UVM's Information Security Operations Team answers "Why?" Why?security

Stolen Devices and the Inconvenience of Time Travel

Since the beginning of 2010, UVM Police Services has sought ETS’s help in 104 device-theft cases pertaining to UVM students, faculty, and staff. One recurring theme is that there are two simple steps that users can take to reduce the impact a stolen device has on themselves and the institution, and that these steps can only be taken before a laptop, tablet, phone, or portable storage device goes missing.

  1. Enroll your portable device (laptop, tablet, or phone) in a “locate-and-wipe” service (e.g., Apple’s “Find My iPhone/iPad/etc.”, the Prey Project, LoJack[1]). These programs sport features that run the gamut from simply reporting the device’s location to wiping all data from its storage and even taking pictures using the device’s camera. In the best cases, these can help authorities recover your stolen property; at the very least a successful remote wipe[2] can prevent the (ahem) “new owner” from having access to your UVM (or personal!) data indefinitely.
  2. Encrypt the device’s storage to prevent unauthorized access to the data contained within it. This is another way of keeping the new owner’s grubby mitts off your grading spreadsheets, personnel reports, family photos, saved Amazon password (which leads to your saved credit card info), etc. Besides: Section 16.1 of UVM’s Information Security Procedures states that, “Digital storage devices and media that contain Protected University Information must be encrypted…” This also applies to external hard disks containing your backups and any removable devices you use to store Protected University Information.

    Note that whole-disk encryption only provides meaningful protection if the device is powered off or hibernating[3] when it’s stolen. You can maximize this technology’s defensive value by powering off your laptop when you’ll be in transit for more than just a few minutes, or away from it in a public place[4].

These are powerful defenses against the ill effects of losing your device and the data on it, and people using them are measurably better-off when things “grow legs”. But remember:

These technologies can only help if you start using them before your device is stolen.

If you need help with these techniques, ask your friendly local UVM technology professional or contact the Information Security Operations Team for assistance by emailing iso@uvm.edu.

Cheers,

Sam Hooker, for the ISO Team

[1] Please note that not all technology staff at UVM will have experience with these services. This is meant as a list of alternatives for your investigation, and doesn’t imply that your local tech pro will be willing to support your use of a particular package. When in doubt, ask them first.

[2] I say “successful” because the device must be connected to the Internet somehow in order to receive the “tell us where you are” and “erase your data” commands. If the thieves erase the device and reinstall fresh software, it won’t phone home looking for such instructions. But hey: At least your data is probably gone…maybe…

[3] Laptops (and technology pros) make a distinction between “sleep” and “hibernation”. If you’re not sure how to get your hardware to hibernate, ask your pet technologist for help.

[4] But really, consider taking it with you. I promise that stashing it in your bag for that trip to the restroom is way less of a hassle than filling out police paperwork and wracking your brain trying to remember whether or not you logged out of online banking. Leave the power cord behind if it helps you feel better.

Skip to toolbar