Schneier on Security
A blog covering security and security technology.
« Changing Surveillance Techniques for Changed Communications Technologies |
| High-Quality Fake IDs from China »
June 12, 2012
Israel Demanding Passwords at the Border
There have been a bunch of stories about employers demanding passwords to social networking sites, like Facebook, from prospective employees, and several states have passed laws prohibiting this practice.
This is the first story I've seen of a country doing this at its borders. The country is Israel, and they're asking for passwords to e-mail accounts.
Posted on June 12, 2012 at 5:09 AM
• 69 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Hummm, totally useless, you just create a second account and give that !
Now there's an argument for two-factor authentication, if ever there was one.
If stopped and searched on that level, I would likely say something like this:
"As a business professional, I regularly have email through even personal accounts of a protected nature, which I have a legal and ethical responsibility to keep confidential. Your faulty assumption that refusal to violate business ethics is tantamount to terrorism is based on a flawed premise that the innocent have no right to personal space. I resent your insulting remarks and their implications, and intend to take this up with your supervisor, with the added note that any further mistreatment will be taken up through official channels and you personally will be named for the rather enduring shame that only the internet can provide."
I'm pretty damn sure I'd be on the next plane home anyway, but at least I'd be principled and honest, and I really would do everything possible to make that person infamous...
@ Victor Engmark: And how exactly will two-factor authentication help here? The email search will be done live at the border, I assume.
According to the article in the Australian (the link to haaretz gives me a 404), airport security demanded that the people log in on airport computers.
from the WSJ:
JERUSALEM — When Sandra Tamari arrived at Israel's international airport, she received an unusual request: A security agent pushed a computer screen in front of her, connected to Gmail and told her to "log in."
So if the airport computer has any spyware (either placed deliberately or run of the mill malware infection), this is a GREAT argument for two-factor authentication.
firstname.lastname@example.org, or if you have your own domain, set up an account there.
Before you go, comment widely to attract some spambots. sign up for a bunch of mailing lists. Auto forward the spam to other disposable accounts. Fill all in and outboxes with spam and travel related emails. On departure kill the account and never use it again.
Thanks for the heads up though. I may have to set this up, to go along with my employer friendly facebook account. ;)
@ari Now if we knew what OS and browser they were using... what a great way to PLACE malware on the machine ;-)
Paranoia does strange things to people and countries.
Given that some terrorists favour communications within gaming domains such as WoW it can only be a small step to people having to login to their gaming sites before being allowed in to Israel...
well, just don't go to israel. ignorance is a good sign.
If going to Israel... Use POP3 =)
2-factor would depend on which 2 factors. What you know and what you are can usually be recorded. What you have could help if it uses a challenge-response system. Which could also be done with "know" and "are" but is less practical.
You could remember multiple pass-phrases or use multiple biometrics...
At Hack in the Box Amsterdam it wasn't my phone!!!! It was the guy in front of me, he just reminded me to check if my phone was on vibrate only... ;-)
seems like the link is broken.
Just remove the trailing quotation-mark.
@Richard If you don't bring your physical token with you it becomes easier to refuse on the grounds that you are unable.
I'm a little concerned at the naïveté of some of the comments.
1. If you offer any excuse as to why you won't give them the info, you are sent back to your home country.
2. It's trivial to tell a fake email account full of spam from one you use day to day. They already know who you are, through searches they already have an idea of who you may be talking to, they'll look for evidence of that in your account.
3. From what I can tell for the two cases I heard of, they were probably already going to reject the person. In any case, they used the email search to gather names and contacts which almost certainly will be added to their watch list.
I do wonder how two factor is going to work. Will they even allow you to use your cell phone there? Will it even function? the thought of entering my password on security's computer is pretty appalling. Once they are in, I can't keep URL from continuing to explore after they send me away. What good is two-factor security when they already logged in?
1. Do not go to Israel
2. Or, delete your gmail account(s) first (and any others with remote access).
3. Use discardable accounts for the duration.
4. See 1.
Interesting that the page cited now comes up with a 404 error...
Thats a big BS, the story is a false story and haters will hate
Just remove the trailing quotation-mark.
Notice neither stories have asked the Israeli authorities for comment. I seriously doubt this is official policy as above all it's pretty damn ineffective.
It's worth noting, however, that the U.S. immigration services ask for quite a lot of personal information from Israeli tourists wishing to obtain a visa. Those who fail to produce recent salary slips, employment history, etc. often are denied a visitor's visa. Giving a fake email account is much easier than getting out of disclosing those personal and financial details.
In general the answer to all the uproar regarding such policies is - if you don't like it, don't travel there. Each country has the right to make up its own ridiculous rules about who may visit it. e.g. several Arab countries disallow entry to Israeli Jews as a general policy. You don't see many Israelis whining about that. The ones who really want to travel to those (often hostile) countries usually use foreign passports, btw.
"If you don't bring your physical token with you it becomes easier to refuse on the grounds that you are unable."
Only if you still can't log in under torture. Why should they believe you when you say that your login requires a physical token?
And really, I'd be in serious trouble in that situation, because I don't know any of my mail account passwords. Various pieces of software are fetching mail to my home server, and if that's down, unreachable, or off limits, I'm simply without access for the duration. (The passwords are not terribly memorable, and I don't make a practice of carrying them, even on my encrypted USB stick.)
Caught on Archbishop Morton's fork: If I maintain security that's tight enough to keep the government out, I must be a terrorist bent on hiding something. And if I maintain security that's loose enough to let evildoers in, and they do something evil with my resources, I must be either criminally negligent or else in league with them. I'm not sure that a lawful intermediate level of security even exists.
It was nothing to do with terrorism - they were checking for pro-Palestinian visitors.
I imagine the US will do the same. Next to the little box on the form about not intending to overthrow the government of the US, there will be a box to put your blockbuster membership number to check you haven't watched any Michael Moore films
It would be interesting to learn whether they would allow you to login to your account(s) on your own device, or if they're requiring you to login on their device.
(Obviously, with governmental level support there are all sorts of man-in-the-middle games they can play with capturing credentials even on your own device, but at least it's a modicum less problematic than actually typing your credentials on their system.)
No problem, we can go through the google password reset screen with you...
It's not a "problem", you just aren't going to be allowed in.
1. Create email account for porn sites and all things offensive to the predominant religion of [insert country here] that aren't illegal.
2. Surrender that to the border guards.
I've certainly heard of this for US entrants.
US Custom ask me for my passwords evey time I enter the US. They threatened me to deny my access if I don't comply.
This is few years before Israel even started this practice.
If I was on holiday and didn't have my laptop (which I don't take with on holiday - because it's a holiday) then I wouldn't have access to my email. Would this mean I would be denied entry? That's barmy. I can't be the only person in the world without webmail.
That would be the most beneficial thing DHS has accomplished.
Bruce, not sure what you base that Israel asks for passwords statement from, is it personal experience or?
Actually Bruce, the practice is fairly old...
Iran has been randomly demanding social network & email passwords for a number of years, even before the more recent election issues of 2009.
I was personally asked for the password of my yahoo account back in 2008.
another common practice is to ask about your "friends" and contacts, how you know them, etc.
I'm curious about that...any further details? What nationality are you? What do they look for? Do you log in on your own device?
This is bad and not sure it brings much value, but I think the logic behind this is that some activist groups came to Israel this year and last year to create disorders and non organized/violent demonstrations... maybe they try to make it unpleasant for any potential visitors that fit the profile...
I migrated to US almost a decade ago. Originally from ME. I don't know what they are looking for. They ask for any password to any electronic device I carry with me. Last question I did not get what you mean, sorry. US CBP takes everything I have (papers, electronics, business cards, wallet, etc.) except money. Later (can be several min to an hour) they come back asking for passwords.
All the sources in the article are admittedly anti-Israel, so it's fairly safe to assume this is NOT a common practice, but something that might happen in very specific cases.
This doesn't mean it's OK, but it's probably not a reason to worry.
So, what are they trying to find out?
You can have an e-mail address for your normal dealings, and another e-mail address for your 'criminal' dealings.
In fact, and as usual, this type of 'security' only filters out people who are incompetent to successfully carry out an attack.
Any professional, well trained, well funded criminal/terrorist will have worked out the details of this particular problem well before it even becomes an issue.
Even if this were legal - in whatever country - I believe it would be appropriate that visitors applying for a visa or booking a flight receive fair warning in the form of some manual/leaflet what they can expect from customs and immigration in the country they intend to visit. If the conditions set forward therein are not to their liking, they can either cancel their trip or in some way should be able to appeal against them.
Failure to do so IMHO constitutes coercion and entitles the party refusing to comply to a full refund from airliner or visa issueing authority for all costs made, including but not limited to damages incurred as a result of admission refusal. This is especially true for nationals from countries where letters and email are legally protected from warrantless disclosure to 3rd parties.
- grin - As for myself, I am as from this morning hosting my mailbox at confessione.nuvola.va . - grin -
FWIW, Israeli attorney Jonathan Klinger says the practice is basically illegal under Israeli law.
Of course, much of what Israel does *is* illegal under its laws - and its government regularly and blatantly ignores decisions and injunctions by Israel's High Court (kind of like their Supreme Court); as do settlers and other such organized groups. But under the existing and basically unenforced framework, warrantless searches of that nature are probably not legal.
"1. If you offer any excuse as to why you won't give them the info, you are sent back to your home country."
"3. From what I can tell for the two cases I heard of, they were probably already going to reject the person. In any case, they used the email search to gather names and contacts which almost certainly will be added to their watch list."
So, your point #1 is both irrelevant and dangerous: by your reasoning the traveller is set to be denied entry regardless and so, should politely tell the officer to get knotted.
If the traveller does give up her genuine passwords to the authorities (Israeli, or any other) in the scenario that you have constructed then she has now permitted said authorities to consider all of her contacts to be guilty [of whatever she herself is suspected of] by association.
Giving details of a throwaway account may also be fraught: unless you are comfortable and competent with proxies, TOR and other tricks, there's a fair chance that a good intelligence agency can link it back to you one way or another, and you (and your contacts) are then as stuffed as if you have handed over your real passwords, except that there is now an additional marker that you tried to actively deceive them.
Whether or not this is true, I can just imagine John Pistole reading about it and drooling over this great idea for a new "layer" to add to his security theatre. Since he and his agency define "security" entirely in terms of continually increasing intrusion and invasion of privacy, something this intrusive and invasive would be irresistible. He may even have called Blogger Bob about writing a propaganda post to start getting travelers ready for this new "enhancement."
I can tell you my password, it will be good for the next 30s. Good luck.
I have a lot of mail accounts for different purposes but mostly to compartmentalize me from spam, my finances and my online relationships from each other and the occasional special project
How can the agent know they've got
a) the right one
b) all of them
D. Give us your facebook account password.
Ans. I don't have a facebook account.
How would they prove that I did? (well there is the app on the cellphone and tablet and the shortcut on browser...I guess that's a give away)
Can a person have less than zero interest in visiting a country?
This is mostly a move by the border authority to just turn you around back to home after detention.
They already have your email account. All your base belong to them. They want to self-incrimination factor so they can detain you for a really long time.
Congrats, you win the Humor Award.
What if you legitimately do not have an email account? Are you "hiding" something? I know someone (who I admire for his/her discipline) who does not carry a cell phone on his/her person.
All this security theatre is truly becoming a Troll's Paradise. The possibilities are endless. How will they with any confidence know if you're giving them all your true accounts? Anybody heard of dummy traffic? Stop giving trolls a stage for their antics.
Wow, and I used to respect Israel. Whats next, they make you sew a cloth crescent on your shirt and wear it at all times?
Remember to change your password before heading to these places to something like "IamAterrorist!" or "BombOnBoard!"
That should give the sniffing software something to get excited over.
The article mentions they found the e-mail address in her papers. So creating a false account probably won't work.
If it is a company account, maybe the IT team should block all access from foreign addresses.
What is this "email" thing of which you speak?
Reality check is that there is no way I can memorize my passwords. I do not use a software solution for my passwords. They are changed as often as I change my socks.
Only takes me seconds when at my home base to log in with simple copy and paste.
This was yesterday's password for one of many email accounts.
I'd be surprised if they could rifle through several gigs of email in any meaningful way in any reasonable time frame. They'd be better off checking my underpants for explosive residues.
But its a brilliant policy for scaring off tourists and alienating foreigners from their cause.
"I'd be surprised if they could rifle through several gigs of email in any meaningful way in any reasonable time frame. "
They have until you get back off the plane in whatever country they return you to, make it through customs and get to a trusted terminal to change your password.
In that time they can
- forward all emails
- set up BCC, IMAP, POP ... (and hope you don't notice)
- search for 'account activation' emails, log onto those services and get a "password recovery" email sent
- export your address book
- try the same username/password on other services (just in case you recycle bits)
- change your avatar image to one with a web-bug in it
- add an email signature with a web-bug
- send "My account has been compromised, please send all future emails to .... " emails (hey, they're not lying :-)
The headline is misleading. No one asks everyone for passwords. Suspects are asked to log in to their emails account w\o revealing the passwords This is something else. The Israel Security is using profiling to identify potential terrorist. During the long search in the suspect belonging his email account is searched too. The problem is the profiling itself not the search in the email.
There's effectively no difference.
How would they do even half of these things with my POP password?!
@David, if I were them, I'd have a keystroke logger scrape all the passwords and send them to the SIGINT people, then do whatever I was going to do with the visitor anyway.
"I'm sorry, I keep that password written down next to my computer at home."
I'm ye olde phart. I don't to that interwebs stuff.
Or just give them garbage. Like the testers in the Pi contest, are they going to check? If they do, "oops, I guess I got it wrong. Lemme try again" until they get a $5 wrench.
And this is, again, why I want to start the 'Random Data Email Exchange'. If you regularly send lots of people totally random data with completely unrelated random subject lines, and that well-encrypted data is indistinguishable from random, you can tell them "There is no password".
Not that it'll help the $5 wrench brigade.
Okay so maybe I'm a bit paranoid but my Gmail password is I believe 24 random characters. I don't have it memorized and without my keychain which I'm not going to travel with, even I couldn't login to my email. So what does security do then?
I couldn't use their (or anyone else's PC) even if I wanted.
My passwords are random 60+ characters. I don't know them and will not "discover" them under legal force.
Our email cannot be accessed without an OpenVPN tunnel, which works only on a VM running from inside an encrypted partition. If I'm on vacation, I don't bring a laptop with those capabilities.
I have a gmail account - don't really use it and don't know the credentials for it either. Again 60+ character passwords. When I need a temporary email address, I use hushmail ... but since they turned over data to the government, I've let that account expire.
I doubt this story is true for everyone. It must be for selected people or from specific countries? I dunno.
Can't use cell phone as a 2nd factor either. No SMS on my plan.
I never wanted to travel to Israel too much before, but if this is true, I won't even bother. On a recent trip to Europe, I saw something about France being able to demand files be decrypted. To avoid that, just didn't bring the keepass DBs with me. Call me paranoid.
As a Canadian security researcher who drives through the US border all the time, yes they also require passwords to everything. One even wanted me to log into my gmail account and confirm my email for a conference I was attending. I said no and was sent back.
Obviously they don't do this for everybody but if you're flagged somehow or they find a bunch of encrypted laptops then you're going to get full scrutiny.
pointless, you get almost the same entropy with a sentence for a password.
I have checked it is not Wall Street Journal it is Israeli edition of Haaretz. I did't find it in Hebrew edition. The article refering to few tourists. We don't know the reason why they were refused to enter Israel it is not mentioned in the article. Millions are coming to Israel. I have never heard any one been asked for there passwords. Please use common sense. Now one needs it. You give a false one. Please find something with real truth, real problems real abuses.
pass-phrases as suggested by Derka may be good, but when you have accounts for many diverse systems and web-sites, it's just as hard to remember what pass-phrase I used for a given resource as it is to try and remember some long random string. I still need the password db anyway. You can avoid that problem by using the same pass-phrase everywhere and create a different vulnerability. Randomly generated strings also can't be forced out of me by any means.
Well, I use long non-sentence passphrases with a few extra characters memorably related to whatever site I have the password on. Better than just one passphrase, but still not very secure I guess.
If that is really what trapspam.honeypot's passwords look like, it would take quite a sentence to match it for entropy. Assuming that there are 80 typeable characters (on the low end, but a reasonable swag), the 62-character password posted is one of 80^62 = 10^118 possibilities.
Going with the 11 bits per word estimate of your xkcd comic, you would need a 36-word sentence to get the same entropy.
And besides, there are only ~10^92 particles in the universe, so if every one of them was working for an attacker, each checking 10^16 passwords a second, it would still take around 150 years on average to crack.
US Customs has been occasionally dumping laptop files to their own storage for at least ten years. Michigan State Police were the first to be sued for grabbing cellphone data during traffic stops (Cellebrite and other companies sell hardware for this). Recently, news articles about employers or schools demanding passwords and account information.
It would suck to find out about this at the border, several thousand dollars into a trip, but realistically, just about any "official" group seems to feel it has the right to your passwords and personal data nowadays.
I keep a "sock puppet" email address and web page that maintain a truthful but heavily censored online identity. I started it some years ago, when I first learned of employers and data collectors using the web for background checks. I have carefully maintained a firewall between this and my "real" online identity. It's not secure at the Google/NSA/local ISP user tracking level, but it's good enough to hide from ordinary web searching.
You'd be lucky to be on the first plane out fo the country. More likely you'd spend a few days in some prison-like detention center with the US Embassy unable or unwilling to do anything for you.
See this woman's story as another example.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.