Slashdot Mirror

← Back to Stories (view on slashdot.org)

Handling Corporate Laptop Theft Gracefully

Posted by ryuzaki0 on from the it-hurts dept.

Billosaur writes "From NPR, we get a Marketplace story about the theft of corporate laptops and the sensitive data they may contain, specifically how to handle the repercussions. From the story: 'TriWest operates in about 21 states. It's based in Phoenix, Arizona. In December of 2002, somebody broke into the company's offices and stole two computer hard drives.And those hard drives contained the personal information of 550,000 of our customers from privates in the military all the way up to the chairman of the Joint Chiefs of Staff.' How they handled the situation earned them an award from the Public Relations Society of America."

14 of 197 comments (clear)

  1. Encrypt the disks. by base3 · · Score: 4, Informative

    Then there's no data loss, and thus no ethical or legal obligation to tell anyone, and thus no need to handle getting caught with your pants down gracefully.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    1. Re:Encrypt the disks. by hazem · · Score: 5, Insightful

      If the data is on an encrypted disk, does the thief really have the data if they steal the encrypted disk?

      Yes. Because the thief may be able to decrypt the data because they also copied down the password/key that was on a post-it note hidden under the keyboard of the computer. Or they might exploit a flaw in the encryption. Or they manage to socially-engineer access to the key needed to decrypt the data. Or they might have installed a key-logger to get the key and then came back a week later to get the drives too.

    2. Re:Encrypt the disks. by shawn(at)fsu · · Score: 4, Insightful

      I think you missed the a 3rd scenario.

      Do not store sensitive data on a laptop.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    3. Re:Encrypt the disks. by cmacb · · Score: 4, Insightful

      "I don't know what world you live in, but people need access to sensitive data on their laptops -- espcially if they are in an area that doesn't have internet / communications availability.

      You can take precautions such as encrypting the disk -- but many people can't do their jobs without access to that information.

      Before computers, people often put files in their cars, or carried pen / pencil notebooks. The requirements to have that information available away from the office haven't changed."

      I know what world you live it. It is the world of video games and powerpoint presentations with cute little pie charts.

      In the 60s (the 40s and 50s were before my time) we got access to sensitive data by going to the office, passing an armed guard, signing in and sometimes using several keys or typing in combinations to get into certain rooms. Yes, you could take notebooks (paper ones) and pens and pencils with you in your car. You might also take a printout or so with sensitive data from one place to another, but that was pretty rare. There were telecommunications back then and you could even get to your data over those links, which were a lot more secure than todays WiFi and dial-up.

      What changed is that computers became toys, and many of the people using them now know nothing about the underlying technology other than it's easier than using an adding machine. Ninety nine percent of the problem is that the boobs entrusted with these toys didn't take even common sense precautions with the physical security of the devices. Given the mindset of such people, there is zero hope that they would know enough to take the proper electronic precautions.

      I maintain that if the data is REALLY important, and that includes all the examples given above, the the proper way to use a laptop is as a dumb terminal with a highly encrypted communications link back to the actual data. Such a link can happen over the Internet, or via a satellite link. There is really no excuse for carrying such data around, in the past, now, or in the future.

  2. Handling Corporate Laptop Theft Gracefully by suso · · Score: 5, Funny


    Tip 1: When you make your get away, float above the carpet like a feather caught in the wind.
    Tip 2: If you encounter security or other obstacles, aim for the biscuits.
    Tip 3: Make sure you check the laptop for any homing devices that will help them track you down.
    Tip 4: The password is usually the username with 123 at the end or the their children's ages.
    Tip 5: Get the evidence out of your hands as quickly as possible to beat the feds.
    Tip 6: Relax and enjoy reading the next day's headlines on Slashdot about stolen private information.

  3. Explosives by Infernal+Device · · Score: 4, Funny

    All laptops with sensitive information should be equipped with a remote detonation device and 10 grams of C4.

    Not to stop the criminals.

    For the entertainment value ...

    --
    "My God...it's full of trolls!"
  4. Conscientious Capitalism by Doc+Ruby · · Score: 4, Insightful

    Capitalists know that PR is cheaper than security. Never trust them.

    --

    --
    make install -not war

  5. Re:Worst. Article. Ever. by ZombieRoboNinja · · Score: 4, Informative

    FYI, this story was a followup to a longer story about laptop and identity theft. The original story did indeed focus a lot on data encryption.

    From the original article:
    "This is Jonathan Zittrain, a co-founder of the Berkman Center for Internet and Society at Harvard Law School. He says he's not surprised that all of this information is walking around on portable computers. People want to be productive on the run, he says. But he says there are pretty sure-fire ways to protect sensitive information. Like, encrypting it, or leaving the data on the main server and remotely tunneling through the Internet to work with it."

    Way to declare this the "worst article ever" in the same post you brazenly declare you didn't read it, by the way. A bold move, even by Slashdot standards.

  6. Encryption? Priceless. by mythosaz · · Score: 5, Interesting

    I work as the senior engineer for the desktop engineering department of a large west-coast healthcare organization with over 20,000 PCs.

    Not only do we encrypt EVERY laptop, regardless of if we think it contains PHI; theft of desktop equipment has prompted us to encrypt EVERY desktop, regardless of if we think it may contain PHI. We also encrypt and monitor every PDA (including phones with sync).

    The software: Millions of dollars.
    Support: Millions of dollars.
    Not being sued in California for losing PHI: Priceless.

  7. Corporate policies needed by MarkusQ · · Score: 5, Funny

    There's very little you can do after the fact (though the C4 idea above was cute). The key is to do what somewhere I once worked did: make sure that there are effective corporate policies in place long before hand to make sure that laptop thieves don't profit when they get their hands on sensitive information.

    For example:

    • Have policies that make corrupting corporate data easy, but correcting it tedious/impossible.
    • Give different departments "ownership" of different data and encourage them to distribute it to people who need it via e-mail (hand copied from the application), screen shots, or exported spreadsheets that do not correctly propagate column names.
    • Encourage employees to edit the e-mails to produce versions of the data that they think are more accurate, and distribute them with names like "New (revised) revision of Q4 draft data dump--updated, with corrections by MQR for some of the errors introduced by BC in Q3"
    • Have data retention policies that assure that every laptop has at least twenty such interpretations of any key data on it at any time.
    • Prevent the addition of new columns to databases, and instead encourage users to reuse existing columns (Title, Address_line_2, Retirement_date, ROI_projection, Collateral_damage, NSA_contact_name etc.) that are otherwise underutilized.
    • Make test data by permuting fields (and words/digits within fields) between rows of live data. Do not clearly distinguish live data from test data, to assure that some of these will end up on laptops as well.

    With a few simple precautions like these, you can be sure that the bad guys may steal the laptop, and the data, but they won't have any more idea what to do with it than you do.

    --MarkusQ

  8. Re:Wrong, wrong, wrong... by zakezuke · · Score: 4, Funny

    I think we all know that the real question here is, in a straight, clean fight, who wins, Airwolf or Bluethunder?.

    Remember kids

    Red Dawn + Bluethunder = Purple Rain

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  9. why is computer-theft still an issue? by schweini · · Score: 5, Interesting

    i fail to see why computer theft is still an issue - even i implemented a relativly simple, yet, as far as i can see, 'secure enough' system for these situations:
    all 'interesting' files are inside AES256 encrypted container-files wich are mounted via loop-devices.
    if, for some reason, a server or machine reboots, it asks the next higher server for the password it needs to decrypt itself via an encrypted network connection. if a machine is reported as stolen, the server that has the task of sending the passwords gets advised of this, and simply wont send the corresponding password anymore. the peak of this pyramid of trusted machines is an off-site server far, far away. thus, if the hierarchy is broken (e.g. by computer theft) anywhere along the way, it's a matter of seconds to render all information contained on the stolen machine completly useless.
    if i came up with this, surely the admins of REALLY important data can?

  10. Foreign Intelligence Operation? by CodeBuster · · Score: 4, Interesting

    There is one other possibility that has not been considered and that is that the break-in was organized by a foreign intelligence agency in an apparently successful operation to capture records relating to United States military personnel. If this is true then it ups the ante significantly because foreign intelligence agencies have the resources and expertise to organize these types of raids despite the best private security and especially if the operatives are willing to kill for the information. They could have infiltrated across the Mexican border, where security is sorely lacking, and gone anywhere in the US without attracting much attention. Most corporations do not employ the types of security measures that the military does and so they would probably be caught off guard by a commando style raid in the middle of the night. The night watchmen doesn't get paid enough to be killed over a couple of hard drives and all he saw were men in balaclavas before he was knocked over the head with the butt of an mp5 and tied up...you get the idea. This may have been a professional job.

  11. Re:Why store data on latop at all? by Zemran · · Score: 4, Interesting

    Why not take it further and have 5 locations using VPN and set the physically seperate location up like RAID 5 so no location actually has the data. If any hard drive gets stolen it has a maximum of every 4th chunk of data (4 chunks and a check chunk = 5 locations). A thief would need to break into all locations at the same time to get the data. If one location is broken into the data can still be recovered using the check chunks but the thief cannot recover any data. Encryption can easily be broken but a thief cannot see what he does not have.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.