Slashdot Mirror
Steps To Protect Oneself From Corporate Espionage?
rhizome asks: "Our CIO had his laptop, along with all media (CDRs and floppies) stolen from his desk last night. Being that there were several other laptops out in the open, it would seem that the thieves knew what they were looking for. Our company enjoys a unique position in our market, and there has been interest by other, larger, companies in absorbing our role. The numbers are adding up nicely, to say the least. Beyond calling the police, who may just take down enough information for our insurance company to replace the hardware, what can be done? How have others dealt with this situation?" Encryption is the best bet for keeping sensitive information on anything that can be picked up and carried out of a secure location (this includes handhelds). If such precautions can't be performed on a specific piece of hardware, then said hardware shouldn't be used for sensitive information. What other precautions should corporations put in place to protect their data?
-- Michael Chermside
Yup, it's trivial to make. Thermite is just aluminum and iron oxide (rust), powdered and mixed. The problem is "How much do you use?" Getting enough heat to ruin the hard drive is easy. Getting enough heat to slag the computer, burn through the floor, and make a puddle of molten iron on a bed of glass is also easy. And heaven help you if you manage to get the cast aluminum hard-drive housings ignited (aluminum burns like magnesium, once you get it started).
-- ;-)
Kuro5hin.org: where the good times never end.
I suggest a complex method of security called "Exec-Cryption". Basically this method consists of shielding all executives from any real information. The philosophy is, protect the data by protecting the exec from data.
Some specific methods include "ambient encryption" which is using language that is sufficiently obfuscated when in the presence of an executive. This guarantees the executive will not gain real information by word-of-mouth. If an executive gains this information, he may decide to record it on his laptop, endangering the data. Use terms the exec cannot possibly understand, and decide upon code words for terms that he MIGHT understand.
Another method is called "email exclusion" which means that any emails that have real information never reach the executives. Therefore it's not on his laptop and can't be stolen.
The most severe form of Exec-Cryption is physical security. In other words, chaining your executives to their desks to ensure that they can't go to meetings and gain information.
I hope this new data security method is useful to you.
-- Mojo Tooth : exploring our world as only an idiot can.
In a Pro (not hacker) data theft situation, the computer is never powered on. The hard drive is removed and copied bit for bit. Then the copy is probed. It is never booted. Check what is out there regarding government VS hackers and captured machines. It always gets the forensics treatment.
The truth shall set you free!
A "Dead Man's Switch" is simply a switch that will change state if the user suddenly disapears. (or dies)
The gas pedal of your car is an example. If you suddenly die or leave you'll probably let up on the gas and the car will come to a stop. (If you die on cruise-controll you're screwed but what do you care anyway?)
Anouther example would be if you had stuff on your computer that you didn't want anyone to see you could write a script that would require you to give a certain command every so many days or it would erase/encrypt your harddrive. (So your next of kin can't look at your porn.)
In this case, though, I think the original poster just ment a switch that would detect if the HD was removed from the computer's case. (who knows how you upgrade the thing!)
-AndyI can't really believe that this would work.
I mean, the first thing I'd do if I were a Data-Thief ist to rip out the Harddisks and put them into another computer. I surely dont want any stupid Autostart programs to delete Data, require Passwords or stuff like that.
Even if the original owner is completely clueless about security, he might just use a program which periodically checks his e-mail in the background, and blam, you're busted.
--------------------------------------
I've worked for 3 different computer repair shops, one of which was a major franchise, and I've never once worked in a shop that calls in serial numbers on hardware.
I think you may be mistaken on this one.
Sigs are awesome huh?
I'd argue that most smaller companies (sub 100 employees) can't afford that kind of security. For very small companies (sub 10 employees) it's right out ridiculous. There's absolutely no way to cover the costs.
May we live long and die out
And they call it an institution of higher learning :)
I think physical security is more important here. And I wouldn't get too paranoid. Lots of professional thieves want the laptop just for the laptop, not the squidgy information inside it.
Never attribute to malice what can be adequately explained by stupidity.
To many of the posters fail to relize what you mentioned here. Security is not some star warsish meltdown of the facility if someone tampers with it. And for sensitive data such as the problem described in the original post deals with. Your only real method of solving the possible breach of security once someone has the hardware is to encrypt it. Otherwise the first thing I would do if I stole it would be to remove the HD seeing as how they probably knew what they were looking for and it wasn't the laptop it was sensitive financial data stored on it. I might even go so far as to disassemble the drive and send the platters off for data recovery. Meanwhile the laptop and drive case are sitting at the local dump or in some salavage electronics store. Lot of good your GPS locator and dead mans switch are now. May I remind you that all this took was maybe an hour or so to disassemble and get what I needed. I think the only solution is as the poster above pointed out awareness throughout the organization coupled with encryption for sensitive information. Any explosives or corrosive materials would be improbable and dangerous to use threatening more the lives of their daily users than the unprobable thief who might come along with the knowhow to circumvent the counter messures entirely.
Yes, I was thinking that the computer wasn't stolen; it just up and left, wanting to be free and all.
Sure, the hardware is a real monetary loss, but as for the corporate info, isn't this what all of us Napster supporters are for? Freedom to acquire others' information without consent or cost.
(using sarcasm, of course)
-----
D. Fischer
ShoutingMan.com
Yea, but his palm pilot is handcuffed to his other hand.
You know why those older SGI machines (think Indigo 2 era) have removeable drivers? SGI had a large contract with the US miltary and the miltary wanted to be (easliy) take the hard drive out at night and lock it in a secure safe.
I know on the older IBM think pads (think 486), it takes 2 seconds to remove the hard drive (a switch on either side of keyboard, pull keyboard up, grab hard drive "bar", pull up on bar, hard drive is removed).
It might be worthwhile to look for easy hard drive removeal for all notebooks that contain senstive data. At night, take the hard drives out and put them in a secure safe that is non-remove-able OR extreme difficult to move the entire safe out of the building.
Also there is notebook "chains" that you can buy, if the user is at their desk, require them to lock down the notebook to the desk so some one can't just pick it up and walk away.
When getting a laptop make sure the "chain hole" goes THOUGH part of the hard drive. If you have a laptop securly fashioned to a desk, but the hard drive can be removed easliy, this is stupid. Those older IBM think pad had the "chain hole" actucally go into part of the hard drive, you could NOT remove the hard drive when it was chained up. If you tried, it would cause ALOT of phyiscal damage to the hard drive (hopefully rendering most of the data unuseable), if you tried to force the laptop from the desk, it would also phyiscally damage the hard drive.
Get a chain that can hook to "most things". If they need to take the notebook off site, make sure they chain it up to a fixed structure at all times.
I haven't seen anything like this, yet. But what would be REALLY NEAT is to have the power supply REQUIRE that the notebook is securly fashioned before power on. That way, users would be more likely to chain it up before using it. (this doesn't help if they have it unchained with the power off (ie. having it just sit on their desk))
Use an encrypted files system, encrypt all important files by hand (with a differant, stronger but slower encryption method and differant key). Use a GPS tracking system. Require that "important" data be backed up on a secure offline server in the office and deleted from the notebook hard drive if the user doesn't need or isn't working on that file. (like if you have 2 projects on your laptop, but project A has already been completed and no longer involved with it, back it up and delete it from laptop)
Also a security guard at the front door could be usefull for on-site theft. Have a list of which items can and can't be taken from the building, and for each item have a list of people that can or can't take the item out of the building. Require ID for anything taken from the building. Require a quick "pat down" when leaving the building (if you have a notebook stuff in your pants, this is quickly revealed to the secuirty guard in 2 seconds with a pat down)
Also require you "check in" you "important" equipment during the day with the security officer on site, so they know exactly where all important hardware is (do this when you first get there, before and after all breaks, bathroom breaks, meetings, lunch, about anything you have to leave the office or anything the equipment leaves you eye sight...)
Be a bastard, lock it down really heavy if you have to, but make sure that "important" equipment doesn't get a chance to leave company eyes...
How much does it cost to get a good physically secure site going? How much does it cost if all your companies trade secerts are posted on slashdot and usenet forums?
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
I assume this is a rogue person because it'd be very hard to organize such a thing...?
Steps To Protect Oneself From Corporate Espionage? #1 - informative
Steps To Protect Oneself From Corporate Espionage? #2 - offtopic
Steps To Protect Oneself From Corporate Espionage? #7 - Insightful (I guess this one might be legit)
Not leaving the laptop lying around...?
kiku wa ittoki no haji kikanu wa matsudai no haji
Steps To Protect Oneself From Corporate Espionage? #26 - troll
Secondly, consider a desktop firewall. Consider a CEO that is on an Ethernet switch along with other employees on the same switched backbone. There is probably zero chance that ...
Finally, I also "honeypot" my system. This is a little esoteric, ...
Steps To Protect Oneself From Corporate Espionage? #34 - informative
--
KEY #1 is have a bad a** Security Policy
KEY #2 enforce it, or it isn't worth anything
KEY #3 enforce it, or it isn't worth anything
KEY #4 call a user up and test your policy, for instance ask them their password, if they give that to you (big NO NO) make then a sacrificial lamb, slaughter them in front of everyone else
KEY #5 did I say if you don't enforce it your nice network policy is crap? I think I did!
The moment one person scrub or CEO or whatever decides not to follow policy that policy is worth crap!
Physical Security is another issue but come on use some common sense people!
---
Example: Yes you remove your encrypted hard drive and put it into a safe, however a cleaning crew put a small device between the computer and the keyboard that logs all your keystrokes. When you power your machine up everything you type, all your passwords, and all e-mail replies will be logged. Next time your office is cleaned all you keystrokes are taken as well. I have seen devices that do this and the are SMALL (you could fit a several of them on a dime!)
Also you need to make sure devices are not added to your organization. Think of what the effects would be if every room was bugged. Every conversation, either in executive's offices, or in the break room was taped and examined.
Either a common thief stole the laptop or an amateur spy. Anyone who knew what they were doing would have copied the information, bugged the device, and would not have been so foolish to make a whole laptop disappear (unless they accidentally damaged the devices and thought this was the best way to cover it up).
BTW If anyone knows of a security company who is looking for someone like me, let me know.
Obviously it was moderated by an idiot who doesn't realize that you can make a highly secure environment by not keeping any top secret information on the clients. If you need to get to the info, you get authenticated onto the server, which is locked up tight in a room. Make it even more secure by removing the floppy & hard drives from the client machines. Can't log in = can't get to the information.
~Bout Time for another tea party.®~
In order for encryption to protect your data, especially on a laptop, you have to do unrealistic things like:
1. Run a script that unencrypts everything you need to work with when you start up.
2. Re-encrypt everything before you shut down.
Now, really, is that a good solution? It may work, but what a tremendous pain. Does anyone actually do this?
Given how much you pay for what you get from Slashdot, it's hard to argue that the cost/benefit is too high. ;)
--
Time is Nature's way of keeping everything from happening at once... the bitch.
Did anyone consider that maybe the CIO just misplaced or lost his laptop and data? C*O's are usually the kind of people who would blame someone else for their own mistakes.
(Having said that, this reminds me of how a senior British MOD staff member had his laptop stolen, during the Gulf War. Complete with battle plans, intelligence information, etc.)
To secure the machine, there needs to be something in the machine which depends on something external to function correctly, and cannot be removed to allow the thief to use/sell the machine to someone else.
What this "something" would be, I don't know. I guess that a soldered-on HET chip, set up to only allow the PCB to function if a particular signal exists on a particular frequency, would be one possibility.
In other words, portable computers and laptops should be capable of the same self-protective measures as a diplomatic briefcase.
Remember, though, whatever device you use needs to be able to recognise and distinguish RELIABLY between FOUR possible cases:
In other words, taking portables carrying vital information by someone authorised to have that information out of an authorised area SHOULD be grounds for the portable to stop operating for that time. On the other hand, it wouldn't be grounds for self-destruction, necessarily. A fire or other disaster can make exceptional actions entirely reasonable.
A thief, though, stealing and using (or selling) the equiptment should not profit from their venture. IMHO, a portable with sensitive stuff on it should be quite capable of detonating the hard drive, if an unauthorised user is detected. Which would reduce the market value quite substantially. Especially for commisioned thefts (which tend to be the name of the game, when it comes to targetted theft)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Shoot, just ROT-13 it. Then sue the pants off them under the anti-circumvention provision of the DMCA!
In a related story, the IRS has recently ruled that the cost of Windows upgrades can NOT be deducted as a gambling loss.
Give me a break I have the necessary ingredients for thermite in my garage. I would suspect that most people with garages have them as well. Anyone with a search engine can make thermite.
Vermifax
Vermifax
Logout
If you want some serious security, get keycards or fingerprinting hardware or retina scanning.
A key can be stolen.
A keycode can be extorted.
A finger can be chopped off.
Even if you chop the head off, the retina scanning will fail.
Anyhow - there is no logging of what goes on with regular keys. If somebody does manage to gain access, it'll be all over your logs. (Which hopefully will be within a room it's REALLY tough to get into).
Two of-courses:
1 - Logging all entries can be said to infringe upon privacy of employees.
2 - This alone is not enough to even deny physical access. This is only enough to make it hard as hell to gain access without triggering alarms.
Anyhow, think about this before you buy those expensive locks you'll need to replace every time a key goes missing.
Stop the brainwash
Hi,
I would love to check this out, (just cause it seems cool)
can you give me a little more directed info than gov't versus hackers (that's what you mean right?)
is there an article somewhere describing the procedures that are used on siezed hardware?
thanks
Have all the sensitive data be saved by employees on network drives, that should greatly reduce physical data theft, but makes electronic data theft easier.
Use the international kernel patch to get
encrypted filesystems, www.kerneli.org
Or use Sentry program if you have Windows.
Thanks
Gaz
Isn't what you say about 128 bit encryption what they used to say a couple of years ago about 32-bit?
Granted, in a couple of years, that very sensitive data might not be as sensitive :)...
One shall speak only if what one has to say is more beautiful than silence
Absolute Software makes such a product. It periodically polls the company's servers with location data (like the phone number you are calling out to the Internet with, or your IP settings). It will even stealthily call out by itself to the Absolute servers by a 1-800 number even if you are not connected! Call-blocking, etc, is all covered, the software will get your phone number.
So when your laptop is stolen, you just contact the company and it will monitor the location of the laptop the next time it is hooked up, contact the cops, etc. A lot of corporations have used this, with recovery success. And the kicker is, the software is installed such that even if you reformat the hard drive, it still works! I don't know how this works but it does.
Check it out.
Sounds like a blessing in disguise to me...I wish my company's source code could be destroyed so the developers would have to write it over again, and do it right this time.
But you raise a good point. Pay your employees well, don't treat them like shit and your security will be much improved. That goes for ALL employees in all industries. In my experience, the cleaning and maintenance staff have better physical access than even security.
I take my laptop into the bathroom with me. And its handcuffed to me, so you just can't grab it.
.sigs??
Seriously, I think everything should be password protected and encrypted (32-bit+ encryption). Especially if it is sensitive info. That's the best you can do.
Being careful is all about paying attention to what you do. Is it imperitive you burn sensitive info to a CD?? Stuff like that...
-- Don't you hate it when people comment on other people's
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Boot passwords (will stip the trivial thief)
Encryption of sensitive data - there are a number of pruducts available - having the HD alone means squat.
Tracking methods. Hook one of these babies up to the internet, it quietly squeals for the police to come pick it up. As some of the current crop of laptops have built in cell modems, just turning it on is probably enough. A bit after the fact, in your case, but suggestions for your remaining laptops ;-)
Why not just have large coil magnets around the exterior doors of the secure areas? Any magnetic media that crosses the boundary gets erased. Cryptonomicron-like. If the laptop needs to be removed from the building, then pass it through the security window where the proper checkout logs are filled out.
Not leaving the laptop lying around...?
kiku wa ittoki no haji kikanu wa matsudai no haji
Client-Server Applications are probably your best bet in a situation like that. A company i used to work for used to use a Client-Server solution made Cyrix that worked really well.
Pretty much all the data layed in a rack of servers in a mag locked temp controlled room. The connections were secure because all the user's computer did was act as a dumb terminal to the server, sending key strokes and mouse movements to it that the server interprited. Any files that were saved were actually saved on teh server and required permission from the sysadmin to be saved outside of the server.
This system is actually a lot more secure than one might think. Because even though it did use the internet to send packets back and forth we were using a VPN to send information back and forth. Logins required a user name a secret password and a PIN created by a card that each user was given.
of course it just depends on how paranoid you are as to how much security you want to use. Cost of the security measure vs. Cost of losing the data.
Sincerly, in most corporate environments, where people know about computers as much they know about typewritters and calculators, you will forcefully find the ill-famous password: "1234". Once, I found it in the admin of the accounting system for a commercial bank. But this is not the worst. The madness was that, in one of the database files, the login & password were there UNENCRYPTED! Side by side... Grab and play Monopolio...
/. is a commercial entity. goto slashdot.com
Dump a chunk of longterm memory and store gigs in your brain like uh...
I think it was the dude who played Ted Theodore Logan in Bill and Ted.
1 power on password
2 hard drive password
my thinkpad does both
Power on password? On theft that's not a solution at all. It's only a hassle to either cut power to your CMOS or change drive to other computer. Besides is not you hard drive password stored on CMOS? If so, that's double insecurity...
Hard Drive passwords? Sincerly I have slightly heard about these. But I have also heard of the dumbiness of some. I am not sure if IBM falls in this category. Some HDD seem to have a possibility to have a password, which can be installed from any computer through special tools. However this password is stored on the disk itself. A careful work with the controller may turn this feature off, by wiping the surface where the password is and make a recovery of the partition table in certain cases. This is not exactly the same as those software tools that "protect" HDD's. In this case it seems that a read/write to the 0 cylinder "triggers" the call on the controller.
There seems also to exist passwords capable of being stored on the controller itself. But well, what barrages an expert from wiping this password with the proper signal? Most chips have a very simple system of basic calls, even in cases when they preform very complex tasks.
In the bad end. You peek the controller and substitute for another one... That is not so rare. Experts call it the "last solution" for burned HDD controllers.
In the very bad end. Pick up the disk itself. The one 99% of you people never see because it is inside of the that black/silver cage. With propper tools, the stuff can be copied...
A SecureID system might be worth a try. A bit late to be asking now. Also seems that their "security conciousness" was a bit lax, especially considering what else was afoot.
Gmhowell is onto our game. She (or he... we haven't discovered which yet) is implementing extensive security schemes. These are pretty much going to rule out plans A and B, so we'll have to go with Plan C.
Plan C should be completely unaffeted by gmhowell's defenses. After all, once the CEO goes home leaving his now-desktop machine behind, we should have no problem picking him up in the parking lot. I'm sure that after a little time with Tiny, he'll be glad to tell us everything we want to know about their business plan. And since he's no longer able to take his laptop with him to give presentations, he'll have put even MORE effort into memorizing the company's numbers.
-- Agent 47
Security doesn't start with encryption or passwords or security guards. Security starts with corporate culture. Do you have a policy that says everyone has to wear a badge? Yes? Ok. Do you have a culture where people -look- for the badge, particularly on people they don't know?
The IT department recommends strong passwords. Do people actually follow the recommendation? How about making a game out of seeing just how obscure you can get?
Does the company use encryption as a matter of course? It's nice to encrypt the sensitive information, but if people encrypted ALL their email as a matter of habit, it woould make encrypting the important things second nature.
That combines a technological solution with a cultural one.
In fact, this one leads to better general security on a number of levels. If you only encrypt the important files, an attacker only has to worry about cracking the encrypted files.
Encrypt the whole drive? Sure. Why not? Other than the performance penalty.
On a pure technology stantpoint, dump ftp and telnet and http in favor of scp, ssh, and https. The list goes on and on. Security is ALL of these issues. Physical, technological, cultural. It's a matter of finding the combination that's right for your environment.
Never attribute to malice what can as easily be the result of incompetence...
My point in saying that is it would *almost* be excusable for a new employee to do something like that, to make stupid assumptions about security.
This is not the way to build a lasting empire.
"A microprocessor... is a terrible thing to waste." --
"A microprocessor... is a terrible thing to waste." --
GeneralEmergency
The CIO had all of this sensitive unencrypted material just sitting on his desk... there's this thing I heard about called a SAFE. How hard would that have been? What if the building burns down in the middle of the night? Did that super encryption keep your sensitive data safe from the fire? NOPE. The flood? Riiiight. If it's important, protect it (duh, right?). This means protection from hackers, burglars, and the elements... get a safe and use it. simple.
Further, how many times have you failed typing your password correctly at login time? I know it sometimes takes me 3 attempts to do it, mainly because of the mangling of figures, letters and other "signs".
One shall speak only if what one has to say is more beautiful than silence
I've sat in the lobby and watched people go through the locked door. Each one of them has to flash a badge to the security guard before they enter. That's not one out of ten people, it's every single person. In other buildings there is no security guard, but you can't enter unless you have a key card. Some buildings have a security officer AND a door that requires a keycard.
It seems to work. There have not been any reported problems regarding theft.
Moller
That said, for future reference:
In any case, good luck. You'll need it.
--
Welcome to the Turing Tarpit, where everything is possible but nothing interesting is easy.
1) Keep all sensitive information on servers (you should do this anyway, to back it up properly)
2) Have strict controls as to who can handle backup tapes. Use a bank safe deposit box.
3) Keep server room locked.
4) How about some building security? How did someone gain access to the CEO's office in the first place?
Some good thoughts. Here are a few others, based on my own inner demons.
The notion behind these thoughts is to establish that the concepts and ideas were generated from within the company, before any possible implementation date by the thiefs. If it comes to it, you may have a leg to stand on if you identify the party responsible and pursue legal action. Since this could occur *after* they take a product to market using your ideas, this will help show that you generated them earlier.
- First & foremost: talk to your IP legal counsel and ask how to document IP retroactively for information that isn't properly documented, dated, etc.
- After determining what info was stolen, make sure you have current documentation and/or duplicates of it.
- If not already done, write up the information in a proper lab book, dated, signed by author and knowledgable witness
- Possibly place copies in sealed envelopes with dated forms notarized by lawyer.
- If you have working, but non-public, implementations then photograph (if hardware) or print and date code (if software), etc.
- Perhaps now is the time to file that patent.
- Talk to professional contacts!!! You may have a colleague at the (presumably) offending company who knows about the theft and is willing to provide information. I don't know if it would be considered bribery, but since whistle-blowing can be hazardous to one's career (despite protectionary laws), possibly make an opening in your company as a safety net if someone comes forward and subsequently loses their job.
IANMOA (I am not much of anything), but documentation is always good, even after the fact; and most people view corporate theft as slimy and would rather not be part of it. Use that to your advantage.
-----
D. Fischer
ShoutingMan.com
A large copper Pokemon ball would shield against a magnetic field of any strength, and look cool too. A static magnetic field strong enough to alter a hard drive would be lethal if a pocketknife or other loose iron object got pulled in. True story "a pair of sissors killed a patient in an MRI machine when they flew off a cart" Hard drives are packaged inside aluminum cases for heat dissapation, strength, and yes sheilding from stray AC magnetic fields. It takes a very strong AC field to erase a hard drive. No need for a pokeyman ball. It's built in.
The truth shall set you free!
I've seen crowds come in and (dare I say it :-) slashdot the poor guard. They all flash cards all at once, a big, moving, wiggling mob. There's not a chance he can actually give each card the diligence he should. How about that guy in the back of the crowd who threw his hand up as if, or the other one who didn't even bother? How many times did I come in with someone else and one card was good enough?
Whether or not the guard sees every card, how well does he inspect them? That's the monotony problem. If it even looks remotely close enough, he is so bored that he doesn't pay a lot of attention. Ever been driving, look to the side for a lane change, and do a double take because there was a car you didn't realize was there? Why didn't the first look catch it? -- Because you were bored with such a routine task.
No human guard can pay attention to everybody. Cardlocks are better, but how many times have a bunch of you come back from lunch, one guy does the cardlock, everybody else crowds thru. Now imagine it's a big lunch, 50 people (an awards ceremony, release party, going away party, etc) and some appropriately dressed stranger comes thru at the end, even catches the door and comes thru, or fakes it with a swipe and catches the door? Suppose he's not dressed like a typical engineer in that crowd, but has a fancy suit, briefcase, etc? How many engineers (or secretaries, assembly line people, etc) would actually challenge him?
Happened all the time when I worked in such places. I've been to friends' companies where they let me in, in front of a guard and all.
Happens all the time.
--
Infuriate left and right
Back in '94, I attended the RSA Data Security Conference. Even then, they were pushing the smart card approach to security. Of course, back then, there weren't too many PCMCIA devices available. So, one company came up with a really cool alternative...
They developed a "SmartDisk" (I think that's what it was called), that employed an RSA capable chip inside a floppy-like device. It drew its power from the rotation of the disk spindle and used the drive heads for transferring data. It could provide boot level protection and/or disk encryption. Very slick indeed. Wonder whatever happened to it (They were a UK based company).
Despite the power of encryption, however, there would, invariably, be the person who writes their encryption key down and sticks it to the inside of their desk.
Use encryption (key escrow or secret shared keys for sensitive data) and removable storage devices.
Require the users to check-in/check-out the media at prescribed times.
Use access control to determine access to the work areas and/or media.
Log out when you are not at your machine.
Finally, use common sense and don't leave the stuff laying about where somebody can see or steal it.
"A microprocessor... is a terrible thing to waste." --
"A microprocessor... is a terrible thing to waste." --
GeneralEmergency
Back in world war two the Nazi's came up with this ingenious encryption system that the allies couldn't break called Enigma. Go find one of these old enigma devices and encrypt everything you do on it. Then write it down with pencil and paper or type it in an old typewriter. Put this in a bank vault that is locked at night. So if someone does manage to steal teh papers the will ahve to go find another Enigma device to decrypt it!
There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence.
All I have to do is swipe a card when I enter the building and always have my badge visible. All I do is write code (and I'm only an intern, I'm not going to work for this company because I can't stand the corporate bureacracy, but that's another story) and lock my workstation when I leave. It doesn't impact on conditions at all, truthfully.
Our security policy is just one of many policies. There is also a major safety policy in place that include ergonomics. That basically means that if you want/need an ergonomic mouse/keyboard/chair/anything the company will provide it for you.
Moller
that's why other employees also watch out for unauthorized personnel. You're right, crowds do go in. And I can tell you that I have gone in with crowds where people have had their badges in their pockets. And I watched another employee ask them where their badge was and hold them until they took it out and showed it.
I've also watched security guards stop individuals in a group that didn't have their badge visible. And our security guards are not minimum wage rent-a-cops.
The corporate culture in this company is such that these methods have proven effective. I agree that it isn't foolproof and will not work for every company, but it has for ours.
Moller
- Get a DC power supply, like the one used on a train set. Cut the connector off, seperate the wires, and strip them both.
- Now you need a jar of water with a tablespoon or so of sodium chloride (SALT!) added to it. This makes the water conductive.
- Now insert both wires into the mixture (I am assuming you plugged the convertor in...) and let them sit for five minutes. One of them will start bubbling more than the other. This is the POSITIVE(+) wire. If you do not do this test right, the final product will be the opposite (chemically) of rust, which is RUST ACID. You have no use for this here (although it IS useful!).
- Anyway, put the nail tied to the positive wire into the jar. Now put the negative wire in the other end. Now let it sit overnight and in the morning scrape the rust off of the nail & repeat until you got a bunch of rust on the bottom of the glass. Be generous with your rust collection. If you are going through the trouble of making thermite, you might as well make a lot, right?
- Now remove the excess water and pour the crusty solution onto a cookie sheet. Dry it in the sun for a few hours, or inside overnight. It should be an orange-brown color (although I have seen it in many different colors! Sometimes the color gets f***ed up, what can I say... but it is still iron oxide!)
- Crush the rust into a fine powder and heat it in a cast-iron pot until it is red. Now mix the pure iron oxide with pure alluminum filings which can be bought or filed down by hand from an aluminum tube or bar. The ratio or iron oxide to aluminum is 8 grams to 3 grams.
- Thermite requires a LOT of heat (more than a blow torch!) to ignite. However, a magnesium ribbon (which isn't too hard to find... say you need it for a school experiment if you want) will do the trick. It takes the heat from the burning magnesium to light the thermite.
- You want electrical ignition, so get yourself a 120w lightbulb. These get really hot when on. Carefully break away the glass and wrap the magnesium around the filament, solder two wires on for power and pack the thermite around it.
- Congratulations! You have your very own hard disk destruct tool! Just add electricity.
This, however, would not destroy printed copies or removable media. To do this, go down your local radio shack and get a few solenoids. These are little bars that shoots out of a block when electricity is provided. Now get an equal number of self-defence CS spray canisters. Wedge the solenoids in the CS spray triggers and blue-tack them around your office, by your computer, above the door etc. running wires between them. Wire these into the office alarm, the same as your light-bulb. Now if you get an intruder, they get 15 bottles of CS spray pumped into the office, detering even the most determined thief.
I did something like this for a school project once...
Michael
...another comment from Michael Tandy.
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
Ok Ok So it's not a perfect solution, but hell don't you think it's something that could be built upon?
Are YOU listed?
Try explaining that to your CEO some day. Tell him how he's a 'retard' because he doesn't encrypt all his data.
He will promptly fire you because, as the IT guy, it is YOUR job to inform him that he should be encrypting his data, as well as telling him how, or doing it for him.
All of those suggestions that have been posted on /. are good -- however one suggestion that I have not seen is educating your user AND constantly reminding them about it.
This simple, inexpensive practice can go a long.
-- George
Karma stuck at 50? Add 2-5 inches.. err.. 2-5x Karmas Count to your pen1es.. err.. Karma all naturally and private
<I>BTW If anyone knows of a security company who is looking for someone like me, let me know.</I>
<P>
A nameless guy on Slashdot with no email or homepage or resume? Sorry, the market is saturated with guys like that.
<P>
Erik Z
Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
or a big bucket of sand
Vermifax
Vermifax
Logout
but continually striven for. Espionage operations have been directed at corporations large and small for 100 years or more. To be successful espionage by its very nature must be clandestine - that is not be discovered by the target. In the case under review it should be possible to reconstruct the content of the laptop and make a Risk Assessment of the damage the information would cause the the business if it were in the hands of its main competitors. The recipient of the information will know that the laptop will be missed and that the owner of the information may (if he knows what he is doing - which does not sound very likely) take 'Counter Compromise' action. This action will depend on the type of information held on the laptop. Some corporate information is Time and Price sensitive - e.g. quarterly or annual financial results for which corporations have a responsibility to amongst others the S.E.C. who take a very dim view of 'incorrect disclosure'. In such a circumstance Counter Compromise action is not possible because the information cannot be changed or denied. In this case the SEC would have to be informed and the reletive information be released to the public domain as quickly as possible. Corporate strategy and plans can always be changed but at a price and that price may be in the short term the difference between market leader and nowhere. This takes us back to the first point of stock price sensitivity! Security as an holistic activity. Encrypting the data on a laptop is not the answer as that data will be stored elsewhere within the enterprise. Having the most sophisticated form of Log-on and authentication to a computer system is useless if the OS is insecure, the computer is connected to the outside world, as 'point to point', WAN, Extranet, etc., the disks or backup tapes are accessible and can be copied. EXAMPLE. In the '60s one of the worlds major airlines devised a software application that would allow any travel agent anywhere in the world to book any flight from any where to anywhere else using a simple ASCII terminal. No other airline was anywhere near a solution and most had not even thought of the idea. Thieves broke into the airline computer centre, connected the computer on-line, dialed into their own computer and dumped the source code. At least one of the thieves was caught and charged with 'Breaking and Entering' (they broke a pane of glass) and the theft of ELECTRICITY. The source code was an intangible not recognized in law and although it was priceless to the airline which developed it, it had no monetary value in law. That was the '60s and the legal situation has changed but what has not changed is THE GREATEST THREAT TO SECURITY. It is not the CIA, the FSB, MI6, BND, NSA or any other combination of letters. The greatest threat to security remains the widely held belief that no threat to security exists. Once the President, Board and CEO are convinced that there is a threat to corporate security and they are willing to allocate 'Land', 'Labour' and 'Capital' (approx 10% of infrastructure projects) and convincingly educate all employees then a security process can be started by asking three questions: 1. What are our valuable assets, (tangible like data centres and intangible like information)? 2. Who wants them? 3. How can they get them? From these thre questions everything else flows. Answers raise more questions and the answeres to those questions raise yet more questions. Security, like any other corporate activity, is dynamic and all the accepted management skills from forcasting to sales apply whether it is securing Personnel, Materiel (buildings, computers, etc) or Information. Security can never be absolute - anything designed by man can be overcome by man given the TIME. Time is what effective security will gain for the defender - time to detect any attack, time to respond to the attack and time to neutralize the attacker. When it works effectively attackers are detered and CFOs invariably say "Why are we spending all this money when there are no attacks" and we have come full circle to the falacy that "There is no threat to security". Regards Gatekeeper (retired) PS. Unless things have recently changed radically in corporate America it is extreamly likely that the CIO had the laptop with the most bells and whistles and how many laptops can a guy covert? Some years ago I had a media client that was loosing one top of the range Compaq portable per week for ten months before we were called in to advise. We placed electronic ID tags in all the replacement portables and covertly monitored their movement in and out of the building. Every day a senior executive left the building at lunch time with a portable. Some days he brought it back to the building and sometimes not. One day he left the building with a portable which had been tagged and as his portable did not have a tag, it was not his portable. When he returned he had no portable. When the portable was not returned by the following day the details were passed to the local law enforcement agency who tailed him to his accomplices and arrested them. He had removed over $160,000 of portable computers because the security guards were looking for a stranger or someone who should not have a portable computer.
Lock it up in the first place. All laptops should be anchored to something immovable as long as you're not walking around carrying it. If you are carrying it, don't let go. Basic principles people. I work for a company that would get fined by the federal government if some of our data got out (probably over privacy violations). Laptops are meant to be taken home. And even then, if its got important stuff, lock it down.
Here's something else to consider:
One of the places I temped at let me go completely out of the blue (long story, not really relevant). I don't know if they bothered to tell the security guard I was gone or not.
If the thief is a former employee, a friendly security guard who knows the person might not have really thought about the person waltzing in.
This depends, of course, on how tight security was to begin with. When I worked in the vault of a bank, that certainly wouldn't have been an option -- the pass I used there had three levels of security coded into it to actually get me to my desk.
There is of course also the possibility that the thief is a current employee -- possibly even one of the security guards. Especially given how precisely targeted the whole things was.
"Somebody exploded a letter-bomb today
...Hey how come my credit card no longer works... Vermi
Vermifax
Vermifax
Logout
One place I worked that had such a scheme suffered a little office mischief... The employees would log in to thier fellow employees workstations. From there they would promptly screen capture and set the screen cap as the background, minimize everything, hide the task bar and move all the icons to a folder. Real silly if not clever gag that happenned at least once a week to someone.
Prospecting Stinks. Stop Wasting Time on Cold Calling.
Put your system files in one partition --enough for the system to boot up and your data files in another one, encrypted by a strong on-the-fly encryptor (I recommend E4M as ScramDisk is stuck on Win9x).
Go through your important applications and make sure they put even less important stuff (like temporary files) into the encrypted partition --Outlook .pst files, and %tempdir% come to mind; you don't want Word leaving whole copies of your business plan on C:/temp. You'll see a slow-down, but it's worth it.
Do not store passwords for anything in non-secure media (i.e. anything short of an encrypted file on a non-networkable machine or a PDA). I use Secret! on my Palm to store passwords and PINs I don't remember.
Go active: write a little hidden app (a batch file should do even) that will 'call home'. If you lose the laptop and the thief is stupid enough to go on the Net, the machine should start giving info about its wherabouts.
Several years ago when I was still practicing as a lawyer one of our partners had his laptop stolen from the back of his car. Since this guy had his clue bit set, he had set the BIOS password. Of course we reported the theft to the police and alsocalled local computer shops. Sure enough, several days later a guy came into one of them and wanted help "fixing the hard drive". The mounties were called, the laptop was recovered and the perp was taken away forthwith. We considered ourselves lucky because there was information on the laptop covering something like 30 cases that our guy was involved with at the time. As a result of that theft we thought about the problem and did the following: (1) Set the BIOS passwords on all laptops; (2) Got copies of Norton "Your Eyes Only" for all laptops [product no longer available, but it basically set up an encrypted partition]; (3) Set up a script to synch the laptop to the network whenever someone logged in at the office; and (4) Bought those cable locks for each laptop. Now, in addition, I would (A) Change to a more secure OS than Windows 98; (B) Consider an encrypted filesystem [Cryptographic File System or Transparent Cryptographic File System, both for Linux]; (C) Buy a Defcon One instead of just a lock; (D) Buy one of those proximity alarmsthat sounds if your bag gets more than 15 or so feet away from you [for airports, etc.]; and (E) Buy one of those backup hard disks with a PC card attached to make backups while on the road.
You forgot about optical media, Cd, Worm, Paper even.
Once he takes the laptop out of the building the security problem is worse. Now he has to leave it in his car or his house when he goes to the movies, dinner, etc. What are the odds his house is more secure than his office?
Now multiply one employee times 100 and consider whether it's better for employees to leave their computers at work or take them to their 100 homes.
Besides, the CIO's floppies and CD-Rs were also stolen. Unless he's going to schlep that stuff home along with his laptop, you're still looking at having data in the office. The office has to be secure or all bets are off.
This post... too accurate for Sandpeople. Only Imperial Stormtroopers are so precise.
Actually a few laptops have been recovered this way through the distributed.net client... which can run silently in the background.
It reports back to servers throughout the world on a regular basis.... without user interaction (normally).
Another way, is place a "backdoor" that uses STRONG encryption, and connects to a remote server (at your company). Like sshd... only REVERSED... sshd that establishes a connection to the outside system... allowing that outside system to gain shell access. (I saw something like this on the _new_ packetstorm recently)
Good luck on recovery.... Usually doing a "backdoor" is better, cause you can login and move information from your stolen system back inside your network.... and then trash the laptop (and then pursue the criminal).
Ever need an online dictionary?
In most financial firms, others as well. The data on the portable pc is exponentially worth more than the machine itself. Portfolio information, Analytics models, contact lists and other data property are very important, especially in the banking world. Things like EFS in windows 2000 work only on a small scale and are very difficult to manage and implement. Encryption like EFS encrypts the files on a per user basis. A key is generated along with a recovery agent (master key) that allows only the specific user to access the encrypted files. The problem, especially in espionage scenarios is that the recovery key, used in the event that the user's account becomes permanently deleted and other scenarios, becomes the single entry point into the entire company's data. In real world espionage scenarios, the attacker or data thief usually will be someone internal to the company who has such access to begin with. This may save users from having lost data in the event of a missing notebook, but the real threat to data loss comes from inside the organization.
One of the scenarios that is commonly used is the idea of self destructing data. Enter the password wrong 3 times in a row, and your notebook becomes useless, and data is wiped from the disk. Mirrored copies of the users data live on a server or on tape and can be restored relatively quickly. This presents a problem for the dial up user, but is a relatively safe way of implementing a process to prevent data loss. It becomes easier to implement with the advent of smartcards, where you keep the crypto certificate on the card instead of on the machine.
-Not even 2 bits.
How does one get into industrial espionage as a career path? It sounds like a fascinating line of work; I wonder how one gets involved. I mean, you never see classified ads for industrial spies.
--G
There are several utilities available that do transparent, on-the-fly robust encryption. Put all your important files on an encrypted partition and you're good to go. Any stealing of the laptop would be inconsequential.
Why on EARTH did your CIO not do this?? Reminds me of that awful blunder by the Qualcomm exec. Stupid, stupid, stupid.
Yup, I'm guessing some people would. In which case you'd just use the ISPs caller ID logs. (They all still maintain those, right? We all did back in '94 and '95, anyhow.)
-Waldo
Kensington or not....
Have you seen any notebooks that took more than three minutes and a small screw driver to liberate the hdd?
Me thinks not.
"A microprocessor... is a terrible thing to waste." --
"A microprocessor... is a terrible thing to waste." --
GeneralEmergency
Acer's newest model in the Travelmate 700 series has biometric scanning with fingerprint access. There's a little pad on the wristrest that allows you to use fingerprints instead of passwords. I don't know the extent of BIOS and HD locking, but it's a great (if not ultra-cool for us geeks) start.
Hey, good call, x-empt: Distributed.net Captures Laptop Thief.
-Waldo
All important data on a laptop should be stored in an encrypted loopback filesystem or PGPdisk filesystem with password timeout enabled. Even removable media can be secured via encrypted loopback.
If the unit is left alone too long, it forgets the passphrase and it must be re-entered. If it's powered off or rebooted, it forgets the passphrase. The Windows version of PGP even has a hotkey that will instantly forget all cached passphrases. Without the passphrase, recovering any data from the disk becomes prohibitively computationally expensive.
Internal employees must have less brutal ways to copy the information than stealing laptops, not to mention the CDs. But if it was a low-paid guard or janitor...
I was at a certain computer hardware company yesterday and was able to observe their security at work while I waited in the lobby for the person I was there to see. They had one entrance with an airport-type gate everyone had to walk through. No one could leave without walking through it and being checked with a hand-held device if they set the gate beeping. Also, any employee taking out a laptop or any other type of computer equipment had to sign it out. Yesterday I thought it was rather extreme but after reading this Slashdot entry today I understand now. Of course, not every company can afford this type of setup, but if there is sensitive information to be protected then the company ought to invest just a little more in security, n'est ce pas? Even if it IS a minimum wage guard at the door making sure nobody is walking out with the company's computer equipment without being authorized to do so.
HTTP header ad space for rent! Advertise to thousands of server log readers - only $50 a week per header! 1-800-SURFALOT
As has been previously posted, the first level of security is nothing to do with technology. It's about people. Who has access to the building? What is their security clearance? Are there checks on who can take stuff in and out? (No tech gets out of where I work without a signed chit from our Security team, and yes, someone tried to pass off a company laptop as hers by stuffing it into her own laptop carrier a couple of years ago).
Who has access to where? What types of locks are on the doors? Who has the keys, or knows the combination?
Train your staff. No-one gets a laptop without signing a paper confirming that they have attended a security course and agree to abide by the company rules. Penalties can vary from a slap on the wrist through paying for lost or stolen property to dismissal and going before the judge.
Carry a laptop regularly? Throw away the black plastic bag that says mug me I'm carrying something valuable. Get a lockable case or airline trolley if you insist on carrying everything with it. If you drive, consider a case which locks into a frame fixed to the car and out of sight.
Train your staff to be aware. A while back, some PHBs were having a meeting in a hotel. One hour in, guy in coveralls pokes his head around the door. So sorry, mandatory electrical check, please step outside and help your self to coffee. 10 minutes later, three laptops had gone from the room.
What is your comapny's policy to data storage depending on data classification? Is it one size fits all, or do you differentiate. NB: there are some things which should never be stored on any computer system. Think typewriter, fireproof safe, and a shredder for the carbon paper.
Train your staff. No exceptions. Get your CEO to agree that this applies even to her. Point out that she and the PHBs work on the really interesting stuff and that there are evil asocial scum out there who would love to get their hands on it. Get her to give you the teeth to carry out your policy. In writing.
What data can you afford to lose?
Now for the tech. Up-to date AVS on the desktop and the company firewall. Preferably a different AVS on the firewall: what one misses, the other may catch. No networked PC to have a modem connected to it. All email, web-browsing, etc. through one point. Install evil censorware to stop untrustworthy active code and cow-orkers downloading Back Orifice. Install really evil checkers to stop them installing it on their PCs. Put in writing what users can't do on-line and enforce it. Training comes in handy here.
If you have to store data on a laptop or desktop, what level of encryption do you use on the hard drive? One cow-orker thought he was being smart by boot-protecting his desktop. Took me 20 minutes with a screwdriver, a second PC, and Drive Image Pro to change his mind.
Companies like http://www.intercede.co.uk/ provide what I personally consider to be an adequate level hard drive protection (No, I don't work for them, nor do I have shares: consider them a benchmark.)
YMMV, obviously. What everyone has to do on a regular basis is:
- check what you currently do
- review what you currently do
- do it
Oh, did I mention train your staff?
-- Free Luna!
2) Just a thought, and probably not one to speculate about openly at your workplace, but if the police are brought in and informed that sensitive information is missing, they will certainly entertain the possibility that the culprit is the CIO himself - if he's dumb enough to leave important information lying around overnight waiting to be stolen, he's probably also dumb enough to think he can get away with the theft himself.
3) Updating your CV would be a good move; immediately starting a search for a new job with a company possessing a reasonably full set of clues may well place you under suspicion. Be patient and wait for the worst of this to blow over before making a move.
Good luck.
The company I work for uses Dell's across the board. The latest desktop machines we have been getting are the "Small Form Factor Chassis" H: 3.6" W: 12.5" D: 14.9". They fit quite nicely in a backpack or briefcase.
It's a dirty little secret in the IS department that we lose a laptop every two months. I can't wait until one of these walks away.
Laugh while you can, monkey boy!
I think Kevin Mitnick encrypted the data on his harddrive with Triple DES - although I don't know if that was on startup or if was just specific files. It'd be interesting to find out, to say the least, how he did it.
Anything that will keep you safe from the Feds can keep you safe from corporate espionage - and if you wanted, you could use PGPdisk or PGP to encode your files and decrypt them with your private key when you need them, and wipe them using the wipe feature so no fragments remain on the drive.
PGP - it's not just for email anymore.
RB
----------
ah honey, we're all resplendent - Bill Mallonee
My dad works in security at a large company and they have their laptops configured to dial toll-free into a central computer whenever they are booted up and plugged into an analog line. This 'ping' let's the home office know who they are, and captures the the calling phone number (caller ID).
This has proven very successful because they were able to track down a large 'lost in transit' shipment of laptops. From the one contact, they were able to find and prosecute the culprits and recover most of the hardware.
Doesn't help recover or protect the data, but it was sucessful in this case.
tminator
Once upon a time, I was attending a particular university and had some rather difficult classes. These classes were very lab-work intensive and it was hightly possible that you could not get it all done during the day. Therefore, you could get these special passes that would allow you to gain access to the rooms that you needed. The campus police would check your ID and the pass and unlock the specified rooms for you. This building had lots of expensive equipment in it, but it was locked up. Sounds safe enough, but.... at a certain time in the early morning hours the custodians would enter the building and begin to clean.
The first time I saw this happen I could not believe it, but this is what they did. They went into every room in the whole building, unlocked all the doors, turned on all the lights, and then went to a remote part of the building and listened to music while they took a break. All the expensive equipment was just sitting there, not to mention all the professor's offices in the building were wide open. The building would remain like that for hours until they would slowly take out the trash in each room and vaccume the floor.
So, it's 3am....do you know where your custodians are?
I doubt it happened like that example, but I would not rule out an inside job. Especially since they knew where and what and took nothing else. Lets say that an employee is disgruntled and instead of going 'postal' he sells-out to a competitor. He uses his badge and access to take it or move it.
There is a product like this called Webdetect (http://www.webdetect.com). It supposedly calls a central server whenever a stolen PC is put back on the net and the company tells the police where it is. I've no idea how effective it is and have no affiliation with the company.
The users here (big advertsing company) have no save to disk ability. They want to write data then it goes to the network servers. Logins are set to the usual 3 tries and its dead for 3 hours, 8 chars minimum password which needs resetting every 60 days.
They realise that the data they work on is commercially sensitive, both in the interest of their own competing advertising companies, and also the competitors to their own clients, so we don't get complaints except from new starters and they get into the company operating methodology pretty quickly.
If someone thinks they are going to nick the servers themselves, well I'd like to see them get through 24 hour security staff, security controlled doors on the server room (the guards don't have access - only 4 people have valid tag's) and locked and secured server implementation.
--- This meme is memory intensive
maybe i'm just naysaying, but aside from the design specs for The Next Big Thing, what data on a CEO's machine could be all that important?
is he one of those rare CEO's that can write code?
semantics are everything!
I know this doesn't entirely fix the problem, but I was thinking about this last night. My solution is more "how do I figure out who did this?" and less "how do I prevent this data from being stolen in the first place?"
I set my homepage on Netscape on my PowerBook to my website with a URL that grabs my IP and logs it to a file on my site. I've never had a "homepage" before, and I feel a little stupid using it.
The result is that if somebody were to take my laptop and use the browser on it, I'd have their IP, therefore their ISP, and therefore their identity, or something very close to it.
Like I said, it doesn't prevent the information from being stolen (though I don't think that's possible -- somebody with your computer has all the time that they like to crack your encryption), but it is a possibly useful method of capturing the thief.
-Waldo
keeping your laptop on your person at all times if it contains sensitive information is. That means it goes to the bathroom, bed, order counter to pick up your meal, pub, or you name it. How much is that information worth to someone other than you? would you really leave that amount of money lying on a table? get real people. If your cio had their laptop full of valuable data stolen without being personally threatened, it's as much their fault as any enterprising theif!
Companies should not be surprised that the cleaning crew steals things after they outsourced the work to the lowest bidder, who pays the lowest wages. The same thing applies to security guards.
Mea navis aericumbens anguillis abundat
Keep sensitive material out of the hands of the technologically retarded. If someone doesn't have enough sense to encrypt the data of that high a sensiti level then he doesn't deserve to be given a position where super high level information is passed to him.
"Helping to keep you two steps ahead of the Thought Police!"
Use network drives... and remote means like ftp etc... Never store vital information on laptops.... lessons people will learn repeatly untill they listen. Viewed here onece again
You don't need to prevent swapping to disk. For example OpenBSD2.7 supports encrypting swap space.
Encrypting swap (or filesystem) should be possible also in Linux (see Encryption HOWTO) and Windows (see e.g. SafeGuard Easy).
He must have been aware of competitive interest. As the corporate officer ultimately responsible for information security, he was extremely lax to leave his laptop unsecured on his desk at night, along with his backup media.
Your company's President should have this CIO on the carpet trying to think of reasons why he shouldn't be dismissed.
Don't have any sensetive work being done on publicly accessable parts of your building, and have cards for different areas of the building.
Have laptops locked into hard cabled docking stations while at work or with the person who is responsible for them
As x approaches total apathy I couldn't care less.
Look, I will take the freaking HDD from machine, and read it on another machine. If filesystem is encrypted, then I will break this BIOS like program, which had to be written in Asm or C due to memory constraints, and thus is an easy prey (not much bollox code around). Your solution is good only against primitive theifs who only want to resell your laptop, this discussion is however about Industrial Espionage, where people know what they do.
What do I do when I pee on my laptop?
kc.
kc.
"You'll have to speak up, I'm wearing a towel." - Homer J. Simpson
It's almost a "social" form of protecting data: Don't leave your laptop laying around.
Would this guy's laptop have been stolen if he'd put it into his briefcase and taken it home with him after work? If this company was a small startup, they probably don't have the building security features that they'd like to have protecting their hardware. Thus, leaving nothing at work seems prudent.. depending on how important it is to the guy.
Of course, I suppose someone could have mugged him at night and taken the briefcase, but by that point, I think the scenario would have become a James Bond movie.
Encrypting data is one obvious method of protection; prevention of hardware theft itself is a lot more basic, and a tad more simple to implement.
For what it's worth, the CAPSTONE chip implements the Skipjack algorithm. So in addition to being publicly untested, it implements key escrow for law enforcement...
Of course, other measures are taken as well, such as file encryption and regular back ups to a secure server. That way the data is much harder to retrieve and when it is lost because the CIO can't remember his fourth wifes name(nice password choice) most of his data can be restored.
Unfortunately, there really isn't that much you can do when it comes to getting management to prtotect IP from corporate espionage. If some teenager hacks it they are darn sure going to sue but most aren't willing to take the time to perform a little encryption and do regular backups to keep things safe. Some even laugh at the thought of physically securing the servers. I know of a company that spent over $100k on implementing all sorts of security solutions on their pc's and laptops to leave the servers sitting on a bench in the tech room, near an exterior window. Now that's secure! Good luck, this is an area where there are no easy solutions and only harder implementation and enforcement.
I feel for you. Where I currently work there are only 15 of us in a satellite office. So we all know each other and know who should be in the building. You have to have a card key to get in and yet if someone walks in without one nobody bothers to do anything. When I first started here I was astonished at seeing people walk right in (yes, there's a problem with our door sensor, something the company refuses to address) and wander around before anyone would bother to say anything to them. I have since found that I am the only one willing to approach people who obviously don't belong here.
Go figure.
Putting all your data specifically defeats the purpose of Laptops (namely that you can take it with you and work at home or in a plane or whereever)
Backing up your data from laptops is the best solution to making sure you dont lose any data in the event of theft, but if you want to make sure noone gets a competitive advantage by stealing your computers, theres nothing else than oldfashioned hardware-based 128bit-encryption.
Now just don't ask me where you could find a card which would exactly do that, because I really have no clue (and I'd admire any tips as to where to acquire such a card, I'd certainly be willing to pay a 100-200 bucks for an encrypting disk-controller (IDEA or AES or some comparable standard) )
--------------------------------------
1 power on password
2 hard drive password
my thinkpad does both
and oh yeah - lock and key. If someone is determined to take what you have there is little you can do to stop them so if encryption and safe storage don't seem safe enough for you then you should consider not putting sensitive information out in the open and auditing EVERYONE under threat of instant termination to comply. If that's not enough then don't permit local storage at all and give everyone a dumb -err - thin terminal.
Audit everyone anyway. Establish a clear security policy and stick to it. Compartmentalize your security so that it is not hierarchical. This avoids the problem of giving the most sensitive information to the alpha monkey.
Log everything.
Have a building property pass or something to slow someone down when they're walking out the door late at night with a couple of laptops under their arm and a car waiting at the curb.
Install docking stations and tethers for laptops. Install trip alarm cards in your desktop machines and keylock the cabinets and keep the keys under seperate lock and key.
There is a Swiss company that makes exploding CDROM disks. That's right they can be programmed to self destruct.
Remove all hard drives from desktop machines..
Remove all floppy drives and tape drives from desktop machines. Remove all CDROMs, CDRs CDRW's DVD's from all machines. Outlaw bringing any equipment onto the site that didn't orginate there.
No cameras no recording devices or any kind. No briefcases in or out and everybody gets searched in both directions.
You get the picture. Do whatever it takes to protect your stuff as long as the cost of that is less than the value of the information or the equipment.
Hell, I once worked in a site where we had to shred everything daily including diskettes and they were reshredded and burned. Printer platens and ribbons were removed and destroyed weekly. An armed guard was in visual contact at all times. Do you want to go that far?
A sample reference for comparison: http://www.textfiles.com/ana rch y/JOLLYROGER/010.jrc
I store quite a few of my ideas on and work related information, as well as other minor information like bank account numbers, building codes and passwords on my Visor. I use Cryptopad to encrypt the sensitive notes. It looks and feels the same as MemoPad, to the point where I've remapped the memopad button to launch Cyptopad instead. Plus, I don't worry about someone getting this info if I loose my visor or is someone steals it.
-no broken link
I don't even remember the impetus for doing so, but the person who stole it was foolish enough to change the laptop's network settings and actually connect it up to the net again. When server logs start showing someone checking my mail from outside of the company as well as some other network monitoring tools I use kicking in, it doesn't take too long to track them down. The police had a field day with that one, to say the least. The laptop didn't have anything on it of too much importance and wasn't really worth encrypting, but it's a nice two grand to have dropped back into your lap. Needless to say, greater precautions were taken after that.
Interested in open source engine management for your Subaru?
I know it sounds drastic, but the FBI's internet team just LOVE this sort of thing.
;-(
I had been cracked by a former employee who treatened to email sensitive data to one of our former clients. Even then the local cops didn't know what to do, but the DA suggested talking to the local FBI. Now _they_ knew what to do.
They had us make a dd copy of all our servers, photocopied our network layout, and listened to our leads. We pinpointed who it was within a day and the FBI handled the rest.
They really knew what to do and how to handle everyone. Our CIO was agas about how the FBI "talks" to the local cops. It's like the cops were dogs to be given orders to (and boy did they listen!) and we had our problem "solved" within a week.
Also, they had some great suggestions for locking things down as well as some interesting thoughts on log files (i.e. Keeping logfiles on internet connected production servers is "useless" unless they are mirrored offsite or piped to a line printer. Hell, we even had an old line printer sitting right next to the hacked box too!
A. Don't leave your laptops lying around where the cleaning person can get them. B. Try a lock on the door. C. Try a safe
It is said that the number one place laptops are stolen from is the dining room table. This may be an exageration, but the point is valid. A laptop is probably more likely to be stolen from an employee's home or car then the workplace.
Lock the laptop up in a good safe and invest in a actively monitored security system.
Cryptonomicon: They all had laptops with cameras. If the user left the view of the camera, the password had to be reentered.
They do, and you can read more here: http://commerce.www.ibm.com/cgi-bin/ncommerce/Prod uctDisplay?prmenbr=1&cntrfnbr=1&prnbr=33 L5021&cntry=124&lang=en_US
Thanks alot Cliff. Now what the hell are the rest of us Slashdot mongers going to do, if we can't give advice?
Where's the next DeCSS story?
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
And it isn't only computer information, a good spy can use social engineering better than most hackers, knows when to go garbage diving, and what records that you'd normally consider insensitive actually reveal critical inside information.
Read the book if you care about security, and if you don't... read the book and you will :-)
I don't think that simply not having anything sensative on a laptop or other portable type machine is the key at all. However - beyond encryption, boot passwords, other passwords and they like, physical security of the machine is *extremely* (read: criticaly) important. Personally when ever i leave my office or residence and I'm not taking my laptop with me it gets locked up... there are too many stupid room-mates and easily fooled cleaning ladies.
-neil
"Now you see that evil will always triumph because good is dumb."
I really do believe that you should have any data that is saved on a laptop or any other portable device (includeing hard disks) should be manufactured with a specialized dead man's switch that will activate thermite or some highly corrosive acid upon theft of the data or being removed from the area in which it is housed.
Respond to s
If you really are in a "unique position" in your market, and there really are large companies trying to take that position from you that you suspect are trying to rob you, then you really should be hiring a security consulting firm to help you out here... public forums are rarely the place to find serious, professional quality help.
Secondly, consider a desktop firewall. Consider a CEO that is on an Ethernet switch along with other employees on the same switched backbone. There is probably zero chance that remote exploits against the desktop will ever be monitored. Many companies put armor around servers but leave such desktops wide-open. An amazing number of corporate desktops have File and Print Sharing enabled or can easily be compromised by a Trojan.
Finally, I also "honeypot" my system. This is a little esoteric, but I've configured Outlook to check a number of e-mail accounts. One of those accounts I've saved the password in the registry and it goes of to check a POP account on a special system. That system is triggered to notify me when anybody but me logs in to read mail. (The password is saved in exactly a location that many Trojans will look for). This is a little esoteric for most people, though.
(Disclaimer: the company I work for makes a popular remotely-managed desktop firewall/IDS combo).
If you had an infinite number of infinitely smart resources you could approach but not reach perfect secrity. But it is in fact asymtotic. So what's it worth to you.
Give you an example - I used to work in an office that had a scanner that could tell if a source document had been previously photocopied so that you could make a guess about whether the 'x' of 'y' mark on the doc was accurate. You have to decide:
what is this information worth to you
what do you do once you have it.
Of course you could reverse engineer the drive controller. It would easier still to pull the platters out altogether and mount them into some clean room prototype device and have at them in a controlled enviroment where you scan the platters with an electron microscope, subject it to magnetic flux testing, etc etc. etc. but again - what is it worth to you.
I am assuming, for a moment, that your CIO is running Windows on that box. There is a product named PC-DACS that is really tough to crack. It encrypts the disc and does an on-the-fly patch into the BIOS (similar to EasyBIOS). You cannot read the drive without entering the password. If you try to use a floppy, you still can't do it. It actually encrypts it down to the FAT level, so you can't use FDISK to change the partition type and read the drive again. I do not work for whoever it is who make that product. We use it where I work, and it is quite powerful.
Of course, for the truly paranoid, there's always surplus TEMPEST equipment available for a price...
Freedom: "I won't!"
1) Is the crypto card normally kept with the machine? If it is, the thief would make off with the card too. This eliminates the "what you have".
2) How is the "activating" password processed? I'm not familiar with the details of the FORTEZZA card, but one would hope the application that gathers the password takes care that it won't appear in the disk swap file, or anywhere else for that matter.
3) Is the encryption done on or off the card? Most smartcard/token solutions only keep the keys on the card, since the chip is too slow for bulk encryption. The original FORTEZZA card did the cryptography itself (part of the reason the government liked it, they did not have to let the algorithm be available in software). This turned out to be pretty expensive (one of the reasons contributing to the FORTEZZA failure).
4) Assuming they get the FORTEZZA card, and it contains all the keys needed to decrypt the disk, you won't be safe from well funded opponents. Any hardware can be broken; given enough money and resources... it is just amazing what a good chip lab can do these days. As usual you have to take into account the value and lifetime of what you are protecting.
All in all, I suspect the FORTEZZA card is a good solution, but check out the details. The crypto algorithm (as mentioned elsewhere) is relatively untested, but I'll take a poorly inspected NSA algorithm over most other people's algorithms almost every time (unless I'm trying to hide something from the NSA :-)
My Laptop had a BIOS hard disk password set, it won't boot up from that hard disk if the password is set. I don't know whether this is a sophistiacated system or not.
:-)) Then again, maybe you haven't got the security in your Datacentre quite up to speed - perhaps (perish the thought!) you don't have a Datacentre....
I also use NT, so you can't to the operating system login without a valid password.
One or both of these methods can be circumnavigated by connecting the hard disk to a secondary hard disk controller and booting via an Operating system on the primary controller. As long as the operating system on the primary controller can access the partition on the secondary controller then you're in no problem, the drive will appear data and all once you view/mount it.
Our rule is:
If you hold confidential information then store it centrally on a server, it's unlikely that a thief is going to be able to walk out with your Raid array (even if it's OK for them to forget one of the drives
I advise, if you hold data locally on mobile equipment, and it is confidential or sensitive in any way that you employ some kind of key reliant encryption... then you only have to guard the processes that guard the keys.... Whether your encryption is on a file basis or on a sophisticated encrypted file system it doesn't matter, just protect your data the only way you really know how!!!
You'll never get fully secure, armed with enough data, and having full access to a hard drive for an indefinite period of time - enough time, that is, to brute force the easy password that your CIO will set, "emily" for instance.
Also, generally this information can be gained quite easily:
Call to your CIO: "Hi CIO [got his name from his username], This is Paul Smith from the [local law enforcement department], we've seem to have come across a laptop that could be the one you reported stolen, it was left on a train!!"
CIO: "Wow!!! That's great, you know I was really worried!!!!"
Caller: "We just need to verify that it is indeed your Laptop, I've turned the thing on and it's asking me for a password, could you tell me what I should type?"
CIO: "If it's my laptop then you should type EMILY"
Caller: "Thanks" *click*
Silly boy!!!
that's the question you should be asking. I work for a major corporation, and our building is locked down, and I mean tight. Naturally, you have to have your badge displayed at all times, and you need a key card to enter the building. Security is always walking around, and most employees are good about asking someone who is not displaying a badge who they are looking for.
At other buildings in this company I work for every door has a security officer. That's right, every...single...door. And the only way to enter that door is to have a key card or to have the security guard buzz you in. And the security guard will only buzz you in if someone with a valid company ID can vouch for you.
There are security personnel in our buildings 24/7. Even with this there is a clean desk policy in place, and all employees are required to lock everything up if they are away from their desk for more than 2 hours. All employees are also required to have two passwords on their machines, boot-level and system level. You may scoff at these 'rules' and say that no one follows them, but the majority of people do. It's the double edged sword of a bureacracy, you have to follow the process if you want to do anything, but if you want to do something there is a set process for you to follow.
Moller
But I think another problem may rise with such a tool as the crypto door swings in both directions :
if you loose any of the three you may have a serious problem (if you don't have a secured non-encrypted backup of your data...)
fyi: SeNTry is a program for WinNT/2k which creates crypted virtual volumes
ps: no, I'm NOT promoting it, I'm just using it and I really like it
Well, seems to me any suggestion as to encryption has to meet the following standards:
1. it must be easy to use - because otherwise the PHBs won't use it.
2. it must prevent swapping to disk - because otherwise, you can encrypt all you like, but the data is still fairly easy to recover.
3. it must be fairly quick - because otherwise the PHBs won't use it.
Frequently, CIOs make a policy statement and get the managers to enforce it, but avoid the security and encryption protocols themselves and allow the managers to avoid it too. Which makes it an annoyance for those who actually follow it, while protecting nothing.
In my training (used to have a Secret Clearance), I learned that Confidential material or even unclassified material, gathered in reports and summaries, can have a higher rating. Cost center budgets for one cost center usually don't tell you much, but a spreadsheet of cost centers for the entire corporation tells you a lot, especially with historical data as might be found on a manager's report.
--- Will in Seattle - What are you doing to fight the War?
Im sure i found this link on /. a few weeks ago but for the life of me i cant find the story it was in. Anyhow the link is here and basically is a paper discussing the secure deletion of data, it goes into a little detail on erasure of information using magnetic fields and according to the paper it is currently not possible to completely erase most magnetic media using current degaussing equipment. Naturally if someone was wanting to read your data after it had been through this process as outlined in the paper they would have to go to considerable trouble but still i guess it depends on what stands to be gained from getting access to the data.
:)
The paper also has an interesting bit on recovering data from RAM after power has been removed.
Anyways food for thought
Most laptops stolen at home would just be pawned - not likely to have their information stolen - but if a laptop is stolen at work, whoever stole it at least KNOWS there is work-related information on it, and at worst was looking for the work-related information.
The Rainbow Mykotronx FORTEZZA Crypto Card implements cutting-edge cryptographic security and authentication methods in a PCMCIA hardware token for Government and commercial applications. Self-contained, standardized, and easily integrated, the Card provides the ultimate in portable security, together with on-board storage of user credentials, keys, and digital certificates.
Fully FORTEZZA compliant, the card incorporates the National Security Agency-certified CAPSTONE RISC-based cryptographic processor. It is the hardware crypto token chosen to secure the Defense Messaging System (DMS).
More info on the card we're looking at can be found here. (IANAF - I am not a flack).
A good example is the company who's project I've recently been assigned. At the moment they are particularly concerned with security as they have a high profile product quality problem (really high profile) and they are worried about keeping information 'in' as much as they are keeping people out. It is maddening to try to get these people to understand that they won't secure their data by getting everyone together and trying to work out a best fit solution. Their most recent decision was to require everyone to change their network passwords so that the string contained at least one non-alpha and one capital letter. I attempted to make the point that, since they were an NT shop, the passwords could be fairly easily cracked (L0phtcrack) regardless but the solution caused too many hardships.
Many times the benefit of security isn't realized until something catastrophic happens. Managers don;t want to spend the money, devote the resources, or make the kinds of sacrifices required to maintain really good security. Convenience is far more important to them.
That said, I suppose that the particular situation in the example could be remedied by some better physical security. Things like alarm systems, cameras, etc. As for the laptop itself I guess it depends on the operating system and by the time I submit this I'm sure many will have already suggested using BSD's ability to encrypt data. Maybe even something as simple as PGP would have helped in this case.
Icebox
I work for a major e-commerce company making crypto for banks and other paranoid people, and the single biggest thing with screams at me here is "inside job." What makes you think the perp was after the data? Why not the laptop for the hardware? The fire alarm went off the other dya at work, and I had 30 grand of hardware crypto cards lying on my desk. (FIPS level 4, PCI) The first thing I did was pile them in the secure file cabinet and lock it. No one wants these things cause they know what they are, they only want them because the "look cool." I worry much more about someone taking an unethical personal interest in the hardware, and "borrowing" them, than stealing it for secrets. The other possibility is revenge. What better way to stick it to the boss? If someone took my laptop, the financial pain would be minor, but the loss of my kernel would hurt a lot. (Took forever to get PCMCIA just happy...)
I work in a software company of over a 1000 people and most of us use laptops. The lastest build of our software is often sitting on our machine along with everything else. Most people take care of their machines but every week at least 1 is usually stolen. (ie. some weeks 4, other none but it averages out).
You can't force everyone to keep data on a central server because they often are traveling, working from home or other locations where they can't access their data. They all use totally different programs, dev tools etc for their work.
The only possible solution I see would be a system level encryption tool but it would require that everyone use it correctly. Even then it would probably annoy enough people that a certain percentage would just uninstall it.
Anyone have any other possible ideas that everyone (or close to everyone) could accept and some method to encorage the use (let along the correct use) of the solution?
How about a boot up password that will overwrite sensitive data if given the wrong password more than once, then boot up like normal.. You set it to a certain directory (~/myjunk/secret/*) Whoever has acquired your hardware asumes they have guessed correctly but have lost any chance of finding anything of value.
Are YOU listed?
Locks won't stop too many thieves usually. All you have to do is to get a blow torch or acid or explosives and you have access to the whole cache. Maybe adding an armed guard to the door would be a good idea.
Respond to s
I had thought of this idea previously and was intrigued when I read Cryptonomicon. Basically, you have a gate consisting of a high strength magnetic field. Any magnetic medium would be nuked as soon as it broached the gateway. Apply this, along with other standard security measures, and I imagine things would be pretty secure.
Has anyone ever tried to rig one of these up, and see how much data corruption occurs when data is passed through it?
Pax Digitalia
To that, Dilbert hugged his laptop and said, "Stop it. You're scaring them."
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Damn, the cleaning crew is aptly named as they cleaned us out of about 14k in equipment. Maintenance seems to be maintaining some of our equipment somewhere else too. The problem is, the whole lot of them are in on it, so if you talk to the supervisor, he does nothing because he is probably getting a nice cut.
The key is really not to leave equipment like that anywhere where anyone can just walk in and take it. Take your laptops and other portables home, at the very least lock them in a cabinet where one can't see them at first glance.
Most of the time the people that steal hardware are looking just to get the hardware and could care less about the data.
You need to invest in good locks (there are specific ones made for laptops) and learn how to use them properly. Wherever there is sensetive material or potential access to sensetive material, you need to have security cameras and a security service that is available 24/7. People are designing computer systems to run 24/7, but often forget to ensure that the security is available for the same time frame.
Do background checks on employees - inside jobs are killer.
In the end, be sure you don't leave things laying around.. get a shredder.. and never give something to someone unless they need it for their job.
Whatver tho.. if security is your problem, deal with it.
Price, Quality, Time. Pick none. What, you thought you had a choice?
As obvious as it is, there is no substitute for physical security.
Silly slashdot, sigs are for kids!
if the device get's say stolen then you could send a radio signal or something like that or in the case of the "switch" you simply don't have input from your computer in some fashion for a while before it will simple do the specified action.
It's not literally a "switch".
Another idea would be to take a GPS beacon embedded into the device and then track the stolen goods (with the police in tow) and nab the guys.
Respond to s
As with computer security don't just lock the front door, look at other methods of entry. How big of a gap is there under the door, could a agent put a tool under the door to unlock the door from the other side (hint, hint). Are there windows? What about an alarm? A good locksmith can take you through all these steps.
Second if you are serious about protecting your corporate secrets look into Technical Surveillance Counter Measures (TSCM). A good starting point is www.tscm.com. After your are comfortable that your site is secure look into ways of keeping it that way.
James Bond had a good solution that could be adapted to a computer.
He had this Car Thief Protection System in one of his movies. The sticker on the window read: Warning, car thief protection on. And when the bad guy broke in, the car just blew up in a thousand pieces.
Just imagine your laptop suddenly exploding if you don't give the right password in 3 tries >:-)))
~~~Please pass the salt, I hate unsalted MD5s
First, put everything on the network. (You can force this to happen on ANY operating system that you might be running. If you can't, you are running the wrong OS) Disable the floppies on every machine. Then lock the BIOS. (Getting ready to do this myself). Then, lock up the network drives. Steel door with dead-bolts.
Then lock down the servers. Lock them to each other, and lock them to a stud in the wall (you're not secure unless you get drywall dust on you).
Put a security cam in the server room, and probably in the chief's office.
Use a cable lock to lock the laptops to a desk. Better still: since he didn't take it home, he doesn't need a laptop. Make him use a desktop. Lock that to the desk.
Encrypt drives. You can do this in WinXX and Linux (and probably mac and everything else). There are also products for Windows that will call a specified site or phone number if plugged into a modem or 'net connection.
Register the hardware when you buy it. If the drives are encrypted or otherwise won't boot, criminals will often take them to white box shops to get them 'fixed'. Most shops will call the maker (in the case of some Dells, they HAVE to call them, depending on what is broken) and then it can be tracked. Oh, yeah, call the laptop manufacturer and let them know it was stolen.
Finally, if you can patent/trademark it, do it. If all of the above fails, you need to have 'first dibs'.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
This just happened to some ex-employees from my company that all went to work for another company. They had 7 laptops stolen from their office. Not only did they lose the laptops, but they lost all the source code to an entire application that will have to be rewritten from scratch.
For developers out there, I can't stress the need to use a version control system for your source code enough. Ours gets backed up every day.
For this reason, we also keep all of our documentation (proposals, product documentation, development documents, etc) in a version control system as well. Not really necessary other than it ensures that we'll always have it (we keep a regular rotation of backups off-site).
As for protecting the data, our company didn't have any real policies on passwords before I came. I've helped to change that a lot.
Password protect your stuff. If it's really sensitive, encrypt. It doesn't get much simpler than that. Do it, because it's the right thing to do.
Oh laptop! You have served me well!
I regret that you were stolen, sent to black market hell,
For your data was unecrypted, and your secrets they will sell.
There were steps I didn't take,
PGP could have solved this mistake,
And distributed.net would have sealed their fate
Alas my laptop was born,
If only it was equipped with a loud horn
Cuz now the thieves have all my porn!
Don't hurt me. It's my first try at laptop poetry.
This is not about privacy, but about stolen intellectual property. Given slashdot's and most of its readers' stance on copyright and IP, I really wonder what this story is doing here. Is it meant to make us rejoice at the sight of this "liberation" of information?
First, how can someone just walk into the building and get at an executive laptop? That's just plain dumb. First line of defense is physical security.
;)
.doc over 56k? Don't think so...
Now, I've seen a lot of posts saying "keep it on the server". That doesn't really work for a lot of situations. I know, because we have that at our company (which a lot of other companies would like to displace or get info from
Think about it, why do you want a laptop? To take it on the road. When you're on the road, you won't always have a network connection. Especially if it's through a private intranet. Even if you do have dial-up access, you wanna work on that 4MB Word
(To make matter worse, the NT servers we use aren't that reliable. I'm hammering away at my work, while the other guys are stuck twiddling their thumbs waiting for the server to come back up)
And yes, no kidding, get yerself a Thinkpad. You can password these hard drives. It's fairly secure, because if you forget your password, not even IBM can help you recover it. (They provide a big, fat warning about that). The only way to get at the data is to dismantle the disk drive and pull out the platters and plunk it into another drive mechanism....
Of course with linux it is easy to set up encrypted partitions, but implementing this efficiently would protect the data irrespective of the operating system. Cost is completely another matter though :-/
2. surveillance cameras
3. locking file cabinets
4. computers that are physically secured
5. passwords
6. firewalls
7. encrypted file systems
8. access logs
9. an alert, competent MIS staff
10. pinging, "lojack"-style laptop software (several exist, I don't know them by name)
this is just off the top of my head, but i imagine that if all 10 of these were implemented well, then most security issues would be solved.
Here's an idea that I should have thought of for the stupid patent competition.
Use a LoJack type-transponder in the laptop. When it's reported stolen, the transponder kicks off a magnetic pulse that scrambles the drive.
But seriously folks, the risk of physical theft of a system is a good argument for encrypted filesystems.
-dwd-
I wouldn't put it past mp3.com.....
The thing is - if you're into corporate espionage - then you can idenatify encrypted data and start attempts at brute forcing it. The NSA admits that plenty of commercial encryption systems have mathematical holes hiwhc permit cryptanalytic attack.
6 months ago mp3.com had enough money to build a reasonable brute force machine (now thye've spent all that money on record company deals)
Anyway - the traick is to not only encrypt the data but Hide the data using something like Steganography - I believe there is a filesystem for linux which permits filesystems to be mouted inside each other to hide the very existence of encrypted data.
OTOH - it also hides this data from legal attack - something mp3.com definately could have taken advantage of.
The tone of the responses seemed to be directed at preventing something like this from happening again, but the question was directed at dealing with the situation as it exists, namely:
Someone has sensitive data, and that someone may well be the competition.
First off, make sure you know exactly what was on the media which was stolen. If possible, grill the CIO and make sure you can identify as much of the data as possible. If it's confidential, and this data begins to appear elsewhere, then you'll have a pretty good clue who took it.
Second, assume that the company which can do you the most possible damage has your information. At this point, you need to develop a strategy to counter their use of this information. It may be something as simple as changing any password you think they may have gotten (or, to be safe, every single one of them), to doing things like changing your business plan and internal strategies. The competition now knows many of your most intimate intimates, and you have to make sure that they can't use them well at all.
The next thing is to look over your security. Data security and site security can be approached at the same time. The suggestions posted here (encryption, secured servers to house data, etc) are all excellent. confer with a security consultant, preferably one who has experience working with the Federal Government, which, in most cases, has some of the tightest security around. A security consultant can do both data and physical security.
For site security, you're going to have to do things like replacing door locks with more secure models (or with electronic card locks, if you want to spend the money) and replacing doors and door jambs with more sturdy material (i.e. something that can't easily be kicked in). Make sure, if you have a drop ceiling, that the tiles can't be lifted up, which might let someone just climb up and over the door, through the ceiling (yeah, I've seen it happen...). Other than that, hip everyone who works there about security...the small things that everyone can do to make sure their information and offices are secure.
-Jimmie
Feel free to steal this idea if you think it has merit.....disregard if you think it's BS. I want to develop a tamper-proof computer case, complete with a 12v (capacitor backup) electromagnet that would fit, between existing drives, in a 5 ¼ inch drive bay. Intra and interlocks would prevent the machine from being turned on or disassembled. Tampering would result in immediate loss of data via electromagnetic burst. I could see this unit complete with an exterior panic button, and remote dial-up capability (maybe even pager equipped). "Hello Agent Jones, you need to confiscate my computer? Well let me just set down my coffee/call my lawyer......ooops!" This could of course be used in a laptop (I don't want to get totally Offtopic).
Starting from encryption is not the best way to secure information. Personally I think that the first measure of security is time. Sincerly I consider that this is mostly the only measure of real security.
Do you have an confidential agreement to be signed tomorrow? Hold it in a place that does not give a chance to anyone to see it before being signed.
Do you have an highly confidential database? Calculate the potential of a break-in and for how long the base should be confidential until you process countermeasures.
Never consider information "eternally" confidential. There is not such thing in Nature.
Maybe people will never know 100% what you know. But surely they will get something out of you. Your problem is to qualify information, and secure it in the propper way. Some information is needed to use in the laptop. but you don't need the whole client database on it. It's better to loose two contracts than to have all your company naked in front of the concurrency.
Encryption is good. But encryption can be broken. In fact encryption should only be considered as an element that "delays" access to information but it does not secure it forever. The stronger the encryption the longer it will be taken to broke it. But, there is a big "BUT here.
The most fundamental of all is that, no matter what you do with information, the time X is not broken. Several people use to encrypt their E-mails, documents, filesystems. but they forget that still there is memory, EM emissions, swap files. Specially I noted that many people forget to look over their shoulders when dealing with information. Someone is typing his "honey123" password and you are standing back and looking.
How about implementing a secure citrix enviorment where no senditive data is stored on the laptop? This would still allow exec's to work remotely, but leave the information secure.
Dirty Pirate Hooker
I can't believe you didn't have a cable-lock on the laptop. You left a laptop with confidential information unsecured *overnight*?????
These thieves targetted the CIO's machine. It makes no difference if that machine is laptop or a desktop. They would still have taken it. The difference is irrelevant to a determined thief. I've only worked at one place where the computers were physically bolted down to the desk... and that was at a university.
Let's see. You put your company's soul into a little box. It's really important stuff, and you don't want the bad guys to get it. So, what's a good place to store it?
A) Stick it right dead center on the desk of one of the fanciest offices in the building, which is clearly marked on the door as "Guy Who Has Great Information to Steal".
B) Get a good, solid safe, bolt it into the building, and keep your treasured secrets in it.
This isn't a technological problem. As far as laptops go, sure, good crypto can help you, but not all sensitive data lives on a laptop. You need a plan to deal with data - generically - to protect it.
If your data is really valuable, here are some more tips off the top of my mind:
Good solid locks on the doors of the office
Security cameras monitoring the areas where sensitive information lives
A night-shift security guard. (Is it worth $35k/year to have a guy camp your building at night, to save this lifeblood of your company from being stolen?
It's just common sense, guys. You don't need whiz-bang software to fix this problem.
--Kai
--slashsuckATvegaDOTfurDOTcom
Take for instance the RIP bill recently introduced by the British goverment. All this will do is scare people from using encryption, further fueling corporate espionage.
Perhaps that is the aim?
PS Call me a skeptic, but I wonder how much you'd have to pay someone in the government to "obtain" a key anyway, once the bill is passed.
Bluvenom.com offers a great security tool that is relatively cheap (and very painful to the ears). Worth checking out.
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
Trains had them and hence they got their name from being able to stop the train if the conductor became incapacitated in some manner.
In general a dead man's switch is based on the concept of lack of input from the user to *not* do an action. For example suppose I have a shell script that checks for a certain program to be running if I am at my computer logged into my account. Now suppose that the program will start calculating the number of seconds that I was away from the computer and say saving news headlines from slashdot since that date. It's just based on the principle of inaction.
Respond to s
My experience is that human nature has problems with encryption unless it is so totally automatic as to be available to the person who steals your laptop :)
The _only_ security you can have is to arrange the CIO's activities such that he has a secure channel log in to a server where the data resides.
For windows I would suggest something like Citrix win client. Its slick, it works and as a bonus your execs can log in from all over the world and use the data. True you have questions of password protection and line snooping. Passwords changes can be inforced at a regular interval and line taps would only get relative instructions to the desktop (ie.. move mouse 3 inches etc..).
The beauty of the system is that all your important hardware can be locked down and watched with security cameras if need be.
Removing the data means you dont have to defend it from decryption.
I wish I worked in a place that had as much excitement as espianoge (sp?) going on. :)
Does the name Pavlov ring a bell?
Or as some astute Slashdot reader wrote once, "Information is like manure, hoarding it just makes it smell bad", or something to that effect.
Remember in the immortal words of RMS: "Keeping information to yourself? You're just being immoral and parasitic".
And now, while you're thinking about how stupid you were for not sharing your information before, we will be celebrating the liberation of said information.
Huzzah.
Je ne parle pas francais.
First thing I would ever do if I had a stolen laptop would be to make sure that I got a boot disk and booted cleanly off that before I ever looked into the machine type. From the disk I could determine what OS it was on and most likely a way to boot that OS to bypass any other OS security measures.
Respond to s
Sometimes lack of foresight prevents safety. This needs to be taken into consideration when purchasing.
Some of the newer laptop models are moving the Kensington hole (the one where you fasten the wire to secure the machine to an immovable object) into awkward positions. The hole should really be somewhere in the back, where the ports are, so that it can be locked at all times.
Take Dell Inspiron 5000e as an example with its hold to the far right cornere, so that any attached wire would be in the way of an external mouse.
I have seen many occasions of people removing any physical security devices because of this.
That there is a 10,000$ bounty up for ANY fortune 1000 company? Doesn't matter what's on it, desktop or laptop doesn't matter either. There is a website on the WWW that has the information on it. You mail them the computer, they mail you a check for 10 grand.
Learned this from a friend of mine at General Motors, he had to take a "new emploie" class and one of the speakers was a security consultant. He said the person running the site is known and he has paid for over 800 computer so far.
Don't know what they havn't busted him yet.. probably trying to find out who he is selling the computers too first.
But to get back to the question above, only one way to keep your computer with you safe at all times from theft. Take the HD out and keep that with you. There is no way you are going to lug a notebook with you everywhere you go when you are out traveling on business.
The HD is the ONLY component of the computer they really want, so take it out, it is small enough to keep with you. The notebook theft will be covered by the insurance.
It never ceases to amaze me that companies will spend millions on network security, firewalls, antivirus software, and then leave a laptop sitting on a desk where any bozo can snatch it.
Then there are companies that have a security officer at every door, photo ID badges, physical bag checks, and let their employees connect modems to their desktops and connect from remote using PCAnywhere or the like.
Without a combination of physical *and* network/IS security, *nothing* in the building is "safe."
Specialization is for insects. - R.A.H.
Most rent-a-cops get near minimum wage. How motivated do you think they are?
Furthermore, doing the same thing all the time numbs one to exceptions. If one out of ten visitors needs some kind of personal attention, the guards would be much more alert in general. When days on end go by with nothing to break the monotony, they get complacent, and it doesn't take much to fool them.
You yourself say "You may scoff at these 'rules' and say that no one follows them, but the majority of people do."
Security isn't a democracy; majority does *not* rule. It only takes one crook getting by to steal that laptop.
--
Infuriate left and right
First problem was that the CEO had a laptop and left it on his desk. I imagine he saw his buddies at a golf outing with one and decided he had to have one also. Laptops are meant to be carried with you or locked away. If its going to sit on his desk all nite get him a desktop. Or at least one of those laptop locking cables. Secondly, everyone should know that if you want all the information about a company you dont steal the CEO's laptop you get his secretaries!!!
"...your future, make it a reality, all you have to do is fight for me"
http://www.boysstuff.co.uk/pages /to rch_card.asp
I real "dead man's switch" is a large button (usually red for effect) used in heavy industrial operations like a lumber mill or train yard where losing a limb would be very easy. You have to actively hold down the button to make the machinery work, not just flip a switch to the "on" position. The theory is that if you or your buddy are injured or about to be injured, you would let go of the button and everything comes to a halt. In reality, by the time you let go of the button someone has probably lost a limb already, but it's a good theory anyway.
Yeah, it's off topic, but he asked and I knew.
-B
Ban private email. Ban surfing. Ban games. Ban any transport of any data storage media into or out of the building. Search employees hard drives regularly for stuff that shouldn't be there. Require exployees to list on a weekly report each and every file on their hard drive, its purpose, date of creation, justification for its presence, and ultimate disposition. Require daily activity and accomplishment logs from all IT staff, especially programmers. Track net activity by user. Sort visited sites in order of bandwidth usage. Require net usage logs to explain all internet site acces. Any violations should be firing offences. Offer additional vacation days for turning in your fellow co workers for their violations of the rules. Always know what's going on and your business will be safe.
This seems to work for our national secrets, how about corporate ones : As far as networks are concerned, have a physically seperate network for sharing of sensitive data. Use strong encryption of all files and use removeable hard drives. Lock the drives and other documents in GSA approved safes. Laptops can be stored in the same way, in the safe. Use sign in sheets for asset tracking and for when the safe is opened. Install keypads on doors to secured rooms. You could even go so far as do background checks on your employees before you allow them access to sensitive material. the list really does go on and on.
"sex on tv is bad, you might fall off..."
I lost my concept of community when my community lost all concept of me.
I simply write all my docs with inverted reality. If my research has shown that the speed of object x is fourteen furlongs per fortnight, I document that the speed is NOT fourteen fpf. Bwaaaaahahahaaa !
Z
enough is too much
If your laptop runs OS/2, you can install ZipStream Secure by Carbon Based Software. ZSS uses OS/2's installable file system (IFS) capabilities to create an encrypted and/or compressed partition, which is perfect for laptops. I won't go into details, but it's a very good implementation of this technology, and it offers several levels of encryption and compression.
--
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
The best solution for keeping a laptop secure is, of course, to simply place said laptop into a secure room or vault. In this case, being a CIO, I would think that he/she would have some type of encryption program on his/her machine. All the other ideas that have been posted thus far (programs to log their IP, LoJack-style systems, etc.) would also work. On a higher level, though... keeping an entire network secure would become much more difficult. One answer would be to have a completely seperate network set up to handle confidential information only. This would work exceptionally well in a smaller area network (i.e. one that in all in one area, no dial ups, everything in walking distance). But let's face it, no matter how well the system is designed, the minute it hits TCP/IP, it's vunerable. The only solution at that point would be keep all the small, secure networks seperate and transfer the data via courier, perhaps.
our management-group has as a policy to never leave laptops & stuff that can be stolen easily at the office
I've always been a big proponent of security through obscurity. That's why my desk is piled a foot deep with papers and junk. Since you can barely see the laptop through the clutter, it's perfectly safe!
It's also important to make sure the sensitive design documents are on individual sheets of paper seeded throughout the mess on your desk and not in one place, like a binder!
--GnrcMan--
Needless to say we don't have much worry about theft.
Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
A lot of these points have been stated in part, however, I think they need to be tied together. First, it is not likley that this is a case of break-in. Hiring a goon squad to break into a compeditor is usually not the way these things happen.
In most cases a disgruntled/greedy employee has offered his services, or believes he can cash in by stealing something.
Data encryption is great, but once the theif has the goods the game is already over. You've been hurt, and there is at least a 50-50 chance that there is something left behind that is a clue to what the pass word is.
And what about the network. The network admin, or even helpdesk people, have wide control over what they can view on a network file system. You can encrypt all you want, but in mid size companies the person who is god on the file server is probally god on the CA server.
Beyond that, swiping some actual paper out of the desk is just as good. Most CEO's are old, let's face it. They REALLY LIKE paper. There's probally tons of good stuff they can get their hands on.
These are some of the key items:
* Physical security is key. If you would be alarmed to see someone in your office during the middle of the night you should lock it. Keys, Puchcode, Prox cards all work well. Digital Biometrics work best.
* If you're going to store the secret stuff get a file server just for your department. Get a specific IT person to administer it. Make sure the normal IT group doesn't have access. As the business side of the house you'll never know when an IT person is snooping your directory. You'll never know if someone in IT is PO'd with work because they don't work for you. This is what will cost you your files.
* If you impliment a corporate encryption package make sure the employee who administers the CA server is not the same person who administers the file server. Seperating the two out helps with lone wolf problems.
* Impliment rotating passcode systems such as secure ID. Even if the end user comes up with a crappy password (which they will), the would be thief will need to have the dongle in order to get in. As always, the person who administers the server should not be affiliated with the other systems.
* Assume that information theft is an internal problem (because it usually is) but make sure you protect for both internal and external sources.
What about an AM radio burst system? Or something that uses a small ammount of power?
But I digress. It could be possible to have a smart card reader installed as a means of accessing your laptop to read and decode a magnetic stric. Or maybe a cuecat.
Respond to s
Most corporations don't have any secrets worth keeping secret anyway. All the focus on secrecy is really misplaced effort.
The eternal problem is that most of such thefts are internal.
Someone payed a 'trusted' employee, with neccessary badges and clearances to scarf the stuff for them.
It's clean, it's simple, it's fairly safe for the primary party and. . .
It's virtually unstopable.
The first step is to realize that EVERYONE in the company cannot be trusted and put a cop in everyone's pocket.
Of course, the cops are no emplyees and need a cop in THEIR pocket as well. . . ad infinitum.
Contraban is readily available in high security prisons. It's often the guards who supply it.
Theft and how to prevent it has been gone over by the combined minds of all humanity back to Australopithicus and no solution has been found as yet. There is more secure and less secure, but there is no such thing as secure.
The only things that will not be stolen are those things not worth stealing.
Even then, The Secret Service is continually amazed by the fact that many counterfiters could have made more money applying their skills in the open market than they ever garnered from counterfiting.
Face it, for some people stealing is as much a 'leisure activity' as it is a monetary one. They get off on the rush.
Rich people are arrested for stealing trivial items every year.
We are a smallish company who just moved into a new building. We have keycards for street-level perimeter entrance and glass-break sensors and contacts on the doors, but no motion-detectors. The entrance point was in a courtyard on the second floor, which required intruders to climb over entire buildings for access. It's a typical dot-com startup situation. Now, it's possible that street people around know ways of getting around the rooftops, and an extenuating coincidence is that the CIO's desk just happened to be the closest one to the window. I would think that it could be a street burglar, except for the fact that they went through his desk and snatched all of his floppies (!) and CDR's. There is expensive software laying around everywhere, as may be common in a development area, so it's odd that the grabbing was so specific. Anyway, there are many many companies who are more in this position than to have 24/7 security personnel. The undercurrent of my inquiry was that there is definitely a mercenary business envrionment out there, and lots of undersecured companies.
When I was a kid, we only had one Darth.
I have seen this (or sim) in a few of the places I have worked or consulted for:Employee Name: Cranial A. Rectosis
Logon: CARectosis
Password: cjr Scary no? I know you've seen it and freaked out, so did I...
Prospecting Stinks. Stop Wasting Time on Cold Calling.
there was a posting awhile back about how several
t ml
stolen laptops were returned to their previous
owners because the perpetrators had neglected to
turn the clients off.
http://slashdot.org/articles/99/08/26/112245.sh