The headline "Laptop - Along with Hundreds of Thousands of Identities - Stolen" seems to be repeating itself -- over and over again -- these days. Whether it's an executive trusting the hotel cleaning staff or a name-brand auditor storing his laptop unsecured in his car (who, by the way, would ding his clients on an annual review for such carelessness) -- laptops and other physically insecure computers are getting lost and stolen by the truckload.
It's no longer just an inconvenience to lose a laptop. Being careless in today's overly governed society now leads to business contracts being dishonored, laws being broken, and industry regulations being violated. Above all, it's putting a lot of sensitive information at risk -- both trade secrets and, more importantly, personal livelihoods. According to the Chronology of Data Breaches Reported Since the ChoicePoint Incident, as of this writing a total of 31,796,785 identities have been compromised due to lost or stolen computers! There are dozens of these incidents listed on the Privacy Rights Clearinghouse site, and in many cases, it is unknown how many identities were put at risk.
For crying out loud -- why aren't people speaking out about this problem? More importantly, why aren't organizations doing anything about this problem? You want to do the right thing and keep your laptops secure? Read on.
How it can happen
Have you ever wondered how the people finding and/or stealing these unsecured laptops and other computers are breaking into those systems and gleaning sensitive information? Well, I haven't interviewed any criminals, but I'd venture to guess they've got their own tools and techniques. However basic it may seem, many people simply don't have passwords on their laptops. It doesn't take a computer engineer to crack that code, and I won't elaborate on security testing techniques and solutions for that problem. But what about those systems that do have passwords - how are the bad guys getting in?
The best way to approach this problem is to look at it from a malicious viewpoint. I'm not advocating or supporting criminal activity. I do, however, strongly believe the only way to truly secure your systems is to look at security issues from the bad guy's perspective. When it comes to laptop hacking, there are a few tests you need to run to see just how far you can get into the system and into your network.
Already logged-in with full access
A computer system can be stolen while it's still turned on. Laptops with well-charged batteries are especially convenient for the bad guys. There's no unplugging and trying to get in later -- they simply take the system and run with it to another location and see what can be gleaned off it.
Once they're in, anything's fair game. Many organizations have policies that state no sensitive information shall be stored on local hard drives or mobile devices. Yeah, right. I see it all the time. It's usually just a matter of looking at the person's desktop to find all sorts of word processing documents, spreadsheet files and other areas containing sensitive information.
Take a look and see for yourself. You can actually do this from the network if you have remote logins enabled and you're part of the local administrators group. Look under C:Documents and SettingsAll UsersDesktop and C:Documents and SettingsusernameDesktop. You can also load up Outlook or whatever email client the victim uses to see what's stored inside. Odds are your users use email as an information repository, and it's a gold mine for sensitive information.
Think about what could happen if any of this data was accessible by a criminal. That's a good reason to use short screensaver time outs, require users to lock their screens when leaving their computer unattended or to even use proximity sensors to automatically lock the screen when the user leaves.
The next step a would-be criminal could take is to simply guess a login or screensaver password -- sometimes it's easy as 1-2-3. In this scenario, let's assume the laptop is powered on and the user has locked the screen with a screensaver. The hacker could enter the user's login ID (the last logon ID is likely displayed) as the password or append a 1, exclamation point, or "pass" to the end of it. It's actually pretty common. If the screensaver password doesn't work, simply reboot the system to see how it comes up -- you might not need a password to login to Windows.
If you reboot and you're prompted with a BIOS power-on password, that's yet another layer of defense, but it's no problem to get around. There are resources galore on how to reset those.
How to crack a laptop
If they're already in, hackers can look at stored passwords that may lead to other sensitive information -- especially those stored in VPN clients that could provide a direct link into your network. You can find this type of information using a tool such as ElcomSoft Ltd.'s Proactive System Password Recovery. It will recover logon passwords, network passwords, wireless encryption keys, dialup/VPN passwords and more that can be used against you. Figure 1 shows the Proactive System Password Recovery interface.
Figure 1: Proactive System Password Recovery
If you've done the right thing and require Windows logins combined with Windows-enforced strong passwords, you're probably wondering how else someone could possibly get in. Well, never fear, it can be done. It is simple password cracking, and you don't even have to buy a commercial tool to do it. There's a relatively new tool I've been using called Ophcrack that uses rainbow tables for really fast Windows password cracking. Ophcrack has a bootable "Live CD" version that you can use without having any other access to the Windows system. So, think about this: The bad guy finds/steals your system, boots it up using a tool such as Ophcrack and -- viola! -- in just a few minutes, he's got one or more Windows account passwords. It's all over after that. Try running the Ophcrack Live CD yourself and see what you can find.
Figure 2 shows the Windows version of Ophcrack - the Linux version on the Live CD is essentially the same.
Figure 2: Windows version of Ophcrack
How to secure a laptop
There's a simple solution
Having shown you all these laptop hacking techniques and tools, you can still lock down your systems to keep bad things from happening. You could create encrypted "partitions," which, basically, are files that mount as a regular drive. But I'm not a big fan of that. It all boils down to the fact that you cannot trust your users to store sensitive information on the secured partition every time. People will store things on their desktop, in their email application, and in local temp directories that may not be protected. Plus, if someone is able to obtain a laptop and crack various Windows passwords as I described above, what do you think the odds are that the encrypted partition uses one of those same passwords? Based on what I see, the chances are pretty darn good.
Many people are installing laptop-tracking software such as LoJack for Laptops, which can certainly aid in recovery. The problem is that by the time the system is recovered, sensitive information on the laptop could've been compromised. Good solution -- just a little too late in the security breach time window for me.
The only truly secure solution (although still not 100% -- nothing is) to keep information from being compromised is to use a whole disk encryption technology such as PGP Whole Disk Encryption, Voltage Security SecureDisk, and SecurStar DriveCrypt Plus Pack. They're independent of the operating system and use much stronger encryption technologies and some can even be centrally managed reducing administrative burdens. Even if stolen computers are powered on, as long as the entire drive is encrypted and the screen is locked, the only option for the criminal is to reboot the system to try and get in. Once he does that, he'll be prompted for a passphrase to unlock the drive. As long as the passphrase to encrypt the drive is strong -- he's at a dead-end. Also, be on the lookout for BitLocker Drive Encryption in Windows Vista
as well as the built-in encryption features in the new Seagate Momentus drives. These technologies seem promising as well.
Remember that policies enforced by technologies -- not just trusting users to do the right thing -- will keep sensitive information on your computers from being compromised. Sure, it's going to cost money (up front and ongoing) in both software licenses and operational costs. But that seems like a better alternative than losing credit card merchant privileges, explaining to one or more government regulatory bodies why your stolen systems weren't protected or having to notify every single person whose information is believed to be compromised.
Laptop security summation
Those are real issues happening to real people and the problem can be avoided if you -- and your management -- do the right things. Here are some final takeaways to keep your laptops and other stolen computers safe:
- Look at your laptop vulnerabilities from a malicious-eye view and revisit this issue often.
- Educate your users -- over and over again until it's ingrained in their minds -- that thoughts like "I'm just going to run into the grocery store real quick -- the laptop will be OK in the car" and "I just need to step into the restroom real fast -- others in the coffee shop will lookout for my stuff" are very dangerous and can end up getting a lot of people in trouble.
- Ensure screens are getting locked via CTRL-ALT-DEL or a short screensaver timeout.
- Configure Windows to require passwords to be entered upon return from hibernate, suspend or a screensaver time out.
- Most importantly, use whole disk encryption with strong passphrases.
There's always the chance that your stolen systems will be sold, new software will be reloaded, and nothing bad will ever come of it. However, you've got to look at the worst-case scenario. Given that so much information is being stored in so many different places, without whole disk encryption in place combined with sensible password and screen-locking technologies, there's not really any way to be sure everything's protected at all times. That's a risk no savvy business person should ever be willing to take.