Stolen VA Laptop Recovered
lancejjj writes "Remember how the VA was pinning the theft of 26.5 million veterans' personal records on a hard working-but-renegade employee whose laptop was stolen? Surprise! It turns out that the employee had written permission to bring the sensitive data home. Fortunately, the laptop has been recovered. It is still unclear how the laptop was recovered, or if any of the veterans' personal data was leaked."
Yeah, Fooooound (Score:3, Insightful)
Nothing taken (Score:4, Interesting)
Re:Nothing taken (Score:3, Funny)
"No way!"
"Yes, way. Looked at the report and it looks like the report says it looks like the data had not been looked at."
"Who's Wei?"
"'Yes way', not 'yes, Wei'"
"Who?"
"Not Hu, not Wei."
"I dunno!"
"THIRD BASE!"
Re:Nothing taken (Score:2)
If you don't find porn, what's to look at?
Re:Nothing taken (Score:5, Insightful)
They gave us all a year's worth of ID theft tracking service at a cost to the gov't of $(several millions?).
If a class action lawsuit against the VA for this debacle is successful it will cost them a lot more than that.
I am more than a little annoyed that they gave the guy permission to take the data home, and now they are firing him for having done so.
In spite of my feelings, I hope such a lawsuit fails, since it will only hurt those who rely on the VA's funding for their health care, etc.
The people who allowed this to happen certainly aren't going to give themselves a cut in pay!
Re:Nothing taken (Score:3, Insightful)
Re:Nothing taken (Score:3, Insightful)
Where would you put them all? These people probably number in the millions, since they include everyone who thinks that a SSN is anything other than a personal name.
Re:Nothing taken (Score:4, Insightful)
The real fault lies with the credit reporting/monitoring companies.
They have created a system where it's easy for anyone to get credit in another person's name. Their solution, of course, is to pay them to monitor your credit in case someone tries to do it.
The data is not very valuable for most ID thieves if they cannot open up instant credit. So, the "solution" is for the VA to pay the very companies that make it easy to get instant credit for monitoring services.
What a racket.
The easiest first step is to require those agencies to allow every person to put a credit freeze on their credit records. This would stop the instant credit and at the same time would stop a vast majority of the ID theft going on.
Those very same companies have lobbyists to prevent this, of course.
Re:Nothing taken (Score:5, Funny)
Start ---> Documents ---> Recent Documents
FBI Analyst #1: Doesn't seem like anyone looked at the file.
FBI Analyst #2: I concur
FBI Official: We are pleased to announce that it does not seem that anyone accessed the records in question.
Re:Nothing taken (Score:2, Interesting)
In actuality, they probably ran some sort of forensics tool against the drive and preliminary investigation says it probably was not accessed. But my question is, is there a way to track cloning of a drive? What's to say that whoever had it didn't make a bit-by-bit clone that can't be traced? Granted, I get the feeling that the dumba$$ who stole the computer may not have had the knowledge to
Re:Nothing taken (Score:2)
Re:Nothing taken (Score:4, Insightful)
Is there any way in hell to determine when a read head moves over a piece of data? If there is (which I do not see how), how could it determine with any resolution of when that head passed over the data? One week, one month, one hour ago etc.. Whatever magical thing they measure would have to decay away over time with some consistency to determine WHEN it was last read.
On that note, boot up with Knoppix, mount hda1 read only (which is the default), mount a network share through lin neighborhood and copy \mnt\hda1 to \home\user\mounts\server\share. Shut off laptop and remove Knoppix cd. You can do that whole process in minutes and all with a gui if you'd like! We do that exact process at least once a week from tanked XP laptops that we need data from.
To get back to reality, if Joe random stole that laptop and was playing with it, he would probably not have the desire and knowledge to do the Knoppix thing or really even care about the actual data on the laptop at all. Someone specifically targeting this VA employee and that data could easily do it.
Re:Nothing taken (Score:3, Insightful)
I don't see how the credit reporting/monitoring companies can fix this.
To me the problem is very simple. If I lose my keys, I don't put a "key watch" on my door to see if someone attempts to use the lost keys. I change the locks on the door and get new keys.
If the confidentiality of my social security number is lost then I need to get a new social security number.
Re:Nothing taken (Score:2)
You suck at analogies. A credit report is like a burglar alarm on your house.
If the confidentiality of my social security number is lost then I need to get a new social security number.
And you're going to hope that the thousands of agencies and tiny little companies that have your data will get the updates in a timely manne
Re:Nothing taken (Score:2)
Bullshit, I got their email and they're still working out who is going to provide the credit monitoring service.
So there's no offer to accept, yet.
Here's proof in the latest press releases [va.gov].
From the June 21 press release:
This week, VA will solicit bids from qualified companies to provide a comprehensive credit monitoring
Wow (Score:2)
We're not there yet. I think people talking about it in these extreme terms makes it hard to discuss the issue as it is.
Re:Nothing taken (Score:2, Interesting)
There is no reliable forensic technique to determine beyond doubt that data has not been read. Imagine if you had left a page with notes in a public, high traffic area. When you found that page a
Re:Nothing taken (Score:2)
See my previous post for the exact syntax...
Data Wasn't Accessed (Score:4, Insightful)
Re:Data Wasn't Accessed (Score:3, Insightful)
However, how does the FBI know the data wasn't accessed?
Re:Data Wasn't Accessed (Score:4, Insightful)
Re:Data Wasn't Accessed (Score:5, Insightful)
Re:Data Wasn't Accessed (Score:4, Funny)
Given what we've seen so far in the case, it's more likely that they carefully scanned it, determined the data was still there, and therefore must not have been stolen.
Re:Data Wasn't Accessed (Score:2)
How much are you paying to sit up at Portland State's CS department and /not/ know about dd or cp? :o) It's not like copying data is destructive.
For the most part, you can (Score:2)
So how much faith do you put in it? Well you look at the circumstances of the crime. Does it look like it was a targeted hit, to get this specific laptop and data, or does it look like a normal theft of opportunity? If it looks like a normal theft, the accessed
Re:For the most part, you can (Score:2)
Re:For the most part, you can (Score:2)
Re:Data Wasn't Accessed (Score:4, Interesting)
The data probably wasn't accessed. If the thief knew what they had, and was at all clever, they could have pulled the drive, performed a raw sector copy, and put it back. Poof! No date changes. I'm sure the FBI forensics team will be checking for this possibility.
Schwab
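The timestamp check this part of the thread is arguing about, as an added example that is not part of any comment and not the FBI's actual method: it lists files whose access or modification time is later than a cutoff. The file names, dates and cutoff are constructed. As the comment above notes, a raw sector copy changes no dates, so an empty result only shows that the installed filesystem recorded no read.

```python
import os
import tempfile
from datetime import datetime, timezone


def ts(year, month, day):
    """UTC epoch seconds for a calendar date (helper for the sample data)."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


def touched_after(root, cutoff_epoch):
    """Return {relative_path: [timestamp fields later than the cutoff]}.

    lstat() does not update atime itself. On a real case this would run
    against a read-only mounted copy of the image, never the original disk.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            fields = [label
                      for label, value in (("atime", st.st_atime),
                                           ("mtime", st.st_mtime))
                      if value > cutoff_epoch]
            if fields:
                findings[os.path.relpath(path, root)] = fields
    return findings


def build_sample_tree(root):
    """Constructed sample: three files with hand-set (atime, mtime)."""
    sample = {
        "records.mdb": (ts(2006, 1, 10), ts(2006, 1, 5)),   # untouched since before cutoff
        "notes.txt":   (ts(2006, 1, 20), ts(2006, 1, 2)),   # read after cutoff
        "export.csv":  (ts(2006, 1, 22), ts(2006, 1, 22)),  # written after cutoff
    }
    for name, (atime, mtime) in sample.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (atime, mtime))


def demo():
    cutoff = ts(2006, 1, 15)  # constructed cutoff, not a date from the case
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return touched_after(root, cutoff)


if __name__ == "__main__":
    for path, fields in sorted(demo().items()):
        print(path, fields)
```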
Re:Data Wasn't Accessed (Score:5, Informative)
Just boot with knoppix, or some other bootable linux on a cd and do something like:
dd if=/dev/hda |gzip -9 |ssh -l someuser somemachine.com "dd of=stolendrivebackup.gz"
Re:Data Wasn't Accessed (Score:2)
Copying data while verifiably not changing a single bit on the drive is one of the basic operations of an investigation. It's off-the-shelf technology.
Re:Data Wasn't Accessed (Score:2)
Of course! Why hadn't I thought of that!
Re:Data Wasn't Accessed (Score:2)
dd if=/dev/hda |gzip -9 |ssh -l someuser somemachine.com "dd of=stolendrivebackup.gz"
Because we know that the thief was a linux user who carries a copy of knoppix in their back pocket.
So what? (Score:2)
First, they cannot know whether the data has been read or not, since they could have simply copied the disk, sector by sector (as anyone with data forensics experience knows, FBI included).
Second, the fact that the data this time was not accessed is not the important thing. The important thing is that the security policy regarding this type of data is not tight enough. Maybe the next time a laptop is stolen someone wi
Tinfoil Hat Time! (Score:2)
That's how cargo theft works (Score:4, Informative)
The situation you describe is not at all unlike how the mafia cargo-theft operations run (or used to run...the people I know are all ex-OCTF types). Basically they'd find some truck driver who had a gambling problem, and make him a deal: he parks his truck at a certain rest area on a certain night, and goes into the restaurant to have dinner. When he gets out, his truck is missing. Sometimes they'd even arrange it so that the cargo in question that night would be particularly high-value (load of VCRs, whatever), or easy to fence merchandise.
The key question in the data-theft is whether or not U.S. organized crime is really involved in large-scale identity theft, to the point where they would have wanted to get their hands on a laptop full of data that badly. If you think that they are, then the whole scenario doesn't seem totally implausible.
I'm fairly confident, however, that the FBI is probably looking down this angle -- it's not really that hard a thing to imagine, so I expect that they're going through the employee's finances and everything else, seeing if there's some way he could have been compromised.
Re:That's how cargo theft works (Score:2)
Re:Tinfoil Hat Time! (Score:2)
The bigger story here is... (Score:2)
Re:Data Wasn't Accessed (Score:2)
I'm sure it's safe (Score:4, Interesting)
Re:I'm sure it's safe (Score:2, Insightful)
Re:I'm sure it's safe (Score:2)
Well, the thief was, most likely, not an educated person. He may not have even turned on the laptop. Also, what if the laptop had a password prompt (i.e. Windows XP)? The thief would most likely not be a technological mastermind, so may not have even been able to log in.
Also, this laptop was most likely taken by a small-time, petty thief. The last thing he'd want is so much government attention--I would not be surprised if the thief returned it himself.
Put yourself in his situation--if you were a s
Re:I'm sure it's safe (Score:2)
Re:I'm sure it's safe (Score:2)
For this reason the Department of Veterans Affairs has been looking at whole disk encryption systems for deployment on all portable computers. It looks like Pointsec will likely get this contract in the near future.
Re:I'm sure it's safe (Score:2)
Oh, it probably was . . . with DES . . . in ECB mode . . . with the key 00000000 [slashdot.org] . . .
Perfect disguise (Score:2)
Perhaps this was an organized gang, they could have booted off a live cd, mounted the hdd in read only mode, pulled the database onto the network and then set up a bungling thief to take the rap.
If you were working for the mob then that would seem like one of the best ways to pull this off without causing suspicion
Re:I'm sure it's safe (Score:3, Insightful)
2) Identity theft on a large scale is nearly worthless because it's news. People get notified, accounts get watched, you get caught if you use it. It's the small stuff where the harm happens. You get one person's identity and they don't know so you can abuse it for a couple months.
Re:I'm sure it's safe (Score:2)
The US just needs data privacy laws (Score:5, Insightful)
Re:Yeah - laws that let the gov't have all access (Score:5, Insightful)
As Gomer Pyle used to say... (Score:2)
Re:As Gomer Pyle used to say... (Score:2)
Renegade employee?
If the VA is like any other U.S. Government installation (non-military), then information security is very weak.
Example: All users, at DoD installation that I was a contractor on a desktop migration, were given local Admin permissions on their Workstations and Laptops.
I brought this to the attention of the site's "Admin" who didn't seem too worried. Not sure if it was ineptitude or the bureaucracy that prevented the site admins from making changes without the permi
Re:As Gomer Pyle used to say... (Score:3, Informative)
If access to the network is being granted by Active Directory, giving the user access to the local admin account is relatively OK for them updating software/hardware on their machine since that account can't get on the network. That's how the machines at my current job are set up and I wouldn
Re:As Gomer Pyle used to say... (Score:2)
Let me guess, you're one of those people who goes bonkers every time your IDS detects a port scan, right?
Users can get admin access to both their workstations and their laptops anyway. The only good reason I can think of to not give them admin access is to keep them from accidentally breaking something, if they're extremely un-tech-savvy. On the
Re:As Gomer Pyle used to say... (Score:2)
How it got recovered? (Score:4, Funny)
They probably just put up a blog [evanwashere.com].
Re:How it got recovered? (Score:2)
TrueCrypt (Score:5, Informative)
And the hidden volumes feature in truecrypt makes it much harder to steal the data (not only you'd need the normal volume password, you'd also need the hidden volume password - IF there is a hidden volume, which you don't know).
Re:TrueCrypt (Score:5, Informative)
Re:TrueCrypt (Score:4, Insightful)
Re:TrueCrypt (Score:4, Informative)
Disagree. On the preferences, TrueCrypt enables you to Auto-Dismount the encrypted partition when a user logs off, when the screen saver is launched, the computer enters power saving mode, if no data is read/written for x amount of time, etc. You can even tell the program to force a dismount even if the volume contains open files/directories
My settings are simple: dismount when I log off and when the computer goes into power saving mode. I like this little app.
TrueCrypt needs admin privileges; now what? (Score:3, Interesting)
Unfortunately, this does not work on our laptops at work; I am being coerced to use WinXP at work (damn you!) without admin privileges, and TrueCrypt refuses to install without admin privileges.
Does anyone know a
VMware, Qemu, etc? (Score:2)
VMware, Qemu, etc.: good idea! (Score:2)
In response to your question, no, they won't let me install anything, but that hasn't stopped me from installing Firefox, Servant Salamander, VideoLan Client and IrfanView (software I know from my Win2k days; there's probably better stuff out there now).
Re:VMware, Qemu, etc.: good idea! (Score:2)
Re:TrueCrypt needs admin privileges; now what? (Score:2)
That's what happens... (Score:2, Insightful)
New requirements for protection of Personal Data. (Score:3, Interesting)
Re:New requirements for protection of Personal Dat (Score:2)
Not gonna happen.
Major policy changes don't happen in 45 days.
They just don't.
Why real data? (Score:5, Insightful)
Re:Why real data? (Score:2)
So if I wanted to analyze how many people who were assigned SSNs in New York that were now collecting benefits in LA, I could use the SSN.
Also, there are batches of SSNs that maintain special relevance, so if you were testing an app you might need to not have any of those.
Re:Why real data? (Score:3, Informative)
Yeah, just ask the assistant secretary (Dennis Duffy) and the deputy assistant secretary (Michael McLendon). Oh wait, they've all been fired.
-h-
Bah... (Score:4, Informative)
Nothing appeared to be copied? Bah. What's keeping a would-be data thief to boot up with a Linux distro, copy at will and shut down the computer.
I use a utility called TrueCrypt on my computer. I don't use a Mac (I would if I had the money), but I think the Mac has a utility (built in to the OS to boot) that lets you encrypt the contents of your home folder. This utility (TrueCrypt) enables me to reserve a chunk of space on my HD and encrypt it. I'm pretty confident that if my laptop gets stolen, the data will be *reasonably* safe.
This is just a mix of bad infosec policies and worse OS.
Re:Bah... (Score:2)
Re:Bah... (Score:3, Informative)
Re:Bah... (Score:2)
Load of crap (Score:3, Interesting)
Load of tinfoil. (Score:4, Insightful)
Does your specially-formed tinfoil apparel help you to know these facts? The scoop is that someone turned it into the Baltimore FBI office, and they're keeping it quiet because the $50k reward was part of the picture. Their forensics people were the first ones to look at the machine, and that's what they do all day.
More likely whatever idiot looted the house and took the portable fencables really didn't know what to do with it, and probably saw the government markings on the machine later. Not something you can put on eBay or take to a pawn shop. And people like that are in the habit of asking their equally ass-hattish friends what to do with something like that. Obviously one of the more enterprising ones is looking to turn it into $50k.
Another whacked summary (Score:5, Insightful)
The VA still contends that the employee did not have permission to put the social security numbers on the computer and take it home.
Look at the timeline. He gets permission to access SSNs in February. He gets permission to take a laptop home in September. Sometime during the year he got permission to use a database program at home. It still sounds to me like he took a little personal initiative to take the SSN database home.
Still, the whole affair was handled pretty damn poorly, particularly the delay in reporting it, among other things.
-h-
It's deeply flawed nevertheless (Score:3, Insightful)
What is needed is a far more positive identification system. Granted, it might be a piss-off to not be able to get instant credit to purchase that new thingamabob, but as things reach unmanageable proportions, something has to be done.
Ethical Hacking Rule no.1 (Score:3, Funny)
It will be interesting to see the public's reaction when 26.5 million SSN are posted tomorrow on a blog.
Messy office? (Score:2)
I smell a fish... (Score:3, Interesting)
So which is it? He was or he wasn't allowed to? It is a bit too convenient for my taste that the laptop was recovered so magically and with the data intact.
This kind of back-and-forth "truth" on these kinds of issues gets very old very fast.
Smells fishy...
Bringing live data home (Score:2)
I'm very skeptical that he needs access to "real Social Security" numbers. If they were doing application testing or statistical analysis on the data, they could have anonymized the data before copying it out of the live environment. 27 million records isn't an impossibly large data set (especially if
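One way to do the anonymization suggested above while keeping the "where was the SSN assigned" analysis raised earlier in the thread, as an added example that is not part of any comment and not VA code. It replaces each SSN with a keyed HMAC token that keeps only the three-digit area number and drops direct identifiers; the key, field names and sample rows are constructed.

```python
import hashlib
import hmac
import re

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

# Constructed sample rows; none of these values come from the page.
SAMPLE_ROWS = [
    {"name": "A. Example", "dob": "1950-01-01", "ssn": "123-45-6789", "benefit_state": "CA"},
    {"name": "A. Example", "dob": "1950-01-01", "ssn": "123456789", "benefit_state": "CA"},
    {"name": "B. Sample", "dob": "1962-07-04", "ssn": "512-33-0001", "benefit_state": "NY"},
]


def parse_ssn(raw):
    """Split an SSN into (area, group, serial); reject never-issued patterns."""
    match = SSN_RE.match(raw.strip())
    if not match:
        raise ValueError("not an SSN-shaped value")
    area, group, serial = match.groups()
    if area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000":
        raise ValueError("never-issued SSN pattern")
    return area, group, serial


def pseudonymize_ssn(raw, key):
    """Return '<area>-<16 hex chars>'; the same SSN and key give the same token.

    The key matters: there are only 10**9 possible SSNs, so an unkeyed hash
    can be reversed by trying them all. The key stays in the live environment.
    Keeping the area number leaks where the number was assigned; drop it if
    the analysis does not need it.
    """
    area, group, serial = parse_ssn(raw)
    digest = hmac.new(key, (area + group + serial).encode(), hashlib.sha256)
    return f"{area}-{digest.hexdigest()[:16]}"


def pseudonymize_rows(rows, key, ssn_field="ssn", drop_fields=("name", "dob")):
    """Copy rows for export: drop direct identifiers, tokenize the SSN."""
    exported = []
    for row in rows:
        clean = {k: v for k, v in row.items() if k not in drop_fields}
        clean[ssn_field] = pseudonymize_ssn(row[ssn_field], key)
        exported.append(clean)
    return exported


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # placeholder; use a random secret in practice
    for row in pseudonymize_rows(SAMPLE_ROWS, demo_key):
        print(row)
```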
Amusing aside (Score:2, Insightful)
Re:Amusing aside (Score:2)
Why is this even possible? (Score:2)
There's a big catch to the offer of free credit (Score:3, Insightful)
He's not going to cut any of the huge tax cut he gave his billionaire buddies. Kids will have to pay for it.
What an asshole!
I do not believe for one minute that they found the laptop.
The most important acronym in Gov't / Military (Score:2)
CYA.
Oh it matters! (Score:5, Funny)
Re:If he keeps his job (Score:5, Insightful)
Re:If he keeps his job (Score:5, Insightful)
Re:If he keeps his job (Score:2, Insightful)
Re:If he keeps his job (Score:2)
What makes it safer, both in this case, and maybe also with airlines, is the guy getting extra paranoid after there's been an accident.
I do. (Score:3, Informative)
(Although I saw this article earlier elsewhere.)
Re:I do. (Score:2)
Here is a piece of that letter..
The employee's home was burglarized and this data was
stolen. The data contained identifying information including names, social security
numbers, and dates of birth for up to 26.5 million veterans and some spouses, as well as
some disability ratings. As a result of this incident, information identifiable with you was
potentially exposed to others. It is important to note that the af
Re:Yet another 'Who gives a shit' article on Slash (Score:2)
HUZZAH! another whiner gone.
"RIP
you're the one that's leaving, not
RIP loser.
Re:data on 26.5 MILLION people? on a laptop (Score:2)
Well, uhm, as a matter of fact: no. Add all the headers, padding, and indexing you want. It would be pretty hard to burn up over 1k for each name/ssn pair. You're high by a factor of at least 10.
Re:data on 26.5 MILLION people? on a laptop (Score:2)
the SSN field may need 11 spaces if they are storing the dashes.
of course, the database probably had more info, like address, phone, medical ID number, Insurance info, spouse info etc . . .
Re:data on 26.5 MILLION people? on a laptop (Score:2)