Slashdot Mirror

← Back to Stories (view on slashdot.org)

TSA to Contractors - Encrypt Your Laptops

Posted by Zonk on from the probably-a-good-idea dept.

eweekhickins writes "After two laptops were lost containing the personal data of 3,900+ truckers who handle HAZMATs, the Transportation Security Administration has ordered its contractors to encrypt any and all data. 'After the second theft or loss, the TSA conducted an IT forensic investigation that ascertained that the (previously) deleted information could be retrieved if a thief had the proper training. "So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place," Davis said.'"

13 of 132 comments (clear)

  1. Overheard conversation by postbigbang · · Score: 5, Funny

    "No, not the keys to the truck and trailer, I need the damn keys to the laptop!"

    --
    ---- Teach Peace. It's Cheaper Than War.
    1. Re:Overheard conversation by TechwoIf · · Score: 3, Interesting

      That would be funny if it did not actually happen to me. I drive a truck and cross the boarder to Canada and back to the USA. I was literally asked for the keys to the laptop by customs.

  2. Not Enough by s31523 · · Score: 5, Interesting

    OK, so I have my Open Office document with goodies of HAZMAT data in it. I deploy my favorite encryption program and encrypt the document. Then I delete the original document. Same problem exists. Encryption is not enough.

    Either the data needs to be "shredded" or stored in it's natural form on a fully encrypted volume.

    1. Re:Not Enough by ic3scrap3r · · Score: 3, Informative

      Full Disk Encryption. That is the only answer. Otherwise you are relying on the user to make security decisions and they don't understand security.

      Full Disk Encryption is just that. It encrypts the entire thing and requires pre-boot authentication. Even the OS is encrypted.

  3. Re:It's always sad by Volante3192 · · Score: 3, Interesting

    "Reactive"

    It's more likely it was pitched, but either for cost or time, management probably shot it down. Never mind there've been high profile laptops missing all over, like the VA one. Being naive, I would wager that the IT department would like to lock down the systems as tight as possible (I know I would) but are being thwarted by management becaue it'd make things too hard, too different, or cost too much.

    It's always after the sole data server blows up that they decide "oh, guess that backup option would've been worthwhile." (Had this happen too. Financial data, customer data, and no paper trail. But the tape drive cost 'too much'.)

  4. You can't believe how sad... by WED+Fan · · Score: 3, Insightful

    That these kind of measures are retroactive instead of proactive.

    Yeah, I installed TruCrypt today so I could encrypt my drive yesterday.

    Uh, dude, I think you mean "reactive".

    --
    Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
  5. "Only a small chance"? by Opportunist · · Score: 3, Informative

    Be serious here!

    You steal a laptop. If you're not a complete dimwit, you first of all check what you got. So you boot the thing up and notice that you have a government laptop in your hands.

    Question for 100: Do you want to know what's on it? Let's even assume you don't know jack about computers, but do you want to know what's on the box?

    Now, it's fairly trivial to get information out of a hard drive and restore deleted information (unless it's been overwritten, where it becomes less trivial). A halfway informed person with a bit of knowledge is enough, you don't need a forensic expert. All you need is the usual program(s), downloadable at leisure. And presto, instant information recovery.

    The question is not whether information can be gained from the laptop, the only question is whether the thief has the brains to use it. That he has access to it without any hassle is a given. The only thing that matters is whether he knows a fence for information rather than just hardware.

    And yes, those people exist...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Now that got me thinking by suv4x4 · · Score: 3, Insightful

    So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place

    The data that goes out, why spend incredible efforts tracking every action of the victims in case it's a fraud.. versus, invalidating the data that went out?

    Your social security number was leaked because of the government? The government changes your social security number, fixes their data, and the old one remains as a trap waiting for some fraudster wanna be try and use it.

  7. Effective solutions? by WPIDalamar · · Score: 3, Insightful

    Are there any real-world effective laptop encryption solutions?

    Encryption requiring a simple password:
        They key space will be limited making for easy cracking.

    Encryption requiring a sufficiently complex password to avoid above:
        The password will be too hard to remember so people will write it down... on a sticky note on the laptop.

    Encryption requiring an external device to supply complex key:
        This will fail because many people will either attach the device to the laptop, or keep it in the same bag as the laptop.

    I guess the simple password solution is the best since it would at least require a degree of technical expertise from the thief to get around.

  8. Truecrypt! by NitroWolf · · Score: 4, Informative

    I use Truecrypt to encrypt a partition on a drive and store all of my documents there. It's transparent to the user, once you've mounted your volume(s) and it's pretty danged fast, too. You can do encryption with Twofish, Serpent and AES or a cascading combination of them. Pretty damned secure, opensource and free.

    You can even encrypt a whole device. If you do that, it just looks like a blank volume and a thief won't even know there is data on the volume to be decrypted.

    1. Re:Truecrypt! by mlts · · Score: 4, Informative

      TrueCrypt is an excellent program, the devs have put a lot of thought into every aspect of security. I use it for encrypting external drive volumes completely so if someone does a smash and grab on my stuff, they will end up with hardware, but the data is protected by a passphrase and a keyfile stored on the (WDE encrypted, using a hardware token) boot drive.

      The biggest thing to remember with TrueCrypt, if you lose the first 1024k or so of an encrypted volume, you have completely lost the volume because the first part contains the encryption key (or keys) for the rest of the data. ALWAYS back up the volume headers (they are encrypted with the same mechanism as the volume itself, so they just need to be stored safely) of all critical volumes.

      Of course there will be people saying that "I don't use encryption programs, I have nothing to hide." That is analogous to saying "Don't have a front door as you might has something to hide." Its not the governments these programs are for (most governments can obtain the decryption key via other means including a rubber hose), its thieves. These days, TrueCrypt and other security programs are highly necessary to keep a $1000 laptop from becoming a loss of many thousands in ID theft.

  9. Re:It's always sad by Chris+Mattern · · Score: 4, Funny

    If they could actually take retroactive measures, they'd be much happier. "Johnson, I need to secure that data so that it didn't get stolen three days ago!"

    Chris Mattern

  10. Re:It's always sad by mlts · · Score: 3, Insightful

    I keep wondering, if the data is that sensitive, IT departments should have it physically never leave the data center. Instead, offer different means of access via secure means, such as Remote Desktop, ssh, a secure webapp available after connecting to a VPN, or some other means of accessing the data and gathering reports from remote. Keep the data available, but have it physically reside in the (relatively) secure environment of the data center.

    If someone needs offline access (for example in a remote location with no Internet access), that is a different story, but in a number of laptop theft cases, there is no real reason the info is physically sitting on the laptop.

    Of course, this won't prevent an employee from doing an export of all the tables to their laptop, but having the sensitive data behind a username, password, and a SecurID token means that the losses due to a stolen laptop will be minimal. Add a decent FDE program (BitLocker is decent because it doesn't get in the way of users, provided they can access their user), and a laptop loss can be written off as "just" hardware.

    A number of Dell laptops and desktops have the ability to have CompuTrace installed in the BIOS. This is another good tool to help find stolen goods.

    By using the tools out there, from WDE, to having data physically residing on a different location (although there are cases where this isn't possible), to CompuTrace, damage done from a stolen laptop can be greatly mitigated.