backtop

Print E-mail del.icio.us 23 comment(s) - last by fic2.. on May 8 at 1:03 PM
The Transportation Security Agency is the latest government agency to lose or have data stolen

An external computer hard drive containing the personal, bank and payroll information of up to 100,000 former and current Transportation Security Administration (TSA) employees was reportedly stolen from a human resources office in Crystal City, VA.  The Federal Bureau of Investigation and U.S. Secret Service are now helping the TSA investigate the theft -- FBI is conducting the investigation, with the Secret Service conducting a "forensic review of equipment and facilities."

The TSA learned about the missing hard drive sometime Thursday, but the agency informed possibly affected employees Friday evening -- a delay which has upset some employees.  TSA spokesperson Ellen Howe reassured agency employees by stating the TSA was "not trying to stall."

"TSA has no evidence that an unauthorized individual is using your personal information, but we bring this incident to your attention so that you can be alert to signs of any possible misuse of your identity," said Kip Hawley, TSA Administrator.

The TSA is unaware if the hard drive has left its premises.  The hard drive contained sensitive information on employees who worked for the TSA from January 2002 until August 2005.  The agency employs almost 50,000 people and is the agency responsible for securing transportation systems in the country, including airports and railroads.

Letters were sent out to all affected employees promising one year of credit monitoring services.

Comments     Threshold


This article is over a month old, voting and posting comments is disabled
Security
By filibusterman on 5/5/2007 7:24:30 PM , Rating: 5
I guess they should work on the security in their own offices before they are trusted with the security of millions of individuals traveling every week within the US. Just another example of a wasteful and bloated government agency. Lets secure all of the airports in the nation and just leave the borders to the south and north relatively open.




RE: Security
By nutxo on 5/5/2007 7:30:56 PM , Rating: 2
It's become painfully obvious that laptops in business are a really bad idea. It seems no one is able to maintain physical security of these devices.


RE: Security
By gerf on 5/5/2007 7:44:02 PM , Rating: 2
I use a laptop at work all the time.

I just have no access to anything like SS#s or Gov't sensitive defense data.

And if I did, I'd be salty if I couldn't work in the same easy manner as everyone else (with laptops, thumb drives etc).


RE: Security
By Vertigo101 on 5/5/2007 8:45:41 PM , Rating: 3
Many government installations strictly forbid any device that makes the physical transportation of secure information easily possible.

Operational security easily trumps your personal comfort.


RE: Security
By Talcite on 5/5/2007 11:30:11 PM , Rating: 2
I don't know why government agencies just do away with laptops altogether. They're stolen or lost way too easily.

They should use a VPN for work or use an SSH connection to transfer files. It's much more secure if the employees are educated properly.


RE: Security
By fic2 on 5/8/2007 1:03:20 PM , Rating: 2
Apparently, strictly forbid is rather loosely defined.


RE: Security
By Hare on 5/6/2007 2:45:54 AM , Rating: 3
quote:
It's become painfully obvious that laptops in business are a really bad idea. It seems no one is able to maintain physical security of these devices.

First of all it was an external computer hard drive according to the article.

Laptops are not a bad idea. They are a brilliant idea when information is managed properly. I work for a big tech company and everything and I mean everything is encrypted. You can't read a single document if you stole my laptop. Secondly most files are kept on network drives that are physically in data vaults and accessed through VPN connections that are verified with a smart-card. Even if you stole the laptop and my smartcard you still couldn't log in without my password etc. There's no way you could get access to this information without my consent.

It's all about security and how you manage information. The problem is that most people have no idea how to secure data. It just blows my mind that government etc laptops with massive amounts of files are not encypted and handled better (and I'm not talking about just this specific case).


RE: Security
By GI2K on 5/6/2007 6:15:51 AM , Rating: 2
"There's no way you could get access to this information without my consent."
It has been proved again and again that there's no 100% safe protection...


RE: Security
By Hare on 5/6/2007 7:24:37 AM , Rating: 2
There's no 100% safe protection but you can get very close in practise.

If you wanted access to my/company files you would need to steal my laptop and find out my pointsec encryption password. Without the correct password you have a dead computer. If you found my encryption password (three tries allowed) you would still need my login credentials to the network to access the actual files that are kept on servers. Server VPN connections are secured with my username and password and a secure/smart id card that changes the password on each login.

If I lost my laptop it would take about 2 minutes to shut down my account preventing anyone with the computer from accessing the network even if he/she knew every single password and login and had my computer and password-card. Safe enough...


RE: Security
By leexgx on 5/6/2007 9:06:27 AM , Rating: 2
quote:
If I lost my laptop it would take about 2 minutes to shut down my account preventing anyone with the computer from accessing the network even if he/she knew every single password and login and had my computer and password-card. Safe enough...


but thay be able just format the hdd and use it (on in your case thay probly need to do an Low level format or need to replace the hdd)

you can get laptops that have TPM chips on them + the Bios password lock (or even better an SD card that works with the bios that stores the key on it) + hdd encryption

buy any biz laptop from toshiba (that has Vista bis on it)
it has an Easy to use securtiy progrm on there that can set the password on the BIOS and the HDD (hdd is useless with out the password as its stored on the hdd it self) you can allso store it on an SD card so thay need to insert it on boot up or it not get pass the password

Vista has HDD TPM support that the toshiba program thats on the desktop that makes it easy to set up as well (and agane in this case VIsta supports any Mass storage device {SD card/USB stick} so the user does not even need to know the password)

so if the laptop is stolen it be quite hard to use as it be protected by all that stuff / the first part can be done in an matter of 30 secs and will render the laptop useless unless thay know the master Bios password that the user should Not know when set or have the SD card
the seconed part Useing the TPM protection the time it takes to encript the hdd (probly 30 mins)

if the admin's even bothers to invest in 2 SD cards and 30mins of setting up the security at most this type of stuff should not happen (the securty Comes with the Vista/XP Biz Toshiba laptops for Free)


RE: Security
By leexgx on 5/6/2007 9:12:18 AM , Rating: 2
or the other way is Full Boot HDD encryption software (at most i guess $100 for something basic but afective)

thay still be able to use the laptop but only after an format or an Low level format if that fails


RE: Security
By leexgx on 5/6/2007 9:14:40 AM , Rating: 2
this site needs edit button


RE: Security
By Hare on 5/6/2007 10:07:28 AM , Rating: 2
quote:
but thay be able just format the hdd and use it (on in your case thay probly need to do an Low level format or need to replace the hdd)

Information is all that matters. Hardware is cheap to replace. As long as data is safe the actual hardware loss is irrelevant. From a security standpoint it wouldn't really matter if the laptop was stolen or if someone just spilled their coffee all over the machine.

Another thing to consider is that no matter how strong an ecryption etc is it's useless if the user has "James" login with "James123" password. Too many people use their pets names or something similar as their password.


RE: Security
By leexgx on 5/6/2007 12:02:05 PM , Rating: 2
thats why i posted about useing SD cards as its commen an Most cases its not the user that has stole the laptop but i do think there should be an password + SD keys for the data part


RE: Security
By FoxFour on 5/6/2007 11:36:38 PM , Rating: 2
All of you advocating better information security procedures are forgetting the single greatest factor to be considered: social engineering.

You can encrypt the data, lock it down with a hundred passwords, do whatever you want to make it impossible to read... but you CANNOT force every single employee to use a good password. You're lucky if you can get 10% of your employees to use strong passwords. The other 90% will continue to use their last name spelled backwards, or their son's birthdate, or a word in the top hundred of any decent dictionary attack.

And suddenly all of that encryption and account security isn't worth a damn, because the bad guy has the key to the front door and the code to the alarm.


Government Security=Oxymoron?
By marileeess on 5/5/2007 7:30:50 PM , Rating: 2
The TSA is a part of the Department of Homeland Security. A branch which wants to create a nation ID database.

I think Representative Sheila Jackson Lee of Texas said it best, "Homeland Security buildings are part of the critical infrastructure the agency is charged with protecting. We should expect it to be secure." http://www.essentialsecurity.com/news.htm?id=200

Is Government Security in the U.S. now an oxymoron??? This hard drive loss followed by the AL Veteran's Administration hard drive loss - sheesh!




By MrDiSante on 5/5/2007 9:14:44 PM , Rating: 2
Well Microsoft must be happy. They'll be all like "see, this wouldn't happen if you had bitlocker drive encryption with windows vista!". and then the government will be like, "hey you're right! let's cough up hundreds of dollars/laptop!"


I hope they at least had the data protected
By Snuffalufagus on 5/5/2007 8:14:17 PM , Rating: 2
This seems like the perfect candidate for drive and/or data encryption and any of the other data protection tools out there. If you're responsible or in possession of anyones personal data it seems like common sense to use these sorts of security tools, granted most can be broken, but it's still a huge deterrent to many. The idea that this isn't standard policy or best practices for any government equipment seems plain stupid to me. I have a friend who works in a Accounting firm, and they're security for all their equipment dwarfs what I've seen that a military friend of mine has in place. Then again, the article doesn't indicate that they did or didn't have some sort of protection in place.




By mcp555 on 5/6/2007 10:15:12 AM , Rating: 2
I'm no authority on security but it would seem to me putting these external hard drives in some kind of hardened safe or small data vault might be a good place to start. They should also look at being more restrictive about who can get into and how to access the office/room as well. At least they didn't bring it home or put it in their car...

The encryption, TPM, and secure remote access ideas are good options as well but I think the physical security part would be relatively cheap and easy to implement. I guess we'll have to wait and see what the FBI learns from its investigation. Hopefully the Secret Service includes all of the ideas everyone mentioned in their review.


By CollegeTechGuy on 5/6/2007 11:27:46 AM , Rating: 2
Why does the goverment have all this data on laptops and external hard drives. All this information needs to be on 1 database server, for each agency or whatever. And the employees that work with it just need to access what data they need at the time. Database + Proxies = mine and everyone else information more secure.

Or maybe the government should go back to some old ways and just have terminals.




By Jeff7181 on 5/6/2007 12:09:55 PM , Rating: 2
WTF is this kinda stuff doing on an external hard drive?! Sensitive data like that shouldn't be stored on an external PORTABLE hard drive that anyone can pick up and walk away with.




can't help it
By Chernobyl68 on 5/6/2007 10:18:45 PM , Rating: 2
after seeing the re-broadcast of the TSA sketch on SNL last night, I can't help but laugh at this.




Encryption?
By DLeRium on 5/7/2007 3:32:33 PM , Rating: 2
The funny thing is that with most tech companies, when it comes to sensitive data, it's usually encrypted.

Most pathetic institutions like schools (universities), and government organizations somehow lack decent IT departments to manage their data security.

Take my university which was the case of many stolen laptops and lost data in the past 2 years. It's ridiculous. A glance at simple management of computers shows that IT does a terrible job. It's funny how most of our computer labs operate at extremely high temperatures and things break left and right. Moreoever, it's also funny how they can't even run a decent email server for 30,000 individuals. How do you expect them to even manage sensitive data on a laptop?




"When an individual makes a copy of a song for himself, I suppose we can say he stole a song." -- Sony BMG attorney Jennifer Pariser









botimage
Copyright 2009 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki