TSA to Contractors - Encrypt Your Laptops

eweekhickins writes "After two laptops were lost containing the personal data of 3,900+ truckers who handle HAZMATs, the Transportation Security Administration has ordered its contractors to encrypt any and all data. 'After the second theft or loss, the TSA conducted an IT forensic investigation that ascertained that the (previously) deleted information could be retrieved if a thief had the proper training. "So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place," Davis said.'"

The norm for govt.

[Nick+Driver]

As someone who works for a govt contractor (state & local govt, not federal), ironically in the security field lately, I've noticed that retroactive measures for security lapses are generally the norm, and not the exception. The govt organizations themselves are too cheap to do security right in the first place, and many contractors are too greedy to include proper security measures in their govt projects since those will cut into their profits. Fortunately, my employer has a clue and we don't suffer from such moronism, but we sure see a lot of it when we have to come in and finish or repair a system implementation that a prior contractor botched up.

"Only a small chance"?

[Opportunist]

Be serious here!

You steal a laptop. If you're not a complete dimwit, you first of all check what you got. So you boot the thing up and notice that you have a government laptop in your hands.

Question for 100: Do you want to know what's on it? Let's even assume you don't know jack about computers, but do you want to know what's on the box?

Now, it's fairly trivial to get information out of a hard drive and restore deleted information (unless it's been overwritten, where it becomes less trivial). A halfway informed person with a bit of knowledge is enough, you don't need a forensic expert. All you need is the usual program(s), downloadable at leisure. And presto, instant information recovery.

The question is not whether information can be gained from the laptop, the only question is whether the thief has the brains to use it. That he has access to it without any hassle is a given. The only thing that matters is whether he knows a fence for information rather than just hardware.

And yes, those people exist...

Re:"Only a small chance"?

[mlts]

Thieves are getting smarter though. Its on the news often how the data stolen on a laptop was worth millions. Even the local "swipe and run" guy at the university prowling the library for people who briefly leave their laptops unattended are becoming aware that the data on the laptop is just as valuable if not more than the hardware itself, so they will be more likely to find a partner in crime to extract the data from it for either selling to someone else for ID theft, or just outright extortion. If a thief can't use the info, there are people who they can sell it to who can.

Even if its a personal laptop with nothing more sensitive than Facebook cookies, that is still valuable info to a thief.

I strongly urge anyone with a laptop to spend the $100 or so and buy a decent WDE (whole disk encryption) program. There are a number of good programs out there to choose from. I personally use (on different machines, of course) PGP, Jetico's BestCrypt, and MySecureDoc, and found them all to be pretty much install and forget (other than providing the passphrase at boot.) PGP and Jetico both offer eToken support for added security, so someone stealing the laptop would have to have the eToken, the laptop, and the password of the eToken to obtain any useful info.

One feature of Jetico's offering I like is the fact that you can install it on a BartPE CD, which makes recovery of a damaged, encrypted filesystem a lot easier. You do not need to decrypt the volume completely, just mount it, and do the repairs needed.

As a Government Contractor

I have to say that everybody is all for encrypting your laptop until you realize what that means. For us we are running Pointsec (or as some people call it, PointSuck) on every laptop in the company. It's annoying because Pointsec is a dog to install and about 1 in 10 people who do end up having it crash before it reaches the magical 1% and have to rebuild their machine from scratch. They say it doesn't affect disk performance, but it is yet another layer of overhead that makes the Core2Duo based Laptops we use now take 10 minutes to boot up (10 minutes until the disk dies down and it's usable at least, thanks to Symantic, ZoneAlarm, Patch Checker, Radia, etc...) and not feel any faster than the previous generation laptops.

It has been especially annoying for my department because we have lots of older hardware (like Sony Vaio Picturebooks that are really nice for portable testing, and Sharp Zaurus SL-C7xx series linux boxes that we really have no way of encrypting, and must plant clear instead, even though they'll never have any kind of vital information on them). Not to mention all of the people who are in to dual booting (we now use VMware a lot instead, although VMware has several issues that make it annoying, the most basic of which is the clock drift). It's also been a pain for our laptop re-imaging system (which is basically dead now)

In the end I'll be glad if my main work machine is stolen since I'm pretty sure Outlook doesn't encrypt anything and I have confidental information on it, but the cost is a lot higher than the price of one copy of Pointsec.

Re:Not Enough

An idea might be to put a VMWare Virtual Machine inside a TrueCrypt volume.
This way your entire OS will be encrypted.

Easy encryption, but not with Windows

[RobertB-DC]

The latest versions of Puppy Linux have an easy-as-pie way to encrypt everything. Just burn a CD, boot from it, then at shutdown you're prompted to save your session. You can save to the hard drive or any other storage device, and you have the option to encrypt the data.

Boot from the CD, and it'll find and load the data you stored. Enter your password (correctly, one would hope) and go. It doesn't get much simpler than that.

Of course, you can't use your insecure Windows "helpers". But if they were *really* concerned about data security... well, I won't go *there*.

Ch-ching!

[bug]

The TSA can issue orders like that until it is blue in the face. If it ain't in the contract, and it ain't in the Federal Acquisitions Regular (FAR), then the only way this happens is if TSA (in other words, the taxpayer) chooses to *pay* for it to happen.

Truecrypt!

[NitroWolf]

I use Truecrypt to encrypt a partition on a drive and store all of my documents there. It's transparent to the user, once you've mounted your volume(s) and it's pretty danged fast, too. You can do encryption with Twofish, Serpent and AES or a cascading combination of them. Pretty damned secure, opensource and free.

You can even encrypt a whole device. If you do that, it just looks like a blank volume and a thief won't even know there is data on the volume to be decrypted.

Re:Truecrypt!

[mlts]

TrueCrypt is an excellent program, the devs have put a lot of thought into every aspect of security. I use it for encrypting external drive volumes completely so if someone does a smash and grab on my stuff, they will end up with hardware, but the data is protected by a passphrase and a keyfile stored on the (WDE encrypted, using a hardware token) boot drive.

The biggest thing to remember with TrueCrypt, if you lose the first 1024k or so of an encrypted volume, you have completely lost the volume because the first part contains the encryption key (or keys) for the rest of the data. ALWAYS back up the volume headers (they are encrypted with the same mechanism as the volume itself, so they just need to be stored safely) of all critical volumes.

Of course there will be people saying that "I don't use encryption programs, I have nothing to hide." That is analogous to saying "Don't have a front door as you might has something to hide." Its not the governments these programs are for (most governments can obtain the decryption key via other means including a rubber hose), its thieves. These days, TrueCrypt and other security programs are highly necessary to keep a $1000 laptop from becoming a loss of many thousands in ID theft.

Re:Effective solutions?

[jandrese]

Most of the military is going towards the CAC Card, which is good because since it is your badge you have to take it with you when you go somewhere (you can't just leave it plugged into your workstation when you stand up to go somewhere, because eventually a guard will stop you and ask why you're not wearing your ID, and then you're in trouble).

Now they have a lot of issues with their implementation currently, but the underlying concept is a good one.

Re:Not Enough

[ic3scrap3r]

Full Disk Encryption. That is the only answer. Otherwise you are relying on the user to make security decisions and they don't understand security.

Full Disk Encryption is just that. It encrypts the entire thing and requires pre-boot authentication. Even the OS is encrypted.

FDE works too..

[rickb928]

Most Thinkpads support something like Full Disk Encryption. Password in the BIOS, and you can't boot without it. The disk is literally unusable without the password.

My gig at I%$&#, they had me write my FDE password down and give it to the nice Systems tech. That way, when I left, they could recover the disk and reissue the machine after the usual shredding and wiping.

Without it, they would have to throw out the drive and buy a new one.

And yes, you need to remember your password. This you write down and leave at home, or with the Keymaster in the office, or your boss.

Honestly, this is not that hard.

Re:FDE works too..

[rickb928]

My understanding (and we grilled our supervisor on this one - he was good) is that flashing the drive would REQUIRE the password. But even if it didn't, the data is encrypted. If the password is on the drive firmware, flashing it would lose the password and woops, no data.

This is the hardware encryption scheme - supposedly, even if you put the drive in another Thinkpad, that chip has a different hardware key and even the right password won't decrypt. So it encrypts data onto the drive.

Yes, you could send it out to be extracted. Then go about breaking the key. We didn't get much guidance on the password, but mine was 8 characters and included upper/lower and symbols. It would be nontrivial to extract the drive and decrypt.

Re:It's always sad

[Sancho]

Many companies have policies that state that machines must be password protected--BitLocker, OS X, etc. handle encryption seamlessly if this is the case. There is no convenience reason not to use it on company laptops if they're managing sensitive data.

Re:Contractors

This would surprise me, as I know at least in my division of Lockheed all laptops have mandatory full disk encryption. Posted as anonymous for obvious reasons.

Bitlocker?

Wouldn't a laptop with a TPMv1.2 chipset and Bitlocker fix this? Can't crack the password db since it's encrypted. Only two ways in: stonewall the 40 number recovery key in vitro or guess the luser's password in vivo. Both a tough nut to crack.