CALIFORNIA
LESSONS FROM THE HP STOLEN COMPUTER CASE
MercuryNews.com 04/10/2006
Don't let your data fall into the wrong lap
By Dean Takahashi
Mercury News
If your laptop computer is stolen, you could lose a lot more than just a piece of hardware.
That became obvious to more than 196,000 current and former employees of Hewlett-Packard recently when a laptop storing their sensitive personal data was stolen from a car in a Palo Alto restaurant parking lot.
Security experts hope the attention from that case will prompt computer owners to take measures to prevent the loss of valuable data in case of laptop theft.
In a recent survey, 68 percent of computer administrators said that laptops represent the biggest risk for the loss of confidential information, according to market researcher Enterprise Strategy Group. About 97 percent of stolen computers are never recovered, according to the FBI.
"This is getting more visibility as more people in the corporate world are moving from desktops to laptops," said John Schindler, director of product marketing at computer maker Gateway.
The data in the stolen laptop contained names, Social Security numbers, compensation and other information for 196,000 current and former employees of HP. The laptop belonged to a worker from Boston-based Fidelity Investments, which administers HP-sponsored retirement plans.
Like most businesses, Fidelity Investments did not use encryption technology, which seals data so that it cannot be read without a password, on the stolen laptop. Only about 28 percent of business computer owners use encryption on their laptops, according to ESG.
To improve laptop security, computer owners have to think about the problem in several ways. First, they can prevent the laptop from being stolen in the first place. Then they can adopt safe computing practices so that even if a computer is stolen, it won't give up any real secrets.
"Laptops are the biggest and most easily exploited security risks," said Jim Hudson, a 23-year law enforcement veteran and president of security firm Amcrin in West Linn, Ore. "People put too much stuff in laptops they shouldn't be carrying around."
Physical security
To prevent a laptop from being stolen, the first rule is to keep an eye on it at all times. Many laptops are stolen at airports, left behind in cabs, or pilfered from hotel rooms.
Another rule is to keep it out of sight. Putting a laptop in the trunk of a car is better than keeping it in the passenger seat. Using the hotel room's safe is also wise. But thieves often look for laptops in trunks.
If you have to keep the laptop at a desk for some time, you can lock the laptop to a desk with cable locks that wrap around a piece of furniture or connect with security plates bolted to a desk. Accessory makers such as Kensington sell these cable locks.
Companies such as LoJack and Absolute Software (Computrace) make tracking technologies that enable laptops to send messages about their locations once they've been swiped. Gateway managed to track a stolen laptop through its Internet address and associated credit card information to Nigeria. To use such services, users will have to pay annual fees of about $99 and register their hardware with the manufacturer so there is a chance of recovery.
Technological security
When it comes to protecting data on the laptops, Bruce Schneier, CEO of security firm Counterpane, suggests that workers minimize the amount of data they carry on a laptop.
"I just keep a year's worth of e-mail on the machine," he said. "The odds are zero that you will need more than that."
Windows XP machines also include built-in password protection, so a user can set up a laptop with a password to prevent someone else from booting up the machine.
Windows 2000 and Windows XP Professional users can also use a form of encryption by right-clicking on a file. That isn't the strongest means of protecting data, but it's better than leaving the file unprotected. When Microsoft ships its Windows Vista operating system next year, it will have a much higher level of basic security.
But for now, it takes a lot of work to protect a machine. The problem is many users don't bother. In fact, many users keep their passwords in an unprotected file on their laptops or written on a Post-it note attached to the machine. That is one consequence of companies requiring users to have multiple passwords that are both hard to crack and hard to remember.
To protect against someone seeing sensitive files, Schneier uses encryption software with PGP technology. There are free versions of such software, while corporate users can buy programs such as PGP Desktop for $99. These programs allow users to create a large file that is sealed via password protection.
Hudson, of security firm Amcrin, says it's even better and more convenient to store the sensitive data on an encrypted universal serial bus drive, available for about $50 for 512 megabytes of storage. You can carry it in your pocket and plug the USB drive into the laptop to view the data. If a laptop is stolen, the data will be safe on the password-protected USB drive.
Other programs will encrypt the entire hard drive, rather than just a folder or file. But Schneier notes that encryption could slow down the performance of the laptop.
Those who travel can back up data and store it on a machine at the home office with products such as Iron Mountain's Connected. A traveler who needs the backup data on the road could carry it on a USB drive too.
Double-checking
Even restricting access to a laptop by requiring a single password may not be enough.
Some companies sell two-factor authentication devices, which check two pieces of information to verify the user's identity. That can mean checking someone's fingerprint, putting a smart card into a laptop's card reader (the reader attachments cost $15 or so), and then typing in a password or a rotating PIN code to unlock a laptop.
360 Degree Web in Santa Clara sells two-factor authentication devices for about $100. With this solution, a user can log onto a Web site to verify identity through the smart card and a PIN.
There are other means to protect data. Beachhead Solutions in Santa Clara sells a $129-a-year service, Lost Data Destruction, which enables an administrator to send a command to destroy data on a laptop that has been stolen. If the thief tries to hook the laptop up to the Internet, it will send a message to the administrator and trigger the data destruction.
"What you need is backup protection, a way to destroy the data if the machine is stolen, and encryption," said Jeff Rubin, vice president of marketing at Beachhead Solutions. "With our data destruction, it's like the laptop will swallow cyanide."
Monday, April 10, 2006