Re: (article) "We recovered the laptop!" ... so what?

[sawaba <sawaba () forced attrition org>]

I did some analysis on this for the company I work for, when we adopted a 
"full disk encryption" product. The two most significant things that came 
out of my research are:

1. This may not be the case with all disk encryption products, but you 
have to make sure you select "full encryption", as there may be a feature 
that, when selected, will only encrypt "active" data. How they word the 
option could be tricky as well. The "fast" encryption option may only 
encrypt active data. What they mean by "active" data is that it will only 
encrypt data that is not marked for overwrite (non-deleted data). This is 
a huge problem, because the last 1GB of data you deleted could potentially 
still be accessible if your drive/laptop is stolen!

2. If configured to encrypt EVERYTHING on the drive, it is Jericho says. 
The only way to steal the data is to grab the system while it is turned on 
and booted up with the OS running. For those interested, hibernating = 
turned off. I checked, and even hiberfil.sys is encrypted.

--Sawaba

On Tue, 13 Feb 2007, security curmudgeon wrote:

> For the sake of argument, I'll disagree here.
>
> : Ok, so youve got a copy of an encrypted disk to crack at your leisure.
> : The data is still compromised and in someone elses hands, and they have
> : no idea if its secure or not. That still counts as a loss in my book.
>
> My work laptop has PGP desktop installed. A multi-gig partition is set up
> using PGP for protection, and upon every bootup it requires I enter my
> passphrase (more than thirty characters, using mixed case and special
> characters). If the machine is powered off or rebooted, you must enter
> this password to get access to my e-mail, client information or anything
> else work related. As far as I can tell, unless you grab my laptop while
> it is powered on, the data on it is relatively secure. There may be some
> residual information in the browser history/cache, but it will be specific
> to my company, not my company's clients.
>
> That said, can you describe a scenario other than what I described above
> as a viable way to get to the client data on my laptop? Other than
> snatching it while the power is on and copying the data off, which would
> be a huge warning flag to me to report said data as compromised, how an
> attacker could realistically get to the data?
>
> Jericho
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
> Tracking more than 148 million compromised records in 573 incidents over 7 years.
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 148 million compromised records in 573 incidents over 7 years.