TSA to Contractors - Encrypt Your Laptops

eweekhickins writes "After two laptops were lost containing the personal data of 3,900+ truckers who handle HAZMATs, the Transportation Security Administration has ordered its contractors to encrypt any and all data. 'After the second theft or loss, the TSA conducted an IT forensic investigation that ascertained that the (previously) deleted information could be retrieved if a thief had the proper training. "So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place," Davis said.'"

Overheard conversation

[postbigbang (761081)]

"No, not the keys to the truck and trailer, I need the damn keys to the laptop!"

Re:

[TechwoIf (1004763)]

That would be funny if it did not actually happen to me. I drive a truck and cross the boarder to Canada and back to the USA. I was literally asked for the keys to the laptop by customs.

Re:

[postbigbang (761081)]

We agree that the keys to encryption need to be well managed, and penalities for any kind of data loss need to be incredibly severe.

Not flying or going to an airport since 9/11 (presuming *because* of 9/11's aftermath) as a result of your demands, would appear to border on paranoia in the extreme, however. Someone has your IP address for the message you posted, and has already traced you back. It's in your service provider's info sent to the NSA. You didn't have an https connection, so everyone saw what you

Re:

[moderatorrater (1095745)]

This is one of the many reasons I haven't set foot in an airport since 9/11.

Let me guess, another is that your hat sets off the metal detector?

Many have been told to backup...

[psychicsword (1036852)]

Though many never do, will this be the same?
I think that even if you force the security measures in place people will always find a way around it. People write their passwords on a Post-in note or tape it to their monitor. These security measures are good but definitely not perfect.

Re:

[sumdumass (711423)]

If MS preencrypted the drive, the default pass word would probably be something like MSr0cKs01 or something and it would never be changed and most likely useless.

There, is that good enough for you? I know it sort of slams the users too but what the hell, it is a slow news day.

It's always sad

[techpawn (969834)]

That these kind of measures are retroactive instead of proactive.

Re:It's always sad

[Volante3192 (953645)]

"Reactive"

It's more likely it was pitched, but either for cost or time, management probably shot it down. Never mind there've been high profile laptops missing all over, like the VA one. Being naive, I would wager that the IT department would like to lock down the systems as tight as possible (I know I would) but are being thwarted by management becaue it'd make things too hard, too different, or cost too much.

It's always after the sole data server blows up that they decide "oh, guess that backup option would've been worthwhile." (Had this happen too. Financial data, customer data, and no paper trail. But the tape drive cost 'too much'.)

Re:It's always sad

[mlts (1038732)]

I keep wondering, if the data is that sensitive, IT departments should have it physically never leave the data center. Instead, offer different means of access via secure means, such as Remote Desktop, ssh, a secure webapp available after connecting to a VPN, or some other means of accessing the data and gathering reports from remote. Keep the data available, but have it physically reside in the (relatively) secure environment of the data center.

If someone needs offline access (for example in a remote location with no Internet access), that is a different story, but in a number of laptop theft cases, there is no real reason the info is physically sitting on the laptop.

Of course, this won't prevent an employee from doing an export of all the tables to their laptop, but having the sensitive data behind a username, password, and a SecurID token means that the losses due to a stolen laptop will be minimal. Add a decent FDE program (BitLocker is decent because it doesn't get in the way of users, provided they can access their user), and a laptop loss can be written off as "just" hardware.

A number of Dell laptops and desktops have the ability to have CompuTrace installed in the BIOS. This is another good tool to help find stolen goods.

By using the tools out there, from WDE, to having data physically residing on a different location (although there are cases where this isn't possible), to CompuTrace, damage done from a stolen laptop can be greatly mitigated.

Re:

[Sancho (17056)]

Many companies have policies that state that machines must be password protected--BitLocker, OS X, etc. handle encryption seamlessly if this is the case. There is no convenience reason not to use it on company laptops if they're managing sensitive data.

You can't believe how sad...

[WED Fan (911325)]

That these kind of measures are retroactive instead of proactive.

Yeah, I installed TruCrypt today so I could encrypt my drive yesterday.

Uh, dude, I think you mean "reactive".

Re:

[techpawn (969834)]

descriptive of any event or stimulus or process that has an effect on the effects of events or stimuli or process that occurred previously

Having people start to encrypt because of stolen laptops is a retroactive solution to the problem of the wild data

The norm for govt.

[Nick Driver (238034)]

As someone who works for a govt contractor (state & local govt, not federal), ironically in the security field lately, I've noticed that retroactive measures for security lapses are generally the norm, and not the exception. The govt organizations themselves are too cheap to do security right in the first place, and many contractors are too greedy to include proper security measures in their govt projects since those will cut into their profits. Fortunately, my employer has a clue and we don't suffer fr

Mod Parent Informative

[mpapet (761907)]

Generally, a very informative post that generally conforms with my experience.

the govt organizations themselves are too cheap to do security right in the first place,
Most of the orgs comply on paper, but operationally its pretty bad.

and many contractors are too greedy to include proper security measures in their govt projects since those will cut into their profits.

The blame goes both ways. I've been in situations where good security was seen as not necessary by the agency. There is also the nasty proble

Re:

[shawn(at)fsu (447153)]

You could look at this a few different ways. First you could say that this is partially active and not totally reactive. Laptops were lost or stolen with large quantities of data, it's not sure if that data was used for nefarious purposes right at least it hasn't been disclosed publicly. So you could say that this is a semi active response. Some one said we got darn lucky lets remove this vector.

Also think about all the ways some one can get to your data. You have to step up your protection to all of these

Re:It's always sad

[Chris Mattern (191822)]

If they could actually take retroactive measures, they'd be much happier. "Johnson, I need to secure that data so that it didn't get stolen three days ago!"

Chris Mattern

Encrypting Personal Information

[Dragonslicer (991472)]

After two laptops were lost containing the personal data... we mandated that contractors need to encrypt any and all data

Is there anything to say besides "Duh"?

Re:

[beavis88 (25983)]

Is there anything to say besides "Duh"?

Yeah - "Don't write your encryption passphrase on a sticky note and attach it to your laptop"

Because you just know that'll be the next TSA directive.

Re:

[afidel (530433)]

This may be the most insightful thing ever posted to Slashdot in its ten year history.

Re:

[flyingfsck (986395)]

Hmm, after the first one was lost, the data was set free already, so now after the second one was lost, the crooks have a backup too. Good luck with encrypting lost data.

Re:

[Pig Hogger (10379)]

Is there anything to say besides "Duh"?

Yes: Mmmmm! Donuts!!!

Not Enough

[s31523 (926314)]

OK, so I have my Open Office document with goodies of HAZMAT data in it. I deploy my favorite encryption program [smalleranimals.com] and encrypt the document. Then I delete the original document. Same problem exists. Encryption is not enough.

Either the data needs to be "shredded" [fileshredder.org] or stored in it's natural form on a fully encrypted volume.

Encrypt the drive

[Skapare (16644)]

Encrypt the drive ... except for a partition or flash module with enough of the OS to get started and prompt for the drive key password.

Re:

[ic3scrap3r (641359)]

Full Disk Encryption. That is the only answer. Otherwise you are relying on the user to make security decisions and they don't understand security.

Full Disk Encryption is just that. It encrypts the entire thing and requires pre-boot authentication. Even the OS is encrypted.

this should read

[ILongForDarkness (1134931)]

We don't want people knowing how much crap happens at a typical bridge, or airport. So only autherized personal should have access to the data. Hmm, my ignorance is comforting as I type this.

Don't forget!

[suv4x4 (956391)]

Always put the password somewhere near your laptops in case you forget it. Security is aight, but there's nothing worse than forgetting your password!

And it seems...

[Creepy Crawler (680178)]

Due to the problem with most computers NOT being able to offer full HD encryption, to use a X86 emulator (like VirtualBox) with an encrypted directory via TruCrypt.

That problem is it does NOT provide good stego. I've went over that before, but there's a way to prove by contradiction that there is a likely chance of hidden partitions in data.

Re:

[jojo1835 (470854)]

What they should be looking at is VMware's ACE product. Built in encryption, security policies, and the ability to expire a VM after a certain amount of time. Add to that the ability to lock out USB devices and un trusted networks, and you have a pretty cool product.

I'm not as concerned about the laptops being lost as I am about contractors keeping the data on their laptops as long as they like.

Tim

Re:

[Creepy Crawler (680178)]

---What they should be looking at is VMware's ACE product. Built in encryption, security policies, and the ability to expire a VM after a certain amount of time. Add to that the ability to lock out USB devices and un trusted networks, and you have a pretty cool product.

And I dont see an easy to maintain that kind of security with exception of TPMs. They support remote network control as you describe.

If I was attacking that kind of setup, I'd extract the HD partitions to my emulator (yes, a real ICE) and pro

Re:

[Creepy Crawler (680178)]

Im assuming high hostility against a federal machine. So, no, the host password will NOT be easily extracted. You know.. SysKey, encrypted ~/windows directory, encrypted user directories... Not fun. To combat that, you use an ICE. In Circuit Emulator.

Next the VM... Yes, you could roll back the clock, but how would one prevent that simple of an "attack"? Record via signed encrypted file when the last time/date access was. Ok.. so now we can just 'freeze' the VM so restart starts with those very files at that

"Only a small chance"?

[Opportunist (166417)]

Be serious here!

You steal a laptop. If you're not a complete dimwit, you first of all check what you got. So you boot the thing up and notice that you have a government laptop in your hands.

Question for 100: Do you want to know what's on it? Let's even assume you don't know jack about computers, but do you want to know what's on the box?

Now, it's fairly trivial to get information out of a hard drive and restore deleted information (unless it's been overwritten, where it becomes less trivial). A halfway informed person with a bit of knowledge is enough, you don't need a forensic expert. All you need is the usual program(s), downloadable at leisure. And presto, instant information recovery.

The question is not whether information can be gained from the laptop, the only question is whether the thief has the brains to use it. That he has access to it without any hassle is a given. The only thing that matters is whether he knows a fence for information rather than just hardware.

And yes, those people exist...

Re:

[s31523 (926314)]

The question is not whether information can be gained from the laptop, the only question is whether the thief has the brains to use it.

Or the motivation... There is a good chance the thief just took his/her booty to a pawn shop and sold it. The person who ends up buying the laptop from the pawn shop will most likely pop the latest Ubuntu Boot CD in and re-format (only a geek would buy a used laptop from a pawn shop). The laptop could have contained the answer to who really killed Kennedy, but, now it is really gone!

Seriously, the TSA is having a hissy about a few laptops that got stolen, but the reality is that probably hundreds of

Re:

[mlts (1038732)]

Thieves are getting smarter though. Its on the news often how the data stolen on a laptop was worth millions. Even the local "swipe and run" guy at the university prowling the library for people who briefly leave their laptops unattended are becoming aware that the data on the laptop is just as valuable if not more than the hardware itself, so they will be more likely to find a partner in crime to extract the data from it for either selling to someone else for ID theft, or just outright extortion. If a t

Re:

[squidfood (149212)]

So you boot the thing up and notice that you have a government laptop in your hands.

And if it's from one of the smart gov agencies that followed policies since the SSA lost some laptops, you may or may not notice that through BIOS it's phoned home provided it's been reported stolen, and you've got full disk encryption on your hands. Have fun!

The real question is why "smart" doesn't seem to extend to TSA and their contractors. Agency I contracted for mandated that over a year ago.

Re:

[RobertB-DC (622190)]

You steal a laptop. If you're not a complete dimwit, you first of all check what you got. So you boot the thing up and notice that you have a government laptop in your hands.

You're forgetting that most smash 'n grab thieves *are* complete dimwits. They're going to take the box to the pawn shop for cash for their next hit of a controlled substance. They couldn't undelete a file to save their life.

If someone has the wherewithal to undelete files and sell the contents to the Russian Mafia, they're not going

Re:

[Chris Mattern (191822)]

Yes, but the same token, the smash-n-grab junkie isn't going to reformat the drive and prep it to be fenced out to an end user, either. When it falls into the hands of somebody smart enough to do that prep work, chances are awfully good that that somebody will be smart enough to know it's worth checking what info the laptop already contains.

Chris Mattern

Now that got me thinking

[suv4x4 (956391)]

So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place

The data that goes out, why spend incredible efforts tracking every action of the victims in case it's a fraud.. versus, invalidating the data that went out?

Your social security number was leaked because of the government? The government changes your social security number, fixes their data, and the old one remains as a trap waiting for some fraudster wanna be try and use it.

Re:

[faloi (738831)]

The data that goes out, why spend incredible efforts tracking every action of the victims in case it's a fraud.. versus, invalidating the data that went out?

Because, right or wrong, that social security number is your magic number. It sounds simple to just invalidate it and get a new one. And if it were more like a credit card, it would be that simple. You run the risk of having to update one or two automatic payments out of your account, and that's about it. To get your social swapped, a bunch of gov

Oh, and don't drop big heavy objects on your head

[John Jorsett (171560)]

Guess some people have to be told what should have been obvious.

Easy encryption, but not with Windows

[RobertB-DC (622190)]

The latest versions of Puppy Linux [puppylinux.org] have an easy-as-pie way to encrypt everything. Just burn a CD, boot from it, then at shutdown you're prompted to save your session. You can save to the hard drive or any other storage device, and you have the option to encrypt the data.

Boot from the CD, and it'll find and load the data you stored. Enter your password (correctly, one would hope) and go. It doesn't get much simpler than that.

Of course, you can't use your insecure Windows "helpers". But if they were *really* concerned about data security... well, I won't go *there*.

Ch-ching!

[bug (8519)]

The TSA can issue orders like that until it is blue in the face. If it ain't in the contract, and it ain't in the Federal Acquisitions Regular (FAR), then the only way this happens is if TSA (in other words, the taxpayer) chooses to *pay* for it to happen.

Effective solutions?

[WPIDalamar (122110)]

Are there any real-world effective laptop encryption solutions?

Encryption requiring a simple password:
    They key space will be limited making for easy cracking.

Encryption requiring a sufficiently complex password to avoid above:
    The password will be too hard to remember so people will write it down... on a sticky note on the laptop.

Encryption requiring an external device to supply complex key:
    This will fail because many people will either attach the device to the laptop, or keep it in the same bag as the laptop.

I guess the simple password solution is the best since it would at least require a degree of technical expertise from the thief to get around.

Re:

[jandrese (485)]

Most of the military is going towards the CAC Card [wikipedia.org], which is good because since it is your badge you have to take it with you when you go somewhere (you can't just leave it plugged into your workstation when you stand up to go somewhere, because eventually a guard will stop you and ask why you're not wearing your ID, and then you're in trouble).

Now they have a lot of issues with their implementation currently, but the underlying concept is a good one.

Re:

[mlts (1038732)]

The best compromise for this I've seen is a hardware token. Of course, people are likely going to keep it in the same container as the laptop, but most hardware tokens can be configured to render themselves inoperable after a number of wrong password attempts.

Now, even if someone has the token and the laptop, they have 3-15 tries to guess the password on the token, and usually that password is 8 characters or more.

Truecrypt!

[NitroWolf (72977)]

I use Truecrypt [truecrypt.org] to encrypt a partition on a drive and store all of my documents there. It's transparent to the user, once you've mounted your volume(s) and it's pretty danged fast, too. You can do encryption with Twofish, Serpent and AES or a cascading combination of them. Pretty damned secure, opensource and free.

You can even encrypt a whole device. If you do that, it just looks like a blank volume and a thief won't even know there is data on the volume to be decrypted.

Re:Truecrypt!

[mlts (1038732)]

TrueCrypt is an excellent program, the devs have put a lot of thought into every aspect of security. I use it for encrypting external drive volumes completely so if someone does a smash and grab on my stuff, they will end up with hardware, but the data is protected by a passphrase and a keyfile stored on the (WDE encrypted, using a hardware token) boot drive.

The biggest thing to remember with TrueCrypt, if you lose the first 1024k or so of an encrypted volume, you have completely lost the volume because the first part contains the encryption key (or keys) for the rest of the data. ALWAYS back up the volume headers (they are encrypted with the same mechanism as the volume itself, so they just need to be stored safely) of all critical volumes.

Of course there will be people saying that "I don't use encryption programs, I have nothing to hide." That is analogous to saying "Don't have a front door as you might has something to hide." Its not the governments these programs are for (most governments can obtain the decryption key via other means including a rubber hose), its thieves. These days, TrueCrypt and other security programs are highly necessary to keep a $1000 laptop from becoming a loss of many thousands in ID theft.

FDE works too..

[rickb928 (945187)]

Most Thinkpads support something like Full Disk Encryption. Password in the BIOS, and you can't boot without it. The disk is literally unusable without the password.

My gig at I%$&#, they had me write my FDE password down and give it to the nice Systems tech. That way, when I left, they could recover the disk and reissue the machine after the usual shredding and wiping.

Without it, they would have to throw out the drive and buy a new one.

And yes, you need to remember your password. This you write down and leave at home, or with the Keymaster in the office, or your boss.

Honestly, this is not that hard.

Re:

[rickb928 (945187)]

My understanding (and we grilled our supervisor on this one - he was good) is that flashing the drive would REQUIRE the password. But even if it didn't, the data is encrypted. If the password is on the drive firmware, flashing it would lose the password and woops, no data.

This is the hardware encryption scheme - supposedly, even if you put the drive in another Thinkpad, that chip has a different hardware key and even the right password won't decrypt. So it encrypts data onto the drive.

Yes, you could send

Re:

[MarkGriz (520778)]

"In Soviet Russian laptop encrypts you!"

Also in Soviet Russia.... they know how to make 'In Soviet Russia' jokes.

Re:

[mlts (1038732)]

I personally have not used PointSec, but I have had excellent results with other encryption programs, where you install, encrypt the boot/system volume (PGP can journal the encryption so a cold power failure won't juice the data), then not worry about it other than punching your password at bootup.

Performance wise, I've not noticed any slowdown (the bottleneck is the HDD rather than the encryption layer.)

Please don't discount WDE programs in general because one of them is underperforming. I have used WDE p