You Can't Hide from the Laptop Grim Reaper

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
The end of the world is coming -- again. Of course it's coming -- we use laptops. We invite the end of our world.

I have this silly habit of keeping my laptop running as I move about from place to place. Home to office, office to campus, etc., maximizing ''uptime''. It's kind of like accumulating frequent flyer miles that I know I'll never use. At home, I usually leave it running all night in the kitchen keeping the dogs and coffee pots company with its pleasant whirring and blinking.

A couple of weeks ago, I was working on a research paper with the deadline looming large (I hate deadlines, they force me to betray my ADHD), and I thought I'd go over a few things at the breakfast table before heading to the lab. I flipped open the display of my ridiculously large Toshiba with a creak, and I heard it. I heard that awful buzzing sound we mobile computists all know and fear, my hard drive all too obviously on a course heading due north of Ultima Thule.

Well, since it was unresponsive anyway, I just powered it down hard and prayed that it would resurrect itself after cooling off for a bit. At the office, Yaweh smiled upon me long enough for a HOMEDIR rsync to my workstation, and one final day of work before Ol' Not-So-Faithful sputtered and died.

''No problem,'' I thought. ''I'll just reinstall -- hey, why not upgrade, too? -- on the warranty replacement hard drive and RSYNC back. Right?"


All told, the death and resurrection of my precious data, settings, software, etc. easily took 12 hours that I really didn't have to spare.

Boy, what a dolt.

Don't I regularly preach ''data redundancy'', ''backup, backup, backup'', and all that rot? Yeah, but this was MY laptop, for cryin' out loud. Funny how the carpenter's house needs the most work.

Well, if misery loves company, I should have been ecstatic. A quick survey around ISTS, where I work, revealed at least three other laptop hard drive failures in the past few months -- various makes and models.

It's only a matter of time before the reaper comes for your laptop, too. Don't bother to run. You can't hide.

Physical security... Yeah, right

One of the fundamental tenets of information assurance is identifying the network perimeter and implementing data controls across it. You can just about throw that idea away, folks. Portable computers give an all new meaning to ''mobile code.''

While on vacation, do you VPN in from the Jersey shore? How about from home, or the bus? Do you come in from a long weekend of net surfing and IM'ing and plug into the network, ready to charge ahead on the corporate information Autobahn?

That machine of yours is, if you get any work done at all, a trusted component of the organizational IT infrastructure. Well, so is plant physical security, right? And never shall these two concepts meet.

A buddy of mine was at a military training site in Maine when he strolled into an open building and found a beautiful Thinkpad -- property of a senior operations officer -- sitting alone on a table, the building otherwise deserted. We seem to think that notebooks are somehow different from our fixed-location servers and workstations. We put in place policies and procedures for configuration and change management, physical access restrictions, like cypher locks and pass cards, then allow a portable with the exact same network permissions -- and often cached passwords, keys, etc. -- to wander freely about the outside cyberspace.

Continue on to hear how laptops leave gaping holes in your perimeter and how to protect them... and your enterprise.

Robbers and Virii and Worms, Oh My!

We're all familiar with poor victimized Microsoft being infected with the QAZ worm a few years back. There are a couple of theories about how such a nasty could have made it through the maze of firewalls in Redmond, but one very plausible theory actually is an age-old woe. I can't count how many times I've spoken to folks who have locked down the perimeter, only to allow not-quite-up-to-date laptops in and out, malware and all.

Not too long ago, there was a wave of reports of government laptops being stolen, or otherwise going unaccounted for. Shame. Yeah, as an American taxpayer, the cost of these boxes and the associated software was probably right up there with government toilet bowl seats and toothbrushes, but that's not the half of it.

Information, dear readers, is infinitely more valuable. How long will it take to re-create all of the pearls that were on that brick? What is the thief intending on doing with it? Blackmail? Direct sale to our competitors, enemies, or wives? I corresponded once with a worm author who offered to sell me databases, which I knew included sensitive military data. Who do you think would be a willing buyer?

In my formative security youth, I was onsite implementing a new core security architecture for a pretty big company. I was all smiles and self-assuredness as things were going better than expected.

My partner and I decided to stop into a local restaurant for some dinner and weren't too keen on lugging our black beasties around, so we decided to lock them in the car. Hey, it was rural America. Just in case, I slid the laptop bag under the seat and locked up. Plus, who was going to see anything in the dark? Right?


One smashed window later, I found myself doing some explaining to my boss, the rental car company, AND the ISSO of the client company. Which do you think presented the greatest possibility for backlash?

Luckily, the configs on that machine were about three revisions old and bore little resemblance to what was actually being fielded. Next time you bump into me in an Arby's sporting my laptop bag, you'll know why. Please keep your chuckles to a low roar. Others are trying to eat.

What to do? What to do?

Here are a few simple, but not always obvious, tricks for laptop info survival...

  • First off, burn a CD or DVD of your trip-critical data and software. USB flash drives work well, too. You never know when the absolute worst-case scenario will jump up in front of you minutes before the big presentation. It usually isn't too hard to beg, borrow or... well, we'll stick with borrow... a laptop for the show.

  • Secondly, put the goods on a webserver. When I'm going to be talking to groups, my material is usually developed in OpenOffice.org. If laptop death should rear its ugly head, do I really want to reinstall on someone else's machine? Better to export to a universal format, like PDF or HTML and put a copy on a webserver you can get to. Just about everyone is likely to have a browser and/or Acrobat on there. I personally prefer PDF as, no matter what I view it on, it always is exactly as I laid it out -- no font discrepancies or format funnies.

  • And remember to use a crypto filesystem for the naughty bits. It is simple enough to use GPG or PGP to encrypt individual files, and only slightly less convenient to set up and use a cryptographically protected part of your hard drive, or just one large file as a pseudo-drive. I uses AES on a separate cryptoloop partition, but PGPDisk, part of PGP Desktop, is pointy-klikky easy and is available for Microsoft and Apple systems.

    What goes in your crypto vault? The important stuff, which could mean the end of happiness, as you know it, should it fall into the wrong hands. The kids' Christmas shopping list, that new security architecture -- including firewall rules -- for a Fortune 500 client's network, personal correspondence outlining the latest hostile takeover strategies with your life coach. Well, you get the idea.

    I keep my email there, as well as any client data that would, at the very least, be rather embarrassing to explain the loss of. The crypto storage area won't help you recover it, but it sure makes it hard for a thief to find any use for it.

    Cryptography isn't perfect, but when done well, it sure is a nice added layer to slow the bad guys down.

  • Now this is important. Repeat after me: ''My laptop's infected... My laptop's infected... My laptop's infected."

    Sure, most folks run, and regularly update, anti-virus software on portables, but are you just as religious when on the road? When you plop that baby into its cradle at the office, before accessing anything, please run an update. Better yet, make that one step a mandatory part of the network access process, be it login scripts, policy objects, remote admin packages, whatever.

  • And lest we forget... passwords. Yuck!

    True, we already have more passwords than we know what to do with, but ''synchronizing'' passwords between your portable and your stationary systems is probably not the best idea. Oh, yeah... I can hear the helpdesk staff groaning right now.

    Seriously, choose different passwords for different systems, and keep them in a GPG/PGP email to yourself, or in a file on the encrypted partition. Just be sure that the password -- how about a pass-phrase? -- to that list is good and strong.

    And to settle the argument -- Size does matter. As long as your passphrase isn't predictable, quantity is more important than complexity. ''This is a really good passphrase'' is 58,132,832,403,135,834,945,587,234 times harder to brute force crack than "!@4P5(*jMMh-:{". Check it.

  • Now, repeat after me... backup, backup, backup.

    I personally use rsync at home and in the office via a simple cron (scheduler) job that checks to see if I'm on my home or office network, then syncs all updated files between my portable and whichever big box I'm closest to. Seems kind of wasteful, to have three copies of everything, but when figuring how I value every spare moment and how those moments have been thrown away, storage space is much too cheap to care.

    If you don't use Linux, *BSD or some other OS that has RSYNC and SSH, there are plenty of commercial backup software choices to achieve similar results.

    Another option is an external hard drive. I'm particularly fond of the ABSPlus from CMS Peripherals. Alas, CMS only provides software for Windows users, but a few simple tricks using dd and rsync provide the core functionality for us renegades, too.

  • And finally, use Google for plenty of other good general laptop security guidelines. I'm not going to regurgitate all of the other ''best practices'' documents out there. You're big boys and girls and know how to surf.

    The single biggest factor in mitigating risk exposure is responsible awareness of it. Maybe I'll go back to transparencies and grease pencils.

    George Bakos is a Senior Security Expert with the Institute for Security Technology Studies at Dartmouth College. His research includes worm detection and intrusion analysis. Bakos formerly was a security engineer for Electronic Warfare Associates.

  • Submit a Comment

    Loading Comments...