BreachExchange mailing list archives
How protected does laptop encryption leave you?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 28 Apr 2015 19:49:14 -0600
http://fortune.com/2015/04/28/laptop-encryption-protection/ Security tips and busted myths about full disk encryption. Want to protect your personal data? Try full disk encryption—a means of locking down your computer files so that no one else with access to your machine may pry inside. To the uninvited inspector, encrypted hard drive data looks like alphanumeric gobbledygook. To those with the right passphrase, it looks and acts as normal. “Everyone should be running full-disk encryption on their laptops,” implores The Intercept before supplying a user-friendly tutorial on the technology. “[I]t’s the only way to protect your data in case your laptop gets lost or stolen, and it takes minimal effort to get started and use.” Without disk encryption, your laptop is a sitting duck, Micah Lee writes: If someone gets physical access to your computer and you aren’t using disk encryption, they can very easily steal all of your files. It doesn’t matter if you have a good password because the attacker can simply boot to a new operating system off of a USB stick, bypassing your password, to look at your files. Or they can remove your hard disk and put it in a different computer to gain access. All they need is a screwdriver, a second computer, and a $10 USB enclosure. That’s right. Hacking an unprotected hard drive is that simple. So make no mistake: Disk encryption is a good practice. But beware! It will not protect you against everything. Motivated hackers, wandering-eyed shoulder surfers, compressed air can-wielding operatives, and tech-savvy “evil maids” may still all unlock your precious data, in spite of encryption’s sureties. To help illuminate the limitations and liberations of the technology, Fortune dissected The Intercept’s guide into a taxonomy. Here’s a quick list of what disk encryption does and does not protect against. You’re safe from… Undesired physical access due to misplacement, thievery, or government seizure. “Encrypting your disk will protect you and your data in case your laptop falls into the wrong hands,” Lee writes. Insistent border agents. At their edges, travelers to different countries enjoy no right to privacy. You’re vulnerable to… Internet surveillance and spies. Think National Security Agency. Trick malware downloads. Be careful when choosing whether to open email attachments. Bug exploitations. No software is perfect. Traffic hijackers. Visit only websites that use encryption—”hypertext transfer protocol secure” (aka HTTPS)—to secure incoming and outgoing traffic. Faulty memory. Do not forget your password. Failure to lock unattended devices. Power off when you’re absent. Weak passwords. “Password” is not a good password. “Th1sIsN0tMyRe@lPas$wordHackz0rz” is better. Guest account workarounds. Cut off the other ways to access your laptop. Direct memory access attacks. Malicious devices can be used to manipulate or read your computer’s RAM, aka random access memory storage, when your machine is unlocked. Cold boot attacks. Using little more than a screwdriver, compressed air-can, and the laws of thermodynamics, a crafty hacker can freeze and eject your RAM after use, and then load its contents onto another disk. “Evil maid” attacks. A bad actor can load malware onto your operating system that triggers once your machine has been unlocked—so don’t let your computer out of your sight, paranoid people. Deprecated encryption software (like TrueCrypt). If a flaw is discovered in the program, which is all but inevitable, you’ll want someone to patch it immediately. Shoulder surfers (who peak at passwords and PINs) and other up-to-no-gooders… “The different ways you can get hacked or surveilled are too numerous to list in full,” Lee writes. For the “How to,” including best practices and the like, head over to The Intercept where you’ll learn how you—yes you, too—can encrypt your Windows, Mac OS X, or Linux disks. It’s easy. Now all you need is a dab of glitter nail polish.
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
Current thread:
- How protected does laptop encryption leave you? Audrey McNeil (May 05)