
Handling Corporate Laptop Theft Gracefully

Posted by Zonk
from the it-hurts dept.
Billosaur writes "From NPR, we get a Marketplace story about the theft of corporate laptops and the sensitive data they may contain, specifically how to handle the repercussions. From the story: 'TriWest operates in about 21 states. It's based in Phoenix, Arizona. In December of 2002, somebody broke into the company's offices and stole two computer hard drives. And those hard drives contained the personal information of 550,000 of our customers from privates in the military all the way up to the chairman of the Joint Chiefs of Staff.' How they handled the situation earned them an award from the Public Relations Society of America."

  • Encrypt the disks. (Score:4, Informative)

    by base3 (539820) on Friday May 12, 2006 @02:59PM (#15320202)
    Then there's no data loss, and thus no ethical or legal obligation to tell anyone, and thus no need to handle getting caught with your pants down gracefully.
    • I didn't think any encryption was perfect. So what happens if they do encrypt the disk and the drive gets stolen. If they don't report it and the encryption is broken what recourse do those people with compromised information/identities have?
      • by winkydink (650484) * <sv.dude@gmail.com> on Friday May 12, 2006 @03:23PM (#15320388) Homepage Journal
        It's not perfect. Nothing is perfect. How close to perfect do you have to get to be good enough?
        • It's not perfect. Nothing is perfect. How close to perfect do you have to get to be good enough?

          Keeping all of the files on a networked filesystem via an encrypted channel that is backed up, redundant and secure.

          Who in their right mind keeps important files on a laptop? Especially if those files are valuable to those outside of the organization that owns the laptop.

        • >How close to perfect do you have to get to be good enough?

          XOR the data with itself. Since the key is the same length as the data, cryptanalytic attacks don't apply. Anyone who doesn't have the data, by definition, doesn't have the key. The ciphertext contains no clues to the plaintext and, in contrast to most crypto systems, is highly compressible. An additional convenience is that you can generate the ciphertext from one of the standard special devices without even needing the plaintext.

          Some might argu
          • I realize you're joking, but do you even know what XOR is? Just how exactly do I perform an exclusive or conditional on data to get any results resembling cryptography in even the most distant ROT-13 sense?

            ~Rebecca
        • Frankly, there's a very simple solution to laptop theft and I'm really surprised nobody does it: diskless laptops.

          There, problem solved.
      • I didn't think any encryption was perfect.

        Well, not unless the key is as long as the data. If it is, then you can prove that the encryption is perfect.

        In practice, though, the imperfect crypto that we have is damned good, and if you do encrypt your disks with something decent you can quite safely assume that no one who grabs the disks can read the data, as long as they don't have the resources of a major world government available to them (and maybe even if they do). If you're worried about whether

      • by vertinox (846076)
        If they don't report it and the encryption is broken what recourse do those people with compromised information/identities have?

        A laptop thief isn't going to spend 3 months and 10,000 distributed computers to crack your laptop. Well... Maybe... If he thinks it was really critical, but chances are he might just format the drive and sell it at a pawn shop.
        • chances are he might just format the drive and sell it at a pawn shop.

          In many cases true, but if you had sensitive data (we're talking geopolitically sensitive, not credit-card and Social Security numbers sensitive) then such an assumption might be unwarranted and a very bad idea. Certainly it's not a chance that I want people taking if I was in a position of responsibility.
        • The laptop in question contained data on the US military, including senior officers (Joint Chiefs of Staff et al.). A random thief wouldn't bother cracking it. Iran would.
        • A laptop thief isn't going to spend 3 months and 10,000 distributed computers to crack your laptop.

          If three months and 10,000 computers is enough to break the encryption, you should have used better encryption. It's easily available.

        • "chances are he might just format the drive and sell it at a pawn shop."

          Exactly. Thieves are usually looking for fast money. If the data is easy to get, they get it. If it's not, then they aren't going to waste their time and maybe expose themselves as the thieves when they can hock a quick bit of change and move on to the next target of opportunity.

          There are several dissertations easily found through Google about making boot media (such as a USB memory stick) with a really good key for the disk drive itself,
      • I didn't think any encryption was perfect. So what happens if they do encrypt the disk and the drive gets stolen.

        Let me get this straight. There are two scenarios: leaving the disk unencrypted, and encrypting it. Under scenario 1, if the laptop is stolen, the thieves have free access to all the info on the hard drive. Under scenario 2, the thieves have potential access to all of the info on the hard drive, but only if they break the encryption.

        Are you arguing that scenario 2 is no better than scenar

        • by shawn(at)fsu (447153) on Friday May 12, 2006 @04:19PM (#15320869) Homepage
          I think you missed a 3rd scenario.

          Do not store sensitive data on a laptop.
          • by sgent (874402)
            Not an option.

            I don't know what world you live in, but people need access to sensitive data on their laptops -- especially if they are in an area that doesn't have internet / communications availability.

            You can take precautions such as encrypting the disk -- but many people can't do their jobs without access to that information.

            Before computers, people often put files in their cars, or carried pen / pencil notebooks. The requirements to have that information available away from the office haven't chan

            • by cmacb (547347) on Friday May 12, 2006 @06:02PM (#15321746) Homepage Journal
              "I don't know what world you live in, but people need access to sensitive data on their laptops -- especially if they are in an area that doesn't have internet / communications availability.

              You can take precautions such as encrypting the disk -- but many people can't do their jobs without access to that information.

              Before computers, people often put files in their cars, or carried pen / pencil notebooks. The requirements to have that information available away from the office haven't changed."


              I know what world you live in. It is the world of video games and powerpoint presentations with cute little pie charts.

              In the 60s (the 40s and 50s were before my time) we got access to sensitive data by going to the office, passing an armed guard, signing in and sometimes using several keys or typing in combinations to get into certain rooms. Yes, you could take notebooks (paper ones) and pens and pencils with you in your car. You might also take a printout or so with sensitive data from one place to another, but that was pretty rare. There were telecommunications back then and you could even get to your data over those links, which were a lot more secure than today's WiFi and dial-up.

              What changed is that computers became toys, and many of the people using them now know nothing about the underlying technology other than it's easier than using an adding machine. Ninety nine percent of the problem is that the boobs entrusted with these toys didn't take even common sense precautions with the physical security of the devices. Given the mindset of such people, there is zero hope that they would know enough to take the proper electronic precautions.

              I maintain that if the data is REALLY important, and that includes all the examples given above, then the proper way to use a laptop is as a dumb terminal with a highly encrypted communications link back to the actual data. Such a link can happen over the Internet, or via a satellite link. There is really no excuse for carrying such data around, in the past, now, or in the future.
              • Maybe in your industry -- but doctors have carried patient charts home, to and from hospitals, etc., forever. My father used to have a milk crate full of active patient charts in his car trunk.

                There is no network in most nursing homes, and most hospitals won't allow their doctors (or any staff) direct access to the internet and the ability to run something like TightVNC & SSH. A physician who downloads their currently hospitalized / nursing home bound patient charts to their laptop has no other wa

    • Sure, encryption would help.

      But, first I have to ask: why on earth is this data on a laptop?

      I mean, really! This is health-care data for top military officials! Who needs to take that data on the road with them? Encrypt, stick it in a secure database, on a server in some closet in HQ. At least make it take effort to get at, no?

    • While California's SB1386 specifically mentioned encryption as a reason for not having to disclose to customers under that law, other laws do not. Specifically Wisconsin Act 138 does not mention encryption as a way to preclude disclosure. Basically Wisconsin's law states if someone unauthorized has a client's data, you must tell the client about it. Now, of course I am not a lawyer, nor do I play one on TV, but I know this is a new law (March 16th, 2006) and have any Jurisprudence clarifying this. On the
      • Specifically Wisconsin Act 138 does not mention encryption as a way to preclude disclosure. Basically Wisconsin's law states if someone unauthorized has a client's data, you must tell the client about it.

        If the data is on an encrypted disk, does the thief really have the data if they steal the encrypted disk?
        • by hazem (472289) on Friday May 12, 2006 @04:14PM (#15320842) Journal
          If the data is on an encrypted disk, does the thief really have the data if they steal the encrypted disk?

          Yes. Because the thief may be able to decrypt the data because they also copied down the password/key that was on a post-it note hidden under the keyboard of the computer. Or they might exploit a flaw in the encryption. Or they manage to socially-engineer access to the key needed to decrypt the data. Or they might have installed a key-logger to get the key and then came back a week later to get the drives too.
    • OT: Moderation (Score:1, Insightful)

      by mizhi (186984)
      This post is currently moderated as "Flamebait"

      WTH are /. moderators smoking?
  • by suso (153703) * on Friday May 12, 2006 @03:00PM (#15320206) Homepage Journal

    Tip 1: When you make your get away, float above the carpet like a feather caught in the wind.
    Tip 2: If you encounter security or other obstacles, aim for the biscuits.
    Tip 3: Make sure you check the laptop for any homing devices that will help them track you down.
    Tip 4: The password is usually the username with 123 at the end or their children's ages.
    Tip 5: Get the evidence out of your hands as quickly as possible to beat the feds.
    Tip 6: Relax and enjoy reading the next day's headlines on Slashdot about stolen private information.

  • by digitaldc (879047) * on Friday May 12, 2006 @03:07PM (#15320267)
    Resign with thank you cards, smiles all around and a wonderfully inspiring anecdote about how much you had accomplished in your career up until that day.
  • Handled Pretty Well (Score:4, Interesting)

    by Wannabe Code Monkey (638617) on Friday May 12, 2006 @03:09PM (#15320279)

    I actually listened to this story last night on the way home (or the day before, can't remember). Anyway, at first I was shocked when I heard the intro, they lost all this sensitive data, did some stuff and then won a PR award. If the actions they took were so great shouldn't they have won some sort of privacy award? Winning a public relations award makes it sound like you did a great job covering it up. But actually listening to the story I found that they really did handle it in a great way for their customers.

  • So I am researching encryption for this very reason (laptop encryption) anyone have any links or insights into why anyone would choose file/directory encryption? I am heavily leaning towards whole disk, mainly because how can you be sure you get everything. (i.e. temp files, pagefiles, hibernation files) I have seen some items regarding "intelligent encryption" but I just can't see how any program can "know" what to encrypt and what not to without tons of administrative overhead. That's why I like whole di
    • But for individual workstations/laptops with single users where there is no protection of the data from multiple users, whole disk works well (except for /boot with the kernel and an initrd with dm-crypt tools). I have / and swap encrypted and don't have to worry about theft much with respect to private data.

      Individual directory/file encryption is important for multi-user workstations/servers, where you have to worry about other users getting the files when owner is not logged in. encfs and the like provi
    • Generally, disk encryption is great if a machine is stolen; however, it doesn't offer you any benefits should the machine be compromised following login of the encryption product (generally at boot). Some products have timeout modes kind of like a screensaver where it forces a login to the encryption package following a period of inactivity, but basically disk encryption isn't a safe bet for complete safety. For instance, it can do nothing if someone remotes in to the machine or a "rogue" employee accesses
      • My Mac OS X laptop is set to require a password to wake it from screen saver or sleep. I make it a point to never leave it without sliding the cursor to a hot corner to start the screen saver (or sleep it if it isn't doing anything in the background and I'm not coming right back). That coupled with disk encryption would be a pretty hard thing to defeat.

        Short of that, storing important information on encrypted disk images goes a long way towards solving the problem, though.

        • But that is user habits, just like my ctl-alt-del when I leave my windows notebook for any length of time. Most users do not do this (and it scares me).
          I use disk encryption on my notebook through IBM's TPM setup, and then I run container encryption on-disk for two reasons. First reason: I have top-security documents on my machine. They are encrypted, and I must access a server to obtain a decryption key every time I want to view them. The encryption is by authentica. I do not trust this encryption, t
          • This is because I also do not trust my employer. The notebook is theirs, but not all the data is.

            Would your life be a lot simpler if you stored only company data on the company laptop and non-company data on a non-company laptop/storage device???

          • A separate true-crypt container is used to store my personal information, saved web-pages, personal projects, my website backup, etc. This is because I also do not trust my employer. The notebook is theirs, but not all the data is.

            Why do I think that if your work is as confidential as you say it was, and you're going to the obvious effort to ensure its sanctity as best you possibly can, that there would not be a clause somewhere that mentioned your use of company resources for personal purposes, and that I

            • There is, in fact, a policy regarding private use of company assets. Basically as long as what I do is only step one and two and omits "3) Profit!", then I am fine. Thus I do not op the site in my sig from my notebook, but I do op: farmersreallysucks.com [slashdot.org]. That is protected speech, and allowed (on my breaks) to be operated on with company bandwidth and assets. Even to that end we run an application called CNB that backs up the entire PC. There is a special folder that we can use to store personal stuff t
        • Well my laptop holds a small nuke that is set to explode at midnight if I haven't logged in the previous day.

          Beat that. Hah !
    • If you log in to the encryption system after the OS is running you leave a copy of your password in the swap file.
  • by GillBates0 (664202) on Friday May 12, 2006 @03:10PM (#15320290) Homepage Journal
    How they handled the situation earned them an award from the Public Relations Society of America.

    You mean they handled the situation (and the laptop) with a single three-fingered hand [publicradio.org]? That is quite impressive.

    Creepy though.

  • Marketplace != NPR (Score:2, Informative)

    by Palshife (60519)
    ARGH. This is the second time this has been done. NPR does not produce or distribute Marketplace. NPR has nothing to do with Marketplace. It's produced by American Public Media. Please get it right. You're even LINKING TO APM!
  • Explosives (Score:5, Funny)

    by Infernal Device (865066) on Friday May 12, 2006 @03:20PM (#15320365)
    All laptops with sensitive information should be equipped with a remote detonation device and 10 grams of C4.

    Not to stop the criminals.

    For the entertainment value ...
  • by Doc Ruby (173196) on Friday May 12, 2006 @03:26PM (#15320413) Homepage Journal
    Capitalists know that PR is cheaper than security. Never trust them.
    • Moderation -1
          100% Troll

      I guess the PR of the Year Award comes with a free subscription to AsTrollTurf Inc.
    • visible security as PR?

      consider Israeli airlines... when was the last time they got hijacked or blown up? The Israelis take security very seriously, and a lot of it is not visible at the airport, it's behind the scenes... such as depressurizing baggage, well trained plain-clothes security on board... it costs a lot of money, much more than a few smartly dressed low-pay security guards at a screening desk.

      contrast this with other airlines - it's all about making people feel confident.

      similar, corporate

      • The Israeli security you mention is real security, not just handwaving PR. They are winners. The empty American "security" gestures you describe, from airlines to marketing, simulates security ("simcurity"). It's a loser.

        As usual, the best practice is real security, with tasteful promotion that people can trust as much as the security itself.
  • bad headline (Score:2, Insightful)

    by Anonymous Coward
    This isn't about laptop theft, it's about how the company handled potential identity theft and loss of sensitive data. The hardware is irrelevant.
  • by mythosaz (572040) on Friday May 12, 2006 @03:31PM (#15320480)
    I work as the senior engineer for the desktop engineering department of a large west-coast healthcare organization with over 20,000 PCs.

    Not only do we encrypt EVERY laptop, regardless of if we think it contains PHI; theft of desktop equipment has prompted us to encrypt EVERY desktop, regardless of if we think it may contain PHI. We also encrypt and monitor every PDA (including phones with sync).

    The software: Millions of dollars.
    Support: Millions of dollars.
    Not being sued in California for losing PHI: Priceless.
  • Interesting theft (Score:2, Interesting)

    by Anonymous Coward
    Breaking into an office and stealing two hard drives, which contains all that data may point to a sophisticated, targeted hit, maybe using hired pros.
  • by MarkusQ (450076) on Friday May 12, 2006 @03:43PM (#15320578) Journal

    There's very little you can do after the fact (though the C4 idea above was cute). The key is to do what somewhere I once worked did: make sure that there are effective corporate policies in place long beforehand to make sure that laptop thieves don't profit when they get their hands on sensitive information.

    For example:

    • Have policies that make corrupting corporate data easy, but correcting it tedious/impossible.
    • Give different departments "ownership" of different data and encourage them to distribute it to people who need it via e-mail (hand copied from the application), screen shots, or exported spreadsheets that do not correctly propagate column names.
    • Encourage employees to edit the e-mails to produce versions of the data that they think are more accurate, and distribute them with names like "New (revised) revision of Q4 draft data dump--updated, with corrections by MQR for some of the errors introduced by BC in Q3"
    • Have data retention policies that assure that every laptop has at least twenty such interpretations of any key data on it at any time.
    • Prevent the addition of new columns to databases, and instead encourage users to reuse existing columns (Title, Address_line_2, Retirement_date, ROI_projection, Collateral_damage, NSA_contact_name etc.) that are otherwise underutilized.
    • Make test data by permuting fields (and words/digits within fields) between rows of live data. Do not clearly distinguish live data from test data, to assure that some of these will end up on laptops as well.

    With a few simple precautions like these, you can be sure that the bad guys may steal the laptop, and the data, but they won't have any more idea what to do with it than you do.

    --MarkusQ

  • by redelm (54142)
    Laptops get stolen. It's a reality of life. The worst thing is to compromise customers'/others' data. This can easily be prevented by using crypto for data directories. GPG has a Windows drop-in for the clueless.

    • True, PGP Co. has a product for the Windows "clueless." But doesn't better protection start by asking yourself if the "clueless" should actually be handling or otherwise be responsible for this type of data?
      • Specialization! As computers get used more and more, the lusers _must_ get less and less clueful. The available knowledge has to be bolted in.

        • I think he means 'clueless' as in IT ignorant. Not 'clueless' as in stupid.
        I work with some very smart people, but they don't know much about computers
  • by schweini (607711) on Friday May 12, 2006 @03:48PM (#15320638)
    i fail to see why computer theft is still an issue - even i implemented a relatively simple, yet, as far as i can see, 'secure enough' system for these situations:
    all 'interesting' files are inside AES256 encrypted container-files which are mounted via loop-devices.
    if, for some reason, a server or machine reboots, it asks the next higher server for the password it needs to decrypt itself via an encrypted network connection. if a machine is reported as stolen, the server that has the task of sending the passwords gets advised of this, and simply won't send the corresponding password anymore. the peak of this pyramid of trusted machines is an off-site server far, far away. thus, if the hierarchy is broken (e.g. by computer theft) anywhere along the way, it's a matter of seconds to render all information contained on the stolen machine completely useless.
    if i came up with this, surely the admins of REALLY important data can?
    • Isn't that susceptible to an attack whereby the encrypted pw is simply replayed from a previous authorisation instance?

      So, break in, disconnect and reconnect network (with packet sniffer in place); steal computer, replay packets, copy decrypted data ... PROFIT

      ???
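
The replay concern raised in the reply above, worked as an added example (not code from either poster): the server's key response is bound to a fresh per-boot nonce, so a recorded response fails on a later boot, and a machine reported stolen is refused outright. The class names, `laptop-17` and the pre-shared device secret are assumptions; the sketch also assumes the thief cannot read that secret or choose the nonce (for instance because both live in tamper-resistant hardware), since a secret readable from the stolen disk would let recorded traffic be unwrapped offline.

```python
import hashlib
import hmac
import secrets


def _prf(secret: bytes, label: bytes, nonce: bytes) -> bytes:
    """32-byte value bound to the device secret, a purpose label and the nonce."""
    return hmac.new(secret, label + nonce, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class KeyServer:
    """The 'next higher server': holds container keys and the stolen list."""

    def __init__(self):
        self.devices = {}     # machine_id -> (device_secret, container_key)
        self.revoked = set()  # machines reported stolen

    def enroll(self, machine_id, device_secret, container_key):
        assert len(container_key) == 32  # AES-256 container key
        self.devices[machine_id] = (device_secret, container_key)

    def report_stolen(self, machine_id):
        self.revoked.add(machine_id)

    def release(self, machine_id, nonce, request_mac):
        """Return (wrapped_key, tag) bound to this nonce, or None if refused."""
        if machine_id in self.revoked or machine_id not in self.devices:
            return None
        secret, key = self.devices[machine_id]
        expected = _prf(secret, b"req" + machine_id.encode(), nonce)
        if not hmac.compare_digest(expected, request_mac):
            return None
        wrapped = _xor(key, _prf(secret, b"wrap", nonce))
        return wrapped, _prf(secret, b"tag" + wrapped, nonce)


class Machine:
    """A rebooting machine asking its parent for the container key."""

    def __init__(self, machine_id, device_secret):
        self.machine_id, self.secret, self.nonce = machine_id, device_secret, None

    def make_request(self):
        self.nonce = secrets.token_bytes(16)  # fresh challenge on every boot
        mac = _prf(self.secret, b"req" + self.machine_id.encode(), self.nonce)
        return self.machine_id, self.nonce, mac

    def accept(self, response):
        """Unwrap the key only if the response answers the current nonce."""
        if response is None or self.nonce is None:
            return None
        wrapped, tag = response
        nonce, self.nonce = self.nonce, None  # each nonce is single-use
        if not hmac.compare_digest(_prf(self.secret, b"tag" + wrapped, nonce), tag):
            return None
        return _xor(wrapped, _prf(self.secret, b"wrap", nonce))


def demo():
    # All identifiers and keys below are constructed sample values.
    secret, key = secrets.token_bytes(32), secrets.token_bytes(32)
    server = KeyServer()
    server.enroll("laptop-17", secret, key)
    laptop = Machine("laptop-17", secret)

    sniffed = server.release(*laptop.make_request())  # legitimate boot, recorded
    normal_boot_ok = laptop.accept(sniffed) == key

    laptop.make_request()                   # later boot, off the network
    replayed = laptop.accept(sniffed)       # old response, new nonce -> None

    server.report_stolen("laptop-17")
    after_report = server.release(*laptop.make_request())  # refused -> None
    return normal_boot_ok, replayed, after_report


if __name__ == "__main__":
    print(demo())
```
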
  • by CodeBuster (516420) on Friday May 12, 2006 @04:43PM (#15321127)
    There is one other possibility that has not been considered and that is that the break-in was organized by a foreign intelligence agency in an apparently successful operation to capture records relating to United States military personnel. If this is true then it ups the ante significantly because foreign intelligence agencies have the resources and expertise to organize these types of raids despite the best private security and especially if the operatives are willing to kill for the information. They could have infiltrated across the Mexican border, where security is sorely lacking, and gone anywhere in the US without attracting much attention. Most corporations do not employ the types of security measures that the military does and so they would probably be caught off guard by a commando style raid in the middle of the night. The night watchman doesn't get paid enough to be killed over a couple of hard drives and all he saw were men in balaclavas before he was knocked over the head with the butt of an mp5 and tied up...you get the idea. This may have been a professional job.
    • Most corporations do not employ the types of security measures that the military does and so they would probably be caught off guard by a commando style raid in the middle of the night. The night watchman doesn't get paid enough to be killed over a couple of hard drives and all he saw were men in balaclavas before he was knocked over the head with the butt of an mp5 and tied up...you get the idea. This may have been a professional job.

      What you just described would not have been a professional job. A profe

  • I'm surprised my company doesn't take advantage of Dell's Ownership Tag (there is an Asset Tag as well) to put the company name on the POST screen. It won't stop systems from being stolen for the data, but it will stop those looking to resell the hardware.

    Compaq and I would assume the other major companies have this as well.

  • Hardly an appropriate category.
