Some computers are too important to be networked

There is a common defensive computing thread in two recent stories.

In the first story, Newsweek reports that both presidential candidates had their campaign computers hacked from afar. As they put it:

The computer systems of both the Obama and McCain campaigns were victims of a sophisticated cyberattack by an unknown "foreign entity," prompting a federal investigation, both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system." ... Officials at the FBI and the White House told the Obama campaign that they believed a foreign entity or organization sought to gather information... "

The second story involves a former Intel employee who allegedly stole trade secrets. As CNET's Stephanie Condon writes, the employee resigned, yet continued on the Intel payroll for a few weeks (perhaps working off vacation time). During this transition period, he started working for Intel rival AMD, yet he remained in possession of his Intel laptop and still had access to Intel's computer network. The FBI later found him in possession of "top secret" Intel files worth more than $1 billion in research and development costs.

The lesson is clear. If you have really valuable or sensitive files, don't make them remotely accessible. Cut the wire. Some files should never be available off-site.

If this means buying a new computer just to hold really sensitive files, it's money well spent.

A couple years ago, I heard someone from the hacker group 2600 give out this same advice on their radio show, Off The Hook. It made sense back then and makes even more sense now.

Windows passwords are easily hacked. Instead of relying on a Windows password for local physical security, set both a power-on password and, if the computer supports it, a hard disk password. Whole disk encryption is another option, but one that involves much more work to implement.

If you put sensitive files on a laptop computer, then consider storing it in a safe when not in use. If you have a small safe, get a small laptop or a Netbook.

Laptops need more than just cutting the Ethernet wire. To begin with, turn off the Wi-Fi radio (there is probably a switch or a function key for this). If the laptop has Bluetooth, physically turn that off too.

Then, turn off the networking features in the operating system.

On Windows, turn off file sharing for every network adapter and turn off every network protocol. Then, disable all the network adapters.

Finally, disable the underlying Windows services that handle networking. On Windows XP this would be: Wireless Zero Configuration, Server, Computer Browser, Workstation and SSDP Discovery. Then since, the machine will be off-line forever, there are quite a few other Windows XP services that won't be needed and can be disabled: Automatic Updates, Distributed Link Tracking Client, Distributed Transaction Coordinator, Net Logon, NetMeeting Remote Desktop Sharing, Network DDE, Network DDE DSDM, Network Location Awareness (NLA), Network Provisioning Service, Remote Desktop Help Session Manager, Remote Registry and WebClient. The laptop I'm writing this on also has an Infrared Monitor service. I don't know what it's for, but I keep it disabled.

All told, this isn't much work and doesn't involve much expense. Yet, it's great insurance and can leave your sensitive files better defended than those at Intel and each presidential campaign.

See a summary of all my Defensive Computing postings.