LAPTOP SECURITY

The headline "Laptop Along with Hundreds of Thousands of Identities and Information Stolen" seems to be a regular phrase these days. Whether it's an executive trusting the hotel cleaning staff, a name-brand accounting auditor storing his laptop unsecured in his car (who, by the way, would still bill his clients on an annual review for such carelessness) or an accounting staff entering a “one chance”, laptops/PDA’s and other physically insecure computers are getting lost and stolen by the truckload.
It's no longer just an inconvenience to lose a laptop. Being careless in todays overly governed society now leads to business contracts being dishonored, Accounting firms loosing confidential details, personal data been used fraudulently (Gulder Ultimate search star nude picture saga), laws being broken, and industry regulations being violated. Above all, it's putting a lot of sensitive information at risk, both trade secrets and, more importantly, personal livelihoods.
For crying out loud, why aren't people speaking out about this problem? More importantly, why aren't organizations doing anything about this problem? You want to do the right thing and keep your laptops secure? Read on.
Step 1: How it can happen
Have you ever wondered how the people finding and/or stealing these unsecured laptops and other computers are breaking into those systems and getting sensitive information? Well, I haven't interviewed any criminals, but I'd guess they have got their own tools and techniques. However basic it may seem, many people simply don't have passwords on their laptops. It doesn't take a computer engineer to crack that code, and I won't elaborate on security testing techniques and solutions for that problem. But what about those systems that do have passwords, how are the bad guys getting in?
The best way to approach this problem is to look at it from a malicious viewpoint. I'm not advocating or supporting criminal activity. I do, however, strongly believe the only way to truly secure your systems is to look at security issues from the bad guy's perspective. When it comes to laptop hacking, there are a few tests you need to run to see just how far you can get into the system and into your network.
Already logged-in with full access
A computer system can be stolen while it's still turned on. Laptops with well-charged batteries are especially convenient for the bad guys. There's no unplugging and trying to get in later, they simply take the system and run with it to another location and see what can be gotten off it. After all the Anita Hogan phone picture issue (though given willing) is a classic case of stolen information.
Once they are in, anything's fair game. Many organizations (very few in Nigeria anyway) have policies that state no sensitive information shall be stored on local hard drives or mobile devices. I see it all the time. It's usually just a matter of looking at the person's desktop to find all sorts of word processing documents, spreadsheet files and other areas containing sensitive information.
Take a look and see for yourself. You can actually do this from the network if you have remote logins enabled and you're part of the local administrators group. Look under C:Documents and SettingsAll UsersDesktop and C:Documents and SettingsusernameDesktop. You can also load up Outlook or whatever email client the victim uses to see what's stored inside. Odds are your users use email as an information repository, and it's a gold mine for sensitive information.
Think about what could happen if any of this data was accessible by a criminal. That's a good reason to use short screensaver time outs, require users to lock their screens when leaving their computer unattended or to even use proximity sensors to automatically lock the screen when the user leaves.
Guessing Passwords
The next step a would-be criminal could take is to simply guess a login or screensaver password sometimes it's easy as 1-2-3. In this scenario, let's assume the laptop is powered on and the user has locked the screen with a screensaver. The hacker could enter the user's login ID (the last logon ID is likely displayed) as the password or append a 1, exclamation point, or "pass" to the end of it. It's actually pretty common. If the screensaver password doesn't work, simply reboot the system to see how it comes up -- you might not need a password to login to Windows.
If you reboot and you're prompted with a BIOS power-on password, that's yet another layer of defense, but it's no problem to get around. There are resources galore on how to reset those.
Step 2 : How to Crack a Laptop
Find Passwords
If they're already in, hackers can look at stored passwords that may lead to other sensitive information especially those stored in VPN clients that could provide a direct link into your network. You can find this type of information using a tool such as ElcomSoft Ltd.'s Proactive System Password Recovery. It will recover logon passwords, network passwords, wireless encryption keys, dialup/VPN passwords and more that can be used against you.
Crack passwords
If you've done the right thing and require Windows logins combined with Windows-enforced strong passwords, you're probably wondering how else someone could possibly get in. Well, never fear, it can be done. It is simple password cracking, and you don't even have to buy a commercial tool to do it. There's a relatively new tool which most engineers have been using called Ophcrack that uses rainbow tables for really fast Windows password cracking. Ophcrack has a bootable "Live CD" version that you can use without having any other access to the Windows system. So, let’s picture this scenario: The bad guy finds/steals your system, boots it up using a tool such as Ophcrack and in the twinkle of an eye, he's got one or more Windows account passwords. It's all over after that. Try running the Ophcrack Live CD yourself and see what you can find.

Step 3: How to secure a laptop

There's a simple solution
Having shown you all these laptop hacking techniques and tools, you can still lock down your systems to keep bad things from happening. You could create encrypted "partitions," which, basically, are files that mount as a regular drive. But for me personally I don’t go for it nor recommend it for clients. It all boils down to the fact that you cannot trust your users to store sensitive information on the secured partition every time. People will store things on their desktop, in their email application, and in local temp directories that may not be protected. Plus, if someone is able to obtain a laptop and crack various Windows passwords as I described above, what do you think the odds are that the encrypted partition uses one of those same passwords? Based on what I see, the chances are pretty good.
Many people are installing laptop-tracking software such as LoJack for Laptops, which can certainly aid in recovery. The problem is that by the time the system is recovered, sensitive information on the laptop could've been compromised. Good solution, just a little too late in the security breach time window for me and obviously for you who cares.
The only truly secure solution (although still not 100%, nothing is) to keep information from being compromised is to use a whole disk encryption technology such as PGP Whole Disk Encryption and TrueCrypt. They are independent of the operating system and use much stronger encryption technologies and some can even be centrally managed reducing administrative burdens. Even if stolen computers are powered on, as long as the entire drive is encrypted and the screen is locked, the only option for the criminal is to reboot the system to try and get in. Once he does that, he will be prompted for a pass phrase to unlock the drive. As long as the pass phrase to encrypt the drive is strong, he is at a dead-end.
Remember that policies enforced by technologies, and not just trusting users to do the right thing, will keep sensitive information on your company’s computers from being compromised. Obviously, it's going to cost money (up front and ongoing) in both software licenses and operational costs (as our people say “soup wey sweet dey cost”). But that seems like a better alternative than losing company files, personal documents, ‘Anita Hogan pictures, credit card merchant privileges, explaining to one or more government regulatory bodies, your accounting firm/ client why your stolen systems were not protected or having to notify every single person whose information is believed to be compromised.


Step 4: Laptop security summation

All I have mentioned so far are real issues happening to real people and the problem can be avoided if you, and your management do the right things. Here are some final takeaways to keep your laptops and other stolen computers safe:
1. Look at your laptop vulnerabilities from a malicious-eye view and revisit this issue often.
2. Educate your users over and over again until it's ingrained in their minds, that thoughts like "I'm just going to run into the supermarket real quick, the laptop will be OK in the car", "I just need to step into the restroom real fast, others in the coffee shop will lookout for my stuff", “I’m driving my own car if I leave it on the back seat it cant be stolen”, and “one chance is not my portion (God has given us wisdom)”are very dangerous and can end up getting a lot of people in trouble.
3. Ensure screens are getting locked via CTRL-ALT-DEL or a short screensaver timeout.
4. Configure Windows to require passwords to be entered upon return from hibernate, suspend or a screensaver time out.
5. Most importantly, use whole disk encryption with strong passphrases.
There is always the chance that your stolen systems will be sold, new software will be reloaded, and nothing bad will ever come of it. However, you have got to look at the worst-case scenario. Given that so much information is being stored in so many different places, without whole disk encryption in place combined with sensible password and screen-locking technologies, there's not really any way to be sure everything's protected at all times. That is a risk no savvy business person should ever be willing to take.

Nice tips, Thanks buddy.

, thanks mate

nice writeup. many of them are appicable to desktops as well. i also like to add that u can physically secure your laptop either in the room/office or in your car by using a security cable which has a slot on most laptops. they're usually very strong and someone who intends to steal such laptop has to physically struggle with it. i bet most laptop thieves would not want to go as far as that especially in a public place.

Tanx For The Handy Info.

Guy you try o. Hope its not "Ctrl+C and Ctrl+V" sha!

****Guy you try o. Hope its not "Ctrl+C and Ctrl+V" sha!****
i wish it were that simple, would make my materials easier. but actually we do get our inspiration from lots of forums and sources. try joining up with some. im a microbiologist turned IT consultant without going through any formal training and embarassingly no certificates. learnt on the job and from materials online.