Post 302222366 by Linux Bot on Wednesday 6th of August 2008 05:40:07 PM
Primarily Lessons Learned from the TSA Laptop Mess

Last Christmastime, I was walking around Reagan National Washington Airport. I walked by a booth for the Clear program. I asked about the program which promises to help you clear security at the airport in much less time if you provide your personal information so the TSA contractors can conduct a background check. Since I already had a Top Secret security clearance, I thought it would be no problem. However, I had some nagging doubts and decided that I should wait and see how the program works out.

Fortunately for me, I trusted my instincts. Yesterday, I read the e-mail which said that Verified Identity Pass, Inc., the TSA contractor operating the Clear program, lost an unencrypted laptop with the personal information for over 33,000 applicants. The laptop, which contained names, social security numbers, passport numbers, and a host of other personal information, was stolen out of a locked cabinet at the San Francisco Airport. Since the hard drive was not encrypted, the information was easily compromised. To add insult to injury for the victims, the laptop went missing on July 26th and TSA was not notified until August 4th. In addition, the public was not informed until the next day. As a result, the trail for finding the information thieves has probably gone cold, while over 33,000 people were left vulnerable for over a week. This is a violation of at least the spirit of privacy policies such as the Office of Management & Budget M-06-19, which sets a requirement that all compromises of Personally Identifiable Information (PII) be reported to the US-CERT within one hour of discovery. Now, TSA may shift the blame to their contractor, but that doesn't relieve them of the responsibility.

Now that the horse is out of the barn, so to speak, here are some observations on preventing or mitigating future incidents:

- Government agencies need to remember that while they may delegate the work to contractors, they cannot delegate the responsibility to safeguard it. Government agencies must assess the security controls of their contractors because the public trusts the government with their information, no matter where it is physically located.

- It's 2008; there are plenty of hard drive encryption and laptop locator software programs. It should be mandatory that all laptops which contain any type of sensitive information belonging to a government agency have hard drive encryption. Laptops are too easy to steal or lose. Some agencies have already made this a requirement.

- All laptops with sensitive information should be required to have laptop recovery software such as Computrace, GadgetTrak, PCPhoneHome, etc. This would help recover the laptops sooner and discourage potential thieves and buyers.

- It should not matter who technically owns the laptop; the loss of laptops with PII should be reported immediately to the government client, so they can report it to US-CERT and other organizations. Yes, this will be embarrassing for the contractor and potentially cause legal problems, but it is the right and ethical thing to do. The public trusts the government with PII; the government agencies deserve a chance to mitigate the loss of such information quickly. A week is far too long.

It is my sincere hope that this incident will spur further action to secure PII on both government and contractor-owned laptops.




