
"Clear" Laptop Found, In the Same Locked Office

jafo alerts us to an SFGate story reporting that the lost "Clear" Program laptop has turned up in the same office from which it was reported missing, but not in its previous location. "A preliminary investigation shows that the information was not compromised... The computer held names, addresses and birthdates for people applying to the program, as well as driver's license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information... The information was encrypted on the server, but not on the laptop, although it should have been... However, it was protected by two levels of passwords." Reader jafo adds, "Pardon me if I have little confidence that an organization that loses a sensitive laptop for 9 days is able to tell if it was compromised."
  • Re:Sorry (Score:5, Informative)

    by $RANDOMLUSER ( 804576 ) on Wednesday August 06, 2008 @08:25AM (#24494555)
    Trust me, if the bomb diffuses, things just got WAY worse.
  • Re:Two Passwords? (Score:5, Informative)

    by jamesh ( 87723 ) on Wednesday August 06, 2008 @08:49AM (#24494801)

    What could the second be? A BIOS password? Open it and pull the battery. Big deal.

    It could be a big deal. We do warranty and service work for HP hardware and in the past laptops have come in with BIOS passwords and we were not able to remove them. The password is actually part of the ATA protocol and so the disk is unusable without it, even in another machine. I think the only operation you can do is an ERASE. If you remove the battery then the BIOS forgets not only the BIOS password, but the disk password too.

    I'm sure there are backdoors for some drives, but the customer in question in this case certainly wasn't willing to pay for us to investigate it so the data was as good as lost.

    TPM, if implemented correctly, provides fairly good protection too. As does Microsoft's BitLocker.

    Physical access reduces security by a whole heap, but if things are done right then it doesn't reduce it to zero.

    Of course as others have mentioned, an organisation that loses laptops like that probably isn't 'doing things right'...

  • by Siener ( 139990 ) on Wednesday August 06, 2008 @08:51AM (#24494819) Homepage

    You don't even have to remove the HD. If the data is not encrypted you can boot from a USB key or CD and just copy the files.

  • Re:Sorry (Score:5, Informative)

    by hansraj ( 458504 ) * on Wednesday August 06, 2008 @09:45AM (#24495567)

    Your (mysterious) reply prompted me to go to the far corners of the internet to learn that the proper word is "defuse". Words spoken like a true zen master - you don't get a clue unless you are already enlightened.

    Thank you.

  • Re:Two Passwords? (Score:3, Informative)

    by sumdumass ( 711423 ) on Wednesday August 06, 2008 @10:35AM (#24496433) Journal

    A hard drive password wouldn't technically be encryption. It's just a level of access restrictions. It works with the firmware of the micro-controller board to regulate access to the device.

    If I remember right, swapping the control boards on identical drives and placing it in a different computer could get around that. There are some issues with that though, the encryption places some code in the boot sector which if read by the drive's controller (on the drive, not the main board) will block access to the disk without the controller answering the code in however it does that.

    This is built into almost all drives and is part of the ATA spec. If it isn't present on your main board, it is likely that it just wasn't implemented in the bios your manufacturer used.
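
Added example, not part of the thread: the ATA drive password discussed in the comments above is reported by the drive itself in word 128 ("security status") of its 512-byte IDENTIFY DEVICE data, so an asset audit can read whether a password is set, whether the drive is locked, and whether security commands are frozen. The function names and the sample buffers are constructed for illustration; the bit layout is the one defined by the ATA specification.

```python
import struct

SECURITY_WORD = 128  # IDENTIFY DEVICE word holding the security status
FLAGS = {
    "supported": 1 << 0,      # security feature set implemented
    "enabled": 1 << 1,        # a user password is set
    "locked": 1 << 2,         # media access refused until unlocked
    "frozen": 1 << 3,         # security commands rejected until power cycle
    "count_expired": 1 << 4,  # too many failed unlock attempts
    "enhanced_erase": 1 << 5,
}
MAX_LEVEL = 1 << 8  # 0 = High, 1 = Maximum (master password can only erase)


def decode_security(identify):
    """Decode word 128 from raw IDENTIFY DEVICE data (256 little-endian words)."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    (word,) = struct.unpack_from("<H", identify, SECURITY_WORD * 2)
    status = {name: bool(word & bit) for name, bit in FLAGS.items()}
    status["level"] = "maximum" if word & MAX_LEVEL else "high"
    return status


def audit(identify):
    """Turn the decoded status into findings for a laptop inventory report."""
    s = decode_security(identify)
    if not s["supported"]:
        return ["ATA security feature set not supported"]
    findings = []
    if s["enabled"]:
        findings.append("drive password set (%s level): verify encryption separately" % s["level"])
    else:
        findings.append("no drive password set")
    if s["locked"]:
        findings.append("drive is locked: media unreadable until unlocked")
    if not s["frozen"]:
        findings.append("security commands not frozen: password state can still be changed")
    if s["count_expired"]:
        findings.append("unlock attempt counter expired: power cycle required")
    return findings


def make_identify(word128):
    """Constructed sample: an otherwise empty IDENTIFY block with word 128 set."""
    buf = bytearray(512)
    struct.pack_into("<H", buf, SECURITY_WORD * 2, word128)
    return bytes(buf)
```
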

  • by Anonymous Coward on Wednesday August 06, 2008 @11:01AM (#24496905)

    I am a Clear member, and here is what was sent to me:

    Thank you for your email; we appreciate your concern and apologize for it. We will be sending out an email this morning to everyone laying out exactly what happened - and what didn't happen, but I'll share the essence of it with you here:

    We take the protection of your privacy extremely seriously at Clear. That's why we announced yesterday that a laptop from our office at the San Francisco Airport containing a small part of pre-enrollment information (but not Social Security Numbers or credit card information) recently went missing. And we were prepared to send all applicants and members the appropriate notice yesterday detailing that situation.

    The laptop was recovered yesterday. And, we have determined from a preliminary investigation that no one logged into the computer from the time it went missing in the office until the time it was found; therefore, no unauthorized person has obtained any personal information.

    We are sorry that this theft of a computer containing a limited amount of applicant information occurred and we apologize for the concern that the publicity surrounding our public announcement might have caused. But in an abundance of caution, both we and the Transportation Security Administration treated this unaccounted-for laptop as a serious potential breach. We have learned from this incident and we have suspended enrollment processes temporarily until all pre-enrollment information is encrypted for further protection. The personal information on the enrollment system was protected by two separate passwords, but Clear is in the process of completing a software fix - and other security enhancements - to encrypt the data, which is what we should have done all along, just the way we encrypt all of the other data submitted by applicants. Clear now expects that the fix will be in place within days. In the meantime, all airport Clear lane operations continue as normal.

    Mootpoint
