Re: [Dataloss] follow-up: Stolen city laptop recovered; workers' personal data not accessed

From: Max Hozven (mhozventealeaf.com)
Date: Tue Jan 27 2009 - 11:10:04 CST


I know we've had this thread before, but I'll pose the question again to
see if there are any new comments on this.

I think that if a Windows computer's hard disk is removed, then moved to
a system that is booted with a different operating system and mounted
read-only, I don't know of a way to determine if the data was accessed
once the disk is put back in the original system. For example, if the
laptop's disk was removed, put in a computer running Linux or booted to
a Symantec Ghost (or similar product) disk and all of the data was
extracted. Or you could just boot the laptop to a Linux/Ghost disk and
extract the data that way (I don't know if any computer has a BIOS that
tracks last-boot-time, so the first method above would be the most
failsafe for detection).

My general feeling is that when authorities say that data was not
accessed, they mean that when they booted the computer, the Windows logs
are reviewed to see when the last login was, when the last files were
modified, etc.

 

-Max

 

________________________________

From: dataloss-bouncesdatalossdb.org
[mailto:dataloss-bouncesdatalossdb.org] On Behalf Of Sean Steele
Sent: Tuesday, January 27, 2009 7:01 AM
To: Stefan Wahe
Cc: datalossdatalossdb.org
Subject: Re: [Dataloss] follow-up: Stolen city laptop recovered;
workers' personal data not accessed

 

Stefan, it appears I've hit a nerve.

 

I wasn't disparaging anyone personally or professionally, and with
regard to your comment regarding my professional responsibilities, I
believe it to be exactly my duty and our duty -- as IT security
professionals -- to remain skeptical and to call to account anyone in a
position of authority able to declare a data breach essentially "null
and void" because they believe the situation to be sufficiently
controlled and controllable.

Any occasion where sensitive data, unencrypted, makes it into the wild
should and needs be a serious moment for introspection and analysis.

 

We all know it can be very difficult if not impossible to ascertain
without reasonable doubt whether data has been accessed on a device.

 

I'm all for dialogue on this issue, as long as we can agree not to call
each other names.

--
Sean Steele, CISSP, CISA
Sr. Security Consultant
infoLock Technologies
703.504.9000 x219 direct
202.270.8672 mobile
ssteeleinfolocktech.com

________________________________

From: Stefan Wahe [mailto:smwahewisc.edu]
Sent: Tuesday, January 27, 2009 9:38 AM
To: Sean Steele
Cc: datalossdatalossdb.org
Subject: Re: [Dataloss] follow-up: Stolen city laptop recovered;
workers' personal data not accessed

Living in Madison and working in IT Security, I do know that Madison
Police Department has a unit that conducts IT forensics on electronic
devices. They have the appropriate staff, resources and training to make
such determinations. Additionally they have state and university
resources at their availability with more than adequate training and
experience in IT forensics. I am aware of this because I have had the
opportunity to observe and work with them on other IT Security related
issues.

 

I hope this addresses your questions regarding the professionalism of
the Madison Police Department. Please remember that this is a public
forum and casting such doubts is not beneficial for those who are
working towards solutions in preventing data loss. As a CISSP I hope
that you are supportive of your colleagues in these efforts.

 

My question is if the thief was interested in stealing sensitive
information off the device, would they then leave the device on a city
bus? What is their motivation in that action?

 

Stefan Wahe

_________________________________

Stefan Wahe

University of Wisconsin - Madison

DoIT Applications and Information Security

smwahewisc.edu

On Jan 27, 2009, at 6:21 AM, Sean Steele wrote:

Am I the only one who feels a bit dubious about a local police lab's
declaration -- based on their exhaustive computer forensics
investigation one s'poses -- that a machine's "sensitive information"
has not been accessed?

 

Hmmm.

 

--
Sean Steele, CISSP, CISA
Sr. Security Consultant
infoLock Technologies
703.504.9000 x219 direct
202.270.8672 mobile
ssteeleinfolocktech.com
________________________________________
From: dataloss-bouncesdatalossdb.org [dataloss-bouncesdatalossdb.org]
On Behalf Of security curmudgeon [jerichoattrition.org]
Sent: Tuesday, January 27, 2009 6:07 AM
To: datalossdatalossdb.org
Subject: [Dataloss] follow-up: Stolen city laptop recovered;workers'
personal data not accessed

---------- Forwarded message ----------
From: InfoSec News <alertsinfosecnews.org>

http://www.madison.com/wsj/mad/latest/434816

By Dean Mosiman
Madison.com
Jan 26, 2009

An oversight by the city of Madison's personnel office is why Social
Security numbers of 300 to 500 city employees were stored on a laptop
computer stolen Friday from an office in the City-County Building.

The laptop was found about two blocks from the City-County Building on
South Hamilton Street and turned over to police Monday morning, who
determined late in the afternoon that no sensitive information was
accessed.

The theft, however, put a scare into many and raised questions about
city security of personal information.

Mayor Dave Cieslewicz expressed concern about the incident and ordered a
review of security specific to the situation, spokeswoman Rachel
Strauch-Nelson said.

The city laptop was taken from a "relatively secure location" in the
fifth-floor Human Resources Department offices in the City-County
Building, Wirtz said.

[...]
_______________________________________________
Dataloss Mailing List (datalossdatalossdb.org)

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml
