Step 1: How it can happen

Laptops with sensitive data are getting stolen every day. Contributor Kevin Beaver says the best way to secure your laptops is to understand how they will be attacked. He provides the basic attack methods and a set of contingencies in this step-by-step guide.

Have you ever wondered how the people finding and/or stealing these unsecured laptops and other computers are breaking into those systems and gleaning sensitive information? Well, I haven't interviewed any criminals, but I'd venture to guess they've got their own tools and techniques. However basic it may seem, many people simply don't have passwords on their laptops. It doesn't take a computer engineer to crack that code, and I won't elaborate on security testing techniques and solutions for that problem. But what about those systems that do have passwords - how are the bad guys getting in?

The best way to approach this problem is to look at it from a malicious viewpoint. I'm not advocating or supporting criminal activity. I do, however, strongly believe the only way to truly secure your systems is to look at security issues from the bad guy's perspective. When it comes to laptop hacking, there are a few tests you need to run to see just how far you can get into the system and into your network.

Already logged-in with full access
A computer system can be stolen while it's still turned on. Laptops with well-charged batteries are especially convenient for the bad guys. There's no unplugging and trying to get in later -- they simply take the system and run with it to another location and see what can be gleaned off it.

Once they're in, anything's fair game. Many organizations have policies that state no sensitive information shall be stored on local hard drives or mobile devices. Yeah, right. I see it all the time. It's usually just a matter of looking at the person's desktop to find all sorts of word processing documents, spreadsheet files and other areas containing sensitive information.

Take a look and see for yourself. You can actually do this from the network if you have remote logins enabled and you're part of the local administrators group. Look under C:\Documents and Settings\All Users\Desktop and C:\Documents and Settings\username\Desktop. You can also load up Outlook or whatever email client the victim uses to see what's stored inside. Odds are your users use email as an information repository, and it's a gold mine for sensitive information.
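The desktop check described above can be scripted for machines you administer. The Python below is an added example, not part of the original article: it walks every profile's Desktop folder under a profiles root (C:\Documents and Settings, or the same folder reached over the network) and reports document-type files. The extension list, the function names and the sample profile tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed list of document-type extensions; tune it to what you treat as sensitive.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pdf", ".csv", ".txt", ".pst", ".mdb"}


def audit_desktops(profiles_root):
    """Return {profile: [document files under that profile's Desktop folder]}."""
    # profiles_root holds one folder per profile (All Users, each username, ...).
    findings = {}
    for profile in sorted(os.listdir(profiles_root)):
        desktop = os.path.join(profiles_root, profile, "Desktop")
        if not os.path.isdir(desktop):
            continue  # stray file, or a profile without a Desktop folder
        hits = []
        # os.walk skips unreadable sub-folders by default instead of raising.
        for folder, _dirs, files in os.walk(desktop):
            for name in sorted(files):
                if os.path.splitext(name)[1].lower() in DOC_EXTENSIONS:
                    hits.append(os.path.relpath(os.path.join(folder, name), desktop))
        if hits:
            findings[profile] = hits
    return findings


def build_sample_tree(root):
    """Create constructed sample data: three profiles holding empty files."""
    layout = {
        "All Users": ["Desktop/Shared Price List.xls", "Desktop/Reader.lnk"],
        "jsmith": ["Desktop/Payroll 2006.XLS", "Desktop/clients/contacts.doc",
                   "My Documents/notes.txt"],
        "guest": ["Desktop/Internet Explorer.lnk"],
    }
    for profile, files in layout.items():
        for rel in files:
            path = os.path.join(root, profile, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for profile, files in audit_desktops(root).items():
            print(f"{profile}: {len(files)} document(s) on the desktop")
            for rel in files:
                print("    " + rel)
```

Profiles with nothing but shortcuts on the desktop are left out of the result, so the output is the list of users to follow up with.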

Think about what could happen if any of this data were accessible to a criminal. That's a good reason to use short screensaver timeouts, require users to lock their screens when leaving their computers unattended, or even use proximity sensors to automatically lock the screen when the user leaves.

Guessing Passwords
The next step a would-be criminal could take is to simply guess a login or screensaver password -- sometimes it's as easy as 1-2-3. In this scenario, let's assume the laptop is powered on and the user has locked the screen with a screensaver. The hacker could enter the user's login ID (the last logon ID is likely displayed) as the password or append a 1, exclamation point, or "pass" to the end of it. It's actually pretty common. If the screensaver password doesn't work, simply reboot the system to see how it comes up -- you might not need a password to log in to Windows.

If you reboot and you're prompted with a BIOS power-on password, that's yet another layer of defense, but it's no problem to get around. There are resources galore on how to reset those.

About the author: Kevin Beaver, CISSP, is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Beaver has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies (Wiley) and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at [email protected].
