Have you ever wondered how the people finding and/or stealing these unsecured laptops and other computers are breaking into those systems and gleaning sensitive information? Well, I haven't interviewed any criminals, but I'd venture to guess they've got their own tools and techniques. However basic it may seem, many people simply don't have passwords on their laptops. It doesn't take a computer engineer to crack that code, and I won't elaborate on security testing techniques and solutions for that problem. But what about those systems that do have passwords - how are the bad guys getting in?
The best way to approach this problem is to look at it from a malicious viewpoint. I'm not advocating or supporting criminal activity. I do, however, strongly believe the only way to truly secure your systems is to look at security issues from the bad guy's perspective. When it comes to laptop hacking, there are a few tests you need to run to see just how far you can get into the system and into your network.
Already logged-in with full access
A computer system can be stolen while it's still turned on. Laptops with well-charged batteries are especially convenient for the bad guys. There's no unplugging and trying to get in later -- they simply take the system and run with it to another location and see what can be gleaned off it.
Once they're in, anything's fair game. Many organizations have policies that state no sensitive information shall be stored on local hard drives or mobile devices. Yeah, right. I see it all the time. It's usually just a matter of looking at the person's desktop to find all sorts of word processing documents, spreadsheet files and other areas containing sensitive information.
Take a look and see for yourself. You can actually do this from the network if you have remote logins enabled and you're part of the local administrators group. Look under C:Documents and SettingsAll UsersDesktop and C:Documents and SettingsusernameDesktop. You can also load up Outlook or whatever email client the victim uses to see what's stored inside. Odds are your users use email as an information repository, and it's a gold mine for sensitive information.
Think about what could happen if any of this data was accessible by a criminal. That's a good reason to use short screensaver time outs, require users to lock their screens when leaving their computer unattended or to even use proximity sensors to automatically lock the screen when the user leaves.
The next step a would-be criminal could take is to simply guess a login or screensaver password -- sometimes it's easy as 1-2-3. In this scenario, let's assume the laptop is powered on and the user has locked the screen with a screensaver. The hacker could enter the user's login ID (the last logon ID is likely displayed) as the password or append a 1, exclamation point, or "pass" to the end of it. It's actually pretty common. If the screensaver password doesn't work, simply reboot the system to see how it comes up -- you might not need a password to login to Windows.
If you reboot and you're prompted with a BIOS power-on password, that's yet another layer of defense, but it's no problem to get around. There are resources galore on how to reset those.
Step 1: How it can happen
Step 2: How to crack a laptop
Step 3: How to secure a laptop
Step 4: Laptop security summation
About the author: Kevin Beaver, CISSP, is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Beaver has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, (Wiley) and The Practical Guide to HIPAA Privacy and Security Compliance(Auerbach). He can be reached at [email protected].