back to article Friday security roundup: Secret Service laptop bungle, hackers win prizes, websites leak

Friday is usually a good day to bury bad news and there are a number of stories bubbling under before we all head out for the weekend. US Secret Service lost a laptop The US Secret Service has admitted that one of its agents' cars had been broken into by persons unknown, and a laptop was stolen, along with other items. The …

  1. streaky
    Black Helicopters

    Permission

    not permitted to contain classified information

    This is in no way incredibly naive, honest, you believe me right? Not being permitted and it not being on there via some technical measure or validation are completely different things.

    1. bazza Silver badge

      Re: Permission

      Well, the thing apparently has full disk encryption, so it's hardly likely to matter one way or the other.

      Backing up a soft control (the no classified content policy) with a hard, reliable control (full disk encryption, if done properly) is perfectly reasonable. So long as the laptop was powered down at the time and not just sleeping, there's almost nothing to worry about.

      1. Terry 6 Silver badge

        Re: Permission

        Password = Spy007 anyone?

      2. Pascal Monett Silver badge

        Re: "it's hardly likely to matter"

        I beg to differ. It is much more reassuring to be sure that classified data was not on a stolen laptop then it is to trust in the strength of encryption to keep it hidden.

        If it is there, they might just have the resources to dig it out, and then there will be trouble.

        If it's not there, they cannot find it, period.

    2. Anonymous Coward
      Anonymous Coward

      Re: Permission

      Apparently video shows the thief being delivered to the driveway, getting out and walking directly to the car, stealing the laptop and walking off. Hard to imagine this string of events being possible unless the agent was involved.

      Given the agencies involved, I imagine the usual clown show will commence.

    3. The Vociferous Time Waster

      Re: Permission

      Sure, Streaky, you know more about security than the USSS.

      1. streaky
        Facepalm

        Re: Permission

        Sure, Streaky, you know more about security than the USSS

        Plis most of us here work in tech and many of us work in information security. "know more" - I'm commenting on the naive PR guff they put out not their actual procedures but the naive PR guff they put out is extremely naive. That's why I mentioned it.

  2. oiseau Silver badge

    > The database has been added to the excellent Have I been pwned?

    Really?

    Looks like it could well be a site for people to voluntarily build a nice email database for someone ...

    1. Spotswood

      Er no

      It's a very reputable service.

  3. Christoph

    MD5 hashed passwords?

    This is 2017. Why are they still using MD5?

  4. HieronymusBloggs

    "a server containing production customer information was used on a test bed system"

    That old chestnut.

  5. Anonymous Coward
    Anonymous Coward

    Assange

    Damn! I was hoping the sticking point would be money.

  6. John Smith 19 Gold badge
    Unhappy

    "multiple layers of security including full disk encryption "

    So better than any UK government/local authority/NHS laptop then?

  7. mr_souter_Working

    Disk encryption - yeah right

    sure, they have whole disk encryption setup - assuming the drive ever completed the encryption process (i have encountered times where, after several months in use, it was noted that the disk had never encrypted, because the user only ever used the laptop disconnected from mains, and it was never powered on while connected).

    Many public sector organisations also use incredibly insecure encryption passwords - often just some part of the asset tag of the machine - because users need something they can remember).

    I have also seen cases where the encryption password was written on a label attached to the laptop, as the user could not remember what it was.

    And of course, if the laptop was merely sleeping, then the disk encryption is bypassed - and it has already been shown that plugging in certain USB sticks, correctly configured, will net the account credentials.

    All in all - you should always assume that if someone has physical access to a computer, that all data on it is accessible. The only way to be sure nobody can get anything off of a computer, is to make sure it never gets onto it in the first place (this applies to all computing devices, phone, tablet, desktops, laptops, etc...)

    1. GruntyMcPugh

      Re: Disk encryption - yeah right

      "sure, they have whole disk encryption setup - assuming the drive ever completed the encryption process"

      Which would be ensured by the delivery team. I've built a fair few laptops for our staff, BitLocker is deployed as part our standard build, and laptops aren't issued until they meet all required criteria. We don't trust users to do that stuff themselves.

  8. crasch48

    residual data

    if you have the skill and technowledge you can read down 5 layers of overwrite. and, if not overwitten many more layers. so the problem is not just the current layer has no clasified material!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021