Laptop Security
SIRT IT Security Roundtable
Harvard Townsend
IT Security Officer
harv@ksu.edu
May 2, 2008
Laptops are risky business…
2
Agenda






Physical security
Protection while traveling
Information security
Recording identification information
Tracking and Recovery software
Wireless security





Public WiFi hotspots
Home wireless
VPN service
Useful freeware tools demo’d throughout
USB thumb drive security
3
Physical Security – Theft
Prevention




Never leave unsecured laptop unattended
Lock your doors (reshall room, apt., office)
Lock it in a cabinet
Use a locking security cable






Room/office
Hotel room
Public locations
Conferences, training sessions
Cost $15-$50, combination or key lock
Use strong password on all accounts
4
Traveling



Don’t let it out of your sight when you travel
Be particularly watchful at airport security
checkpoints
Always take it in your carry-on luggage




Never put it in checked luggage
Use a nondescript carrying case
Be careful when you take a nap in the airport
Don’t leave it in view in your vehicle

Don’t trust the trunk - remember the quick
release lever inside the vehicle?
5
Information Security


DON’T store confidential data on mobile
devices
If you must, encrypt it






Beware of managing encryption keys
Work with temporary copies on the laptop – keep
original file(s) on secure server
Backup data regularly


Whole-disk encryption best
File or folder encryption reasonable
Demo TrueCrypt (open source, Win/Linux/Mac –
http://www.truecrypt.org )
Imaging is a lovely tool
Diligently manage the security of the device
(patches, antivirus software, firewalls, etc.)
6
Finding Confidential Data




Don’t assume you don’t have any
confidential data on your laptop
“Spider” from Cornell useful for finding
confidential data
http://www.cit.cornell.edu/security/tools
Searches files for SSNs and credit
card numbers
Lots of false-positives but still very
useful
7
Preventing Recovery of
Deleted Files

Deleted files easily recovered


“Eraser” freeware tool to securely delete
files (http://www.heidi.ie/eraser/)





Even after you empty the Recycle Bin
“Erase” Recycle Bin
“Erase” a file instead of delete it
“Erase” free space on hard drive
“Erase” a USB flash drive
“Media Sanitization” when disposing media
8
Record Identification Information



Record make, model, serial number
Take pictures of it
Label it with ownership and contact info





Engrave cover
Tamper-proof asset tag
Write on it with permanent marker
Distinctive symbols, art
Record network “MAC addresses”
9
How To Find Your MAC Address
In Microsoft Windows XP/Vista

Get a Command Prompt window




Select Start, then Run, then type cmd.exe
In the command prompt window, type
ipconfig /all
Look for the “Physical Address”, which is the
MAC address
For other operating systems, see
http://www-dcn.fnal.gov/DCG-Docs/mac/index.html
10
MAC address
11
Tracking & Recovery Software



If stolen, the computer contacts the company
who traces it and contacts law enforcement to
recover it
Computrace LoJack for Laptops from Absolute
Software (www.absolute.com) is an example
Pre-installed in BIOS on many laptops




Dell
HP
Have to buy the license to activate
Costs about $30-$50 per year
12
Wireless Safety



K-State, home, hotels, public “hot spots”
Rule of thumb – FEAR WIRELESS!
K-State information:
http://www.k-state.edu/infotech/networks/wireless/

General wireless security:
http://www.onguardonline.gov/wireless.html

Wireless terminology:
http://www.onguardonline.gov/wireless.html#glossary
13
Wireless Safety

Use encryption




WEP (weak)
WPA (strong coming to campus
soon)
VPN
Don’t work with
sensitive data in
public hot spot
14
Wireless Safety

Securing wireless at home
http://www.k-state.edu/infotech/news/tuesday/archive/2006/10-24.html#sectip



Use strongest encryption possible – WPA2
Restrict access to specific computers by
MAC address
Change default settings



Admin password for configuration interface
SSID
Do not broadcast SSID
15
Default SSID
No Encryption
16
Default SSID
Strong
Encryption
Weak
Encryption (WEP)
Default SSID
17
18
19
Virtual Private Network (VPN)




Encrypts all network traffic between your
computer and the K-State border
Makes your computer appear to be on
campus to get access to restricted
resources
Does NOT necessarily encrypt everything
that goes to the Internet (“split tunneling”)
Also does not encrypt traffic on campus
20
21
Virtual Private Network (VPN)


Must install “VPN Client” software
Information and software available at:
http://www.k-state.edu/infotech/networks/vpn/


Cannot use it on campus yet (to secure your
wireless, for example); will be able to soon.
If can get to Internet but not K-State, modify
the “Transport” configuration:


Enable Transparent Tunneling
IPSec over TCP
22
Disconnected
Connected
23
USB Flash Drive Security

No confidential data!





Too easy to lose, easy target of theft
Don’t use it as a backup device
“Erase” files so they aren’t recoverable
Encrypt files on it with TrueCrypt or Encrypted USB flash drives


Ironkey very popular https://www.ironkey.com/
View demo?
24
More Information…

K-State’s “Mobile Device Security
Guidelines:
http://www.k-state.edu/infotech/security/mobile.html
25
What’s on your mind?
26