Summer travel and cybersecurity concerns

With summer break quickly approaching, whether it's for business or pleasure many of us will take advantage of the warmer weather and hit the road. Inevitably, we'll bring our electronics along: laptops, smartphones, USB drives, and possibly many others. Traveling domestically and even outside the U.S. or its territories with electronic devices presents risks, including:

1. Loss, theft, or seizure of devices, data, and login credentials
2. Device infiltration or malware compromising sensitive information
3. Violations of federal regulations.

We have gathered some information on keeping you and your devices safe while traveling:

Personal Safety

• Register with STEP: https://step.state.gov/step/ 
  • The Smart Traveler Enrollment Program (STEP) is a free service to allow U.S. citizens and nationals traveling and living abroad to enroll their trip with the nearest U.S. Embassy or Consulate.
• Register your travels with UArizona, The UA International Travel Registry provides a centralized system for international travel information and registration​​​​​.
  • https://ua-risk.terradotta.com/
• As a first step in planning any trip abroad, check the Travel Advisories for your intended destination.
  • https://travel.state.gov/content/travel/en/traveladvisories/traveladviso...
• Be Aware
  • Safety really begins with awareness – awareness of your surroundings, but also awareness of yourself and your behavior in a public place.
• Be Vigilant
  • Be vigilant – establish boundaries, observe your environment, be aware of people around you, trust your intuition
• Blend in
  • Don’t wear/carry flashy jewelry or expensive electronics.
  • Wearing your College of Medicine gear will make you stick out as a foreigner and a college student.
• Don't do it alone
  • Do not go out alone at night, and don’t leave your friends alone. Travel in groups of 3-5 people.

Device Safety

To reduce the potential for data and identity theft, the University recommends that individuals traveling abroad take a loaner or “clean” laptop/device, and ensure that other devices do not carry university data or login information to access that data.

Before your trip:

• Travel light:  Don't need it? Leave it at home!  This includes laptops, tablets, cell phones, USB thumb drives, and cameras with flash media capability.
• Get a loaner:  Take a loaner laptop with you on your trip, if your department can provide this, and request that it be encrypted.
• Travel with "clean" devices:   You should not travel with restricted data unless it is absolutely required.  To remove the sensitive data:  
  • Backup the data to a secure location (consult with your local IT support).
  • Remove sensitive data completely and securely from your device (consult with COM-IT support https://comhelp.arizona.edu on methods for secure data removal).
• Erase history, including, browser history, especially saved passwords. 
• Use strong passwords and device timeouts:  Set up strong passwords for all accounts, and set your device to "time out" when idle.
• Set up a wipe: Consider setting the device to “wipe” the device’s content after 10 incorrect login attempts. 
• Go disposable:  If you require a cell phone while overseas, consider purchasing a “burner” or disposable phone in the destination country. 
• Clean other mobile devices, too:  If you must take your cell phone or tablet with you, securely erase all sensitive data, including stored passwords.  
• Encrypt devices:  All devices, whether University-owned, personal, or “loaners,” should be encrypted.  
  • Consult with your local IT support for appropriate encryption applications.  
  • Contact your cell phone provider for encryption options.
• Install Antivirus Software and keep it up-to-date on all devices.  
• Update all operating systems and applications. If you no longer need an application, uninstall it.  
• Use the UA Virtual Private Network (VPN):  UA’s AnyConnect VPN provides a secure connection, and can bee Internet.  The VPN can be used on Windows, Mac and Linux platforms, and mobile devices.
• If available, use eduroam for wireless service:  eduroam is a consortium of institutions from the international education and research community that allow members to use each other's secured wireless networks by logging in with their home institution ID. The University of Arizona is a member of this consortium.  
  • Configure your device for eduroam access while on the UA campus, then test eduroam access before departing.  
  • Check the eduroam international map for availability.
• Use 2-Factor authentication for any account where it is available. 
• PLAN AHEAD TO USE UA's NETID+ DURING YOUR TRAVELS: There are several ways that you can use two-factor authentication while traveling (especially internationally) that won't break your bank with roaming charges, or put your mobile device at risk, but it requires some action prior to traveling.  Recommended methods for NetID+ when traveling are:
  • Use Bypass Codes:  The easiest and most cost-efficient (free) 2nd factor method is to generate and use bypass codes.  You can download Bypass Codes in groups of 10 at a time.  Store these in a secure place while you're traveling.  When you are up to the 9th bypass code, login to your NetID+ Management Console again, and generate 10 more codes.  Instructions for generating and using bypass codes can be found on UA's IT website. 
  • Purchase a Yubikey hardware token:  Yubikeys plug into USB ports on your computer, and can generate a code for your second factor of authentication.  You will need to configure your Yubikey prior to logging in with it.  NOTE:  Yubikey 4, Yubikey 4 Nano and Yubikey Neo will all work with NetID+. 

During your trip:

• Use the lowest possible privilege level:  While traveling, do not use an administrator account as your primary account.  Running as a non-administrative user will defeat a significant number of malware and browser exploits, because your computer is less likely to allow software, including malware, to be installed without you (1) clicking "install" and (2) typing your administrative password.  
• “Opt out” of automatic connections:  In most countries, you have no expectation of privacy in Internet cafes, hotels, airplanes, offices, or public spaces.  All information you send electronically can be intercepted, especially wireless communications.
  • Turn off “join wireless networks automatically” on all of your mobile devices (computers, tablets, mobile phones, etc.).
  • Always manually select the specific network you want to join, only after confirming its name and origin with the provider. 
  • Turn off wireless and Bluetooth, when not actively being used.
• Use care when using a “public” device:  Do not log into sensitive accounts (e.g., bank accounts) when using publicly available computers.  Be aware that keyloggers, “shoulder surfing” and cameras pointed toward keyboards are common ways that credentials are compromised.
• Keep track of what credentials you use while traveling:  Whether you sign into personal or University accounts while traveling, keep track of the services you've accessed. If you are on an extended trip, change your credentials periodically, and only while connected to a secure network (e.g., eduroam, UA VPN).  Never use the same password for multiple services.
• Keep your technology with you:  Do not leave electronic devices unattended. All items should be stored in your carry-on luggage, and within reach at all times.  Conceal your devices when they are not with you.  
• Clear your Internet browser after each use:  Delete history files, caches, cookies, and temporary internet files. 
• Report when something goes wrong:  If your phone or laptop is stolen, report the theft immediately to the following:  
  • The local US Embassy or Consulate
  • Your department head
  • COM-IT support  

For up to date and detailed information please visit: https://security.arizona.edu/content/security-guidelines-international-t... "Information Security Guidelines for International Travel"

Technology Restrictions (Encryption)

Several countries including China, Israel, and Russia restrict the import of encrypted devices and software and in some cases, the export of encryption software requires U.S. government authorization. Consult with export@arizona.edu(link sends e-mail) well in advance of your trip if you are planning to take University equipment, data, or technology outside of the United States. There are special rules for bringing electronic equipment, research, and intellectual property.

Need a loaner?

If you are planning a business trip let us know through https://comhelp.arizona.edu and let us know that you would like to see if a loaner is right for you. 

Resources:

• Information Security Office: Security Guidelines for International Travel
  • https://security.arizona.edu/content/security-guidelines-international-t...
• International Travel UArizona
  • https://global.arizona.edu/travel
• Financial Services Travel UArizona
  • https://www.fso.arizona.edu/travel
• Research,Innovation, &Impact Travel 
  • https://research.arizona.edu/administration/build-budget/budget-categori...