Protecting your data
James Derk, Redding.com
It seems as
if every passing day brings another story of a missing
laptop computer with sensitive data on it. The most
famous, of course, was the Veterans Affairs computer,
now recovered, that had personal data on 26 million
U.S. military veterans on it.
Businesses are responding to this issue with increased
enforcement of who can obtain sensitive data in
portable formats as well as by using tools to protect
data once it leaves a secured location.
What can normal users do to protect their data?
Most home
computers don't have highly sensitive business data on
them but many people have tax returns, credit card
information and other data on their hard drives. And
it only takes one "smash and grab" of your car window
to lose it all.
One study says 10 percent of all laptops are stolen or
misplaced, a figure I think is high but still
highlights the issue.
One thing a consumer can do is put an administrative
password on the laptop. This is a simple thing, done
in the setup screen right as the computer boots. (You
get into setup by hitting DELETE or F2 or a different
key that will display briefly just as your computer
first boots.)
If you put an administrative password on your laptop,
you will be prompted for a password when you first
boot the computer. If you don't know the password, it
won't boot. (Read that again: make this a password you
will remember forever because if you forget the
password your PC is now a paperweight.)
A second option is to add a disk password on some
models, which will put a basic level of protection on
your hard disk.
Both of the above are enough to stop the routine thief
from using a stolen laptop. They won't stop a seasoned
data thief.
For that you need to encrypt the contents of your hard
drive. There are many products on the market for this
at the consumer level. Two I have tried are
MySecureDoc from WinMagic, and SafeHouse.
Both are reasonably priced at under $30. My favorite
of the two was MySecureDoc, which installed seamlessly
under Windows XP (and 2000) and was simple to use. The
password hint features were especially good because if
you forget your password you are never seeing your
data again. (Just don't make the hints too easy... if
everyone knows your mother's maiden name it's not a
good choice.)
You can see the product at www.winmagic.com.
As for recovering your stolen laptop, a fine choice is
the oddly named "Lojack for Laptops" from CompuTrace.
Named for the Lojack system that recovers stolen cars,
this software will "phone home" and let the
authorities know where the laptop is connected even if
it has been reformatted.
It costs $49.95 from www.lojackforlaptops.com.
MySecureDoc Personal Edition Plus
PC Magazine Singapore
Security is an important issue
when you have sensitive data. However, you can put
your mind at ease with MySecureDoc Personal Edition
Plus. MySecureDoc Personal Edition Plus is security
software that offers boot logon, hard disk encryption
and password protection, which provide additional
protection for your data.
Password setup is straightforward – just key in your
username and password, set a hint and three questions
and answers for password recovery. Besides the default
questions, you can also add your own. For disk
encryption, you can choose the hard drive to be
encrypted with the Advanced Encryption Standard (AES). There is
a “Standard” mode which encrypts only the used disk
space and “Thorough” mode, which encrypts the entire
disk.
We tested the hard disk encryption feature on an
external 20GB IDE hard disk and noted the process took
about twelve minutes on standard mode. After that, we
plugged the external hard disk into another PC, and the
system detected no data and saw it only as an unformatted drive.
However, accessing the encrypted drive on the original
system is still possible if privileges are granted to a
specific user account on that PC.
In addition, if the boot logon feature is enabled,
the user will be prompted with a special login screen
before the Windows loading screen. Even though this is
unlike hardware security such as biometric scanning,
it ensures sufficient security from unauthorised
access. Also check out the Media Edition for memory
cards and Professional Edition for business.
Getting over laptop loss
By Joris Evers
If your
laptop gets swiped, consider this: 97 percent of
stolen PCs are never recovered.
The rare retrieval of a notebook computer robbed from
a Department of Veterans Affairs employee this week
just underlines that FBI statistic. Finding the PC was
made a priority for the agency, as it contained
sensitive details on more than 26 million U.S.
military veterans.
That outcome is unlikely for the thousands of ordinary
people who lose a notebook, even though they, too, may
be at risk of identity theft. A few simple things can
help reduce some headaches after a laptop is stolen or
misplaced, experts say. But the real solution is the
most obvious: Don't let your PC get stolen.
"Common sense is the best defense," said Jon Oltsik,
an analyst at Enterprise Strategy Group. That means
not leaving your laptop in plain view in a car and not
letting it out of your sight in an airport or at a
conference or other public places, he said.
But laptop theft and loss are facts of life. More than
600,000 notebook thefts occurred in 2003, according to
Safeware Insurance, which sells computer insurance.
The number increased to about 750,000 laptops last
year, according to Absolute Software, a maker of tools
to retrieve lost or stolen laptops.
"The proliferation of laptops has made the overall
theft numbers go up," said Ben Haidri, vice president
of marketing at Absolute.
Laptop leashes and locks sold by companies, including
Kensington and Targus, can help prevent laptops from
disappearing. Of course, like bicycle locks, these
measures are only a deterrent. A determined thief will
be able to bypass them easily.
"One of the simplest things consumers can do, if they
have a laptop, it should never be in the backseat of a
car," Haidri said.
In San Francisco, police have warned that places that
offer wireless access to the Internet are turning into
hot spots for laptop theft. Last year there were 48
laptop robberies in the city. This year that number is
projected to surpass 70, with 18 thefts as of March,
according to a report in the San Francisco Chronicle
in April.
Some heists in San Francisco are particularly heinous.
One finance manager was stabbed in the chest for his
Apple Computer PowerBook while sitting at a coffee
shop in the city's Mission District, the San Francisco
Chronicle reported.
Avoiding becoming a victim
There are a few techniques people can use to alleviate
the problems that follow the loss of a laptop and the
data on it.
A recent data backup means that a lost computer
doesn't equal lost files. If there is private data on
the machine, password protection and hard drive
encryption can prevent access to that by the thief.
Software that scrambles full hard disk drives is sold
by companies including PGP, which offers the PGP Whole
Disk Encryption product for $149. Microsoft is also
building encryption capability, called BitLocker, into
enterprise and high-end consumer versions of Windows
Vista, the successor to XP slated to be broadly
available in January.
"Think about what's on your laptop. The threat to
individuals is primarily about identity theft," said
Andrew Krcik, vice president of marketing at PGP. "In
the past the target has primarily been the hardware.
We're seeing a lot of talk about laptops being
targeted for the information that's on them."
Encrypting only certain files and folders is also an
option. Various products can do this, including
Windows XP and free software found on popular download
Web sites such as Download.com. However, confidential
information may be stored in the browser cache and
other locations on the hard disk drive that can't be
easily encrypted using those products. (Download.com,
like CNET News.com, is a CNET Networks property.)
Reassuring, perhaps, is that the majority of laptop
thieves are petty criminals who are only interested in
the hardware. "Fifteen years ago, these guys were
selling car stereos," Oltsik said.
Regardless, if a laptop with private data is stolen,
laws in the majority of U.S. states now require that
the people who might be at risk of identity fraud be
notified. This is more likely if it is a business
laptop and can be costly, not to mention a public
relations fiasco. "If the laptops are corporate
assets, they must be protected," Oltsik said.
Retrieving a lost laptop can be a long shot. A trace
on a computer increases the chances of recovery.
Companies including Absolute and zTrace sell
software-based bugs. These products periodically
connect to the Internet; if a PC is reported stolen,
the computer returns details on its location, which is
reported to law enforcement.
"We have 90 percent success rate," Absolute's Haidri
said. The company has about 700,000 current
subscribers to its service; about 15 percent of those
are consumers who typically pay $99.99 for a
three-year subscription, he said.
In the
case of Absolute, the software is sometimes embedded
in the system as part of the laptop BIOS. This means
that it can't be removed, even if the hard disk drive
is replaced or wiped clean, the company said.
The Absolute tracking packages for business users
offer further options, including the ability to
remotely wipe selected data when the laptop has been
reported stolen. For the consumer version, called
LoJack for Laptops, Absolute is considering a feature
that will remotely retrieve data if the machine is
reported missing, Haidri said.
Prevention might still be the best cure. James Van
Dyke has been the victim of four ID crimes in the
past. He runs security software on his PC and makes
regular backups of his data. To prevent unfriendly
eyes from understanding his personal data, he
scrambles his files by hand.
"Any criminal that got a hold of my files would have
nothing of value, because account numbers and other
personal information is all rendered useless because I
store it in a code that only makes sense to me," said
Van Dyke, an analyst at Javelin Strategy & Research.
White House orders better security for sensitive data
By Candace Lombardi Staff Writer, CNET News.com
The
U.S. government has 45 days to upgrade its security
standards for protecting the data it holds on millions
of U.S. citizens.
The Office of Management and Budget (OMB), which
operates under the White House, sent a "Memorandum for
the Heads of Departments and Agencies" on June 23 requesting the
implementation of new security standards and practices
concerning data.
The request comes in the wake of several embarrassing
government security breaches due to losses of laptops
holding sensitive information. Many of the incidents
resulted in an accidental release of Social Security
numbers and dates of birth--two key pieces of data
used in identity theft.
Perhaps the worst breach took place May 22, when the
Department of Veterans Affairs lost the personal
data of 26.5 million U.S. veterans and their spouses
after a laptop was stolen from the home of a
government employee. Other government agencies that
have recently lost sensitive data include the Federal
Trade Commission, the Department of Agriculture and
the Department of Energy.
The new standards include encryption for all data on
notebooks and mobile devices unless it is specifically
classified as "nonsensitive" in writing by a Deputy
Secretary or other empowered superior. Agencies must
additionally require two forms of authentication to
access the information, such as a password and key
card system.
Government employees must also employ "time-outs" that
require the user to re-authenticate every 30 minutes
for both remote access and mobile devices. All data
downloads must be logged, and sensitive data may
remain on a laptop or handheld for a maximum of 90
days, unless specifically permitted for a longer
period. The memo includes a list of guidelines from
the National Institute of Standards and Technology (NIST)
on protecting information.
While the new procedures are presented as a
"recommendation" from the OMB, Deputy Director Clay
Johnson III adds that the office will be sending
government inspectors to see that the request is
properly and promptly carried out. The OMB has
provided a flowchart illustrating the steps it would
like agencies to take, in addition to procedural
lists.
"Most departments and agencies have these measures
already in place," Johnson said in the memo. "We
intend to work with the Inspectors General community
to review these items as well as the checklist to
ensure we are properly safeguarding the information
the American taxpayer has entrusted to us. Please
ensure these safeguards have been reviewed and are in
place within the next 45 days."
In less bureaucratic terms, the sentiment seems to be:
Get it done, and soon.
Data loss has been a point of contention in the
private sector as well. Many companies, or their
affiliates, have lost customers' personal data. In
June, approximately 243,000 Hotels.com customers were
put at risk via an Ernst & Young laptop loss, and 1.3
million Texas Guaranteed Student Loan company customers
had their data exposed. In March, data on 200,000
Hewlett-Packard employees was affected by a loss. Ohio
University and the University of Southern California
have also recently experienced breaches of information.
Data Security Spending Rises
By Red Herring Staff
Growing
incidents of data breaches have led to companies
spending more on protecting their data.
Nearly 40
percent of new security spending by businesses in 2007
will be directed towards protecting data, research
firm Gartner said Tuesday, indicating a shift from
securing the network to shielding information.
Increasing incidents of data loss, the rising costs
associated with each incident, and the public
disclosure that companies have to make after a data
breach have led to the change, said Gartner.
“The rate of data breaches has increased materially
over the last two years,” said Rich Mogull,
vice-president of research, Gartner. “There’s more
information out there than ever and there’s actual
financial value attached to that data, which has
attracted the bad guys.”
For companies, data loss can be expensive. When
customer data is stolen or misplaced, it can cost
businesses more than $90 per exposed account counting
legal expenses, clean up and recovery, and
communications costs, said Gartner. And that’s not
counting the damage to the companies’ reputations
from the public disclosure of the loss.
“If you are a company that has lost 55,000 records,
then it can work out to more than $5 million in
financial losses for you,” said Mr. Mogull.
Incidents of data theft have been dominating the
headlines for more than a year now. Last year was
labeled a banner year for data leaks as some of the
United States’ largest financial and retailing giants
had sensitive customer data lost or stolen.
In March, hackers broke into CardSystems, a credit
card processing company, exposing the details of 40
million credit cards. The resulting $1 billion in
losses nearly put the company out of business (see
CardSystems Bought (Again)).
The same month, more than 1.5 million consumer records
were stolen from databases at DSW Shoe Warehouse.
Later, companies like Time Warner and Citigroup said
they had lost personal information of their users.
Still, few businesses are taking steps to curb the
problem, said Mr. Mogull. “Just about 20 percent of
enterprises are leading the way with proactive
measures to protect their data,” he said. “The rest
are using an approach that is more suited to please
the regulators.”
Protecting the data
While businesses may be slow to react, security
companies have introduced a number of products to
tackle data leakage. These include access control that
can regulate access to sensitive information,
encryption, content monitoring and filtering so that
data cannot leak out of the network, and database
encryption.
Database encryption, specifically, is a fast growing
segment, said Mr. Mogull.
“It makes good business sense for companies to focus
on tighter controls around sensitive data, especially
in databases,” said Phil Neray, vice president of
marketing for Guardium, a database auditing and
protection company.
Started in 2002, Waltham,
Massachusetts-based Guardium said it has seen strong
interest among mid-sized companies that are looking at
database encryption as a way to not just protect data
but also be compliant with regulations. Other startups
in the segment include Tizor and Lumigent.
In a sign that the market has caught the eye of some
of the bigger security companies, Symantec said it
plans to soon launch a database auditing and
protection product. The product is the first to come
out of the Symantec Research Labs, which was set up about
15 months ago (see Symantec Imitates a Startup).
“Symantec recognizes that it is an important space,”
said Mr. Neray, “and their entry will raise awareness
that this type of technology is important for
companies.”
WinMagic Announces Full-Disk Encryption Software
By PC Magazine Staff
WinMagic on Tuesday announced a line of
software-based full-disk encryption programs designed
to safeguard consumer data.
Three programs -- MySecureDoc Personal Edition,
MySecureDoc Media Edition, and MySecureDoc Personal
Edition Plus -- will be sold either through the
WinMagic web site or through online retailer Tiger
Direct. The company already ships a version of the
software for the enterprise market.
MySecureDoc Personal Edition and MySecureDoc Media
Edition will be sold for $29.95 and $19.95,
respectively. MySecureDoc Personal Edition Plus, which
combines the two programs into a single package, will
be priced at $49.95, the company said.
Both the Personal Edition and the Media Edition use
the FIPS (Federal Information Processing Standard)
140-1 level 2 validated cryptographic engine used by
WinMagic's certified Professional Edition, and
incorporate an AES 256-bit encryption algorithm.
While the numbers might not mean much to the average
user, the National Security Agency in 2003 concluded
that 256-bit AES encryption was secure enough to be
used in encrypting U.S. government documents
classified "Top Secret".
The Personal Edition software encrypts the entire
disk, including hidden files and partitions found on a
laptop or desktop computer. However, the software also
allows Windows to reorganize the drive using its
defragmentation tool without breaking the encryption.
The Media Edition version, meanwhile, merely encrypts
an external hard drive or flash card.
The software works with both Windows 2000 and Windows
XP.
Buyers Scour eBay For Data-Rich Hard Drives
By Gregg Keizer Courtesy of TechWeb News
Buyers on eBay troll the online auction site for used
drives in the hope that the platters haven't been
wiped clean and contain valuable data, including
credit card numbers, a researcher said Monday.
Simson Garfinkel, a postdoctoral fellow at
Harvard's Center for Research on Computation and
Society, has been buying used hard drives on eBay
since 2001, then analyzing the data he finds on some
of the devices.
Of the 236 drives Garfinkel bought, 7 contained more
than 300 recoverable credit card numbers; one had
more than 11,000 unique account numbers that he could
retrieve.
That's because only 19 percent of drives he acquired
had been wiped clean. The majority of previous owners
had either not touched the drives or had only run the
DOS commands FDISK and FORMAT, which actually leave
data on the drive so users with simple diagnostic
tools can read the information.
Some eBay buyers are sniffing for such drives. "I
think that many drives sell for more than their market
value," on eBay, Garfinkel said in an e-mail interview
with TechWeb. The only explanation: they're playing
the possibilities, and expect there's data on some of
the drives they buy.
Garfinkel even tracked down the original owners of the
7 credit card-packed drives, using basic detective
work such as analyzing the most common e-mail
addresses on the platter and/or reviewing intact Word
documents for clues.
The drive with 11,609 unique credit card numbers came
from a medical center, which had also disposed of
another drive with 81 additional numbers that
Garfinkel purchased. Other drives came from an ATM
(with 827 unique numbers), a supermarket (1,356
numbers), and an auto dealership (498 numbers).
By Garfinkel's calculations, about 1,000 used drives
are sold daily on eBay. Using his findings -- 3
percent of the drives he purchased contained more than
300 recoverable credit card numbers -- about 30 of
those devices have confidential financial information.
SecureDoc disk encryption software
Mississauga, ON - WinMagic(R) Inc., a provider of
full-disk encryption solutions, announces that it
has begun working on a pilot project with the U.S.
Department of State, which will lead the department to
a Homeland Security Presidential Directive 12
(HSPD-12) compliant solution. The pilot project
centers on the integration of a Personal Identity
Verification (PIV) card and biometrics with Public Key
Infrastructure (PKI) and disk encryption. WinMagic,
along with Entrust(R), Precise Biometrics(TM),
SafeNet(R), and VMware(R) are working together on the
pilot project. HSPD-12, published by the White House
in August 2004, states that all federal government
employees and contractors (including contractor
employees) must utilize smart card technology,
containing their "digital identity" in the form of a
PKI certificate, in order to gain physical access to
federally controlled facilities and logical access to
federally controlled information systems. HSPD-12 is
designed to enhance security, increase government
efficiency, reduce identity fraud, and protect
personal privacy.
http://www.winmagic.com