Khaki Bandit: Extreme Social Engineering (or, An Extreme Reason For Greenlighting Laptop Encryption).

The Khaki Bandit.  That’s how Eric Almly was known in Milwaukee when they didn’t have a name to match up with the burglaries.  He’s been connected to computer thefts in Minnesota, California, Arizona, and Florida.


Supposedly, Almly’s modus operandi was to walk into corporate offices and lift laptops found in the office.  He wouldn’t walk in willy-nilly.  He’d stake out the soon-to-be crime scene, studying the place.  He would dress the part to better match the surroundings (I guess corporate America is really into khakis).  He would enter the offices close to the end of the business day—when things were winding down, people were leaving work, but prior to the nighttime security staff arriving—and just hang around until people left.  Hey, he looked like he belonged.  On the rare occasions when he was confronted, he would lie.  Hey, he sounded and looked like he belonged.


He’d go around the deserted office, pick up the laptops, and saunter out.  Because he looked the part, it was rare that anyone would stop him.  And if he was stopped, he’d just lie his way through.  The purloined laptops would be wiped of their information and sold on eBay, where he garnered a 99.4% satisfaction rate.


Companies affected by Almly include FedEx, Outback Steakhouse, and Burger King.


Most articles covering this case indicate that Almly was not interested in the information contained and just wanted to turn a quick profit.  As pointed out, the smaller size of laptops makes it easier for one to steal multiple machines in one go, and easier (and cheaper) to ship.  So, in a sense, the companies got lucky the security breach was relegated to hardware theft.


While I would imagine situations like the above are atypical, this is what social engineering is about: get the trust of people so you can perpetrate the crime.  The above is as much a phishing scam as it is “Catch Me If You Can,” and I guess if you strip the veneer of jargon, social engineering really means “conning someone.”


Situations like the above are unpredictable events.  While, technically, there was no data breach in the end (at least, there are no signs there was one), the above companies probably know that it was a matter of luck.  The situation could have easily deteriorated into a nightmare.  While it may not seem to make sense to install encryption on all computers at a company, especially without a specific threat looming on the horizon, the truth is that companies need to seriously consider such a scenario and figure out ways to minimize risk.  Not scenarios where a khaki-clad thirty-year-old comes to swipe laptops, but this scenario: what are the odds that someone will be able to make off with company equipment on which sensitive data resides?


Rogue guards, janitors, employees, temps, etc.  I’ll bet that the probability is much higher than people think or are willing to admit.  And if that is the case, what would be the ramifications of someone successfully making off with the equipment?  Would the impact be the price of the laptop?  Or is there the potential for a $900 laptop to result in a $100 million incident?  The theft or loss of a laptop can be written off; a $100 million incident is a different story.


This is why computers with sensitive data must be encrypted, laptop or otherwise, using strong encryption provided by companies such as AlertBoot.  It will ensure that equipment theft is relegated to the price of the equipment, and won’t balloon into a national incident involving negative press, fines, and lawsuits.


When you think about it, laptop encryption cures many ills: it mitigates the effects of theft, to begin with.  It might also mitigate theft itself, since there will be people interested in stealing laptops for the data, not the hardware per se.  Plus, there will be no need for the IT department to ensure that the data is wiped correctly before discarding a machine due to age.  They can just toss the hard drive in its encrypted state, leaving your IT department free to do something more productive.
