in the United States."" (source)

Fun question that was brought by someone on a security mailing list: if your employer-owned laptop is "captured" by DHS, TSA or Customs AND it has regulated information on it (CCs, SSNs, PHUI, etc), do you have to report it as "data loss"? The chances of that info being lost are definitely much, much higher now AND the control over such data is clearly not in your hands anymore... Niiiiice.

Homeland Security: We Can Hold Laptops Indefinitely!!!

Sat, 02 Aug 2008 04:50:02 +0000

The U.S. Department of Homeland Security has concocted a remarkable new policy: It reserves the right to seize for an indefinite period of time laptops taken across the border.A pair of DHS policies from last month say that Customs agents can routinely -- as a matter of course

Frequent Flyers Have More to Fear than Terrorists

Fri, 01 Aug 2008 11:12:37 +0000

The last international flight I took, I was frisked carefully when the security realized I had a laptop with me. At the time I was a student on a 6-month trip for foreign study. Today I’m taking another flight but it’s only down to LA for a friend’s wedding. I’ve been researching how much luggage I can take on board, and it’s not much, considering I regularly carry a few heavy items everywhere with me - my laptop, and my dslr camera, and naturally a book and purse.

I also came across this tidbit online — the government has granted themselves the right to take any traveler’s laptops away on international flights, even if they have no reason for suspicion. Apparently this has been in place a while but they’re finally publicizing it.

Federal agents may take a traveler’s laptop computer or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed.

Also, officials may share copies of the laptop’s contents with other agencies and private entities for language translation, data decryption or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement.

Read the full article here.

U.S. Government Policy for Seizing Laptops at Borders

Fri, 01 Aug 2008 08:21:25 +0000

Amazing. The U.S. government has published its policy: they can take you laptop anywhere they want, for as long as they want, and share the information with anyone they want.

Here's the actual policy:

Federal agents may take a traveler's laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies the Department of Homeland Security recently disclosed. Also, officials may share copies of the laptop's contents with other agencies and private entities for language translation, data decryption, or other reasons, according to the policies, dated July 16 and issued by two DHS agencies, US Customs and Border Protection and US Immigration and Customs Enforcement... DHS officials said that the newly disclosed policies — which apply to anyone entering the country, including US citizens — are reasonable and necessary to prevent terrorism... The policies cover 'any device capable of storing information in digital or analog form,' including hard drives, flash drives, cell phones, iPods, pagers, beepers, and video and audio tapes. They also cover 'all papers and other written documentation,' including books, pamphlets and 'written materials commonly referred to as "pocket trash..."

It's not the policy that's amazing; it's the fact that the government has actually made it public.

Slashdot thread. My previous essay on crossing borders with laptops, and how to protect yourself.

Although honestly, the best thing is probably to keep your encrypted archives on some network drive somewhere, and download what you need after you cross the border.