"Clear" Laptop Found, In the Same Locked Office 264
jafo alerts us to an SFGate story reporting that the lost "Clear" Program laptop has turned up in the same office from which it was reported missing, but not in its previous location. "A preliminary investigation shows that the information was not compromised... The computer held names, addresses and birthdates for people applying to the program, as well as driver's license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information... The information was encrypted on the server, but not on the laptop, although it should have been... However, it was protected by two levels of passwords." Reader jafo adds, "Pardon me if I have little confidence that an organization that loses a sensitive laptop for 9 days is able to tell if it was compromised."
no excuses (Score:5, Insightful)
It wasn't (Score:5, Insightful)
The truth is, they have no idea if it was compromised or not. All you'd need is an Ubuntu boot CD and you could read the data straight off the drive.
Next time they should use THREE levels of passwords. ;)
Two Passwords? (Score:5, Insightful)
So... what does that actually mean? I know that TFA is a media fluffed version washed for the general masses, but they could've mentioned that part at least. If one was the NT login, were the admins smart enough to disable the LM Hash? Still, booting it with a *NIX CD and blanking the SAM password for administrator is trivial. What could the second be? A BIOS password? Open it and pull the battery. Big deal.
Is there something I'm missing about this? Are there a (whopping!) two password scheme that could actually make something more secure then just booting it with something else and pulling data off?
Found it again... (Score:4, Insightful)
Yeah, we...uhm...found the laptop again...really did...yeah...because claiming so leaves us protected from any coming lawsuits that might or might not be caused by any identity theft cases that could be related to (but, of course, actually are nothing at all caused by) this incident...which certainly did never happen...
And of course noone tampered with the machine...after all if WE couldn't find it, who else could have?
Friends again?
How Hard Did They Look? (Score:5, Insightful)
Correct response (Score:5, Insightful)
Whichever it was, the only information they had was that it was unaccounted for. It was actually a good response to automatically assume the worst case scenario and deal with the situation as if that had happened. If the worst case scenario was the case then at least it was dealt with as best it could be. If not then the only harm done is to them and not their customers.
So while losing it was very inept, their response afterwards was actually fairly responsible of them.
Re:Two Passwords? (Score:5, Insightful)
Hmm. Standard internal investigation procedure: Wait until suspected bad actor has gone home, go into his office, remove hard drive from computer, use Ghost to create reasonably accurate copy of existing drive on another drive, replace duplicate drive in computer. Take your original drive back to your forensics lab, use your forensics software to make a forensically sound image of the original drive, lock the original drive in your safe in case a judge ever wants to see it, drill down through your forensic image at your leisure.
If you weren't especially interested in creating chain of custody documents, you'd just make a forensic image of the original drive and replace the original drive in the box. Then, absent tool marks or other evidence that the box had been opened, even a qualified forensic technician could swear under oath that there was no evidence that anybody had accessed the data on the box. And it wouldn't matter how many passwords you had on the box if it weren't encrypted...
We'll just put it back (Score:5, Insightful)
So, what we have here is starting to sound like: employee 'borrows' office computer for home use, manager raises alarm, news media panics, employee waits until dust settles a little to slip 'borrowed' property back into office.
Either that, or the identity thieves who who masterminded the scheme to steal that data were really slow.
All data still compromised. (Score:1, Insightful)
I find these two articles disturbing. They disagree as to the level of customer information involved. The newer article also implies that although they have no idea where this laptop was for nine days - they consider the information to be uncompromised.
"We don't believe the security or privacy of these would-be members will be compromised in any way," said Verified Identity Pass chief executive Steven Brill.
I'm sorry, but if there are serious questions as to where the laptop was for nine days - the data has to be treated as compromised. If there is a question as to what sensitive information was being stored on the laptop - it points towards even more serious flaws in data handling processes.
Re:We'll just put it back (Score:3, Insightful)
Re:Clear is bullshit (Score:4, Insightful)
I'm glad someone said it.
No company that I've ever worked for that keeps salaries "secret" are being honest. There are tremendous variances in pay rates, which are based on arbitrary things, not on the position, ability, performance, or workload of the individual.
If you can have a 5 year employee making $35k/yr, and a starting employee making $75k/yr, and another making over $100k/yr, all doing the same job, with the same workload, then there's something seriously wrong with the pay scheme. If you believe a position is worth $75k/yr, then that's what the base salary is for the position, and there should be adjustments for time with the company (10%/yr), performance bonuses, incentives, etc.
I could rant for days, but I agree, the "dipshit" manager "accidentally" let a company secret out, which needed to be told.
Followed by an Incorrect response (Score:1, Insightful)
I'll give them points for raising the alert when they weren't sure what happened. I stop giving them points when they found the laptop, and decided to put out a press release that appears to say "No one did anything obvious to let us know the data was accessed. So we're going to tell you there was no data breech and wish really hard everyone will shut up about it."
A "fairly responsible" response would be "We've recovered the laptop. We are still investigating where it was and who had it during the unaccounted period. While we can tell the data was not accessed 'casually', it would be difficult to tell if someone with some computer skills had accessed the data. Therefore, out of an abundance of caution, we will proceed as if the data was compromised, including securing what we can of the possibly compromised data, and taking steps to ensure no such breech could happen in the future."
Re:It wasn't (Score:4, Insightful)
How about one level of accountability?
rj
Re:no excuses (Score:2, Insightful)
stolen + returned != not stolen
I've said it before and I'll say it again: (Score:3, Insightful)
WHY THE HELL IS THIS STUFF ON LAPTOPS TO START WITH!
I'm sorry, but there are some information that belongs on servers managed by people that at least understand (hopefully) security and encryption. And then the only access to it from secured thin client terminals inside the office.
Re:Clear is bullshit (Score:3, Insightful)
About airport security... Crashing a few planes is one thing, but what happens when someone in an explosive vest walks into an airport, and sits in the middle of a backed up line waiting to go through the security checkpoint. They don't even need a plane ticket, its public up until you get past security. Multiply that by a handfull of airports on the same day, and airports and airlines will go bankrupt in no time flat.
I've always thought that the first rule of this kind of security, is you don't present a target rich environment..
Re:Clear is bullshit (Score:3, Insightful)