In-Depth
Used Laptops Offer Secrets for Sale—Cheap
Even laptops with hard drives that had been erased and defragged were easily hacked to reveal company secrets
Five pounds sterling (about $9) is all it took for Stockholm-based Pointsec Mobile Technologies, a data encryption vendor, to buy a laptop on eBay which still contained, it says, the access codes needed to gain administrator rights to “the secure intranet of one of Europe’s largest financial services groups.”
As part of an experiment to see how well companies protect information on their laptops, Pointsec purchased laptops at Internet and public auctions—including auctions of laptops lost and never reclaimed in airports, or turned into police stations—in Britain, Germany, Sweden, and the United States.
Of the 100 laptops acquired, the company was able to read information on 7 out of 10 hard disks, sometimes using easily available or off-the-shelf password cracking tools.
“Dozens of Web sites … offer password-cracking software or [recovery] software which criminals, hackers, and opportunists use when they want to break into laptops or Web sites,” notes Peter Larsson, CEO of Pointsec Mobile Technologies. Such tools make it easy to recover information from a laptop, even if all files have been erased and the hard drive defragmented.
Just take the aforementioned financial services firm’s laptop. Beyond passwords, there were also 77 Microsoft Excel documents containing such things as customer e-mail addresses, dates of birth, home addresses, and telephone numbers. If a competitor procured such data, the results could be devastating; someone might try to blackmail the company into paying hush money.
Despite those potential threats, however, Pointsec says the unnamed company in question is already in violation of Britain’s Data Protection Act, which mandates safeguarding citizens’ private information. Any of those threats could adversely affect a company’s stock price, if made public.
Pointsec says companies obviously need to do a better job of wiping data from computers to be sold. “Even when companies or individuals believe they have wiped the hard drive clean, it is blatantly clear how easy it is to retrieve sensitive information from them both during their current lifetime and beyond it,” says Larsson.
For laptops lost in transit, which Pointsec tested at lost-property auctions for such airports as Britain’s Gatwick, researchers were able to access information on one in three laptops’ hard drives. When performing the experiment on laptops at an auction in Sweden, Pointsec even found sensitive information from “a large food manufacturer,” including “four Microsoft Access databases containing company and customer-related information, 15 Microsoft PowerPoint presentations containing highly sensitive company information, and 1512 JPEG pictures of both a company and private nature.”
Evidently many companies aren’t protecting in-use laptops with strong encryption in case the laptops are lost or stolen. Yet “Pointsec’s research demonstrates just how easy it is to access information which is not adequately protected,” notes Tony Neate, the tactical and technical industry liaison at the UK National Hi-Tech Crime Unit. His recommendation: “Encryption and other security measures are vital to ensure that security is not compromised—something as simple as a hard disk drive password can deter the opportunist.”
Pointsec recommends companies follow four steps to better secure their employees’ mobile devices: centrally manage mobile device security technology, removing responsibility from employees; mandate access control and encryption use; create a company-wide policy for mobile-device use, and educate staff on it; and encrypt hard disks (this “protects the information during the laptop’s life and beyond its active service”).
For those enamored by a new calling in used hard drives and corporate blackmail, Larsson recommends against it. Despite the relative bargain—corporate secrets for little money—“you could be facing a very long stretch at Her Majesty’s pleasure,” he notes.
Pointsec says it will destroy all laptops procured for its experiment.
RELATED STORIES:
Businesses Ignore Mobile PDA Threat http://esj.com/news/article.asp?editorialsId=927
Case Study: Fielding Service Calls Securelyhttp://www.esj.com/news/article.asp?EditorialsID=867
About the Author
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.