case western reserve university

INFORMATION SECURITY

 
 

What do I have to think about for laptop security?


Mobility

Laptops are becoming the primary mode of computing devices used on campus.  Case has a special environment with the significant coverage of the CaseGuest network, which is being extended by the Cleveland Wi-Fi MESH project.  This means you need to address two main security issues:

  1. Loss or theft of your laptop and the data
  2. Wireless eavesdropping and attacks on the wireless configuration.

Loss and Theft

Case Protective Services maintains a Daily Crime Log with monthly reports. These logs show that between September 2005 and September 2006, 29 laptop computers were reported stolen from various buildings on campus (and two computers were stolen from buildings - not so portable!). All of these cases are open, meaning that none have been returned. The majority of these stolen laptops were left unattended, but some were in locked rooms. The following map shows the locations of the thefts. Some of the stolen laptops were Case property, some were personal property of students. The impact of these losses has not been determined, but the users definitely had to bear the costs of:

  • Loss of email and electronic communication capability
  • Loss of your work (papers, research, dissertation), which could represent hundreds of hours of work
  • Potential disclosure of your Case ID, account credentials, financial aid applications, other personal information that could lead to identity theft.
  • Cost of replacement of the system.

There have been no reports of sensitive University data being stored on these laptops. Such storage is a major concern for the University community, since data breaches constitute a large number of the reported data losses that affect individuals. If you view this report of data breach chronology, you will agree that very many of them are from lost or stolen laptops that were being used to manage sensitive or private data (note the number of universities). Case is obligated to report any losses of data under Ohio HB-104.

Effective countermeasures to prevent laptop loss or theft:

  • Never leave your laptop unattended in a public area, such as one of the libraries, etc.
  • Buy a locking cable for your laptop, and secure it to your furniture in your room,  office, or laboratory.  Case Protective Services (368-6811) can sell you a cable from any of their offices.  They are also available in the Case Bookstore, or online.
  • Mark your laptop like other personal belongings. Case Protective Services will loan you an engraver to add permanent identifiers to your laptop. Case is also distributing labels (Tag It!) for laptops: 'powerful pink' for faculty/staff, 'yowza yellow' for student laptops. You can get the labels at any PerceptIS Walk In Center.
  • Purchase tracking software to track your laptop in case it gets lost or stolen.  Some vendors include CompuTrace, SecurIT, and ZTrace.

To protect data in case of loss or theft:

  • Make sure you have a screen-saver password, and never leave any autologin feature enabled. This keeps the novice thief out of your computer.
  • Use the encryption built in to Windows XP and MacOS. Caveat emptor: if you lose your passphrase, you could also lose access to your own data!
  • Purchase PGP, or use GPG freeware to encrypt your sensitive files.
  • Make sure you do not keep sensitive data on your laptop.  Keep it on a central or department file server, and wipe your disk free space after you delete working copies from your hard drive.
  • Back up your hard work and data to a CD or DVD, and keep it apart from your laptop (not in the laptop bag!) so you can avoid starting from the beginning on that semester-long project.

Wireless countermeasures to prevent eavesdropping

The CaseGuest network is designed to be an easy access, high availability network for the benefit of both the Case and University Circle communities. It does not use encrypted communications between the laptop and the access points. Anybody within range of your computer can eavesdrop on or 'sniff' your connection and data. Wireless sniffing can result in the disclosure of your Case ID and password if your email client connects to the mail server in clear text while you are on the wireless network. The CaseGuest network also terminates outside the Case network (no internal network connections), so you cannot reach some Case-only network resources, such as some parts of the Kelvin Smith Library site.

The solution for this is to use encrypted communications. Many Case IT systems (e.g., my.case.edu, mail.case.edu, calendar.case.edu, blackboard.case.edu) use SSL (secure sockets layer) encryption to protect the communications between your browser and the web site. Look for the 'https://' in the URL and the lock icon in your browser. The CaseVPN client can also be used to encrypt your connection between your laptop and the Case internal network. This also gives you an internal network connection, permitting you to reach Case-only systems from the CaseGuest network.
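The distinction drawn above, as an added example that is not part of the original page: a small Python audit that classifies each configured connection by whether a listener on an unencrypted wireless hop such as CaseGuest could read the login. The `example.edu` hostnames, the `starttls` modes and the verdict names are assumptions made for illustration, and the VPN case assumes all traffic is routed through the tunnel.

```python
from urllib.parse import urlsplit

# Schemes whose traffic is encrypted from the first byte (implicit TLS).
TLS_SCHEMES = {"https", "imaps", "pop3s", "smtps"}
# Clear-text schemes that can be upgraded in-band with STARTTLS.
STARTTLS_SCHEMES = {"imap", "pop3", "smtp"}


def assess(url, starttls="off", vpn=False):
    """Classify one client connection as seen by a listener on an open WLAN.

    starttls: "off", "opportunistic" (use if offered) or "required".
    vpn: True when the traffic is carried inside a VPN tunnel
         (assumption: the tunnel carries all traffic, not a split tunnel).
    Returns "protected", "downgradable" or "exposed" for the wireless hop.
    """
    scheme = (urlsplit(url).scheme or "").lower()
    if vpn or scheme in TLS_SCHEMES:
        return "protected"
    if scheme in STARTTLS_SCHEMES:
        if starttls == "required":
            return "protected"
        if starttls == "opportunistic":
            # An active man in the middle can strip the STARTTLS offer,
            # and the client then logs in over clear text.
            return "downgradable"
    return "exposed"  # http, or mail with no TLS: the password is readable


def audit(connections, vpn=False):
    """Return {name: verdict} for every configured connection."""
    return {name: assess(url, mode, vpn) for name, url, mode in connections}


# Constructed sample profile; the example.edu hostnames are placeholders.
SAMPLE = [
    ("webmail", "https://mail.case.edu/", "off"),
    ("imap-plain", "imap://mail.example.edu:143", "off"),
    ("imap-opportunistic", "imap://mail.example.edu:143", "opportunistic"),
    ("imap-required", "imap://mail.example.edu:143", "required"),
    ("imaps", "imaps://mail.example.edu:993", "off"),
    ("intranet", "http://intranet.example.edu/", "off"),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:20} {verdict}")
```

A "downgradable" verdict is the one to fix first on an open network: set the mail client to require TLS instead of using it only when the server offers it.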


Wireless configurations to prevent attacks

The CaseGuest network is for everybody, and not all of the users are nice. Of particular interest are AP Phishing and EvilTwin AP attacks. AP Phishing is where a client in the wireless network pretends to be an Access Point (AP), a phony portal, or web server to gather user ID/passwords and credit card numbers. An EvilTwin AP attack is the same scenario, where a client will broadcast the SSID of the CaseGuest network and try to get you to connect your SSL traffic through them, so that they can perform a 'man in the middle' attack on your SSL connections. In these events your browser will identify an 'invalid certificate', which you had better read; do not click 'OK' if it is not the correct credential. The EvilTwin is complicated by the Microsoft Wireless Zero Configuration (WZC) service, which automatically selects the AP with the strongest wireless signal.


The solution is to review your wireless connection settings, which have been updated to reduce the probability of a successful attack of this type by making sure you avoid 'ad hoc' networks:

http://help.case.edu/connect/wireless/howto/wireless/view

Another solution is to use a firewall utility with an integrated connection manager. These can be set up to prevent connections to anything other than preferred networks (CaseGuest). Examples are:

AirDefense Personal

Zone Alarm Wireless



Software Updates for Wireless

When vulnerabilities in services and drivers appear, particularly for wireless, vendors deploy updates.  Recently Apple released an AirPort Security Update addressing issues with the third-party wireless drivers.  Unfortunately, Microsoft will not address the WZC issue until the OS formerly known as Longhorn, Windows Vista.


Case Paranoid Geek Tip: Make security a habit!

If you care about your laptop and your data, some healthy paranoia is just the ticket. Get in the habit of using the locking cable whenever you leave it unattended anywhere. Use common sense when you have it in a backpack, and try to stay in physical contact with it at all times.