Robbers and Virii and Worms, Oh My!

We're all familiar with poor victimized Microsoft being infected with the QAZ worm a few years back. There are a couple of theories about how such a nasty could have made it through the maze of firewalls in Redmond, but one very plausible theory actually is an age-old woe. I can't count how many times I've spoken to folks who have locked down the perimeter, only to allow not-quite-up-to-date laptops in and out, malware and all.

Not too long ago, there was a wave of reports of government laptops being stolen, or otherwise going unaccounted for. Shame. Yeah, as an American taxpayer, the cost of these boxes and the associated software was probably right up there with government toilet bowl seats and toothbrushes, but that's not the half of it.

Information, dear readers, is infinitely more valuable. How long will it take to re-create all of the pearls that were on that brick? What is the thief intending on doing with it? Blackmail? Direct sale to our competitors, enemies, or wives? I corresponded once with a worm author who offered to sell me databases, which I knew included sensitive military data. Who do you think would be a willing buyer?

In my formative security youth, I was onsite implementing a new core security architecture for a pretty big company. I was all smiles and self-assuredness as things were going better than expected.

My partner and I decided to stop into a local restaurant for some dinner and weren't too keen on lugging our black beasties around, so we decided to lock them in the car. Hey, it was rural America. Just in case, I slid the laptop bag under the seat and locked up. Plus, who was going to see anything in the dark? Right?

Wrong.

One smashed window later, I found myself doing some explaining to my boss, the rental car company, AND the ISSO of the client company. Which do you think presented the greatest possibility for backlash?

Luckily, the configs on that machine were about three revisions old and bore little resemblance to what was actually being fielded. Next time you bump into me in an Arby's sporting my laptop bag, you'll know why. Please keep your chuckles to a low roar. Others are trying to eat.

What to do? What to do?

Here are a few simple, but not always obvious, tricks for laptop info survival...

  • First off, burn a CD or DVD of your trip-critical data and software. USB flash drives work well, too. You never know when the absolute worst-case scenario will jump up in front of you minutes before the big presentation. It usually isn't too hard to beg, borrow or... well, we'll stick with borrow... a laptop for the show.

  • Secondly, put the goods on a webserver. When I'm going to be talking to groups, my material is usually developed in OpenOffice.org. If laptop death should rear its ugly head, do I really want to reinstall on someone else's machine? Better to export to a universal format, like PDF or HTML and put a copy on a webserver you can get to. Just about everyone is likely to have a browser and/or Acrobat on there. I personally prefer PDF as, no matter what I view it on, it always is exactly as I laid it out -- no font discrepancies or format funnies.

  • And remember to use a crypto filesystem for the naughty bits. It is simple enough to use GPG or PGP to encrypt individual files, and only slightly less convenient to set up and use a cryptographically protected part of your hard drive, or just one large file as a pseudo-drive. I uses AES on a separate cryptoloop partition, but PGPDisk, part of PGP Desktop, is pointy-klikky easy and is available for Microsoft and Apple systems.

    What goes in your crypto vault? The important stuff, which could mean the end of happiness, as you know it, should it fall into the wrong hands. The kids' Christmas shopping list, that new security architecture -- including firewall rules -- for a Fortune 500 client's network, personal correspondence outlining the latest hostile takeover strategies with your life coach. Well, you get the idea.

    I keep my email there, as well as any client data that would, at the very least, be rather embarrassing to explain the loss of. The crypto storage area won't help you recover it, but it sure makes it hard for a thief to find any use for it.

    Cryptography isn't perfect, but when done well, it sure is a nice added layer to slow the bad guys down.

  • Now this is important. Repeat after me: ''My laptop's infected... My laptop's infected... My laptop's infected."

    Sure, most folks run, and regularly update, anti-virus software on portables, but are you just as religious when on the road? When you plop that baby into its cradle at the office, before accessing anything, please run an update. Better yet, make that one step a mandatory part of the network access process, be it login scripts, policy objects, remote admin packages, whatever.

  • And lest we forget... passwords. Yuck!

    True, we already have more passwords than we know what to do with, but ''synchronizing'' passwords between your portable and your stationary systems is probably not the best idea. Oh, yeah... I can hear the helpdesk staff groaning right now.

    Seriously, choose different passwords for different systems, and keep them in a GPG/PGP email to yourself, or in a file on the encrypted partition. Just be sure that the password -- how about a pass-phrase? -- to that list is good and strong.

    And to settle the argument -- Size does matter. As long as your passphrase isn't predictable, quantity is more important than complexity. ''This is a really good passphrase'' is 58,132,832,403,135,834,945,587,234 times harder to brute force crack than "!@4P5(*jMMh-:{". Check it.

  • Now, repeat after me... backup, backup, backup.

    I personally use rsync at home and in the office via a simple cron (scheduler) job that checks to see if I'm on my home or office network, then syncs all updated files between my portable and whichever big box I'm closest to. Seems kind of wasteful, to have three copies of everything, but when figuring how I value every spare moment and how those moments have been thrown away, storage space is much too cheap to care.

    If you don't use Linux, *BSD or some other OS that has RSYNC and SSH, there are plenty of commercial backup software choices to achieve similar results.

    Another option is an external hard drive. I'm particularly fond of the ABSPlus from CMS Peripherals. Alas, CMS only provides software for Windows users, but a few simple tricks using dd and rsync provide the core functionality for us renegades, too.

  • And finally, use Google for plenty of other good general laptop security guidelines. I'm not going to regurgitate all of the other ''best practices'' documents out there. You're big boys and girls and know how to surf.

    The single biggest factor in mitigating risk exposure is responsible awareness of it. Maybe I'll go back to transparencies and grease pencils.

    George Bakos is a Senior Security Expert with the Institute for Security Technology Studies at Dartmouth College. His research includes worm detection and intrusion analysis. Bakos formerly was a security engineer for Electronic Warfare Associates.