<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Lithik Systems &#187; attacks</title>
	<atom:link href="http://www.lithik.com/tag/attacks/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.lithik.com</link>
	<description>Transforming businesses by bending technology to the will of our clients</description>
	<lastBuildDate>Thu, 26 Jan 2012 15:28:04 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Traveling Safely With a Laptop</title>
		<link>http://www.lithik.com/2009/04/09/traveling-safely-with-a-laptop/</link>
		<comments>http://www.lithik.com/2009/04/09/traveling-safely-with-a-laptop/#comments</comments>
		<pubDate>Fri, 10 Apr 2009 03:11:07 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[attacks]]></category>
		<category><![CDATA[autorun]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[FDE]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[laptop]]></category>
		<category><![CDATA[notebook]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[privilege]]></category>
		<category><![CDATA[secure]]></category>
		<category><![CDATA[theft]]></category>
		<category><![CDATA[USB drive]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www3.lithik.com/?p=142</guid>
		<description><![CDATA[Carrying a laptop has always meant a bit of risk. If you&#8217;re like me, you watch your bag like a hawk when you&#8217;re in a restaurant or in an airport. Laptops have always had great resale value on the black market, but with HIPAA, PCI, GLB and Sarbanes-Oxley violations costing organizations millions of dollars [...]]]></description>
			<content:encoded><![CDATA[<p>Carrying a laptop has always meant a bit of risk.  If you&#8217;re like me, you watch your bag like a hawk when you&#8217;re in a restaurant or in an airport.  Laptops have always had great resale value on the black market, but with HIPAA, PCI, GLB and Sarbanes-Oxley violations costing organizations millions of dollars to recover from a single information theft incident, the danger is at an all-time high.</p>
<p>It doesn&#8217;t have to be that way.</p>
<p>There are some tried-and-true, basic steps you can take to dramatically reduce the cost to your organization of data loss due to laptop theft or malicious penetration when using your computer in a public place.  Implement them all and you can come close to eliminating the possibility of a data breach.  The following steps are organized by the threat they mitigate.<br />
<span id="more-142"></span></p>
<h2>Theft</h2>
<p>The best way to deal with the risk of laptop theft is to ensure that the thief cannot possibly get any of your information off of the computer.  If you work for a real business, the cost of having private information (proprietary data, HIPAA Protected Health Information, PCI records, etc.) fall into the hands of the bad guys is immeasurably greater than the value of the physical laptop.  Insurance will probably pay for new equipment anyway.  Fortunately, good technology is available to protect your information at a reasonable price.  My favorite price is free.</p>
<p><a href="http://www.truecrypt.org">TrueCrypt</a> is a free, open-source, high-quality Full Disk Encryption (FDE) product.  It supports a wide variety of modern encryption algorithms that are sure to foil any information thief.  But remember that once somebody has possession of your computer, it would be a very simple thing to boot it from a CD-ROM containing an FDE password cracker, a tool that would make short work of a simple boot-time encryption password like &#8220;<a href="http://modernl.com/article/top-10-most-common-passwords">letmein</a>&#8221;.  So <a href="http://www.lithik.com/2009/08/04/creating-good-passwords">choose a really good password</a>, where really good means really long.  Something like &#8220;till the end of time&#8221; (20 characters) will keep any current password cracker hunting for a few hundred years, or until someone adds phrases from popular songs or the Bible to the word lists employed by these hacker tools. You can mix it up with strange capitalization or a misspelling (say, &#8220;@ the end of Time&#8221;) to make it even harder, but the best way to make it better is to make it longer.</p>
<h2>Packet Sniffing</h2>
<p>You may have confidence in your WPA2 wireless G network at work, but what about when you&#8217;re on the unencrypted wireless network at Starbucks or plugged into the Ethernet at your hotel?  This is where the Virtual Private Network (VPN) shines, and there&#8217;s a really nice one out there at my favorite price.</p>
<p><a href="http://openvpn.net">OpenVPN</a> is a free, open-source VPN tool that runs on Windows, Linux, and even wireless access points.  When using <a href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer">TLS</a> (the successor to SSL) to negotiate 256-bit AES encryption authenticated with 1024-bit RSA certificates, this is a solid protocol with excellent credentials.  When carried over UDP, it has none of the difficulty traversing <a href="http://en.wikipedia.org/wiki/Network_address_translation">NAT</a> routers or firewalls that bedevils <a href="http://en.wikipedia.org/wiki/IPsec">IPsec</a> users.  We set it up so that it&#8217;s always on, staying out of the way when no network is attached or when accessing public web sites, but connecting automatically when possible to allow secure access to corporate internal systems.  It&#8217;s especially secure if <em>all</em> your traffic goes through the VPN, even when performing such mundane tasks as browsing public web sites.  Setting up OpenVPN, however, is not for the faint of heart, so hire a professional to do it for you.</p>
<h2>Network Attacks</h2>
<p>Being sniffed is not the only threat you face on public networks.  You are also open to direct attack from other network dwellers, so don&#8217;t make it easy on them by leaving your file shares open to the world.  The best configuration is termed &#8220;stealth&#8221;, where your computer refuses to respond to any incoming traffic at all.  No file sharing, no iTunes sharing, no remote desktop and no ping.  Only <a href="http://en.wikipedia.org/wiki/Address_Resolution_Protocol">ARP</a> remains operational, and it has to, because without it other devices cannot deliver the replies to your outbound web and other requests.</p>
<p>Fortunately, you can probably have your cake and eat it too.  Windows XP has two separate sets of firewall configuration rules, one for when you&#8217;re attached to a corporate Active Directory domain and one for when you&#8217;re not.  If you use Active Directory at work, you can set up the &#8220;domain profile&#8221; to allow management by your IT staff and configure the &#8220;standard profile&#8221; to be stealth when you&#8217;re on the road.</p>
<p>If you use Vista, you have even more choices.  There are three different firewall profiles: domain, public and private.  With Vista, you can have one set of rules for work, one for your home, and one for Starbucks and other dangerous places.</p>
<p>But what if you work at a small place that doesn&#8217;t use Active Directory?  You still have options.  On Vista, you can use your private firewall profile for work and the public one for everywhere else.  If you&#8217;re running XP, though, it&#8217;s a little tougher.  Have your IT folks set up rules in your standard firewall profile that are very tightly fitted to their setup.  Perhaps allow Remote Desktop and remote administration only from the corporate server&#8217;s IP address.  It&#8217;s not perfect, but an attacker will never know the difference unless you just happen to be on a public network with the same IP network number as your office <em>and</em> he happens to have the same IP address as your corporate server.  Not perfect, but pretty darn good.</p>
<h2>Passive Attacks</h2>
<p>Nearly all successful penetrations of home or corporate desktops occur through passive attacks such as visiting an infected web site or opening an infected e-mail attachment.  We&#8217;re so familiar with this kind of attack that it should come as no surprise that the mitigation is also familiar.  Keep your computer up-to-date with all the latest Windows and other patches, and use a good antivirus system.  Set your computer to update automatically with Windows as well as other applications: Adobe Reader, Flash, Apple QuickTime, etc.  Not all antivirus systems are created equal, either.  Check out <a href="http://www.av-comparatives.org">AV-Comparatives.org</a> to find out which are the best.</p>
<h2>&#8220;Drive-by&#8221; Attacks</h2>
<p>Someone plugs a hacked USB drive into your computer.  Or they load a CD-ROM while you&#8217;re in the bathroom.  Or you leave it unattended and someone reads your e-mail or steals a file by e-mailing it to himself.  These scenarios tend to be more paranoid than the ones above because you typically leave your computer unattended only in environments where the people are trustworthy.  Or so you think.</p>
<p>We keep hearing the statistic that 80% of all data breaches are perpetrated by insiders, but we can&#8217;t think of anyone where we work who would ever do that.  But they must exist, and, of course, any such person would keep such evil thoughts very, very private.  So let&#8217;s make a few changes that keep easy access to your computer just out of reach.</p>
<p>The first and easiest step is setting up a locking screensaver.  On nearly every screensaver, there is an option to have it prompt for a password before returning to normal operation.  Some computers also allow you to set up a quick and easy way to engage the screensaver, such as moving the mouse pointer to one of the corners of the screen.  Or you can press the Windows logo key (if you have one) plus the L key to immediately engage the screensaver.</p>
<p>Sometimes the Windows autorun feature is handy, but just as often I find it annoying.  But it can be positively dangerous if inserting a USB drive or CD-ROM automatically runs software from the device, especially if you think your computer is safe because the screen is locked.  Get rid of this behavior by <a href="http://www.lithik.com/2009/10/22/disabling-the-windows-autorun-feature">disabling autorun</a> (not autoplay&mdash;that&#8217;s different and not dangerous).  Just google for the phrase &#8220;disable autorun&#8221; and you&#8217;ll find dozens of step-by-step recipes.</p>
<p>Finally, any malicious person or software will find it much more difficult to infect your computer if you log in under an account that does not have administrative powers.  You need to be an administrator to do things like install new software, but that&#8217;s best done in a separate account.  Go to Control Panel -> User Accounts and create a new login with account type set to Computer administrator, then change the type of your regular account to Limited.  This is what Apple recommends its users do on OS X, and it plays a significant role in making Macs more secure than Windows computers.</p>
<h2>Summary</h2>
<p>You <em>can</em> carry a secure laptop, and it doesn&#8217;t have to be painful or expensive.  Here&#8217;s the list again:</p>
<ul>
<li>Use Full Disk Encryption (FDE)</li>
<li>Choose a <em>long</em> FDE password</li>
<li>Use a VPN to connect to your company&#8217;s systems</li>
<li>Set Windows firewall to <em>stealth</em></li>
<li>Configure Automatic Updates</li>
<li>Install a good antivirus system</li>
<li>Use a locking screensaver</li>
<li>Disable autorun</li>
<li>Use a non-privileged account for normal computer uses</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2009/04/09/traveling-safely-with-a-laptop/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>“This is a Cyber-Stickup”—A CEO Briefing on CyberCrime</title>
		<link>http://www.lithik.com/2006/05/18/this-is-a-cyber-stickup-a-ceo-briefing-on-cybercrime/</link>
		<comments>http://www.lithik.com/2006/05/18/this-is-a-cyber-stickup-a-ceo-briefing-on-cybercrime/#comments</comments>
		<pubDate>Fri, 19 May 2006 02:01:38 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[attacks]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[owned]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www3.lithik.com/?p=70</guid>
		<description><![CDATA[A Day in the Life of a Hacker Although the weather was rainy and bleak in Sofia, Bulgaria, Yevgeny had a spring in his step as he quietly slipped up the stairs to an almost empty room above the Onda coffee shop with its valuable wireless Internet connection. He would have to wait to get [...]]]></description>
			<content:encoded><![CDATA[<p><strong>A Day in the Life of a Hacker</strong></p>
<p><em>Although the weather was rainy and bleak in Sofia, Bulgaria, Yevgeny had a spring in his step as he quietly slipped up the stairs to an almost empty room above the Onda coffee shop with its valuable wireless Internet connection. He would have to wait to get his morning “Americano” coffee until he checked on the state of his “import/export” business. Sure enough, his e-mail contained an anonymous order for up to 250,000 “dolls” and an additional order for as many “cribs” as he could obtain.</em></p>
<p><em>Yevgeny had spent the last several days improving his software to assure a targeted, automated, consistent flow of inventory that would have a much lower percentage of “damage” as he euphemistically called it. He had developed quite a reputation for delivering reliable goods to buyers who had customers waiting to fully exploit what he sold. Yevgeny always chuckled at the use of dolls and cribs as descriptions of compromised user accounts and servers. It made him feel like the 007 that he had seen in American movies. It certainly didn’t hurt with his friends who viewed him as a very worldly, successful man. Why, this month he was on pace to make $600, three times the income of the average Bulgarian. With his new scripts, he would not only double his income, but he would begin to initiate his plan to advertise for some “entrepreneurial software engineers” to enlarge his one-man shop. Within a year his dream of a 1600 square foot, palatial luxury apartment in the Lozenets district would be realized, making him neighbors with American diplomats and foreign business executives. It would be a nice change from his 350 square foot apartment.</em><br />
<span id="more-70"></span><br />
<em>With a sudden lunge for his keyboard, Yevgeny jerked himself from such unprofitable dreaming. Now to check inventory. Indeed, it had been a good night’s work as his newly refined little software servant had performed wonders. Just look at all of those bank account numbers and passwords, too! And the best part was that most of them were from smaller companies without the resources to track him, although as a Bulgarian, he could care less. Not only would he fill all of his standing orders, he also had a bit left over to develop new buyers. Tonight he would have to join his friends at Chervilo for their customary night of celebration. As he lit his imported Marlboro, all he could think was, “God bless America, mother of opportunity!”</em></p>
<p>Does this read like a dime store novel? Perhaps, but this is the state of cybercrime in 2006.</p>
<h3>A short “Hacker History”</h3>
<p>The very first “port scanner” was called SATAN, released in 1993 by Dan Farmer. A port scanner is a tool used by network administrators and hackers alike for examining a system or network in depth, reporting on the services being provided by each machine and revealing potential weaknesses. SATAN, short for “Security Administrator Tool for Analyzing Networks”, was widely reviled in the press ostensibly because of its purpose, but also because of the implication its name gave to nefarious use. At the time I was a co-founder of Morning Star Technologies, where we were just beginning to experiment with possible applications of our newly invented Dynamic Firewall technology. In response to the buzz about SATAN, we wrote a rule that would detect port scans, tested it internally, and deployed it on our corporate firewall. Finally, after waiting a couple of weeks, one of our support staff came running into my office saying, “Look at the firewall logs!” Sure enough, the rule had detected and shut down access to someone probing our network.</p>
<p>Eight years later in 2001, I was testing my brand new cable modem connection with my brand new laptop and preparing to install my brand new firewall. Within a few seconds of connecting the cable modem to the laptop’s Ethernet port, my personal firewall displayed a pop-up window telling me that someone was trying to get into my computer. Closing the pop-up, I went back to work, but was interrupted again by another pop-up. And another. And another, every ten or fifteen seconds, until I disconnected the network cable and configured the firewall to ignore all inbound connection attempts.</p>
<p>These two stories illustrate basic differences between Internet security in its early days versus what we’ve seen in recent years. Thirteen years ago the Internet was still a friendly place, where probes against your firewall were probably just a system administrator with time on his hands trying out the latest network diagnostic program. His motivation? Curiosity. That, and the love of seeing a cool tool “work.” Was he a criminal? Probably not, although his ethics could certainly be questioned. The nearly continuous attacks back in 2001 were a completely different story; those probes were probably still individuals, but they had different goals. They wanted to break into my machine, to “own” it, to completely control it.</p>
<p>Were they criminals? Absolutely. But they were still loners, hackers working on their own, using the latest automated tools to search through huge numbers of Internet-attached computers, trying to find the ones that exhibited the specific weakness that they were looking for. Then they’d take the list of vulnerable computers their scanner had harvested and, one by one, they’d apply a specially crafted program called an “exploit” that knew exactly how to turn that weakness into total access.</p>
<p>Once they owned the machines, they’d use them for a variety of purposes. One important use was to help them cover their tracks. Rather than attacking a target directly from their own computer, they’d use one of their “owned” systems as a relay. Or two. Or more likely, twenty-five or fifty. Another use was to express their displeasure with whatever organization they currently had a beef with, be it Microsoft, the White House or their least favorite spammer. Sometimes all they’d do is deface the victim’s web site. But a more satisfyingly destructive strategy was to direct dozens or even hundreds of owned machines to send a continual stream of inquiries to the victim’s web server, flooding it so thoroughly that it would be unable to process legitimate requests.</p>
<p>But nearly every purpose was personal in some way—something that helped them hack other systems, something that made them feel better, or something that allowed them to express themselves or gave them bragging rights among their fellow hackers. There were a few professionals, stealing credit card numbers or transferring money from a victim’s account into theirs, but most were amateurs, doing it for the love of the game.</p>
<h3>A Critical Turning Point—Viruses and Worms</h3>
<p>Independent of this initial community of vandals that acquired the title “hacker,” certain programmers began developing viruses and worms that they would release into “the wild,” again, just for the sport of seeing them run. An incredible amount of damage was done because their experiments were just too successful, replicating at such prodigious rates that it often took whole teams of IT staffers to extinguish the virtual flame fronts roaring through corporate networks. Again, the authors were motivated almost exclusively by personal pride in having done something “big.” The 1999 Melissa virus appeared to have had no purpose other than propagation and fame. The Code Red worm of 2001 defaced Microsoft IIS web servers and then launched denial of service attacks against the White House and other sites. The Slammer worm of 1993 infected most of its 75,000 victims in a single ten-minute period, but performed no actions other than spreading rapidly. It did that exceptionally well, overwhelming hundreds of major backbone connections and essentially performing a denial of service attack on the entire Internet. These were all criminal activities, to be sure, but they were the work of vandals, not thieves.</p>
<p>But the potential of this new technology did not go unnoticed by the rest of the criminal world.</p>
<h3>A Change in the Basic Nature of Attacks</h3>
<p>Symantec provides an amazingly valuable service to the entire IT and security world by publishing its Symantec Internet Security Threat Report twice a year. This voluminous document draws from an immense volume of security data Symantec collects, providing analysis of past events and predictions of what to expect in the future. Let’s look at some of the trends:</p>
<h4>Financial Services Targeted</h4>
<p>Prior to 2005, attack victims appeared to be randomly chosen. Attacked and penetrated systems were more or less evenly distributed over all sites, from business to education to personal systems. But in the first half of 2005, Financial Services organizations leaped to third place, and by the second half of the year held first place by a commanding margin. Why? Because “that’s where the money is.”</p>
<p>The core focus of most profit-based attacks is the acquisition of information. Today’s most popular malware programs are those that allow attackers to record keystrokes, steal passwords, and download files from the compromised host. Theft of account names and passwords leads to theft from on-line financial accounts; theft of credit card information leads to fraudulent charges; theft of client account information leads to identity theft. 2005 saw the percentage of threats that targeted confidential information rise from 54% of all attacks to 80%.</p>
<h4>Attack Code Exhibits Greater Maturity</h4>
<p>Much of today’s malicious code is purposely designed to be small, with limited functionality. Once entrenched, however, the latest versions of these “bots” (short for robots) download additional modules that enhance their abilities in various ways. These include updating to later versions to overcome defenses recently developed by the security industry, or responding to detected local security software by installing weapons designed to overcome the discovered defenses. Many newer bots are employing a technique referred to by the press as a “rootkit” that allows the malicious software to make itself undetectable by virus scanners or other security software running on the same machine. Bots can also download components that refit the compromised machine to accomplish specific roles, as would be required when the machine’s “owner” sells it to another criminal for a specific purpose such as hosting Denial of Service attacks, Spam forwarding, keystroke logging, adware installation, or stealing confidential data. Over the course of 2005, this type of exploit rose from 63% to 88% of all malicious code.</p>
<h4>Attack Code Gains Commercial Status</h4>
<p>Increasingly, information on discovered vulnerabilities is now being sold, often to the highest bidder on eBay-like black market sites. In 2003, only a small handful of vulnerabilities were sold privately instead of being released to the public. In 2005, that number had increased to well over 100. As organized crime increasingly recognizes the economic value of unpublished vulnerabilities, they will exploit those weaknesses and sell the know-how to others who will do the same. Meanwhile software publishers are increasingly left in the dark about security flaws in their products, discovering them only when security companies catch viruses and worms in the act of penetrating customer systems. This time gap between hacker discovery and software vendor (e.g. Microsoft) discovery creates a huge window of opportunity available for exploitation and makes it increasingly difficult for businesses to defend against newly developed attacks.</p>
<h3>In the End It <em>Is</em> About One Simple Thing</h3>
<p>Just imagine, in the past 20-25 years the act of hacking has “progressed” from an exercise of the curious, to an act of a maladjusted “geek”, to an exploit of a privateer, to a highly organized business run by big crime. The truth is that Yevgeny in the opening story is far outnumbered by the Russian mafia and by crime syndicates in China, Bulgaria, North Korea and other places where western law enforcement cannot protect your ability to safely conduct business. And why would they not operate this way? It is efficient, clean, highly profitable with very little possibility of being caught and prosecuted. And with the “no boundaries” nature of the Internet, it is very possible to rob a small bank in Ohio for far more than the typical armed bank robber carries out the door. And the worst part of it is, you never see the gun or their face or a withdrawal slip when these 21st century criminals transfer money from your bank accounts into theirs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2006/05/18/this-is-a-cyber-stickup-a-ceo-briefing-on-cybercrime/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

