[Infowarrior] - Responses to: Laptops and PII

Richard Forno rforno at infowarrior.org
Fri Aug 7 11:21:39 UTC 2009


 From various folks last evening:

If any one of those lappies is recovered and found WITHOUT total crypto  
on the hard drive, well, that makes a case for severe public flogging.

But... inasmuch as the drive is encrypted?  No, fuck it -- that's  
still freakin' grievous -- when I was on the road for DoD earlier this  
year, I was assigned a Toughbook. It had several gigs of rather  
important data, and... well, AFTER I installed TrueCrypt on it (it was  
given to me without /anything/), I still looked after the damn thing  
like it was my left nut.  Why?  Well for one, I didn't wanna' have to  
replace it!  And, you know, all that data that we didn't want released  
into the open...

*sighs*

=====

In the US, the Congress are the whores of business. Business tells
Congress that businesses are the victims, and not the individuals whose
lives might be ruined. For example, until the Identity Theft
Assumption and Deterrence Act, only creditors were the victims.

Because individuals are generally not considered victims, there is
little to no redress for an individual. So businesses know they can
lose the information with little to no penalties. This has allowed
business to treat individuals with utter contempt and impunity.

As an example, TJX’s data breach cost the company about $10 million to
settle with 41 attorney general offices [1] (I know this is not a
'lost laptop'). $10 million is a pittance for a company which earns
$210 million on sales of $4.4 billion per quarter [2].

Now suppose one-fifth of the 94 million records were unique in the TJX
breach [3]. Further suppose that each individual were able to claim
$1,000 per incident under some legislation (which the citizens will
probably never enjoy). The penalty could now be $18 billion - which is
a number that cannot be dismissed as easily as $10 million.

Congress serves themselves first, and then business. I don't believe
they have any concerns for the citizens at any time other than when it
comes time to 'pitch their re-election platforms'.

[1] http://www.atg.wa.gov/pressrelease.aspx?id=23062
[2] http://www.marketwatch.com/story/tjx-earnings-per-share-up-14
[3] http://datalossdb.org/incidents/548-hack-exposes-94-million-credit-card-numbers-and-transaction-details

=====

I realize your question may be rhetorical, but since there are so many  
reported incidents of theft there must be many, many unreported  
thefts, and far more cases of people carrying this stuff around. I  
dealt with it - users who do this - for a while before becoming  
internal security and might shed some light on it.

In the companies I dealt with, laptops had become the de facto single  
computer for many users - especially the "more privileged" users, i.e.  
the higher paid class. Admin assistants <cough>secretaries</cough>  
rarely get laptops. So the higher paid class carry *all* their data  
because they have to in order to have access to it, because they  
haven't been sufficiently trained (or refuse to accept sufficient  
training) to use a server that sits behind a hard firewall that can  
only be reached with an encrypted connection. So they carry the data  
around. And there seems to also be insufficient awareness in the  
Windows sysadmin world of high grade encryption. Also, a CIO's goal is  
to reduce cost, so they often reduce tech support at the direct user  
interface level. So we get people who aren't trained or indoctrinated  
being supported by people who aren't trained or indoctrinated, and are  
carrying around insufficient or no tools to protect the valuables.

Personally I think more CIO heads rolling might staunch some of the  
bleeding in the ranks.
(As it always is in warfare.)

=====

Rick - it's because we can! We have the ability to bring our work wherever
we go, and if it's all on a drive then broadband be damned - we can work from
anywhere with anything we may need at our immediate disposal... some of us
are too busy to think about that kind of risk, because breaches like those
happen to other (not as smart) people - not us.

=====

Honest answer?

1.  Because many companies still aren't able to a) know where their data
involving PII is stored, and b) control where that same information
is saved (local hard drives, removable media, and email come to mind)

2.  I'd be confident in saying that most corporate laptops run Windows and
probably Microsoft Office.  With that said, those pesky "OLK" temporary
files get stored for indefinite periods of time without user knowledge.
If the company in question knows this and is backing up hard drives or
doing other forensics, they should know this:

http://www.groovypost.com/howto/microsoft/outlook/find-the-microsoft-outlook-temporary-olk-folder/

More common than people realize, actually:
http://datalossdb.org/search?query=stolen+laptop&commit=Search
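An added example, not part of the thread or of any of its posters' tooling: a small PII-discovery scan of the kind the first point above asks for, run over a constructed directory tree that mimics a user's local documents, a removable drive and an Outlook "OLK" temporary folder. The file layout, the folder name `OLK1A`, and the file contents are assumptions built for the demonstration (the card number is the widely used Luhn-valid test value, not a real account); the scan reports SSN-shaped strings and Luhn-valid card numbers, masks what it finds, and tags where on the "disk" each hit lives so an owner can see which copies sit in uncontrolled locations.

```python
"""Added example: locate PII in places a laptop owner does not control.
Not code from the mailing-list thread; layout and contents are constructed."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample files (assumed layout). Paths are relative to a temp root.
SAMPLE_FILES = {
    "Users/jdoe/Documents/payroll.txt":
        "Employee 123-45-6789 paid 2009-07-31\n",
    "Users/jdoe/AppData/Local/Microsoft/Windows/Temporary Internet Files/OLK1A/invoice.txt":
        "Card 4111 1111 1111 1111 charged 42.00\n",
    "Removable/E/notes.txt":
        "Order 1234-5678-9012-3456 (looks like a card, fails Luhn)\n",
    "Users/jdoe/Documents/readme.txt":
        "Nothing sensitive here.\n",
}

# SSN: AAA-GG-SSSS with the area/group/serial values SSA never issues excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits, optional single space/dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from digit runs like order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report itself is not a PII store."""
    return re.sub(r"\d", "*", value[:-4]) + value[-4:]


def location_class(rel_path: str) -> str:
    """Tag the copy by where it sits; OLK and removable media are the uncontrolled ones."""
    if "/OLK" in rel_path:
        return "outlook-temp"
    if rel_path.startswith("Removable/"):
        return "removable-media"
    return "local-disk"


def scan_tree(root: Path) -> List[Dict[str, str]]:
    """Walk every file under root and return masked findings with their location class."""
    findings: List[Dict[str, str]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        for m in SSN_RE.finditer(text):
            findings.append({"file": rel, "kind": "ssn",
                             "value": mask(m.group()),
                             "location": location_class(rel)})
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):   # only report candidates that pass the checksum
                findings.append({"file": rel, "kind": "pan",
                                 "value": mask(digits),
                                 "location": location_class(rel)})
    return findings


def build_sample_tree() -> Path:
    """Materialise the constructed files in a temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="pii-scan-"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(f"{hit['location']:16} {hit['kind']:4} {hit['value']:20} {hit['file']}")
```

The point of the location tag is the one the post makes: the same PII ends up in places (Outlook's temp folder, removable media) that nobody inventories, so a scan that only reports "found an SSN" without saying where is of little use when deciding what a stolen laptop actually carried.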