Handling Corporate Laptop Theft Gracefully
Billosaur writes "From NPR, we get a Marketplace story about the theft of corporate laptops and the sensitive data they may contain, specifically how to handle the repercussions. From the story: 'TriWest operates in about 21 states. It's based in Phoenix, Arizona. In December of 2002, somebody broke into the company's offices and stole two computer hard drives. And those hard drives contained the personal information of 550,000 of our customers from privates in the military all the way up to the chairman of the Joint Chiefs of Staff.' How they handled the situation earned them an award from the Public Relations Society of America."
Encrypt the disks. (Score:4, Informative)
Re:Encrypt the disks. (Score:2)
Re:Encrypt the disks. (Score:4, Interesting)
Re:Encrypt the disks. (Score:2)
Keeping all of the files on a networked filesystem via an encrypted channel that is backed up, redundant and secure.
Who in their right mind keeps important files on a laptop? Especially if those files are valuable to those outside of the organization that owns the laptop.
Re:Encrypt the disks. (Score:3, Funny)
XOR the data with itself. Since the key is the same length as the data, cryptanalytic attacks don't apply. Anyone who doesn't have the data, by definition, doesn't have the key. The ciphertext contains no clues to the plaintext and, in contrast to most crypto systems, is highly compressible. An additional convenience is that you can generate the ciphertext from one of the standard special devices without even needing the plaintext.
Some might argu
Re:Encrypt the disks. (Score:2)
~Rebecca
Re:Encrypt the disks. (Score:2)
Re:Encrypt the disks. (Score:2)
There, problem solved.
Re:Encrypt the disks. (Score:2)
I didn't think any encryption was perfect.
Well, not unless the key is as long as the data. If it is, then you can prove that the encryption is perfect.
In practice, though, the imperfect crypto that we have is damned good, and if you do encrypt your disks with something decent you can quite safely assume that no one who grabs the disks can read the data, as long as they don't have the resources of a major world government available to them (and maybe even if they do). If you're worried about whether
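The "key as long as the data" claim above is the one-time pad. The following is an added example written for this thread (not code from any poster) that shows the two halves of that claim in working form: for a key as long as the message, any same-length plaintext is an equally valid decryption of the ciphertext, so the ciphertext proves nothing; and as soon as a pad is reused the key cancels out and the proof no longer holds. The messages and keys are constructed sample values.

```python
"""One-time pad: why a key as long as the data gives provable secrecy,
and why anything less (here, a reused pad) does not.
Example code added to this thread; messages and keys are constructed."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # The pad must cover every byte; a shorter key is not a one-time pad.
    if len(a) != len(b):
        raise ValueError("one-time pad key must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, key)


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, key)


def key_that_explains(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """For a given ciphertext, every plaintext of the same length is produced
    by some key. That is the perfect-secrecy argument: with a uniformly random
    pad, the ciphertext cannot rule out any message."""
    return xor_bytes(ciphertext, candidate_plaintext)


def reused_pad_leaks(c1: bytes, c2: bytes) -> bytes:
    """Two messages under the same pad: c1 XOR c2 equals m1 XOR m2, with the
    key gone. The effective key is now shorter than the data, and the
    'perfect' guarantee is lost."""
    return xor_bytes(c1, c2)


def demo() -> bytes:
    msg = b"ATTACK AT DAWN"
    key = os.urandom(len(msg))          # constructed: fresh random pad
    ct = otp_encrypt(msg, key)
    assert otp_decrypt(ct, key) == msg

    # Any other 14-byte message decrypts ct equally well under some key.
    alt = b"RETREAT AT SIX"
    k2 = key_that_explains(ct, alt)
    assert otp_decrypt(ct, k2) == alt

    # Reusing the pad for the second message leaks m1 XOR m2.
    ct2 = otp_encrypt(alt, key)
    assert reused_pad_leaks(ct, ct2) == xor_bytes(msg, alt)
    return ct


if __name__ == "__main__":
    demo()
```

The practical caveat the post goes on to make still applies: nobody ships a pad as long as a hard drive, which is why real disk encryption relies on ciphers that are computationally rather than information-theoretically secure.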
Re:Encrypt the disks. (Score:3, Interesting)
A laptop thief isn't going to spend 3 months and 10,000 distributed computers to crack your laptop. Well... Maybe... If he thinks it was really critical, but chances are he might just format the drive and sell it at a pawn shop.
Re:Encrypt the disks. (Score:2)
In many cases true, but if you had sensitive (we're talking geopolitically sensitive, not credit-card and Social Security numbers sensitive) then such an assumption might be unwarranted and a very bad idea. Certainly it's not a chance that I want people taking if I was in a position of responsibility.
Re:Encrypt the disks. (Score:2)
Your common grab-and-run thief will still simply format the drive and pawn the computer.
-nB
Re:Encrypt the disks. (Score:2)
Re:Encrypt the disks. (Score:2)
A laptop thief isn't going to spend 3 months and 10,000 distributed computers to crack your laptop.
If three months and 10,000 computers is enough to break the encryption, you should have used better encryption. It's easily available.
Re:Encrypt the disks. (Score:2)
Yeah. 10k systems is the average size of a botnet.
And crypto that can be cracked in 3 months by 10k systems is horrendously weak. Single DES wouldn't fall that fast (though it can be brute-forced faster with special-purpose hardware).
Re:Encrypt the disks. (Score:2)
Exactly. Thieves are usually looking for fast money. If the data is easy to get, they get it. If it's not, then they aren't going to waste their time and maybe expose themselves as the thieves when they can hock a quick bit of change and move on to the next target of opportunity.
There are several dissertations easily found through Google about making boot media (such as a USB memory stick) with a really good key for the disk drive itself,
Re:Encrypt the disks. (Score:2)
I didn't think any encryption was perfect. So what happens if they do encrypt the disk and the drive gets stolen.
Let me get this straight. There are two scenarios: leaving the disk unencrypted, and encrypting it. Under scenario 1, if the laptop is stolen, the thieves have free access to all the info on the hard drive. Under scenario 2, the thieves have potential access to all of the info on the hard drive, but only if they break the encryption.
Are you arguing that scenario 2 is no better than scenar
Re:Encrypt the disks. (Score:5, Insightful)
Do not store sensitive data on a laptop.
Re:Encrypt the disks. (Score:3, Insightful)
I don't know what world you live in, but people need access to sensitive data on their laptops -- especially if they are in an area that doesn't have internet / communications availability.
You can take precautions such as encrypting the disk -- but many people can't do their jobs without access to that information.
Before computers, people often put files in their cars, or carried pen / pencil notebooks. The requirements to have that information available away from the office haven't chan
Re:Encrypt the disks. (Score:5, Insightful)
You can take precautions such as encrypting the disk -- but many people can't do their jobs without access to that information.
Before computers, people often put files in their cars, or carried pen / pencil notebooks. The requirements to have that information available away from the office haven't changed.
I know what world you live in. It is the world of video games and powerpoint presentations with cute little pie charts.
In the 60s (the 40s and 50s were before my time) we got access to sensitive data by going to the office, passing an armed guard, signing in and sometimes using several keys or typing in combinations to get into certain rooms. Yes, you could take notebooks (paper ones) and pens and pencils with you in your car. You might also take a printout or so with sensitive data from one place to another, but that was pretty rare. There were telecommunications back then and you could even get to your data over those links, which were a lot more secure than today's WiFi and dial-up.
What changed is that computers became toys, and many of the people using them now know nothing about the underlying technology other than it's easier than using an adding machine. Ninety nine percent of the problem is that the boobs entrusted with these toys didn't take even common sense precautions with the physical security of the devices. Given the mindset of such people, there is zero hope that they would know enough to take the proper electronic precautions.
I maintain that if the data is REALLY important, and that includes all the examples given above, the proper way to use a laptop is as a dumb terminal with a highly encrypted communications link back to the actual data. Such a link can happen over the Internet, or via a satellite link. There is really no excuse for carrying such data around, in the past, now, or in the future.
Re:Encrypt the disks. (Score:2)
There is no network in most nursing homes, and most hospitals won't allow their doctors (or any staff) direct access to the internet and the ability to run something like TightVNC & SSH. A physician who downloads their currently hospitalized / nursing home bound patient charts to their laptop has no other wa
Re:Encrypt the disks. (Score:2)
No, I'm pretty sure that you _can_ run OpenBSD on a laptop.
Re:Encrypt the disks. OR don't use laptops (Score:1)
But, first I have to ask: why on earth is this data on a laptop?
I mean, really! This is health-care data for top military officials! Who needs to take that data on the road with them? Encrypt, stick it in a secure database, on a server in some closet in HQ. At least make it take effort to get at, no?
Re:Encrypt the disks. (Score:2, Interesting)
Re:Encrypt the disks. (Score:2)
If the data is on an encrypted disk, does the thief really have the data if they steal the encrypted disk?
Re:Encrypt the disks. (Score:5, Insightful)
Yes. Because the thief may be able to decrypt the data because they also copied down the password/key that was on a post-it note hidden under the keyboard of the computer. Or they might exploit a flaw in the encryption. Or they manage to socially-engineer access to the key needed to decrypt the data. Or they might have installed a key-logger to get the key and then came back a week later to get the drives too.
Re:Encrypt the disks. (Score:2)
OT: Moderation (Score:1, Insightful)
WTH are
Re:OT: Moderation (Score:2)
No, I expressed an opinion. If I set the moderation agenda, I wouldn't have to say anything, would I? I'd just cancel the moderation.
I disagree. An "Insightful" moderation and a "Funny" moderation both carry a +1. They may affect the score in the same fashion, but when I see a +5 funny post I expect to read something that
Re:Encrypt the disks. (Score:1)
Re:Encrypt the disks. (Score:2)
Doesn't seem like that would be a solution for the server drives stolen for this article.
You either have to key in a password on any power-up, or have some device authorizing on boot. I guess if you're running multiple distant-site redundancy you could have it retrieve the password across the network somehow, so its authentication could be pulled if you lost just one server...
For valuable data, it seems like physical security of something that does the unlocki
Re:Encrypt the disks. (Score:2)
Now,
Works of fiction may not offer the best advice (Score:2)
Works of fiction may not offer the best advice; real world, meet artistic license. People have tried to erase disks with degaussers, bulk video tape erasers, etc. without success.
Handling Corporate Laptop Theft Gracefully (Score:5, Funny)
Tip 1: When you make your getaway, float above the carpet like a feather caught in the wind.
Tip 2: If you encounter security or other obstacles, aim for the biscuits.
Tip 3: Make sure you check the laptop for any homing devices that will help them track you down.
Tip 4: The password is usually the username with 123 at the end or their children's ages.
Tip 5: Get the evidence out of your hands as quickly as possible to beat the feds.
Tip 6: Relax and enjoy reading the next day's headlines on Slashdot about stolen private information.
Re:Handling Corporate Laptop Theft Gracefully (Score:2)
Handling Secure Data Loss Gracefully (Score:3, Interesting)
Handled Pretty Well (Score:4, Interesting)
I actually listened to this story last night on the way home (or the day before, can't remember). Anyway, at first I was shocked when I heard the intro, they lost all this sensitive data, did some stuff and then won a PR award. If the actions they took were so great shouldn't they have won some sort of privacy award. Winning a public relations award makes it sound like you did a great job covering it up. But actually listening to the story I found that they really did handle it in a great way for their customers.
Whole Disk Encryption vs. File/Directory (Score:2, Interesting)
Don't know the windows side.. (Score:2)
Individual directory/file encryption is important for multi-user workstations/servers, where you have to worry about other users getting the files when owner is not logged in. encfs and the like provi
Re:Whole Disk Encryption vs. File/Directory (Score:2, Informative)
Re:Whole Disk Encryption vs. File/Directory (Score:2)
Short of that, storing important information on encrypted disk images goes a long way towards solving the problem, though.
Re:Whole Disk Encryption vs. File/Directory (Score:2)
I use disk encryption on my notebook through IBM's TPM setup, and then I run container encryption on-disk for two reasons. First reason: I have top-security documents on my machine. They are encrypted, and I must access a server to obtain a decryption key every time I want to view them. The encryption is by authentica. I do not trust this encryption, t
Re:Whole Disk Encryption vs. File/Directory (Score:3, Insightful)
Would your life be a lot simpler if you stored only company data on the company laptop and non-company data on a non-company laptop/storage device???
Re:Whole Disk Encryption vs. File/Directory (Score:2)
Why do I think that if your work is as confidential as you say it was, and you're going to the obvious effort to ensure its sanctity as best you possibly can, that there would not be a clause somewhere that mentioned your use of company resources for personal purposes, and that I
Re:Whole Disk Encryption vs. File/Directory (Score:2)
Re:Whole Disk Encryption vs. File/Directory (Score:2)
Beat that. Hah !
Re:Whole Disk Encryption vs. File/Directory (Score:2)
Re:Whole Disk Encryption vs. File/Directory (Score:2)
Re:Whole Disk Encryption vs. File/Directory (Score:2)
Re:Whole Disk Encryption vs. File/Directory (Score:2)
Re:Whole Disk Encryption vs. File/Directory (Score:2)
Quite impressive... (Score:4, Funny)
You mean they handled the situation (and the laptop) with a single three-fingered hand [publicradio.org]? That is quite impressive.
Creepy though.
Marketplace != NPR (Score:2, Informative)
Re:Marketplace != NPR (Score:2)
Re:Marketplace != NPR (Score:2)
Re:Marketplace != NPR (Score:2)
Re:Marketplace != NPR (Score:2)
Re:Marketplace != NPR (Score:2)
Perhaps not the worst faux pas I have ever made, but certainly an honest mistake. I am fully aware that NPR does not produce Marketplace, but NPR does carry the show, and I should have indicated it that way, or mentioned American Public Media. Guess I have to turn in my Guy Noir trenchcoat now.
Explosives (Score:5, Funny)
Not to stop the criminals.
For the entertainment value
Re:Explosives (Score:2)
Actually, believe it or not, as scary as this sounds, it's more like if, not when.
Sure, the TSA has sensors that can check for certain high-order explosives (including RDX, aka cyclonite, the main explosive ingredient of Composition C4) but it's not whether or not the sensors detect it, it's whether or not the TSA employees bother to check.
My wife once worked as an undercover security empl
Re:Explosives (Score:2)
Re:Explosives (Score:2)
Cops and Stolen Laptops (Score:2)
Re:Explosives (Score:2)
Conscientious Capitalism (Score:4, Insightful)
Re:Conscientious Capitalism (Score:2, Funny)
100% Troll
I guess the PR of the Year Award comes with a free subscription to AsTrollTurf Inc.
Re:Conscientious Capitalism (Score:2)
100% Troll
AsTrollTurf Inc is committed to consistency, if not to quality.
visible security as PR? (Score:2)
consider Israeli airlines... when was the last time they got hijacked or blown up? The Israelis take security very seriously, and a lot of it is not visible at the airport, it's behind the scenes... such as depressurizing baggage, well trained plain-clothes security on board... it costs a lot of money, much more than a few smartly dressed low-pay security guards at a screening desk.
contrast this with other airlines - it's all about making people feel confident.
similar, corporate
Re:visible security as PR? (Score:2)
As usual, the best practice is real security, with tasteful promotion that people can trust as much as the security itself.
Re:Conscientious Capitalism (Score:2)
bad headline (Score:2, Insightful)
Encryption? Priceless. (Score:5, Interesting)
Not only do we encrypt EVERY laptop, regardless of if we think it contains PHI; theft of desktop equipment has prompted us to encrypt EVERY desktop, regardless of if we think it may contain PHI. We also encrypt and monitor every PDA (including phones with sync).
The software: Millions of dollars.
Support: Millions of dollars.
Not being sued in California for losing PHI: Priceless.
Re:Encryption? Priceless. (Score:3, Informative)
http://www.guardianedge.com/ [guardianedge.com]
I'm quite pleased with the encryption product itself, but the guys who package their MSIs need shot
Interesting theft (Score:2, Interesting)
Corporate policies needed (Score:5, Funny)
There's very little you can do after the fact (though the C4 idea above was cute). The key is to do what somewhere I once worked did: make sure that there are effective corporate policies in place long beforehand to make sure that laptop thieves don't profit when they get their hands on sensitive information.
For example:
With a few simple precautions like these, you can be sure that the bad guys may steal the laptop, and the data, but they won't have any more idea what to do with it than you do.
--MarkusQ
Crypto! (Score:2)
Re:Crypto! (Score:2)
Re:Crypto! (Score:2)
Re:Crypto! (Score:2)
I work with some very smart people, but they don't know much about computers
why is computer-theft still an issue? (Score:5, Interesting)
all 'interesting' files are inside AES256 encrypted container-files which are mounted via loop-devices.
if, for some reason, a server or machine reboots, it asks the next higher server for the password it needs to decrypt itself via an encrypted network connection. if a machine is reported as stolen, the server that has the task of sending the passwords gets advised of this, and simply won't send the corresponding password anymore. the peak of this pyramid of trusted machines is an off-site server far, far away. thus, if the hierarchy is broken (e.g. by computer theft) anywhere along the way, it's a matter of seconds to render all information contained on the stolen machine completely useless.
if i came up with this, surely the admins of REALLY important data can?
Re:why is computer-theft still an issue ... replay (Score:2)
So, break in, disconnect and reconnect network (with packet sniffer in place); steal computer, replay packets, copy decrypted data
???
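The boot-time key release sketched a few posts up (a machine fetching its disk passphrase from an upstream server, with the server refusing once the machine is reported stolen) and the replay objection just above are two sides of the same design question. The example below is added for this thread and is not any poster's code: it models that key-release server and adds the one control the replay objection calls for, a server-chosen, one-time, expiring challenge that each request must answer with an HMAC over a per-machine enrollment secret. Captured packets then fail on replay because the nonce is already consumed, and a stolen machine fails because it is refused a new challenge. Machine names, secrets and keys are constructed sample values; as in the original description, the transport is assumed to be an encrypted channel, which this code does not implement.

```python
"""Replay-resistant boot-time key release with revocation of stolen machines.
Example added to this thread, not code from any poster. Identifiers, secrets
and keys are constructed; the network transport is assumed encrypted."""
import hashlib
import hmac
import secrets
import time


class KeyServer:
    def __init__(self, clock=time.time, challenge_ttl=30):
        self.clock = clock                  # injectable for testing expiry
        self.challenge_ttl = challenge_ttl  # seconds a challenge stays valid
        self.machines = {}                  # machine_id -> (shared_secret, disk_key)
        self.stolen = set()                 # machines reported stolen
        self.pending = {}                   # nonce -> (machine_id, issued_at)

    def enroll(self, machine_id, shared_secret, disk_key):
        self.machines[machine_id] = (shared_secret, disk_key)

    def report_stolen(self, machine_id):
        self.stolen.add(machine_id)
        # Invalidate any challenge still outstanding for that machine.
        self.pending = {n: v for n, v in self.pending.items() if v[0] != machine_id}

    def challenge(self, machine_id):
        """Step 1: the server picks a fresh nonce. A replayed request cannot
        reuse an old one, and a stolen machine gets none at all."""
        if machine_id not in self.machines or machine_id in self.stolen:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (machine_id, self.clock())
        return nonce

    def release(self, machine_id, nonce, tag):
        """Step 2: hand out the disk key only for a live, unconsumed challenge
        answered with a valid MAC under the machine's enrollment secret."""
        entry = self.pending.pop(nonce, None)   # one-time: consumed on first use
        if entry is None:
            return None
        owner, issued = entry
        if owner != machine_id or machine_id in self.stolen:
            return None
        if self.clock() - issued > self.challenge_ttl:
            return None
        shared_secret, disk_key = self.machines[machine_id]
        expected = prove(shared_secret, machine_id, nonce)
        if not hmac.compare_digest(expected, tag):
            return None
        return disk_key


def prove(shared_secret, machine_id, nonce):
    """Client side: bind this challenge to the machine's enrolled secret."""
    return hmac.new(shared_secret, machine_id.encode() + nonce, hashlib.sha256).digest()


def boot_sequence(server, machine_id, shared_secret):
    """What a machine does on reboot; returns the disk key or None."""
    nonce = server.challenge(machine_id)
    if nonce is None:
        return None
    return server.release(machine_id, nonce, prove(shared_secret, machine_id, nonce))


def replay_scenario():
    """Capture one legitimate exchange, then replay it as the objection describes,
    then try a fresh boot after the machine is reported stolen."""
    server = KeyServer()
    secret, disk_key = secrets.token_bytes(32), secrets.token_bytes(32)
    server.enroll("fileserver-03", secret, disk_key)          # constructed machine
    nonce = server.challenge("fileserver-03")
    tag = prove(secret, "fileserver-03", nonce)
    first = server.release("fileserver-03", nonce, tag)       # legitimate boot
    replayed = server.release("fileserver-03", nonce, tag)    # same packets again
    server.report_stolen("fileserver-03")
    after_theft = boot_sequence(server, "fileserver-03", secret)
    return first == disk_key, replayed, after_theft


if __name__ == "__main__":
    print(replay_scenario())   # (True, None, None)
```

The design choice worth noting is that the server, not the client, supplies the freshness: a client-chosen timestamp or counter can be forged or advanced by whoever holds the captured traffic, whereas a server-issued nonce consumed on first use cannot be replayed even if the encrypted channel itself were broken. The remaining exposure, a stolen machine whose enrollment secret is extracted before the theft is reported, is exactly the window the original poster's "matter of seconds" claim depends on.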
Foreign Intelligence Operation? (Score:5, Interesting)
Re:Foreign Intelligence Operation? (Score:2)
What you just described would not have been a professional job. A profe
Re:Foreign Intelligence Operation? (Score:2)
Dell Ownership Tag (Score:2)
Compaq and I would assume the other major companies have this as well.
hardware.slashdot.org??? (Score:2)
Re:Wrong, wrong, wrong... (Score:1)
Re:Wrong, wrong, wrong... (Score:5, Funny)
Remember kids
Red Dawn + Bluethunder = Purple Rain
You should be thankful. (Score:2)
I was not so fortunate and read comments such as this:
Okay, I believe that "When the information theft occurred against my company" can be translated into "W
Re:You should be thankful. (Score:2)
'something' = 'and I learned state and federal identity theft laws were a joke'
Re:Worst. Article. Ever. (Score:5, Informative)
From the original article:
"This is Jonathan Zittrain, a co-founder of the Berkman Center for Internet and Society at Harvard Law School. He says he's not surprised that all of this information is walking around on portable computers. People want to be productive on the run, he says. But he says there are pretty sure-fire ways to protect sensitive information. Like, encrypting it, or leaving the data on the main server and remotely tunneling through the Internet to work with it."
Way to declare this the "worst article ever" in the same post you brazenly declare you didn't read it, by the way. A bold move, even by Slashdot standards.
Re:Aack! Just buy a Mac already! (Score:2, Informative)
Re:Aack! Just buy a Mac already! (Score:2)
Meaning, every time I want to look at a file I need to enter a key?
when I transfer a doc off my computer onto a network, is it encrypted on the network?
Re:BS (Score:2)
Bush quit eating cookies, drinking alcohol, doing cocaine, AND taking things offered by Satan when he was "born again".
Give the guy a break!
Re:BS (Score:2)
The Silver Anvil Awards program has grown in scope and stature since its inception in 1946, and awards are now given in 56 categories and subcategories. To date, more than 1,000 organizations have received
Re:What about external HDs? (Score:2)
Re:What about external HDs? (Score:3, Interesting)
Isn't that exactly why the external hard-drives are more prone to being stolen?
but rarely, due to training, do we find an unattended hard-drive
If your training works, why not just train them not to leave laptops unattended?
Your post raises another interesting point, though: what if people use internal hard drives, encrypted, but a user brings in their own external drive? That seems like a potential security flaw waiting to ha
Re: (Score:2)
Re:Why store data on laptop at all? (Score:5, Interesting)
Re:Why store data on laptop at all? (Score:2)
Well there has to be some place to assemble the data again, unless it is in long term storage.
The security here depends on the motives of the thief, if the prize is a laptop to pawn then encryption is probably a big enough deterrent to stop them getting at the data. The laptop will be formatted and pawned/ebayed.
If data is the prize of the thief, then they will p