Auditors Report FBI Fails in Tracking Lost Laptops

An anonymous reader writes "The Department of Justice's Office of Inspector General is reporting that the FBI has lackluster performance when it comes to tracking data lost on missing laptops. In a recent 44-month audit (ending in Sept. 2005), the FBI reported 160 lost or stolen machines. Of those, ten were confirmed to have sensitive info. A startling 51 of these machines had unknown information — in other words the FBI never knew what they lost. Some of these machines likely contained some of the most sensitive security information the FBI has, as there were several in the bunch that belonged to members of the Counterintelligence and Counterterrorism Divisions. But the FBI was never able to properly respond to these losses because someone didn't fill out the right paperwork. The OIG has a copy of the audit (pdf) for public consumption."

I wonder if most of these end up in pawn shops

[antifoidulus]

or is there an emerging criminal organization that targets laptops for the data they contain instead of for the hardware itself. It could be much more profitable to hold the data hostage rather than flip the laptop for whatever crappy amount you could get on ebay or at the local pawn shop.

Have there been any intensive studies that attempt to show what happens to stolen laptops?

Re:

[hazzey]

Have there been any intensive studies that attempt to show what happens to stolen laptops?

Something tells me that if they can't find the laptops and don't exactly know what was on the missing ones, then finding out what happened to them is pretty much impossible.

Alright....

[otacon]

Alright I can see how this could be a problem. But why is no one asking who the hell keeps losing their laptops or having their laptops stolen. I can see it happening, but those numbers seem kind of excessive, especially 10 with senstive data. For some reason I would't be surpised if they are being sold to some source. Because, I've never lost a laptop, nor has anyone I've ever known. I've broken them sure...but cmon.

Re:

[rbanffy]

Maybe some of them were damaged and misreported as stolen to avoid some penalty.

Re:

[Anonymous Coward]

The article indicates that the FBI's IT group manages more than 21,000 laptops at any given time. Assuming all 160 laptops were stolen/lost at the same time for the sake of argument, that's about 3/4 of a percent (0.75 %) of the laptops being managed. 160 laptops sounds like a lot of hardware to lose, but it's a small fraction of the total number in circulation.

Re:

[LurkerXXX]

I can see some being stolen. I've had friends lose laptops from their homes or businesses when burglarized. The thing is, all the sensitive data on those machines should be backed up, and encrypted, so that the only worry is about the insurance claim and the hassle of getting a new machine allocated and set up.

Personally I keep all my personal information (banking info, etc) stored in TrueCrypt files on my home machine, just in case my house gets broken into when I'm gone. The same goes for work (I'm in t

Re:Alright....

[B'Trey]

160 over three and a half years? Out of some 21,000? Doesn't seem overly excessive to me.

The article also fails to differentiate between NIPR (unclassified) and SIPR (classified) laptops. Regardless of your clearance, it's illegal to put classified information on a non-classified laptop. And classified laptops can not generally be taken home unless you have a certified storage location (a safe.) If they're not locked up, they should be in your direct possession at all times. If a significant number of classified laptops are missing, then it's a serious issue both in terms of the potential damage and in terms of users violating security procedures.

Non-classified laptops missing can be serious as well, particularly in terms of individual personal data being compromised and leading to identity theft or credit fraud. But the loss of sensitive-but-unclassified info is not nearly as serious in terms of the big picture as loss of classified data.

Re:

[sgt_doom]

Good Citizen otacon, what the hell kind of question is that??? I mean, after all, the next question you'll probably be asking is why didn't the FBI release any of the many tapes showing a visual of that commercial flight that was supposed to have flown into the Pentagon? Could it be because it wasn't that specific flight they claimed, but the one which was supposed to have flown into one of the WTC towers, but instead was tracked by NY ARTCC to the Pentagon's airspace???

Oh no....that might be in the real

Re:

[TheNinjaroach]

I'm sure the FBI has more laptop-armed employees than the business I worked for, and they lost laptops almost every day. Airports are the best (or worst) way to lose a machine quick. I also don't think these are targeted attacks at the FBI, instead I think they are aiming for careless business travelers. I don't think most thieves ever realize the potential value of the laptop data, they probably just sell the hot item as quickly as possible.

FUD.

[EveryNickIsTaken]

"So what we suggest is having an encryption solution (and) having a tracking and recovery solution so that if you do get into trouble you can do something after the fact." - CEO of some company that will *gladly* sell you this.

Re:

[ednopantz]

"So what we suggest is having an encryption solution (and) having a tracking and recovery solution so that if you do get into trouble you can do something after the fact." - CEO of some company that will *gladly* sell you this.

What's so fuddy about that? If you have sensitive data on a laptop, you better encrypt it. Sounds like common sense to me.

And I'm *not* in the portable encryption business.

Is it an unspeakable crime to sell useful services and advocate for wider adoption of those services?

Re:

[MMC Monster]

Is recovery software so hard? At the very least, each government laptop should ping a particular site on every bootup (maybe via custom BIOS). If pings come from an unauthorized IP address, start looking for it.

Heck, my desktop has a name via DynDNS. If someone manages to steal it and connect it to the internet without wiping the drive, I would have a start at where to look for it.

Re:

[Dog-Cow]

What would be an unauthorized IP for a laptop?

Re:

[MMC Monster]

Well, for a laptop containing potentially classified information, maybe any IP address not on a white list.

Re:

[El Torico]

Is it an unspeakable crime to sell useful services and advocate for wider adoption of those services?

In the People's Republic of Slashdot it is.

Lost Laptops Scare Daylights Out Of My PHB's

[8127972]

That's why They've begun to issue a remote access product called the MobiKEY [route1.com]. It is a USB token with a smart card that creates an SSL tunnel with 2 factor authentication (some sort of PKI based scheme) to your work computer. The company that makes this has a managed service called MobiNET that helps to broker the connection so that even Joe Sixpack can connect anywhere there is a net connection. The beauty of this is that all the corporate data stays behind the co there's no data to lose. If you do lose the token, the human that has it has four attempts to guess the password before the SIM fries itself. So assuming your password isn't "password" or something stupid like that, it's secure.

Re:

[value_added]

The company that makes this has a managed service called MobiNET that helps to broker the connection so that even Joe Sixpack can connect anywhere there is a net connection.

Well, I can't comment on how well that product works, but securing network connections doesn't address the issue of securing the data that exists on the laptop.

IIRC, the Veterans Affairs laptop that went missing a few months ago contained a database of records that the VA employee used to perform her claim administration work while visit

Re:Lost Laptops Scare Daylights Out Of My PHB's

[hackstraw]

Lost Laptops Scare Daylights Out Of My PHB's

I'm not a PHB, but I have the strong opinion that NO, ZERO, ZIP, NADA data should be stored on ANY portable device. This includes CDs, floppys, USB sticks, laptops. Whatever.

Important data should reside on a backed up, physically secure place like a data server. Remote access to that should be through encryped and secure channels.

I'm not asking for instances of moronic behavior here, but would anybody in there right mind carry around a filing cabinet that has things like your mother's maden name, SSN, passwords, copies of keys to your house, car, safety deposit box, etc, etc, and then get concerned if you lose the thing or it gets stolen?

No sane person would do that. But apparently this is status quo with government agencies and businesses.

In a recent 44-month audit (ending in Sept. 2005), the FBI reported 160 lost or stolen machines. Of those, ten were confirmed to have sensitive info. A startling 51 of these machines had unknown information -- in other words the FBI never knew what they lost.

I just crumpled up my tinfoil hat and threw it away. I'm more scared of little sister kicking me in the balls than whatever "big brother" could do.

These guys remind me of a quote by a psychologist that said something like "We don't know what we are doing, but we are doing it very carefully".

Re:

[spun]

Back in the early '90s when I was sysadmin for secure systems, we used removeable hard drives. These were kept under lock and key, and had to be checked out. They were only for use in secured computers in a secured environment. The computers were checked over and sealed with a tamper-evident seal. They had no removeable media except the removeable hard drives. The secure environment was electromagnetically sealed and not connected to any network. You could only check the hard rives out for a day at a time.

Rummy's Reply

[Aqua_boy17]

Too bad Rumsfeld's not in a position to announce this to the public. I can hear the press conference now: "There are the ones we know we lost, then there are the ones we don't know we lost, then are are the ones we know are not lost....."

Re:

[physicsboy500]

Too bad Rumsfeld's not in a position to announce this to the public. I can hear the press conference now: "There are the ones we know we lost, then there are the ones we don't know we lost, then are are the ones we know are not lost....."

"I'd continue on but I just lost my speech outline"

I wonder ...

[richg74]

Did they check that closet in the cellar where J. Edgar Hoover kept his frocks ?

Lost Stolen

[fluffy99]

Unlike most, I at least skimmed through the IG report. Only a handful of those laptops were confirmed as stolen, the rest are simply lost. In my experience, lost usually means: another agency or department has it and the agency that originally procured it lost track of it; it was an ancient laptop and its in the bottom of a closet somewhere; or it was scrubbed and disposed of without the proper paperwork being done. Thefts do happen, but it's just a likely that the employee took it home and his kid is playing pac-man on it.

Re:

[mdm-adph]

Thefts do happen, but it's just a likely that the employee took it home and his kid is playing pac-man on it.

...which is totally an A-OK explanation in a scenario of national security? Ever see Wargames? Pac-man my ass. That "Pac-Man" that 5-year-old is controlling could actually be the new M-100 People Eater, busily chomping its way down a crowded Baghdad street.

Re:Lost Stolen

[LilGuy]

The point is you would think an agency charged with highly sensitive information relating to national security would have their shit locked down airtight.

I've worked for some major corporations dealing with financial information that would've castrated people one by one until this was no longer a problem. I find it very hard to believe the FBI is this relaxed about the problem.

Re:

[spun]

This is the FBI we're talking about, not the CIA or the NSA. They're cops, not spies.

Re:

[Moofie]

I say "No more guns for you until you can secure this sensitive data."

Re:

[LilGuy]

I agree. No more sensitive data either!

Re:

[dbIII]

Come on now - these guys use the invention of the wonder woman comic artist in law enforcement to read people's minds by measuring skin resistance. Why do you expect professionalism in every aspect of their operation when they are an international laughing stock in another aspect?

Re:

[HikingStick]

Thefts do happen, but it's just a likely that the employee took it home and his kid is playing pac-man on it.

Which is probably alright for now, until the kid is older, starts nosing around the old files, or starts using some recovery tools. Then the data may be old, but it would still be fairly valuable to some parties, and it would be a just a bit more embarassing than being found in your boxers at the prom.

Re:

[Mike1024]

In my experience, lost usually means: another agency or department has it and the agency that originally procured it lost track of it; it was an ancient laptop and its in the bottom of a closet somewhere; or it was scrubbed and disposed of without the proper paperwork being done.

All these things are true. However, if the system for tracking laptops is broken, it should be fixed or thrown away (i.e. if we're gathering bad data and no-one cares, there's no point in gathering data).

For example, if inter-agency

Another perspective from someone who works on this

[BenEnglishAtHome]

I've decided to comment instead of mod since I feel sure you'll get to 5 without me. This:

another agency or department has it and the agency that originally procured it lost track of it; it was an ancient laptop and its in the bottom of a closet somewhere; or it was scrubbed and disposed of without the proper paperwork being done.

is the most insightful thing anyone is going to post on this topic. I'm in the middle of assisting with inventory issues in a major TLA. "Missing" laptops (Katrina/flood losses aside) are always explainable in these ways. Last week, a laptop that had been "lost" for over 5 years was found in a cabinet during an office move. Years ago, that laptop went on a public report as "lost." Our inventory tech had to fall on his sword and file paperwork removing it from active inventory because we couldn't find it. It wasn't taken home by anyone, stolen, or improperly passed on to another agency. It was simply misplaced.

Add to this the pallets of used equipment that get diskwiped and then donated to schools, a process often involving running around, looking for every unissued piece of obsolete equipment we can find and quickly doing whatever is necessary to get it onto the pallet, and you have a situation where laptops become "lost" in too-big numbers but without any real threat to anybodys security.

I would only be concerned, really, about two classes of losses. First is the handful (less than 10) that were stolen apparently due to negligence. However, in most of those cases, the data was routinely encrypted and, again, there's no security threat. Second are the 4 laptops that went home with employees when they retired. That's just inexcuseable.

Overall, 150 or so lost laptops in an organization that size is pretty damn good performance.

Re:

[sgt_doom]

The problem with your train of though, fluffy99, is that this organization is one plagued by past turncoats who's sold information, be it to foreign powers or to organized crime, has resulted in numerous murders and deaths.

No, this is a REAL problem when unknown data has fallen into unknown hands. While the "it's just the government at work excuse" has worked in the past for Reaganites and assorted neocons, it just doesn't suffice where life and death are concerned. Accountability should not be a thing o

I Know

[ReidMaynard]

A startling 51 of these machines had unknown information -- in other words the FBI never knew what they lost.

Playboy.com : Girls of the FBI

What scares me more

[Shivetya]

is that many people want the government to have even more control over our lives, mainly health care and retirement. Look, this is the FBI, if they cannot keep track of sensitive data how in hell can we trust another government organization to do better?

The problem with government entities is that Congress never writes laws that punish them. Corporations sure, if a corporation lost "sensitve customer data" you can be sure of howls in Congress and a rash of new laws punishing "evil" corporations. When its the government they turn their heads.

Accountability is the one thing the government has always lacked and the one thing they seem to want from everyone else, you, me, and any other non-government entity.

They should be held to higher standards than ANY corporation, school, or private organization. We entrust them with our lives, shouldn't they be required to prove they can handle that trust?

Re:

[xs650]

"is that many people want the government to have even more control over our lives, mainly health care and retirement. Look, this is the FBI, if they cannot keep track of sensitive data how in hell can we trust another government organization to do better?"

It looks like 1 in 200 FBI laptops went missing. I wish private medicines or medical insurance companies serious error rate were that low.

Re:

[geekoid]

They won't turn there heads, and I can gaurentee you that the axe has fell.
IT's done differently because corporation aren't entities of the government, so they get punished in a completly different manner.

"Accountability is the one thing the government has always lacked and the one thing they seem to want from everyone else, you, me, and any other non-government entity."

I would like to point out that it's this same government that is telling us there is a problem.
This is accountability.

Re:

[ubrgeek]

> you can be sure of howls in Congress and a rash of new laws punishing "evil" corporations.

So far I primarily hear crickets from Congress on this issue ... The states are doing more than the federal government.

Re:

[hany]

They should be held to higher standards than ANY corporation, school, or private organization. We entrust them with our lives, shouldn't they be required to prove they can handle that trust?

They are proving it (or trying to) when thay are pleading you to vote for them.

So for example when you vote for president, you should make sure he proves to you you can trust him plus make sure he proves to you that you can trust also the people he's going to appoint (to positions which are not granted based on electio

USA - Technology Backwater

[99BottlesOfBeerInMyF]

Come on. This is 2007. A government agency with classified data does not mandate encryption for their portables? It's been a built in feature for user accounts on OS X for more than three years now. It's been built in on OS X for an encrypted disk image for more than 7 years now. It's been available on Linux for longer yet and there have been third party tools for Windows to do this as long as I can remember.

Re:

[Joebert]

So much for "leaking" info into the hands of terrorists, thanks alot Captain Obvious.

Re:

[DarkVader]

Don't encourage them. This is 2007, better that unencrypted data is on there, and whatever nastiness the government is trying to pull this time ends up on the front page of NYTimes.com.

Re:

[dave420]

You've always been able to do this natively in XP, since its release. Same for 2000 and 2003 server. just fyi.

Re:

[sgt_doom]

Come on. This is 2007.

Come on???? Next you'll claim that Senator Obama is dangerous because his name rhymes with Osama??? Oops, sorry, that's a neocon talking point - the only time they remember about someone named Osama bin Laden is when a dem's name rhymes with it??? Guess that's what they mean by security and what the feebs of the FBI mean by security, huh????

How does this compare?

[planetmn]

How does this compare to other agencies and companies? 160 over an almost four year period sounds like a lot, but the FBI has over 21k laptops according to the story. That's about 0.76%, or about 0.19% per year. Is this higher than what most companies lose?

The data on the laptops is more worrying. But I wonder when they use the term "sensitive" exactly what that means? Does having the name of the agent on the laptop mean it's sensitive? It'd be different if they spelled out whether the information was classified and to what level.

-dave

Re:

[sparkane]

But I wonder when they use the term "sensitive" exactly what that means?

It means one cries easily. Or something that causes one to cry easily.

Re:

[Samrobb]

How does this compare to other agencies and companies?

I'd also like to know what their usage pattern is. I suspect that a lot of FBI employees have laptops because they're, you know, pilferable... I mean, portable. An FBI special agent hauling a laptop around the state from crime scene to crime scene is a little bit different from me hauling my laptop from work to home and back. Not to mention that my job doesn't require me to be in the vicinity of known and suspected criminals on daily basis. All to

are they stolen or are they lost in bureaucracy

[Joe The Dragon]

when you have lots of contractors and sub contractors thing's are easy to get missed placed or used with out filling out the need forums.
Like that one contractor that used a FIB agent login to get about the long time it was taking him to get the ok do to simile stuff like add a printer for the new systems that he was setting up. That was all ready running late and over budget.

Re:

[samwichse]

Like that one contractor that used a FIB agent login to get about the long time it was taking him to get the ok do to simile stuff like add a printer for the new systems that he was setting up. That was all ready running late and over budget.

I'm afraid I don't speak gibberish [hutman.net]

Re:

[VWJedi]

...to get the ok do to simile stuff like add a printer...

Your post was as clear as mud. That is how you do simile [m-w.com] stuff!

of course they failed

[night_flyer]

tracking lost laptops, cause if they were tracking them they wouldnt be lost!

cant help it

[thorkyl]

If they cant find a laptop in their own building how can they find a crook...

oh wait, the laptops cant vote...

All the more reason

[andreMA]

...to decline to speak to them. Not only has the FBI looked the other way when informants murdered people, they can't even (apparently) keep confidential the identity of informants. If I knew of a crime occuring and feared for my safety in reporting it, the FBI would be the last organization I'd approach.

Self destruct?

[owlstead]

I think the CEO of Oakley Networks has seen too many Inspector Gadget cartoons:

... or have some way of ensuring that certain types of activities indicative of somebody trying to break into the data would result in an automatic destruct.

Maybe they should order some old Dell laptops and short cirtuit the battery after too many bad logins to the hard drive encryption.

Oh, and they are considering using encryption to protect their data? Can someone please send these guys a clue-stick?

No problem

[SydBarrett]

Good thing we hired contractors to do all the IT stuff, we can just blame them for all the fuckups around here.

How many is too many?

[carpeweb]

Of course, one is too many, if it has the wrong/right data on it. But this left me with a lot more questions than answers.

TFA mentions that the FBI has "more than 21,000 laptops at any given time". The loss or theft of .76% (160) in 44 months is .21% per year. Is an annual disappearance rate of 2/1000 laptops high? What's the benchmark for the private sector, and how much lower should the tolerance be for the FBI or similar organizations? I gave up after following numerous Google and Ask links; all I found were USAToday-type figures, which didn't give rates and often didn't seem credible. (One link cited an "FBI statistic" that one in 8 laptops will be stolen ... I wondered if they were just trying to make themselves look good!)

How much should we care about the distinction between lost and stolen? I note that the loss rate has gone down while the theft rate has gone up, although about three fourths of the disappearances are classified as losses. I'll bet it's more socially acceptable in the FBI (as elsewhere) to say "my laptop was stolen" ("it broke ... uh, I mean ... there were these three big guys ...") than "I lost my laptop". The audit points out the the reporting of losses and thefts didn't seem to follow required procedures, including 38 that were reported more than 10 days after loss. There's a lot of ass-covering that can go on in 10 days, I suspect.

Also, the audit says the FBI had a total of 26,166 laptops. Assuming this does not contradict "21,000 at any one time", that seems to mean that the FBI turns over about a quarter of its laptops in three and a half years. (Rough math seems appropriate because "more than" isn't very precise.) That actually seems like a slow replacement cycle, compared with large corporate environments, but the replacement rate isn't particularly relevant here. What might be relevant is an audit of what happens to an FBI laptop when it is taken out of service. If these aren't securely managed, then we have a bigger security threat, by far, from replacement of laptops than we do from lost or stolen ones. Five thousand routine disposals vs. 160 "non-routine disposals". (I'm kind of surprised some bureaucrat didn't categorize them that way.) If the procedures aren't tight, I'd be a lot more worried about those.

As an aside, I'm shocked -- shocked! -- to see that TFA has several plugs for commercial "solutions" to the problem.

Computrace

[PoitNarf]

Sounds like the FBI needs to invest in tracking software such as Computrace: http://www.absolute.com/ [absolute.com]

We use this software at my job and have used it to successfully track and recover stolen laptops several times already. Many laptops from manufacturers such as Lenovo, Dell, Gateway and several others actually can store the tracking agent within the BIOS itself so that it cannot be removed (unless you change out the motherboard). If a new hard drive is installed into the laptop, the agent will reinstall itself onto the hard drive from the BIOS. It also has the ability to wipe the hard drive clean remotely if the laptop is found to be stolen.

yummy

[towsonu2003]

The OIG has a copy of the audit for public consumption.

But I'm on a diet...

Beggs the question...

[ElefantPhungus]

If they were successful at tracking lost laptops would the laptops still be lost?

They deserve it , what a poor informtion design

[PermanentMarker]

Why should such data be on a laptop ???? or on a usb STICK ????? duhhhhh Get it al secured let them work trough an encrypted citryx metaframe connection to a central cluster of applications.. Laptops becomes toys and nightmares if you put sensiteve data on it. Duhh do i need to tell such things ? No i shouldnt but sadly i do because ik keep fun in simple reminders to high end security IT personal.. Every dumbo could have thought about this.. ahh what a looooooooooooooooooosers Ehm and if you had windows

Re:

[CohibaVancouver]

Get it al secured let them work trough an encrypted citryx metaframe connection to a central cluster of applications

This isn't always pratical. For example, FEMA collects personal data on laptops after hurricanes and other disasters. Often there's no network to connect to. Last week I was at an airport for three hours - Only signal I could get was a 10kb Wifi connection.

Re:

[RobertLTux]

thats why somebody needs to create a satcom /wifi commo package that could be WCS be airdropped into an area (hmm give it a battery system that will power it for say 6 hours and assume that somebody will hook a generator to it by then) and is cheap enough to thermite if we need to (or some sort of AOG breaks it)

Coming soon to a bloated government near you

[AIfa]

The Federal Bureau of Laptop Keeping Track Of. With a multimillion dollar budget

The solution is quite simple...

[WrongDecision]

I have a community association pool/tennis court key. I had to make a $100 deposit to get that key. You better damn well believe I'll NEVER lose that key. A $1000 deposit on a laptop doesn't sound unreasonable to me.

Re:

[Magada]

You won't lose it, ever. It will get "stolen" ... by "angry rioters" with... um... "guns!". Yea, that's the ticket. Can you spell "force majeure"?