The Hamilton County Sheriff’s Department in Ohio has issued an alert (and sent letters to the affected) that a laptop is missing, and people are at a higher risk of identity theft. The laptop contained private information, including Social Security numbers. It’s not mentioned whether drive encryption software like AlertBoot was used to protect the contents of the stolen laptop.
Who Protects the Sheriff?
If one needed any proof that physical security is not the same as computer security, this story is it.
There are no details on how the theft occurred, but suffice it to say that whether the laptop was stolen from the Sheriff’s Department or lost while it was being transported, big men in uniforms carrying guns weren’t able to prevent a data breach.
This is one of the reasons why, if a company or organization believes that their data needs to be protected, they need to have other data security measures in place, such as full disk encryption (FDE) on laptops and desktops, or document encryption protecting electronic files.
There are different ways to breach data, so obviously the presence of encryption software alone is not enough, although it goes a long way, especially in the above case.
Encryption Defeated In An Hour or So?
The above story has led to quite a lively discussion at www.local12.com, where a commentator has claimed that, regarding encryption on laptops,
“…if the person that stole the laptop has even a fraction of the knowledge that I and many others like me possess in IT security, it should only take them about an hour or so at the most for them to gain access to everything on the computer if that’s what their [sic] after.”
In other words, disk encryption works, but not if the computer is stolen by some guy in the IT security field. I wish I was putting words in some guy’s mouth, but I’m not; there’s just no other way to interpret what he wrote.
In an hour or so? That’s a heck of a statement. Makes one wonder why the US even has the National Security Agency if that’s true. Why, the US could have a bunch of IT security guys break encrypted machines in their spare time while munching doughnuts, instead of throwing money at an organization so secret that its annual budget is classified.
The truth of the matter is, well-designed encryption cannot be easily broken, if it can be broken at all. About the only way to do so would be via a backdoor (which, by definition, means it’s not well-designed; also, it’s quite unlikely our friend above would know about it), or via brute force, which would definitely take longer than an hour or so (three thousand years would be more typical, and I’m being extremely generous; the other end of the spectrum is millions of years).