This Week in Security: Border Searches, Insecure Journalists, and Quantum Computers

CBP Updates Electronic Device Search Guidelines

The U.S. Department of Customs and Border Protection (CBP), charged with border inspections and other duties, have released updated guidelines on searches of traveler’s devices when crossing the U.S. border. While the border itself is notorious for being a place where the Fourth Amendment doesn’t fully apply, the sheer magnitude of data available on electronics subject to search has brought increased scrutiny to border searches.

The updated guidelines describe some specific practices and limitations of border searches involving electronic devices. For example, “Basic” searches may be conducted with or without suspicion, and must be done in view of the device’s owner. Basic searches are described as not involving external devices being connected to the device being searched, and only involving information that would be normally accessible manually interacting with the phone. Meanwhile, “Advanced” searches involve using devices external to the phone to access and copy information.

The policy also clarifies that searches should be limited in scope only to information resident on the device itself, rather than anything stored in a cloud service accessible from the phone. Regarding passwords, screen locks, encryption and other privacy-preserving tools, the searching agent may ask the traveler for assistance in unlocking the device. If an officer is “unable to complete an inspection of an electronic device” due to such a security measure, then the device may be detained.

While this may seem like a “reigning in” of border searches to some, the reality is that the CBP itself reports a 59% increase in searches of electronic devices from 2016 to 2017, with a total of 30,220 electronic device searches in 2017. It seems likelier that these guidelines are more about streamlining the searching process rather than limiting its privacy impact, and that the CBP foresees electronic device searches becoming a much more common activity.

While much has been speculated about the best way to maintain your digital privacy at the border, it’s a complicated issue. The short and incomplete recommendation we can give is to simply not have sensitive information resident on any devices you cross the border with. This could mean downloading files from cloud storage only once past the border, or perhaps having separate devices just for traveling.

Journalists Still Lacking in Digital Security

Effective digital security training is no easy task, but safely using technology is an increasingly crucial skill for journalists. Journalists handle all kinds of digital information when researching stories, and often need to preserve confidentiality of both the material they have, as well as their sources who may be placing themselves in extreme danger for simply speaking to journalists.

With extensive documentation of digital attacks on journalists, as well as the non-digital threats journalists face, digital security is quickly becoming a mandatory skill for all journalists.

In response, many schools have begun incorporating digital security training into their programs. However, there is still much left to be desired. Many schools do not offer any digital security training, and even fewer make it mandatory. Of the schools that do offer digital security training, most devote fewer than two hours to it, meaning actual retention of the material is unlikely. However, many of the schools that do offer training integrate it into their usual coursework, rather than as a separate workshop, moving towards holistically educating in digital security skills.

This a great way to normalize digital security concepts as core to journalistic work, rather than as an extra elective course the especially nerdy students take.

WPA3 is On the Way!

Wi-Fi Protected Access II (WPA2) has been the standard for secure WiFi for years, but it has finally begun showing some weakness with the KRACK attack. To address the weaknesses of WPA2, and provide improved features, the WiFi Alliance has announced the latest version of the WPA standard, WPA3.

Expected to be available mid-2018, WPA3 brings some new features to WiFi. For example, many wireless internet of things (IoT) devices don’t have a display, making initial network configuration a bit awkward. WPA3 adds support for configuring these devices wirelessly with another WiFi-connected device, streamlining this step.

For security, WPA3 vastly improves open WiFi security, providing Individual Data Encryption for clients. This way, even networks that aren’t access-controlled with a passphrase can enjoy encrypted communications, preventing easy WiFi sniffing attacks. There are also changes to mitigate brute-force attacks, and provide more security for even short passphrases. Keep an eye out for WPA3-compliant hardware and software!

Actually, 49 is a Pretty Big Number

Intel unveiled at CES that they have a functional 49-qubit quantum test processor. But what does that mean beyond being a milestone to hype in a keynote? Most people are aware by now that the fundamentally different mechanics quantum computers use mean they can tackle certain problems so complex that classical computers aren’t worth using to solve them. For example, cryptographic schemes whose security relies on the difficulty of factoring integers on classical computers are vulnerable to quantum computers.

First, this solidifies Intel as a serious competitor in the quantum computing game. Second, this number of qubits is around the threshold for when simulations of quantum computers on classical computers are unreasonable, meaning you need an actual quantum computer.

While the chip is impressive, the biggest contribution is likely the techniques involved in the construction and operation of the chip, rather than the computations the chip itself can perform. However, this is quickly approaching hardware that would be useful for niche research purposes, like simulating chemical interactions.

As for cryptography, some highly technical work suggests that it will require a quantum computer with thousands of physical qubits before even the weakest vulnerable schemes are broken. Nothing to lose sleep over, but a good motivator to continue work on post-quantum cryptographic schemes. Once these computers can crack something like RSA-1024, we’ll want to have multiple secure post-quantum schemes, and implementations of them, that are as adopted and mature as RSA is now. Until then, you can experiment with a quantum computer IBM makes freely available on the web!