Laptop Lojack

  • Laptop Lojack

    With all of the data issues that have been in the news in the past year, this is a good idea. Not just having encryption, but also a way that can disable the laptop or trace it so it can be recovered. It's similar to software that was available on some Macintosh PowerBooks that will send messages to a service and allow the laptop to be traced. There are also capabilities for encryption and file deletion.

    What I like about the file deletion options is that they work in the absence of an Internet connection. Meaning that if the thief boots the machine, but doesn't access the Internet, something that could happen, the machine will still start deleting files after a set period of time.

    While these are good ideas, and will help protect data from accidently release, they don't help targeted theft. Most people steal a laptop to sell it, so the data on it is a bonus. If the data deletes itself, the thief can still sell it, and everything works as it should, except for the theft of course.

    But targeted theft, when a thief specifically targets a laptop for a company, like a CPA's laptop when they know that some work is being done, can easily foil these mechanisms. In these cases the criminals would just move the hard drive to another machine, boot that machine and access the data from another machine. They could even brute force the encryption schemes and recover the data.

    That's the problem with these schemes. They all depend on the laptop being booted. A true kill switch would receive a satellite signal that could be sent when the laptop is stolen and it would wipe data without even being booted. Now that would be a great step for people that must carry sensitive data.

    Then our big problem would be accidently release of the wrong signal. Guess we're be way more diligent with backups if that system was in place.

    Steve Jones

  • Sometimes you don't have to be too smart to out-think the criminals. I used to work at a University in the North West of England. We had a break-in in the network engineers room downstairs. The police turned up, and commented that the criminals had really 'turned the room over'. The technicians then pointed out that the room normally looked like a storeroom for piles of tools, cable and pieces of defunct electronic equipment, and that in fact, the thieves had only taken the laptop.

    It all ended well anyhow, when one of the technicians went to buy his lunch, he spotted the laptop in the window of the electrical shop down the road. Subsequent investigation showed that it still had the data on the hard disk intact.

    More seriously though, I was robbed of my laptop at knifepoint in my car, when I stopped at Traffic lights one day. I have to admit I was more concerned that the thieves had my organiser and driving licence than the laptop.

    David

    If it ain't broke, don't fix it...

  • Technology is a wonderful thing, especially if it stops people from asking and/or answering hard questions, like what the h*** were all those VA records doing on an employee laptop in the first place? Have these people never heard of networks and VPNs and such? Is the work so crucial and the employee so deep in the woods that there is no other choice? I hardly think so.

    Certainly there will always be data of a sensitive nature on virtually every electronic device. I, too, would consider a contact list sensitive information. And we are fortunate that there are solutions that can help keep such data from falling into hands where it doesn't belong. But I fail to see where that absolves companies and governments from taking very basic precautions. If all that VA data had not been on that laptop, it could not have been stolen and perhaps compromised.

    ------------
    Buy the ticket, take the ride. -- Hunter S. Thompson

  • Every time I hear about a lost laptop I wonder when it became common practice to put highly sensitive data in a portable device. To me, it seems unforgivable for any company to allow customer data to be floating. This seems especially odd to me when in many cases the excuse for the data being on the laptop is flimsy at best. Even when we hear the "auditor lost laptop" excuse, it seems to me that if I ran a billion dollar enterprise, even a third party auditor would have some policy governing the portability of my sensitive financial data. Then again, perhaps I'm just too old-fashioned in my view that data management is a management exercise rather than a shot in the dark.

  • I agree with Frank. My laptop contains very little of use to a potential data thief. The hard disk is password protected. So

    The hard drive itself is encrypted and as the first stage of booting requires a password. That password is different from the hard drive password. Assuming the NSA crack both passwords what will they find on my laptop... not much, white papers on the newest and greatest products and similar fluff. Oh right they will also find a VPN software and a RDP shortcut on my desktop. So once they crack the VPN password, they can then RDP to my desktop computer at work and enter it's password and help themselves to the data..... I wish them luck.

    In my laptop I have a sierra air card so I can connect to the company VPN almost anywhere / anytime. Yes it's a expense, Yes it's a pain having 4 different passwords, But It won't be me , or the company I work for that will have to explain to a client how we lost their data.

    IMO there is no excuse, except it's cheaper and more convenient to be insecure. I am not a fan of big government, but would dearly love to see them make a financial incentive to convince companies that if they want to save money and not properly secure sensitive info, then they will pay. At this point it's just good business practice to loose client data over spending the money to avoid it happening. hell if there is a data leak, it's a one day wonder, and you might have to contract for some credit monitoring , (for less than the cost of the needed infrastructure to have prevented the loss). The other problem of course is the manager who knows it all and can’t be bothered with different passwords and those other silly ideas that the security geeks try to foist on them…. Well you might sort of compare their complaining to that for CFO and CEOs before Enron, when it came to taking financial responsibility. Now that there is a real and measurable responsibility and penalties if they allow wrongdoing to occur, there cannot be too much security around financial transactions and documents. … LOL apply the same kind of penalties on both a personal and company / gvmt level and you will suddenly see these data leaks stop

    Just my 2.4 cents Canadian ( 2 cents US currency)

  •  In these cases the criminals would just move the hard drive to another machine, boot that machine and access the data from another machine. They could even brute force the encryption schemes and recover the data.

    With proper encryption (using vetted algorithms) brute force should not be a serious threat, well beyond the capacity of lone, or often even corporate thieves (there was a recent case mentioned on Schneier's blog) where a person being investigated for a crime had the hardware password (apparently encryption was not used) bypassed by police but neither police nor the FBI successfully decrypted files that were software encrypted)

    File deletion is not so effective as encryption, because to really delete the files the disk would need to be wiped which would take significant time. By powering down the drive, the thief can forstall this till it gets on a workbench. Encryption, however protects the files immediately, and disassembly is of little use.

    Of course this does little against the hardware thief (the far more common problem), and I'm not sure that a remote kill switch would really be workable.

     

     

    ...

    -- FORTRAN manual for Xerox Computers --

  • Amen on the data security and data responsibility measures that we'd all like to see companies implement!

    I'm not sure that we could rely on even a firmware-based "lo|jack" system because any function of deleting the data would still require more than a little battery power... Spinning those disk heads requires energy, but even when we switch to flash-based drives (soon I hope!), it'll still require some juice. When I'm traveling (which is where it's most likely to be stolen), my Tablet PC is usually pretty close to a dead battery a lot of the time.

    In the targeted theft case, defeating a satellite-triggered data bomb would be as trivial as removing the battery or the hard drive (or hiding inside a Faraday cage while transferring the data to a flash drive -- most any underground parking garage will do).

    The best defense is to make the mobile unit just an access mechanism, a window into the corporate network, not a data container. An ounce of prevention and all that...

  • The problem isn't really loading data on unsecured devices, but inside jobs. The corrupt DBA or system admin or whatever can do a heckuva job, much worse than any laptop.

    When it comes to security, the question is always "what's good enough". You can never have perfect security, in any case.

  • "So once they [the NSA] crack the VPN password, they can then RDP to my desktop computer at work and enter it's password and help themselves to the data..... I wish them luck."

    I think if anyone can do that, the NSA can. They may even be able to copy the data (encrypted as it is) wholesale to one or more other hard drives and run attacks against it to break the encryption. They can probably do the same with the VPN password once they see that the laptop has no important data.

    Still, the setup you have appears to be strong enough to deter anyone without NSA-level resources. Nice.

    -------------------
    A SQL query walks into a bar and sees two tables. He walks up to them and asks, "Can I join you?"
    Ref.: http://tkyte.blogspot.com/2009/02/sql-joke.html

  • True. The only thing I have seen that comes close to preventing inside jobs (aside from fairly ethical employees) is the nuclear launch system where two (or more) people need to "turn a switch" or log in, simultaneously. That way, at least more people need to be in on the job, which can happen but is less likely if you require, say, 3 or 4 people.

    -------------------
    A SQL query walks into a bar and sees two tables. He walks up to them and asks, "Can I join you?"
    Ref.: http://tkyte.blogspot.com/2009/02/sql-joke.html

  • We issue all engineers and Directors with Blackberry's now. Some still have laptops too, but if lost/stolen, the blackberry's can be wiped and rendered useless by send out a kill command from the BES (Blackberry Enterprise Server).

    Surely the technolgy could be adapted for laptops?

    I agree that users should not have sensitive data on a company laptop or PC.

  • I know that the technology for lojacking exists as it's already in use in some high performance cars.

    However a problem that happend to a friend of mine might show the opposite spin.

    Friend tries to start car to go home

    Car does not Start

    Friend Calls Helpdesk of Car Manufacturer

    Helpdesk: I'm afraid that the satelite cannot 'see' the car so it cannot be started. You might want to push it around the corner to an open space.

    he nearly did

  • I organizations where I have worked, security problems have always been a result of ignorance or desire to save a buck. Unless there are high profile prosecutions and penalties for companies and agencies that allow security breaches to occur this problem will always exist.

    The technology to prevent this already exists. Biometrics and encryption are generally all that is needed in addition to not allowing live sensitive data in test and qa environments. The reason that it is so widely abused is that there is little consequence for exposing customers to risk.

    Large fines and jail time are the only solutions to the problem.


    Karen Gayda
    MCP, MCSD, MCDBA

    gaydaware.com

  • High profile prosecutions and penalties will never exist until the government stops being one of the worst offenders!!!

    Who is going to go after the CIA for a laptop getting stolen? The FBI?


    My blog: SQL Soldier[/url]
    SQL Server Best Practices:
    SQL Server Best Practices
    Twitter: @SQLSoldier
    My book: Pro SQL Server 2008 Mirroring[/url]
    Microsoft Certified Master: SQL Server, Data Platform MVP
    Database Engineer at BlueMountain Capital Management[/url]

  • Steve, how appropriate, on a day when the news here in the UK was reporting the finding of an army officer's stolen laptop with intelligence information on about military response to terrorism!

    It's stupidity that puts the information there in the first place - I can't blame ignorance as in the MOD and Civil Service we are told about data security and have umpteen restrictions. The problem is fixing the human not the machine. The character mentioned above obviously failed to comply with security rules otherwise the laptop should have been chained down or handcuffed to him with data that important!

    Until we can prevent stupidity there will always be risk, but insisting on network storage and only providing a connection mechanism will lower that risk. Until the user writes down the passwords and leaves them in the laptop case!

Viewing 15 posts - 1 through 15 (of 19 total)

You must be logged in to reply to this topic. Login to reply