Credant says MoD laptop theft highlights dangers of lax crypto security

by Michael Smith (Veshengro)

Reports that the Ministry of Defense was investigating, in the second week of December 2009, the theft of a laptop – together with a security key used to decode the data on the notebook – is jaw-dropping in its apparent lack of common sense, says Credant Technologies, says Credant Technologies.

"It's one thing to have excellent encryption on a laptop, but it's entirely another to have the security key - presumably a USB stick or similar - located along with the machine," said Sean Glynn, the endpoint security specialist's product manager.

"This smacks of lax security on a scale that is breathtaking in its crassness. There is little or no point in having encryption on a portable device if the authentication key is stored with the machine," he added.

According to Glynn, this is the encryption equivalent of leaving yellow sticky notes detailing user passwords on the edge of a PC monitor, and then wondering why the machine's security is compromised.

Even if the computer is stored in a highly secure building, as appears to have been the case with the MoD laptop, there is still every chance that the machine can go walkabout, as rogue employees are rapidly becoming just as much a threat to the data of organizations as external hackers and malware, he explained.

Credant's product manager went on to say that the fact that the laptop was stolen from the MoD's headquarters in Whitehall, and appears to be one of several similar thefts from the building is extremely disappointing.

Thefts like this are little like the time when Scotland Yard lost basically all its typewriters from the typing pool to a service company (well, that's what it looked like when they walked past the security desk). Oh, how embarrassing but also, in the case of laptops and USB thumb drives, dangerous.

"If the MoD can't vet its own staff and stop these thefts happening – and also fail to implement an understanding of why and how security systems operate in its staff – then what hope is there for civilian organizations?," he said.

"To say I'm gob-smacked is an understatement. This is one of the worst lapses in government security since the infamous loss of the two child benefit disks containing the records of millions of UK citizens in late 2007 (," he added.

I think gob-smacked must be an understatement and I cannot understand how people in organizations that are supposed to protect the security of the real can be so stupid, for that is the only word one can use here unless one would use “criminal negligent”, to do what they did here. How many more MoD laptops and PCs are thus “secured”, one can but wonder.

Also, it would appear that the security in civilian organizations is better than that at MoD and SIS for instance. I mean, let's face it: if you park your car somewhere in a street near that green building at Vauxhall Cross and leave a laptop on display you must be an MI6 agent.

Losses such as that, in the same way as the lost unencrypted USB drive in Colombia by a British agent (I will not prefix that with intelligence) that compromised an entire anti-drugs operation just should not happen and cannot be allowed to happen. Each and every times heads should roll, even when not literally.

For more on the MoD encrypted laptop fiasco:

For more on Credant Technologies:

© 2010