[ISN] Encryption can save data in laptop lapses

From: InfoSec News (isn@private)
Date: Mon Jun 19 2006 - 00:41:59 PDT


http://seattlepi.nwsource.com/business/1700AP_Laptops_Security.html

By STEPHEN MANNING
ASSOCIATED PRESS WRITER
June 17, 2006 

ROCKVILLE, Md. -- Reports of data theft often conjure up images of
malicious hackers breaking into remote databases to filch Social
Security numbers, credit card records and other personal information.

But a lot of the time, the scenario is much simpler: A careless worker
at a company or agency with weak security policies falls prey to a
low-tech street thug who runs off with a laptop loaded with private
data.

In the biggest case, the Department of Veterans Affairs recently lost
data on 26.5 million veterans and military personnel stored on a
laptop and external drive stolen from the suburban Washington home of
a VA employee.

Security experts and some privacy groups say simple measures could
protect data if a laptop falls into nefarious hands. They include
encrypting the information so it's nearly impossible to access without
the correct credentials.

"It is shocking how many of these are stolen laptops and the fact
that the users of the laptops did not use encryption to secure the
data," Beth Givens, director of the Privacy Rights Clearinghouse, said
of recent data losses. "If thieves read the newspaper, they can
readily figure out that they have got more than just a piece of
hardware."

Since June 2005, there have been at least 29 known cases of misplaced
or stolen laptops with data such as Social Security numbers, health
records and addresses of millions of people, according to the Privacy
Rights Clearinghouse, a San Diego-based nonprofit that tracks data
thefts.

So far, there is no evidence the stolen data were used for identity
theft or other nefarious purposes. In most cases, the laptop itself,
not the personal information on it, was the likely target of the
theft.

Sometimes, there's no good reason for why so much information is being
kept on individual machines that are designed to be carried out of the
office. In other cases, workers were allowed to have the data on the
laptops but didn't follow proper procedures for keeping it safe. In
others, they broke the rules by taking personal data out of the office
or not protecting it with digital tools.

Laptops have been stolen from cars, gone missing when checked for
airline flights, and been taken from offices and employee homes.  
Hospitals, universities, consulting firms, banks, health insurers and
even a YMCA have lost personal data.

The portable computers are usually protected by passwords needed to
boot them up, but the data on their drives are still accessible.  
Encryption, on the other hand, scrambles the information and would
render it useless to a thief without a digital key that decrypts the
data.

A variety of encryption tools are available, including software as
well as specialized chips.

But many people are reluctant to use them because losing the key can
make it hard to access the data and the programs can slow down data
access, said Alan Paller, director of research at the SANS Institute,
a computer-security organization in Bethesda.

That could change as computer manufacturers start selling laptops with
encryption built in. Microsoft's Windows Vista operating system, due
late this year for businesses and early next year for consumers, is
expected to make it easier for users to encrypt all their data.

Many states now require companies and organizations that store
personal information to inform the public when the data leaks. But
those laws generally don't make reporting obligatory if the lost data
were encrypted.

Some companies that have lost laptops are responding with better
security measures.

Ernst & Young, which has 30,000 laptops used by its highly mobile
staff of consultants, is encrypting all contents on the computers,
according to company spokesman Charlie Perkins.

But in February, as the policy was being implemented, a laptop that
hadn't been encrypted was stolen from an employee's car. With it went
the names, addresses, and credit card information of about 243,000
customers of Ernst & Young client Hotels.com. Perkins said there is no
evidence any of the data was misused.

"We evaluated our policies in this area across the board," he said.
"Encryption is the most significant step."

Of course, security measures can only work if they are actually used.  
In several cases, laptops were lost or stolen when employees violated
company rules by leaving them in parked cars or in their homes. And
data that are supposed to be encrypted by an employee sometimes
aren't.

On June 2, grocery retailer Royal Ahold NV said contractor Electronic
Data Systems Corp. lost a laptop with personal information on an
undisclosed number of retirees and former workers of Ahold companies,
including grocery chains Stop & Shop and Giant Food.

The EDS worker was asked to check the laptop on a flight because the
plane's storage bins were full, according to EDS spokesman Kevin
Lightfoot. When the flight arrived, the laptop never reappeared. The
employee was disciplined for violating company policy by checking the
computer as luggage, Lightfoot said.

Since the incident, EDS has reminded its employees about rules on
handling laptops.

"You have to work with your employees to make sure this information is
protected," Lightfoot said.

In January, Ameriprise Financial, an investment advisory company, said
the internal account identification numbers of 158,000 clients were
lost when a laptop was stolen from an employee's car. The employee was
supposed to have encrypted the data, which was on two files, but had
not, according to Ameriprise spokesman Steven Connolly. The worker was
fired.

The VA plans to recall every laptop to make sure the security programs
are up to date. The data on the laptop taken from the suburban
Washington home were in a form difficult for an outsider to use, and
authorities believe thieves may have erased the information before
selling the hardware.

But that doesn't satisfy August Woerner, an 80-year-old World War II
veteran from Westerly, R.I. He received a letter from the VA saying
his data may be on the laptop because of a claim he filed several
years ago at a VA medical center.

Woerner takes every precaution he can to shield personal information -
he checks his credit rating online regularly, shreds financial
documents and monitors the balance of his credit card nearly every
day. Despite his diligence, he is convinced someone will steal his
identity soon.

"I do the best I can, but I can't very well fight this theft," said
Woerner. "That data should not be readily available by someone simply
walking it out of a building."

©1996-2006 Seattle Post-Intelligencer


