zlacker

1. erdo+(OP) 2019-07-02 16:34:44
Given China's expansive attitude to industrial espionage (all foreign companies are fair game), if I were in charge of security for a large multinational, what's my security policy going to be for my employees who travel to China for meetings? Does this change anything? Or is behaviour like this from China or indeed anyone else, already priced in?
replies(1): >>brayth+t1
2. brayth+t1 2019-07-02 16:42:43
>>erdo+(OP)
Others can chime in, but I believe that most serious companies doing business with China have a burner-device policy for employees travelling to China.

Your devices will all be hacked with industrial espionage malware, and just in case you don't have anything on those devices, you will be given devices as "gifts" (like flash drives and WiFi-equipped smart home devices) that will exploit any devices you didn't bring with you.

IANAE, but I believe the usual policy is to accept the gifts but discard them at the first opportunity.

replies(3): >>schoen+J4 >>seanmc+6a >>NamTaf+AC1
3. schoen+J4 2019-07-02 17:01:10
>>brayth+t1
I'm always confused when I hear this about why malware researchers don't obtain a huge trove of malware samples (and/or zero-day exploits) by obtaining some of these "gifts" and then connecting them to honeypot devices. If all you have to do to receive one is travel to China as an employee of a major U.S. company, they must be quite easy to get ahold of.
replies(3): >>yazan9+Hh >>codedo+Dz >>komali+FB
4. seanmc+6a 2019-07-02 17:32:43
>>brayth+t1
Microsoft did not have such a policy, but we also had huge development resources already based in China.
5. yazan9+Hh 2019-07-02 18:17:42
>>schoen+J4
I imagine the average Joe working at MSFT/AAPL/GOOG/etc. doesn't get such gifts unless they are worth hacking - in which case I imagine the gift-givers would have done their due diligence. Also, corporate policies can be pretty specific and strict regarding gifts to eliminate potential conflicts of interest.
replies(1): >>schoen+ql
6. schoen+ql 2019-07-02 18:37:38
>>yazan9+Hh
Due diligence about whether the gift recipient is likely to use it personally rather than passing it along to a malware researcher?
7. codedo+Dz 2019-07-02 20:08:55
>>schoen+J4
Someone must have a lot of free time to do this instead of work.
8. komali+FB 2019-07-02 20:23:06
>>schoen+J4
It is not a fun idea to travel to China as a malware researcher. You might get arrested for being involved in encryption at all, which to China means you were smuggling in anti-Party materials. Or, you might be arrested so you can be used as a pawn in a political game:

https://www.scmp.com/news/china/diplomacy/article/2189605/us...

9. NamTaf+AC1 2019-07-03 10:03:24
>>brayth+t1
The company I work for (small on the world scale, but reasonably big in my country) forbids our standard-issue laptops from going, instead giving us special travel laptops. These are blocked from the corporate wifi and do not have any VPN connection back to the corporate network. We do all email through webmail. We hand them back upon returning and they get wiped with a fresh install of the OS.