Securing Your Laptop and Other Mobile Devices

What are the Dangers?

In recent times, there have been numerous sensational headlines about the theft of laptops that contained sensitive data. Hundreds or thousands of identities have been potentially compromised. Physically insecure laptops, whether they are in a hotel room, a parked car or in your office, are popular targets for theft and can disappear in a few seconds. If these machines contain valuable information, the consequences can be disastrous.

The Chronology of Data Breaches Reported Since the ChoicePoint Incident on the Privacy Rights Clearinghouse website lists a very large number of identities that have been potentially compromised due to lost or stolen computers. It is unknown how many of these lost accounts resulted in actual identity thefts.

Vulnerabilities - How Do Bad Things Happen?

No Password

Unfortunately, many laptop owners fail to have passwords on the login screen for their computers. Leaving the "front door open" like this is extremely careless and dangerous. When somebody finds or steals such an unsecured laptop, there is absolutely nothing stopping this person from accessing the data on the laptop.

Another scenario is that a laptop can be stolen while it is still turned on, with the owner already logged in with full access. A laptop with a well-charged battery is very convenient for the thief. There is no need to unplug and attempt to get in later.

The bad guy simply takes the system and runs with it to another location where he/she can then explore the contents of the hard drive.

Screensaver Passwords

The next step a would-be criminal can take is to simply guess a login or screensaver password, which is sometimes as easy as 1-2-3. The laptop is powered on and the user has locked the screen with a screensaver. The thief could enter the user's login ID (the last logon ID is likely displayed) as the password or append a 1, exclamation point, or "pass" to the end of it. These passwords are actually fairly common. If the screensaver password doesn't work, the thief can simply reboot the system to see how it comes up. It could turn out that there is no password for the Windows login.

BIOS Passwords

If you reboot the system and you are prompted with a BIOS power-on password, that is yet another layer of defense; but it is often not a problem to get around. There are resources galore on how to reset those.

Cracking Windows Passwords

If you have taken the security measures to require Windows logins combined with Windows-enforced strong passwords, you are probably wondering how else someone could possibly get in. Unfortunately, it can be done. It is simple password cracking, and there are free tools that can be downloaded from the Internet.

For example, there is a tool that uses rainbow tables for really fast Windows password cracking. The person who has stolen your laptop can use this tool on a bootable CD without having any other access to the Windows system. In just a few minutes, one or more Windows account passwords can be cracked. It's all over after that.

Finding Other Passwords

If the hacker has already broken into the system, he/she can look at stored passwords that may lead to other sensitive information, especially those stored in VPN clients that could provide a direct link into your network. There are tools for finding such information and these tools can recover network passwords, wireless encryption keys, dialup/VPN passwords and more that can be used against you.

Step-by-Step Security Guide for Laptop Security

Steps for Protecting Your Laptop:

  1. Look at your laptop vulnerabilities from a malicious-eye view and revisit this issue often.
  2. Never leave your laptop unsecured. Thoughts like "I'm just going to quickly run into the grocery store -- the laptop will be OK in the car" and "I just need to step into the restroom really fast -- others in the office or classroom will look out for my stuff" are very dangerous and can result in a stolen laptop.
  3. If you leave your laptop in a room or at your desk, use a laptop security cable to securely attach it to a heavy chair, table, or desk. The cable will make it more difficult for someone to take your laptop. Laptop security cables can be purchased from vendors such as Targus, Kensington, Belkin, etc.
  4. Ensure screens are getting locked via CTRL-ALT-DEL or a short screensaver timeout.
  5. Use a Windows account login password and configure Windows to require passwords to be entered upon return from hibernate, suspend or a screensaver time out.
  6. Most importantly, use whole disk encryption with strong passphrases. Remember that a passphrase serves the same function as a password. An example of a strong password is one that contains words, letters, numbers and special characters. For example, consider the following phrase: "My cat has 5 toes and blue eyes!" Take the first letter of each word: "Mch5tabe!" and you have a 9-character passphrase that is easy to remember, contains mixed case, a number and a "special" character.
  7. Use tracking software that will aid in recovering your lost/stolen laptop.
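
The guesses described under "Screensaver Passwords" and the passphrase advice in step 6 can be turned into a check run when a password is set. This is an added example, not part of the original guide; the login ID "jsmith" and the 9-character minimum are assumptions, and the suffix stripping generalizes the guide's guesses to repeated suffixes.

```python
import re

# Suffixes the guide says a thief appends to the login ID when guessing.
GUESSED_SUFFIXES = ("1", "!", "pass")
MIN_LENGTH = 9  # assumption: length of the guide's own example passphrase


def derived_from_login(password, login_id):
    """True if password is the login ID, optionally followed by any run of
    the guessed suffixes (case-insensitive)."""
    pw, uid = password.lower(), login_id.lower()
    if not uid:
        return False
    stripped = True
    while stripped and pw != uid:
        stripped = False
        for suffix in GUESSED_SUFFIXES:
            if pw.endswith(suffix) and len(pw) > len(suffix):
                pw = pw[: -len(suffix)]
                stripped = True
                break
    return pw == uid


def mnemonic(phrase):
    """First character of each word, keeping trailing punctuation (step 6)."""
    words = phrase.split()
    if not words:
        return ""
    out = "".join(w[0] for w in words)
    last = words[-1][-1]
    return out if last.isalnum() or len(words[-1]) == 1 else out + last


def check_passphrase(password, login_id):
    """Return the list of problems found; an empty list means it passes."""
    problems = []
    if derived_from_login(password, login_id):
        problems.append("derived from login ID")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mixed case")
    if not re.search(r"\d", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems
```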

Encrypt the hard disk

In spite of the laptop hacking techniques and tools discussed above, it is still possible for you to lock down your systems to keep bad things from happening. You could create encrypted "partitions," which, basically, are files that mount as a regular drive. However, the problem with these partitions is that you have to be diligent and remember to store sensitive information on this secured partition every time. Since sensitive information can be stored in a variety of data files - email messages, spreadsheets, temp folders, etc. - it is often impractical to move these various files to a secure partition.

A better solution is to use whole disk encryption technology such as PGP Whole Disk Encryption and TrueCrypt. They're independent of the operating system and use strong encryption technologies. Some of these utilities can even be centrally managed, reducing administrative burdens. Even if stolen computers are powered on, as long as the entire drive is encrypted and the screen is locked, the only option for the criminal is to reboot the system to try to get in. Once he does that, he'll be prompted for a passphrase to unlock the drive. As long as the passphrase to encrypt the drive is strong, the system is protected from intrusion.

Also, a new hard disk technology providing built-in encryption features is becoming available (see Seagate Momentus drives). This technology seems promising as well.

Tracking Software

Laptop-tracking software such as LoJack for Laptops will help in the recovery, but by the time the laptop is recovered, sensitive data stored on the computer could have been compromised. This solution is good for getting the machine back but is usually too late in the security breach time window.

Securing USB Drives, PDAs and Blackberries

Note: The products mentioned in this section are suggestions and are not supported by Technology Services.

Secure USB Flash Drives

Kingston DataTraveler Elite is a USB 2.0 flash drive that provides hardware and software-based encryption by utilizing password access control for a private data storage area. The drive uses 128-bit Advanced Encryption Standard (AES) hardware-based encryption. If the device is lost, this advanced hardware encryption system will continue to protect the data in your privacy zone under the toughest conditions.

Encrypting software for USB Devices

In addition to encrypting an entire hard disk, TrueCrypt, which is Open Source and free to use, can be used to encrypt USB devices. TrueCrypt works on Windows XP/2000/2003 and Linux.

Protecting PDAs

Because a PDA is small, its biggest security risk is physical: it can easily be stolen. Therefore, securing the data at rest on the device is as important as securing the data as it links with infrastructure devices such as the desktop unit used for hot syncing or the wireless network.

If the PDA contains sensitive information, encryption should be used both to protect the data on the device and to protect the data in transit.

There are a variety of PDA security vendors and solutions.

Additional information about securing PDAs can be found at this website: http://its.med.yale.edu/security/PDA/

A whitepaper on securing PDAs used in healthcare can be found at this website:

http://www.sans.org/reading_room/whitepapers/pda/256.php?portal=73d2e51aa807b82d501e159632e08b68

Securing Blackberries

A screen password should always be used on your Blackberry, and it should be a complex password similar to what is used for your eID account.

If your Blackberry is lost or stolen, you should report it immediately to Dr. Notes at dnotes@vcu.edu or the Technology Services Help Desk (828-2227 or help@vcu.edu). The lost or stolen Blackberry can then be disabled and the data can be remotely wiped.

The Blackberry uses native Notes and Blackberry network encryption, which means that the communication between the device and the mail servers is secure.

If you store sensitive data in your email messages, for added protection for the Blackberry, it is possible to encrypt the data while it resides on the device. Both Credent Technologies and Trust Digital make products to encrypt Blackberries.

701 W. Broad St., Box 843059
Richmond, VA 23284
(804) 828-1177