Security Basics mailing list archives
RE: Encryption on Laptops?
From: "Kathmann, Nicholas" <Nicholas.Kathmann () KaiserAl com>
Date: Fri, 19 Mar 2004 00:24:49 -0600
Some suggestions that will make this all the more complicated for a hacker to get in.

1. Keep system up to date with patches
2. Strong password policies and enforce them
3. Disable all but boot from Hard Drive in BIOS, then password protect BIOS. Items like the NT Crack Diskette won't work if you can't boot to them. Also make sure you have a list of the serials of those laptops. If they are stolen, report them immediately.
4. You can use a cheap Biometric device (anywhere from $29, some laptops have them built in)
5. A good place to start with the system settings is the NSA guidelines. Items like strong passwords, hide last known username, clear pagefile on exit (caution: takes forever), etc. will provide you with a lot of useful settings
6. There are several products which lie (supposedly) within the BIOS that send out heartbeats to managed services. These products are supposed to have the capability to track down stolen laptops and report them to the police even if the HD is removed. I know Dell and Gateway offer these types of products for like $30-80 at the time of purchase.

If a hacker gets physical access to the machine, and can slave the HD to another machine, there may be little you can do to stop him. EFS will provide another roadblock, but has its weaknesses (doesn't delete the original data, rather removes the pointer, etc).

Remember, the goal of security is not to make it impossible to get in (next to impossible), but to make it hard enough that even the most persistent hacker will give up before he gets close.

Good Luck

Thanks,
Nicholas Kathmann, CISSP
Security Engineer, Sr. / Technical Architect
Kaiser Aluminum : Global Commodities Business Unit
Desk - 225.869.2476
Cell - 225.268.8927
nicholas.kathmann () kaiseral com

-----Original Message-----
From: Simon and Sara Zuckerbraun [mailto:szucker () rcn com]
Sent: Thursday, March 18, 2004 12:49 AM
To: 'Shanafelt, Gabe'; security-basics () securityfocus com
Subject: RE: Encryption on Laptops?

Honestly, protecting data on a laptop is very, very hard to accomplish. Once an adversary gains physical control of a machine, there's not much that can stop him from also gaining access to the data. I wish there were some simple answers I could give you, but there just aren't. It's a tough subject.

If you enable EFS on Windows XP, this provides you with 128-bit encryption. This type of encryption is strong enough so that it can not be defeated directly using any technology currently known to man. But consider: it's usually not very hard for an adversary to examine the hard drive and run a program that will crack (figure out) the password. Then he can simply turn on the laptop and log in, gaining access to all files.

Bottom line: It's highly unlikely that Windows XP's encryption is the weakest link in your laptop defense. And unless you're addressing the weakest link, you're not really affecting security.

A couple of things that can help are:

1. Strong password policies, that ensure that users are choosing passwords that are complex and difficult for an attacker to decode.
2. Smart cards, which act like a physical vault for storing passwords (this is a bit of a simplification but essentially accurate.) For example, the SPYRUS Rosetta USB: http://www.spyrus.com/content/products/RosettaUSB_N7.asp

Securing data on a laptop is one of the very hardest things to accomplish, so depending on what's at stake, it may well be worth hiring a security professional to analyze your needs and recommend appropriate solutions. (Also to ensure that the proper safeguards are in place so that you don't accidentally get permanently locked out of your own data, which is all too possible when strong encryption is in use...)

Simon

-----Original Message-----
From: Shanafelt, Gabe [mailto:SHANAGG () dshs wa gov]
Sent: Tuesday, March 16, 2004 10:27 AM
To: security-basics () securityfocus com
Subject: Encryption on Laptops?

If one wanted to encrypt data on a laptop but the enhanced cryptopack for Windows XP isn't strong enough, what products would you recommend? Preferably low cost or free products?

Thanks,
Gabe
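An added example, not part of the original thread: a small audit of the settings named in item 5 (password strength, hiding the last username, clearing the pagefile at shutdown), run over a Windows security policy export of the kind `secedit /export /cfg policy.inf` writes. The sample export is constructed, and the minimum password length of 8 is an assumed threshold, since the thread gives no number.

```python
import configparser

# Constructed sample in the format of `secedit /export /cfg policy.inf`; not from a real host.
# (A real export is UTF-16; read it with open(path, encoding="utf-16").)
SAMPLE_INF = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
[Version]
signature="$CHICAGO$"
"""

MIN_PASSWORD_LENGTH = 8  # assumed threshold; the thread names no number
POLICIES = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
MEM_MGMT = r"MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management"


def reg_dword(cp, path):
    """Return a REG_DWORD (type 4) value from [Registry Values], or None if unset."""
    raw = cp.get("Registry Values", path, fallback=None)
    if raw is None:
        return None
    kind, _, value = raw.partition(",")
    return int(value.strip()) if kind.strip() == "4" else None


def audit(inf_text):
    """Return the names of the settings from item 5 that are not enforced."""
    # configparser lower-cases option names, which suits case-insensitive registry
    # paths; '=' is the only delimiter so nothing else can split a key.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(inf_text)
    findings = []
    if cp.getint("System Access", "MinimumPasswordLength", fallback=0) < MIN_PASSWORD_LENGTH:
        findings.append("password-length")
    if cp.getint("System Access", "PasswordComplexity", fallback=0) != 1:
        findings.append("password-complexity")
    if reg_dword(cp, POLICIES + r"\DontDisplayLastUserName") != 1:
        findings.append("last-username-shown")
    if reg_dword(cp, MEM_MGMT + r"\ClearPageFileAtShutdown") != 1:
        findings.append("pagefile-not-cleared")
    return findings


if __name__ == "__main__":
    for name in audit(SAMPLE_INF):
        print("NOT ENFORCED:", name)
```

A setting that is absent from the export is reported as not enforced, so a laptop that was never configured shows all four findings.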