What’s this security stuff for anyway?

I am currently sitting in the BA lounge in Heathrow awaiting a flight to Delhi, and as I look around at the number of laptops lying around it reminded me of something I saw a few years ago at Delhi International Airport as I was waiting to fly back to the UK. It was so shocking I even used it as an example in a security article I wrote for my company on my return. Regular readers will know that I have a thing about unattended laptops anyway as it  has the potential of negating all of the technical measures put in place in certain circumstances. Anyway, I decided to write it up here as an example (and of course to kill the time in the lounge!).

It was about midnight, and I was in the BA lounge (sometimes shared with other airlines), and it was quite a busy evening so most of the seats were taken.

I was sat next to a gentleman who opened up his laptop and switched it on. It immediately asked for a password, I presume for the on disk encryption. He then had to log into his account, and then finally he connected his own data card (no local WiFi and inherent insecurities for him!) and subsequently connected to his corporate VPN using a username, password and an RSA two factor authentication token. All good stuff from a security perspective.

I noticed from his wallpaper logo right in the centre of his screen that he worked for an aeronautics defense contractor, so the level of security didn’t surprise me. What he did next however did…

After successfully connecting, he placed his laptop on on the table in front of him and went to the toilet… without even locking his laptop. He was away for 15 minutes.

I was so shocked I even took a photo of his laptop which is attached – this is honestly the laptop in question! If you look carefully you can see the window with his VPN connections in the middle of the screen

image

It summed up to me that even though there was all of this security on his laptop, it was rendered useless by his carelessness and utter disregard (or utter lack of awareness) of the security of the contents on his laptop. He entered the passwords that protected his data because that was what he needed to do to get his job done, not because he understood what it was for.

When we overcome scenarios, attitudes and understanding that results in this kind of thing being played out the world over, we will have addressed a huge amount of risk in our industry.

Bon voyage!


And they say security awareness training is working?

Having been involved in the security awareness debate quite a lot recently I have no desire to bang this drum even further, especially as on the whole I support the concept of security awareness training. However I am constantly having my faith in the training rocked just from observing people’s day to day activities.

I found myself in one of the lounges in Delhi airport at around midnight last night. in a period of less than thirty minutes I found two laptops and an iPad logged in and unattended in plain view. Now, I really do understand that people may consider these kind of environments as ‘safe’ and will therefore let their guard down. What I fear however is that they have blatantly disregarded their security awareness training and policies that will no doubt explicitly state that it is unacceptable to leave mobile devices unattended and unsecured in any environment, possibly including the workplace. Without wishing to become an amateur sociologist I would imagine these are educated, intelligent people because

  1. They are able to afford expensive looking laptops or have been issued an expensive looking laptop
  2. Are flying business class (or similar) and are therefore likely to be working for a company that can afford to pay for this level of comfort (a decreasing number on my experience)

If they are so intelligent and educated, why are they ignoring their training? Why are they putting their company and client data at risk in such a blatant way? It is my belief that the training provided has not effectively put across the reasons and incentives for securing mobile devices in the outside world.

 

Now you see it...

Now you see it…

Can you see it?

Can you see it?

The third offending item was another laptop, but as I was furtively aligning myself to take a picture the owner returned from the toilet It was left in very similar circumstances in a high traffic area.

Given the number of laptops I have seen left in Starbucks and other cafes (and indeed have blogged about elsewhere here) I am seriously considering starting a gallery to showcase these examples and perhaps start using them as a litmus test of the effectiveness of any company’s security awareness programme. Until these cases become exceedingly rare, to my mind the existing programmes are simply not working as they were intended, and until they do, behaviour such as this which smacks of convenience and possibly a little laziness will continue to put data at risk.


We turned around, and there he was… gone!

This is a picture taken in Starbucks, just a few minutes ago. Can you guess what’s missing?
Why the owner felt it was a good idea to go to the toilet (while carefully taking his iPhone with him, because otherwise it might get stolen!), leaving his laptop in a busy room where it could be easily removed is beyond me. It was made worse because when I peeked around the screen, it was also not screen locked.
With so much noise and argument going around the infosec community at the moment around security awareness the lazy conclusion would be that all users are idiots and need their hand holding all the time before they hurt themselves with their private data. Of course it is never that simple but it is no less infuriating to see this kind of attitude in practise. Where do we go from here in trying to avoid these situations?
I have a colleague who likes to highlight that we should consider our laptops and tablets and other various devices as “bathroom buddies”. I didn’t like this term at first (my knee-jerk reaction against the American use of the term bathroom), but it really does make sense. When in a public place such as a cafe, train etc and you need the toilet or a break, take your equipment with you! It is a simple alliterated phrase that sticks in the mind, makes you smile and therefore might actually make someone change their behaviour.
On the subject of humour, there was an XKCD cartoon very recently that summed this up perfectly.
The point is that this individual who left himself logged in could have had untold damage done to his personal and professional reputation if I was so inclined. Facebook posts, Tweets, work emails, Amazon orders etc could all potentially have caused him grief. Sure, after the fact he could probably “tidy up” the mess, but why put yourself in this position?
In the security awareness debates, system design is often touted as the way ahead, and in actual fact I think this may have come to the aid of our hapless coffee drinker, if he was lucky. The laptop itself looks like a new MacBook Pro, possible a Retina given the new style charger. That would mean he would be running Lion or Mountain Lion, which means FileVault is installed, although not enabled by default. If it was enabled and I ran out of the cafe with his laptop chances are when I sat down at the nearest park bench to check my prize the laptop would have locked and required a password. There is a good chance there that his data would be secure and encrypted. The same would be true if it was a Windows 7 or 8 laptop. The problem here though is that the key phrase above is “not enabled by default”. It’s great these operating systems now come with encryption built in, but there aren’t even annoying prompts a la Microsoft that, for instance, I don’t have an anti virus program installed; it is left entirely to the user to be educated and security savvy enough to enable it. I have joked on this blog before that encryption today is at the same level of anti virus of twenty years ago (Dr Solomon’s anyone?). Today, I would wager virtually everyone knows about anti-virus, and in fact it is often bundled and enabled by default on new laptops. (I am not going to take this opportunity to talk about the efficacy of anti virus as an endpoint protector!). When will encryption become such a commodity that you are an oddity if you don’t have it?
This isn’t a particularly racy topic, but it is one that is played out every day in cafes around the world. As every teacher will tell you, when you get the fundamentals right, the rest will follow far more easily. This person really should have known better, but when will we be at a point that he wouldn’t have had to?


Open Letter to Apple – Why Have You Forsaken Me?

Dear Apple,

Your new MacBook Pro’s rock… the screen alone is just like moving from black and white to colour, and with the Air-like instant on, solid state disk and all round grooviness I nearly sold a kidney there and then (thank goodness the market in kidneys crashed; this could have been a very different letter).

And then, I saw it. Or more accurately I didn’t. The lozenge shaped hole of hope, that sliver of sanity, the goddam lock lead hole… It wasn’t there; in fact I looked again and it still isn’t there!

WTF Apple? What kind of insane douchebaggery is this?

You have strived and toiled and driven to be accepted into the enterprise. You have integrated with Microsoft Exchange, AD and even licensed ActiveSync for the iPhone. You have built in full disk encryption into your OS(X), allowed corporate Microsoft into your walled garden and introduced Employee Purchase Programs. In fact, you sounded like my hip godfather; all grown up and wise and everything, and yet still somewhat cool and groovy.

I even use a MacBook Pro at work for goodness sake! You make ME look cool and hipster like, and THAT is hard work I can tell you…

I tell people about how much more stable OSX is, how much more consistent the hardware is and how much more intuitive the interface is. Sure, your enterprise hardware support isn’t as good as say HP’s and Lenovo, but it is good enough, and at a pinch I just wander up to Oxford Street and chat to a Genius and they fix it anyway.
And then you announce the retina display, and all the other coolness that goes along with the new MacBooks; everyone in the office is talking about how they need one, my work and productivity depend on it, and you know what?… I ignored them because I needed one and my productivity suddenly depended on one as well…

And when I didn’t see that hole of hope, I think I died a little inside, and not just because I couldn’t lock my laptop up now, but because I will never be able to lock it in the future. This is obviously a design decision, one that was actually thought out, not just forgotten.

I have fought and fought to get my people to understand the importance of basic DLP, that is, lock your frickin laptop up, and your data will not literally walk out of the door. And in one fell swoop, you have told all of my MacBook users that it’s OK not to have a laptop lock. “If Apple don’t think it is important, why should I listen to you?”.

Godammit.

I now have to fight for extra budget for a case that screws into the chassis of the laptop that I can lock a lead to (ugly) or pieces of metal to slip between the hinge for the lock lead to attach to (screen crunchingly efficient) to get a basic security control in place. And I bet the answer will be “no” – these new Macs are expensive enough, we have encryption, why bother? Ummm, downtime, productivity, overhead of security incident reporting, cost of hardware replacement and just generally lax security practises (or “risk homeostasis” – a topic of a forthcoming presentation).

You have two choices; either reintroduce said hole, or introduce the most amazingly designed and fabulous looking security device for these laptops that I will spill £50 of my own money to buy one.

Do you dare to “think different” in this regard…

Yours sincerely,

Thom “lockless” Langford


The Simple Things Part One – The Lock Lead

ImageWhy is the humble lock lead the first item in my top ten? Many people would complain it is a pain in the backside to use day after day, that it can’t provide that much protection given the tiny connection to the laptop in the small rounded rectangular hole, and the cable must be pretty easy to curt through, so why bother?

Let us look at the two main aspects of lock leads, namely the physical aspect (how strong, reliable etc) and also the deterrent aspect (will it put people off?).

1. The Physical

There are good quality, well made lock leads and there are bad quality, poorly made lock leads. Make sure you choose the right one. How do you choose? Look for recommendations, and also purchase range of them and try them out yourself. Some can be opened with a rolled up business card, and some can be snapped off with a sharp turn of the barrel using a pair of pliers. My current favourite is the Compu-Lock lead, http://www.compu-lock.com (I have no business or personal interest in the success of this company but the lead they produce meets many of there criteria I lay out in this article). You of course may fall to one of the other major manufacturers.

The cable itself (at least in a good one) is made of stranded hardened steel (allowing flexibility with strength) and covered in a durable plastic coating that also provides initial protection from cutting (such as with pliers). The construction is very similar to a bike lock albeit thinner, and although it can be cut it takes some considerable effort with hand tools. I have tested this with a lower specification cable, cutting through it in just under two minutes with a pair of snips; it took a considerable amount of effort and grunting to do so, and I was still left with a “tail” attached to the laptop. The better specification cables will take significantly longer.

The lock itself is also important. Kensington came under fire some years ago (somewhat unfairly) when many of their locks were shown to be susceptible to Bic biro barrels and rolled up business cards being forced into the key hole to take the shape of the key and subsequently open the lock in a matter of seconds. This problem went beyond laptop locks and affected other barrel lock manufacturers for bikes etc.. Although the problem has been solved, I still feel wary of these types of lock, albeit without foundation! As an enterprise you will want a lock that provides master keys specific to your organization, something that is not always easy to find, especially in the lower end of the market.

Finally, the fit is important. Many locks will connect with the laptop but then be loose. Some try and overcome this with rubber flanges which is ultimately useless. the problem a loose lock poses is that if the gap is big enough to get a hacksaw into you can attack the pin(s) that lock it, or even worse get a good grip and twist the barrel to break the pins. The better locks will have an adjustment mechanism that ensures the barrel is tight against the laptop meaning there is significantly less leverage and no gap to cut through.

2. The Deterrent

So you have the Rolls-Royce of locks in your possession… there are a numbers of things to bear in mind to ensure its effectiveness.

Firstly, you have to use it! Time after time I see them looped into a desk and then not connected to the laptop. FAIL on all counts. Use it all day, every day; in the office, hotel room, client site, even in the boot of your car if you have to leave it in there for whatever reason (avoid this last one at all costs though!).

Secondly, given it will not put off a determined attack, it should not be left overnight in your office for instance. Their primary use is as a casual theft deterrence; any thief in a time pressured situation (perhaps during a fire evacuation drill?) will not bother with the laptop that is locked and move very quickly onto the one that isn’t. If somebody has the luxury of thirty, undisturbed, minutes in the middle of the night they may think differently as well as be equipped for it! Always take your laptop home; if nothing else it is a very effective contributor to your company’s BCP initiative!

Finally, having the lock leads helps keep you in a security mindset (hopefully without becoming paranoid!). It is a constant visual reminder of the need for security, and if it reminds you to lock your screen every time you step away for a coffee then you have doubled the value of the lead straight away.

In conclusion, the lock lead has to be one of the most simple, best value and effective data loss prevention tools available. It’s use will significantly reduce the potential for theft of not only the physical device, but the cost of replacing the laptop, the data, the time in getting everything back and potentially a front page spread in a national newspaper;” Company X loses One Million Public Records“.

Surely £25 is worth avoiding that?