BreachExchange mailing list archives
Re: (article) "We recovered the laptop!" ... so what?
From: sawaba <sawaba () forced attrition org>
Date: Wed, 14 Feb 2007 21:53:02 -0500 (EST)
I did some analysis on this for the company I work for, when we adopted a "full disk encryption" product. The two most significant things that came out of my research are: 1. This may not be the case with all disk encryption products, but you have to make sure you select "full encryption", as there may be a feature that, when selected, will only encrypt "active" data. How they word the option could be tricky as well. The "fast" encryption option may only encrypt active data. What they mean by "active" data is that it will only encrypt data that is not marked for overwrite (non-deleted data). This is a huge problem, because the last 1GB of data you deleted could potentially still be accessible if your drive/laptop is stolen! 2. If configured to encrypt EVERYTHING on the drive, it is Jericho says. The only way to steal the data is to grab the system while it is turned on and booted up with the OS running. For those interested, hibernating = turned off. I checked, and even hiberfil.sys is encrypted. --Sawaba On Tue, 13 Feb 2007, security curmudgeon wrote:
For the sake of argument, I'll disagree here. : Ok, so youve got a copy of an encrypted disk to crack at your leisure. : The data is still compromised and in someone elses hands, and they have : no idea if its secure or not. That still counts as a loss in my book. My work laptop has PGP desktop installed. A multi-gig partition is set up using PGP for protection, and upon every bootup it requires I enter my passphrase (more than thirty characters, using mixed case and special characters). If the machine is powered off or rebooted, you must enter this password to get access to my e-mail, client information or anything else work related. As far as I can tell, unless you grab my laptop while it is powered on, the data on it is relatively secure. There may be some residual information in the browser history/cache, but it will be specific to my company, not my company's clients. That said, can you describe a scenario other than what I described above as a viable way to get to the client data on my laptop? Other than snatching it while the power is on and copying the data off, which would be a huge warning flag to me to report said data as compromised, how an attacker could realistically get to the data? Jericho _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tracking more than 148 million compromised records in 573 incidents over 7 years.
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tracking more than 148 million compromised records in 573 incidents over 7 years.
Current thread:
- Re: (article) "We recovered the laptop!" ... so what?, (continued)
- Re: (article) "We recovered the laptop!" ... so what? Herve Roggero (Feb 13)
- Re: (article) "We recovered the laptop!" ... so what? Adam Shostack (Feb 13)
- Message not available
- Re: (article) "We recovered the laptop!" ... so what? Adam Shostack (Feb 16)
- Re: (article) "We recovered the laptop!" ... so what? B.K. DeLong (Feb 16)
- Re: (article) "We recovered the laptop!" ... so what? sawaba (Feb 16)
- Re: (article) "We recovered the laptop!" ... so what? Adam Shostack (Feb 17)
- Re: (article) "We recovered the laptop!" ... so what? sawaba (Feb 19)
- Re: (article) "We recovered the laptop!" ... so what? Chris Walsh (Feb 13)
- Re: (article) "We recovered the laptop!" ... so what? security curmudgeon (Feb 13)
- Re: (article) "We recovered the laptop!" ... so what? Chris Walsh (Feb 13)
- Re: (article) "We recovered the laptop!" ... so what? sawaba (Feb 14)
- Re: (article) "We recovered the laptop!" ... so what? sawaba (Feb 14)