Slashdot Mirror

← Back to Stories (view on slashdot.org)

TSA to Contractors - Encrypt Your Laptops

Posted by Zonk on from the probably-a-good-idea dept.

eweekhickins writes "After two laptops were lost containing the personal data of 3,900+ truckers who handle HAZMATs, the Transportation Security Administration has ordered its contractors to encrypt any and all data. 'After the second theft or loss, the TSA conducted an IT forensic investigation that ascertained that the (previously) deleted information could be retrieved if a thief had the proper training. "So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place," Davis said.'"

9 of 132 comments (clear)

  1. Many have been told to backup... by psychicsword · · Score: 2, Insightful

    Though many never do, will this be the same?
    I think that even if you force the security measures in place people will always find a way around it. People write their passwords on a Post-in note or tape it to their monitor. These security measures are good but definitely not perfect.

  2. It's always sad by techpawn · · Score: 2, Insightful

    That these kind of measures are retroactive instead of proactive.

    --
    Ask not what you can do for your country. Ask what your country did to you
    1. Re:It's always sad by mlts · · Score: 3, Insightful

      I keep wondering, if the data is that sensitive, IT departments should have it physically never leave the data center. Instead, offer different means of access via secure means, such as Remote Desktop, ssh, a secure webapp available after connecting to a VPN, or some other means of accessing the data and gathering reports from remote. Keep the data available, but have it physically reside in the (relatively) secure environment of the data center.

      If someone needs offline access (for example in a remote location with no Internet access), that is a different story, but in a number of laptop theft cases, there is no real reason the info is physically sitting on the laptop.

      Of course, this won't prevent an employee from doing an export of all the tables to their laptop, but having the sensitive data behind a username, password, and a SecurID token means that the losses due to a stolen laptop will be minimal. Add a decent FDE program (BitLocker is decent because it doesn't get in the way of users, provided they can access their user), and a laptop loss can be written off as "just" hardware.

      A number of Dell laptops and desktops have the ability to have CompuTrace installed in the BIOS. This is another good tool to help find stolen goods.

      By using the tools out there, from WDE, to having data physically residing on a different location (although there are cases where this isn't possible), to CompuTrace, damage done from a stolen laptop can be greatly mitigated.

  3. You can't believe how sad... by WED+Fan · · Score: 3, Insightful

    That these kind of measures are retroactive instead of proactive.

    Yeah, I installed TruCrypt today so I could encrypt my drive yesterday.

    Uh, dude, I think you mean "reactive".

    --
    Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
  4. Re:Encrypting Personal Information by beavis88 · · Score: 2, Insightful

    Is there anything to say besides "Duh"?

    Yeah - "Don't write your encryption passphrase on a sticky note and attach it to your laptop"

    Because you just know that'll be the next TSA directive.

  5. Now that got me thinking by suv4x4 · · Score: 3, Insightful

    So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place

    The data that goes out, why spend incredible efforts tracking every action of the victims in case it's a fraud.. versus, invalidating the data that went out?

    Your social security number was leaked because of the government? The government changes your social security number, fixes their data, and the old one remains as a trap waiting for some fraudster wanna be try and use it.

  6. Effective solutions? by WPIDalamar · · Score: 3, Insightful

    Are there any real-world effective laptop encryption solutions?

    Encryption requiring a simple password:
        They key space will be limited making for easy cracking.

    Encryption requiring a sufficiently complex password to avoid above:
        The password will be too hard to remember so people will write it down... on a sticky note on the laptop.

    Encryption requiring an external device to supply complex key:
        This will fail because many people will either attach the device to the laptop, or keep it in the same bag as the laptop.

    I guess the simple password solution is the best since it would at least require a degree of technical expertise from the thief to get around.

    1. Re:Effective solutions? by cadeon · · Score: 2, Insightful
      Are there any real-world effective laptop encryption solutions?

      Are there any real-world effective encryption solutions, period?
      Encryption, overall, is a slippery slope of hate and doom. The only way (currently) to encrypt something is to use a key that's long enough to take a 'really really long time' to guess. Unfortunately, 'really really long time' shortens with growing processor power.

      It wasn't all that long ago that we were using 40bit encryption for online banking. . . now that's unthinkable, we're using longer keys . . . with longer keys comes more overhead, and we're not any closer to a real solution to the encryption problem.

      Expoential systems cannot exist in perpetuity. We need to come up with a new system for encryption or have fewer secrets, I'm a fan of the latter.

  7. Re:"Only a small chance"? by RobertB-DC · · Score: 2, Insightful

    You steal a laptop. If you're not a complete dimwit, you first of all check what you got. So you boot the thing up and notice that you have a government laptop in your hands.

    You're forgetting that most smash 'n grab thieves *are* complete dimwits. They're going to take the box to the pawn shop for cash for their next hit of a controlled substance. They couldn't undelete a file to save their life.

    If someone has the wherewithal to undelete files and sell the contents to the Russian Mafia, they're not going around stealing random laptops.

    And if it's a targeted hit, then they're probably smart enough to guess that your password is "18wh33ler".

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.