Slashdot Mirror
Handling Corporate Laptop Theft Gracefully
Billosaur writes "From NPR, we get a Marketplace story about the theft of corporate laptops and the sensitive data they may contain, specifically how to handle the repercussions. From the story: 'TriWest operates in about 21 states. It's based in Phoenix, Arizona. In December of 2002, somebody broke into the company's offices and stole two computer hard drives.And those hard drives contained the personal information of 550,000 of our customers from privates in the military all the way up to the chairman of the Joint Chiefs of Staff.' How they handled the situation earned them an award from the Public Relations Society of America."
Then there's no data loss, and thus no ethical or legal obligation to tell anyone, and thus no need to handle getting caught with your pants down gracefully.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Tip 1: When you make your get away, float above the carpet like a feather caught in the wind.
Tip 2: If you encounter security or other obstacles, aim for the biscuits.
Tip 3: Make sure you check the laptop for any homing devices that will help them track you down.
Tip 4: The password is usually the username with 123 at the end or the their children's ages.
Tip 5: Get the evidence out of your hands as quickly as possible to beat the feds.
Tip 6: Relax and enjoy reading the next day's headlines on Slashdot about stolen private information.
I think we all know that the real question here is, in a straight, clean fight, who wins, Airwolf or Bluethunder?. Now I know what your thinking? What chance does stright to video star Jan-Michael Vincent have against HAL chess playing, shark killing, SeaQuest DSV commanding Roy Scheider? Well to you I say, don't forget that Airwolf co-pilot was none other than Poseidon surviving, Gattaca acting, SpongeBob SquarePants Mermaid Man (I shit you not) Ernest Borgnine. Yeah people. Not so easy now is it?
-- "Can't sleep, clowns will eat me!"
Just claim that Osama himself came out of the sewer pipes and swiped your computer. Then demand that the government do something to protect the helpless citizens. That should earn you some brownie points from the government at least, and if they say they you're right, anyone who argues might just find themselves taking a nice long vacation to cuba.
Sure, encryption would help.
But, first I have to ask: why on earth is this data on a laptop?
I mean, really! This is health-care data for top military officials! Who needs to take that data on the road with them? Encrypt, stick it in a secure database, on a server in some closet in HQ. At least make it take effort to get at, no?
Resign with thank you cards, smiles all around and a wonderfully inspiring anecdote about how much you had accomplished in your career up until that day.
He who knows best knows how little he knows. - Thomas Jefferson
I actually listened to this story last night on the way home (or the day before, can't remember). Anyway, at first I was shocked when I heard the intro, they lost all this sensitive data, did some stuff and then won a PR award. If the actions they took were so great shouldn't they have won some sort of privacy award. Winning a public relations award makes it sound like you did a great job covering it up. But actually listening to the story I found that they really did handle it in a great way for their customers.
We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
So I am researching encryption for this very reason (laptop encryption) anyone have any links or insights into why anyone would choose file/directory encryption? I am heavily leaning towards whole disk, mainly because how can you be sure you get everything. (i.e. temp files, pagefiles, hibernation files) I have seen some items regarding "inteligent encryption" but I just can't see how any program can "know" what to encrypt and what not to without tons of administrative overhead. That's why I like whole disk. Just do it all. Any thoughts?
You mean they handled the situation (and the laptop) with a single three-fingered hand? That is quite impressive.
Creepy though.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
I don't have any idea what "existing state and federal laws protecting consumers from identity theft had been surpassed by the individuals perpetrating the crimes" means.
But it seems that "so I made 'identity theft' my fight," means "I pushed for changes in the laws".
Sooooo..... "When the data was stolen
And the FA says nothing about changes to their policy of storing personal information in an un-encrypted format. But now we have some more laws. And laws will stop people from "stealing" identities. Yes. Right.
This post is currently moderated as "Flamebait"
/. moderators smoking?
WTH are
Humorless sig goes here.
ARGH. This is the second time this has been done. NPR does not produce or distribute Marketplace. NPR has nothing to do with Marketplace. It's produced by American Public Media. Please get it right. You're even LINKING TO APM!
Attention deficit disorder is a complicated issue, spanning several major... HEY LET'S GO RIDE BIKES!
Macs (including laptops) come with Filevault built in. If the laptop is stolen, all the data in that users folder is useless without the password. It is dirt simple to turn on, seamless, highly secure and barely noticeable when it is working.
All laptops with sensitive information should be equipped with a remote detonation device and 10 grams of C4.
...
Not to stop the criminals.
For the entertainment value
"My God...it's full of trolls!"
shouldn't be stored locally on a laptop. This would include passords, etc. Put it on the company server and work it from there. Might be kind of slow, but it seems like good insurance.
What?
Bah, some corporate whore-org commends some member cuz they managed to pull the wool over everyone's eyes. That's like satan giving george bush a cookie.
From the PRSA website;
Chartered in 1947, PRSA's primary objectives are to advance the standards of the public relations profession and to provide members with professional development opportunities through continuing education programs, information exchange forums and research projects conducted on the national and local levels.
"You sure managed to make a positive spin on screwing the public and armed forces, good show chaps!"
So... like the retired officers club gives an award to the army for "blowed that up good", or maybe the United Tattoo Artists Association giving awards to Jesse James for pointing out his tats on TV.
Capitalists know that PR is cheaper than security. Never trust them.
--
make install -not war
FYI, this story was a followup to a longer story about laptop and identity theft. The original story did indeed focus a lot on data encryption.
From the original article:
"This is Jonathan Zittrain, a co-founder of the Berkman Center for Internet and Society at Harvard Law School. He says he's not surprised that all of this information is walking around on portable computers. People want to be productive on the run, he says. But he says there are pretty sure-fire ways to protect sensitive information. Like, encrypting it, or leaving the data on the main server and remotely tunneling through the Internet to work with it."
Way to declare this the "worst article ever" in the same post you brazenly declare you didn't read it, by the way. A bold move, even by Slashdot standards.
This isn't about laptop theft, it's about how the company handled potential identity theft and loss of sensitive data. The hardware is irrelevant.
But for individual workstations/laptops with single users where there is no protection of the data from multiple users, whole disk works well (except for /boot with the kernel and an initrd with dm-crypt tools). I have / and swap encrypted and don't have to worry about theft much with respect to private data.
Individual directory/file encryption is important for multi-user workstations/servers, where you have to worry about other users getting the files when owner is not logged in. encfs and the like provide some additional protection against this, but not much meaningful. It can protect the contents of data on a fileserver from even the administrator though, as I have seen encfs used to translate data from an nfs server to a local workstation mountpoint... I believe the built in windows file encryption mechanism has similar benefit from shared fileservers.
XML is like violence. If it doesn't solve the problem, use more.
/quote /quote
If he gets his way, even possessing the kind of information that the thieves stole from his ca, and from his company, will be a crime someday
so what he's saying is that if he gets his way, all the credit bureaus, banks, insurance companies, everyone doing credit checks and your own accountant will be criminals. even his company
i'm sure that will work out JUST RIGHT.
remember kids, when you make it a crime to possess credit informations, only criminals will have that data
I work as the senior engineer for the desktop engineering department of a large west-coast healthcare organization with over 20,000 PCs.
Not only do we encrypt EVERY laptop, regardless of if we think it contains PHI; theft of desktop equipment has prompted us to encrypt EVERY desktop, regardless of if we think it may contain PHI. We also encrypt and monitor every PDA (including phones with sync).
The software: Millions of dollars.
Support: Millions of dollars.
Not being sued in California for losing PHI: Priceless.
Breaking into an office and stealing two hard drives, which contains all that data may point to a sophisticated, targeted hit, maybe using hired pros.
The drives in Tri-West's case was inside a locked building, not on a laptop.
There's very little you can do after the fact (though the C4 idea above was cute). The key is to do what somewhere I once worked did: make sure that there are effective corporate policies in place long before hand to make sure that laptop thieves don't profit when they get their hands on sensitive information.
For example:
With a few simple precautions like these, you can be sure that the bad guys may steal the laptop, and the data, but they won't have any more idea what to do with it than you do.
--MarkusQ
i fail to see why computer theft is still an issue - even i implemented a relativly simple, yet, as far as i can see, 'secure enough' system for these situations:
all 'interesting' files are inside AES256 encrypted container-files wich are mounted via loop-devices.
if, for some reason, a server or machine reboots, it asks the next higher server for the password it needs to decrypt itself via an encrypted network connection. if a machine is reported as stolen, the server that has the task of sending the passwords gets advised of this, and simply wont send the corresponding password anymore. the peak of this pyramid of trusted machines is an off-site server far, far away. thus, if the hierarchy is broken (e.g. by computer theft) anywhere along the way, it's a matter of seconds to render all information contained on the stolen machine completly useless.
if i came up with this, surely the admins of REALLY important data can?
Yeah, trying to read tfa (or whatever it is) was one of the more difficult things I've tried to do recently. I could have listened to the STREAMING AUDIO, but that shit is annoying.
My name is coaxeus, and I approve this message. In fact, I think it is awesome.
Windows 2000 and XP Pro are able to encrypt files and folders out of the box. You could just encrypt your profile in 'Documents and Settings' for essentially the same effect as Filevault on Mac. Setup the Administrator account as a Data Recovery Agent for the same effect as the File Vault master password. This is what we're doing for the Windows users in our department who won't or can't switch to Mac. (We're actually using this as a temporary solution while we look at PGP)
Marketplace is distributed by American Public Media and I think it's produced by Wisconsin Public Radio (maybe a different state), but it is not and National Public Radio joint.
I am curious whether anyone else out there does what my company does. The company I work for has always been paranoid about laptop theft. To address this concern they have taken the following approach:
- All laptop users are issued a external hard drive 80-160GB that is encrypted
- The built-in laptop hard drive is partioned into 2 parts. One part stores the OS and all program files, the second part is used for swap space (virtual memory and temp files)
- Laptop users are instructed to store *ALL* data on the external drives as well as to always secure the drive (via removing it and locking in a drawer, or carrying it with them when leaving the laptop).
The general consensus is that the primary target is the laptop. If it is lost then there is no exposure because no data is stored on it. The existence of data in temporary files is minimized by using the single partition which is constantly re-writing to itself.
Given that these external hard-drives are alot easier to pick-up and walk away with, we still feel that we are more secure. We often find the laptops unattended, but rarely, due to training, do we find an unattended hard-drive.
$t0mp 0ut
In your rush to say something trite, I think you missed the grandparent's point.
Encrypting the disks may be 'good enough' to protect the company from liability for the lost data (assuming the company was not negligent in other regards). However, since encryption is not perfect, customers should still be informed of the loss, because the company will not be able to say with certainty that the data was not accessed.
How about this, instead of putting data on the laptop putting it at risk of theft don't store sensitive data on the laptop at all. Use a VPN or SSH tunnel and have the laptop access a remote server to get access to the information. You can even (and should) have the VPN / SSH server on a seporate server from where the data is located.
To futher secure it, you can setup a static route that says all remote login traffic cant access any other machine on the network except the database server. This way if the laptop is stolen, only the laptop is stolen and the data is safe. If the login server is broken into, there aren't allot of other places on the internal network the attacker can go to, provided of course you can detect / eliminate the threat before the attacker also gains access to the database server.
Well, thats my 2 cents on the topic: BTW: this is only theory, actual implementation would be more complex and thought out.
There is one other possibility that has not been considered and that is that the break-in was organized by a foreign intelligence agency in an apparently successful operation to capture records relating to United States military personnel. If this is true then it ups the ante significantly because foreign intelligence agencies have the resources and expertise to organize these types of raids despite the best private security and especially if the operatives are willing to kill for the information. They could have infiltrated across the Mexican border, where security is sorely lacking, and gone anywhere in the US without attracting much attention. Most corporations do not employ the types of security measures that the military does and so they would probably be caught off guard by a commando style raid in the middle of the night. The night watchmen doesn't get paid enough to be killed over a couple of hard drives and all he saw were men in balaclavas before he was knocked over the head with the butt of an mp5 and tied up...you get the idea. This may have been a professional job.
Although the loss of the physical assets would be a nuisance, the laptop itself isn't worth much (under $500) and so I'd just replace it and maybe see if my insurance will pay for it.
Compaq and I would assume the other major companies have this as well.
How does encrypting the data work?
Meaning, everytine I wnat to look at a file I need to enter a key?
when I transfer a doc off my computer onto a network, is it encrypted on the network?
The Kruger Dunning explains most post on
What software are you using?
EA David Gardner -"... but the consumers have proven that actually what they want is fun."
The encryption on Windows 2k/XP is tied to the user's login. Once you log in you have access to your files, like on Mac with FileVault. If you copy your document onto another storage device - one of two things will happen: if the destination is using NTFS, your file will still be encrypted. Otherwise, it will lose the encryption. Compare to FileVault, where if you copy a file anywhere outside of your encrypted home directory, it will no longer be encrypted.
Trusted computing would take care of this situation by taking passwords away from users.
The only problem is if your administrator account has master access, then all I have to do is boot your computer off a Linux CD with that cute little Windows Admin password changer and change the Administrator password to get in.
consider Israeli airlines... when was the last time they got hijacked or blown up? The Israelis take security very seriously, and a lot of it is not visible at the airport, it's behind the scenes... such as depressurizing baggage, well trained plain-clothes security on board... it costs a lot of money, much more than a few smartly dressed low-pay security guards at a screening desk.
contrast this with other airlines - it's all about making people feel confident.
similar, corporate employee welfare, security, customer service - it's about perception not reality - the winners are those who make people *think* they are being treated well as an employee, making customer's feel valued & safe.
I second this request, if only to serve as a reminder to myself.
We tested that. That breaks the encryption and access will be denied to encrypted files.
Fortunately I had a recent backup, because the disk had been making suspicious noises the week before. I hope the fence had the decency to format the disk drive to cover his tracks so somebody else didn't have to wade through all my corporate Powerpoint presentations...
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Recall the trick used in Neil Stephenson's Cryptonomicon: Wrap several coils of wire around the doors and windows, and during the evening run several amps through them. Anybody stealing a hard drive will be left with a paperweight.
Works of fiction may not offer the best advice, real world meet artistic license. People have tried to erase disks with degausers, bulk video tape erasers, etc without success.
Products from Guardian Edge
:)
http://www.guardianedge.com/
I'm quite pleased with the encryption product itself, but the guys who package their MSIs need shot
Isn't that susceptable to a an attack whereby the encrypted pw is simply replayed from a previous authorisation instance.
... PROFIT
So, break in, disconnect and reconnect network (with packet sniffer in place); steal computer, replay packets, copy decrypted data
???
Hi. GuardianEdge support guy here :-)
Comment removed based on user account deletion
Hardly an appropriate category.
..they'll have to crack AES256 before they can mount /home, or crack Blowfish before they can examine my swap. Any corps that aren't doing something like this, aren't taking their responsibilities seriously.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I remember when this happened. And have worked at the same company twice -- once before the stolen computers (it was 2 whole servers that were carried out the front door) and and then again after. If I remember correctly, there was blurry video tape showing the computers being removed out of the building. It was Christmas time, and there were a lot of holiday parties.
Honestly, I was really shocked when the company was handed the second contract for the 21 state region of TRICARE. General opinion was that the security breach should have cost the award, but government/politics hijinx -- who knows what happened. That's right - this happened BEFORE the expansion to the 21 state contract.
Physical security prior to the theft was IMHO, a joke. Doors were held open for others walking in. One person would "badge" in, then several others would follow through the just opened door.
Afterwards, visitors were signed in, ID checked. Better -- but still a high amount of contract workers.
and I still know some great, highly ethical people that work there.
So, what you get is 100% transparent encryption in change for a performance penalty (which varies from machine to machine).
Directory encryption gives you the flexibility to choose which data you want encrypted, and which not (so performance loss is minimal). But then, you have to manually decrypt the stuff before using it, and sometimes you might forget to encrypt it - which can be a serious problem.
A solution is vritual drive encryption . A program creates a virtual drive which is seen as another drive in the system, any application works with it in a usual fashion (since encryption is transparent and on-the-fly), while you are not forced to copy all your files to that drive, hence you don't waste CPU cycles on encrypting things such as your high-scores in Minesweeper
Look for a program called Private Disk.
The saddest poem
This seems to be happening everywhere! E&Y seems to loss a lot of laptops. The problem is, you can't just use corporate policies, because some people just won't follow it. You need some software to enforce the policy. There are a couple of comapnies out there doing such things - like Softection www.softection.com for example. With all the sensitive data out there - I wonder if cases of identity theft have been on the rise. Anyone know?