Lessons from a stolen laptop

by Lee LeClair
10/20/2006
As seen in Inside Tucson Business

A friend of mine recently told me that his laptop had been stolen and he was seeking some advice on whether he should try to do anything to prevent identity theft. Laptop theft is a big problem these days, especially as laptops have become the prevalent business and consumer computer. Anyone who travels must face this issue, but even those who just go to coffee shops locally have to be vigilant.

One of the things my friend asked specifically was whether or not it was easy for someone to get into his account, which he says was password protected on Windows XP. My response was that, unfortunately, it is very easy to get past the operating system password protection if someone has physical possession of the computer. Even a moderately knowledgeable computer user can quickly find out how to do this using Google. Full access is simple using special boot disks that allow anyone to change the admin password. Even without such a disk, using a commonly available CD-based operating system like Knoppix will allow anyone to read your files. Basically, you have to consider your data compromised if you lose your laptop, just like you’d consider your credit cards compromised if you lost your wallet.

Similarly, the type of action you would take immediately to minimize the possible damage includes:

• Change any online passwords for bank accounts, email accounts, etc. if you had them saved in your browser or email client (which you shouldn’t have done anyway but it’s soooo convenient)
• If it was a business laptop, let your employer know right away – they should have a checklist of things to do which may include changing account passwords on servers
• Examine your last backup (you did have a backup, right?) to see what damaging information you had in files. Loss of information that could be used for identity theft (like your SSN) should be reported to the police along with the theft of the actual item
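
The last step above, going through a restored backup for data that could be used for identity theft, can be partly automated. The following Python is an added example, not part of the original column: it walks a backup folder and reports files containing SSN-formatted numbers or card numbers that pass the Luhn check, masking all but the last four digits. The function names, patterns and sample files are assumptions made for illustration.

```python
import os
import re
import tempfile

# SSN written NNN-NN-NNNN; areas 000, 666, 900-999, group 00 and serial 0000 are never assigned.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def luhn_ok(digits):
    # Luhn checksum: discards digit runs that are not card numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(text):
    # Return (kind, masked value) pairs; only the last four digits are kept.
    hits = [("ssn", "***-**-" + m.group()[-4:]) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def scan_backup(root):
    # Walk a restored backup and map relative path -> findings.
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read().decode("latin-1")  # never fails on binary data
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            hits = find_sensitive(text)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed sample backup
        with open(os.path.join(root, "taxes.txt"), "w") as fh:
            fh.write("SSN 078-05-1120, order 000-12-3456\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("card 4111 1111 1111 1111, phone 520-555-0100\n")
        return scan_backup(root)
```

A plain-text scan like this misses numbers stored inside compressed or encrypted documents, so an empty report does not mean the backup held nothing sensitive.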

What can be done to prevent laptop theft in the first place? When I travel, I use a backpack to transport my laptop; this leaves both of my hands free. When traveling alone in suspect locales internationally, I wear my backpack in the front – I look like a dork but it prevents light fingers behind me. In airports, I leave my backpack on most of the time (e.g., for number 1 in the bathroom). When I take it off, for example at an airport café or while waiting to board, I make sure to keep in physical contact with it; usually it’s in contact with my leg or foot. I always take it carry-on and I try not to leave my laptop in a car if I can help it; if I must, then I make sure it isn’t visible by putting it in the trunk.

What can I do to protect my data? Many people must work with sensitive data that they do not want lost or compromised. Real loss is prevented by making regular backups (external USB hard drives are pretty common these days). Preventing data compromise is trickier. Windows XP Pro provides for folder and file encryption using the built-in Encrypting File System (EFS) feature. This is pretty good but is entirely dependent on how good your password is (I hope I don’t need to remind everyone to use a tough password). Also, it will encrypt file contents but not the file and folder names. Disadvantages also include the fact that your encrypted files cannot be scanned by your anti-virus software.

My solution is to use an external USB 2.5” (laptop) hard drive that is full-disk encrypted. This leaves very little data actually resident on my laptop other than applications like Word (which actually makes it easy to switch to another laptop if I need to). I use an open-source program called TrueCrypt for disk encryption. My data is then fully portable; when traveling I will often carry this small flat disk in my pocket, especially when leaving my laptop in a hotel or car. Even if my portable disk were lost or stolen, I’m reasonably confident my dual-encrypted (two algorithms – one of which is the Department of Defense standard AES) data, 15+ character password, and key file protection would ensure that my data is invisible. Even this isn’t foolproof; if my laptop were stolen by a computer forensics expert, then such a person could examine temporary files, pagefiles, etc. to obtain information (I purge such data regularly but for convenience not with specialized wipe tools so residue still exists). This is a bit paranoid for non-military settings but you get the idea. I hope I’ve provided some food for thought in securing your mobile equipment and data. For any type of security: develop a strategy, create a detailed plan, and make it a habit.

Lee LeClair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business.