Post 302222366 by Linux Bot on Wednesday 6th of August 2008 05:40:07 PM
Primarily Lessons Learned from the TSA Laptop Mess

Last Christmastime, I was walking around Reagan National Washington Airport. I walked by a booth for the Clear program. I asked about the program, which promises to help you clear security at the airport in much less time if you provide your personal information so the TSA contractors can conduct a background check. Since I already had a Top Secret security clearance, I thought it would be no problem. However, I had some nagging doubts and decided that I should wait and see how the program works out.

Fortunately for me, I trusted my instincts. Yesterday, I read the e-mail which said that Verified Identity Pass, Inc., the TSA contractor operating the Clear program, lost an unencrypted laptop with the personal information for over 33,000 applicants. The laptop, which contained names, social security numbers, passport numbers, and a host of other personal information, was stolen out of a locked cabinet at the San Francisco Airport. Since the hard drive was not encrypted, the information was easily compromised. Adding insult to injury for the victims, the laptop went missing on July 26th and TSA was not notified until August 4th. In addition, the public was not informed until the next day. As a result, the trail to the information thieves has probably gone cold, while over 33,000 people were left vulnerable for over a week. This is a violation of at least the spirit of privacy policies such as the Office of Management & Budget M-06-19, which sets a requirement that all compromises of Personally Identifiable Information (PII) be reported to the US-CERT within one hour of discovery. Now, TSA may shift the blame to their contractor, but it doesn't relieve them of the responsibility.

Now that the horse is out of the barn, so to speak, here are some observations on preventing or mitigating future incidents:

- Government agencies need to remember that while they may delegate the work to contractors, they cannot delegate the responsibility to safeguard the information. Government agencies must assess the security controls of their contractors because the public trusts the government with their information, no matter where it is physically located.

- It's 2008, and there are plenty of hard drive encryption and laptop locator software programs. It should be mandatory that all laptops which contain any type of sensitive information belonging to a government agency have hard drive encryption. Laptops are too easy to steal or lose. Some agencies have already made this a requirement.

- All laptops with sensitive information should be required to have laptop recovery software such as Computrace, GadgetTrak, PCPhoneHome, etc. This would help recover the laptops sooner and discourage potential thieves and buyers.

- It should not matter who technically owns the laptop: the loss of laptops with PII should be reported immediately to the government client, so they can report it to US-CERT and other organizations. Yes, this will be embarrassing for the contractor and potentially cause legal problems, but it is the right and ethical thing to do. The public trusts the government with PII, and the government agencies deserve a chance to mitigate the loss of such information quickly. A week is far too long.

It is my sincere hope that this incident will spur further action to secure PII on both government and contractor owned laptops.




 
