VeriSign has warned workers of the theft of a laptop that contained their personal information. The laptop was stolen from a car parked in the garage of a California worker sometime on the night of 12 July. The laptop contained personal information - name, Social Security number, date of birth, salary information, telephone …
For f**k's sake, how hard is it for these people to understand that storing confidential data on laptops is an accident waiting to happen?
CIOs of these companies should be dragged to the nearest field and shot repeatedly until the message finally gets through to everyone who does this.
You wouldn't leave a full copy of your own credit history sitting in the boot (sorry, trunk for our US readers) of your car, so why is it OK to do it with your employees' or customers' data?
a potential use for DRM ?
If this had been a music track instead of personal details you just know that it would have been riddled with DRM which would mean that the raw data could not be got at, and it could only be used in the correct authorised programs etc etc.
I think the mistake was in letting it be possible to get hold of the data in an unencrypted form to begin with. Obviously users can't be trusted with it despite company policies, the same way that the MAFIAA don't trust users with unencrypted media despite laws forbidding copying.
So why doesn't someone apply the same kind of principles to data files too? Maybe OpenOffice could get ahead here by implementing something like this. Have a way to mark a document/spreadsheet/db file, whatever, as 'must be encrypted' and enforce that once loaded it can't be saved, or cut and pasted out of the application, in an unencrypted way.
It doesn't have to be majorly secure, there will always be the 'analog hole' of screen scraping etc., but if all the basic operations are covered then the average idiot user (they must be idiots, otherwise they wouldn't have needed this) won't end up with unencrypted data on a stealable device.
Happens again and again
Does anyone remember how the plans to the Gulf War (part one) were stolen when a high-ranking British army officer left his laptop in his car to go shopping?
The world is full of idiots.
Re: a potential use for DRM ?
DRM may possibly help, especially if it was a random opportunistic theft. However, I'd avoid using any flawed technology from the music industry.
The DRM implementations for restricting music are not truly secure in the technical sense, since the OS/software/licenses/media files contain all the information to play the contents without requiring any passwords. Instead they employ security by obscurity. The media is encrypted; however, by necessity the decryption keys are included with the player/user license files, which implies they are available by reverse engineering the software. The encryption is a genuine headache for legitimate users, but it should not be considered secure from an attacker who can reverse engineer the software (just like the DVD).
A real solid portable (unconnected) DRM platform would still be vulnerable to brute force/dictionary password attacks. Expect toolkits to simplify the process as DRM becomes more common for business security. A security key could help here, except in all likelihood it gets stolen with the laptop.
Interestingly the most modern CPUs have begun integrating TPM units into their designs, which basically limit the possibility of reverse engineering by making sure the software is encrypted and only the hardware knows how to decrypt it. It is much harder to hack the keys out of hardware, and assuming the keys do not get leaked somehow this may finally be considered "secure".
Yes, cupid stunts
I can only agree. If you don't want confidential information getting out, don't put it where it can be leaked!
I was once told by a CIO of a large bank that they didn't worry about that kind of data getting out because all of their laptops were password protected. So I grabbed his laptop, pulled the drive (2 minutes, I'm slow), plugged it into an external drive enclosure (1 minute, these are easier) and was reading data in less than 30 seconds (it's an old laptop). He said they were going to require encryption on all laptops. Just like VeriSign.
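The drive-pull demonstration above is the difference between a login password and disk encryption. As an added example (not from any commenter on this thread), here is a Python check that parses the JSON form of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and lists every mounted filesystem that has no dm-crypt layer beneath it; the JSON below is a constructed sample, not output captured from a real machine.

```python
import json

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`
# (not from any real machine): sda2 is a plain ext4 root partition, sda3 is a
# LUKS container whose dm-crypt mapping "cryptdata" carries the home filesystem.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
    {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
     "children": [
      {"name": "cryptdata", "type": "crypt", "fstype": "ext4", "mountpoint": "/home"}
    ]}
  ]}
]}
"""

# Bootloader and swap entries are expected to be plaintext on most setups,
# so they are left out of the report to keep the signal on user data.
IGNORED_MOUNTPOINTS = {"/boot", "/boot/efi", "[SWAP]"}


def _walk(node, encrypted_ancestor, findings):
    """Depth-first walk of the lsblk tree. A mountpoint counts as protected
    if any device above it (or itself) is a dm-crypt mapping (type "crypt")."""
    encrypted = encrypted_ancestor or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint and mountpoint not in IGNORED_MOUNTPOINTS:
        findings.append((mountpoint, node["name"], encrypted))
    for child in node.get("children", []):
        _walk(child, encrypted, findings)


def unencrypted_mounts(lsblk_json):
    """Return (mountpoint, device) pairs whose backing storage is not under
    a dm-crypt layer, i.e. readable by moving the disk to another machine."""
    findings = []
    for device in json.loads(lsblk_json)["blockdevices"]:
        _walk(device, False, findings)
    return [(mp, name) for mp, name, enc in findings if not enc]


if __name__ == "__main__":
    for mountpoint, device in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"{mountpoint} on {device}: no disk encryption beneath it")
```

On a real host the JSON comes from running `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; an empty result means every data mountpoint sits on a dm-crypt device.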
Actually he was a member of the Royal Air Force. He was, of course, promoted and given a plum job in, I think, Canada.
If you had done your job at work
If you had done your job at work, you would not have to take it home with you.
Register editor sleeps at his desk
This story bears the title: "Verisign worker exits", but the story says absolutely NOTHING about any Verisign worker exiting, in any sense of the word.
Re: Register editor sleeps ...
"The unnamed worker involved has left VeriSign.."
"The employee involved in this incident has since left VeriSign."
You're right ... it should have read "Verisign worker lefts"
They let it leave?
So if I was in charge of that outfit,
the data would be secured to the highest practical level (considering available technology):
-[a] every machine in the place (especially portable devices) would have an encrypted file system (and, come to think of it, would be a Mac, UNIX, Linux, or mainframe box, depending on purpose);
-[b] every user (including janitorial staff) would be trained on security practices, evaluated on compliance with same, and required to log in using one of those RSA-type fobs with random numeric key sequences (I prefer CryptoCard on BSD, actually);
-[c] visitors and consultants would have to sign NDAs and confidentiality agreements that make them individually liable for damages; they would also require oversight, and would be given very limited access (no data to be transferred off premises), which would end the moment they are finished work;
-[d] all laptops and portable devices would have call-home and remote-kill LoJack-type functionality, and all connections would be encrypted and secure.
This individual would be facing a civil lawsuit.
The person wouldn't "leave", they would be fired for negligence and escorted off the premises; their manager would be subjected to an audit and an investigation (at least), and that's what the press release would say, too.
Aside from all that, whenever this sort of thing happens, I always get a mighty urge to throw the idiot so hard that the moron would bounce.
This company is (supposedly) a security vendor (among other things); they should try harder to act the part (they're far from broke, and their profit outlook is excellent).
Unfortunately, VeriSign (and NSI before that) has never had its stuff together. They were always fsckups, so no news here (just had to deal with them last year, and they were still fscked up). This twit likely fit into their culture of incompetence just fine, and was probably either management or HR, or maybe both.
*VeriSign is taking the recent laptop theft very seriously. *
Don't make me laugh! If they really took anything seriously, this wouldn't happen.
Stupidity #1: have employees' data on a laptop.
Stupidity #2: have the data unencrypted.
Stupidity #3: give the laptop to a manager, with an MBA or similar and no clue.
And then they even seem surprised when the inevitable happens.