My favourite TV commercial from 1999 was the wonderful IBM “two hackers” routine:
Girl hacker: “This senior vice-president makes twice as much as this one does. I bet he’d love to know about that.”
Guy Hacker (types something) “He does now. I just e-mailed everyone in the company.”
So why, at least two years after this ad was on television, do we have front-page stories about the theft of a laptop computer belonging to PC Leader Joe Clark’s press aide? Apparently Stacey Gray’s laptop contained as-yet unrevealed material about the Prime Minister’s conduct in the so-called Shawinigate affair.
As best as we can tell the machine was password-protected but we all know how easy it is to break that type of security if you really, really try. Official reaction was mainly wishful thinking, along the lines of “Maybe they just stole it because it’s an expensive piece of hardware.” Sure, that’s a possibility, but the information on board that hardware is thousands of times more valuable, in the hands of the right (or wrong) people.
What could Mr. Clark’s people have done to head off this ugly situation? Traditionally, we’ve seen a forced tradeoff between security and functionality. It takes extra work, both human and computer, to be continually encrypting and decrypting, typing in passwords and checking them, and worrying about security breaches. In a perfect world, we’d all be happy and trust each other and there would be no need for computer security (or door locks for that matter.) Those with enough gray or missing hairs to remember the 1960s may recall that is precisely what it was like in those big mainframe computer rooms. There was painfully little isolation between programs, so Bob’s job could easily overflow its memory bounds and wipe out Sally’s and Sam’s. We actually used to resort to booking entire multi-million dollar computers just so we could test a problem in proper isolation.
Still, people’s programs stepped on each other, and there were fistfights in the machine room between graduate students whose data had collided. (One more historical note: this situation gave birth to a game that some people still play with the charmingly old-fashioned title Corewars.)
Since you probably don’t sit around playing destructive games like Corewars, maybe you’d like to think about how you would protect Joe’s laptop. Aside from physical aspects like locking it up, how can he keep the data on board safe from prying eyes? A few thoughts spring to mind, all somewhat problematic:
Security through obscurity. Just hide away confidential information in routine or meaningless filenames. The downside is that even Windows 2000 on a decent computer is powerful enough to go searching through gigabytes of hard disk, looking for key words like “Bre-X” or “merger.”
Thin client accesses remote data from secure host. This has the advantage of physically moving the data off the laptop, but let’s not be too hasty here. If you are going to use this laptop as you main computer (Ms. Gray appeared to have a docking station in the TV footage of her office) then all data will eventually pass through it, however briefly. There are perfectly good tools from HexEdit up to EnCase that specialize in building in this type of security approach. Look in the slack space, look at deleted files. You’re sure to find something interesting on any computer that’s not just an office decoration.
On-the-fly encryption. Special purpose machines, such as those used for military applications, employ hardware encryption/decryption routines to secure information. For us mortals, we have to go chase down software to do this, then remember to enable it, then remember to remember our passwords. It’s difficult to endorse a particular vendor but the SecurityPlus! product from Softbyte Laboratories seems to be on the right track. It allows whole programs to be encrypted and run from a “Secured Access List.” And of course, those sensitive data files can also be encrypted, regardless of format. So, whether it’s your tax return or the “art collection” you don’t want the kids to see, this tool should hide them well. The retail cost is $29.95 and you can order it on-line.
If there’s a problem with the last approach, it certainly isn’t modern processors, especially those in the 1GHz-plus range, which can do the encryption operations so fast that it’s hard to notice any degradation. But then there’s the human side of all this. If you change even one little procedure, some employees will notice and take exception. So look at the $29.95 cost of this product, or a similar one, as a down payment on what will probably be many hours of getting the system really humming along.
Exciting times always ensue when a user with important files under encryption forgets his or her password. Or the person leaves the company on less than happy terms, and just doesn’t feel like uttering that password. Oh, you could take the delinquent to court but that might take months and you need your data now. This argues for a product that supports “administrative password recovery,” in other words, that gives the boss’ henchmen a back door, hopefully to be used only in emergencies. One such product, PC Guardian, (www.pcguardian.com) offers a 30 day free trial. Just don’t lock yourself out of your own computer — that would be undignified, especially if you’re the designated security officer.
As for the strength of the encryption, private schemes are often the hardest to judge. Unless you have a Ph.D. in math, you’ll have to take somebody’s word for it. PC Guardian does fly the flag of noted cryptographer Dr. Bruce Schneier.
The company bills its product as follows: “We build our software using the well-known and documented Blowfish algorithm, a fast, 192-bit block cipher designed by Bruce Schneier. Encryption Plus Folders supports administrative data recovery as well as two password recovery methods, making it almost impossible for your users to lose their passwords.”
Impossible or not, users will lose their password or their laptop or their sanity. The trick is to expect the unexpected and be ready for it. I don’t know if the PC Party had an orderly plan for dealing with a laptop theft, but if they did it certainly didn’t show itself. Maybe next time it will be your laptop that goes out the door. Are you ready?
Dr. Keenan, ISP, is Dean of the Faculty of Continuing Education at the University of Calgary and teaches a course called Hot Issues in Computer Security.
