36

A law firm I've been in contact with has recently been broken into 3 times in the past 4 months. In spite of a number of laptops and other equipment containing sensitive information being stolen, the tech support company occasionally doing work for them has done nothing to safeguard against future theft. I proposed installing anti-theft software (such as Prey) and later considered establishing one system as an information-gathering honeypot with hidden keyloggers sending information to a number of email addresses.

All physical security best practices aside, what other measures could possibly be implemented here? These are all Windows systems. I don't doubt the separate incidents are linked and being carried out by connected if not the same criminals.

The firm has already been in contact with the local authorities. However, due to a lack of documentation on the stolen items, there are no serial numbers or additional helpful information on the missing devices besides make and model, so recovery seems a dead end, but at the least they're aware of the incidents.

D.W.
Mike H
  • Making the laptops harder to find/steal (locking them away) would probably reduce the number lost per incident, saving on downtime. It may not save on material costs if desks are destroyed looking for them. On the software side you should consider how you can make them as useless as possible to a thief (BIOS boot passwords used to be recommended but can often be bypassed). – Chris H Sep 30 '15 at 12:17
  • 8
    What do you want to do? Stop them being stolen? Stop stolen ones being of financial use to the thieves? Prevent thieves from having access to data on the devices? How much time and effort are you going to have someone spend to try and turn keylogged information into something you can sensibly use to recover the device? Do you plan to recover the devices yourself or try and talk the police into doing it? –  Sep 30 '15 at 12:50
  • 10
    My main approach to gathering information in your place, if you expect another break-in, would be a couple IP cameras. Then if the cops still won't do anything, go to the district attorney directly with the video and your complaint. Nice thing about an IP camera, they can cover or smash the cameras, but they cannot un-send the identifying info. Of course if they are wearing masks, a camera would do no good. But I kind of think masks are more Hollywood than common among actual thieves of this sort. – WDS Sep 30 '15 at 15:01
  • 8
    Judging by your overall description of the firm and their hands-off normal tech operations support, I'm going to guess that they didn't, in fact, have full-disk BitLocker enabled on those machines. Which means that now you and them should be having a conversation about what "incident response" means and how to piece together what confidential client-matter info was on the hard drives so that clients can be properly notified accordingly. Something tells me the firm would probably be quite recalcitrant to do client notifications, however.... Just a feeling... – mostlyinformed Oct 01 '15 at 04:23
  • 5
    This sort of doesn't add up. A law firm ignoring tax law? Do they not have the ability to call the vendor they bought the laptops from and get the serial numbers (the major manufacturers keep track of who buys what serial numbers)? That's of course assuming they don't have shipping labels or invoices that usually list the serial numbers. Plus a loss like this is HUGE for a law firm because of confidentiality. How could they still be working with the same IT firm after the second loss? – Todd Wilcox Oct 01 '15 at 18:16
  • 1
    I would like to mention this talk from Defcon, which has some interesting ideas about the scenario of a stolen laptop: https://www.youtube.com/watch?v=U4oB28ksiIo – L0j1k Oct 01 '15 at 21:09
  • 1
    [Paint them pink](http://www.livescience.com/32701-what-color-car-is-most-likely-to-be-stolen.html). – Federico Poloni Oct 02 '15 at 06:37
  • 5
    Get new lawyers. These people are incompetent. I am basing this on the fact that they don't know the serial numbers of their computers. The first time, barely plausible. The second and third time, not plausible. You don't need a tech support company to write down serial numbers. – Stig Hemmer Oct 02 '15 at 08:48
  • 1
    You should probably do a background check on all the employees. Repeated thefts would make me think you have a bad apple in the bunch, and don't forget the cleaning staff in those checks. – boatcoder Oct 02 '15 at 15:19
  • "broken into 3 times in the past 4 months" [jaw near the floor] Is it not worth the money to hire a night time guard and set up cameras? Rinky dinky law firm if you ask me. – BAR Oct 02 '15 at 22:15
  • @Mark0978 Excellent point. Just don't give off the vibe that employees are suspect. – BAR Oct 02 '15 at 22:22

14 Answers

58

Consider getting a software product which fully encrypts your hard drives. Such software will prompt the user to enter the password used to encrypt the hard drive during boot. Without the correct password, the hard drive (including both the OS and any data) cannot be decrypted, the system won't boot and the user won't get any access to the data.

In that case a thief might still be able to sell the hardware by nuking the disks, but won't have access to any sensitive information stored on it.

The default solution for Windows is Microsoft BitLocker, which is already available out-of-the-box in some editions of Windows. There are also other products on the market like Sophos Safeguard or TrueCrypt. For recommendations on which product to use, consult Software Recommendations Stack Exchange.

Philipp
  • 3
    Yes, this is excellent advice. A primary concern in this case is the theft of information itself, not necessarily the hardware in use. – Mike H Sep 30 '15 at 09:40
  • 8
    Note that at best there are some big questions over Truecrypt. – Chris H Sep 30 '15 at 12:14
  • @ChrisH Good call, especially right now. Truecrypt is mentioned on Twitter the past few hours as having 2 identified critical issues. This one doesn't seem to be a false alarm, though time will tell. – WDS Sep 30 '15 at 14:52
  • @WDS I wasn't even thinking of that, but the blowup a few months back. – Chris H Sep 30 '15 at 15:07
  • 9
    VeraCrypt is the still-maintained fork of TrueCrypt and it patches critical security vulnerabilities: https://threatpost.com/veracrypt-patched-against-two-critical-truecrypt-flaws/114833/ – twotwotwo Sep 30 '15 at 19:20
  • Talking of nuking the disks you could also look at something like this:- http://gizmodo.com/self-destructing-ssds-will-nuke-themselves-if-you-text-1640733628 – James Snell Sep 30 '15 at 20:42
  • 5
    But don't put a post-it with the password on your desk ! – Stephane Mathis Oct 01 '15 at 07:23
  • Full-disk encryption plus Yubikey is a good, quite cheap (few tens of dollars or equivalent) way to ensure reasonable data confidentiality in case of physical theft, if data needs to be stored locally. Ideally then one laptop per employee, one Yubikey per employee, and strict instructions to keep the two separate except when they need to interact with each other. (The physical key ring is a good place, as is one's wallet.) Configure one of the Yubikey slots for a static password, use that password to encrypt the disk, and you are mostly good as far as confidentiality in case of theft goes. – user Oct 01 '15 at 13:20
  • 1
    It should go without saying that you should keep robust backups of your encrypted data as well, so that if hardware is stolen, the only real cost incurred is the replacement of said hardware. I've heard that such things can even be insured, but then you'll probably need to start keeping track of serial numbers and stuff... – 40XUserNotFound Oct 02 '15 at 03:00
  • I would not recommend TrueCrypt, have you seen the ancient bug that was just announced? I am almost certain that was not an accident... – BAR Oct 02 '15 at 22:19
15

Rule no.1: Contact law enforcement.

Rule no.2: If the firm itself doesn't seem to care, nor does it want to contact law enforcement, please consider stopping doing whatever business you have with them.

Rule no.3: Think about the attacks in their broad context, and do not limit yourself to technical measures.

Rule no.4: Installing keyloggers is unlikely to be helpful. Instead of preventing theft or uncovering attackers you open wide a backdoor which can be exploited by the attackers.

Deer Hunter
  • 2
    As regards 1&2, the firm has already been in contact with the local authorities; however, due to a lack of documentation on the stolen items there are no serial numbers or additional helpful information on the missing devices besides make & model, so recovery seems a dead end, but at the least they're aware of the incidents. At the least I reckon that it'd be an extremely good idea to make note of these details in relation to the current devices in use, somewhere inaccessible, or even using Prey. Good advice. – Mike H Sep 30 '15 at 09:37
  • 3
    @MikeH - ah, OK. Basically, there's a bunch of extra actions you can take. Beefing up the accounting, of course :), and FDE as per [Philipp's answer](https://security.stackexchange.com/a/101509). Hiring PIs, checking if insiders were involved, that sort of stuff. Adding GPS tracking may be on the menu as well. – Deer Hunter Sep 30 '15 at 09:42
  • 3
    @MikeH When you don't even know the serial numbers of the stolen devices, you might want to work on your hardware configuration management. Always having an up-to-date list of which inventory item is assigned to which employee is very useful, not just in case of theft. – Philipp Sep 30 '15 at 11:44
  • 1
    Sounds sketchy that a business would not have records of their fixed assets. I don't know of a situation in which the IRS doesn't require keeping track of that information. – Todd Wilcox Oct 01 '15 at 18:11
  • 1
    @ToddWilcox - the OP did not specify the country. – Deer Hunter Oct 01 '15 at 19:09
12

If the laptops don't need to be used offline, store no data on the laptops. Use the laptops as thin clients. This can then allow you to require multi-factor authentication, set up access hours, and many other additional improvements over storing the data locally.

thunderblaster
  • 2
    Temporary files can reveal quite a lot, and may still be saved locally in a scenario like what you describe. – user Oct 01 '15 at 13:16
  • From what I understand, something like RDP wouldn't save temp files that could compromise information. Obviously if you are opening a file on a file server in Word on your local laptop, that would be problematic. You'd need to prevent users from doing that and/or just encrypt the local disk anyway. – thunderblaster Oct 01 '15 at 14:07
  • 1
    The RDP/VPN idea is great but would probably annoy non-tech people. – slebetman Oct 02 '15 at 21:26
3

Apart from using tracking software and full disk encryption, the company may invest in educating the concerned people to use their laptops only to connect to virtual private servers (VPS) where they must save their data. That way, if a laptop of a given worker is stolen, no data could be found within it (I take into account the fact you stated good safety practices are known). A similar goal can be achieved if they can invest in buying their own physical servers.

3

In the cases of companies with sensitive information on their mobile devices, most companies I've dealt with do not take measures to recover. It is strictly about making sure the devices are useless if stolen. The companies where security really mattered didn't bother with some of the other suggestions mentioned here, like saving data only on VPS (hard to enforce), BIOS passwords (useless), OS based password/encryption (useless). They just simply had full disk encryption with something like LUKS, which is unlocked by the bootloader. Very straightforward, and effectively bricks the machine if stolen.

You should tell your employer that this is an effective solution, and that you're not in the business of recovery; that should be the insurance company's job. You should let him know that 'honeypotting' could lead to an imperfect solution that causes data leakage. Assuming these thefts are most likely data theft related (repeat B&E, lawyers' offices), that should be their first priority.

Zachary Iles
  • No, LUKS doesn't brick the machine. It makes data inaccessible, but you can easily reformat the machine. If the machine has its BIOS password set, the hard drive can be replaced with a new hard drive, containing a new OS. Normally, anti-theft in IT security should be about preventing data compromise, not preventing assets from being used. For securing assets, it's better to use a physical security method of lockable racks or security locks or such to prevent theft. – sebastian nielsen Mar 07 '16 at 01:45
3

I feel that you are limiting yourself to the tech side too much. First, you need to lock up the laptops at the end of the day in a secure room. I mean a secure room in the sense that the easiest way into the room is through a locked door whose lock can be easily changed. In the room, put some sort of security camera in case the thief gets into the room. That way you will have an idea of who got in the room.

This change itself would make any thief a lot less motivated to get to the laptops. And finally, after that, employ full disk encryption.

5hammer
3

Apart from the software mentioned above, I recommend you use Remote Administration Tools. They are efficient for controlling your computer from wherever in the world you are.

Prey Anti-Theft (free) is lacking when it comes to recording audio, viewing the webcam, etc.

Thus, you'll be able to monitor your computer, get information about the thief, track its location and so on.

Then, you know what to do :-)

The VaLo
2

Anti-theft software installed after the laptop is purchased can be bypassed if the thief begins by reformatting the hard drive. If you choose to implement it as part of an overall defense system (as Philipp said, you should be starting with encrypting the disk), you'd be more likely to get useful data back if you bought laptops that have it pre-installed and that are using MS-provided tools to have the BIOS re-inject it into the OS if the drive is wiped/replaced. They recently came into the news when Lenovo abused them to install crapware, but used as intended they make it significantly more likely that you'll be able to get information that could lead to the laptop being recovered.

Obviously it's not foolproof, if the thief (and all future users) only install a different OS they can bypass it entirely; but typical buyers of used laptops will generally want to keep using what they're familiar with and that's statistically far more likely to be Windows than Linux/etc.

2

BIOS-level passwords prevent anyone from even turning on the computer without a password, but this doesn't prevent them from putting the hard drive into an external enclosure.

BitLocker full drive encryption built into Windows prevents them from reading the information entirely unless it is in that computer.

Even with(out) all of this encryption, private, harmful, and secret information should still be stored in an encrypted & password protected folder.

At this point if a person steals the laptop, good luck EVER getting data off of it. Of course this also runs into the problem that now if someone forgets the passwords you're up a creek, and so you need to run an in-house password and username lookup system that is secure and safe. But that's the nature of security. The more secure you are, the less usable it is.

The most secure computers are buried six feet underground, have no network access, are turned off, and destroyed.

Of course if BitLocker is overkill, there are other options for encrypting anything.

Another route to go is the thin client architecture that would mean no sensitive data would be stored on the laptop at all. This however requires a server to log into and store files on, and client and server setups, and VPNs that need to be encrypted as well.

Robert Mennell
1

As others have mentioned, I think you need to consider the physical security first. At the end of each day you collect the laptops back and lock them in a filing cabinet in a locked room.

I would set up an asset register to log the makes, models and serial numbers of the laptops and other IT equipment. This doesn't need to be anything fancier than a spreadsheet. This would give you something to hand over to the insurance company and police in the event of theft.

A separate spreadsheet could be used to log the users of the laptops. They come to you and request a laptop, you enter their name in the sheet with a datestamp. If the laptop doesn't come back you know who to go and shout at.

If the laptop needs to leave the premises (to go to the courtroom in this instance) make sure the user is aware that they are financially responsible for it if it gets damaged, lost or stolen. People are a lot more careful with equipment if they know they might have to pay to repair/replace it.

When I worked for a tech support company several of our customers were solicitors. They got round the potential data loss issue by having a terminal server and their remote workers could only access email and client information through that. The laptops effectively became dumb terminals. This also meant that all the heavy processing was done on the server so cheaper laptops could be purchased.

Once the physical security is dealt with they can start to consider drive encryption and geo-tracking of laptops. We had great success with services like AirWatch. We only ever had one device go missing with AirWatch installed on it and the field engineer was able to retrieve it with our guidance via GPS. I felt like a spy, it was great! :)

Burgi
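The asset register suggested in the answer above, combined with the disk-encryption advice given in other answers, can be captured per machine with a short script. This is an added example, not code from any of the posts; the register path and column names are hypothetical, and it assumes an elevated PowerShell prompt on each laptop.

```powershell
# Added example: append one asset-register row for the local machine.
# Run elevated; Get-BitLockerVolume requires administrator rights.
param(
    # Hypothetical location; keep the register somewhere other than the laptops.
    [string]$RegisterPath = '.\asset-register.csv',
    # Person the laptop is issued to (free text for the register).
    [string]$AssignedTo = 'unassigned'
)

function Get-AssetRecord {
    param([string]$AssignedTo)

    # Make, model and serial number as reported by the firmware.
    $system = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios   = Get-CimInstance -ClassName Win32_BIOS

    # Defaults used when the BitLocker cmdlets are missing on this edition.
    $volumeStatus = 'BitLocker cmdlets not available'
    $protection   = 'Unknown'
    $percentage   = ''

    if (Get-Command -Name Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        try {
            $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
            $volumeStatus = [string]$vol.VolumeStatus       # e.g. FullyEncrypted
            $protection   = [string]$vol.ProtectionStatus   # On / Off / Unknown
            $percentage   = $vol.EncryptionPercentage
        }
        catch {
            # Typically raised when the prompt is not elevated.
            $volumeStatus = "Query failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        RecordedUtc       = (Get-Date).ToUniversalTime().ToString('s')
        ComputerName      = $env:COMPUTERNAME
        Manufacturer      = $system.Manufacturer
        Model             = $system.Model
        SerialNumber      = $bios.SerialNumber
        AssignedTo        = $AssignedTo
        OsDriveStatus     = $volumeStatus
        OsDriveProtection = $protection
        OsDriveEncrypted  = $percentage
    }
}

$record = Get-AssetRecord -AssignedTo $AssignedTo
$record | Export-Csv -Path $RegisterPath -Append -NoTypeInformation
$record | Format-List

# Flag machines whose OS drive would be readable if the laptop were stolen.
if ($record.OsDriveProtection -ne 'On') {
    Write-Warning "$($record.ComputerName): OS drive is not protected by BitLocker."
}
```

Rows accumulate in one CSV, so the same file gives the serial numbers to hand to the police or insurer and a list of laptops that still need encryption turned on.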
1

Firstly encrypt the hard disks to protect the information on the laptops.

You need to make it easier for the police to find the people and easier to put them in jail.

There are modifications to the BIOS of laptops that make them ping an IP address whenever they connect to a network. You can then look at the source address on the packet and get a court order for the given ISP to tell you where the laptop is. www.absolute.com is one company that sells such a system that allows a device to be remotely disabled as well as tracked.

I would also think about having an alarm that activates a smart water spray when it goes off; that way it is easy to prove that someone was in the building at the time the alarm went off.

Upon activation the SmartWater Forensic Spray System sprays intruders with an invisible liquid, marking their skin and clothing. The liquid can only be seen under UV light, remaining on skin for weeks and indefinitely on clothing. It can be used to link a criminal to a particular crime scene, remaining detectable long after the crime has been committed.

I would be inclined to do the above without putting up any warning notices, with as few people knowing about it as possible. It is better to put people in jail than just get them to rob the next office instead of yours.

Ian Ringrose
0

What measures to take depends on which of the inconveniences from the theft you want to protect against:

  • Loss of data: Keep backups. Data which exists only on the laptop can of course not be avoided while the laptop is offline. But as soon as it is online with a decent connection the data need to be backed up.
  • Leaks of data: Encrypt the entire disk. If the encryption solution is unable to wipe the keys from memory when the screen is locked or the laptop is suspended, then shut it down completely instead.
  • Financial loss: Losing the hardware means a financial loss. The way to protect against that is by having an insurance.
  • Make it less attractive to steal: There are two approaches to this. Increase the chance of getting caught by tracking the device. Make the hardware unusable to the thief. Making the hardware unusable is something which cannot be done with just software, it requires certain protections built into the hardware itself. My recommended way to measure the value of any measure to make the hardware less attractive to steal is: how much of a discount is the insurance company willing to give you.

One nice-to-have feature which doesn't fit into the above list is backups that work after the laptop was stolen. While the laptop is working offline and cannot back up immediately, it is possible to create incremental backups which are encrypted and signed, and then store those on the disk. This can be done in such a way that the encrypted and signed incremental backup can be sent to a server without needing the disk encryption key to be provided. This is however a fairly complicated feature because it spans areas that are usually kept separate, so I wouldn't put it high on the priority list. In particular there is a significant risk of messing up the security of the disk encryption while adding such a feature.

kasperd
-1

It's going to depend a lot on the sophistication of the thieves. In addition to the ideas mentioned here, what about a physical tracking device like thetileapp? (I don't know what other similar options exist, as my experience is limited to Tiles.) If you're handy you could possibly hide one of these inside the chassis of the laptop. Maybe slip another in the laptop bag? At $25 a tile it might be a cost effective security measure and then you're relying on something that is virtually undetectable if it's inside the laptop.

Rick Chatham
  • 2
    How would you locate a Tile that is more than 100 feet from a configured phone?? – schroeder Oct 01 '15 at 23:38
  • @schroeder the app has a "I lost it" function that then uses all other phones running the app to search for it dragnet style. Thus it's dependent on other users of the app. – Rick Chatham Oct 27 '15 at 20:40
-2

You can consider modern solutions like UEM (Unified Endpoint Management) solutions. It comes with a whole range of features to manage Windows devices (mobile and PCs) along with other platforms. In your situation, you can always use the remote tracking option or if you are also concerned about the data, you can remotely wipe them too. And also, when you enroll a device in UEM, it automatically captures its details which once exported can also be treated as an inventory of all devices you are managing.

schroeder
  • 2
    The OP already mentioned Prey. And UEM won't help if the machine is kept off or the hard drive is removed. – schroeder Sep 26 '19 at 06:33