This week I'll be in Las Vegas, attending Black Hat Briefings USA 2004, the annual security professionals conference, immediately followed by DefCon 12, the annual security script kiddies conference. Of course, I'll be packing a laptop. While the 2004 Computer Security Institute/Federal Bureau of Investigation computer crime survey showed a drop in reported laptop thefts over the previous year, PSA Insurance Services Limited, an insurance brokerage company, stated that approximately 318,000 laptops were reported stolen last year. So of course, I'm paying attention to the safety of my own laptop--both the hardware and the precious info therein--and this week, I'm offering a few guidelines that should help you keep your laptop safe as well.
Safeguard your hardware
Nothing screams laptop faster than the bulky black bags sold by laptop vendors. I recommend instead a padded, nondescript bag--I use an Eddie Bauer backpack--but other choices exist. Also, consider having your laptop engraved. Don't use your full name or social security number; instead, use your driver's license number or your company's toll-free number. Laptops have been recovered, but without ID, the cops won't know whose it is.
When traveling, never take your eyes off your laptop, even if it's in that nondescript bag. One laptop theft scam involves a security screener at the airport who passes your laptop computer through the X-ray machine while another screener stops you because of some metal on your person. During the screening, your laptop goes missing. Although I couldn't find exact numbers on how often this happens, I've heard a number of first-person accounts.
But don't stop your constant vigilance when you leave the airport. Never leave your laptop unattended anywhere, especially at a big conference like Black Hat. One security expert I talked to said you should think of your laptop sitting on the table as a thousand dollars in cold cash; you wouldn't turn your back on that, would you? And--this is really just common sense--don't leave your laptop out in plain view in your hotel room; bury it under some clothes or in a backpack, out of sight. The same goes for laptops in cars. Put your machine in the trunk or at least hide it under a jacket.
You can equip your laptop to phone home if you ever lose track of it. A few online services, such as Synet nTracker, will bug your laptop so that if you report it stolen, the service can trace the IP address of its next Internet connection and, in some cases, inform the local police. Unfortunately, there are no statistics, apart from the vendors' own, to show whether this is a good investment. But if you're really worried about losing your laptop, consider one of these services.
Safeguard your data
In most cases, laptop thieves simply resell your hardware on eBay to make a few bucks; the criminals never think to check out the contents of the hard drive. That can be a good thing. Within the last year, two laptops used by Wells Fargo Home Mortgage were stolen--one in April of this year and one in November 2003. These incidents illustrate how damaging such thefts might have been. In both cases, the suspects wanted only the hardware, not realizing the treasure trove of personal data contained within. Nonetheless, Wells Fargo did the right thing by contacting all the affected individuals to let them know that their mortgage data had entered the wrong hands.
Wells Fargo did something else right, too: the company encrypted its home mortgage data. While encryption doesn't guarantee your data will always remain safe, it will hamper all but the most persistent criminal hacker. For the best all-around encryption, I recommend the Steganos Security Suite. This package gives you individual file encryption, a secure file eraser, and a stealth hard drive. A person who steals this laptop won't be able to find your most sensitive data; the drive is hidden to anyone who doesn't know how to access it.
Here's a less expensive tip: some laptops allow you to remove the hard drive when you're storing your laptop and carry the drive in your jacket pocket. You can, for example, pass the drive around the X-ray machine at the airport along with your keys and wallet, then reinsert it on the other side if asked to power the laptop up. That way, even if someone at the security checkpoint steals your laptop, they won't make off with your company's prospectus or client database. If you can't easily remove your hard drive, you can also keep all of your sensitive data on removable media, such as recordable DVDs, CDs, and USB storage devices, and keep these separately in a backpack or a briefcase.
Safeguard your wallet
Connecting to the Internet from your hotel room is not without its own risks. Some hotels use nonencrypted text to capture and bill your credit card, so whenever possible, use a company credit card. The same goes for in-room wireless connections: someone could be sniffing your data from the very next room if the hotel's wireless network isn't properly encrypted.
Since I'm borrowing a company laptop for this trip, I'm downloading copies of ZoneAlarm Security Suite, which is a suite of desktop firewall tools, and Spybot Search and Destroy, which removes spyware. I'm also making sure that I have the latest Microsoft security patches by running Windows Update before I leave home. These steps won't guarantee total security, but they will slow down potential criminal hackers.
It has been widely circulated in e-mail and on some Web sites that expired hotel keys may contain personal data, such as your credit card information and home address. Luckily, this isn't true. I'm not sure where this urban myth comes from, but your hotel key is the least of your worries. At most, hotel systems load only the name of the guest, the room number, and the dates of stay onto their keys.
I know this isn't an exhaustive list of steps you can take to secure your laptop, but it's a start. If you have other laptop travel suggestions, I'd like to hear them.
Got a security question? Let me hear about it!