Laptop theft

Last updated

Laptop theft (or notebook theft) is a significant threat to users of laptop computers. Many methods to protect the data and to prevent theft have been developed, including alarms, laptop locks, and visual deterrents such as stickers or labels. Victims of laptop theft can lose hardware, software, and essential data that has not been backed up. Thieves also may have access to sensitive data and personal information. Some systems authorize access based on credentials stored on the laptop including MAC addresses, web cookies, cryptographic keys and stored passwords.

Contents

According to the FBI, losses due to laptop theft totaled more than $3.5 million in 2005. The Computer Security Institute/FBI Computer Crime & Security Survey found the average theft of a laptop to cost a company $31,975. [1] In a study surveying 329 private and public organizations published by Intel in 2010, 7.1% of employee laptops were lost or stolen before the end of their usefulness lifespan. [2] Furthermore, it was determined that the average total negative economic impact of a stolen laptop was $49,256—primarily due to compromised data, and efforts to retroactively protect organizations and people from the potential consequences of that compromised data. The total cost of lost laptops to all organizations involved in the study was estimated at $2.1 billion. [3] Of the $48B lost from the U.S. economy as a result of data breaches, 28% resulted from stolen laptops or other portable devices. [4]

In the 2011, Bureau Brief prepared by the NSW Bureau of Crime Statistics and Research it was reported that thefts of laptops have been on the increase over the last 10 years, attributed in part by an increase in ownership but also because they are an attractive proposition for thieves and opportunists. In 2001 2,907 laptops were stolen from New South Wales dwellings, but by 2010 this had risen to 6,492, second only to cash of items taken by thieves. The Bureau reports that one in four break-ins in 2010 resulted in a laptop being stolen. This startling trend in burglaries lends itself to an increase in identity theft and fraud due to the personal and financial information commonly found on laptops. These statistics do not take into account unreported losses so the figures could arguably be much higher. [5]

Businesses have much to lose if an unencrypted or poorly secured laptop is misappropriated, yet many do not adequately assess this risk and take appropriate action. Loss of sensitive company information is of significant risk to all businesses and measures should be taken to adequately protect this data. A survey conducted in multiple countries suggested that employees are often careless or deliberately circumvent security procedures, which leads to the loss of the laptop. According to the survey, employees were most likely to lose a laptop while travelling at hotels, airports, rental cars, and conference events. [6]

Behling and Wood examined the issue of laptop security and theft. Their survey of employees in southern New England highlighted that not only were security measures fundamentally basic but that training employees in security measures was limited and inadequate.

They concluded that trends in laptop thefts needed to be monitored to assess what intervention measures were required. [7]

Inside protection

Passwords are no longer adequate to protect laptops. There are many solutions that can improve the strength of a laptop's protection. Full disk encryption (FDE) is an increasingly popular and cost-effective approach. FDE can be taken on from a software-based approach, a hardware-based approach, or both-end-based approach. FDE provides protection before the operating system starts up with pre-boot authentication, however precautions still need to be taken against cold boot attacks.

There are a number of tools available, both commercial and open source that enable a user to circumvent passwords for Windows, Mac OS X, and Linux. One example is TrueCrypt which allows users to create a virtual encrypted disk on their computer. [8]

Passwords provide a basic security measure for files stored on a laptop, though combined with disk encryption software they can reliably protect data against unauthorized access. Remote Laptop Security (RLS) is available to confidently secure data even when the laptop is not in the owner's possession. With Remote Laptop Security, the owner of a laptop can deny access rights to the stolen laptop from any computer with Internet access.

Physical protection

A number of computer security measures have emerged that aim at protecting data. The Kensington Security Slot along with a locking cable provides physical security against thefts of opportunity. This is a cord that is attached to something heavy that cannot be moved, and is then locked into the case of the laptop, but this is not 100% secure. [9]

The Noble security lock slot is a different way to attach a security cable. [10] [11]

Centralization of laptop data

Another possible approach to limiting the consequences of laptop theft is to issue thin client devices to field employees instead of conventional laptops, so that all data will reside on the server and therefore may be less liable to loss or compromise. If a thin client is lost or stolen, it can easily and inexpensively be replaced. However, a thin client depends on network access to the server, which is not available aboard airliners or any other location without network access.

This approach can be coupled with strong authentication as such single sign-on (SSO).

Major laptop thefts

In 2006 a laptop in custody of a data analyst was stolen that contained personal and health data of about 26.5 million active duty troops and veterans. [12] The agency has estimated that it will cost between $100 million to $500 million to prevent and cover possible losses from the data theft. [13] In 2007, the United States Department of Veterans Affairs agreed to pay $20 million to current and former military personnel to settle a class action lawsuit. [14]

In 2007 the Financial Services Authority (FSA) fined the UK's largest building society, Nationwide, £980,000 for inadequate procedures when an employee's laptop was stolen during a domestic burglary. The laptop had details of 11 million customers' names and account numbers and, whilst the device was password protected, the information was unencrypted. The FSA noted that the systems and controls fell short, given that it took the Nationwide three weeks to take any steps to investigate the content on the missing laptop. The substantial fine was invoked to reinforce the FSA's commitment to reducing financial crime. [15]

In 2010 VA reported the theft of the laptop from an unidentified contractor; the computer contained personally identifiable information on 644 veterans, including data from some VA medical centers' records.

After learning about the unencrypted laptop, VA investigated how many VA contractors might not be complying with the encryption requirement and learned that 578 vendors had refused to sign new contract clauses that required them to encrypt veteran data on their computers, an apparent violation of rules.

Common locations

LoJack for Laptops has compiled a list of the top ten places from which laptops are stolen: [16]

  1. Public Schools (K–12)
  2. Residential Properties
  3. Automobiles (excluding taxis)
  4. Businesses/Offices
  5. Universities and Colleges
  6. Restaurants and Cafes
  7. Hotels and Motels
  8. Dormitory
  9. Airports
  10. Public Transit (taxi, bus, train)

To provide some context, the Ponemon Institute released a study that indicates over 600,000 laptops will be lost or stolen at US airports every year, with 65–69% of them remaining unclaimed. [17]

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security, or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

<span class="mw-page-title-main">Identity theft</span> Deliberate use of someone elses identity

Identity theft, identity piracy or identity infringement occurs when someone uses another's personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term identity theft was coined in 1964. Since that time, the definition of identity theft has been legally defined throughout both the U.K. and the U.S. as the theft of personally identifiable information. Identity theft deliberately uses someone else's identity as a method to gain financial advantages or obtain credit and other benefits. The person whose identity has been stolen may suffer adverse consequences, especially if they are falsely held responsible for the perpetrator's actions. Personally identifiable information generally includes a person's name, date of birth, social security number, driver's license number, bank account or credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access a person's financial resources.

Disk encryption software is a computer security software that protects the confidentiality of data stored on computer media by using disk encryption.

An information security audit is an audit of the level of information security in an organization. It is an independent review and examination of system records, activities, and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized as technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, and highlights key components to look for and different methods for auditing these areas.

Crimeware is a class of malware designed specifically to automate cybercrime.

<span class="mw-page-title-main">Wireless security</span> Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

Disk encryption is a technology which protects information by converting it into code that cannot be deciphered easily by unauthorized people or processes. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.

Physical information security is the intersection or common ground between physical security and information security. It primarily concerns the protection of tangible information-related assets such as computer systems and storage media against physical, real-world threats such as unauthorized physical access, theft, fire and flood. It typically involves physical controls such as protective barriers and locks, uninterruptible power supplies, and shredders. Information security controls in the physical domain complement those in the logical domain, and procedural or administrative controls.

A data breach, also known as data leakage, is "the unauthorized exposure, disclosure, or loss of personal information".

<span class="mw-page-title-main">Credit card fraud</span> Financial crime

Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.

Hardware-based full disk encryption (FDE) is available from many hard disk drive (HDD/SSD) vendors, including: Hitachi, Integral Memory, iStorage Limited, Micron, Seagate Technology, Samsung, Toshiba, Viasat UK, Western Digital. The symmetric encryption key is maintained independently from the computer's CPU, thus allowing the complete data store to be encrypted and removing computer memory as a potential attack vector.

Secure USB flash drives protect the data stored on them from access by unauthorized users. USB flash drive products have been on the market since 2000, and their use is increasing exponentially. As both consumers and businesses have increased demand for these drives, manufacturers are producing faster devices with greater data storage capacities.

Key disclosure laws, also known as mandatory key disclosure, is legislation that requires individuals to surrender cryptographic keys to law enforcement. The purpose is to allow access to material for confiscation or digital forensics purposes and use it either as evidence in a court of law or to enforce national security interests. Similarly, mandatory decryption laws force owners of encrypted data to supply decrypted data to law enforcement.

Cyber crime, or computer crime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers, more precisely, to criminal exploitation of the Internet. Issues surrounding this type of crime have become high-profile, particularly those surrounding hacking, copyright infringement, identity theft, child pornography, and child grooming. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise.

<span class="mw-page-title-main">Operation AntiSec</span> Series of cyberattacks conducted by Anonymous and LulzSec

Operation Anti-Security, also referred to as Operation AntiSec or #AntiSec, is a series of hacking attacks performed by members of the hacking group LulzSec and Anonymous, and others inspired by the announcement of the operation. LulzSec performed the earliest attacks of the operation, with the first against the Serious Organised Crime Agency on 20 June 2011. Soon after, the group released information taken from the servers of the Arizona Department of Public Safety; Anonymous would later release information from the same agency two more times. An offshoot of the group calling themselves LulzSecBrazil launched attacks on numerous websites belonging to the Government of Brazil and the energy company Petrobras. LulzSec claimed to retire as a group, but on 18 July they reconvened to hack into the websites of British newspapers The Sun and The Times, posting a fake news story of the death of the publication's owner Rupert Murdoch.

The 2012 LinkedIn hack refers to the computer hacking of LinkedIn on June 5, 2012. Passwords for nearly 6.5 million user accounts were stolen. Yevgeniy Nikulin was convicted of the crime and sentenced to 88 months in prison.

An insider threat is a perceived threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.

Absolute Home & Office is a proprietary laptop theft recovery software. The persistent security features are built into the firmware of devices. Absolute Home & Office has services of an investigations and recovery team who partners with law enforcement agencies to return laptops to their owners. Absolute Software licensed the name LoJack from the vehicle recovery service LoJack in 2005.

The following outline is provided as an overview of and topical guide to computer security:

<span class="mw-page-title-main">USBKill</span> Software to protect from unknown USB devices

USBKill is anti-forensic software distributed via GitHub, written in Python for the BSD, Linux, and OS X operating systems. It is designed to serve as a kill switch if the computer on which it is installed should fall under the control of individuals or entities against the desires of the owner. It is free software, available under the GNU General Public License.

References

  1. "2005 FBI Computer Crime Survey" (PDF). fbi.gov. Federal Bureau of Investigation. Archived from the original (PDF) on 2006-01-06. Retrieved 2024-06-06.
  2. "The Billion Dollar Lost Laptop Problem." Archived 2023-03-25 at the Wayback Machine Page 2. Intel. Ponemon Institute, 2009. Web. 13 Feb. 2013.
  3. "The Billion Dollar Lost Laptop Problem." Archived 2023-03-25 at the Wayback Machine Page 11. Intel. Ponemon Institute, 2009. Web. 13 Feb. 2013.
  4. "Security Breaches Are On The Rise But Preventable." Archived 2013-03-11 at the Wayback Machine Druva, 2012. Web. 15 August 2012.
  5. Fitzgerald, Jacqueline; Poynton, Suzanne (May 2011), "The changing nature of objects stolen in household burglaries", NSW Bureau of Crime Statistics and Research; Crime and Justice Statistics Bureau Brief, 62, Department of Attorney General and Justice: 1–12
  6. https://laptops251.com/wp-content/uploads/2023/10/The-Business-Risk-of-a-Lost-Laptop.pdf Business Risk of a Lost Laptop
  7. Behling, Robert; Wood, Wallace (2007). "Laptop Theft: A Growing Concern For Organizations". Journal of Computer Information Systems (JCIS). VIII: 291–6.
  8. "TrueCrypt". TrueCrypt. Archived from the original on 24 December 2013. Retrieved 28 February 2014.
  9. "Kensington Security Slot Specifications for Hardware" Archived 2015-11-22 at the Wayback Machine .
  10. "Noble Security Lock Slot cannot fit a Kensington lock" Archived 2015-12-17 at the Wayback Machine .
  11. "Computer security lock for trapezoidal security slot" .
  12. "Data on millions of vets stolen from VA employee's home". Archived from the original on 2010-11-06. Retrieved 2010-12-21.
  13. "Electronic Privacy Information Center Veterans Affairs Data Theft". Archived from the original on 2010-12-09. Retrieved 2010-12-21.
  14. https://web.archive.org/web/20120121100248/http://articles.cnn.com/2009-01-27/politics/va.data.theft_1_laptop-personal-data-single-veteran?_s=PM%3APOLITICS CNN article about a class action settlement for a Veteran Affair stolen laptop
  15. "Final Notice" (Press release). Financial Services Authority. February 14, 2007. Archived from the original on May 20, 2012. Retrieved May 7, 2012.
  16. Absolute Software, Computer Theft Report, 2011 Archived 2013-03-18 at the Wayback Machine
  17. "Ponemon Institute, Airport Insecurity: The Case of Lost Laptops, June 2008" (PDF). Archived (PDF) from the original on 2022-10-03. Retrieved 2022-05-08.