Security Watch
Consumers Numb to Lax Laptop Security?
Plus: The FTC plays games with security, and the country's nuclear safety almost compromised by a thumb drive.
As many as 1.4 million people working in Colorado, or receiving or paying child-support payments, may have had their personal information compromised as a result of the theft of a laptop. The laptop included Social Security numbers and other personally identifiable information. No reports of abuse of this data have yet surfaced, but notification letters are being sent.
While it's certainly possible for any of these laptop thefts to result in the abuse of the information they contain, personally identifiable information or otherwise, theft of such equipment for the resale value of it is still the most common form of theft.
There is clearly no arguing that the data contained on laptops needs to be better secured or at least encrypted. Data breach notifications for every such theft is going to have a negative impact. Consumers are going to become complacent with the notices, less likely to take the appropriate actions (such as checking their credit, or simply auditing their financial statements), corporations are going to offer less to those who are being notified, etc.
We do feel corporations should do more to protect data, be it on their servers, laptops or removable devices in storage. But data breach notifications should be based on more tangible evidence of malfeasance than simply the theft of equipment.
A Leaky Water System Network
A laptop used at a Harrisburg, Pa. water plant was found to be compromised by malware that permitted criminals to gain access to the network the laptop was connected to. This could have resulted in the criminals being able to modify the controls of the plant, potentially altering the chlorine levels of the water, for example.
A perfect example of why roving laptops need to be tightly controlled. There is no indication yet whether the laptop was compromised while connected to the water plant’s administrative network, which is connected to the Internet, or whether it was compromised while connected to its user’s home Internet connection.
According to reports, there was no attempt to abuse the water treatment plant itself, or any indication that the plant was even a target as opposed to the laptop just randomly being infected.
FTC Gets In The Game
The U.S. Federal Trade Commission has launched 10 online quiz show-style games that present scenarios and then asks participants what the correct response would be. The quizzes test a variety of security-awareness issues, from phishing and auction scams to wireless hacking.
Definitely consider sending your employees to this site. While it may seem somewhat hokey, the information it provides when questions are answered incorrectly are an excellent source of common-language suggestions.
Counterfeits May Lurk in Your Network Room
According to the Association for Gray Market and Counterfeit Abatement (AGMA), nearly 10 percent of all IT products are counterfeit. The AGMA says new used equipment from the Dot.com bust spurred the counterfeiters into business, offering up used equipment labeled as, for example, Cisco WAN Interface Cards, which were in fact fakes.
According to AGMA, Cisco is the most counterfeited product out there. It also makes a case about the counterfeit products being less reliable. However, it carries that argument so far as to get into FUD about the potential for an air traffic control network to drop off the network because of fakes. As we all know, it could happen whether the NIC is fake or real, unfortunately.
Seagate Hard Drives Might be Too Tough
Seagate has announced that it plans to incorporate its DriveTrust full disk drive encryption technology into mobile device hard disks next year. The technology uses an AES encryption chip on the drive to encrypt and decrypt drive data on the fly, without impacting CPU or OS performance. The drive is decrypted during the power-on sequence, and remains unencrypted until the system is completely shut down. Hibernating systems, such as Vista, leave the data unencrypted, which could prove a PR nightmare if hibernating laptops are stolen, exposing sensitive information the owner thought was being protected.
Software to manage passwords has yet to be made available; however, Seagate does say there will be such products. The bigger question will be whether or not they are enterprise friendly. For now, Seagate says it will be able to reset a drive if it is sent to the company with a lost password, but it will not be able to retrieve the data. This could prove even more of a nightmare as data recovery from damaged drives may prove problematic also.
Nuclear Weapons Data Escapes on Thumb Drive
Last month, police arrested 20-year-old Justin Stone of Los Alamos for apparent drug possession. Nothing odd here, but during a search of his premises, police found three USB drives that apparently belonged to the Los Alamos National Laboratory. According to unconfirmed sources, data on these drives appeared to be "Secret Restricted Data," suggesting they contain information regarding nuclear testing or design.
According to LANL in April 2006, it had reduced the number of removable media devices from 80,000 to roughly 13,000 items. There’s no indication whether that includes removable media like USB drives.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.