Preventing laptop theft: Defense-in-depth approach

Publication Date: 
February 1, 2012
Expiration Date: 
February 1, 2015
Erika Donald, OCIO–Security, Privacy and Policy
Weight: 
0
Body Text: 

Unattended laptopIn 2011, 88 laptops were reported stolen at UC Berkeley. Most of these thefts, according to UC Berkeley Police Department's Lt. Marc DeCoulode, who manages UCPD's investigation unit, were crimes of opportunity by individuals from outside of the campus. "Most thefts happen when laptops are left unattended in offices or in classrooms, and the majority of the thefts occur in campus libraries, specifically in Doe and Moffit," DeCoulode says. "It only takes 10 seconds for a thief to grab a laptop."

I decided to see just how easy it would be to steal a laptop, if I were so inclined, and headed over to Doe Library. I walked into the main stacks and scanned the table tops. Within five minutes, I saw a woman, mid-twenties, get up and walk away from the table where her laptop rested, unsecured. I timed her: she chatted with her back to the laptop for almost four minutes. Why, I wondered, would she be so cavalier with her valuable possession that surely contained not only private information but most likely irreplaceable research data? Most likely, I guessed, the library's tranquil, academic environment lulled her into a false sense of security. And that's precisely what a thief wants: laptop owners to drop their guard for just 10 seconds.

When considering laptop (or any PDA) security, it's best to think of a multi-layered defense-in-depth approach. Combine physical security with additional, defensive layers such as encryption and location software.

Laptop portability: its greatest asset and greatest weakness

The UC Berkeley Police Department offers these general tips for both students and staff to help ensure the physical safety of their laptops:

  • Write down the manufacturer, model, and serial number of your laptop and file this information.
  • Do not walk away from your laptop, even for "a minute". If you must sleep while you're studying in the library, sleep on the laptop.
  • Do not leave valuables in common areas or ask strangers to watch them for you.
  • Do not leave laptops in a vehicle.
  • Secure your laptop in an office with quality hardware (cable locks, lockdown devices, storage cabinets).
  • When you leave your room or office, shut curtains or blinds, lock doors and windows, and take your keys with you [1].

Students heading to college need to take some simple precautions to protect not only their computers, but all sensitive information, such as Social Security and credit card numbers from college and financial applications, that may be saved on their laptops [2]. Just deleting information from your recycle bin or trash isn't enough — computer thieves are experts at undeleting such files.

Decoulode says the start of semester is usually the time when most student laptops are stolen. "Incoming freshman are more easily distracted, perhaps a little overwhelmed, and not paying as close attention to their belongings as they would normally."

Treat your laptop like cash

"If you had a wad of money sitting out in a public place, would you turn your back on it — even for just a minute?" [3] When in any public place (i.e., airports, convention centers, public washrooms, waiting areas, taxis, or public transit), keep the same watchful eye on your laptop as you would on your cash.

Around 637,000 laptops are lost each year at U.S. airports [4], most often at security checkpoints. One technique thieves use is to move between you and your laptop at the metal detector. As your laptop moves along the conveyor to pass through the x-ray scanner, one thief in front of you purposely sets off the metal detector to allow time for the second thief, on the opposite side of the detector, to pick up your laptop and walk away with it [5] — typically, airport security staff don't know or care who owns items going through the x-ray scanner.

And when staying at hotels, pay extra attention to your laptop: a security cable may not be enough. Store your laptop in the safe in your room. Again, think of your laptop like cash. You wouldn't head out of your hotel room leaving behind a stack of twenties on the table, would you?

Make sure your laptop is identifiable

Another relatively low-cost measure is to identify your laptop to make its recovery easier and resale harder. There are a number of solutions available to identify your laptop.

  • Tools are available to permanently engrave or brand serial numbers, company names, and logos onto a laptop.
  • Tamper-resistant tags can be applied to the laptop to identify it. One well-known anti-theft tag is the Stop Tag. The manufacture of the Stop Tag states it takes 800 pounds of pressure to remove this tag [6].

If you make your laptop look unique, there will be less opportunity for someone to use the excuse that they thought your laptop was theirs. Often, unique identifying marks, such as stickers, also make the laptop more difficult to resell.

Encrypting stored data on your laptop

In addition to ensuring the physical security of your laptop, another defensive security layer to consider is encryption. In fact, UC Berkeley's Minimum Security Standards for Electronic Information states that restricted information must not be stored on a laptop (or any other portable device) unless absolutely necessary and if so must be strongly encrypted [7].

Encryption obscures the electronic data with an encryption algorithm, keeping the information private and unavailable to unauthorized persons. Once the data is scrambled, a key must be used in order to decrypt the data to make it readable. Only users in possession of this key will be able to read the encrypted data.

Unfortunately in March 2005, an unencrypted laptop computer containing sensitive information on more than 98,000 UC Berkeley graduate students and others was stolen from the Graduate Division when an office was left momentarily unoccupied. Because there was restricted data (names and Social Security numbers) on the laptop, and since it was discovered that the laptop data was not encrypted, the theft raised the alarm for potential identity theft and triggered a costly requirement to notify the individuals whose information was stored on the laptop.

Encryption can be applied to laptop data in different ways. The two most common methods to protect data on laptops are "whole disk encryption" and "file encryption".

  • Whole disk encryption protects the entire hard drive. Because everything is encrypted, including the operating system, you have to first "unlock" the encrypted drive with your personal passphrase before you can even start or boot up your computer. Programs that offer whole disk encryption include:
    • Windows BitLocker (Windows Vista and 7 Enterprise and Ultimate Editions) — contact for more information on using BitLocker.
    • PGP (Linux and Macintosh) — see http://www.symantec.com/theme.jsp?themeid=pgp for more information.
  • File encryption requires users to save restricted data in an encrypted file or folder in order to ensure that the data is protected. File encryption options include:

For additional information about the various methods of encrypting your laptop, see the article Encryption Tools [PDF] by Allison Henry of IST–System and Network Security.

Laptop location software

Commercial software products are also available that can track stolen laptops. UCPD Lieutenant Adan Tejada suggests installing laptop locator software and notes that UCPD currently installs LoJack Security software on their departmental laptops.

Additionally, some laptop models purchased from Dell, Lenovo (IBM), HP, and other manufacturers may have Absolute Software's Computrace, which embeds a tracking agent in the BIOS. The tamper-resistant agent remains active even if the hard drive is reformatted or replaced [1].

Although there are obvious privacy implications around the use of laptop location software, anyone with a smartphone has already relinquished a significant amount of very private location data [8].

Time is of the essence

In the event that your laptop is stolen, remember — time is of the essence. According to Decoulode, "recovery is usually sooner than later" after a theft. If recovered quickly, the device is still usually operable. If you are the victim of a laptop theft, report it immediately.

References

[1] Protect Your Laptop. UC Berkeley Police Department.

[2] Protect your computer — and your identity — on campus. LaRita Heet, CreditCards.com, 2008.

[3] Keeping Laptops from Getting Lost or Stolen [PDF]. OnGuard Online, June 2007.

[4] Laptops Lost like Hot Cakes at US Airports. Agam Shah, PCWorld, June 2008.

[5] Laptop Theft [PDF]. Janet E. McIntosh, 2002.

[6] Laptop Security: Past, Present [PDF]. Andrew Mueller, SANS Institute Reading Room, 2001.

[7] What is Restricted Data. UC Berkeley Security.

[8] The Privacy Implications of Commercial Location-based Services [PDF]. John B. Morris, Jr., Center for Democracy & Technology, February 24, 2010.