Slashdot Mirror


Stolen VA Laptop Recovered

lancejjj writes "Remember how the VA was pinning the theft of 26.5 million veterans' personal records on a hard working-but-renegade employee whose laptop was stolen? Surprise! It turns out that the employee had written permission to bring the sensitive data home. Fortunately, the laptop has been recovered. It is still unclear how the laptop was recovered, or if any of the veterans' personal data was leaked."

30 of 202 comments

  1. Yeah, Fooooound by Goblez · · Score: 3, Insightful

    Or a copy of it for publicity sake.

    --
    - Kal`Goblez
  2. Nothing taken by paganizer · · Score: 3, Interesting

    I believe it said on the FBI's report that it looked like the data had not been looked at.

    --
    Why, yes, I AM a Pagan Libertarian.
    1. Re:Nothing taken by treeves · · Score: 5, Insightful

      I for one am relieved that the data was not accessed, since I am a veteran who received a letter saying that I might be subject to identity theft as a result of this incident.
      They gave us all a year's worth of ID theft tracking service at a cost to the gov't of $(several millions?).
      If a class action lawsuit against the VA for this debacle is successful it will cost them a lot more than that.

      I am more than a little annoyed that they gave the guy permission to take the data home, and now they are firing him for having done so.
      In spite of my feelings, I hope such a lawsuit fails, since it will only hurt those who rely on the VA's funding for their health care, etc.
      The people who allowed this to happen certainly aren't going to give themselves a cut in pay!

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    2. Re:Nothing taken by hazem · · Score: 3, Insightful

      Do you really believe them when they say the data was not accessed? Ignoring the fact that the data can be accessed with no evidence left on the drive. You're a veteran, and you still believe what the government tells you when it's good news for them?

      The real fault lies with the credit reporting/monitoring companies.

      They have created a system where it's easy for anyone to get credit in another person's name. Their solution, of course, is to pay them to monitor your credit in case someone tries to do it.

      The data is not very valuable for most ID thieves if they cannot open up instant credit. So, the "solution" is for the VA to pay the very companies that make it easy to get instant credit for monitoring services.

      What a racket.

      The easiest first step is to require those agencies to allow every person to put a credit freeze on their credit records. This would stop the instant credit and at the same time would stop a vast majority of the ID theft going on.

      Those very same companies have lobbyists to prevent this, of course.

    3. Re:Nothing taken by TubeSteak · · Score: 5, Funny
      Do you really believe them when they say the data was not accessed?
      FBI Analysis:
      Start ---> Documents ---> Recent Documents

      FBI Analyst #1: Doesn't seem like anyone looked at the file.
      FBI Analyst #2: I concur

      FBI Official: We are pleased to announce that it does not seem that anyone accessed the records in question.
      --
      [Fuck Beta]
      o0t!
    4. Re:Nothing taken by nolife · · Score: 3, Insightful

      What forensic tools is that?
      Is there any way in hell to determine when a read head moves over a piece of data? If there is (which I do not see how), how could it determine with any resolution of when that head passed over the data? One week, one month, one hour ago etc. Whatever magical thing they measure would have to decay away over time with some consistency to determine WHEN it was last read.

      On that note, boot up with Knoppix, mount hda1 read only (which is the default), mount a network share through lin neighborhood and copy \mnt\hda1 to \home\user\mounts\server\share. Shut off laptop and remove Knoppix cd. You can do that whole process in minutes and all with a gui if you'd like! We do that exact process at least once a week from tanked XP laptops that we need data from.

      To get back to reality, if Joe random stole that laptop and was playing with it, he would probably not have the desire and knowledge to do the Knoppix thing or really even care about the actual data on the laptop at all. Someone specifically targeting this VA employee and that data could easily do it.

      --
      Bad boys rape our young girls but Violet gives willingly.
  3. Data Wasn't Accessed by Shadow+Wrought · · Score: 3, Insightful

    According to the FBI as reported by Reuters. The FBI said that the DB hadn't been accessed since the date it was stolen. Keep in mind, too, that laptop thefts are no different than any other and the vast bulk are crimes of opportunity. So it is most likely that the laptop was just at the wrong place at the wrong time and the tweaker responsible had no idea as to its value.

    --
    If brevity is the soul of wit, then how does one explain Twitter?
    1. Re:Data Wasn't Accessed by ewhac · · Score: 3, Interesting

      The data probably wasn't accessed. If the thief knew what they had, and was at all clever, they could have pulled the drive, performed a raw sector copy, and put it back. Poof! No date changes. I'm sure the FBI forensics team will be checking for this possibility.

      Schwab

    2. Re:Data Wasn't Accessed by neonprimetime · · Score: 3, Insightful

      You trust Microsoft Windows "Last Accessed Date" on files, right? I mean there's absolutely positivity without a doubt no way no how no possible method of changing that "Last Accessed Date".

    3. Re:Data Wasn't Accessed by bcat24 · · Score: 4, Insightful

      Or using a system that doesn't even touch the last accessed date in the first place.

    4. Re:Data Wasn't Accessed by hazem · · Score: 4, Informative

      You don't even have to pull the drive.

      Just boot with knoppix, or some other bootable linux on a cd and do something like:

      dd if=/dev/hda |gzip -9 |ssh -l someuser somemachine.com "dd of=stolendrivebackup.gz"

    5. Re:Data Wasn't Accessed by pluther · · Score: 4, Funny

      I think it unlikely that the VA depended on the "Last Accessed Date" when they made their claim that the data hadn't been stolen.

      Given what we've seen so far in the case, it's more likely that they carefully scanned it, determined the data was still there, and therefore must not have been stolen.

      --
      If the masses can keep you down, you're not the Ubermensch.
  4. I'm sure it's safe by jeffmeden · · Score: 3, Interesting

    There is no way the thief who had it thought to himself "Hmm all these VA logos, some huge files with a bunch of names and 9 digit numbers. I obviously have nothing important here, I should just return this to the rightful owner." I mean it's not like this was all over the news or anything. Where would he get an idea like 'steal the identities of 26 million veterans'??? I know I can sleep a little easier (mostly because I was never in the armed services). On a more serious note, why aren't the headlines reading "VA wrongly accused employee of negligence, prepared to take full blame"? That seems to be the gist of this event.

  5. The US just needs data privacy laws by bunions · · Score: 4, Insightful

    Seriously. Attention any/all US federal legislators reading this: just mimic the EU on this one. It's a no-brainer and will win you the all-important geek vote.

    --
    there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
  6. How it got recovered? by 88NoSoup4U88 · · Score: 3, Funny
    It is still unclear how the laptop was recovered


    They probably just put up a blog. ;)
  7. TrueCrypt by Spy+der+Mann · · Score: 4, Informative

    After discovering truecrypt, I realized how easy it is to have your sensitive data secured. Provided that the laptop doesn't contain spyware, only the person with password to the truecrypt volume can read it. After it's turned off, nobody else can.

    And the hidden volumes feature in truecrypt makes it much harder to steal the data (not only you'd need the normal volume password, you'd also need the hidden volume password - IF there is a hidden volume, which you don't know).

    1. Re:TrueCrypt by VertigoAce · · Score: 4, Informative

      That isn't the purpose of the hidden volume. You only need the hidden volume password to access that volume. The actual purpose is so that if you are compelled to give access to the encrypted data you can just give out the outer volume's password. Used properly, there's no way to tell if there is a hidden volume or not, so no one can compel you to give the password for that volume. So basically, store some semi-sensitive data in the outer volume and your very sensitive data in the hidden volume. Maybe also create some volumes without hidden sections so you have plausible deniability.

    2. Re:TrueCrypt by e40 · · Score: 3, Insightful

      Problem is that if the hidden volume is mounted and the laptop suspended... does Truecrypt unmount in this case? (In other words, does the user have to remount on resume?) If not, it's the same as not having any encryption at all.

    3. Re:TrueCrypt by citizenklaw · · Score: 4, Informative

      Disagree. On the preferences, TrueCrypt enables you to Auto-Dismount the encrypted partition when a user logs off, when the screen saver is launched, the computer enters power saving mode, if no data is read or written for x amount of time, etc. You can even tell the program to force a dismount even if the volume contains open files/directories.

      My settings are simple: dismount when I log off and when the computer goes into power saving mode. I like this little app.

      --
      the future is but past forgotten
  8. Why real data? by JayDot · · Score: 5, Insightful

    One of the articles quoted the permission granting documents, saying that the analyst needed real SSNs for his work. I don't understand why that would be the case. Couldn't they have generated a fake list, verified that no two numbers were alike, and assigned a bunch of random names? It seems like the whole issue could have been eliminated from the start by doing this. Also, it's just shameful the way a bunch of middle-management types are trying to shaft the analyst when he's had written permission for ~4 years.

    --
    Meh, a real sig would take too long, and I have an MMORPG to play with....
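
An added example, not part of any comment in this thread, of the approach suggested in the comment above: a fake list with unique numbers and random names, plus a check that a data set contains no plausibly real SSN before it leaves the office. It relies on the fact that the SSA never issues area numbers 000 or 666; the function names and name pools are made up for the illustration.

```python
import random
import re

# Area numbers 000 and 666 are never issued, so numbers built on them cannot
# belong to a real person. Groups run 01..99 and serials 0001..9999, which
# gives roughly two million distinct synthetic values.
SAFE_AREAS = ("000", "666")
GROUPS, SERIALS = 99, 9999
CAPACITY = len(SAFE_AREAS) * GROUPS * SERIALS

# Constructed name pools for the illustration.
FIRST = ["Alex", "Jordan", "Casey", "Morgan", "Riley", "Taylor"]
LAST = ["Example", "Sample", "Testcase", "Placeholder", "Fixture"]


def index_to_ssn(i):
    """Map an integer in [0, CAPACITY) to a distinct never-issued SSN string."""
    area, rest = divmod(i, GROUPS * SERIALS)
    group, serial = divmod(rest, SERIALS)
    return f"{SAFE_AREAS[area]}-{group + 1:02d}-{serial + 1:04d}"


def synthetic_records(count, seed):
    """Return `count` records with unique synthetic SSNs and random names."""
    if count > CAPACITY:
        raise ValueError(f"at most {CAPACITY} unique synthetic SSNs available")
    rng = random.Random(seed)  # seeded so a test set can be regenerated
    # sample() draws without replacement, so no two numbers are alike.
    picks = rng.sample(range(CAPACITY), count)
    return [{"ssn": index_to_ssn(i),
             "name": f"{rng.choice(FIRST)} {rng.choice(LAST)}"} for i in picks]


def looks_real(ssn):
    """True if the string has the shape of an SSN that could have been issued."""
    m = re.fullmatch(r"(\d{3})-(\d{2})-(\d{4})", ssn)
    if not m:
        return False
    area, group, serial = m.groups()
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def leak_check(records):
    """Return the records whose SSN field could be a real person's number."""
    return [r for r in records if looks_real(r["ssn"])]


if __name__ == "__main__":
    data = synthetic_records(5, seed=2006)
    print(data, "possible real SSNs:", leak_check(data))
```
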
  9. Oh it matters! by jeffmeden · · Score: 4, Funny

    Because one method involves Chuck Norris and immediate death for the thief. The other involves Charlie Sheen and about two hours of pouty looks and deadpan humor. We owe it to history to properly document this event!

  10. Re:If he keeps his job by JayDot · · Score: 5, Insightful

    Why? He had at least three written memos giving express permission for him to do what he did. The problem here wasn't with the worker, it's with the policies and directors that signed the memos.

    --
    Meh, a real sig would take too long, and I have an MMORPG to play with....
  11. Bah... by citizenklaw · · Score: 4, Informative

    Nothing appeared to be copied? Bah. What's keeping a would-be data thief from booting up with a Linux distro, copying at will and shutting down the computer.

    I use a utility called TrueCrypt on my computer. I don't use a Mac (I would if I had the money), but I think the Mac has a utility (built in to the OS to boot) that lets you encrypt the contents of your home folder. This utility (TrueCrypt) enables me to reserve a chunk of space on my HD and encrypt it. I'm pretty confident that if my laptop gets stolen, the data will be *reasonably* safe.

    This is just a mix of bad infosec policies and worse OS.

    --
    the future is but past forgotten
  12. Re:If he keeps his job by 955301 · · Score: 4, Insightful

    Oh no, the best thing they could do is let him keep the job. He's the least likely person in the US to do this again. It would be different if he stole it himself.

    --
    You are checking your backups, aren't you?
  13. Another whacked summary by HardCase · · Score: 4, Insightful

    The employee had permission to access social security numbers. The employee had permission to take a laptop home. The employee had permission to use database software at home.

    The VA still contends that the employee did not have permission to put the social security numbers on the computer and take it home.

    Look at the timeline. He gets permission to access SSNs in February. He gets permission to take a laptop home in September. Sometime during the year he got permission to use a database program at home. It still sounds to me like he took a little personal initiative to take the SSN database home.

    Still, the whole affair was handled pretty damn poorly, particularly the delay in reporting it, among other things.

    -h-

  14. Re:Yeah - laws that let the gov't have all access by bunions · · Score: 4, Insightful

    Data privacy laws aren't there to keep the gov't from snooping into your stuff, it's to keep companies from trading your private data, or even keeping it on file in many instances.

    --
    there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
  15. Ethical Hacking Rule no.1 by Frightening · · Score: 3, Funny

    Never, EVER steal a piece of hardware for info without returning it (after taking the info).

    It will be interesting to see the public's reaction when 26.5 million SSN are posted tomorrow on a blog.

  16. That's how cargo theft works by Kadin2048 · · Score: 3, Informative

    Actually you don't have to have your tinfoil hat on too tight to believe that.

    The situation you describe is not at all unlike how the mafia cargo-theft operations run (or used to run...the people I know are all ex-OCTF types). Basically they'd find some truck driver who had a gambling problem, and make him a deal: he parks his truck at a certain rest area on a certain night, and goes into the restaurant to have dinner. When he gets out, his truck is missing. Sometimes they'd even arrange it so that the cargo in question that night would be particularly high-value (load of VCRs, whatever), or easy to fence merchandise.

    The key question in the data-theft is whether or not U.S. organized crime is really involved in large-scale identity theft, to the point where they would have wanted to get their hands on a laptop full of data that badly. If you think that they are, then the whole scenario doesn't seem totally implausible.

    I'm fairly confident, however, that the FBI is probably looking down this angle -- it's not really that hard a thing to imagine, so I expect that they're going through the employee's finances and everything else, seeing if there's some way he could have been compromised.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  17. I smell a fish... by indigence_is_best · · Score: 3, Interesting

    My data just happened to be on that hard drive, so I am a little upset about it to say the least. We in the armed forces have been told that the individual was definitely NOT supposed to take that data home. It even says so on the VA website regarding this incident. http://www.firstgov.gov/veteransinfo.shtml If he had written authorization to do so, then that is a completely different story, and all of us that were affected should be even more angry. There are procedures in place for bringing ANY government property home; whether it be DATA or PHYSICAL media. Especially privacy act information.

    So which is it? He was or he wasn't allowed to? It is a bit too convenient for my taste that the laptop was recovered so magically and with the data intact.

    This kind of back-and-forth "truth" on these kinds of issues gets very old very fast.

    Smells fishy...

  18. Load of tinfoil. by ScentCone · · Score: 3, Insightful

    It sounds like a coverup to me. They never found that laptop, and if they did, it wasn't the one that was missing

    Does your specially-formed tinfoil apparel help you to know these facts? The scoop is that someone turned it in to the Baltimore FBI office, and they're keeping it quiet because the $50k reward was part of the picture. Their forensics people were the first ones to look at the machine, and that's what they do all day.

    More likely whatever idiot looted the house and took the portable fencables really didn't know what to do with it, and probably saw the government markings on the machine later. Not something you can put on eBay or take to a pawn shop. And people like that are in the habit of asking their equally ass-hattish friends what to do with something like that. Obviously one of the more enterprising ones is looking to turn it into $50k.

    --
    Don't disappoint your bird dog. Go to the range.