Join the army, get your ID pinched - MoD laptop goes AWOL Personal details of the 600,000 people who have applied to join the armed forces over the last ten years were stolen with an MoD laptop earlier this month, it was admitted late on Friday. The computer was stolen from the car of a junior naval officer, which was parked outside his house overnight in Edgbaston, Birmingham. It …
Heh, you've got me there. In my defence I probably did take my stuff into the house in the right order at least most of the time, it just has more effect the way I told it originally. In any case, the risk of having a laptop stolen in the 30-second window while someone carries their shopping in is insignificant, since we're talking about the risk of leaving a laptop in the car all night, in the dark, while you're asleep and not about to return to the vehicle.
The probelm is that for every big expensive database project there will be a BA working out the list of reports the users want in advance (2-5 years) which will be way off fromt he requiremnts when it goes livem so as ever someone has to buidl an access db to download huge slices of data and run some usefull reports. Thus creating this security risk.
Now if "strategic" development teams would decend from their ivory towers are care more about the end-user that their powerpoint slides then all this data might not always end up on local HDs.
"A lot of people have been suggesting the use of Encryption. Encryption is a means of slowing down the theives from accessing the data, but if they want to get to the data then they will know how too, it may take days, but they can get to it."
Bullshit. Unless by "days", you mean "many many trillions of trillions of multiples of the lifespan of the entire universe - expressed in days".
Used correctly - by which I mean, a PGPdisk or Truecrypt encrypted volume with a password that can't be guessed from a dictionary attack - encryption is an absolute brick wall. There is NO way to get through it. It's not just a matter of persistence; there isn't even enough energy and matter in the universe to count from zero to 2^128, let alone recover a 128-bit encryption key by trial and error.
If you really think that what you say is possible, please explain *how*. It could make you a very very rich man if it were only true ...
I'm in the Armed Forces and have come to the conclusion that it is a matter of when my account gets emptied - not if.
Why? Because I have to tell various members of the Armed Forces:-
a. all of my bank details
b. all of my personal details (Mothers's maiden name, wife's maiden name, addresses for the last 7 years, Parents address, wife's addresses, children's names, and birthdays for all of the above, passport number, National Insurance Number, Place of Birth.
About the only thing they do not know about me is my first Pet's name.
Ripe for a bit of identity theft? I should Coco
And in case we all think that our wonderful armed forces are above a bit of self interest, I one knew a Officer in the Territorial Army who used the names and address of his troops to open Bank accounts. He was a Bank Manager who wanted to meet his targets for new customers.
I have set up a seperate bank account which only has my Armed forces Pay going into it - and it immediatly gets moved to another account that they do not know about. It is my only defence.
6pm, Monday 21 January
BBC news reports that "...defence secretary Des Browne says a probe into the loss of a laptop with details of 600,000 people has uncovered two similar thefts .... the other two laptops held similar data but on fewer people, he told MPs."
As for the Birmingham incident, Browne told MPs that the Navy recruiting officer failed to follow security procedures.
So it's all down to "Gerald" the hapless underling - ministers and civil servants are not to blame. Our personal data is safe in government hands. I feel *so* reassured and simply can't wait to get my ID card.
Firstly to those suggesting crypto as a solution – please note that all crypto solutions for HMG have to be approved by CESG. Most HMG departments struggle with the concept of protective markings let alone crypto management. If the rules on storage can’t be followed then why would the password on the crypto lock be secure? In the old days of running password checks on manpower systems the favs were RoyalNavy, Car Reg, Last ship, normally in that order.
This data would have been at best marked RESTRICTED which means it could be double wrapped and sent through the normal post. In the old days of BR4006 (or was it 4005) and the first drafts of JSP440 the hard disk was to be removed from the machine and carried on the one’s person. In the early days we lost a lot of chassis which we never cared about. Machines are clearly issued with the written instruction that they have to be suitably secured and the back of the car is not listed as secure.
Finally the Falklands bit is rubbish, plans from PJHQ were very much in draft as the fleet set sail. The landings were only finalised after the practice at Ascension (which was done in bright sunshine). To almost quote Admiral Leech ‘there was no plan on the shelf for this one, we had to make it up as we went along).
"I entered a fairly long and non-obvious password"
"the penguin doesn't work in support obviously.
apply this to thousands of machines and you need to have some type of system for techies to guess this password (based on serial number or asset tag, lose the sticker for either and you are screwed), which means its not secure. Techies change jobs and talk too.
If the user enters it, when the machine goes to another user later on when that person leaves, then no-one knows the password. The user forgets the password (long and non obvious), then you are screwed when you have a whining user saying "but I need that data, can't you do anything"
"
there is such a thing called agent recover. It a nifty little thing. it allows you to export the ad min certificate. Now if you forget the password on an Efs in windows you can get into to it. I used this when I worked at a bank. The key is to limit who has access the agent recovery.
This sounds like an opportunity crime and it seems to have been announced a few days after the loss.
I thought the standard procedured after nicking a laptop was to clean it quicksmart so that it wasn't clearly not yours? And even if the thief didn't clean it I'd guess he offlloaded it PDQ to someone who did.
I'd also expect MoD to only issue laptops with encryption as standard. However, is there not a 'Recruitment Agency' or something which while it belongs to MoD may be on a longer leash.
Incidentally the Naval Disciplie Act ended a year or two back with the introduction of a joint service discipline act. That said I'm of the view that people who leave laptops visible in unattended cars are adverts for introducing penal battalions for mine clearing duties in Afghanistan.
"there is such a thing called agent recover. It a nifty little thing. it allows you to export the ad min certificate. Now if you forget the password on an Efs in windows you can get into to it. I used this when I worked at a bank. The key is to limit who has access the agent recovery."
So did I, but this lot are talking of non EFS encryption, etc, etc, which is easy to talk about, but not so easy to do across an enterprise. Couple that with who has access to agent recovery, a few people only being able to support encryption problems over a country wide enterprise. People will copy things onto USB keys to make it easy for themselves.
Most banks outsource these days, so a group of underpaid disgruntled temps (sorry, "contractors") have the keys to the castle.
'I thought the standard procedured after nicking a laptop was to clean it quicksmart so that it wasn't clearly not yours? And even if the thief didn't clean it I'd guess he offlloaded it PDQ to someone who did'
Lets hope that's the case, but with all the recent publicity on the value of data that's being exposed, just some of these thieves are going to start to realise they have something rather more valuable than a bent laptop to sell....
If you're handling laptops they should be backed up (centrally) so that the *minimal* data that only exists in accessible form on the laptop is recoverable if access is no longer possible (through loss of the hardware or of the password).
Those 600000 records should have been entered/transferred into a central recruitment/personnel database for sanity's sake.
Like many here, I too have worked in government IT projects. Those who have will know the pain, a minute in the real world IT is equivalent to about 6 weeks in government IT. If they started looking at better encryption now, they might have a project off and running by about 2050 and then it will run by some third-party contractor and a millions miles away from the original project terms of reference!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
