Slashdot Mirror
Handling Corporate Laptop Theft Gracefully
Billosaur writes "From NPR, we get a Marketplace story about the theft of corporate laptops and the sensitive data they may contain, specifically how to handle the repercussions. From the story: 'TriWest operates in about 21 states. It's based in Phoenix, Arizona. In December of 2002, somebody broke into the company's offices and stole two computer hard drives.And those hard drives contained the personal information of 550,000 of our customers from privates in the military all the way up to the chairman of the Joint Chiefs of Staff.' How they handled the situation earned them an award from the Public Relations Society of America."
Then there's no data loss, and thus no ethical or legal obligation to tell anyone, and thus no need to handle getting caught with your pants down gracefully.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Tip 1: When you make your get away, float above the carpet like a feather caught in the wind.
Tip 2: If you encounter security or other obstacles, aim for the biscuits.
Tip 3: Make sure you check the laptop for any homing devices that will help them track you down.
Tip 4: The password is usually the username with 123 at the end or the their children's ages.
Tip 5: Get the evidence out of your hands as quickly as possible to beat the feds.
Tip 6: Relax and enjoy reading the next day's headlines on Slashdot about stolen private information.
Resign with thank you cards, smiles all around and a wonderfully inspiring anecdote about how much you had accomplished in your career up until that day.
He who knows best knows how little he knows. - Thomas Jefferson
I actually listened to this story last night on the way home (or the day before, can't remember). Anyway, at first I was shocked when I heard the intro, they lost all this sensitive data, did some stuff and then won a PR award. If the actions they took were so great shouldn't they have won some sort of privacy award. Winning a public relations award makes it sound like you did a great job covering it up. But actually listening to the story I found that they really did handle it in a great way for their customers.
We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
So I am researching encryption for this very reason (laptop encryption) anyone have any links or insights into why anyone would choose file/directory encryption? I am heavily leaning towards whole disk, mainly because how can you be sure you get everything. (i.e. temp files, pagefiles, hibernation files) I have seen some items regarding "inteligent encryption" but I just can't see how any program can "know" what to encrypt and what not to without tons of administrative overhead. That's why I like whole disk. Just do it all. Any thoughts?
You mean they handled the situation (and the laptop) with a single three-fingered hand? That is quite impressive.
Creepy though.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
ARGH. This is the second time this has been done. NPR does not produce or distribute Marketplace. NPR has nothing to do with Marketplace. It's produced by American Public Media. Please get it right. You're even LINKING TO APM!
Attention deficit disorder is a complicated issue, spanning several major... HEY LET'S GO RIDE BIKES!
All laptops with sensitive information should be equipped with a remote detonation device and 10 grams of C4.
...
Not to stop the criminals.
For the entertainment value
"My God...it's full of trolls!"
Capitalists know that PR is cheaper than security. Never trust them.
--
make install -not war
FYI, this story was a followup to a longer story about laptop and identity theft. The original story did indeed focus a lot on data encryption.
From the original article:
"This is Jonathan Zittrain, a co-founder of the Berkman Center for Internet and Society at Harvard Law School. He says he's not surprised that all of this information is walking around on portable computers. People want to be productive on the run, he says. But he says there are pretty sure-fire ways to protect sensitive information. Like, encrypting it, or leaving the data on the main server and remotely tunneling through the Internet to work with it."
Way to declare this the "worst article ever" in the same post you brazenly declare you didn't read it, by the way. A bold move, even by Slashdot standards.
This isn't about laptop theft, it's about how the company handled potential identity theft and loss of sensitive data. The hardware is irrelevant.
I work as the senior engineer for the desktop engineering department of a large west-coast healthcare organization with over 20,000 PCs.
Not only do we encrypt EVERY laptop, regardless of if we think it contains PHI; theft of desktop equipment has prompted us to encrypt EVERY desktop, regardless of if we think it may contain PHI. We also encrypt and monitor every PDA (including phones with sync).
The software: Millions of dollars.
Support: Millions of dollars.
Not being sued in California for losing PHI: Priceless.
Breaking into an office and stealing two hard drives, which contains all that data may point to a sophisticated, targeted hit, maybe using hired pros.
There's very little you can do after the fact (though the C4 idea above was cute). The key is to do what somewhere I once worked did: make sure that there are effective corporate policies in place long before hand to make sure that laptop thieves don't profit when they get their hands on sensitive information.
For example:
With a few simple precautions like these, you can be sure that the bad guys may steal the laptop, and the data, but they won't have any more idea what to do with it than you do.
--MarkusQ
I think we all know that the real question here is, in a straight, clean fight, who wins, Airwolf or Bluethunder?.
Remember kids
Red Dawn + Bluethunder = Purple Rain
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
i fail to see why computer theft is still an issue - even i implemented a relativly simple, yet, as far as i can see, 'secure enough' system for these situations:
all 'interesting' files are inside AES256 encrypted container-files wich are mounted via loop-devices.
if, for some reason, a server or machine reboots, it asks the next higher server for the password it needs to decrypt itself via an encrypted network connection. if a machine is reported as stolen, the server that has the task of sending the passwords gets advised of this, and simply wont send the corresponding password anymore. the peak of this pyramid of trusted machines is an off-site server far, far away. thus, if the hierarchy is broken (e.g. by computer theft) anywhere along the way, it's a matter of seconds to render all information contained on the stolen machine completly useless.
if i came up with this, surely the admins of REALLY important data can?
Windows 2000 and XP Pro are able to encrypt files and folders out of the box. You could just encrypt your profile in 'Documents and Settings' for essentially the same effect as Filevault on Mac. Setup the Administrator account as a Data Recovery Agent for the same effect as the File Vault master password. This is what we're doing for the Windows users in our department who won't or can't switch to Mac. (We're actually using this as a temporary solution while we look at PGP)
There is one other possibility that has not been considered and that is that the break-in was organized by a foreign intelligence agency in an apparently successful operation to capture records relating to United States military personnel. If this is true then it ups the ante significantly because foreign intelligence agencies have the resources and expertise to organize these types of raids despite the best private security and especially if the operatives are willing to kill for the information. They could have infiltrated across the Mexican border, where security is sorely lacking, and gone anywhere in the US without attracting much attention. Most corporations do not employ the types of security measures that the military does and so they would probably be caught off guard by a commando style raid in the middle of the night. The night watchmen doesn't get paid enough to be killed over a couple of hard drives and all he saw were men in balaclavas before he was knocked over the head with the butt of an mp5 and tied up...you get the idea. This may have been a professional job.
Products from Guardian Edge
:)
http://www.guardianedge.com/
I'm quite pleased with the encryption product itself, but the guys who package their MSIs need shot
Given that these external hard-drives are alot easier to pick-up and walk away with
Isn't that exactly why the external hard-drives are more prone ot being stolen?
but rarely, due to training, do we find an unattended hard-drive
If your training works, why not just train them not to leave laptops unattended?
Your post raises another interesting point, though: what if people use internal hard drives, encrypted, but a user brings in their own external drive? That seems like a potential security flaw waiting to happen.
________________________________________________
suwain_2
Why not take it further and have 5 locations using VPN and set the physically seperate location up like RAID 5 so no location actually has the data. If any hard drive gets stolen it has a maximum of every 4th chunk of data (4 chunks and a check chunk = 5 locations). A thief would need to break into all locations at the same time to get the data. If one location is broken into the data can still be recovered using the check chunks but the thief cannot recover any data. Encryption can easily be broken but a thief cannot see what he does not have.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.