John Leyden, reporting from Infosec in London this week, has filed a great description of tools for bypassing password protection on laptops. On reading it you will feel fairly confident that the kid who nabs your laptop when you are enjoying your caramel latte at a coffee shop will not be able to access your data. It requires fairly sophisticated abilities. But what about the new owner of that laptop who purchases it from the thief for $300 on the street?
I talk to a lot of large IT departments throughout the year. I usually run through a litany of questions about their security practices to see where they could beef up their protection. An oft-repeated scenario goes like this:
Me to the CIO: “Do you have any problems with laptop theft?”
CIO: “No, not really.”
Security Director: “Um….”
Security Director: “Well, we have had four laptops reported stolen so far this week, and it’s Wednesday. That’s about normal.”
These are big companies in large cities where there is a local market for stolen goods. But, thanks to eBay, the market for stolen laptops is now available anywhere.
So here is the common advice given by security advisers:
1. Use really strong boot passwords.
2. Use file encryption or even whole-disk encryption.
While this would indeed protect you from data loss and even protect you from having to make embarrassing disclosures under California SB 1386, it is not yet practical. File encryption and strong password management put too great a burden on end-users. I think the solution is going to arise out of the current trend towards web-based apps. If your email is at Google, your documents are on Writely, and your sales records are on Salesforce, you will not have all of that information on your vulnerable laptops. When they get stolen, just change your access to your on-Net resources.
In the meantime, here is some advice that I believe is a little more proactive.
1. Never let your laptop out of your sight without securing it. At the office or coffee shop use a cable lock to attach it to a table or stanchion.
2. In high-crime areas, do not carry your laptop in a laptop bag. Especially a really cool one. Some bags are greater targets than the computers in them!
3. Put a sticker on your laptop so you know you are picking up the right one at airport security.
4. Never tape your business card to your laptop. You don’t want to advertise the potential value of your data. Your title or company name could attract a data thief.
5. Lock your laptop in the hotel safe if you are not taking it with you.
6. Be as paranoid about your laptop as you are about your wallet or purse.
By taking these precautions you should be able to avoid the expense of deploying defenses that protect your data *after* it has fallen into the wrong hands.