Charlie & Lola’s Information Security Adventure

lauren_childBeing a frequent traveller, be it train, bus, car or plane, I often get to see people working in all of these environments to one extent or another. From seeing people’s laptops on the front seat of their cars to leaving them unattended in travel lounges, I have seen all sorts of behaviour that we, as information security professionals, would see as unforgivable. We regularly question ourselves as to why this happens, especially when the effects can be so dramatic and have direct impacts on our professional and personal lives.

My most recent example was just last week, sitting opposite a woman who was working on her laptop and referring to a sheaf of A3 colourful papers. They had the unmistakable artwork of Lauren Child, a children’s author and illustrator. As a father of a ten year old and an eight year I recognised the artwork and style immediately as the author of Charlie and Lola, some of my children’s favourite story characters. The papers in questions had plenty of hand drawn mark up on them suggesting this was in the final stages of editing and layout prior to printing, the story itself centering around one Elmore Green who was jealous at the arrival of a younger sibling into his family. It all ends well of course, with Elmore having someone to snuggle with at the end of  the book.

Three things surprised me. Firstly, the way in which the papers in question were left out of the direct sight of the woman concerned, either on a seat on the opposite side of the walkway, or even underneath her own seat (and very accessible from behind). Secondly I was able to discern a large amount of detail from the book in a very short period of time; this is of course partly down to the nature of the book itself, but also, because each page was carefully moved to in turn and then placed somewhere I could review it and even photograph it. Finally, I was alarmed that someone like Lauren Child, who has a very unique and successful place in children’s literature would allow an as yet unpublished book be revealed in public in such a way as this.

Fingers crossed for Elmore Green!

Fingers crossed for Elmore Green!

This is of course very serious for Lauren Child and her publishers; why was this person allowed to take large copies of this book into a public space? If they knew it needed to be worked on in a train or other public space why weren’t electronic versions made available? Or had they even considered the fact that someone could have easily stolen the manuscript and copied it for an earlier release to capture their particular market?

The implications for UK PLC are probably not that great, and yet examples like this are played out across the country whenever people travel and feel they are in ‘safe‘ environments, with a dangerous cumulative effect for the country. The combined effect of actions like this could potentially add up to the millions in lost opportunities and lost work.  It reminded me of Wendy Nather’s response to a question about public apathy to security, and her surprising yet eerily accurate response was;

I don’t think that society in general will stand up and do something about security until people start dying in enough numbers that it could happen to them individually and not just organizations because we don’t care about organizations.

I sincerely hope Lauren Child has not been hurt by this incident financially or otherwise, she has given too much joy to my children to wish that; but if she reads this I do hope she feels sufficiently motivated to insist on stronger controls around the management of her manuscripts from her publishers.  If you would like some help doing that Lauren, feel free to contact me!

Open Letter to Apple – Why Have You Forsaken Me?

Dear Apple,

Your new MacBook Pro’s rock… the screen alone is just like moving from black and white to colour, and with the Air-like instant on, solid state disk and all round grooviness I nearly sold a kidney there and then (thank goodness the market in kidneys crashed; this could have been a very different letter).

And then, I saw it. Or more accurately I didn’t. The lozenge shaped hole of hope, that sliver of sanity, the goddam lock lead hole… It wasn’t there; in fact I looked again and it still isn’t there!

WTF Apple? What kind of insane douchebaggery is this?

You have strived and toiled and driven to be accepted into the enterprise. You have integrated with Microsoft Exchange, AD and even licensed ActiveSync for the iPhone. You have built in full disk encryption into your OS(X), allowed corporate Microsoft into your walled garden and introduced Employee Purchase Programs. In fact, you sounded like my hip godfather; all grown up and wise and everything, and yet still somewhat cool and groovy.

I even use a MacBook Pro at work for goodness sake! You make ME look cool and hipster like, and THAT is hard work I can tell you…

I tell people about how much more stable OSX is, how much more consistent the hardware is and how much more intuitive the interface is. Sure, your enterprise hardware support isn’t as good as say HP’s and Lenovo, but it is good enough, and at a pinch I just wander up to Oxford Street and chat to a Genius and they fix it anyway.
And then you announce the retina display, and all the other coolness that goes along with the new MacBooks; everyone in the office is talking about how they need one, my work and productivity depend on it, and you know what?… I ignored them because I needed one and my productivity suddenly depended on one as well…

And when I didn’t see that hole of hope, I think I died a little inside, and not just because I couldn’t lock my laptop up now, but because I will never be able to lock it in the future. This is obviously a design decision, one that was actually thought out, not just forgotten.

I have fought and fought to get my people to understand the importance of basic DLP, that is, lock your frickin laptop up, and your data will not literally walk out of the door. And in one fell swoop, you have told all of my MacBook users that it’s OK not to have a laptop lock. “If Apple don’t think it is important, why should I listen to you?”.


I now have to fight for extra budget for a case that screws into the chassis of the laptop that I can lock a lead to (ugly) or pieces of metal to slip between the hinge for the lock lead to attach to (screen crunchingly efficient) to get a basic security control in place. And I bet the answer will be “no” – these new Macs are expensive enough, we have encryption, why bother? Ummm, downtime, productivity, overhead of security incident reporting, cost of hardware replacement and just generally lax security practises (or “risk homeostasis” – a topic of a forthcoming presentation).

You have two choices; either reintroduce said hole, or introduce the most amazingly designed and fabulous looking security device for these laptops that I will spill £50 of my own money to buy one.

Do you dare to “think different” in this regard…

Yours sincerely,

Thom “lockless” Langford

The Simple Things Part One – The Lock Lead

ImageWhy is the humble lock lead the first item in my top ten? Many people would complain it is a pain in the backside to use day after day, that it can’t provide that much protection given the tiny connection to the laptop in the small rounded rectangular hole, and the cable must be pretty easy to curt through, so why bother?

Let us look at the two main aspects of lock leads, namely the physical aspect (how strong, reliable etc) and also the deterrent aspect (will it put people off?).

1. The Physical

There are good quality, well made lock leads and there are bad quality, poorly made lock leads. Make sure you choose the right one. How do you choose? Look for recommendations, and also purchase range of them and try them out yourself. Some can be opened with a rolled up business card, and some can be snapped off with a sharp turn of the barrel using a pair of pliers. My current favourite is the Compu-Lock lead, (I have no business or personal interest in the success of this company but the lead they produce meets many of there criteria I lay out in this article). You of course may fall to one of the other major manufacturers.

The cable itself (at least in a good one) is made of stranded hardened steel (allowing flexibility with strength) and covered in a durable plastic coating that also provides initial protection from cutting (such as with pliers). The construction is very similar to a bike lock albeit thinner, and although it can be cut it takes some considerable effort with hand tools. I have tested this with a lower specification cable, cutting through it in just under two minutes with a pair of snips; it took a considerable amount of effort and grunting to do so, and I was still left with a “tail” attached to the laptop. The better specification cables will take significantly longer.

The lock itself is also important. Kensington came under fire some years ago (somewhat unfairly) when many of their locks were shown to be susceptible to Bic biro barrels and rolled up business cards being forced into the key hole to take the shape of the key and subsequently open the lock in a matter of seconds. This problem went beyond laptop locks and affected other barrel lock manufacturers for bikes etc.. Although the problem has been solved, I still feel wary of these types of lock, albeit without foundation! As an enterprise you will want a lock that provides master keys specific to your organization, something that is not always easy to find, especially in the lower end of the market.

Finally, the fit is important. Many locks will connect with the laptop but then be loose. Some try and overcome this with rubber flanges which is ultimately useless. the problem a loose lock poses is that if the gap is big enough to get a hacksaw into you can attack the pin(s) that lock it, or even worse get a good grip and twist the barrel to break the pins. The better locks will have an adjustment mechanism that ensures the barrel is tight against the laptop meaning there is significantly less leverage and no gap to cut through.

2. The Deterrent

So you have the Rolls-Royce of locks in your possession… there are a numbers of things to bear in mind to ensure its effectiveness.

Firstly, you have to use it! Time after time I see them looped into a desk and then not connected to the laptop. FAIL on all counts. Use it all day, every day; in the office, hotel room, client site, even in the boot of your car if you have to leave it in there for whatever reason (avoid this last one at all costs though!).

Secondly, given it will not put off a determined attack, it should not be left overnight in your office for instance. Their primary use is as a casual theft deterrence; any thief in a time pressured situation (perhaps during a fire evacuation drill?) will not bother with the laptop that is locked and move very quickly onto the one that isn’t. If somebody has the luxury of thirty, undisturbed, minutes in the middle of the night they may think differently as well as be equipped for it! Always take your laptop home; if nothing else it is a very effective contributor to your company’s BCP initiative!

Finally, having the lock leads helps keep you in a security mindset (hopefully without becoming paranoid!). It is a constant visual reminder of the need for security, and if it reminds you to lock your screen every time you step away for a coffee then you have doubled the value of the lead straight away.

In conclusion, the lock lead has to be one of the most simple, best value and effective data loss prevention tools available. It’s use will significantly reduce the potential for theft of not only the physical device, but the cost of replacing the laptop, the data, the time in getting everything back and potentially a front page spread in a national newspaper;” Company X loses One Million Public Records“.

Surely £25 is worth avoiding that?