TSA to Contractors - Encrypt Your Laptops
eweekhickins writes "After two laptops were lost containing the personal data of 3,900+ truckers who handle HAZMATs, the Transportation Security Administration has ordered its contractors to encrypt any and all data. 'After the second theft or loss, the TSA conducted an IT forensic investigation that ascertained that the (previously) deleted information could be retrieved if a thief had the proper training. "So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place," Davis said.'"
The norm for govt. (Score:3, Informative)
"Only a small chance"? (Score:4, Informative)
You steal a laptop. If you're not a complete dimwit, you first of all check what you got. So you boot the thing up and notice that you have a government laptop in your hands.
Question for 100: Do you want to know what's on it? Let's even assume you don't know jack about computers, but do you want to know what's on the box?
Now, it's fairly trivial to get information out of a hard drive and restore deleted information (unless it's been overwritten, where it becomes less trivial). A halfway informed person with a bit of knowledge is enough, you don't need a forensic expert. All you need is the usual program(s), downloadable at leisure. And presto, instant information recovery.
The question is not whether information can be gained from the laptop, the only question is whether the thief has the brains to use it. That he has access to it without any hassle is a given. The only thing that matters is whether he knows a fence for information rather than just hardware.
And yes, those people exist...
As a Government Contractor (Score:1, Informative)
It has been especially annoying for my department because we have lots of older hardware (like Sony Vaio Picturebooks that are really nice for portable testing, and Sharp Zaurus SL-C7xx series Linux boxes that we really have no way of encrypting, and must plant clear instead, even though they'll never have any kind of vital information on them). Not to mention all of the people who are into dual booting (we now use VMware a lot instead, although VMware has several issues that make it annoying, the most basic of which is the clock drift). It's also been a pain for our laptop re-imaging system (which is basically dead now).
In the end I'll be glad if my main work machine is stolen since I'm pretty sure Outlook doesn't encrypt anything and I have confidential information on it, but the cost is a lot higher than the price of one copy of Pointsec.
Re:Not Enough (Score:1, Informative)
This way your entire OS will be encrypted.
Easy encryption, but not with Windows (Score:3, Informative)
Boot from the CD, and it'll find and load the data you stored. Enter your password (correctly, one would hope) and go. It doesn't get much simpler than that.
Of course, you can't use your insecure Windows "helpers". But if they were *really* concerned about data security... well, I won't go *there*.
Ch-ching! (Score:3, Informative)
Truecrypt! (Score:5, Informative)
You can even encrypt a whole device. If you do that, it just looks like a blank volume and a thief won't even know there is data on the volume to be decrypted.
Re:Effective solutions? (Score:3, Informative)
Now they have a lot of issues with their implementation currently, but the underlying concept is a good one.
Re:"Only a small chance"? (Score:3, Informative)
Even if it's a personal laptop with nothing more sensitive than Facebook cookies, that is still valuable info to a thief.
I strongly urge anyone with a laptop to spend the $100 or so and buy a decent WDE (whole disk encryption) program. There are a number of good programs out there to choose from. I personally use (on different machines, of course) PGP, Jetico's BestCrypt, and MySecureDoc, and found them all to be pretty much install and forget (other than providing the passphrase at boot.) PGP and Jetico both offer eToken support for added security, so someone stealing the laptop would have to have the eToken, the laptop, and the password of the eToken to obtain any useful info.
One feature of Jetico's offering I like is the fact that you can install it on a BartPE CD, which makes recovery of a damaged, encrypted filesystem a lot easier. You do not need to decrypt the volume completely, just mount it, and do the repairs needed.
Re:Not Enough (Score:3, Informative)
Full Disk Encryption is just that. It encrypts the entire thing and requires pre-boot authentication. Even the OS is encrypted.
Re:Truecrypt! (Score:5, Informative)
The biggest thing to remember with TrueCrypt, if you lose the first 1024k or so of an encrypted volume, you have completely lost the volume because the first part contains the encryption key (or keys) for the rest of the data. ALWAYS back up the volume headers (they are encrypted with the same mechanism as the volume itself, so they just need to be stored safely) of all critical volumes.
Of course there will be people saying that "I don't use encryption programs, I have nothing to hide." That is analogous to saying "Don't have a front door as you might have something to hide." It's not the governments these programs are for (most governments can obtain the decryption key via other means including a rubber hose), it's thieves. These days, TrueCrypt and other security programs are highly necessary to keep a $1000 laptop from becoming a loss of many thousands in ID theft.
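The header-backup advice in the comment above, as an added illustration that is not part of the original thread and is not TrueCrypt's actual on-disk format: a simplified model in which a password-derived key wraps a random master key stored in a volume header. The header layout, the function names, and the SHA-256 keystream (a stand-in for a real disk cipher) are assumptions made for this sketch.

```python
import hashlib, hmac, os

HEADER_LEN = 16 + 32 + 32  # salt | wrapped master key | MAC (assumed layout)

def _keystream(key, n):
    # Toy SHA-256 counter-mode keystream, a stand-in for a real disk cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def _kek(password, salt):
    # Key-encryption key derived from the password; never stored anywhere.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def create_volume(password, plaintext):
    master_key, salt = os.urandom(32), os.urandom(16)
    kek = _kek(password, salt)
    wrapped = _xor(master_key, kek)            # master key exists only in wrapped form
    mac = hmac.new(kek, wrapped, "sha256").digest()
    return salt + wrapped + mac + _xor(plaintext, master_key)

def open_volume(password, volume):
    salt, wrapped, mac = volume[:16], volume[16:48], volume[48:HEADER_LEN]
    kek = _kek(password, salt)
    if not hmac.compare_digest(mac, hmac.new(kek, wrapped, "sha256").digest()):
        raise ValueError("header damaged or wrong password")
    return _xor(volume[HEADER_LEN:], _xor(wrapped, kek))

def demo():
    password, data = b"correct horse", b"driver records (constructed sample)"
    volume = create_volume(password, data)
    header_backup = volume[:HEADER_LEN]        # store this copy off the device
    damaged = os.urandom(HEADER_LEN) + volume[HEADER_LEN:]
    try:
        open_volume(password, damaged)
        lost = False
    except ValueError:
        lost = True                            # right password, still unreadable
    restored = header_backup + damaged[HEADER_LEN:]
    return lost, open_volume(password, restored)

if __name__ == "__main__":
    print(demo())
```

The data area is untouched in the damaged volume, yet the correct password cannot open it because the only copy of the master key lived in the overwritten header; the backed-up header still needs the password, so storing it separately does not expose the data.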
FDE works too.. (Score:3, Informative)
My gig at I%$&#, they had me write my FDE password down and give it to the nice Systems tech. That way, when I left, they could recover the disk and reissue the machine after the usual shredding and wiping.
Without it, they would have to throw out the drive and buy a new one.
And yes, you need to remember your password. This you write down and leave at home, or with the Keymaster in the office, or your boss.
Honestly, this is not that hard.
Re:It's always sad (Score:3, Informative)
Re:Contractors (Score:1, Informative)
Bitlocker? (Score:1, Informative)
Re:FDE works too.. (Score:3, Informative)
This is the hardware encryption scheme - supposedly, even if you put the drive in another Thinkpad, that chip has a different hardware key and even the right password won't decrypt. So it encrypts data onto the drive.
Yes, you could send it out to be extracted. Then go about breaking the key. We didn't get much guidance on the password, but mine was 8 characters and included upper/lower and symbols. It would be nontrivial to extract the drive and decrypt.