Security Basics mailing list archives

RE: Encryption on Laptops?


From: "Kathmann, Nicholas" <Nicholas.Kathmann () KaiserAl com>
Date: Fri, 19 Mar 2004 00:24:49 -0600

 

Some suggestions that will make this all the more complicated for a
hacker to get in.  
1. Keep system up to date with patches
2. Strong password policies and enforce them
3. Disable all but boot from Hard Drive in BIOS, then password
protect BIOS.  Items like the NT Crack Diskette won't work if you
can't boot to them.  Also make sure you have a list of the serials of
those laptops.  If they are stolen, report them immediately.
4. You can use a cheap Biometric device (anywhere from $29, some
laptops have them built in)
5. A good place to start with the system settings is the NSA
guidelines.  Items like strong passwords, hide last known username,
clear pagefile on exit (caution: takes forever), etc will provide you
with a lot of useful settings
6. There are several products which lie (supposedly) within the BIOS
that send out heartbeats to managed services.  These products are
supposed to have the capability to track down stolen laptops and
report them to the police even if the HD is removed.  I know Dell and
Gateway offer these types of products for like $30-80 at the time of
purchase. 

If a hacker gets physical access to the machine, and can slave the HD
to another machine, there may be little you can do to stop him.  EFS
will provide another roadblock, but has its weaknesses (doesn't
delete the original data, rather removes the pointer, etc). 
Remember, the goal of security is not to make it impossible to get in
(next to impossible), but to make it hard enough that even the most
persistent hacker will give up before he gets close.

Good Luck

Thanks,
 
Nicholas Kathmann, CISSP
Security Engineer, Sr. / Technical Architect
Kaiser Aluminum : Global Commodities Business Unit
Desk - 225.869.2476
Cell   - 225.268.8927
nicholas.kathmann () kaiseral com
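As an added example that is not part of the original thread: a read-only PowerShell audit of the two registry-backed settings item 5 names ("hide last known username" and "clear pagefile on exit"), plus the local password policy from item 2. The registry paths and value names are Windows' own; the check list and output format are assumptions of this example.

```powershell
# Added audit example (not from the original thread). Reads the registry
# values behind two of the NSA-guideline items the reply names. Run in an
# elevated PowerShell on the laptop being checked; it changes nothing.

$checks = @(
    @{ Name  = 'Hide last logged-on username'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DontDisplayLastUserName'
       Want  = 1 },
    @{ Name  = 'Clear pagefile at shutdown'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Value = 'ClearPageFileAtShutdown'
       Want  = 1 }
)

foreach ($c in $checks) {
    # A missing value means the default (0, disabled) is in effect.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    if ($null -eq $actual) { $actual = 0 }
    $status = if ($actual -eq $c.Want) { 'OK' } else { 'NOT SET' }
    '{0,-30} {1,-8} (current value {2})' -f $c.Name, $status, $actual
}

# Local password policy (item 2): minimum length, maximum age and
# lockout threshold for accounts on this machine.
net accounts
```

A "NOT SET" line means the setting still has its default; set the value to 1 through Group Policy or the registry and reboot for the pagefile option to take effect.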

-----Original Message-----
From: Simon and Sara Zuckerbraun [mailto:szucker () rcn com] 
Sent: Thursday, March 18, 2004 12:49 AM
To: 'Shanafelt, Gabe'; security-basics () securityfocus com
Subject: RE: Encryption on Laptops?

Honestly, protecting data on a laptop is very, very hard to
accomplish. Once an adversary gains physical control of a machine,
there's not much that can stop him from also gaining access to the
data. I wish there were some simple answers I could give you, but
there just aren't. It's a tough subject.

If you enable EFS on Windows XP, this provides you with 128-bit
encryption. This type of encryption is strong enough so that it can not be
defeated directly using any technology currently known to man. But
consider: it's usually not very hard for an adversary to examine the
hard drive and run a program that will crack (figure out) the
password. Then he can simply turn on the laptop and log in, gaining
access to all files. Bottom line: It's highly unlikely that Windows
XP's encryption is the weakest link in your laptop defense. And
unless you're addressing the weakest link, you're not really
affecting security.

A couple of things that can help are:
1. Strong password policies, that ensure that users are choosing
passwords that are complex and difficult for an attacker to decode.
2. Smart cards, which act like a physical vault for storing passwords
(this is a bit of a simplification but essentially accurate.) For
example, the SPYRUS Rosetta USB:

http://www.spyrus.com/content/products/RosettaUSB_N7.asp


Securing data on a laptop is one of the very hardest things to
accomplish, so depending on what's at stake, it may well be worth
hiring a security professional to analyze your needs and recommend
appropriate solutions. 

(Also to ensure that the proper safeguards are in place so that you
don't accidentally get permanently locked out of your own data, which
is all too possible when strong encryption is in use...)

Simon


-----Original Message-----
From: Shanafelt, Gabe [mailto:SHANAGG () dshs wa gov]
Sent: Tuesday, March 16, 2004 10:27 AM
To: security-basics () securityfocus com
Subject: Encryption on Laptops?

If one wanted to encrypt data on a laptop but the enhanced cryptopack
for Windows XP isn't strong enough, what products would you
recommend? Preferably low cost or free products?

Thanks, Gabe



----------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get
$545 off any course! All of our class sizes are guaranteed to be 10
students or less to facilitate one-on-one interaction with one of our
expert instructors.
Attend a course taught by an expert instructor with years of
in-the-field pen testing experience in our state of the art hacking
lab. Master the skills of an Ethical Hacker to better assess the
security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------






