Wednesday, September 26, 2012

Identity Theft: Stolen Laptop Response

Encrypt, secure, prohibit or pay the price!

That's what Congress and state legislators should tell Ernst & Young, Veterans Affairs and other companies and agencies that play fast and loose with our personal data.

In the last several days, major news networks and countless online news sources reported two more incidents of lost or stolen laptops containing personal data of millions of individuals. The first theft involved a laptop stolen from a Veterans Affairs employee. Follow-up reports on that theft go from bad to worse, indicating 2.2 million active-duty personnel are now at risk for identity theft [http://www.cnn.com/2006/US/06/07/vets.data.ap/index.html]. The lost data in this case includes Social Security numbers.

The second incident involved a laptop stolen from an Ernst & Young employee. That laptop contained the personal data, including credit card information, of approximately 243,000 customers of Hotels.Com who had booked rooms between 2002 and 2004. In a way, this second incident is more egregious because losing laptops is reportedly commonplace for Ernst & Young.

        Nokia staff jacked by Ernst & Young laptop loss (30 March 2006)
        40,000 BP workers exposed in Ernst & Young laptop loss (23 March 2006)
        Lost Ernst & Young laptop exposes IBM staff (15 March 2006)
        Readers amazed by Ernst & Young's laptop giveaway (4 March 2006)
        Ernst & Young loses four more laptops (26 February 2006)
        Ernst & Young fails to disclose high-profile data loss (25 February 2006)

According to The Register, a British technology news site, password protection, which any avid computer user knows can be easily compromised, was the only security available on some of the laptops lost by Ernst & Young during a prior incident. What about the laptops more recently lost by Ernst & Young employees? Was the data contained in those laptops encrypted? Are there any company policies limiting the extent of personal data that may leave the office, where presumably network security standards and firewall protection are in place? Are there any company rules prohibiting employees from leaving laptops unattended (though you would think common sense would be enough)? Or better still, are there rules prohibiting the transfer of personal data to employee laptops? I expect there aren't. If any such measures were in place, Ernst & Young’s public relations people would have plastered that all over the media to reassure clients and the public in an attempt to save the firm’s corporate derriere.

Ernst & Young and the VA are not the only entities that have lost laptops with personal data, and most of these entities have developed a typical response straight from the Corporate Playbook. Ernst & Young has agreed to offer Hotels.Com customers a year's free credit monitoring. That’s no compensation for someone who will have to spend potentially years clearing up a resulting bad credit history. Anyone who’s been in the tenuous position of having to prove they do not owe a debt they do not owe will tell you that. If Ernst & Young created a task force to help consumers clear identity theft issues, then maybe that could be considered compensatory. If they offered to pay legal fees for anyone having to clear resulting bad credit histories, or pay state fines for prosecution of identity thieves, that might be considered compensatory. If they committed to and implemented a program to encrypt and secure the data and, in particular, prohibited downloading of personal data to portable computers in the first place, that would be considered the best move of all.

Employees of the auditing companies don’t seem to care what happens to your personal data. The Register reported that, in one case, employees left laptops in an unattended conference room while they went off to lunch. You can just see how that might happen. They’re in Miami at yet another conference. The conference is at a downtown hotel they’ve been to a couple times. They’re familiar with the hotel and the area so already they feel some sense of false security. Someone’s been talking for hours about converting more sales, pushing certain investments, or their company’s new data recovery center that will help clients feel more “secure.” Anyway, the speaker stops to take a breath and everyone realizes it’s a good time to break for lunch. They’re coming back to the room so, hey, why lug around those heavy laptops? Aren’t they coming back to the room for the second half of the conference? Do they even ask if the conference room will be locked during lunch? Of course not. They’re company laptops. What’s a few lost laptops to a big corporation like Ernst & Young?

Maybe these irresponsible employees need a little incentive to show better judgment. Suspending reality for just a moment, wouldn’t it be interesting if, any time one of these employees acted that irresponsibly, his or her Social Security number were posted on StupidIrresponsibleJerks.Com? That way they could sweat it out with the rest of us who have personal data floating out there and possibly in the wrong hands. While we’re at it, let’s also expose the personal data of policymakers at these auditing companies who are too shortsighted to better secure your data and the company’s reputation. Let them sweat it out too. At a minimum, how about if these employees immediately lost their jobs, were required to be individually named in negligence lawsuits filed by victims of identity theft, or at a minimum SIMPLY HAD TO PAY FOR THE LOST LAPTOPS? I bet we’d see a decrease in stolen laptops then. Seriously people, some of these employees were so careless you can almost imagine them extending their arms and presenting the laptop to Joe Thief. “Here, take it. I’d give you my Windows password too, but you won’t need it. I didn’t bother to log off before going to lunch – check out my Paris Hilton screen saver.”

Most of these companies that have lost laptops with sensitive data try to pacify the public by saying the thieves are just after the hardware. Sure. That’s like telling a home burglary victim the burglar just wants your jewelry box. He’s not really interested in the $50,000 tear-drop diamond earrings you had inside. Bull. When a thief steals, every part of the stolen item has value. Everything. Even a computer-illiterate thief knows there will be programs on a laptop and, if he knows what’s loaded, he can better evaluate the asking price when he fences it.

Ernst & Young’s web site praises the company’s network security measures in their section titled "Security and Technology Solutions." These measures may well be admirable. However, too often individuals, companies, and the public in general are so focused on stuff going over the Internet that they forget about stuff sitting in hard drives. A truly secure network focuses on data stream (information being transferred) and on data storage (information waiting to be used). In my dreams, my personal data is properly stored in a secure location, in a building with armed guards, vicious dogs, and an unfriendly receptionist. Well, I can hope. I can also hope that some of that data might also be encrypted. I realize my personal data with one institution may be stored in more than one location; for example, Building A (their main offices) and Building B (a branch office or, better still, a data recovery center). But, not in my wildest imagining would I expect that any business storing my personal data would allow it to be downloaded and stored on a laptop that an employee can take home where he does his online shopping. I know I also don’t expect that the laptop with my personal data is being left unattended in a hotel conference room, a bar counter or someone’s car. I don’t care how many financial or online banking agreements I sign. I’m never consenting to anyone downloading my personal information to a laptop. No one consents to the mishandling of their personal data.

I have yet to read any banking or credit agreement that expressly states the information will be downloaded to a laptop or in any way made available to anyone outside the secured network of the financial institution. There is a vague all-encompassing comment about information sharing, but the appearance given by these institutions is that the information will be handled and “shared” in a secure method over an encrypted Internet connection. Everything they say about their security has to do with their firewalled and encrypted data streams. To me that means that anyone working from home and needing access to my personal data is doing that using one of the many encrypted remote access programs that are out there: for example, Windows Remote Desktop or GoToMyPC or some other Citrix product. These programs are by no means impenetrable, but they are simply a better option, utterly available and far more secure. That’s just not the case with data downloaded to laptops without encryption or adequate password protection (though passwords are simply not enough). Over the years, I have used a number of remote access programs to log into my office and work on client files. I’ve even used a laptop to work downstairs on files stored on my main computer in an upstairs bedroom. The remote desktop creates a window that shows me the programs and data files on the main workstation or network server that is hosting my connection and contains what I need to see. I am NEVER required to download any data to the laptop to work remotely on it. That’s the whole point of the remote access software.

By compelling employees to log in, do the work and immediately exit the remote access program, Ernst & Young, the VA and any other entity that stores personal data minimize the window of opportunity for your personal data to fall into the wrong hands while remaining behind an encrypted and presumably firewalled connection during the entire time that your personal data may need to be accessed. During remote access sessions, the company retains control of your information and there is oversight of the employee’s use of your information. Best of all, if your personal data is not needed during that particular remote access session, it never even becomes part of the encrypted data stream traveling over the Internet. This would expose even fewer people to the threat of identity theft. Think about it. Can any Ernst & Young employee work on the data of 243,000 Hotels.Com customers during one remote access session? Can one VA employee work on the accounts of 2.2 million active-duty personnel during one online remote access session? And yet, both these individuals collectively had the personal data of nearly 2.5 million people stored on their laptops and immediately available to anyone using their laptops. Why?

There ought to be a law, right? Oh, absolutely. Congress should immediately implement its own measures, including possibly levying fines against any entity that acts irresponsibly with your personal data, and should impose broader guidelines regarding access to your personal data. In 1996 Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) regulating the use of and access to personal health information and related identifying personal data, like medical record numbers and Social Security numbers contained in patient medical records. Though HIPAA caused a lot of headaches in the medical and legal communities, it validated concerns over privacy. HIPAA was still a step in the right direction even if, like most legislation, it needs to evolve to better reflect the legislative intent. Similar legislation needs to be considered with respect to the personal data maintained by businesses and financial institutions. A person shouldn’t have to get sick to protect his or her personal data, though the apparent lack of security is sure to make you sick.

Although HIPAA addressed privacy concerns, the issue of protecting personal data isn’t a question of privacy; it’s a question of security. Protecting personal data could easily fall within the purview of Homeland Security. Personal data needs to remain secure because the casual criminal is not the only one making use of it. Whether it’s to raise fear or awareness, consistently our government tells us about the manner in which terrorists make use of other people’s personal data to create phoney IDs, buy cell phones, or book plane tickets. It’s not a leap of logic to suggest that protecting personal data thwarts terrorist activity. A bold politician might even say failure to do so is a breach of national security. But that’s going a bit too far, don’t you think? Certainly, though, it’s conceivable that personal data has the potential of falling into the hands of someone desiring more than just an overpriced pair of shoes, hair extensions or HDTV.

Other measures offer consumers far more protection than we’ve been seeing. There are currently legislative initiatives in certain states that would allow their residents to place a security freeze on their credit files prohibiting any new credit or loan application to go through without the consumer’s authorized PIN number. The freeze would allow consumers to lock their credit and temporarily unlock it when they know they will be applying for a loan or need to make some other type of major purchase. For more on security freezes, read the June 8, 2006, Home Watch article on WomensWebWatch.Com. A link to that site is provided in the author's bio below.

Ernst & Young is not a small operation. It is a successful business with, I imagine, an exceptional track record and the ability to provide solid services or it would not be retained by so many reputable businesses. However, the best company can show poor judgment and in this case it has. To be fair, I surmise that, like all companies, Ernst & Young has careless employees and most certainly careful ones. The company as a whole may be undeserving of the resulting bad reputation it’s getting. On the other hand, it has not shown it’s done enough to curb the loss of personal data. Frankly, even the most careful employee can be overwhelmed during a crime, or overly fatigued, and become dispossessed of his or her laptop. There is little compelling reason for those laptops to contain personal data. Every entity that handles personal data needs to implement a zero-download policy and issue essentially dumb terminals to their employees (laptops just for remote access).

Too many times, these institutions forgo implementing some security measures because, they argue, no measure is 100% foolproof. They claim it would not be cost-effective for them to implement measures that can be breached. Well, every one of them has already implemented security measures which are not impenetrable. Most of these places already use encrypted Internet security connections for their data streams because failure to do so in this day and age is unthinkable, right? I’ve even heard that some of these places lock their doors at night so someone can’t walk in and steal the CEO’s favorite coffee cup. Adopting a company policy prohibiting the download of personal data to laptops is as expensive as sending around a memo about the upcoming company picnic. There is no need to download the data. Workers can still remote access the encrypted data using adequate alphanumeric passwords through a secure Internet connection behind firewalls on both sides, on the host computer and remote desktop. No, it’s not 100% foolproof. That’s true. My front door can be broken down, but I still lock it at night. Allowing downloads of sensitive data to laptops is the same as leaving the front door wide open.

N. Saco is a contributor and founder of several information web sites, including WomensWebWatch.Com and WetwareSolutions.Com. Her blog is located at InternetExplorerBlog.Com, and a copy of this article can be found there. She has a degree in Communications, focusing in critical analysis, a minor in cultural anthropology, and 20 years' experience in research, writing and investigation, primarily in medical litigation support.

Now You See It, Now You Don't: Preventing Laptop Computer Theft

When Irwin Jacobs, chief executive and founder of Qualcomm Inc. had his laptop stolen from a journalism conference in September 2000, it shed light on a growing problem.

Other recent events have focused national attention on the laptop security issue. Consider the following:

o In July 2001 the Federal Bureau of Investigation reported that 184 laptops had been stolen or lost. At least one and possibly as many as four contained classified information.

o In April 2001 the British Defense Ministry reported 205 laptops missing since 1997, most of which contained classified materials.

o In February 2000 a laptop computer with "highly classified" information disappeared from the U.S. State Department. Then, in May 2000 two more laptops were reported missing from the U.S. State Department.

While technology has made laptops smaller, easier to store and transport, it has also made them easier to conceal and steal. It's the convenience that has made the laptop computer so popular and the information vehicle of choice for business people throughout the world.

The computer itself is a valuable asset and one that should be protected, but it can be replaced. The information stored on it, however, is in many cases not replaceable and is of greater value to competitors if compromised. A thief can get a few thousand dollars for a top of the line laptop, but he can get a whole lot more for a company's marketing plans.

High Risk Locations

A high percentage of laptops are stolen from the office. FBI officials estimate as much as 75 percent of laptop thefts are committed by insiders, individuals who are expected to be on the premises. For example, employees, delivery people and janitors all have access to the grounds and buildings and have opportunities to steal unprotected laptops.

In one case, Canadian authorities apprehended a man believed to have stolen 20 to 30 laptops from an office building over a span of a few weeks. The suspect would enter the building dressed as a maintenance employee, load computers onto a dolly and exit the building. He performed this routine so often, that building employees believed he was actually a member of the maintenance staff.

According to a USA Today article, heightened airport security as a result of the September 11 terrorist attack has caused an increase in the number of lost laptops at airport checkpoints. The problems stem from new procedures that require passengers to remove their laptops from their cases and put them through x-ray machines. They either forget to pick them up or grab a stranger's laptop by accident. It becomes more problematic for travelers who are singled out for magnetic wand searches and may be separated from their valuables on the conveyor belt for extended periods of time.

Business travelers should also pay close attention to their laptops when at the following locations:

*Hotels

*Train Stations

*Bus terminals

*Car rental agencies

*Conference Centers

*Restaurants

*Restrooms

*Payphones

Always remember, laptop theft can happen anyplace, at any time.

Laptop Theft Prevention Tips

Employees

o Disguise your laptop. By carrying your laptop in a case designed for computers, you alert the thieves you have a laptop. Carry your laptop in an ordinary piece of luggage, satchel or other inconspicuous bag.

o Record the laptop serial number, make and model information. Keep this information in your purse or wallet so if your computer is stolen, the information will be readily available when you file a police report.

o Never leave your laptop unattended in a public place.

o Use computer-locking cables to secure the computer to a desk or table.

o Never place a computer in checked luggage.

o If a laptop must be left in the car, store it in the trunk of the vehicle prior to arriving at the final destination.

o Identify your carrying case in some unusual way to make it stand out from all other bags. An unusual color, colored tape or yarn or exceptionally large or brightly colored tags attached to the bag will help you immediately locate the bag and give police probable cause to stop and question the carrier.

o Also consider taping colored paper or placing a large tag on the front of your laptop to avoid accidental mix-ups at the x-ray machine.

o Regularly back up information and store it separately in case your computer is stolen.

Employers

o All laptops should be permanently marked or engraved with inventory or serial numbers so they can aid in recovery if found by the police. Check with the manufacturer regarding appropriate marking locations and warranty criteria prior to marking.

o Conduct scheduled inventories of laptops periodically.

o Proper documentation should be maintained for all laptops. Records could include the type of equipment identifiers such as make, model and inventory or serial numbers, an equipment assignment date, and the employee responsible for the laptop.

o Some companies utilize electronic asset tracking technology. Employers can tag laptops with a small electronic transponder. If an employee attempts to leave the building with the computer, the system records the time, date and exit used. Some systems can also give security the ID of the employee taking the equipment.

o Access to the area where laptops are stored when not assigned should be limited to a select few individuals.

o The limited access storage area should be situated away from high traffic areas.

o Access should be controlled to areas such as offices where employees utilize laptops. This can also be accomplished through the use of ID card systems.

o Some companies have established policies making employees responsible for the loss of a laptop if they do not follow company policy for safeguarding it. Communicate the policy in writing and get a signed statement of acknowledgement.

o Employers have also been known to require employees to purchase their laptops, reasoning that employees will better care for them.

o Provide employees with loss prevention and security awareness training. E-mails, brown bag luncheons, new hire orientations, security awareness literature/posters and video presentations are all excellent vehicles for getting the word out.

o Provide employees with adequate secure storage areas for their laptops such as locked security closets, cabinets and lockdown devices at desks and workstations.

Johnny May is an independent security consultant/trainer and the executive producer of the video production Now You See It, Now You Don't: Preventing Laptop Computer Theft. For more information visi

Ever Tried to Choose From Identical Specification Laptops at the Same Price - How Would You Choose?

As we all know, the modern world has boundless amounts of technology, gadgets and gizmos to choose from and nowhere is this more obvious than when looking at computer related products.

The challenge many people face when choosing a laptop is that there are simply so many models which are of a similar specification and price range. This means that choosing the right laptop often comes down to totally non-specification aspects such as whether their friends have the same make or whether they saw an advert.

It is true to say that you can get several models of laptop from different manufacturers that all have the same specification on the box, but what the less informed laptop buyers should take into account (and often do not) is the quality of the components that have been used to make the laptop. To give you an analogy where the choice is much clearer: you can get two car makes with identical specifications, both have air conditioning, CD player, electric windows, etc., but one is a Mercedes and the other a Ford. Now both are great manufacturers but for anyone who has experience of these two brands, you will know that the Mercedes overall is of a much higher quality - and much more money.

But back to our laptops, the choice is made harder as the models we are looking at are similarly priced as well as having the same specification - so how do most of us choose? Well, this comes down largely to marketing and what the store may be pushing (unless you are buying online). Invariably the best laptop buys are those that meet your budget, have the right specification and are made by a brand you trust.

The best thing someone new to buying a laptop can do is read online about reliability. You should do your research, refine your choice to a handful of models, then do a final "reliability" search to see which one has the best reviews or the least bad reviews.

Wednesday, September 12, 2012

Can You Afford a Laptop Theft?

Losing your laptop is a recipe for disaster. All of your personal information, all of your contacts, all of your work; gone and in the hands of the unknown.

If your laptop is stolen then all of your precious information is in the hands of a thief who will not stop with just stealing your laptop. We're talking Identity Theft as well as data loss.

Many people believe that just having a laptop password protected is good enough for them. It's not. There are too many software tools available that can bypass passwords in under a minute.

According to the FBI, laptop theft loss totaled more than $6.7 million in 2005 to personal users and companies. The average theft of a laptop costs a company $89,000 in software, data and personal information.

MAJOR COMPANY LAPTOP THEFTS

• AICPA lost a laptop during shipment; over 300,000 members' personal information was compromised.
• The Federal Trade Commission had an employee's laptop stolen out of his car. Over 100 social security numbers and other information about top employees at this company were stolen.
• AIG, a major insurance company, had close to one million customers' private information, including credit card numbers, jeopardized when several of their laptops were stolen.
• The U.S. Department of Veterans Affairs put 26.5 million people at risk for identity theft when one laptop was stolen from an employee's home.

If large companies and even the United States Government can't keep their information secure, how can you?

WELCOME NEW TECHNOLOGY

In our ever-changing technology world, ways to protect your laptop (and more importantly, the data stored on the laptop!) are becoming a mainstream conversation piece. Programs that track your laptop are available to prevent such things as above happening to you or your company.

• Get a location on your laptop to within thirty to forty feet
• See who is using your laptop through the webcam
• Encrypt your files even after it's reported missing
• Backup your files even after it's reported missing
• Lock down the computer once your important information has been backed up, rendering it useless

Not only will the program save your important data, but it can help you retrieve it thanks to GeoTracking.
Never worry again about losing your most valuable possession; the possession that has the capability of destroying who you are if it were to fall into the wrong hands.

Secure it with Snuko's Anti-Theft program and give yourself one less thing to worry about.

Snuko is an IT and Security company with offices around the Globe. Snuko specializes in making laptops and smart phones more secure by offering anti-theft programs to their clients. These programs provide clients with essential information on the whereabouts of their equipment as well as ensuring that no data is ever lost because your laptop or smart phone was stolen. With innovative ideas and around the clock monitoring, Snuko is always there to lend a helping hand.