
Secure your laptops, seriously

Are your users loading laptops with sensitive data? If so, they probably do it without a thought for security. There are alternatives. Don't let your laptops and data become easy prey.

Years ago, I worked for a medium-sized company with about 130 employees. We shared one laptop. No kidding, but back then, laptops were expensive and as we all had all the hardware and software we needed at the office, management didn't see the need to invest in laptops. You had to sign the thing out and it was never available, and at 100 pounds soaking wet, I could barely carry the thing to the car anyway. I don't know why they called them laptops back then -- it certainly didn't fit in my lap!

Things have changed. Now employees carry laptops like books onto planes to meet with out-of-town clients. While this convenience is great for your users and clients, it can be a nightmare for you. As your company's IT guru, your job is to secure both the laptop and any data that's on it. Big job! Huge job! You aren't paid enough, right? I feel your pain and I'm here to help.

Your first line of defense is to prevent theft, and that includes the hardware and its data. The way to avoid data theft is simple -- don't store sensitive or confidential data on a laptop. Make that company policy and make it hurt when employees break it. You simply don't have any other choice but to be ruthless. Education is the key. You simply must make users understand that they can't store sensitive data on laptops that leave the building. The truth is, they don't need to as there are other options:

  • If you have remote capability, let users sign in from home or while they're on the road. There are still security risks, but you alleviate the problem of direct theft.
  • If there's no remote access or when remote just doesn't meet the need (and that happens occasionally), train users how to use a USB flash drive. They're (typically) removable and rewritable. They weigh just a few ounces and fit into a purse or briefcase, or better yet, into a pocket. They can store from 64 MB to 32 GB! As an added bonus, you really should train them how to encrypt the data, just in case.
  • Unfortunately, nothing's absolute, so if a user must store sensitive data on a laptop, instruct him or her to dump the data when they're done with it. Don't pass Go; don't collect $200. As soon as the meeting's over, dump the data. In the long run, you just can't afford to run around with a laptop full of sensitive data any longer than you have to. (It is with great reservation that I even offer this piece of advice because I know some users will ignore it or forget it.)

Prohibiting the storage of sensitive data on laptops helps protect your data, but it won't stop a thief from stealing your laptop or keep an employee from simply losing it during their travels. You can be proactive in this area though:

  • Register the laptop with the manufacturer.
  • Store the serial number in a safe place in case you need to identify the laptop to claim it.
  • Engrave your business name and address on the outer case so that it's clearly visible. A thief that's after just the hardware won't want a laptop that's marked up that way. In addition, good things do happen and if the laptop is lost, you might get it back.
  • Take a play from Ian Fleming's James Bond character and disguise your laptop. It only sounds like overkill, but if theft weren't big business, manufacturers wouldn't build laptop cases that look like courier bags and briefcases.

Training users is critical. You're a team, remember? Your efforts are only so good -- the person carrying the laptop needs to be informed and take responsibility. Train users not to be too casual with a laptop:

  • Conceal the laptop as much as possible and never leave it unattended.
  • Take it into the restroom stall with you.
  • Keep it on your lap in a taxi, subway, or plane.
  • Ask for a booth when you eat out and set your laptop in the booth with you.
  • Lock the car while driving around to avoid a quick snatch while stopped at a traffic light.
  • Don't sit the laptop on the passenger seat -- it's just too easy a target there.
  • Don't leave your laptop in the car. If you must, lock it in the trunk.
  • Buy a lock and train users to secure the laptop to an immovable object at home or in a hotel room. You won't stop a determined thief, but you will slow them down.

If the worst happens, users should call you immediately so you can change their network passwords at once. A laptop with remote access is an open door to your server and your company's data. Also consider reporting the theft or loss to local authorities.

It sounds like a lot of trouble, but truthfully, you can't afford not to put strict laptop security policies into place and then enforce them. As a small business, you don't have the luxury of deep pockets and legal resources to protect your company if the worst happens. You're it...you have to be up to the task.

About

Susan Sales Harkins is an IT consultant, specializing in desktop solutions. Previously, she was editor in chief for The Cobb Group, the world's largest publisher of technical journals.

28 comments
mamies

This post has turned mainly into a post about encrypting and hiding partitions so customs can't find it. This is illegal, and why does it matter if customs finds your data unless you are hiding something? People should not have responded to the post about encrypting drives and hiding partitions to pass customs. It undermines all the work our govt (even though at times it seems like very little) does to protect us.

Tommy S.

You better be kidding me. The government is only giving you a false feeling of security; just think about the "no-more-liquid-on-board" shit. Did anyone EVER do anything with a liquid explosive?? No. The only ones benefiting from this are airport stores. Now what if someone fills a baby with C4, would they ban babies from boarding? That would be awesome, no more fucking crying babies! My point is, don't blindly think that any gov cares about anything other than VOTES. From my view, having to let them check whatever they want simply because it's a border is nothing other than a pointless intrusion into private data. Never forget that WE pay for this useless security, so we have the right and the moral obligation to question it. It's OK to check for bombs and drug smuggling, but if I undermine their "great work" and national security by denying them my traveling pictures, I'm damn proud of it. Let's face it, ACSTA and its US equivalent are big fat white elephants that need to be shot down by political power, which will never happen thanks to people like you. God bless blindness!

Neon Samurai

As foreign nationals, we are actually potential threats to US security as we are the guests. Returning home usually just means a long lineup and a wave at the Canadian customs counter provided you fill the card out correctly. When you're going there though, you're a potential threat entering the nation so border checks are even more valid; the extent may not be justified. The end result is that we are more of a potential threat than a US citizen returning home and, as third parties, we also won't be affecting US policy and legislation by calling our local politician. Consider it from the perspective of the defensive side; how would you react to someone breaching your personal network? Even if it's not something of any threat, just knowing that someone snuck past into your lawful domain. It'd be like finding a "hey, your backdoor was open but I didn't eat anything" note on your fridge after returning home from a weekend away.

Neon Samurai

If the people get the government they deserve, let's hope they are more deserving this vote than they have been the last few votes. Like you said; it's bad enough that outsiders are a threat but that is a natural position for any country. What is really bad is how the country's own citizens have been sheep'd into being treated; and there are still enough who say "thank you, more please". I don't think the threat for Mexico is anywhere near the concern either; the majority breaching that border are simply looking for a better life. The irony is that coming to America for a better life is now seen as a threat by those who, in like fashion, did what they had to to come to America for a better life. (There's a whole lot of open economy and land so the usual illegal alien invasion stuff doesn't fly but again, not a topic this discussion needs to devolve into). I'm all for playing games with authority but I prefer to be accepting of the potential outcomes. I'll screw with bosses where it doesn't affect work. If you know the officer, play some police games if you like. When I'm an unknown and especially at a border; yes sir, no sir, thank you sir and move on. Either way, it does suck to be trampled over by false security and opportunistic politicians regardless of where that may happen. I fear we're due for a trampling with Canada's own DMCA in the works finally. Screwing the citizens for the benefit of the corporate entities is not unique to US soil.

Tommy S.

Of course they lawfully can exercise their sovereignty as they wish. Which doesn't make it any better from a moral and ethical standpoint; we are a potential "threat", great. The saddest part is that their own citizens are equally victims of an unrealistic view of what security is or should be. Take a look at Europe, no borders within all western countries. 0 risk doesn't exist. We are no fucking Mexicans, there is simply no justification for considering Canadian citizens as a threat. And btw I really do enjoy playing little games with border agents and you all should, since everyone here is smarter than them. It's not arrogance, it's a fact. We don't work for the gov, they do... They are just OUR underqualified employees, they should act like it. PS: I'm not regarding gov agencies as divine entities, nor am I a paranoiac who sees conspiracies everywhere. I just don't like to get my civil rights fucked by some public agencies.

Neon Samurai

The extreme position of "if you've nothing to hide, being searched shouldn't be an issue" is not much better than the other end of "death first". There needs to be a middle ground that doesn't trample the individual while still maintaining true security of the nation rather than "feel safe" demonstrations like the street theater now. Really, it's a legislative and political issue though, not a technological one; solving it oneself by hiding something from legally supported (even if unjust) is just asking for things to go badly.

David1957160

What about tracing/tracking software? Is it any good? Which companies would you recommend?

Neon Samurai

If Mr badguy finds your notebook, it's not likely going to be the installed OS that gets booted first and probably without a network connection so the software based LoJack may not have a chance to call home. Is anyone doing hardware based LoJacks which become active before the BIOS triggers the OS boot loader?

Tommy S.

Isn't encrypting all laptops a simpler idea? I mean you simply encrypt everything and if your fellow employees cross the borders, make a hidden volume while you're at it; customs officers don't even know what a volume is. It is 100% safe if they have a long password with, let's say, AES-Serpent-Twofish. We have over 50 laptops and no headache.

Neon Samurai

Encrypting the drives in your laptop is just generally a good idea. The only time I've seen it be an issue is with high drive traffic tasks like running VMs, especially when creating the hard drive files; 8 gigs "formatted" on an encrypted partition takes a while. You may want to consider caution when crossing borders though if you're going to build an encrypted and hidden partition. Obscuring the data really only makes it more interesting when some curious border guard does notice it. Also, a hidden partition or data file may show intent which paranoid border guards could take personally. Outside of the ethics and personal safety at the border, the bigger issue I'd take is depending on obscurity. Encryption provides a mechanism to protect the data. Placing value in that data file or partition being obscured through hidden attribute flags weakens my security posture. It also places me in the attacking position since I am depending on the limited time advantage of evasion to bypass someone else's security processes. That may be just me though and when not bypassing another's security processes, a hidden partition will get past the casual snoop who does not take the time to look for it. Professionals won't find it anything more than a speedbump or announcement of what to take an ISO of for working on later.

Tommy S.

You can't see that there is a hidden partition in TrueCrypt; if you scan a drive with TrueCrypt it looks like it's full of random bits. So you can't see the actual size of what's used and what isn't. So when the moron at the border asks you to open the laptop, you use the lower password and he will see a clean Windows. And for the "work it after" thing, let's say you have a BlueGene to brute-force it, you better have a few hundred spare years ahead. But I do agree that it's a major speed bump; most of our laptops can decrypt only at around 50MB/s with this level of encryption. You can't have it all, but it works great with sensitive CAD files and office stuff.

NickNielsen

In response to your comment [i]No more rewriting of the 4th amendment,[/i] a warrant is not required to conduct a search at the border, since all such searches are considered reasonable.

MGP2

[i]Moreover, while prolonged detention of travelers beyond the routine customs search and inspection [b]must be justified by the Terry standard of reasonable suspicion having a particularized and objective basis,[/b] Terry protections as to the length and intrusiveness of the search do not apply.[/i] http://caselaw.lp.findlaw.com/data/constitution/amendment04/04.html

MGP2

They can see that I have a laptop. It's not a gun. It's not a bomb. It's not anthrax. It's my personal computer.

NickNielsen

What do you do the day you win the border search lotto? As the TSA IT guy, I'm going to have some very pointed questions for you: If there is no data on the hard drive, how is it booting? Why is the partition table encrypted? What's on the drive that you don't want us to see? Why aren't you giggling and smirking any more? There's a word for people who think they got over on the government and then brag about it. Genius isn't on the list.

Neon Samurai

Oh I see no problem in having encrypted data, nor do I think James Bond is guarding the US borders. Brute force is definitely not the best approach either since most encryption is broken through finding weakness, not guessing at passphrases. Cross the border as much as you like with a truck full of encrypted hard drives if you like. The first issue is that "hidden" is not hidden if it is on that machine. It may be encrypted barring casual access but it can never be truly hidden. Putting value in obscurity is a weakness in your security posture. The second, you are placing yourself in the attacker position. You are intending to sneak something over the border. Being well suited to the task (white, male, nice smile) does not make it more acceptable. If TSA (maybe you get the one James Bond in the entire service) takes interest in your machine you have no deniability provided by drive encryption. You have only the secured data and how long it will take you to hand over the key. It's not at all the encryption. That's just good practice these days on any mobile device. And, while the TSA may be or be perceived as goofs; the boys in the back offices at the NSA who test government security, offer free security evaluations to any developer who sends in code and stroll through most security are the ones you want to consider. I'll make fun of much of the US gov but the Navy SEALs and NSA keyboard spooks are not in the same categories as Officer Dumpshmuck or Sergeant Earlyretirement. In reality, you'd probably have to give some probable cause to have the gov that interested in you. Gov would simply let the courts and prison time persuade you. The problem in it all is still using encryption to sneak past authorities rather than using it to protect against snooping by those without legal grounds. You're applying a risky technological solution to what is actually a social and legislative problem.

Tommy S.

1- NSA or anybody else will take decades if not centuries to decrypt a random 20+ character password with AES-Serpent-Twofish, that's supposing they have a BlueGene/L or even Roadrunner dedicated to it, which I doubt they would use for a random Joe laptop. 2- I crossed the borders to the US like 10 times over the last 5 years with encrypted laptops (w/o anything to hide) and they are dumb as fuck. You know the "random searches" thing; guess what, if you're white and you don't look like you're trying to smuggle cocaine, they'll only ask you to boot it. And get your facts straight, it's virtually impossible to detect that there is a hidden volume because the whole drive looks like it's full of random bits. So before arguing over something you have no clue about, read a little. Does any one of you pay more taxes on purpose cuz you love the government so much?? PS: I'm not smuggling child porn or chemical weaponry secrets, I just don't want to let them access my data. So if you shit your pants thinking about almighty guys that weren't able to get a decent job, that's your business. Just don't say it's impossible because of their divine powers. And I also always smuggle too much alcohol from the duty-free shops; btw I've never seen a jail cell from the inside.

normhaga

But what happens if that moron whips out his trusty calculator and adds up the directory sizes and then, because he has been instructed to, boots a live CD of Linux and looks at the occupied space on the drive? I would say game over. You would be better hiding your data inside JPEGs or other large photo files of your wife and children. The hidden data is not so hard to determine.

Neon Samurai

These days, I think the TSA can hold one without reason for long enough to be a pain. If you give them reason like not providing a password when asked by the nice fridge of a guard, they can send the notebook away and hold you then wait for which works first. If the recent ruling about notebook search at the border holds then they have legal support for picking through your data. Legally, withholding the password has the same result as withholding the house keys or lock combinations when they have grounds for justifiable search. I'm no lawyer either so what do I know. There are some fights you just don't pick.

Neon Samurai

There is nothing on it that is illegal except in Germany (nmap). I had dreamed up a complicated thing where I keep the current build on removable SD and either leave it at home or pack it separately and just keep a clean install on SD in its place. Ultimately, the how it's done is not the issue and wouldn't make any difference to me if it wasn't advocated as a way to sneak past the check point. In my case, they just wanted to confirm that it was really running. It was right after the Mac Airbook story else I wouldn't have thought twice. The reason I wouldn't play such games crossing the border is exactly what you point out; they just hold you until you unlock the encryption if they decide it needs to be checked. Really, the NSA's testing teams could open it too while one waits with the guards. You may get past most of the time but that one time you don't the trade-off is not going to be worth it. ;)

NickNielsen

[i]That searches made at the border, pursuant to the longstanding right of the sovereign to protect itself by stopping and examining persons and property crossing into this country, are reasonable simply by virtue of the fact that they occur at the border, should, by now, require no extended demonstration.[/i] http://caselaw.lp.findlaw.com/data/constitution/amendment04/04.html

MGP2

[i]Suspicions raised, laptop kept, you lose both the laptop and the contents.[/i] To the best of my knowledge (although, I've been wrong before), they can't arrest you for not giving them the password, but they can confiscate the laptop. Knowing that, I'd love to take an old laptop I didn't need or want, strip it down to nothing but the operating system, encrypt it, refuse to give the password, let them confiscate, and let them waste however long they choose, only to find there was nothing there in the first place. If they wanna perform unreasonable search & seizure, let them top it off with unrewarding wasted time. No more rewriting of the 4th amendment.

jvalencia

The original "idea" is just to protect your data if the laptop is "missing" either through encryption or other security measures. I travel out of the country twice or three times every year. The "security people" asked only to turn the laptops on to be sure that they boot OK. The hard disk is encrypted, but I do not have there anything that I am not "supposed" to have. One of my laptops has network analysis and troubleshooting software installed that I use for network analysis or forensics. I never had a problem. If they believe that there is "something" there (maybe child porn), they would hold me for as long as they want/need. It does not matter how well protected the hard disk is, there is always a way and they have the time. All the new laptops today have a hidden partition that holds the OS in case it needs to be reinstalled and many security guards (today) at the border have an idea about what to look for. Good luck.

Neon Samurai

Breaking laws across state lines is dumb enough (usually makes it a federal case). Breaching a country's border is definitely federal and falls under national security rather than simple criminal law. Keeping your company data safe from staffers leaving the machine at the pub, on the bus or in their unlocked car; perfectly reasonable. Keeping your data hidden from government authorities with legal justification by the old fast switch method; that's asking for things to go badly. With the current level of politically beneficial paranoia, you'd best make sure you get a GitMo tourist shirt while you're visiting. As for "plausible deniability", I think you've got that backwards. If someone in law enforcement asks you for the encryption key it's the same as being required to provide safe combinations and house keys; that bit of paper from the judge will sway your resolve or put you in contempt of court. TrueCrypt was more likely developed as a free and open source program to encrypt hard drives against people without valid grounds to be snooping through your data. If you think any form of drive encryption provides deniability "oh, how did that encrypted partition get on my computer officer?" I'd be very curious to hear how that court case turns out.

Neon Samurai

Like I said:
- The casual snoop trying to amuse themselves may miss a "hidden" partition or file if they are not bored enough to look for it.
- The professional is going to see missing space, hidden partitions or hidden files; for them, it's a big billboard announcing "hey, look, something interesting". That's where I slap ripper on your drive, take a duplicate ISO and work at my leisure. With those given the task of protecting a border, I'm not prepared to play games.
- The encryption is protecting your data. At that point, it depends on how much value the information has for the snoop. A casual snoop may run a cracker against it for a few days then get bored. A professional has resources to throw against cracking it and probably a specific target to justify it. A gov forensics snoop will simply ask you for the encryption keys and leave you with the nice border guards until you comply.
Encryption and obscurity are two different things also. Hidden or "obscured" means that it's only not visible on first casual inspection. That attribute should not be considered to provide any value or improved security of your data. Your idea was presented as a way to get data through border inspections by using hidden partitions or image files. The intent alone is to breach a country's security to smuggle something past its borders. That's not a position I'm willing to explain my way out of when Mr TSA asks nicely with a big smile and a heavy threat.

NickNielsen

I know all about TrueCrypt. And if a good tech or a forensics pro examines your hard drive and sees the current partition only takes 50% of the drive, but 95% of the drive is allocated... Like I said, hope you had a backup.

Tommy S.

When you get to the border you open the laptop w/o arguing with [password A], he will see a nice working Windows. There's no way of telling there is a hidden partition except if you try loading the HDD with crap until it's full, then notice it's full at only 95% (example). When you enter [password B] it's the same damned thing with 1 more partition. And we have backup on everything, including toilet paper expenses. And if you are the "moron at the border" you have no clue about what's going on, you only see a friendly guy, kindly giving you his password. And in case you didn't know, nobody can crack TrueCrypt. The basic idea behind TrueCrypt is "plausible deniability" - that someone who examines your hard drive, even someone who demands and gets your password, shouldn't be able to find all of the encrypted data. They employ a variety of strategies to achieve this, starting with the fact that you can hide a TrueCrypt-encrypted file system inside of any file. You can also put a "hidden volume" on the drive - a TrueCrypt volume inside another TrueCrypt volume, which is statistically indistinguishable from random noise.

NickNielsen

If I'm the "moron at the border" I've got my instructions, so I'm going to hold this punk and call in the IT guy. The IT guy says it boots up clean, so now I'm wondering why the punk is so worried about letting me see the contents of his laptop; it's confiscation time! A good computer forensic examiner would probably deduce the existence of a hidden partition within a few minutes of being given hardware access, particularly since the computer was observed to boot to Windows. He might not be able to gain access, but he'll definitely know it's there. Suspicions raised, laptop kept, you lose both the laptop [u]and[/u] the contents. Bummer. Hope you had a backup.
