Laptop losers hall of shame
networkworld.com — Here's a list of the 10 biggest (known) security breaches from lost or stolen laptops, where government agencies, corporations and colleges failed to safeguard the names, Social Security numbers and other personal info of their customers. Encryption software - which costs as little as $10 per laptop - could have prevented most of these incidents.
- labboy, on 05/24/2008, -0/+8 I suspect companies are actually starting to get a clue here. Both IBM and EMC are rolling out encryption in a big way (of course they have a stake in this from an encryption products standpoint) and others will probably follow... of course, handheld devices will be the next big problem once the laptops are secured
- louiebaur, on 05/24/2008, -1/+10 I wasn't aware of the Gap one, 800,000 names is a lot of data
- alstublieft, on 05/24/2008, -0/+4 oh gosh this is depressing...my laptop was stolen in January and I did nothing that could have prevented things like this! :(
- SHv2, on 05/24/2008, -8/+53 I stole someone's identity once... Todd Davis, Social Security Number: 457-55-5462
- tardmaster, on 05/24/2008, -1/+15 http://www.lifelock.com
I guess not everyone got it. Or maybe they did, and it just wasn't funny to them.
- bipolarruledout, on 05/24/2008, -0/+0 Do you know what his credit line is and if it's going to be enough to cover that lawsuit?
- edstate, on 05/24/2008, -1/+13 I was half expecting to see pics of douchebags in Starbucks hard at work...
- 72Devilz, on 05/24/2008, -6/+0 Dug down for the lame ass annoying flash ad in the top right corner of the page, bet it was an interesting read though.
- xkorbin, on 05/24/2008, -1/+4 What Ad?
- Pissoff, on 05/24/2008, -3/+2 riposte: http://news.cnet.com/8301-13578_3-9876060-38.html
- BOFH2, on 05/24/2008, -1/+4 slide shows, multiple page crap and post like that should be banned. Yes I dugg it. Baaah
- NekoIan, on 05/24/2008, -0/+41 Costs as little as free...
http://www.truecrypt.org/
- spirko, on 05/24/2008, -0/+9 And for that reason, there's no excuse.
- Mootabolife, on 05/24/2008, -0/+7 Don't underestimate the power of lethargy.
- SHv2, on 05/24/2008, -1/+1 I would respond to your statement with a well thought out argument against but ***** am I tired.
- SLockhart, on 05/24/2008, -0/+4 I heard about TrueCrypt on Leo Laporte's Tech Guy podcast today. It's completely uncrackable and it's free. There are no more excuses for these security breaches.
I got it up and running, made a hidden file container within the outer file container (for plausible deniability), set up different passwords for both and then...I realized I have absolutely nothing worth hiding from anyone. Oh well, I'm set up and ready to go if anyone gives me some Top Secret file for safe keeping.
- elvisa, on 05/24/2008, -0/+1 Not trying to troll or anything, but nothing is uncrackable.
Truecrypt offers AES/Rijndael, Twofish and Serpent encryption (or a combination of them), up to 256bits. That is certainly some of the highest level symmetric-key encryption available to anyone. But nothing is "uncrackable" given enough time and CPU power.
Encryption is a constant moving target, and something people need to constantly reassess every few years. For now, products like Truecrypt are a fantastic option for anything from home users through to medical/government/financial institutions.
- xmodem2, on 05/24/2008, -0/+1 Incorrect. Assuming the key is not compromised, a One-time pad cannot be cracked.
http://en.wikipedia.org/wiki/One_Time_Pad
And while, sure, AES might be breakable with enough CPU power, please show me any individual or organisation capable of breaking AES within my lifetime (assuming the implementation I'm using isn't flawed)
- SLockhart, on 05/24/2008, -0/+1 Yeah, what he said.
- elvisa, on 05/25/2008, -0/+1 "please show me any individual or organisation capable of breaking AES within my lifetime".
Processing power moves at an exponential rate. What took millions of processing hours in the 70's takes a few seconds to do 30 years later.
I say with some certainty that AES will be broken within your lifetime. Again, look at DES, 40-bit encryption, etc. These things were considered safe based on modern processing power, and were broken decades later.
Unless you plan on dropping dead in the next 20 years, I don't doubt you'll live to see a day when AES becomes too easy to break with commodity hardware, and we'll all be using something new and different.
And that's not even considering the future of quantum computing, and the hugely parallel possibilities it brings (and with it, a need to change the current way we all use encryption).
- elvisa, on 05/26/2008, -0/+1 http://en.wikipedia.org/wiki/EFF_DES_cracker
DES encryption:
* Selected as a FIPS standard in 1976
* cracked in 96 days in 1997
* cracked in 41 days in early 1998
* cracked in 56 hours by mid 1998
Nothing is "uncrackable" forever. :)
- digidelia, on 05/24/2008, -0/+7 how long until someone complains about having to click through slides
- SoIcanDigg, on 05/24/2008, -0/+3 Encryption software for laptops is not new. Companies that don't have encryption software with password protection on all of the company owned laptops, especially if they contain sensitive data, are completely irresponsible and should be held accountable with the highest penalties.
- beauTL, on 05/24/2008, -5/+1 lame.
- tai1nega, on 05/24/2008, -2/+2 yup, part of that Gap one. stupid idiots
- chamberlanderic, on 05/24/2008, -2/+2 just make your employee work at the goddam office.
- DeFex, on 05/24/2008, -1/+5 I guess they forgot there are other countries in the world. UK has had some pretty spectacular ones.
- meatmcguffin, on 05/24/2008, -0/+1 http://www.darkreading.com/document.asp?doc_id=139 ...
This one affected nearly half of the population of the UK
- nociva, on 06/30/2008, -3/+2 Hey, I work with the guy on the main picture. weird!!!
- diulei, on 05/24/2008, -1/+4 Really, companies / organizations don't have an excuse for not encrypting sensitive information when there is FREE software out there.
- bipolarruledout, on 05/24/2008, -0/+0 Maybe but the software doesn't install itself and employees are bad about using it unless they are consistently trained. The weakest link in IT is always ground level staff. All the technology in the world won't help without good security and IT policies.
- sjbdallas, on 05/24/2008, -3/+2 Encryption isn't the complete answer since hackers are already finding their way around that.
What companies with data they need to protect must do is keep the data inside the company and stop letting it float around the world on laptops.
- SLockhart, on 05/24/2008, -1/+1 There is absolutely no way to crack the encryption that TrueCrypt uses.
- nycmac247, on 05/24/2008, -0/+2 don't know where to start with that one.
been to school a while and...well, you can probably guess what I'm going to say.
(and no, I don't live in New Mexico nor Nevada; don't even need to go that far).
If you think TrueCrypt is "unbreakable" you might want to know more about SGI projects, consider other countries and ....so frustrating...that's all I will say.
Please - go back to your dorm room and hit the bong again.
- SLockhart, on 05/24/2008, -1/+1 I should have said that the encryption that it uses has never been broken. I'm sure it's theoretically possible. Anyway I'll take the word of the security expert that I saw talking about it rather than some guy on the internet. TrueCrypt uses the best encryption methods available to anyone today and it has never been compromised. If you knew what you were talking about you'd know that encryption has come a long way and there are now types of encryption that cannot be brute-forced.
- nycmac247, on 05/24/2008, -0/+1 I am sorry I was a jerk (really).
It's just that I have worked with people that have broken more than that but yes they take very very (very!) expensive hardware.
Bottom line is if the US gov't has a laptop missing people from other countries can probably break it, that's all.
- bipolarruledout, on 05/24/2008, -0/+0 Encryption works but in most cases is not deployed well.
- mattieshoes, on 05/24/2008, -2/+3 Just because the program is free doesn't mean there's any costs associated with it. The obvious solution here is DON'T PUT SENSITIVE DATA ON A LAPTOP.
- FireSlash, on 05/24/2008, -1/+1 I prefer the state of Ohio's old policy of giving their "off site" backup tapes to interns who leave them in their cars. ( http://www.msnbc.msn.com/id/19247094/ )
- AlaskaLoneWolf, on 05/24/2008, -2/+1 Lost my wallet once. Had my place broken into twice. Never lost a computer. [Knocking on wood] That would be the worst thing I can imagine.
- AWBoy666, on 05/24/2008, -3/+1 Woooo!!!!! Davidson county!! That's me!!!
Ugh :(
- nycmac247, on 05/24/2008, -1/+1 ahhh... security 101 is physical security.
Do these ***** also allow employees to take all the internal financial statements, etc. home?
(er... maybe they do; I shouldn't be so fast to ASSume).
I very rarely think this way, but when I see breaches like this I really think of the death penalty.
Yes --- death.
(but then again I get high off of thinking of caning for graffiti "artists")
- SLockhart, on 05/24/2008, -0/+1 Yeah, no worries, I was kinda rude too. Seriously though. The security guy on Leo Laporte's Tech Guy podcast said that if you are using TrueCrypt on your hard drive you can be absolutely certain that no one will ever see your encrypted data.
- dougmc, on 05/24/2008, -0/+1 `Encryption software - which costs as little as $10 per laptop'
It's not the cost. Encryption software is available for free as well. But its use does add some complications to your use of the computer, and it does hurt performance to some degree. And if something goes wrong with your laptop, it may make it much harder to recover your data, even with the password. And what if you lose/forget the password?
I'm not saying that its use isn't justified in many cases -- but the dollar cost is not the real reason it's not used more often.
That said, I don't encrypt my laptop. It's not worth the trouble -- and there's nothing sensitive on it anyways. (It's my personal laptop, not full of financial data or anything. In fact, all I really use it for is remote web browsing and ssh access.) But I do encrypt some external disks that I use, that do contain sensitive information, just in case they get lost.
And really, sensitive information shouldn't be stored on a laptop anyways. Physical security tends to be lacking there, and while encryption does help, it doesn't solve all the problems.
- elvisa, on 05/24/2008, -0/+1 A 5% drop in disk read/write performance and the "difficulty" of remembering another password are not good enough excuses for people carrying social security numbers on their laptops to not use encryption.
The examples in this story are negligence, pure and simple. That data should never have left its respective owner without proper protection.
Where I work, the standard is Pointsec on Windows laptops and Encrypted LVM on Linux laptops. Anyone who considers it too difficult to comply has their laptop taken from them. There is no negotiation - you encrypt, or you don't use company laptops.
- Dobby156, on 05/24/2008, -0/+1 when Microsoft's main operating system contains drive encryption for free, it's a mystery why even the most important documents are encrypted these happen.
- iamsojelin, on 05/24/2008, -1/+3 In case you don't want to read these, here's a summary of each story:
"A laptop gets stolen from an employee that contains hundreds of thousands of names, social security numbers and other sensitive information. People get upset".
- TechCF, on 05/24/2008, -0/+3 Server side computing!
- rkiga, on 05/24/2008, -1/+1 On a slightly related note, it took UCLA more than a year to notice that a "sophisticated hacker" had been accessing their database of 800,000 "names, Social Security numbers, dates of birth, home addresses and contact information".
The data obtained by the hacker was "limited to approximately 18,500 UCLA student financial aid applicants from 2002 through 2006 and 10,100 former employees".
brilliant
http://newsroom.ucla.edu/portal/ucla/UCLA-Warns-of ...
- Dobby156, on 05/24/2008, -0/+2 where is the British government on this list? here in the United Kingdom our government has lost numerous laptops and CDs/DVDs with databases of confidential data.
this is one of many.
http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm
amount affected 25million
- bipolarruledout, on 05/24/2008, -0/+0 Information security is a big issue everywhere and it's going to get worse before it gets better. There are multiple vectors to consider, the least of which is technology related. All the encryption in the world isn't going to help you if passwords aren't secured (or written down on a post it attached to the computer). There is also the problem with unencrypted caches stored in memory or temporary files. A remote access solution over strong VPN's is perhaps the best solution in the short term.
I worked for a reasonably large company which collected the social security numbers of every customer (for credit checks) in an access database. The full company wide database was cached locally on EVERY workstation in the company UNENCRYPTED. The only protection was a single and very unsecure password. The problem still is not resolved and the company does not consider it to be an issue. Thankfully those using these systems are not IT experts but are grossly underpaid.
I'm shocked that we don't see more data leaks considering how many crappy and unsecure software applications are out on the market being used everyday. Most companies have a false sense of security when it comes to their data and don't want to spend the money on training and securing every attack vector.
- kd1s, on 05/24/2008, -0/+1 This doesn't surprise me at all. For example, in my former job a new administration came in and implemented a new computer and network policy. They left out anything about taking data off site, or CD's, etc. I brought it up a number of times through official channels and they didn't want the hassle.
Put it this way, I know all their employee data is in the possession of at least four people, and they all have the data stored on machines OUTSIDE the office network.
Then again, when the new administration came in I heard that their most pressing question was "Where do we park?" How I hate politics.
- nourkah, on 05/24/2008, -0/+1 The military one was funny. I remember getting the letter from the government (I'm in the army), saying that they had that information stolen. I wasn't really that worried since there was almost 30 million other people whose information that they could choose from. hilarious though.
- tapius, on 05/24/2008, -0/+0 I don't get it though, if your ***** is sent somewhere else, then it depends on their security issues as well.
.
.
. . . . . . . . . . . . . . . . . . . . . . . . . .OBFUSCATION
.
.