WASHINGTON -- With the recent rash of high-profile data breaches involving lost or stolen notebooks, it seemed fitting that one of the first sessions of the 2006 Gartner IT Security Summit focused heavily on attacks that could be launched against portable devices, including PDAs, cell phones and wireless-enabled notebooks.
The Department of Veterans Affairs admitted a couple of weeks ago that an employee's notebook PC containing 26.5 million veteran identities, including names, Social Security numbers and dates of birth of the veterans and some spouses, was stolen in a burglary. Meanwhile, the travel booking site Hotels.com recently informed roughly 243,000 customers that their names and credit card numbers were stored on a laptop that was stolen from an Ernst & Young accounting firm employee.
The first demonstration in a session called "Hacks Live," conducted by Stamford, Conn.-based Gartner Inc. analysts John Girard and Rich Mogull, revealed just how simple it would be for even an untrained crook to steal sensitive data from stolen computers.
The analysts said it is possible to use a Windows recovery CD-ROM to reset any administrative password on a stolen system. Then the attacker can log in as administrator and load any number of readily downloadable password crackers to gain access to user account passwords.
For part of the demonstration, the analysts used the widely known commercial SAMInside password recovery tool, but they said any number of downloadable password recovery tools would let a malicious person get the job done in seconds to minutes, depending on the strength of the target's password.
From there, they said it's fairly simple to log in as that system's user and gain access to encrypted files, as well as any saved credentials used to log into the corporate VPN or Web sites. And with the help of additional cracking tools, any protected databases, Word documents, or Excel worksheets can be easily opened.
The lesson, said Girard and Mogull, is that the best defense against data thefts from stolen equipment is full-disk encryption. Also, they said organizations should require end-users to employ long passwords, or better still make use of two-factor authentication.
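The analysts' point that cracking time depends on password strength, and their advice to require long passwords, can be made concrete with a small keyspace estimator. The following is an added example, not code from the article or from Gartner; the guess rate, policy thresholds and sample passwords are assumptions chosen for illustration, and the estimate is an upper bound (a real cracker tries likely candidates first, so weak patterns fall far sooner than the exhaustive figure suggests).

```python
import math
import string

# Character classes used to estimate the alphabet a password draws from.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password: str) -> set:
    """Return the names of the character classes present in the password."""
    chars = set(password)
    return {name for name, members in CLASSES.items() if chars & members}


def keyspace_size(password: str) -> int:
    """Exhaustive-search upper bound: alphabet_size ** length, as an exact int."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    if alphabet == 0 or not password:
        return 0
    return alphabet ** len(password)


def keyspace_bits(password: str) -> float:
    """Same bound expressed in bits (log2 of the keyspace)."""
    size = keyspace_size(password)
    return math.log2(size) if size else 0.0


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try the whole keyspace at an ASSUMED guess rate."""
    return keyspace_size(password) / guesses_per_second


def meets_policy(password: str, min_length: int = 14, min_classes: int = 3) -> bool:
    """A simple length-plus-variety policy of the kind the analysts recommend.

    Thresholds are assumptions for this example, not Gartner's numbers.
    """
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


if __name__ == "__main__":
    # Constructed sample passwords; none of these are real credentials.
    for pw in ["Summer06", "Summer06!", "correct-horse-battery-9"]:
        hours = seconds_to_exhaust(pw) / 3600
        print(f"{pw!r:28} {keyspace_bits(pw):5.1f} bits  "
              f"{hours:12.1f} h to exhaust  policy ok: {meets_policy(pw)}")
```

Running it shows why the advice is phrased in terms of length: adding one symbol to an eight-character password multiplies the keyspace by a constant, while adding characters multiplies it by the alphabet size for each one, so a long passphrase built from ordinary words outlasts a short "complex" password by orders of magnitude. It also shows the limit of any such estimate: a dictionary-based cracker never searches the full keyspace, which is why the analysts pair the password advice with two-factor authentication and full-disk encryption rather than relying on password length alone.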
Most of the audience at the show, which is aimed at senior IT security execs, would already be well aware of the dangers that lurk behind weak passwords, considering the never-ending flow of headlines surrounding lost customer data, said Lloyd Hession, CISO at financial services firm BT Radianz. However, he said, a gentle reminder of best practices doesn't hurt.
During another demonstration, using a freely available tool dubbed Car Whisperer, the analysts showed just how simple it could be to eavesdrop on in-car phone conversations taking place over a Bluetooth-enabled headset. Using the software and a directional antenna, they revealed how anyone could overhear and even broadcast audio to a vulnerable device in a nearby vehicle.
While such an attack could enable eavesdropping on conversations held over in-car Bluetooth headsets -- and could even startle the unsuspecting motorist with unexpected messages booming from the car stereo -- the attacks don't pose great risks to corporate information. The analysts also said they have not seen any evidence that these types of attacks are underway in the real world.
Nonetheless, they do advise shutting down all default Bluetooth services on devices and strictly limiting pairing to trusted Bluetooth peripherals only.
George V. Hulme is a freelance writer based in Minnesota.