80 Irish government laptops stolen/missing

probe

While the files on the blood donor laptop seem to have been encrypted, and probably only 0.1% of the US population would have the inclination or ability to have a go at decryption (and hopefully the information would be of no interest to them because it was “foreign” and didn’t appear to have Visa or MasterCard numbers), the effectiveness of good encryption is down to the quality of the password – in the absence of multi-factor authentication. Using a brute force attack, where a computer tries every combination of password until it “gets in”, data on a laptop is a sitting duck if it is only protected by a password.

A really strong password is impossible to remember, for the average person.

1) One has to question why people have to walk around in public with PCs carrying large datasets of personal information (eg 174,324 blood donor records). Did they get the consent of each individual data subject (data victim?!) for this risk to be taken?

2) Why aren’t all government laptops carrying personal information required to have multi-factor authentication? Such as a smart card. The card gives the user 3 or 4 chances to enter the correct password, and if they repeatedly get it wrong it shuts the card down. In the same way as if someone steals your mobile phone – if it is switched off, and your PIN isn’t “0000”, the chances of someone stealing the phone and making calls on your subscription are close to zilch. Laptop smart cards have a far more complex password than a four digit number. If the laptop is recovered or the card gets accidentally blocked, it can be unlocked by the equivalent of a mobile phone PUK code – only more complex – such as “6!H"'{;6$q/j[daiM.R?#zN)'-3Cl@\<S(2|;L#p8PEzt[l@xx^3M))-D1,ESo-“.

With the computing power and hacking software readily available today, user IDs and passwords are no longer enough to protect important information, and it is grossly negligent for people to rely on them when handling other people's personal data or processing financial transactions.

.probe

http://www.independent.ie/national-news/alert-as-170000-blood-donor-files-are-stolen-1294079.html

mickoneill30

probe wrote: »

Using a brute force attack, where a computer tries every combination of password until it “gets in”, data on a laptop is a sitting duck if it is only protected by a password.

If only the IT people thought of a system that locks you out after 5 or even 10 attempts. :rolleyes:

We use a system on our laptops that encrypts your HDD and pops up a logon screen right after the BIOS check. If you get it wrong 5 times you're locked out and need to go through a procedure with IT to get it unlocked. Brute force isn't much use there.

It's true though that business fights you every step of the way to resist any kind of security mechanism (what we've implemented isn't half as secure as what we'd put on if allowed). The usual response is that "I don't carry important information around with me". It's only when something happens and they realise that by skimping on security or IT that they come back and start blaming IT for not making them secure enough. I'll bet you that the managers of that Blood Transfusion Service in NY were warned by IT about the dangers before they lost the data. I'll also bet you that they'll invest in protecting their data now. The words stable door, horse and bolted come to mind.

probe

mickoneill30 wrote: »

If only the IT people thought of a system that locks you out after 5 or even 10 attempts. :rolleyes:

We use a system on our laptops that encrypts your HDD and pops up a logon screen right after the BIOS check. If you get it wrong 5 times you're locked out and need to go through a procedure with IT to get it unlocked. Brute force isn't much use there.

It's true though that business fights you every step of the way to resist any kind of security mechanism (what we've implemented isn't half as secure as what we'd put on if allowed). The usual response is that "I don't carry important information around with me". It's only when something happens and they realise that by skimping on security or IT that they come back and start blaming IT for not making them secure enough. I'll bet you that the managers of that Blood Transfusion Service in NY were warned by IT about the dangers before they lost the data. I'll also bet you that they'll invest in protecting their data now. The words stable door, horse and bolted come to mind.

While the security you mention is better than nothing, the difficulty with it is that the IT department just uses another code to unblock the PC security. The PC department’s “supercode” is just as open to a brute force attack…..

With a smart card, one has only a few chances to enter the unblocking code – after that point, the smart card locks down permanently.

When somebody gets a new laptop, there is invariably nothing on it - and it is often not intended that they will have large datasets of personal information. But things change, and time moves on, and people break rules - and I suspect that very few people say to themselves "today my laptop has reached the stage where it has some serious stuff on board and needs to be secured" - and take the appropriate action at that point.

.probe

mickoneill30

probe wrote: »

While the security you mention is better than nothing, the difficulty with it is that the IT department just uses another code to unblock the PC security. The PC department’s “supercode” is just as open to a brute force attack…..

Eh no it's not. When the user enters the wrong password enough times they only have the option to unlock their account. When they click this they get an encrypted key. This key has to be read out or given to IT admin who verifies the identity of the user and then enters this key on the server which gives a response. Then that number is to be entered on the client laptop. This is not unusual stuff I'm talking about here.

You're right about the laptop being empty at the start though. An IT person has to assume that everything on the laptop is important. You can't pick and choose (and you'll get blamed if something important gets lost) so better to just encrypt everything from the start.

Screaming Monkey

...and what happens if i make an image of the laptop disk, with norton ghost or some such tool, then i can put in on another machine or VM and brute-force the “supercode” at my leisure..

as a side note Truecrypt version 5.0 has full disk encryption now, its pretty nice, requires you to create a backup cdrom, which is a pain if you just want to play around with it..

mickoneill30

Screaming Monkey wrote: »

...and what happens if i make an image of the laptop disk, with norton ghost or some such tool, then i can put in on another machine or VM and brute-force the “supercode” at my leisure..

This is what happens.

The laptop gives out code
xjsdfhjhewruyeruydsfjsdhfdsjfhdsfjheuy - Not exact but you get the idea.
Your brute force tool responds with
dkfjasdkfhjuweiruweiruweiruweiruewiru
I've no idea what the odds are of it getting the correct key for this. Would you say big? This is not like the film Swordfish or Hackers. The standard movies codes of Override all passwords or even just password or the users dogs name won't work here

After about 20 seconds it pops up saying you've entered an incorrect response, please try again.

The laptop gives out a brand new code
kadsfjkasdfjdskfjsdkfjsdkfjsdkfjsdkfjsdkj
Your brute force tool responds with
eiruewiruewiruewirewiruweirueiruieieiei

Are you getting it now? The code changes every single time so you're never going to break it using brute force.

I'm sure it's not foolproof. Nothing is. But it's not bad.

ntlbell

Don't worry it's all ok now.

We have appointed a new director of internet security to make the world a safer place.

Nothing to see here now.

probe

mickoneill30 wrote: »

This is what happens.

The laptop gives out code
xjsdfhjhewruyeruydsfjsdhfdsjfhdsfjheuy - Not exact but you get the idea.
Your brute force tool responds with
dkfjasdkfhjuweiruweiruweiruweiruewiru
I've no idea what the odds are of it getting the correct key for this. Would you say big? This is not like the film Swordfish or Hackers. The standard movies codes of Override all passwords or even just password or the users dogs name won't work here

After about 20 seconds it pops up saying you've entered an incorrect response, please try again.

The laptop gives out a brand new code
kadsfjkasdfjdskfjsdkfjsdkfjsdkfjsdkfjsdkj
Your brute force tool responds with
eiruewiruewiruewirewiruweirueiruieieiei

Are you getting it now?

I'm sure it's not foolproof. Nothing is. But it's not bad.

So what? You image the laptop disk on another machine as was suggested, and you can still do a brute force attack on it. You’ll only be “fighting” a code that a human being can enter (ie of the “dkfjasdkfhjuweiruweiruweiruweiruewiru” variety) – ie a bit difficult but not a problem if you have the computing kWs to throw at it.

If you have a properly set-up smart card encryption system, and someone images your hard drive they effectively have to brute force break a long long code like:

mQGiBEe8a20RBADnHjVQZGQK5u1CLpqS2cuzC1trNIx1KG5ELEYC7SsrAkNaWquZ
0sUXj0iKIhFT9m73WCsf6OaivmeO8IeeooQ0laf7b4gE/Puxa1IBRgBTSqCu8Leo
Msj5vmriwkX3z8NUXBWcx0LLQgcgy7XAzzzevSUZYY6L7Bykcg4nFO86sQCg/0Xa
li4PKy2+snMh1igkGhE+cGcD/0NKYbkIscbTtxoZvg61XwB/WxDLE3eDSBJdohuf
iWJPLQqhn+2wSk21qQTyNob/0iF4SjOEgfXHRQWZQiC7dvAOpbdUVscwgeKsu/gY
++nWr4unUqcra9RtgqrMxtTt8YDIOHRnwYlfoVdmUCZh3syyVhWiOWA5pYa9SX2i
pTfpA/9TMD6CEmLfoykRkXq82e2cw12Gzn4MM1m5AY0okIO07eTjyko0Df6JXv6J
kjcpTwYklYbndi9SMkWzNRBA99s3djGuRJByhOwmAlhQHC+ojo46JIQpwQ28E0QV
DNxCOX9xqwe4pSl1Lyz6zn5L6GlEwn3TOWwXQCnuFTexyGmqULQeVGhpcyBpc2Eg
dGVzdCA8dGVzdEAyVEVTVC5jb20+iQBYBBARAgAYBQJHvGttCAsJCAcDAgEKAhkB
BRsDAAAAAAoJEEPxaILYPzH8MNEAn19nDUP9KySyDtpxqjPSgxkzYmBWAKCpjnXw
SPQOA1PvrCwvg++xP/DJf7kEDQRHvGttEBAA+RigfloGYXpDkJXcBWyHhuxh7M1F
Hw7Y4KN5xsncegus5D/jRpS2MEpT13wCFkiAtRXlKZmpnwd00//jocWWIE6YZbjY
De4QXau2FxxR2FDKIldDKb6V6FYrOHhcC9v4TE3V46pGzPvOF+gqnRRh44SpT9GD
hKh5tu+Pp0NGCMbMHXdXJDhK4sTw6I4TZ5dOkhNh9tvrJQ4X/faY98h8ebByHTh1
+/bBc8SDESYrQ2DD4+jWCv2hKCYLrqmus2UPogBTAaB81qujEh76DyrOH3SET8rz
F/OkQOnX0ne2Qi0CNsEmy2henXyYCQqNfi3t5F159dSST5sYjvwqp0t8MvZCV7cI
fwgXcqK61qlC8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ
+AyDvWXpF9Sh01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm
/xX5u/2RXscBqtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1F
HQ98iLMcfFstjvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzh
sSlAGBGNfISnCnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZ
Jrqrol7DVes91hcAAgIQAOC0uJVz08/kl5d8HZgrGA4CdU0iyc75Cm1hxEIVLKVE
X1FrpByBB2u135ml2070mnsDExbsFVrbP6jlL8FBgxUPToOY9PQHOjBrVzpljWlp
xr7fcFEra9xZo+F6APy15ttMs/an9zsol4JIWk7P/h+sZ7Ko8grlS4/EWcp+e/9B
MEep2q2xmLu/6sDcCET/nvk1Yh1Gv6jJvlgxOOUw2TOGNO4/jENcW1+ccVtSSGA+
K7mNqTciCmpETz+AA7jbV7rq0umrCjTb3/+4ZpSVVqyekgKh7Fdn9qz0L6EFnOPP
yAdp2StXQQa+eFhwit4oYplqKCCX5Gg+w3D4QOHFOX4RWrHj9QDAeapNoL74YMCq
hTP115hL07OHQvq5wVYeDwewRUbYeiz4unceyOWgnf5d8ZQX+7Em/u/uxo/7b6+Q
dIg2JQS6qGDrSfK+qGecqGgANEB5e3jnZ0uT+3eNuoIZbiX651soFJni0Rud7FnS
OW4idqY5zRc4AB9QDeCm2gsx3nnsklogwV1b19r0RwFnL0ct1Zfwt9gPPAv9oaP+
oxUDhcQsqNrU1dAU+cY7WVbauocUjpNa14Qfeuq1i9lsm9qeKHA1Fo+O3R+C3ui3
tTWPYrv/K64dVEYLjO2C8YYm+1hOwRbz4RHjD9lGuXVkErMdrPEUBDmrWv+iKEtt
iQBMBBgRAgAMBQJHvGttBRsMAAAAAAoJEEPxaILYPzH8mm0An1ZEMsPNorD/GZss
GOoH43/+Js1UAJ4nSJShMYCkUtz0NfFQsFipehVs1g==
=UIBZ

Try breaking that starting with aaaaa, aaaab, aaaac etc etc…..

In addition to shutting down during an attack attempt, the smart card does all the hard work storing and communicating long keys to the encryption software on the hard drive.

.probe

Martyr

"We are always aware of the potential for data loss and took all measures to ensure that state-of-the-art data encryption was used. The records were on a CD that was encrypted with a 256-bit encryption key,"

can anyone verify the software used?

Cantab.

Average Joe wrote: »

can anyone verify the software used?

256-bit encryption ain't bad. I'd say there are a handful of governments around the world that could crack these codes if they really needed to.

Martyr

im not arguing with that, cantab.

you could have 448-bit blowfish encryption to protect a file, but if you only use a 32-bit password, it won't take much effort for a personal computer to crack that.

i was curious to know what actual application is used to protect the data..if they used any at all..

the very fact any data like that was outside the country is bad enough.
makes you wonder if they have any crypto applications to protect information in their possession.

wouldn't be surprised at all.

Try breaking that starting with aaaaa, aaaab, aaaac etc etc…..

elcomsoft have a tool to attack pgp keys, with support to run on GeForce 8-series GPU, but its probably not that useful unless you use a distributed attack.

and there are some more effective ways to generate potential passwords rather than straight brute forcing the key..

accessdata have some interesting technology using FPGA..passwordspro is also good program for generating password lists - neither of these attack pki algos AFAIK.

probe, you know that even if all employees had smart cards, or MFA, chances are..the end user would still be an idiot and place the file somewhere they shouldn't have or use a crap password to protect it, worse..for convenience, use the same password for access for say..their webmail, where autocomplete is used!! and can be recovered easily - the list of possibilities goes on.

probe

Average Joe wrote: »

probe, you know that even if all employees had smart cards, or MFA, chances are..the end user would still be an idiot and place the file somewhere they shouldn't have or use a crap password to protect it, worse..for convenience, use the same password for access for say..their webmail, where autocomplete is used!! and can be recovered easily - the list of possibilities goes on.

1) You can overcome that by specifying a minimum password complexity in the smart card security set-up. eg: Specify a minimum of 8 characters with at least one non-alphanumeric - and encrypt the entire of all drives on the laptop. That prevents data misplacement on the laptop and milking autocomplete stuff. Critical files can be identified and encrypted themselves at their origin - to prevent them from being "backed up" to DVDs in an unencrypted version from the laptop or elsewhere.

2) With smart card security, the attacker only has 3 to 5 chances to get the correct password - then the card locks up.

3) This password has nothing to do with the encryption key that the smart card supplies to the encryption software on the hard disk. That key is similar to the one I posted above in http://www.boards.ie/vbulletin/showpost.php?p=55191045&postcount=8

When you hang out the image of the laptop hard drive on a "super computer" array, the system has to crack that tough cookie. My guess is that it would take several thousand years. In mathematical reality the key is even tougher, because a 256 bit AES symmetric key, is approximately equivalent to a 15,360 bit asymmetric key. The key I cited above is only 4,096 bits asymmetric.

Multi-factor authentication is the only way to go, and it can be engineered to prevent morons from messing up the system and allowing criminals to benefit from our personal and financial information.

Putting one's lawyers hat on, governments, financial institutions and companies who don't use it (and use it properly) are almost certainly legally liable to data subjects for losses incurred as a result of their negligence with personal information. And logically, in the case of financial institutions, that liability might also attach to the regulatory bodies in certain instances (ie if the regulatory bodies don't require these security measures to be used by the companies they regulate and license).

.probe

Martyr

3) This password has nothing to do with the encryption key...

so why did you say the following:

Try breaking that starting with aaaaa, aaaab, aaaac etc etc…..

i assumed you were discussing the keyring..but if you mean recover the private key, then of course, it would have nothing to do with passwords.

the key you posted looks like a pgp key..i didn't try to decode it yet

When you hang out the image of the laptop hard drive on a "super computer" array, the system has to crack that tough cookie. My guess is that it would take several thousand years. In mathematical reality the key is even tougher, because a 256 bit AES symmetric key, is approximately equivalent to a 15,360 bit asymmetric key. The key I cited above is only 4,096 bits asymmetric.

what do you mean by "cookie" ?
how did you conclude that 256-bit AES is equivilant to 15,360 asymmetric bits?
is that in an article?
also, wouldn't ecc be more appropriate technology for smart cards?

Multi-factor authentication is the only way to go, and it can be engineered to prevent morons from messing up the system and allowing criminals to benefit from our personal and financial information.

well, can you tell us all how much a system like this would cost the taxpayer?

perhaps some simple policies on how data is stored/accessed would be more effective, as long as its properly enforced.

why not enforce a policy that no data is allowed to be taken off the computer network and stored on any type of media (cdrom,usb stick..etc) or portable device.(laptop,pda,phone) ??

access to data should be logged and audited on a regular basis.

lostexpectation

question is how many laptops get stolen each year, is the gov latops total higher then average, would there be vunerabilites in the maerican contractors taking this information on the net? instead of physically

probe

Average Joe wrote: »

so why did you say the following:

I was trying to get across the gargantuan task of breaking a long key, by trial and error, using brute force, in as simple a manner as possible. While you may understand the issues, many people find some crypto concepts challenging to get their head around.

the key you posted looks like a pgp key..i didn't try to decode it yet

Yes, it’s my top secret private key. Have as much fun with it as you like…

what do you mean by "cookie" ?

You mean “tough cookie”! A dictionary might suggest something like:
Able to withstand great strain without tearing or breaking; strong and resilient
Physically hardy; rugged

how did you conclude that 256-bit AES is equivilant to 15,360 asymmetric bits?
is that in an article?

http://www.nist.gov/ appears to hold this view. While there may be some argument as to the exact bit equivalence, the general concept is well established in cryptography.
In http://en.wikipedia.org/wiki/Key_size it is stated:

“Asymmetric algorithm key lengths

As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys. RSA claims that 1024-bit keys are likely to become crackable some time between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. An RSA key length of 3072 bits should be used if security is required beyond 2030.[2] NIST key management guidelines further suggest that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys.

One of the asymmetric algorithm types, elliptic curve cryptography, or ECC, appears to be secure with shorter keys than those needed by other asymmetric key algorithms. NIST guidelines state that ECC keys should be twice the length of equivalent strength symmetric key algorithms. So, for example, a 224-bit ECC key would have roughly the same strength as a 112-bit symmetric key. These estimates assume no major breakthroughs in solving the underlying mathematical problems that ECC is based on. A message encrypted with an elliptic key algorithm using a 109-bit long key has been broken by brute force.”
See Table 3 http://csrc.nist.gov/groups/ST/toolkit/documents/kms/guideline-overview%20(b-w).pdf

well, can you tell us all how much a system like this would cost the taxpayer?

The question surely is how much does it cost the taxpayer if less than world class best practice technologies are applied to the protection of each individual’s personal and financial data. The risks are increasing as each year goes by as more and more people are walking around with laptops, many containing large datasets of personal information. Leaving them in pubs on a Friday night, etc. Ireland has changed over the past 10-15 years from being a state with a low bureaucratic burden on the public – to one of the most bureaucratic in the world, with virtually every EU directive implemented in the most laborious and gilt edged way (putting the country in an ever decreasing position of competitive advantage)– and much of this data arising from this bureaucracy is warehoused forever and a day.

An example from today’s Irish Times under the heading “Personal data being put online by councils” tells of local authorities putting people’s very private data including bank account numbers, credit card details, ID numbers, medical reports etc etc on local authority websites, searchable by google! “Fingal County Council, which has been placing information online for around five years said it has up to 10,000 files online and it would not have the resources to review them.” So they stay up there online? The general attitude of the public sector to these issues is alarming.

If the government was concerned about the cost of IT, it would be using open source solutions. Perfectly adequate open source laptop security software exists – and if the state has bought a load of badly specified laptop computers with no smart card readers built in, they can use a €15 USB memory stick on the legacy kit with this open source software software as a poor man’s smart card third factor device.

perhaps some simple policies on how data is stored/accessed would be more effective, as long as its properly enforced.why not enforce a policy that no data is allowed to be taken off the computer network and stored on any type of media (cdrom,usb stick..etc) or portable device.(laptop,pda,phone) ??

How do we know they will be adhered to? People on the move with laptop computers are very difficult to keep on a leash.

access to data should be logged and audited on a regular basis.

Absolutely, but that is only part of the overall system of internal control. It wouldn’t have stopped the bloodbank data or the 26 million personal records that got into the wild in GB.

.probe

stevenmu

Am I right in saying that the data wasn't actually on the laptop, that it was on a disc that happened to be on the laptop when it was stolen?

This would make me suspect that whoever put the disc into the laptop in the first place was obviously expecting to be able to read it, and that the laptop probably has the decryption software and key required stored out in the open somewhere on it.

probe

stevenmu wrote: »

Am I right in saying that the data wasn't actually on the laptop, that it was on a disc that happened to be on the laptop when it was stolen?

This would make me suspect that whoever put the disc into the laptop in the first place was obviously expecting to be able to read it, and that the laptop probably has the decryption software and key required stored out in the open somewhere on it.

The IBTS website states: "We are always aware of the potential for data loss and took all measures to ensure that state-of-the-art data encryption was used. The records were on a CD that was encrypted with a 256 bit encryption key. These records were transferred to a laptop and re-encrypted with an AES 256 bit encryption key. This represents one of the highest levels of security available and to our knowledge there is no record of a successful attack against this level of encryption." It is not really clear if the CD was also in the laptop at the time of the mugging.

If you rent a car, and the car is stolen during the rental period, the value of the car will be covered by the theft insurance in the rental contract – generally with the proviso that the renter returns the car key to the rental agency.

If the renter can’t return the key, there is a presumption that the renter left the key in the car, thereby facilitating its theft. In such circumstances many/most car rental contracts make the renter liable for the full cost of replacing the car. It tends to concentrate the renter’s mind into never leaving the key in the ignition even for a minute while they fuel up the car…

One would have thought that similar sanctions could be applied to employees who leave security smart cards, security related USB keys or written down passwords in or near laptop computers – particularly when they are in transit outside the confines of a secure office building. Lose the security “key” with the PC, and you lose your job! Tough financial sanctions being imposed on sub-contractors with the same objective in mind. One wonders what financial or sanctions the IBTS imposed on their US subcontractors in the event of data loss? They make a vague reference to some "European Commission" approved legal document to "facilitate the transfer of personal data". Presumably they are referring to the "Safe Harbor" agreement on data transfer. A bit of spin in other words, in an attempt to cover their rear ends.

.probe

http://www.ibts.ie/press_rel.cfm?mID=6&sID=94&ssID=22&yr=2008&relID=61#61

Martyr

The IBTS website states: "We are always aware of the potential for data loss and took all measures to ensure that state-of-the-art data encryption was used."

Yes, i heard through a confidential reliable source that this data encryption is by private-file provided by MANK security group..it has 256-bit AES crypto.