Section 7.10 Laptop Policy | Real World Linux Security Prentice Hall Ptr Open Source Technology Series

7.10 Laptop Policy

Laptops have all the problems of desktops, plus the ability to be moved easily outside the physical security of the agency. Most people do not give any thought to their laptops being stolen and data falling into the wrong hands. A client of mine with the martial arts training and size to win most bar brawls was relieved of his laptop in a good U.S. hotel at gunpoint. Unfortunately, his very carefully made backup on CD-ROM was stored "safely" in the CD-ROM drive of the laptop when it was stolen. Another client of mine was relieved of his Linux laptop (that I had installed for him) when men broke into his hotel room in the middle of the night in Kenya and pointed guns at him and his wife.

Assume that the U.S. Department of Justice attorneys had their strategy and arguments for the Microsoft antitrust case on their laptops that they carried through the crime-ridden streets of Washington, D.C. This data might indicate how far the government was willing to compromise and what ruling they would ask for if a compromise was not worked out. The data then would, quite literally, be worth a billion dollars to Microsoft's attorneys. Were the government's attorneys careful enough to encrypt their data? I am not implying that Microsoft would do this; it simply is one of the more interesting "high stakes" legal cases.

Are people targeted for the data on their laptops? There have been recent claims of this. Even if you are not so targeted, some thieves might try booting up and figure out what they have. In early 2000, there were four high-profile cases known to this author of laptops with sensitive information being stolen. One was a senior British Army officer at Heathrow. Another was an MI5^[2] agent in the London Tube who set his laptop down whilst buying a ticket; it contained details on the Northern Ireland peace plan. One less on here is to keep the laptop in a carrying sack with a strap around your neck so that you will not put it down and forget it or fail to notice someone else grabbing it. A third was a "drunken" MI6 officer.^[3]

^[2] MI5 is the British Secret Service, as every James Bond fan knows.

^[3] Reported by John Kay and quoted on isn@securityfocus.com on April 5, 2000. Reported on isn@securityfocus.com on May 20, 2000 from The Times of London, May 21, 2000. (These dates are correct; the difference is due to different time zones.)

Tip for airline travelers:

Many laptops are stolen at airport security checkpoints. A common technique involves two thieves. They will arrange to be in line, one after the other, in front of someone carrying a laptop. The first, after passing through the metal detector, will fiddle with his belongings as an excuse to loiter near the exit side of the X-ray machine.

The second will have enough metal, keys, coins, belt buckle and such, to trigger an alarm. The victim behind them already will have put her laptop on the conveyor belt to pass through the X-ray machine. The guards will be "wanding" the second criminal and holding up the line. Everyone's attention will be focused on this second criminal. Meanwhile, the first criminal will pick the victim's laptop up and head out of the secured area and out of the building; sometimes he will hand it to a third criminal. This theft has become so common that the U.S. Federal Aviation Authority has issued an advisory. Do not place your laptop or other valuables on the conveyor belt until it is your turn to pass through the metal detector. If you get delayed, ask to retrieve your laptop and do not be deterred. Back up data and encrypt any confidential data on the disk before traveling in high-risk areas.

Not to be left out of the limelight, a fourth laptop containing "code word" information more secret than top secret vanished from the U.S. State Department's Bureau of Intelligence and Research.^[4] Its thousands of very classified documents included details on arms proliferation, sophisticated weapons, and methods and sources of U.S. intelligence gathering. A source close to the investigation stated that it might be one of the single worst breaches of security in U.S. history! The door to this otherwise secure room was frequently propped open for convenience.

^[4] Reported on April 17, 2000 in the Atlanta Journal.

Errors from the media reports referenced in this chapter were corrected by a friend who is retired from the CIA.

The laptop still has not been retrieved. After it came to light that other laptops were missing from the State Department, it implemented a policy for periodic random inspection of laptops to verify that they did not have highly confidential information on them. This policy is appropriate for some other organizations too.^[5]

^[5] Reported in InfoSec News (isn@securityfocus.com) on April 23, 2000 and May 22, 2000.

A login password or "BIOS password" that many people confidently think will protect their data is worthless. Most laptop disks can be removed, plugged into a commonly available adapter, and the adapter plugged into a tower system as a second disk. Then, gigabytes of unencrypted data can be copied from it in less time than it takes to watch an alien abduction on "The X Files."

This book was written on my Toshiba T4700CT laptop, bought used, running Slackware Linux. After any productive writing session, the Troff source was backed up to a floppy in case the disk crashed or the system was stolen or dropped. Daily backups were done to a tower system over Ethernet, and every few days a backup was done to a friend's system 1200 miles away over the Internet. Thus, if my house were burgled, I would lose but a day's effort. Every month, backup tapes went to a bank safe deposit box. Though the data really should have been encrypted using PGP, it was not. It is not that confidential and it is rarely in areas where it is likely to be stolen for content.

In the preceding stories of laptops with highly classified data being stolen, there was no mention that the data was encrypted to prevent it being accessed by "the wrong people." The State Department laptop's data was not encrypted. Not to encrypt it could be considered irresponsible. All confidential data should be stored in encrypted form using PGP or equivalent.

There should be a policy that all confidential data on laptops be encrypted when not in use, using some password that is not stored on the system or in a person's personal effects. Pretty Good Privacy (PGP) works well for this.

Another solution is to use a Linux disk driver that encrypts all data before writing it to disk. One such driver is discussed in "Encrypted Disk Driver" on page 274.

In the summer of 2000, the U.S. government decided that encrypting classified data on laptops was a good idea. Instead of these free techniques, it has hired a Canadian firm to provide a solution.

Another mistake in the U.S. case was lack of physical security, "Rings of Security" in fact. (This concept was examined in "Moving to Rings of Security" on page 26.) The secure room's door should not have been propped open, and there should have been an alarm on it that would alert security if it remained open for more than a minute. There should have been more checkpoints where highly classified data is checked. There should have been security cameras with images taped and saved. The "front door" security people should have stopped anyone trying to leave with a laptop, unless it was proven free of classified data or secured properly. The outside of the laptop should have been equipped with a visible pattern that indicated its security level and owner.

Presumably, someone without clearance stole the State Department's laptop. If so, why was he not noticed? When I worked at Hughes Aircraft Company, everyone was required to wear a name badge which also indicated the person's security clearance. Even though the building I worked in was a secured area, the laboratory next to mine was accessible by thumbprint only, and there was a double set of doors to prevent one from being propped open. Additionally, there should be a requirement that all important data in the laptop be copied or moved for storage to a location separate from the laptop.

What is a good separate location? Many hotels have small safes or safe deposit boxes. Because you probably carry the laptop with you, send the backup disk (with confidential data encrypted) in checked baggage or with an associate's baggage or in both places. LS-120, Zip, or CD-RW disks are perfect for this, as long as they are separate from the laptop. My client, the martial arts student, learned this the hard way when his CD-RW disk, still residing in the laptop, was stolen.

A policy of frequent scans for viruses (for Windows-based systems and Macs) and installed virus scanners that scan any floppies or e-mail before they can infect desktop systems that are prone to viruses would be an excellent idea.

Top