TSA to Contractors - Encrypt Your Laptops

eweekhickins writes "After two laptops were lost containing the personal data of 3,900+ truckers who handle HAZMATs, the Transportation Security Administration has ordered its contractors to encrypt any and all data. 'After the second theft or loss, the TSA conducted an IT forensic investigation that ascertained that the (previously) deleted information could be retrieved if a thief had the proper training. "So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place," Davis said.'"

  • Not Enough (Score:5, Interesting)

    by s31523 ( 926314 ) on Wednesday October 17, 2007 @01:42PM (#21013245)
    OK, so I have my Open Office document with goodies of HAZMAT data in it. I deploy my favorite encryption program [smalleranimals.com] and encrypt the document. Then I delete the original document. Same problem exists. Encryption is not enough.

    Either the data needs to be "shredded" [fileshredder.org] or stored in its natural form on a fully encrypted volume.
  • this should read (Score:2, Interesting)

    by ILongForDarkness ( 1134931 ) on Wednesday October 17, 2007 @01:44PM (#21013279)
    We don't want people knowing how much crap happens at a typical bridge, or airport. So only authorized personnel should have access to the data. Hmm, my ignorance is comforting as I type this.
  • Re:It's always sad (Score:4, Interesting)

    by Volante3192 ( 953645 ) on Wednesday October 17, 2007 @01:45PM (#21013293)
    "Reactive"

    It's more likely it was pitched, but either for cost or time, management probably shot it down. Never mind there've been high profile laptops missing all over, like the VA one. Being naive, I would wager that the IT department would like to lock down the systems as tight as possible (I know I would) but are being thwarted by management because it'd make things too hard, too different, or cost too much.

    It's always after the sole data server blows up that they decide "oh, guess that backup option would've been worthwhile." (Had this happen too. Financial data, customer data, and no paper trail. But the tape drive cost 'too much'.)
  • Re:And it seems... (Score:2, Interesting)

    by jojo1835 ( 470854 ) on Wednesday October 17, 2007 @02:05PM (#21013645)
    What they should be looking at is VMware's ACE product. Built-in encryption, security policies, and the ability to expire a VM after a certain amount of time. Add to that the ability to lock out USB devices and untrusted networks, and you have a pretty cool product.

    I'm not as concerned about the laptops being lost as I am about contractors keeping the data on their laptops as long as they like.

    Tim
  • Re:And it seems... (Score:3, Interesting)

    by Creepy Crawler ( 680178 ) on Wednesday October 17, 2007 @03:13PM (#21014595)
    I'm assuming high hostility against a federal machine. So, no, the host password will NOT be easily extracted. You know.. SysKey, encrypted ~/windows directory, encrypted user directories... Not fun. To combat that, you use an ICE. In Circuit Emulator.

    Next the VM... Yes, you could roll back the clock, but how would one prevent that simple of an "attack"? Record via signed encrypted file when the last time/date access was. Ok.. so now we can just 'freeze' the VM so restart starts with those very files at that exact time.

    The question is "How can we verify accurate and precise time in a VM?" The answer here is that the VM needs to have a secret that is shared with a trusted server, however one must also have trusted access to the CPU to verify that no tampering takes place during the critical connection. To combat replay attacks, the VM client could send a very fine granularity time (say HH:mm:ss:SSS) and request a response using this time. Any significant deviancy from this timebase would seal off the VM.
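
The time check described in the comment above, as an added example that is not part of the original post or of any VMware product: the VM sends a millisecond timestamp as a challenge, a trusted server returns its own clock reading bound to that challenge with an HMAC under the shared secret, and the VM seals itself on a bad MAC, a replayed response, a clock deviation or an expired lifetime. The key, function names, the random nonce appended to the timestamp and the 2-second tolerance are assumptions; the trusted-CPU requirement the comment raises is outside what this code can show.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key; assumed to be provisioned into both the VM and the time server.
SHARED_SECRET = b"constructed-demo-secret"

def make_challenge(local_now: float) -> str:
    """Client: millisecond timestamp (as in the comment) plus a random nonce (added here)."""
    return f"{int(local_now * 1000)}:{secrets.token_hex(8)}"

def _tag(body: str, secret: bytes) -> str:
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()

def server_respond(challenge: str, server_now: float, secret: bytes = SHARED_SECRET) -> dict:
    """Server: bind its clock reading to the client's challenge under the shared secret."""
    body = json.dumps({"challenge": challenge, "server_time": server_now}, sort_keys=True)
    return {"body": body, "tag": _tag(body, secret)}

def client_check(challenge, local_now, response, last_seen, expires_at,
                 secret=SHARED_SECRET, max_skew=2.0) -> str:
    """Client: return "ok", or the reason the VM should seal itself."""
    if not hmac.compare_digest(_tag(response["body"], secret), response["tag"]):
        return "seal: bad MAC"
    body = json.loads(response["body"])
    if body["challenge"] != challenge:
        return "seal: response is for a different challenge (replay)"
    server_time = body["server_time"]
    if abs(server_time - local_now) > max_skew:
        return "seal: local clock deviates from server"
    if server_time < last_seen:
        return "seal: time is earlier than last recorded access"
    if server_time >= expires_at:
        return "seal: VM lifetime expired"
    return "ok"

if __name__ == "__main__":
    # Constructed scenario: last recorded access at t=1000, VM expires at t=5000.
    c = make_challenge(1200.0)
    print(client_check(c, 1200.0, server_respond(c, 1200.3), 1000.0, 5000.0))
    # Host clock rolled back to t=900 while the server still reports t=1200.3.
    c2 = make_challenge(900.0)
    print(client_check(c2, 900.0, server_respond(c2, 1200.3), 1000.0, 5000.0))
```
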
  • by TechwoIf ( 1004763 ) on Wednesday October 17, 2007 @05:59PM (#21017055) Homepage
    That would be funny if it did not actually happen to me. I drive a truck and cross the border to Canada and back to the USA. I was literally asked for the keys to the laptop by customs.
