Laptop Security - harddisk encryption necessary?

Hi,

There are few cases that a corp lost their laptop with customer
private information - in which case all the countermeasure of security
within a corp are not applicable such as your firewall, IDS, auti-
virus, anti-middleware etc.

Then it sounds fair enough to intruduce harddisk encryption. However
there 2 layer protection already there - BIOS level and OS - Windows
user level authentication. now my questions are how week are they? how
the stealer of the laptop exploit the data?

Many thanks,

Re: Laptop Security - harddisk encryption necessary?

In article <1174346802.334620.327270@p15g2000hsd.googlegroups.com>,
"Jackie" wrote:

> Hi,
>
> There are few cases that a corp lost their laptop with customer
> private information - in which case all the countermeasure of security
> within a corp are not applicable such as your firewall, IDS, auti-
> virus, anti-middleware etc.
>
> Then it sounds fair enough to intruduce harddisk encryption. However
> there 2 layer protection already there - BIOS level and OS - Windows
> user level authentication. now my questions are how week are they? how
> the stealer of the laptop exploit the data?

Take the disk out of the stolen computer and connect it as an auxiliary
disk on some other computer.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: Laptop Security - harddisk encryption necessary?

"Jackie" writes:

>Hi,

>There are few cases that a corp lost their laptop with customer
>private information - in which case all the countermeasure of security
>within a corp are not applicable such as your firewall, IDS, auti-
>virus, anti-middleware etc.

>Then it sounds fair enough to intruduce harddisk encryption. However
>there 2 layer protection already there - BIOS level and OS - Windows
>user level authentication. now my questions are how week are they? how
>the stealer of the laptop exploit the data?

Both are trivial to get around. If absolutely necessary you remove the hard
disk from the laptop and read it on another machine.


>Many thanks,

Re: Laptop Security - harddisk encryption necessary?

Thanks, you are right.

I heard there are two popular tools for harddisk encryption - from PGP
and Utmaco, do you have experience on them? beside whole disk
encryption, do they support logical drive/directory/file level? do
they have evaluation version?

Re: Laptop Security - harddisk encryption necessary?

Jackie wrote:
> Thanks, you are right.
>
> I heard there are two popular tools for harddisk encryption - from PGP
> and Utmaco, do you have experience on them? beside whole disk
> encryption, do they support logical drive/directory/file level? do
> they have evaluation version?

Google "hard disk encryption."

The first 10 or 15 hits should point you in the right direction.

--
Notan

Re: Laptop Security - harddisk encryption necessary?

Thanks, I tried, but I wonder how to rank them for different vendors,
does google do it? is first appeared the best/most popular?

Re: Laptop Security - harddisk encryption necessary?

Post removed (X-No-Archive: yes)

Re: Laptop Security - harddisk encryption necessary?

In article <1174346802.334620.327270@p15g2000hsd.googlegroups.com>,
Jackie wrote:
>Hi,
>
>There are few cases that a corp lost their laptop with customer
>private information - in which case all the countermeasure of security
>within a corp are not applicable such as your firewall, IDS, auti-
>virus, anti-middleware etc.
>
>Then it sounds fair enough to intruduce harddisk encryption. However
>there 2 layer protection already there - BIOS level and OS - Windows
>user level authentication. now my questions are how week are they? how
>the stealer of the laptop exploit the data?
>

Authentication depending solely on what's in the box itself is worthless
when the attacker has complete access to everything in the box. If the
data is not encrypted with the key *not* on drive, an attacker can
trivially retrieve every bit of data on it.

a) the computer can be booted from the attacker's CD or USB thumb drive,
bypassing your OS.
b) BIOS protections are trivial to defeat. There are often backdoor
entries to bypass them, and if all else fails, the attacker can
simply remove the CMOS battery, returning things to their unprotected
factory default.
c) If all else fails, the attacker can simply remove the hard drive
from the target machine and put it in a box of his own, and read
it there.

--
Christopher Mattern

NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities

Re: Laptop Security - harddisk encryption necessary?

Jackie wrote:
> Thanks, I tried, but I wonder how to rank them for different vendors,
> does google do it? is first appeared the best/most popular?

no, don't trust google for making your decisions :-)

I like truecrypt and I think it is pretty well documented, and it's free.
how hard it is to be cracked?
I am sure some of the experts here will tell you.

M

Re: Laptop Security - harddisk encryption necessary?

"Jackie" (07-03-19 22:29:19):

> Thanks, I tried, but I wonder how to rank them for different vendors,
> does google do it? is first appeared the best/most popular?

No, Google does not. And there is one fundamental rule in choosing
products anything farly related to security: It must be fully open
source, and it must provide full documentation, including but not
limited to the algorithms and techniques used.

Many operating systems come with HD encryption facilities by themselves.
For Windows, which does not provide any security at all by itself, there
are basically two alternatives: FreeOTFE and TrueCrypt. Try both and
choose the one you like better.

By the way, you don't need to encrypt your entire HD. This is overkill
in most cases. Create an encrypted container for your personal
directory, whereever it is.


Regards,
E.S.


--=20
=46rom the fact that this CGI program has been written in Haskell, it
follows naturally that this CGI program is perfectly secure.

Re: Laptop Security - harddisk encryption necessary?

Post removed (X-No-Archive: yes)

Re: Laptop Security - harddisk encryption necessary?

In article , Ertugrul Soeylemez wrote:
>
>By the way, you don't need to encrypt your entire HD. This is overkill
>in most cases. Create an encrypted container for your personal
>directory, whereever it is.
>
>
You also need to encrypt your swap file or partition, to prevent
the reading of sensitive information held in memory that might
have been paged out. If the attacker is particularly lucky, he
might even get the decryption key he needs to read the encrypted
parts of your disk. You should also encrypt your temp directories
for the same reason, although that's less critical (an attacker
won't get your decryption keys there unless the encryption program
is incompetently written, for example). And in Windows especially,
it's difficult to be sure where sensitive information may wind up
stored or cached; some programs keep stuff outside of your personal
directory (which is why so many programs need you to be
Administrator).

--
Christopher Mattern

NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities

Re: Laptop Security - harddisk encryption necessary?

Sebastian Gottschalk (07-03-22 07:39:46):

> > Many operating systems come with HD encryption facilities by
> > themselves. For Windows, which does not provide any security at all
> > by itself,
>
> Maybe you should stop talking nonsense.

You know, Microsoft is not my best friend. I've lost lots of valuable
data and money because of their buggy $SOME_PROFANITY. Probably not an
issue here, but sometimes I just can't keep it.


> > there are basically two alternatives: FreeOTFE and TrueCrypt. Try
> > both and choose the one you like better.
>
> What about PGP Desktop Workstation?

Not that I know of. I have only found informations about PGP Desktop
_Enterprise_, which isn't free. For _Workstation_ Google returns only a
few links.


> > By the way, you don't need to encrypt your entire HD. This is
> > overkill in most cases. Create an encrypted container for your
> > personal directory, whereever it is.
>
> Encrypting the entire HD solves a certain problem...

I know which problem you're refering to, but I don't know how this could
be done in Windows without using expensive software. At least I haven't
found anything free so far. The two programs I mentioned don't support
that by themselves, AFAIK.


Regards,
Ertugrul Söylemez.


--=20
=46rom the fact that this CGI program has been written in Haskell, it
follows naturally that this CGI program is perfectly secure.

Re: Laptop Security - harddisk encryption necessary?

syscjm@sumire.eng.sun.com (Chris Mattern) (07-03-22 12:15:50):

> > By the way, you don't need to encrypt your entire HD. This is
> > overkill in most cases. Create an encrypted container for your
> > personal directory, whereever it is.
>
> You also need to encrypt your swap file or partition, to prevent the
> reading of sensitive information held in memory that might have been
> paged out. If the attacker is particularly lucky, he might even get
> the decryption key he needs to read the encrypted parts of your disk.
> You should also encrypt your temp directories for the same reason,
> although that's less critical (an attacker won't get your decryption
> keys there unless the encryption program is incompetently written, for
> example).

Of course.


> And in Windows especially, it's difficult to be sure where sensitive
> information may wind up stored or cached; some programs keep stuff
> outside of your personal directory (which is why so many programs need
> you to be Administrator).

One more nasty design flaw.


Regards,
Ertugrul Söylemez.


--=20
=46rom the fact that this CGI program has been written in Haskell, it
follows naturally that this CGI program is perfectly secure.

Re: Laptop Security - harddisk encryption necessary?

Post removed (X-No-Archive: yes)

Re: Laptop Security - harddisk encryption necessary?

On Mar 24, 2:24 pm, Sebastian Gottschalk wrote:
> Ertugrul Soeylemez wrote:
> >>> there are basically two alternatives: FreeOTFE and TrueCrypt. Try
> >>> both and choose the one you like better.
>
> >> What about PGP Desktop Workstation?
>
> > Not that I know of. I have only found informations about PGP Desktop
> > _Enterprise_, which isn't free. For _Workstation_ Google returns only a
> > few links.
>
> http://www.pgp.com/products/packages/desktop_pro/index.html
>
> >>> By the way, you don't need to encrypt your entire HD. This is
> >>> overkill in most cases. Create an encrypted container for your
> >>> personal directory, whereever it is.
>
> >> Encrypting the entire HD solves a certain problem...
>
> > I know which problem you're refering to, but I don't know how this could
> > be done in Windows without using expensive software.
>
> CompuSecFree, but it's totally insecure...
>
> > At least I haven't found anything free so far. The two programs I mentioned
> > don't support that by themselves, AFAIK.
>
> TrueCrypt partially tangles the problem with a GINA dll and a specialized
> driver for encrypting the swap file.

Why do you say that CompuSec FREE is totally insecure?

Re: Laptop Security - harddisk encryption necessary?

Post removed (X-No-Archive: yes)