RealTime IT News

Stakes Rise in Notebook Safety

As the Black Hat conference descends upon Las Vegas this week, internetnews.com presents a series of articles addressing security issues past and present.

Call it the 26.5 million record wakeup call.

That's how many veteran's confidential records were at risk following the stunning disclosure of a missing notebook at the Veteran's Administration this past spring. It was the biggest Social Security numbers breach on record and the prospect of widespread identity theft loomed.

This particular story apparently has a happy ending. There was a collective sigh of relief by the government and affected veterans when it was reported in late June that the missing notebook had been recovered.

According to a preliminary FBI forensics report, no data was missing or copied off the system. A VA official said he was optimistic the chances of identity theft have been minimized.

Still, it's clear the VA dodged a bullet, and the data could just as well have been compromised. The data on the notebook was not encrypted.

Lesson's learned? Hardly, though more companies and government agencies are calling for stricter controls over notebook systems. It's a challenge, though. Encrypting files is an extra step and process for IT to implement and notebooks are by their very nature mobile and have a way of leaving the corporate desktop.

Ernst & Young is one company taking action. The accounting giant started encrypting data on laptops for its 30,000-person workforce in the U.S. and Canada after a laptop with personal information on about 38,000 customers was stolen from an employee's car in February, according to a recent report in USA Today.

But there have been about 90 million records exposed to potential ID theft since February of last year, according to the latest figures by the Privacy Rights Clearinghouse which details major incidents at its Web site.

For example, just last month, Armstrong World Industries in Lancaster Co., Pa., reported a stolen laptop containing personal information of current and former employers, 12,000 in all, was stolen from the company's auditor, Deloitte & Touche.

Data included names, home addresses, phone numbers, SSNs, employee ID numbers, salary data, and bank account numbers of employees who have their checks directly deposited.

Vendors are moving aggressively to keep notebooks more secure.

Lenovo has long offered an extra layer of security -- fingerprint authentication -- for its popular ThinkPad line. Lenovo said it's the largest provider of biometric-enabled PCs in the world.

Other notebook makers such as Dell and HP have followed suit by offering a fingerprint reader, but they have a ways to go to catch up to Lenovo.

Late last year Lenovo reported it was the first to have sold its 1 millionth ThinkPad with the integrated fingerprint reader, which sells for a $50 premium on most models.

Data moved off notebooks onto portable storage devices, such as the handy keychain or thumb drives, is also a potential security risk.

Will Poole, Microsoft's senior vice president of the Windows client business, said he was shocked to hear from some CIOs they actually used glue guns to seal off the USB ports, so their employees wouldn't use thumb drives to copy company data files.

Speaking at Microsoft's WinHec conference this past spring, Poole said companies will soon be able to put the glue guns to better use.

He said Vista's BitLocker Drive Encryption will protect data from being used by unauthorized users or even downloaded inappropriately to thumb drives.

Due out the end of this year, Vista's group policy feature can limit what information employees are allowed to transfer off their computer hard drives.

But then there's the issue of introducing problems with programs already stored on the thumb drives.

"The portability of USB devices makes it easy to accidentally infect an enterprise network with contagions carried in from a home computer," said Jim Watson, CEO of Reflex Security.

The security firm says contamination frequently starts with tainted media files downloaded from peer networks such as BitTorrent that are copied onto the portable drives. Even the act of installing P2P programs can sometimes introduce spyware and adware to a host.

Reflex has developed an inline network intrusion prevention system it says will prevent such intrusions.

Looking ahead to the holidays, the company advises IT managers to be aware of the "Christmas Effect": workers returning from vacation bearing thumb drives and MP3 music storage devices they received as gifts.