Educause Security Discussion mailing list archives

Re: Laptop encryption experiences


From: Allison F Dolan <adolan () MIT EDU>
Date: Tue, 16 Nov 2010 07:29:58 -0500

Rich - one reason to consider FDE is compliance related - in Massachusetts, there is a regulatory requirement to
encrypt personal data on laptops (and other portable devices), and in other states, if the lost/stolen laptop has been
encrypted, then you don't need to notify.

......Allison  Dolan (617-252-1461)



On Nov 15, 2010, at 4:34 PM, Rich Graves wrote:

And don't forget that "suspend" or "hibernate" is *not* a power-off.  This
is particularly important for those laptop users who almost always suspend,
and only actually power off or reboot every few months, if at all.

If your encryption suite synchronizes passwords with login passwords, which
is true of most; and if you effectively enforce a policy of lock-on-sleep;
then I'm not sure how much real difference there is.

I don't consider cold-boot attacks a real-world threat against my class of
users. They require non-trivial preparation, expertise, and luck. Networked
attacks are possible, though it has been a while since there was a classical
remote exploit effective against our default desktop firewall policy. I'm
not sure how possible FireWire memory injection/extraction attacks are
nowadays.

For the thief, booting from an alternate OS is far less work, and usually
more effective, than any of the above attacks. Faced with a logon screen
that makes no reference to FDE, why would they go to the trouble of mounting
an online attack? I'd just pop in a boot CD, say "*&%@*@, it's encrypted,"
and wipe/resell the hardware.

If it's a targeted attack, they might have foreknowledge of the encryption
used. So we tell people to hibernate if they have top-secret data or if
they're going to an airport. Otherwise, I don't think it's worth waiting for
wake-from-hibernate every time they move between conference rooms.

If you balance the risk/benefits differently, why?
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
