Steps To Protect Oneself From Corporate Espionage? 259
rhizome asks: "Our CIO had his laptop, along with all media (CDRs and floppies) stolen from his desk last night. Being that there were several other laptops out in the open, it would seem that the thieves knew what they were looking for. Our company enjoys a unique position in our market, and there has been interest by other, larger, companies in absorbing our role. The numbers are adding up nicely, to say the least. Beyond calling the police, who may just take down enough information for our insurance company to replace the hardware, what can be done? How have others dealt with this situation?" Encryption is the best bet for keeping sensitive information on anything that can be picked up and carried out of a secure location (this includes handhelds). If such precautions can't be performed on a specific piece of hardware, then said hardware shouldn't be used for sensitive information. What other precautions should corporations put in place to protect their data?
Re:how did the thieves gain access to the building (Score:1)
-- Michael Chermside
Re:Thermite :) (Score:1)
Protect your data by protecting your execs (Score:1)
Some specific methods include "ambient encryption" which is using language that is sufficiently obfuscated when in the presence of an executive. This guarantees the executive will not gain real information by word-of-mouth. If an executive gains this information, he may decide to record it on his laptop, endangering the data. Use terms the exec cannot possibly understand, and decide upon code words for terms that he MIGHT understand.
Another method is called "email exclusion" which means that any emails that have real information never reach the executives. Therefore it's not on his laptop and can't be stolen.
The most severe form of Exec-Cryption is physical security. In other words, chaining your executives to their desks to ensure that they can't go to meetings and gain information.
I hope this new data security method is useful to you.
Re:Security (Score:2)
Re:Dead man's switch? (Score:2)
A "Dead Man's Switch" is simply a switch that will change state if the user suddenly disapears. (or dies)
The gas pedal of your car is an example. If you suddenly die or leave you'll probably let up on the gas and the car will come to a stop. (If you die on cruise-controll you're screwed but what do you care anyway?)
Anouther example would be if you had stuff on your computer that you didn't want anyone to see you could write a script that would require you to give a certain command every so many days or it would erase/encrypt your harddrive. (So your next of kin can't look at your porn.)
In this case, though, I think the original poster just ment a switch that would detect if the HD was removed from the computer's case. (who knows how you upgrade the thing!)
-AndyYou could always... (Score:2)
And they call it an institution of higher learning :)
Re:Security (Score:2)
Re:Information wants to be free (Score:3)
Sure, the hardware is a real monetary loss, but as for the corporate info, isn't this what all of us Napster supporters are for? Freedom to acquire others' information without consent or cost.
(using sarcasm, of course)
-----
D. Fischer
Re:it's automatic (Score:2)
You know why those older SGI machines (think Indigo 2 era) have removeable drivers? SGI had a large contract with the US miltary and the miltary wanted to be (easliy) take the hard drive out at night and lock it in a secure safe.
I know on the older IBM think pads (think 486), it takes 2 seconds to remove the hard drive (a switch on either side of keyboard, pull keyboard up, grab hard drive "bar", pull up on bar, hard drive is removed).
It might be worthwhile to look for easy hard drive removeal for all notebooks that contain senstive data. At night, take the hard drives out and put them in a secure safe that is non-remove-able OR extreme difficult to move the entire safe out of the building.
Also there is notebook "chains" that you can buy, if the user is at their desk, require them to lock down the notebook to the desk so some one can't just pick it up and walk away.
When getting a laptop make sure the "chain hole" goes THOUGH part of the hard drive. If you have a laptop securly fashioned to a desk, but the hard drive can be removed easliy, this is stupid. Those older IBM think pad had the "chain hole" actucally go into part of the hard drive, you could NOT remove the hard drive when it was chained up. If you tried, it would cause ALOT of phyiscal damage to the hard drive (hopefully rendering most of the data unuseable), if you tried to force the laptop from the desk, it would also phyiscally damage the hard drive.
Get a chain that can hook to "most things". If they need to take the notebook off site, make sure they chain it up to a fixed structure at all times.
I haven't seen anything like this, yet. But what would be REALLY NEAT is to have the power supply REQUIRE that the notebook is securly fashioned before power on. That way, users would be more likely to chain it up before using it. (this doesn't help if they have it unchained with the power off (ie. having it just sit on their desk))
Use an encrypted files system, encrypt all important files by hand (with a differant, stronger but slower encryption method and differant key). Use a GPS tracking system. Require that "important" data be backed up on a secure offline server in the office and deleted from the notebook hard drive if the user doesn't need or isn't working on that file. (like if you have 2 projects on your laptop, but project A has already been completed and no longer involved with it, back it up and delete it from laptop)
Also a security guard at the front door could be usefull for on-site theft. Have a list of which items can and can't be taken from the building, and for each item have a list of people that can or can't take the item out of the building. Require ID for anything taken from the building. Require a quick "pat down" when leaving the building (if you have a notebook stuff in your pants, this is quickly revealed to the secuirty guard in 2 seconds with a pat down)
Also require you "check in" you "important" equipment during the day with the security officer on site, so they know exactly where all important hardware is (do this when you first get there, before and after all breaks, bathroom breaks, meetings, lunch, about anything you have to leave the office or anything the equipment leaves you eye sight...)
Be a bastard, lock it down really heavy if you have to, but make sure that "important" equipment doesn't get a chance to leave company eyes...
How much does it cost to get a good physically secure site going? How much does it cost if all your companies trade secerts are posted on slashdot and usenet forums?
Re:Physical security (Score:2)
Example: Yes you remove your encrypted hard drive and put it into a safe, however a cleaning crew put a small device between the computer and the keyboard that logs all your keystrokes. When you power your machine up everything you type, all your passwords, and all e-mail replies will be logged. Next time your office is cleaned all you keystrokes are taken as well. I have seen devices that do this and the are SMALL (you could fit a several of them on a dime!)
Also you need to make sure devices are not added to your organization. Think of what the effects would be if every room was bugged. Every conversation, either in executive's offices, or in the break room was taped and examined.
Either a common thief stole the laptop or an amateur spy. Anyone who knew what they were doing would have copied the information, bugged the device, and would not have been so foolish to make a whole laptop disappear (unless they accidentally damaged the devices and thought this was the best way to cover it up).
BTW If anyone knows of a security company who is looking for someone like me, let me know.
Re:Servers (Score:2)
Encryption not a solution for everything (Score:2)
1. Run a script that unencrypts everything you need to work with when you start up.
2. Re-encrypt everything before you shut down.
Now, really, is that a good solution? It may work, but what a tremendous pain. Does anyone actually do this?
Thoughts from the peanut gallery (Score:2)
(Having said that, this reminds me of how a senior British MOD staff member had his laptop stolen, during the Gulf War. Complete with battle plans, intelligence information, etc.)
To secure the machine, there needs to be something in the machine which depends on something external to function correctly, and cannot be removed to allow the thief to use/sell the machine to someone else.
What this "something" would be, I don't know. I guess that a soldered-on HET chip, set up to only allow the PCB to function if a particular signal exists on a particular frequency, would be one possibility.
In other words, portable computers and laptops should be capable of the same self-protective measures as a diplomatic briefcase.
Remember, though, whatever device you use needs to be able to recognise and distinguish RELIABLY between FOUR possible cases:
In other words, taking portables carrying vital information by someone authorised to have that information out of an authorised area SHOULD be grounds for the portable to stop operating for that time. On the other hand, it wouldn't be grounds for self-destruction, necessarily. A fire or other disaster can make exceptional actions entirely reasonable.
A thief, though, stealing and using (or selling) the equiptment should not profit from their venture. IMHO, a portable with sensitive stuff on it should be quite capable of detonating the hard drive, if an unauthorised user is detected. Which would reduce the market value quite substantially. Especially for commisioned thefts (which tend to be the name of the game, when it comes to targetted theft)
Servers (Score:4)
Encryption. (Score:3)
encrypted filesystems, www.kerneli.org
Or use Sentry program if you have Windows.
Thanks
Gaz
Use Stealth Recovery Software (Score:3)
Absolute Software [absolute.com] makes such a product. It periodically polls the company's servers with location data (like the phone number you are calling out to the Internet with, or your IP settings). It will even stealthily call out by itself to the Absolute servers by a 1-800 number even if you are not connected! Call-blocking, etc, is all covered, the software will get your phone number.
So when your laptop is stolen, you just contact the company and it will monitor the location of the laptop the next time it is hooked up, contact the cops, etc. A lot of corporations have used this, with recovery success. And the kicker is, the software is installed such that even if you reformat the hard drive, it still works! I don't know how this works but it does.
Check it out.
Keep your eyes on it at all time... (Score:3)
Seriously, I think everything should be password protected and encrypted (32-bit+ encryption). Especially if it is sensitive info. That's the best you can do.
Being careful is all about paying attention to what you do. Is it imperitive you burn sensitive info to a CD?? Stuff like that...
-- Don't you hate it when people comment on other people's
Security (Score:2)
Boot passwords (will stip the trivial thief)
Encryption of sensitive data - there are a number of pruducts available - having the HD alone means squat.
Tracking methods. Hook one of these babies up to the internet, it quietly squeals for the police to come pick it up. As some of the current crop of laptops have built in cell modems, just turning it on is probably enough. A bit after the fact, in your case, but suggestions for your remaining laptops ;-)
How about... (Score:2)
Re:Don't use a dumb password scheme (Score:2)
Don't keep anything on desktop machines.. (Score:2)
Re:Security (Score:2)
If you set the administrator password, and lose it, IBM will tell you the only way to fix it is to replace the mainboard. Period. Convince them you're the rightful owner, etc. and you're still screwed.
There's a company on Usenet that claims to be able to recover the admin password, but there have been no reports whether it actually works.
Re:I had an interesting experience like this one (Score:2)
Re:Real Simple (Score:2)
2 hard drive password
my thinkpad does both
Power on password? On theft that's not a solution at all. It's only a hassle to either cut power to your CMOS or change drive to other computer. Besides is not you hard drive password stored on CMOS? If so, that's double insecurity...
Hard Drive passwords? Sincerly I have slightly heard about these. But I have also heard of the dumbiness of some. I am not sure if IBM falls in this category. Some HDD seem to have a possibility to have a password, which can be installed from any computer through special tools. However this password is stored on the disk itself. A careful work with the controller may turn this feature off, by wiping the surface where the password is and make a recovery of the partition table in certain cases. This is not exactly the same as those software tools that "protect" HDD's. In this case it seems that a read/write to the 0 cylinder "triggers" the call on the controller.
There seems also to exist passwords capable of being stored on the controller itself. But well, what barrages an expert from wiping this password with the proper signal? Most chips have a very simple system of basic calls, even in cases when they preform very complex tasks.
In the bad end. You peek the controller and substitute for another one... That is not so rare. Experts call it the "last solution" for burned HDD controllers.
In the very bad end. Pick up the disk itself. The one 99% of you people never see because it is inside of the that black/silver cage. With propper tools, the stuff can be copied...
Re:Stupidity (Score:2)
Re:Security (Score:2)
IBM Thinkpads have one nice feature in them.
If you implement a boot password, it's permanant. You can change the password, but you cannot power up the machine without it.
But never lose your power on password!!
Presumably their password protection scheme has gotten better in the last few years, or is more sophisticated on higher-end notebooks. A few years ago, I had a ThinkPad 500 (cute little machine, nice keyboard). I used it for a while, then put it away and completely forgot my power on password. Oops. Luckily, it turned out that you could key in possible passwords, and the machine would only choke when you typed a key out of sequence. So I started with A and kept going 'til the machine didn't die, then I typed the good letter followed by A 'til the next letter the machine didn't die on, and so on until I had enough letters to remember the password. Phew. But not really that secure.
Re:Keep your eyes on it at all time... (Score:2)
And as we all know, that's a real time-saver when it accidentally falls in.
Hmm. (Score:2)
2) Have strict controls as to who can handle backup tapes. Use a bank safe deposit box.
3) Keep server room locked.
4) How about some building security? How did someone gain access to the CEO's office in the first place?
Re:This Particular Situation (Score:3)
The notion behind these thoughts is to establish that the concepts and ideas were generated from within the company, before any possible implementation date by the thiefs. If it comes to it, you may have a leg to stand on if you identify the party responsible and pursue legal action. Since this could occur *after* they take a product to market using your ideas, this will help show that you generated them earlier.
- First & foremost: talk to your IP legal counsel and ask how to document IP retroactively for information that isn't properly documented, dated, etc.
- After determining what info was stolen, make sure you have current documentation and/or duplicates of it.
- If not already done, write up the information in a proper lab book, dated, signed by author and knowledgable witness
- Possibly place copies in sealed envelopes with dated forms notarized by lawyer.
- If you have working, but non-public, implementations then photograph (if hardware) or print and date code (if software), etc.
- Perhaps now is the time to file that patent.
- Talk to professional contacts!!! You may have a colleague at the (presumably) offending company who knows about the theft and is willing to provide information. I don't know if it would be considered bribery, but since whistle-blowing can be hazardous to one's career (despite protectionary laws), possibly make an opening in your company as a safety net if someone comes forward and subsequently loses their job.
IANMOA (I am not much of anything), but documentation is always good, even after the fact; and most people view corporate theft as slimy and would rather not be part of it. Use that to your advantage.
-----
D. Fischer
And when a crowd comes in.... (Score:2)
Whether or not the guard sees every card, how well does he inspect them? That's the monotony problem. If it even looks remotely close enough, he is so bored that he doesn't pay a lot of attention. Ever been driving, look to the side for a lane change, and do a double take because there was a car you didn't realize was there? Why didn't the first look catch it? -- Because you were bored with such a routine task.
No human guard can pay attention to everybody. Cardlocks are better, but how many times have a bunch of you come back from lunch, one guy does the cardlock, everybody else crowds thru. Now imagine it's a big lunch, 50 people (an awards ceremony, release party, going away party, etc) and some appropriately dressed stranger comes thru at the end, even catches the door and comes thru, or fakes it with a swipe and catches the door? Suppose he's not dressed like a typical engineer in that crowd, but has a fancy suit, briefcase, etc? How many engineers (or secretaries, assembly line people, etc) would actually challenge him?
Happened all the time when I worked in such places. I've been to friends' companies where they let me in, in front of a guard and all.
Happens all the time.
--
Re:Fortezza PC cards (Score:2)
They developed a "SmartDisk" (I think that's what it was called), that employed an RSA capable chip inside a floppy-like device. It drew its power from the rotation of the disk spindle and used the drive heads for transferring data. It could provide boot level protection and/or disk encryption. Very slick indeed. Wonder whatever happened to it (They were a UK based company).
Despite the power of encryption, however, there would, invariably, be the person who writes their encryption key down and sticks it to the inside of their desk.
Use encryption (key escrow or secret shared keys for sensitive data) and removable storage devices.
Require the users to check-in/check-out the media at prescribed times.
Use access control to determine access to the work areas and/or media.
Log out when you are not at your machine.
Finally, use common sense and don't leave the stuff laying about where somebody can see or steal it.
Re:Thermite :) (Score:2)
- Get a DC power supply, like the one used on a train set. Cut the connector off, seperate the wires, and strip them both.
- Now you need a jar of water with a tablespoon or so of sodium chloride (SALT!) added to it. This makes the water conductive.
- Now insert both wires into the mixture (I am assuming you plugged the convertor in...) and let them sit for five minutes. One of them will start bubbling more than the other. This is the POSITIVE(+) wire. If you do not do this test right, the final product will be the opposite (chemically) of rust, which is RUST ACID. You have no use for this here (although it IS useful!).
- Anyway, put the nail tied to the positive wire into the jar. Now put the negative wire in the other end. Now let it sit overnight and in the morning scrape the rust off of the nail & repeat until you got a bunch of rust on the bottom of the glass. Be generous with your rust collection. If you are going through the trouble of making thermite, you might as well make a lot, right?
- Now remove the excess water and pour the crusty solution onto a cookie sheet. Dry it in the sun for a few hours, or inside overnight. It should be an orange-brown color (although I have seen it in many different colors! Sometimes the color gets f***ed up, what can I say... but it is still iron oxide!)
- Crush the rust into a fine powder and heat it in a cast-iron pot until it is red. Now mix the pure iron oxide with pure alluminum filings which can be bought or filed down by hand from an aluminum tube or bar. The ratio or iron oxide to aluminum is 8 grams to 3 grams.
- Thermite requires a LOT of heat (more than a blow torch!) to ignite. However, a magnesium ribbon (which isn't too hard to find... say you need it for a school experiment if you want) will do the trick. It takes the heat from the burning magnesium to light the thermite.
- You want electrical ignition, so get yourself a 120w lightbulb. These get really hot when on. Carefully break away the glass and wrap the magnesium around the filament, solder two wires on for power and pack the thermite around it.
- Congratulations! You have your very own hard disk destruct tool! Just add electricity.
This, however, would not destroy printed copies or removable media. To do this, go down your local radio shack and get a few solenoids. These are little bars that shoots out of a block when electricity is provided. Now get an equal number of self-defence CS spray canisters. Wedge the solenoids in the CS spray triggers and blue-tack them around your office, by your computer, above the door etc. running wires between them. Wire these into the office alarm, the same as your light-bulb. Now if you get an intruder, they get 15 bottles of CS spray pumped into the office, detering even the most determined thief.
I did something like this for a school project once...
Michael
...another comment from Michael Tandy.
Re:Stupidity (Score:2)
He will promptly fire you because, as the IT guy, it is YOUR job to inform him that he should be encrypting his data, as well as telling him how, or doing it for him.
Re:Don't keep anything on desktop machines.. (Score:3)
This accomplishes nothing whatsoever for infosec -- it's just IT masturbation. Why? If your network is not encrypted, any idiot can be hired to attach a network sniffer and recover it later. Or not recover it, if your firewall allows enough packets through, and most practical firewalls do. Any you'll never know unless you're running a network traffic analyzer and conscientiously attending to its logs. It doesn't prevent any idiot from pointing a tiny video camera at a monitor, or planting a microphone in the executive conference room. It doesn't prevent printouts from being dumpster-dived (-dove?). It doesn't check whether client hosts are trustable (think Back Orifice, recording keyboards, TV-transmitter monitors, Trojan executables/OSes, et cetera ad naseum). It doesn't keep yahoos from faxing trade secrets to unknown destinations. It doesn't keep applications from writing local temporary files, nor OSes from paging things out to local hard drives.
Your approach is like having all the cowboys mend a small hole in the fence, while the gate stands open. It wastes their time, and the cows get out anyway. Guarding the doors and cultivating a security-conscious culture has a much better payback.
Re:Security guards are vastly overrated (Score:2)
Here's something else to consider:
One of the places I temped at let me go completely out of the blue (long story, not really relevant). I don't know if they bothered to tell the security guard I was gone or not.
If the thief is a former employee, a friendly security guard who knows the person might not have really thought about the person waltzing in.
This depends, of course, on how tight security was to begin with. When I worked in the vault of a bank, that certainly wouldn't have been an option -- the pass I used there had three levels of security coded into it to actually get me to my desk.
There is of course also the possibility that the thief is a current employee -- possibly even one of the security guards. Especially given how precisely targeted the whole things was.
Re:Encryption not a solution for everything (Score:2)
Assume the worst (Score:2)
Put your system files in one partition --enough for the system to boot up and your data files in another one, encrypted by a strong on-the-fly encryptor (I recommend E4M [e4m.net] as ScramDisk is stuck on Win9x).
Go through your important applications and make sure they put even less important stuff (like temporary files) into the encrypted partition --Outlook .pst files, and %tempdir% come to mind; you don't want Word leaving whole copies of your business plan on C:/temp. You'll see a slow-down, but it's worth it.
Do not store passwords for anything in non-secure media (i.e. anything short of an encrypted file on a non-networkable machine or a PDA). I use Secret! on my Palm to store passwords and PINs I don't remember.
Go active: write a little hidden app (a batch file should do even) that will 'call home'. If you lose the laptop and the thief is stupid enough to go on the Net, the machine should start giving info about its wherabouts.
Re:Home Page (Score:3)
It reports back to servers throughout the world on a regular basis.... without user interaction (normally).
Another way, is place a "backdoor" that uses STRONG encryption, and connects to a remote server (at your company). Like sshd... only REVERSED... sshd that establishes a connection to the outside system... allowing that outside system to gain shell access. (I saw something like this on the _new_ packetstorm recently)
Good luck on recovery.... Usually doing a "backdoor" is better, cause you can login and move information from your stolen system back inside your network.... and then trash the laptop (and then pursue the criminal).
A fascinating career path (Score:3)
--G
Re:A fascinating career path (Score:2)
Security in and out of the Office (Score:2)
Who has access to where? What types of locks are on the doors? Who has the keys, or knows the combination?
Train your staff. No-one gets a laptop without signing a paper confirming that they have attended a security course and agree to abide by the company rules. Penalties can vary from a slap on the wrist through paying for lost or stolen property to dismissal and going before the judge.
Carry a laptop regularly? Throw away the black plastic bag that says mug me I'm carrying something valuable. Get a lockable case or airline trolley if you insist on carrying everything with it. If you drive, consider a case which locks into a frame fixed to the car and out of sight.
Train your staff to be aware. A while back, some PHBs were having a meeting in a hotel. One hour in, guy in coveralls pokes his head around the door. So sorry, mandatory electrical check, please step outside and help your self to coffee. 10 minutes later, three laptops had gone from the room.
What is your comapny's policy to data storage depending on data classification? Is it one size fits all, or do you differentiate. NB: there are some things which should never be stored on any computer system. Think typewriter, fireproof safe, and a shredder for the carbon paper.
Train your staff. No exceptions. Get your CEO to agree that this applies even to her. Point out that she and the PHBs work on the really interesting stuff and that there are evil asocial scum out there who would love to get their hands on it. Get her to give you the teeth to carry out your policy. In writing.
What data can you afford to lose?
Now for the tech. Up-to date AVS on the desktop and the company firewall. Preferably a different AVS on the firewall: what one misses, the other may catch. No networked PC to have a modem connected to it. All email, web-browsing, etc. through one point. Install evil censorware to stop untrustworthy active code and cow-orkers downloading Back Orifice. Install really evil checkers to stop them installing it on their PCs. Put in writing what users can't do on-line and enforce it. Training comes in handy here.
If you have to store data on a laptop or desktop, what level of encryption do you use on the hard drive? One cow-orker thought he was being smart by boot-protecting his desktop. Took me 20 minutes with a screwdriver, a second PC, and Drive Image Pro to change his mind.
Companies like http://www.intercede.co.uk/ provide what I personally consider to be an adequate level hard drive protection (No, I don't work for them, nor do I have shares: consider them a benchmark.)
YMMV, obviously. What everyone has to do on a regular basis is:
- check what you currently do
- review what you currently do
- do it
Oh, did I mention train your staff?
Re:Security (Score:2)
Re:Thoughts from the peanut gallery (Score:2)
The theft of diplomatic/strategic laptops. Sincerly the Gulf War case is a problem of IQ of the person carrying the laptop. It is tremendously stupid to walk away from an authorised environment with such information, and specially with time-critical one. And mostly with everything stuffed in one small briefcase which was visibly expensive. The only thing that he lacked was a paper in his back : "ROB ME!"
You forget about the Unauthorised users in a legit environment. Worse, the "Legit"/"Unauthorised" users in a VERY legit environment. The famous 90% of brek-ins. And, besides, the case we are looking here. People grabbed the one laptop that carried critical information and nothing else. Which is stupid because expertise may get a track on them. At least we know they are insiders...
These chips/mips/encryptions & Co. You know what they are? 90% of the cases pure trash. My experience has shown that many of these devices only help weakening your own awarness. Once I knew about a case when a very expensive program, with a special encryption chip, was broken in less than... guess... 15 seconds! Why? Because developers didn't have brains to do anything better than:
Start program
If function_to_check_for_encryption_chip==1 then continue
else cry "THIEVES!!!!"
Well people knocked this off by stamping two assembler instructions in place of this condition. And had the whole stuff fresh and running. This is one of the most well advertised corporations of America that produces key and encryption devices... So I wouldn't be so sure to put my money on such things.
Re:how did the thieves gain access to the building (Score:2)
Once upon a time, I was attending a particular university and had some rather difficult classes. These classes were very lab-work intensive and it was hightly possible that you could not get it all done during the day. Therefore, you could get these special passes that would allow you to gain access to the rooms that you needed. The campus police would check your ID and the pass and unlock the specified rooms for you. This building had lots of expensive equipment in it, but it was locked up. Sounds safe enough, but.... at a certain time in the early morning hours the custodians would enter the building and begin to clean.
The first time I saw this happen I could not believe it, but this is what they did. They went into every room in the whole building, unlocked all the doors, turned on all the lights, and then went to a remote part of the building and listened to music while they took a break. All the expensive equipment was just sitting there, not to mention all the professor's offices in the building were wide open. The building would remain like that for hours until they would slowly take out the trash in each room and vaccume the floor.
So, it's 3am....do you know where your custodians are?
I doubt it happened like that example, but I would not rule out an inside job. Especially since they knew where and what and took nothing else. Lets say that an employee is disgruntled and instead of going 'postal' he sells-out to a competitor. He uses his badge and access to take it or move it.
Home Page (Score:3)
I set my homepage on Netscape on my PowerBook to my website with a URL that grabs my IP and logs it to a file on my site. I've never had a "homepage" before, and I feel a little stupid using it.
The result is that if somebody were to take my laptop and use the browser on it, I'd have their IP, therefore their ISP, and therefore their identity, or something very close to it.
Like I said, it doesn't prevent the information from being stolen (though I don't think that's possible -- somebody with your computer has all the time that they like to crack your encryption), but it is a possibly useful method of capturing the thief.
-Waldo
Re:Don't have your offices in the Chrysler Buildin (Score:2)
At the lowest level: (Score:2)
Would this guy's laptop have been stolen if he'd put it into his briefcase and taken it home with him after work? If this company was a small startup, they probably don't have the building security features that they'd like to have protecting their hardware. Thus, leaving nothing at work seems prudent.. depending on how important it is to the guy.
Of course, I suppose someone could have mugged him at night and taken the briefcase, but by that point, I think the scenario would have become a James Bond movie.
Encrypting data is one obvious method of protection; prevention of hardware theft itself is a lot more basic, and a tad more simple to implement.
You can't always do that (Score:2)
Backing up your data from laptops is the best solution to making sure you dont lose any data in the event of theft, but if you want to make sure noone gets a competitive advantage by stealing your computers, theres nothing else than oldfashioned hardware-based 128bit-encryption.
Now just don't ask me where you could find a card which would exactly do that, because I really have no clue (and I'd admire any tips as to where to acquire such a card, I'd certainly be willing to pay a 100-200 bucks for an encrypting disk-controller (IDEA or AES or some comparable standard) )
--------------------------------------
Real Simple (Score:2)
2 hard drive password
my thinkpad does both
and oh yeah - lock and key. If someone is determined to take what you have there is little you can do to stop them so if encryption and safe storage don't seem safe enough for you then you should consider not putting sensitive information out in the open and auditing EVERYONE under threat of instant termination to comply. If that's not enough then don't permit local storage at all and give everyone a dumb -err - thin terminal.
Audit everyone anyway. Establish a clear security policy and stick to it. Compartmentalize your security so that it is not hierarchical. This avoids the problem of giving the most sensitive information to the alpha monkey.
Log everything.
Have a building property pass or something to slow someone down when they're walking out the door late at night with a couple of laptops under their arm and a car waiting at the curb.
Install docking stations and tethers for laptops. Install trip alarm cards in your desktop machines and keylock the cabinets and keep the keys under seperate lock and key.
There is a Swiss company that makes exploding CDROM disks. That's right they can be programmed to self destruct.
Remove all hard drives from desktop machines..
Remove all floppy drives and tape drives from desktop machines. Remove all CDROMs, CDRs CDRW's DVD's from all machines. Outlaw bringing any equipment onto the site that didn't orginate there.
No cameras no recording devices or any kind. No briefcases in or out and everybody gets searched in both directions.
You get the picture. Do whatever it takes to protect your stuff as long as the cost of that is less than the value of the information or the equipment.
Hell, I once worked in a site where we had to shred everything daily including diskettes and they were reshredded and burned. Printer platens and ribbons were removed and destroyed weekly. An armed guard was in visual contact at all times. Do you want to go that far?
Palm (Score:2)
I had an interesting experience like this one (Score:4)
Re:laptop less secure at home. (Score:2)
It is said that the number one place laptops are stolen from is the dining room table. This may be an exageration, but the point is valid. A laptop is probably more likely to be stolen from an employee's home or car then the workplace.
Lock the laptop up in a good safe and invest in a actively monitored security system.
Re:Well it's basically the same thing (Score:2)
Crap (Score:2)
Thanks alot Cliff. Now what the hell are the rest of us Slashdot mongers going to do, if we can't give advice?
Where's the next DeCSS story?
Don't start with the computers... (Score:2)
And it isn't only computer information, a good spy can use social engineering better than most hackers, knows when to go garbage diving, and what records that you'd normally consider insensitive actually reveal critical inside information.
Read the book if you care about security, and if you don't... read the book and you will :-)
Physical Security (Score:2)
-neil
"Now you see that evil will always triumph because good is dumb."
Thermite :) (Score:2)
This is the wrong forum to ask for help.... (Score:2)
If you really are in a "unique position" in your market, and there really are large companies trying to take that position from you that you suspect are trying to rob you, then you really should be hiring a security consulting firm to help you out here... public forums are rarely the place to find serious, professional quality help.
Encryption, desktop firewalls (Score:3)
Secondly, consider a desktop firewall. Consider a CEO that is on an Ethernet switch along with other employees on the same switched backbone. There is probably zero chance that remote exploits against the desktop will ever be monitored. Many companies put armor around servers but leave such desktops wide-open. An amazing number of corporate desktops have File and Print Sharing enabled or can easily be compromised by a Trojan.
Finally, I also "honeypot" my system. This is a little esoteric, but I've configured Outlook to check a number of e-mail accounts. One of those accounts I've saved the password in the registry and it goes of to check a POP account on a special system. That system is triggered to notify me when anybody but me logs in to read mail. (The password is saved in exactly a location that many Trojans will look for). This is a little esoteric for most people, though.
(Disclaimer: the company [networkice.com] I work for makes a popular remotely-managed desktop firewall/IDS combo).
Granted, nut doesn't that prove my point? (Score:2)
Give you an example - I used to work in an office that had a scanner that could tell if a source document had been previously photocopied so that you could make a guess about whether the 'x' of 'y' mark on the doc was accurate. You have to decide:
what is this information worth to you
what do you do once you have it.
Of course you could reverse engineer the drive controller. It would easier still to pull the platters out altogether and mount them into some clean room prototype device and have at them in a controlled enviroment where you scan the platters with an electron microscope, subject it to magnetic flux testing, etc etc. etc. but again - what is it worth to you.
PC-DACS (Score:2)
Missing the obvious? (Score:2)
Of course, for the truly paranoid, there's always surplus TEMPEST equipment available for a price...
Schools of Thought (Score:2)
I also use NT, so you can't to the operating system login without a valid password.
One or both of these methods can be circumnavigated by connecting the hard disk to a secondary hard disk controller and booting via an Operating system on the primary controller. As long as the operating system on the primary controller can access the partition on the secondary controller then you're in no problem, the drive will appear data and all once you view/mount it.
Our rule is:
If you hold confidential information then store it centrally on a server, it's unlikely that a thief is going to be able to walk out with your Raid array (even if it's OK for them to forget one of the drives
I advise, if you hold data locally on mobile equipment, and it is confidential or sensitive in any way that you employ some kind of key reliant encryption... then you only have to guard the processes that guard the keys.... Whether your encryption is on a file basis or on a sophisticated encrypted file system it doesn't matter, just protect your data the only way you really know how!!!
You'll never get fully secure, armed with enough data, and having full access to a hard drive for an indefinite period of time - enough time, that is, to brute force the easy password that your CIO will set, "emily" for instance.
Also, generally this information can be gained quite easily:
Call to your CIO: "Hi CIO [got his name from his username], This is Paul Smith from the [local law enforcement department], we've seem to have come across a laptop that could be the one you reported stolen, it was left on a train!!"
CIO: "Wow!!! That's great, you know I was really worried!!!!"
Caller: "We just need to verify that it is indeed your Laptop, I've turned the thing on and it's asking me for a password, could you tell me what I should type?"
CIO: "If it's my laptop then you should type EMILY"
Caller: "Thanks" *click*
Silly boy!!!
how did the thieves gain access to the building? (Score:5)
At other buildings in this company I work for every door has a security officer. That's right, every...single...door. And the only way to enter that door is to have a key card or to have the security guard buzz you in. And the security guard will only buzz you in if someone with a valid company ID can vouch for you.
There are security personnel in our buildings 24/7. Even with this there is a clean desk policy in place, and all employees are required to lock everything up if they are away from their desk for more than 2 hours. All employees are also required to have two passwords on their machines, boot-level and system level. You may scoff at these 'rules' and say that no one follows them, but the majority of people do. It's the double edged sword of a bureacracy, you have to follow the process if you want to do anything, but if you want to do something there is a set process for you to follow.
Moller
Laptops: Good or Evil? (Score:3)
1. it must be easy to use - because otherwise the PHBs won't use it.
2. it must prevent swapping to disk - because otherwise, you can encrypt all you like, but the data is still fairly easy to recover.
3. it must be fairly quick - because otherwise the PHBs won't use it.
Frequently, CIOs make a policy statement and get the managers to enforce it, but avoid the security and encryption protocols themselves and allow the managers to avoid it too. Which makes it an annoyance for those who actually follow it, while protecting nothing.
In my training (used to have a Secret Clearance), I learned that Confidential material or even unclassified material, gathered in reports and summaries, can have a higher rating. Cost center budgets for one cost center usually don't tell you much, but a spreadsheet of cost centers for the entire corporation tells you a lot, especially with historical data as might be found on a manager's report.
Fortezza PC cards (Score:5)
The Rainbow Mykotronx FORTEZZA Crypto Card implements cutting-edge cryptographic security and authentication methods in a PCMCIA hardware token for Government and commercial applications. Self-contained, standardized, and easily integrated, the Card provides the ultimate in portable security, together with on-board storage of user credentials, keys, and digital certificates.
Fully FORTEZZA compliant, the card incorporates the National Security Agency-certified CAPSTONE RISC-based cryptographic processor. It is the hardware crypto token chosen to secure the Defense Messaging System (DMS).
More info on the card we're looking at can be found here [rainbow.com]. (IANAF - I am not a flack).
All or nothing (Score:2)
A good example is the company who's project I've recently been assigned. At the moment they are particularly concerned with security as they have a high profile product quality problem (really high profile) and they are worried about keeping information 'in' as much as they are keeping people out. It is maddening to try to get these people to understand that they won't secure their data by getting everyone together and trying to work out a best fit solution. Their most recent decision was to require everyone to change their network passwords so that the string contained at least one non-alpha and one capital letter. I attempted to make the point that, since they were an NT shop, the passwords could be fairly easily cracked (L0phtcrack) regardless but the solution caused too many hardships.
Many times the benefit of security isn't realized until something catastrophic happens. Managers don;t want to spend the money, devote the resources, or make the kinds of sacrifices required to maintain really good security. Convenience is far more important to them.
That said, I suppose that the particular situation in the example could be remedied by some better physical security. Things like alarm systems, cameras, etc. As for the laptop itself I guess it depends on the operating system and by the time I submit this I'm sure many will have already suggested using BSD's ability to encrypt data. Maybe even something as simple as PGP would have helped in this case.
What to do with 1000+ laptops (Score:2)
You can't force everyone to keep data on a central server because they often are traveling, working from home or other locations where they can't access their data. They all use totally different programs, dev tools etc for their work.
The only possible solution I see would be a system level encryption tool but it would require that everyone use it correctly. Even then it would probably annoy enough people that a certain percentage would just uninstall it.
Anyone have any other possible ideas that everyone (or close to everyone) could accept and some method to encorage the use (let along the correct use) of the solution?
Automatic Deletion (Score:2)
This reminds me of a Dilbert cartoon... (Score:2)
To that, Dilbert hugged his laptop and said, "Stop it. You're scaring them."
Re:Stupidity (Score:2)
It is not the CEO's job to know all the details about how the internals of computers and crap work. That's why he hires 'information technology' people (who most commonly, especially the younger ones, just like to bitch how those that hired them are 'stupid').
They hire IT people because they KNOW they need them.
He's only a PHB if he refuses to listen.
Physical security (Score:2)
As with computer security don't just lock the front door, look at other methods of entry. How big of a gap is there under the door, could a agent put a tool under the door to unlock the door from the other side (hint, hint). Are there windows? What about an alarm? A good locksmith can take you through all these steps.
Second if you are serious about protecting your corporate secrets look into Technical Surveillance Counter Measures (TSCM). A good starting point is www.tscm.com [tscm.com]. After your are comfortable that your site is secure look into ways of keeping it that way.
Re:Security (Score:5)
The technology is just a mean to help you implement the security policy, it`s not the wonderous tool that relieves you from your security worries.
Security is not just a job for IS/IT-departments, it`s something that is achieved troughout the entire company. You need to get well written procedures, dealing with every aspect of security. From securing your hard drives with encryption, to making sure there`s a decent lock on your server room, and to making sure people don`t just leave there cd-roms and disks floating around
In this case the notebook was stolen from someones desk, this proves that in your security policy, you not only need to include encryption, firewalling, logging,
A minute to learn, a lifetime to master... (Score:3)
Then lock down the servers. Lock them to each other, and lock them to a stud in the wall (you're not secure unless you get drywall dust on you).
Put a security cam in the server room, and probably in the chief's office.
Use a cable lock to lock the laptops to a desk. Better still: since he didn't take it home, he doesn't need a laptop. Make him use a desktop. Lock that to the desk.
Encrypt drives. You can do this in WinXX and Linux (and probably mac and everything else). There are also products for Windows that will call a specified site or phone number if plugged into a modem or 'net connection.
Register the hardware when you buy it. If the drives are encrypted or otherwise won't boot, criminals will often take them to white box shops to get them 'fixed'. Most shops will call the maker (in the case of some Dells, they HAVE to call them, depending on what is broken) and then it can be tracked. Oh, yeah, call the laptop manufacturer and let them know it was stolen.
Finally, if you can patent/trademark it, do it. If all of the above fails, you need to have 'first dibs'.
Re:Keep your eyes on it at all time... (Score:2)
32-bit keys would only give a cracker a possible 4.3 billion keys to search. You should really use at least 128-bit keys (3.4E+38 possible keys) to keep data secure for any length of time.
Re:Security (Score:5)
If you implement a boot password, it's permanant. You can change the password, but you cannot power up the machine without it.
And forget about flashing the BIOS, clearing the CMOS or any other means of bypassing it. The only way is to replace both the motherboard and HDD. The M/B also stores some info on the HDD, so it can't be used in another laptop.
If you want to get another M/B, you have to give the serial # of the machine. If it's reported stolen to IBM, it will be forewarded to the authorities. If you try to re-use the drive, no-go. In short, brick wall.
But never lose your power on password!!
Re:Another true story (Score:2)
The thing is - if you're into corporate espionage - then you can idenatify encrypted data and start attempts at brute forcing it. The NSA admits that plenty of commercial encryption systems have mathematical holes hiwhc permit cryptanalytic attack.
6 months ago mp3.com had enough money to build a reasonable brute force machine (now thye've spent all that money on record company deals)
Anyway - the traick is to not only encrypt the data but Hide the data using something like Steganography - I believe there is a filesystem for linux which permits filesystems to be mouted inside each other to hide the very existence of encrypted data.
OTOH - it also hides this data from legal attack - something mp3.com definately could have taken advantage of.
This Particular Situation (Score:3)
Someone has sensitive data, and that someone may well be the competition.
First off, make sure you know exactly what was on the media which was stolen. If possible, grill the CIO and make sure you can identify as much of the data as possible. If it's confidential, and this data begins to appear elsewhere, then you'll have a pretty good clue who took it.
Second, assume that the company which can do you the most possible damage has your information. At this point, you need to develop a strategy to counter their use of this information. It may be something as simple as changing any password you think they may have gotten (or, to be safe, every single one of them), to doing things like changing your business plan and internal strategies. The competition now knows many of your most intimate intimates, and you have to make sure that they can't use them well at all.
The next thing is to look over your security. Data security and site security can be approached at the same time. The suggestions posted here (encryption, secured servers to house data, etc) are all excellent. confer with a security consultant, preferably one who has experience working with the Federal Government, which, in most cases, has some of the tightest security around. A security consultant can do both data and physical security.
For site security, you're going to have to do things like replacing door locks with more secure models (or with electronic card locks, if you want to spend the money) and replacing doors and door jambs with more sturdy material (i.e. something that can't easily be kicked in). Make sure, if you have a drop ceiling, that the tiles can't be lifted up, which might let someone just climb up and over the door, through the ceiling (yeah, I've seen it happen...). Other than that, hip everyone who works there about security...the small things that everyone can do to make sure their information and offices are secure.
-Jimmie
First use time. Then level information then... (Score:5)
Do you have an confidential agreement to be signed tomorrow? Hold it in a place that does not give a chance to anyone to see it before being signed.
Do you have an highly confidential database? Calculate the potential of a break-in and for how long the base should be confidential until you process countermeasures.
Never consider information "eternally" confidential. There is not such thing in Nature.
Maybe people will never know 100% what you know. But surely they will get something out of you. Your problem is to qualify information, and secure it in the propper way. Some information is needed to use in the laptop. but you don't need the whole client database on it. It's better to loose two contracts than to have all your company naked in front of the concurrency.
Encryption is good. But encryption can be broken. In fact encryption should only be considered as an element that "delays" access to information but it does not secure it forever. The stronger the encryption the longer it will be taken to broke it. But, there is a big "BUT here.
The most fundamental of all is that, no matter what you do with information, the time X is not broken. Several people use to encrypt their E-mails, documents, filesystems. but they forget that still there is memory, EM emissions, swap files. Specially I noted that many people forget to look over their shoulders when dealing with information. Someone is typing his "honey123" password and you are standing back and looking.
Citrix (Score:2)
The laptop part is irrelevant (Score:2)
Obvious answers (Score:3)
Let's see. You put your company's soul into a little box. It's really important stuff, and you don't want the bad guys to get it. So, what's a good place to store it?
A) Stick it right dead center on the desk of one of the fanciest offices in the building, which is clearly marked on the door as "Guy Who Has Great Information to Steal".
B) Get a good, solid safe, bolt it into the building, and keep your treasured secrets in it.
This isn't a technological problem. As far as laptops go, sure, good crypto can help you, but not all sensitive data lives on a laptop. You need a plan to deal with data - generically - to protect it.
If your data is really valuable, here are some more tips off the top of my mind:
Good solid locks on the doors of the office
Security cameras monitoring the areas where sensitive information lives
A night-shift security guard. (Is it worth $35k/year to have a guy camp your building at night, to save this lifeblood of your company from being stolen?
It's just common sense, guys. You don't need whiz-bang software to fix this problem.
--Kai
--slashsuckATvegaDOTfurDOTcom
Use One of these Security Devices (Score:2)
Well it's basically the same thing (Score:2)
In general a dead man's switch is based on the concept of lack of input from the user to *not* do an action. For example suppose I have a shell script that checks for a certain program to be running if I am at my computer logged into my account. Now suppose that the program will start calculating the number of seconds that I was away from the computer and say saving news headlines from slashdot since that date. It's just based on the principle of inaction.
Re:it's automatic (Score:2)
Security guards are vastly overrated (Score:4)
Furthermore, doing the same thing all the time numbs one to exceptions. If one out of ten visitors needs some kind of personal attention, the guards would be much more alert in general. When days on end go by with nothing to break the monotony, they get complacent, and it doesn't take much to fool them.
You yourself say "You may scoff at these 'rules' and say that no one follows them, but the majority of people do."
Security isn't a democracy; majority does *not* rule. It only takes one crook getting by to steal that laptop.
--
Re:Dead man's switch? (Score:2)
Yeah, it's off topic, but he asked and I knew.
-B
Re:Magnetic Gates (Score:2)
Remind me never to take my laptop onto the fourth floor of my University department. There is a 400Mhz NMR machine there - magnetic field of about 9 1/2 Tesla. The Uni Biology guys are getting an 800Mhz machine next year, bastards.
Anyway, back to on-topic.
The best way is layered security, as someone pointed out about a month ago.
Number one: Make people accountable for their f***ing laptops. If it gets nicked and there was important/secret data on it, it is your fault and responsibility. "But my car was locked" doesn't cut it, you shouldn't have left it in plain view - bollockings, firing and financial penalties should be enforced.
Number two: Restrict the data or the number of copies. The probability of a secret getting out is proportional to the SQUARE of the number of people who know the secret. (Hard drives are cheap. If your data is that secret and you are that paranoid, burn them with a really hot flame - camping stove should do it - after wiping the data - or give it to someone you trust who has access to an NMR machine!). Better yet store it on zip drives and make sure that the data isn't cached to disk.
Number three: Encrypt the data. One time pads, RSA, PGP, TLA's galore - they exist and can be made simple to use if your internal systems guys do some work.
Number four: If you're really paranoid about network theft of data then don't store the bl***y stuff on a network! Physical isolation of data is the watchword here.
Number five: NEVER assume that anything you do electronically is secret.
Elgon - I'm being paranoid but am I being paranoid enough?
ZipStream Secure by Carbon Based Software (Score:2)
--
Re:Physical security (Score:2)
Changing work habits to be more security oriented is incredibly difficult. Most people do not like having to use access cards to limited access areas, sign in and out, lock up sensitive material at night, or even have awareness of intelligence threats. I have seen companies that spend a chunk of change on computer security but do not even have good locks on the doors. I have seen the same company allow cleaning crews to enter "sensitive" areas without even thinking about running background checks. You would be amazed what leaves companies through the garbage.
For the lay-person, I would recommend reading two books: Corporate Espionage by Ira Winkler and War by Other Means by John Fialka. If you are still interested, I would recommend reading Competitive Intelligence and Counterintelligence books.
Essentially, it is a cost benefit analysis. "How much of a threat do we have, what is vulnerable, and how much will it cost/hurt when it gets out" Ira Winkler talks about this a little bit too.
Remember, all companies have security holes. It is just a matter of Identifying, Evaluating, and Prioritizing. Furthermore, if you have identified a potential problem and your employees do not want to cooperate in fixing it, you have one of two problems. The first is that they are probably not educated and you should explain why. These individuals want to do right and just have to be shown the importance. The second is that they may not care. Even if that individual is "key" player, you may want to consider removing them from the sensitive information or from the company.
Anyway, good luck.
- inj
Security through obscurity (Score:2)
It's also important to make sure the sensitive design documents are on individual sheets of paper seeded throughout the mess on your desk and not in one place, like a binder!
--GnrcMan--
Re:Stupidity (Score:2)
I fully agree with this sentiment. My company has had a laptop stolen from an exec who was working out of our parent company's office. He left it on a desk to go to lunch and, surprise, it was gone when he came back. After he alerted us to this fact, we spent days going around on 'why' it shouldn't have been stolen (e.g. it's our parent company, you'd expect some level of security) but the final conclusion was it wouldn't have been stolen if he would have taken some simple precautions.
Likewise, the laptop had some sensitive information on it. The police and others feel it wasn't a theft to get the info, but a theft to get the laptop. But, the idiot, hadn't ever bothered to back up the information to the network when he was in the office. His 'defense' was he was never told to do it. If he were a 22-year-old man on his first job, that may fly, but he has been an executive in the industry for several years and clearly should know better.
That is when we hit him with the statistics of harddrive failure on laptops. The bottom line is someone like him shouldn't be using equipment like this.
Another executive had left his palm pilot on the roof of his car. He lost all his contact data because he never bothered to sync it.
The best way to prevent sensitive data from falling in the wrong hands is to make sure it can't be accessed by anyone who doesn't need it, and everyone in the company has gone through adequate training. This last one is a key. Some people just don't know how to secure data, let alone apply encryption to it. Sadly most executives don't feel the need to learn.
The Inside Job (Score:2)
In most cases a disgruntled/greedy employee has offered his services, or believes he can cash in by stealing something.
Data encryption is great, but once the theif has the goods the game is already over. You've been hurt, and there is at least a 50-50 chance that there is something left behind that is a clue to what the pass word is.
And what about the network. The network admin, or even helpdesk people, have wide control over what they can view on a network file system. You can encrypt all you want, but in mid size companies the person who is god on the file server is probally god on the CA server.
Beyond that, swiping some actual paper out of the desk is just as good. Most CEO's are old, let's face it. They REALLY LIKE paper. There's probally tons of good stuff they can get their hands on.
These are some of the key items:
* Physical security is key. If you would be alarmed to see someone in your office during the middle of the night you should lock it. Keys, Puchcode, Prox cards all work well. Digital Biometrics work best.
* If you're going to store the secret stuff get a file server just for your department. Get a specific IT person to administer it. Make sure the normal IT group doesn't have access. As the business side of the house you'll never know when an IT person is snooping your directory. You'll never know if someone in IT is PO'd with work because they don't work for you. This is what will cost you your files.
* If you impliment a corporate encryption package make sure the employee who administers the CA server is not the same person who administers the file server. Seperating the two out helps with lone wolf problems.
* Impliment rotating passcode systems such as secure ID. Even if the end user comes up with a crappy password (which they will), the would be thief will need to have the dongle in order to get in. As always, the person who administers the server should not be affiliated with the other systems.
* Assume that information theft is an internal problem (because it usually is) but make sure you protect for both internal and external sources.
Re:A minute to learn, a lifetime to master... (Score:2)
Oh, this was only on laptops, BTW. Don't think they do it on desktops.
Re:Physical security (Score:2)
If someone is not physically using that laptop or desktop it (laptop or removable hard drive) should be locked up in the safe and the safe should be in a secure room as well.
Moan about the pain in the rear this is all that you want, now moan that someone stole whatever information from you company that ruins everything. Which moan sounds the worst?
Andrew Borntreger
Re:it's automatic (Score:2)
GPS is impractical for that. A GPS signal is easily blocked by "natural" causes (buildings, steep cliffs). However, there is such a gadget that uses cellular phone technology [vehicletracking.com] to track whatever your fit with it...
--
Americans are bred for stupidity.
Is there any other way to get a signal out? (Score:3)
But I digress. It could be possible to have a smart card reader installed as a means of accessing your laptop to read and decode a magnetic stric. Or maybe a cuecat.
Re:Use Stealth Recovery Software (Score:2)
A serious theif will beat all these "call in" methods. The only theives it will catch are the stupid ones. As for the "reformat, it still works" forget it. Use fdisk to overwrite the MBR, format the disk and the software is effectively gone.
Proper physical security is the number one defence against theft and espionage.
Who is doing the stealing? (Score:2)
Someone payed a 'trusted' employee, with neccessary badges and clearances to scarf the stuff for them.
It's clean, it's simple, it's fairly safe for the primary party and. . .
It's virtually unstopable.
The first step is to realize that EVERYONE in the company cannot be trusted and put a cop in everyone's pocket.
Of course, the cops are no emplyees and need a cop in THEIR pocket as well. . . ad infinitum.
Contraban is readily available in high security prisons. It's often the guards who supply it.
Theft and how to prevent it has been gone over by the combined minds of all humanity back to Australopithicus and no solution has been found as yet. There is more secure and less secure, but there is no such thing as secure.
The only things that will not be stolen are those things not worth stealing.
Even then, The Secret Service is continually amazed by the fact that many counterfiters could have made more money applying their skills in the open market than they ever garnered from counterfiting.
Face it, for some people stealing is as much a 'leisure activity' as it is a monetary one. They get off on the rush.
Rich people are arrested for stealing trivial items every year.
Don't use a dumb password scheme (Score:2)
Logon: CARectosis
Password: cjr Scary no? I know you've seen it and freaked out, so did I...