Shostack + Friends Blog Archive


Do Lost Computers Matter?

Over at Concurring Opinions, Dan Filler asks a question that a lot of people are asking:

We have seen several stories, recently, about lost or stolen laptops containing troves of private data. These incidents do introduce a risk that the data will be converted to improper uses – most obviously identity fraud – but I suspect that, in most cases, the ultimate recipient of the computer was seeking, well, a computer.

I suspect that people’s intuition is mostly right: Most thieves are seeking the value of the computers. Most of the DVDs and CDs that Earnst Ernst and Young employees leave on airplanes are either in a landfill or returned.

It would be a mistake to assume the situation is static. Thieves read the same press as the rest of us, and learn. We can expect that the rate of exploitation will rise. So should we sweep the problem under the rug, and stop talking about it? If the attacker was required to physically show up, possibly. (Following Swire’s argument. But the initial thieves, of laptops are already showing up. (Or those in the highly secured atmosphere of airplanes.) We’re now discussing the impostors who commit fraud. For the simpler frauds, mail is all you need, often with a house or apartment where the residents are on vacation. More involved frauds may involve going in front of a state employee to get ID, but perhaps not. All of the data formats on a card are known (and must be known), and so entrepreneurs can provide you with duplicate cards for the identity of your choice. You know, in case some over-zealous bartender takes one away. But I digress.

Over time, the number of thieves and fences interested in imaging disks before sending them along should rise. This will be indicated by an increase in disk recovery and forensics outsourcing firms, along with increased sales of disk duplication hardware. The latter two are already happening, to judge by the wares on offer at security conferences. (I’m not claiming causation here.)

In the longer run, the weakness of authentication mechanisms is going to have to be addressed. If it wasn’t lost computers, it would be something else.

Lost puppy photo by RenGuerra.

2 comments on "Do Lost Computers Matter?"

  • lyger says:

    It would appear to be a matter of economics. If a laptop is stolen, would the thief gain more by attempting to recover data for the purpose of fraud or by simply selling the laptop from a truck, to a pawn shop, or through a newspaper ad? Perhaps imaging and stealing confidential information will rise, but in the end, I’d still bet that most laptop/computer thieves will stay in it for the quick and easy buck.
    P.S. Adam, it’s “Ernst”. 🙂

  • Paul says:

    I noted your attendance at the Security 360 conference last October. Your readers or clients may be interested in the following domain names for sale

Comments are closed.