Traveling With Technology

Traveling Internationally for Work

The U.S. State Department regularly issues alerts and warnings about high-risk countries. You should also review the FBI Travel Brief. The only truly secure choice is not to travel internationally with your mobile device. If you don’t need it, don’t take it with you. When traveling internationally for work-related purposes, your travel authorization will include Export Compliance questions. One of those question will be “Export Controls: Will you be traveling with a University-owned laptop computer, PDA, or Cell Phone?” If you answer “Yes” to that question, then there are steps you need to consider.

With few exceptions, NCSU faculty and staff traveling out of the country with a university-owned computer and software may utilize the Temporary Export License Exception to the Export Administration Regulations. This exception permits the export of controlled commodities (such as computers) and software as “tools of trade” for use by employees of the university. The tools of trade must remain under the “effective control” of the employee while out of the country and must be used in a lawful enterprise or undertaking of the university. This exception is good for international trips for up to 12 months.

Software used as a tool of trade must be protected against unauthorized access. Examples of security precautions to help prevent unauthorized access include but are not limited to the following:

• Use of secure connections, such as Virtual Private Network connections, when accessing IT networks for activities that involve the transmission and use of the software authorized under this license exception;
• Use of password systems on electronic devices that store the software authorized under this license exception; and
• Use of personal firewalls on electronic devices that store the software authorized under this license exception.

This exception may not be used for any travel to Iran, Syria, Sudan, North Korea, the Crimea Region of Ukraine, and Cuba (however since the normalization of relations with Cuba, there is another exception which permits carrying a computer to Cuba).

It is critically important to remember that research data stored on the computer may also be controlled for export or contain information that is proprietary to either the university, our research sponsors, or both. Before leaving on any trip, any sensitive data stored on the computer should be digitally wiped (not just erased) from the computer.

International Academic Travel and U.S. Export Controls
Export Controls Travel Briefing
In China, business travelers take extreme precautions to avoid cyber-espionage
FBI Warning on Hotel Internet Connections
US State Department Issues Worldwide Travel Caution

Personal Travel

If you are travelling internationally for personal reasons, you should not take your university-owned mobile device if at all possible. All of the university policies and data security rules all still apply to the device no matter the reason for travel. In many cases, staff and faculty are intending to work remotely while traveling and need to take the same precautions as if it was a work trip.

Traveling to China or Other High-Risk Countries

When traveling many people are primarily concerned with theft or loss of their device, but when travelling to high-risk countries (primarily China and Russia), there are further concerns, and may include things up to and including when passing through local customs:

• Copying data off of the device
• Installing malware or trojans on devices that activate once you return
• Requests for you to login so they may review the content of the device
• Persistent attacks by filtering and tampering with web traffic

For travel to High-Risk countries we would like staff and faculty to follow the following procedure:

1. Contact textiles@help.ncsu.edu at least 1 week before travel for consultation.
2. If at all possible, do not take any computing device with you. If you are making a presentation, carry a USB stick with just the materials needed for the presentation.
3. If you must take a device, TCTS can prepare a loaner laptop for you that will be encrypted, secured, and can be wiped when you return to campus.
4. If at all possible, refrain from use of campus resources (including Gmail), even over a VPN.
5. If you must have access to Email, Create a Yahoo email account, several days before you travel, and forward gmail to that account (Yahoo, so far, is not blocked). Be sure to test before your travel.

Recommendations for Laptops

Some helpful starters are:

• Do not have any export controlled data on your device. This could have ramifications far beyond the hassle of losing the data. There could be legal and financial issues as well.
• Don’t have any files stored locally. Move all of your files off of your desktop, documents, etc. to Google Drive or one of the appropriate shared drives (H,L,T). The only exception to this would be a second copy to a talk or paper you are presenting. You should also have another copy on Google Drive and a flash drive.
• If possible, use VPN (vpn.ncsu.edu) whenever you are connecting to the internet. This is a good idea whether you are connecting back to NC State or not. Setup VPN before you leave the office to make sure it works properly.
• As a precaution, you may also want to have a local account created on your laptop in case you cannot connect to wireless or a network. In some cases this would mean you cannot get into your computer until you return. To test whether you can get in or not, switch your wireless off and then try to login again.

For a great set of guidelines and checklists to go through, please also review the recommendations from OIT that were put together by security and compliance.

OIT Guidelines on Traveling with a Laptop

Recommendations for Mobile Devices (Phones, Tablets)

There are a few key items you need to take into consideration when traveling with your mobile devices

• Make sure you have a secure passcode on your phone. A six digit passcode or complicated phrase if your phone allows it is preferable. A fingerprint is great as well.
• Make sure you have a tracking software installed in case it gets lost or stolen. iPhones have a built-in app called Find My iPhone. Google/Android have options as well. Get yourself familiar with these before you leave.
• Make sure you take a screenshot of your “About” page that has your serial number etc. on it and send it to yourself in an email.
• Make sure you don’t have any export controlled data on your phone.
• Make sure you have 2-step turned on for your university email account
• Go to the OIT page for more suggestions and requirements.

OIT Mobile Requirements and Recommendations

Phone

If your phone was stolen, you need to report it to TCTS and your phone carrier immediately and change your university password immediately. Changing your university password will limit the amount of data access and damage that can be done with the mobile device.

Phone Carrier

• The phone carrier may be able to track the phone for law enforcement or recovery
• Depending on the OS version, they may have the ability to remote wipe the device
• They can stop SMS messages that could be used for 2 Factor logins

TCTS, working with OIT Security

• Will remove the phone as a valid Duo 2 Factor device
• Will issue you a Yubi Key to use for 2 Factor while you don’t have a phone
• Assuming your university Google account was being used on the device:
  • Will work with you on reviewing your Google account to ensure that
    • App Passwords for the device are revoked
    • No nefarious data sharing or email forwarding was setup
  • Will work with you on remote wiping the device
    • iPhone
    • Android
    • OIT Security may be able to remote wipe the device as well
• Issue a report with you regarding the data that was on the device:
  • https://oit.ncsu.edu/it-security/reporting/

It will also be important to change the passwords on your personal email accounts, since those are often used for “Forgot Your Password?” recovery for other account types including banking, utilities, and online purchasing. TCTS will assist with this if needed.

Wallet or Purse

If your wallet or purse was stolen, you need to report it to TCTS immediately in addition to a number of other actions:

TCTS, working with OIT Security

• Will put a hold with the OIT Helpdesk to disallow use of your Student/Employee ID to be used for remote password and 2 Factor resets.

There are multiple steps you should take to protect yourself from identity theft and fraud:

• Call your banks and freeze the credit/debit cards
• Put a hold on your credit so people cannot sign up for things on your behalf
• Get new Drivers License
• Consider signing up for Credit Monitoring service
• For more information on how to take these steps, start with the following sites:
  • https://www.thebalance.com/my-wallet-purse-was-stolen-now-what-1947532
  • https://www.wisebread.com/10-things-you-should-do-immediately-after-losing-your-wallet

Laptop

If your laptop is stolen, whether personally owned or university owned, a number of steps must be done:

• Change your university password immediately
• Change your passwords on personal email accounts, since those are often used for “Forgot Your Password?” recovery for other account types including banking, utilities, and online purchasing. TCTS will assist with this if needed.
• Work with TCTS to review the device configuration for likelihood of data being accessible on the device.
• Work with TCTS to issue a report regarding the data that was on the device:
  • https://oit.ncsu.edu/it-security/reporting/