[ISN] Encryption taken off Transportation IG laptop shortly before theft

From: InfoSec News (alerts@private)
Date: Thu Aug 10 2006 - 22:50:02 PDT


http://www.govexec.com/story_page.cfm?articleid=34763

By Daniel Pulliam
dpulliam [at] govexec.com
August 10, 2006

The Transportation Department inspector general's office removed the 
encryption on a laptop containing the personal information of 133,000 
Florida residents about two weeks before it was stolen late last month 
from a government-owned Chevrolet Blazer parked outside a Miami area 
cafeteria.

Acting Transportation Department Inspector General Todd Zinser said 
Wednesday that the data is routinely encrypted but it was removed as part 
of software upgrades, despite an Office of Management and Budget request 
[1] for all government mobile computer devices containing sensitive 
information to be encrypted.

The laptop is a Dell Latitude model and is believed to contain four 
databases with the names, Social Security numbers, dates of birth and 
addresses of 42,792 Florida pilots, 80,667 Miami-Dade County commercial 
driver's license holders, 9,005 individuals who obtained their personal 
driver's licenses in the Tampa area and another 491 drivers who obtained 
their commercial driver's license in the Tampa area.

The IG office stated the computer is password protected, but experts say 
that a computer with only a routine system password could be easily 
accessed by someone interested in misusing identities for credit theft 
purposes.

In an Aug. 9 letter [2] to members of Congress, Zinser said he did not 
learn of the July 27 theft until July 31 and he did not learn of the 
presence of the databases containing sensitive information until Aug. 5.

An instruction sheet [3] given to all IG office employees to whom laptops 
are assigned states that all data is supposed to be saved in an encrypted 
folder.

David Barnes, a spokesman for the IG office, said the office maintains its 
own IT operations that mirror the policies established by the department's 
chief information officer.

Chris Fedde, senior vice president and general manager of SafeNet's 
enterprise security division, said a common way to protect sensitive data 
is to encrypt the entire hard drive, but a drawback is that when you have 
to do repairs or install new software, you have to decrypt it.

"Normally that's a tightly controlled process," Fedde said. "I bet [the IG 
office] has a new policy by now."

Special agents in the IG's Miami office were using the databases as part 
of a multi-agency task force working to identify the use of fraudulent 
information to obtain driver's licenses or flying certificates. Past use 
of this type of data has led to guilty pleas in licensing fraud cases, the 
IG office said in a statement.

The IG office stated that it does not believe thieves targeted the laptop 
because of the information it contained. A full-scale effort is being 
undertaken to recover the laptop, Zinser said.

On June 23, OMB Deputy Director for Management Clay Johnson signed a 
memorandum [4] urging, but not requiring, agencies to encrypt data on 
remote computer devices holding sensitive information, among other things.

The request came in the wake of a series of data breaches involving 
sensitive information, namely the early May theft of Veterans Affairs 
Department computer equipment containing the personal information of 26.5 
million individuals.

Johnson said in the memo that most agencies already take this precaution, 
but Alan Paller, director of research at the SANS Institute in Bethesda, 
Md., a nonprofit cybersecurity research organization, said policies do not 
equal implementation.

To ensure that every security policy is constantly followed, agencies need 
to implement automated monitoring systems, Paller said. Such systems 
could, for instance, check machines for compliance every time they are 
connected to the agency's network, he said.

[1] http://www.govexec.com/story_page.cfm?articleid=34713&sid=1
[2] http://www.oig.dot.gov/dataseccongress.pdf
[3] http://www.govexec.com/pdfs/NotesonDellPortables.pdf
[4] http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org



This archive was generated by hypermail 2.1.3 : Thu Aug 10 2006 - 23:00:34 PDT