Slashdot Mirror


TSA to Contractors - Encrypt Your Laptops

eweekhickins writes "After two laptops were lost containing the personal data of 3,900+ truckers who handle HAZMATs, the Transportation Security Administration has ordered its contractors to encrypt any and all data. 'After the second theft or loss, the TSA conducted an IT forensic investigation that ascertained that the (previously) deleted information could be retrieved if a thief had the proper training. "So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place," Davis said.'"

32 of 132 comments

  1. Overheard conversation by postbigbang · · Score: 5, Funny

    "No, not the keys to the truck and trailer, I need the damn keys to the laptop!"

    --
    ---- Teach Peace. It's Cheaper Than War.
    1. Re:Overheard conversation by TechwoIf · · Score: 3, Interesting

      That would be funny if it did not actually happen to me. I drive a truck and cross the border to Canada and back to the USA. I was literally asked for the keys to the laptop by customs.

  2. Many have been told to backup... by psychicsword · · Score: 2, Insightful

    Though many never do, will this be the same?
    I think that even if you force the security measures in place people will always find a way around it. People write their passwords on a Post-it note or tape it to their monitor. These security measures are good but definitely not perfect.

  3. It's always sad by techpawn · · Score: 2, Insightful

    That these kind of measures are retroactive instead of proactive.

    --
    Ask not what you can do for your country. Ask what your country did to you
    1. Re:It's always sad by Volante3192 · · Score: 3, Interesting

      "Reactive"

      It's more likely it was pitched, but either for cost or time, management probably shot it down. Never mind there've been high profile laptops missing all over, like the VA one. Being naive, I would wager that the IT department would like to lock down the systems as tight as possible (I know I would) but are being thwarted by management because it'd make things too hard, too different, or cost too much.

      It's always after the sole data server blows up that they decide "oh, guess that backup option would've been worthwhile." (Had this happen too. Financial data, customer data, and no paper trail. But the tape drive cost 'too much'.)

    2. Re:It's always sad by Chris+Mattern · · Score: 4, Funny

      If they could actually take retroactive measures, they'd be much happier. "Johnson, I need to secure that data so that it didn't get stolen three days ago!"

      Chris Mattern

    3. Re:It's always sad by mlts · · Score: 3, Insightful

      I keep wondering, if the data is that sensitive, IT departments should have it physically never leave the data center. Instead, offer different means of access via secure means, such as Remote Desktop, ssh, a secure webapp available after connecting to a VPN, or some other means of accessing the data and gathering reports from remote. Keep the data available, but have it physically reside in the (relatively) secure environment of the data center.

      If someone needs offline access (for example in a remote location with no Internet access), that is a different story, but in a number of laptop theft cases, there is no real reason the info is physically sitting on the laptop.

      Of course, this won't prevent an employee from doing an export of all the tables to their laptop, but having the sensitive data behind a username, password, and a SecurID token means that the losses due to a stolen laptop will be minimal. Add a decent FDE program (BitLocker is decent because it doesn't get in the way of users, provided they can access their user), and a laptop loss can be written off as "just" hardware.

      A number of Dell laptops and desktops have the ability to have CompuTrace installed in the BIOS. This is another good tool to help find stolen goods.

      By using the tools out there, from WDE, to having data physically residing on a different location (although there are cases where this isn't possible), to CompuTrace, damage done from a stolen laptop can be greatly mitigated.

    4. Re:It's always sad by Sancho · · Score: 2, Informative

      Many companies have policies that state that machines must be password protected--BitLocker, OS X, etc. handle encryption seamlessly if this is the case. There is no convenience reason not to use it on company laptops if they're managing sensitive data.

  4. Encrypting Personal Information by Dragonslicer · · Score: 2, Funny

    After two laptops were lost containing the personal data... we mandated that contractors need to encrypt any and all data

    Is there anything to say besides "Duh"?
    1. Re:Encrypting Personal Information by beavis88 · · Score: 2, Insightful

      Is there anything to say besides "Duh"?

      Yeah - "Don't write your encryption passphrase on a sticky note and attach it to your laptop"

      Because you just know that'll be the next TSA directive.

  5. Not Enough by s31523 · · Score: 5, Interesting

    OK, so I have my Open Office document with goodies of HAZMAT data in it. I deploy my favorite encryption program and encrypt the document. Then I delete the original document. Same problem exists. Encryption is not enough.

    Either the data needs to be "shredded" or stored in its natural form on a fully encrypted volume.

    1. Re:Not Enough by ic3scrap3r · · Score: 3, Informative

      Full Disk Encryption. That is the only answer. Otherwise you are relying on the user to make security decisions and they don't understand security.

      Full Disk Encryption is just that. It encrypts the entire thing and requires pre-boot authentication. Even the OS is encrypted.

    2. Re:Not enough by moderatorrater · · Score: 2, Funny

      This is one of the many reasons I haven't set foot in an airport since 9/11.

      Let me guess, another is that your hat sets off the metal detector?
  6. this should read by ILongForDarkness · · Score: 2, Interesting

    We don't want people knowing how much crap happens at a typical bridge, or airport. So only authorized personnel should have access to the data. Hmm, my ignorance is comforting as I type this.

  7. You can't believe how sad... by WED+Fan · · Score: 3, Insightful

    That these kind of measures are retroactive instead of proactive.

    Yeah, I installed TrueCrypt today so I could encrypt my drive yesterday.

    Uh, dude, I think you mean "reactive".

    --
    Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
  8. The norm for govt. by Nick+Driver · · Score: 2, Informative

    As someone who works for a govt contractor (state & local govt, not federal), ironically in the security field lately, I've noticed that retroactive measures for security lapses are generally the norm, and not the exception. The govt organizations themselves are too cheap to do security right in the first place, and many contractors are too greedy to include proper security measures in their govt projects since those will cut into their profits. Fortunately, my employer has a clue and we don't suffer from such moronism, but we sure see a lot of it when we have to come in and finish or repair a system implementation that a prior contractor botched up.

  9. Don't forget! by suv4x4 · · Score: 2, Funny

    Always put the password somewhere near your laptops in case you forget it. Security is aight, but there's nothing worse than forgetting your password!

  10. "Only a small chance"? by Opportunist · · Score: 3, Informative

    Be serious here!

    You steal a laptop. If you're not a complete dimwit, you first of all check what you got. So you boot the thing up and notice that you have a government laptop in your hands.

    Question for 100: Do you want to know what's on it? Let's even assume you don't know jack about computers, but do you want to know what's on the box?

    Now, it's fairly trivial to get information out of a hard drive and restore deleted information (unless it's been overwritten, where it becomes less trivial). A halfway informed person with a bit of knowledge is enough, you don't need a forensic expert. All you need is the usual program(s), downloadable at leisure. And presto, instant information recovery.

    The question is not whether information can be gained from the laptop, the only question is whether the thief has the brains to use it. That he has access to it without any hassle is a given. The only thing that matters is whether he knows a fence for information rather than just hardware.

    And yes, those people exist...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:"Only a small chance"? by RobertB-DC · · Score: 2, Insightful

      You steal a laptop. If you're not a complete dimwit, you first of all check what you got. So you boot the thing up and notice that you have a government laptop in your hands.

      You're forgetting that most smash 'n grab thieves *are* complete dimwits. They're going to take the box to the pawn shop for cash for their next hit of a controlled substance. They couldn't undelete a file to save their life.

      If someone has the wherewithal to undelete files and sell the contents to the Russian Mafia, they're not going around stealing random laptops.

      And if it's a targeted hit, then they're probably smart enough to guess that your password is "18wh33ler".

      --
      Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    2. Re:"Only a small chance"? by mlts · · Score: 2, Informative

      Thieves are getting smarter though. It's on the news often how the data stolen on a laptop was worth millions. Even the local "swipe and run" guy at the university prowling the library for people who briefly leave their laptops unattended is becoming aware that the data on the laptop is just as valuable if not more than the hardware itself, so they will be more likely to find a partner in crime to extract the data from it for either selling to someone else for ID theft, or just outright extortion. If a thief can't use the info, there are people who they can sell it to who can.

      Even if it's a personal laptop with nothing more sensitive than Facebook cookies, that is still valuable info to a thief.

      I strongly urge anyone with a laptop to spend the $100 or so and buy a decent WDE (whole disk encryption) program. There are a number of good programs out there to choose from. I personally use (on different machines, of course) PGP, Jetico's BestCrypt, and MySecureDoc, and found them all to be pretty much install and forget (other than providing the passphrase at boot.) PGP and Jetico both offer eToken support for added security, so someone stealing the laptop would have to have the eToken, the laptop, and the password of the eToken to obtain any useful info.

      One feature of Jetico's offering I like is the fact that you can install it on a BartPE CD, which makes recovery of a damaged, encrypted filesystem a lot easier. You do not need to decrypt the volume completely, just mount it, and do the repairs needed.

  11. Now that got me thinking by suv4x4 · · Score: 3, Insightful

    So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place

    The data that goes out, why spend incredible efforts tracking every action of the victims in case it's a fraud.. versus, invalidating the data that went out?

    Your social security number was leaked because of the government? The government changes your social security number, fixes their data, and the old one remains as a trap waiting for some fraudster wannabe to try and use it.

  12. Easy encryption, but not with Windows by RobertB-DC · · Score: 2, Informative

    The latest versions of Puppy Linux have an easy-as-pie way to encrypt everything. Just burn a CD, boot from it, then at shutdown you're prompted to save your session. You can save to the hard drive or any other storage device, and you have the option to encrypt the data.

    Boot from the CD, and it'll find and load the data you stored. Enter your password (correctly, one would hope) and go. It doesn't get much simpler than that.

    Of course, you can't use your insecure Windows "helpers". But if they were *really* concerned about data security... well, I won't go *there*.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  13. Re:And it seems... by jojo1835 · · Score: 2, Interesting

    What they should be looking at is VMware's ACE product. Built-in encryption, security policies, and the ability to expire a VM after a certain amount of time. Add to that the ability to lock out USB devices and untrusted networks, and you have a pretty cool product.

    I'm not as concerned about the laptops being lost as I am about contractors keeping the data on their laptops as long as they like.

    Tim

    --
    See... and you thought your sig was boring - TT
  14. Ch-ching! by bug · · Score: 2, Informative

    The TSA can issue orders like that until it is blue in the face. If it ain't in the contract, and it ain't in the Federal Acquisition Regulation (FAR), then the only way this happens is if TSA (in other words, the taxpayer) chooses to *pay* for it to happen.

  15. Effective solutions? by WPIDalamar · · Score: 3, Insightful

    Are there any real-world effective laptop encryption solutions?

    Encryption requiring a simple password:
        The key space will be limited making for easy cracking.

    Encryption requiring a sufficiently complex password to avoid above:
        The password will be too hard to remember so people will write it down... on a sticky note on the laptop.

    Encryption requiring an external device to supply complex key:
        This will fail because many people will either attach the device to the laptop, or keep it in the same bag as the laptop.

    I guess the simple password solution is the best since it would at least require a degree of technical expertise from the thief to get around.

    1. Re:Effective solutions? by jandrese · · Score: 2, Informative

      Most of the military is going towards the CAC Card, which is good because since it is your badge you have to take it with you when you go somewhere (you can't just leave it plugged into your workstation when you stand up to go somewhere, because eventually a guard will stop you and ask why you're not wearing your ID, and then you're in trouble).

      Now they have a lot of issues with their implementation currently, but the underlying concept is a good one.

      --

      I read the internet for the articles.
    2. Re:Effective solutions? by cadeon · · Score: 2, Insightful

      Are there any real-world effective laptop encryption solutions?

      Are there any real-world effective encryption solutions, period?

      Encryption, overall, is a slippery slope of hate and doom. The only way (currently) to encrypt something is to use a key that's long enough to take a 'really really long time' to guess. Unfortunately, 'really really long time' shortens with growing processor power.

      It wasn't all that long ago that we were using 40-bit encryption for online banking. . . now that's unthinkable, we're using longer keys . . . with longer keys comes more overhead, and we're not any closer to a real solution to the encryption problem.

      Exponential systems cannot exist in perpetuity. We need to come up with a new system for encryption or have fewer secrets, I'm a fan of the latter.

  16. Truecrypt! by NitroWolf · · Score: 4, Informative

    I use Truecrypt to encrypt a partition on a drive and store all of my documents there. It's transparent to the user, once you've mounted your volume(s) and it's pretty danged fast, too. You can do encryption with Twofish, Serpent and AES or a cascading combination of them. Pretty damned secure, open source and free.

    You can even encrypt a whole device. If you do that, it just looks like a blank volume and a thief won't even know there is data on the volume to be decrypted.

    1. Re:Truecrypt! by mlts · · Score: 4, Informative

      TrueCrypt is an excellent program, the devs have put a lot of thought into every aspect of security. I use it for encrypting external drive volumes completely so if someone does a smash and grab on my stuff, they will end up with hardware, but the data is protected by a passphrase and a keyfile stored on the (WDE encrypted, using a hardware token) boot drive.

      The biggest thing to remember with TrueCrypt, if you lose the first 1024k or so of an encrypted volume, you have completely lost the volume because the first part contains the encryption key (or keys) for the rest of the data. ALWAYS back up the volume headers (they are encrypted with the same mechanism as the volume itself, so they just need to be stored safely) of all critical volumes.

      Of course there will be people saying that "I don't use encryption programs, I have nothing to hide." That is analogous to saying "Don't have a front door as you might have something to hide." It's not the governments these programs are for (most governments can obtain the decryption key via other means including a rubber hose), it's thieves. These days, TrueCrypt and other security programs are highly necessary to keep a $1000 laptop from becoming a loss of many thousands in ID theft.

  17. FDE works too.. by rickb928 · · Score: 2, Informative

    Most Thinkpads support something like Full Disk Encryption. Password in the BIOS, and you can't boot without it. The disk is literally unusable without the password.

    My gig at I%$&#, they had me write my FDE password down and give it to the nice Systems tech. That way, when I left, they could recover the disk and reissue the machine after the usual shredding and wiping.

    Without it, they would have to throw out the drive and buy a new one.

    And yes, you need to remember your password. This you write down and leave at home, or with the Keymaster in the office, or your boss.

    Honestly, this is not that hard.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:FDE works too.. by rickb928 · · Score: 2, Informative

      My understanding (and we grilled our supervisor on this one - he was good) is that flashing the drive would REQUIRE the password. But even if it didn't, the data is encrypted. If the password is on the drive firmware, flashing it would lose the password and woops, no data.

      This is the hardware encryption scheme - supposedly, even if you put the drive in another Thinkpad, that chip has a different hardware key and even the right password won't decrypt. So it encrypts data onto the drive.

      Yes, you could send it out to be extracted. Then go about breaking the key. We didn't get much guidance on the password, but mine was 8 characters and included upper/lower and symbols. It would be nontrivial to extract the drive and decrypt.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  18. Re:And it seems... by Creepy+Crawler · · Score: 2, Interesting

    I'm assuming high hostility against a federal machine. So, no, the host password will NOT be easily extracted. You know.. SysKey, encrypted ~/windows directory, encrypted user directories... Not fun. To combat that, you use an ICE. In Circuit Emulator.

    Next the VM... Yes, you could roll back the clock, but how would one prevent that simple of an "attack"? Record via signed encrypted file when the last time/date access was. Ok.. so now we can just 'freeze' the VM so restart starts with those very files at that exact time.

    The question is "How can we verify accurate and precise time in a VM?" The answer here is that the VM needs to have a secret that is shared with a trusted server, however one must also have trusted access to the CPU to verify that no tampering takes place during the critical connection. To combat replay attacks, the VM client could send a very fine granularity time (say HH:mm:ss:SSS) and request a response using this time. Any significant deviancy from this timebase would seal off the VM.

    --
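
The time check described in the last comment above (a secret shared with a trusted server, the VM's fine-grained timestamp used as the challenge, sealing on any significant deviation), sketched as an added example that is not part of the original thread. The secret, thresholds, message layout and function names are assumptions, and HMAC-SHA256 is a choice made here, not something the comment specifies.

```python
import hashlib
import hmac
import struct

# Assumptions for this sketch (not from the thread):
SHARED_SECRET = b"constructed-demo-secret"   # provisioned into both VM and server
MAX_SKEW_MS = 2_000                          # tolerated VM/server clock deviation
LEASE_MS = 7 * 24 * 3600 * 1000              # VM expires 7 days after issue


def _mac(client_ms: int, server_ms: int) -> bytes:
    """MAC binding the VM's challenge timestamp to the server's clock."""
    msg = struct.pack(">QQ", client_ms, server_ms)
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()


def server_respond(client_ms: int, server_clock_ms: int) -> dict:
    """Trusted server: echo the VM's timestamp and attach authenticated server time."""
    return {"client_ms": client_ms, "server_ms": server_clock_ms,
            "mac": _mac(client_ms, server_clock_ms)}


def vm_check(sent_ms: int, response: dict, issued_ms: int) -> str:
    """VM side: return 'ok' or the reason the VM should be sealed."""
    expected = _mac(response["client_ms"], response["server_ms"])
    if not hmac.compare_digest(expected, response["mac"]):
        return "seal: bad MAC"               # forged or altered reply
    if response["client_ms"] != sent_ms:
        return "seal: replayed response"     # reply was made for an earlier challenge
    if abs(response["server_ms"] - sent_ms) > MAX_SKEW_MS:
        return "seal: clock deviation"       # local clock rolled back or frozen
    if response["server_ms"] - issued_ms > LEASE_MS:
        return "seal: VM expired"
    return "ok"


if __name__ == "__main__":
    DAY = 24 * 3600 * 1000
    issued = 1_700_000_000_000               # constructed issue time (ms since epoch)
    vm_clock = issued + DAY                  # what the VM believes the time is
    # Honest run: server clock agrees to within 150 ms.
    print(vm_check(vm_clock, server_respond(vm_clock, vm_clock + 150), issued))
    # Host clock rolled back: the server says it is really day 8.
    print(vm_check(vm_clock, server_respond(vm_clock, issued + 8 * DAY), issued))
    # Old reply replayed against a new challenge sent 5 seconds later.
    old = server_respond(vm_clock, vm_clock + 150)
    print(vm_check(vm_clock + 5_000, old, issued))
```

Because the challenge is only a timestamp, a VM restored to the exact same millisecond would accept a captured reply; adding a random nonce to the MAC input closes that gap.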