[ISN] Forrester Loses Laptop Containing Personnel Data

From: InfoSec News (alerts@private)
Date: Thu Dec 06 2007 - 23:13:40 PST


http://www.eweek.com/article2/0,1895,2228887,00.asp

By Lisa Vaas
eWEEK.com
December 5, 2007

The incident appears to be a clear case of, "Do as I say, not as I do."

Thieves stole a laptop from the home of a Forrester Research employee 
during the week of Nov. 26, potentially exposing the names, addresses 
and Social Security numbers of an undisclosed number of current and 
former employees and directors, the company said in a letter mailed to 
those affected on Dec. 3.

Forrester "Chief People Officer" Elizabeth Lemons said in the letter 
that the hard drive is password-protected but made no mention of 
encryption.

The laptop contained records pertaining to those who have received 
grants of Forrester stock options or who have participated in the 
research firm's Employee Stock Purchase Plan, according to the letter. 
Those who have done contractual work for the consultancy, but who 
haven't participated in either stock plan, also appear to be affected.

Besides the irony of a technology consultancy that apparently does not 
encrypt sensitive data on employee laptops, the office of Forrester's 
"chief people officer" apparently had not informed the firm's media 
staff of the incident before sending out the letter.

When eWEEK contacted Forrester's press hotline on Dec. 5, a staffer said 
that this was the first she had heard of the incident.

As such, the media relations staff was not prepared with an incident 
response plan. In these days of multiple weekly high-profile data 
breaches in the news, consultants routinely warn firms of the importance 
of encrypting portable data devices such as memory sticks, PDAs and 
laptops.

They also encourage organizations to lay out incident response plans 
that detail a chain of command to ensure that the right executive is 
informed, that public relations staff are devoted to incident response 
and that the proper authorities have been notified, among other things.

The idea that password protection actually protects laptop data is one 
that's laughed out of the room by security professionals. "Anybody with 
a relative clue, or at least a copy of Knoppix or F.I.R.E. [data 
recovery tools], could potentially bypass security measures implemented 
on lost or stolen drives. Period," wrote data breach experts at 
Attrition.org, a volunteer-run site that keeps a running list of data 
breaches relied on by organizations including Privacy Rights 
Clearinghouse.

"Unless data on a drive is encrypted with a key either unknown or 
inaccessible to an intruder, that data is open to compromise," Attrition 
said in a February posting that followed the recovery of a lost VA 
laptop.

"We won't even go into cracking AES256 or 3DES here; for the most part, 
such measures are impractical. Cracking algorithms over 128-bit is 
possible, but only with a lot of time and/or firepower. However, shoving 
a CD in the machine, rebooting and typing: '# mount /dev/hda1 
/tmp/stolen_info/ # cd /tmp/stolen_info/ # ls -la' is not that difficult 
and it makes all of that 'password-protected' data quite readable, even 
for a casual computer user.

"If the person who stole the laptop were to remove the drive and perform 
a bit-by-bit copy, they would circumvent any password protection on the 
computer. Remember, BIOS and Operating System passwords rely on the 
computer and OS to boot up. If you remove the drive, neither will offer 
any level of protection and are completely worthless."
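As an added, defensive example (not from the article or from Attrition), here is a small POSIX shell check that a Linux laptop's root filesystem actually sits on a dm-crypt/LUKS mapping rather than on a plain partition that a live CD could mount. It parses the output of `lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT`; the device names and the two sample listings are constructed, and the LVM-on-LUKS rule is a heuristic.

```shell
#!/bin/sh
# Added example (not from the article or Attrition): a heuristic check that the
# root filesystem sits on a dm-crypt/LUKS mapping, i.e. that the drive is
# actually encrypted rather than merely behind a BIOS or login password.
# Input is the output of `lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT`, read from
# stdin so the function can be exercised on constructed samples offline.

# Returns 0 when the device mounted at / has TYPE "crypt", or has TYPE "lvm"
# while some crypt device exists in the listing (LVM-on-LUKS layouts).
# Returns 1 otherwise (no root found, or root on a plain partition).
root_is_encrypted() {
    awk '
        $2 == "crypt" { have_crypt = 1 }
        $NF == "/"    { found = 1; root_type = $2 }
        END {
            if (!found) exit 1
            if (root_type == "crypt") exit 0
            if (root_type == "lvm" && have_crypt) exit 0
            exit 1
        }'
}

# Constructed sample: LUKS container holding the root filesystem.
SAMPLE_LUKS='sda disk
sda1 part vfat /boot/efi
sda2 part crypto_LUKS
cryptroot crypt ext4 /'

# Constructed sample: root filesystem directly on a plain partition; a live CD
# can mount this and read every file, whatever the login password is.
SAMPLE_PLAIN='sda disk
sda1 part vfat /boot/efi
sda2 part ext4 /'

# Convenience wrapper so a sample listing can be checked by name.
check_sample() {
    printf '%s\n' "$1" | root_is_encrypted
}

# On a real machine, pipe live output instead:
#   lsblk -rno NAME,TYPE,FSTYPE,MOUNTPOINT | root_is_encrypted && echo encrypted
```

A passing check only shows that the root device is a dm-crypt mapping; it says nothing about whether the LUKS passphrase is strong or whether other partitions and removable media are also encrypted.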

A volunteer for Attrition who goes by the online name "Lyger" told eWEEK 
that Forrester's notification letter to those affected "should be of 
little comfort," given that Forrester didn't divulge whether the 
laptop's hard drive was encrypted.

At any rate, it may be ironic, but Forrester's dilemma is far from 
unique. A former analyst for a defunct technology consultancy wasn't 
surprised to learn the details behind the breach. "When I was at Meta, 
we didn't do anything in our back office that we preached to others," he 
said. "It is symptomatic of all businesses. They really don't pay any 
attention to their own employees when warned of something wrong."

Forrester finds itself in good company when it comes to lost laptops. 
According to a recent study from the Ponemon Institute, lost and stolen 
laptops and mobile devices rank as the most frequent cause of a data 
breach:

Almost half (49 percent) of data breaches in a 2007 study were due to 
lost or stolen laptops or other devices such as USB flash drives. That 
finding has been consistent throughout the years, Larry Ponemon, 
chairman and founder of the Ponemon Institute, told eWEEK when the study 
was released last week.

Forrester has reported the theft to the local police department and the 
Middlesex County District Attorney's Office in Massachusetts. Lemons 
said in the Forrester letter that the theft is an "isolated incident" 
and does not involve a breach of network security.

Forrester is providing those affected (excepting residents of New York, 
due to what Forrester said are state laws restricting the practice) with 
a full year of credit monitoring, including $25,000 identity theft 
insurance.

Forrester was not able to provide input for this article by the time it 
posted.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/
