• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Laptop with secret data, what to do to secure it?

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Goto page 1, 2  Next
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Physical Security and Social Engineering

View previous topic :: View next topic  
Author Message
n707
Just Arrived
Just Arrived


Joined: 28 Feb 2007
Posts: 0


Offline

PostPosted: Tue Apr 03, 2007 9:49 pm    Post subject: Laptop with secret data, what to do to secure it? Reply with quote

What everything would you do, if you will have a laptop with secret data to protect the laptop and the data as well??

I can start: encrypt the data, use Kensington lockers to protect computer, make BIOS and harddisk password.

What else? Please write as many ideas you know.
Back to top
View user's profile Send private message
EOS
Just Arrived
Just Arrived


Joined: 24 Sep 2005
Posts: 1


Offline

PostPosted: Tue Apr 03, 2007 10:48 pm    Post subject: Reply with quote

FULL Disk Encryption

Physically secure the laptop at all times.
Back to top
View user's profile Send private message
bhavuk
Just Arrived
Just Arrived


Joined: 03 Apr 2007
Posts: 1
Location: New Delhi

Offline

PostPosted: Tue Apr 03, 2007 11:01 pm    Post subject: Reply with quote

try this open source tool
works quite well

http://www.truecrypt.org/
Back to top
View user's profile Send private message
n707
Just Arrived
Just Arrived


Joined: 28 Feb 2007
Posts: 0


Offline

PostPosted: Wed Apr 04, 2007 12:15 pm    Post subject: Reply with quote

EOS wrote:
Physically secure the laptop at all times.


Sure I know this rule but.. won't it destroy the hardware? I mean when I take it when I travel by buses, in traffic transport in underground, won't some kinds of shaking destroy my harddisk?

OK. So physical security and full disk encryption. What else? I am sure there are many more such things. So?
Back to top
View user's profile Send private message
hax0r26
Just Arrived
Just Arrived


Joined: 20 Feb 2007
Posts: 0
Location: United States of America

Offline

PostPosted: Thu Apr 05, 2007 9:30 pm    Post subject: Reply with quote

How about making sure your system is secure like FORT KNOX.


If they do somehow manage to breach your notebooks security, they still have to crack the encryption to even see the data on the system.

What OS are you running on this notebook?
Back to top
View user's profile Send private message Visit poster's website
stimpy99
Just Arrived
Just Arrived


Joined: 11 Sep 2005
Posts: 0


Offline

PostPosted: Thu Apr 05, 2007 10:05 pm    Post subject: Re: Laptop with secret data, what to do to secure it? Reply with quote

n707 wrote:
What everything would you do, if you will have a laptop with secret data to protect the laptop and the data as well??

I can start: encrypt the data, use Kensington lockers to protect computer, make BIOS and harddisk password.

What else? Please write as many ideas you know.


Full disk encryption. PGP FDE is great.

When you say "secret" do you mean Government Protectively Marked Secret (they will have there own rules - I know!) or this this just intellectual property that your company need to keep safe?
Back to top
View user's profile Send private message
n707
Just Arrived
Just Arrived


Joined: 28 Feb 2007
Posts: 0


Offline

PostPosted: Fri Apr 06, 2007 12:25 am    Post subject: Reply with quote

stimpy99 wrote:
Full disk encryption. PGP FDE is great.


Is sufficient to use TrueCrypt?

stimpy99 wrote:
When you say "secret" do you mean Government Protectively Marked Secret (they will have there own rules - I know!) or this this just intellectual property that your company need to keep safe?


That is Top secret degree, with many money (believe me - really many money) left in case of stoling or copying. Really.

hax0r26 wrote:
What OS are you running on this notebook?


Win XP pro. Is that important?

Moderator note: please do not use nested quotes - capi


Last edited by n707 on Fri Apr 06, 2007 10:51 am; edited 2 times in total
Back to top
View user's profile Send private message
hax0r26
Just Arrived
Just Arrived


Joined: 20 Feb 2007
Posts: 0
Location: United States of America

Offline

PostPosted: Fri Apr 06, 2007 4:27 am    Post subject: Reply with quote

Quote:
Win XP pro. Is that important?


Is that important? Laughing Seriously, you want *us* to give you information including different ways and methods to secure this notebook. However, you don't even give an OS.

Cheers, Hax0r26

Quote:
When you say "secret" do you mean Government Protectively Marked Secret (they will have there own rules - I know!) or this this just intellectual property that your company need to keep safe?


stimpy99 You work for the Government? Yes or No?

Laughing
Back to top
View user's profile Send private message Visit poster's website
Networkguy
Trusted SF Member
Trusted SF Member


Joined: 29 Apr 2002
Posts: 16777215
Location: UK

Offline

PostPosted: Tue Apr 17, 2007 1:55 am    Post subject: Reply with quote

If this is really secret (as defined by the government) then you have made your first mistake by putting this data onto a laptop and taking out of a secure building.

Likewise, if this is gov then in the UK and the US then your local infosec team will be on hand to give you guidance.

If this is just sensitive commercial grade stuff however thn start with good full disk encryption. Others here have already pointed you at a few products so use these to secure the laptop whilst it is at rest.

This now means that even if your laptop is stolen, they can't just boot the thing up and even if they put the hard disk into a different machine, they still need to spend time breaking the encryption before they gain access.

And finally, if this is really SECRET, fill the RJ45 ethernet port with some sort of epoxy resin to avoid the urge to plug it into an unsecure network such as a college LAN or even the internet.
Back to top
View user's profile Send private message
PhiBer
SF Mod
SF Mod


Joined: 11 Mar 2003
Posts: 20
Location: Your MBR

Offline

PostPosted: Tue Apr 17, 2007 6:19 pm    Post subject: Reply with quote

In addition to what NetworkGuy has already said, do note that the majority of attacks against strong encryption do not occur against the algorithm itself, but against other vulnerabilities. In otherwords, why crack the encryption when a simple rootkit, trojan or vulnerability exploit can render your data compromised? Your connection to the Internet is your biggest threat. If the data you are trying to protect is as important as you make it out to be, take the advice of others from this posting and get guidance from industry level security professionals. Online postings can only help you so much, and the risk of misconfiguration in the security realm is incredibly high if you are not a seasoned professional.
Back to top
View user's profile Send private message
stimpy99
Just Arrived
Just Arrived


Joined: 11 Sep 2005
Posts: 0


Offline

PostPosted: Tue Apr 17, 2007 9:51 pm    Post subject: Reply with quote

hax0r26 wrote:
stimpy99 You work for the Government? Yes or No? Laughing

Work for a defence contractor, as their sec admin, that has upward links to "other areas" - nuff said
Back to top
View user's profile Send private message
The_Real_Gandalf
Trusted SF Member
Trusted SF Member


Joined: 14 Apr 2004
Posts: 0
Location: Athens,Greece

Offline

PostPosted: Wed May 09, 2007 10:27 am    Post subject: Reply with quote

Protecting your data?...ehmm.... ok!

First of all , as networkguy mentioned , these data should never be out of the premises in the first place...

Anyway... lets give it a shot.

1-First of all encryption. Use PGP or other encryption program , capable of providing a 1024bit RSA key.

Take your keys now , created by PGP and store them into a usb stick which should be kept in a different place than your notebook. Without those keys , data are useless even from a physical attack.

2-Hide them. Use a security suite like Steganos and create a virtual drive with full encryption provided by the software. The complexity of getting the files cracked, should reach to max, if you think that you have first used PGP, then Steganos and then hide them all together into a file (virtual drive) which open only with a very strong alphanumeric password. Not to mention that you need to have this USB with the keys for the PGP program.

3-On top off all that you can use a biometric fingerprint usb device that will ask for the password and match it with your fingerprint.

So no matter if the attacker steals your notebook (which should be insured) he will never crack the procedure, cause he will be missing 3 things.

USB and keys of PGP, Password for Steganos , Fingerprint of yours along with the local password of your account. Even from a physical point of view , if he tries to "read" the HDD with another device/system he will get an encrypted file with 1024-RSA encryption (PGP) multiplied with the encryption strength of Steganos Security.

I do not have to mention though that this case , is valid and easy to use , only if the data you are reffering to , are not more than 500MB. Otherwise it might take you a period of 10-20mins , to encrypt-decrypt every time those files.

Your choice...


Gandalf
Back to top
View user's profile Send private message Visit poster's website AIM Address
stimpy99
Just Arrived
Just Arrived


Joined: 11 Sep 2005
Posts: 0


Offline

PostPosted: Wed May 09, 2007 9:23 pm    Post subject: Reply with quote

n707
PhiBer wrote:
Online postings can only help you so much, and the risk of misconfiguration in the security realm is incredibly high if you are not a seasoned professional.


Good point. What I always ask people is "do you want The Sun Test? <insert your biggest selling newspaper here!>. Meaning if you fook up do you want your face on the front page of a newspaper saying "this was the guy that lost 45.7 million credit card details... leaked the personal detail of 40,00 veterens, lost a billion pound order because tender documents were lost..., etc <add you own headline in here!>.
Back to top
View user's profile Send private message
RoninV
Just Arrived
Just Arrived


Joined: 12 May 2007
Posts: 0


Offline

PostPosted: Sat May 12, 2007 6:22 pm    Post subject: It's not just security from theft Reply with quote

When it comes to full hard drive encryption, one is always weary that corruption will make the data unusable. Of course, this corruption would happen at the worst time (company meeting, conference). So for me, it's not just a security against data loss (via theft) question. It also has to do with reliable data access, once these security measures ar in place. So, I like the suggestions given, including Gandalf's meshing of them. Could someone bottom line the data access reliability factor?
Back to top
View user's profile Send private message
groffg
Just Arrived
Just Arrived


Joined: 16 May 2007
Posts: 0


Offline

PostPosted: Wed May 16, 2007 7:03 pm    Post subject: data security options Reply with quote

In response to the original post, I'd say that a layered security approach that is commensurate with the level of risk is entirely appropriate. A reasonable (rather than paranoid) approach to security is appropriate in most environments. First, it's good to divide security in terms of the computer being "live" as well as the computer (and data) being "at rest." Let's start w/ the first.

While the computer is on, you could face a variety of potential data-breaching scenarios. If you surf the web with your laptop, a single piece of malware on a rogue (or even legitimate) web site could render your machine owned (breached). At that point, you *might* have a data breach (or, your machine might simply be used as a spambot, not that that's a good thing). Regardless, being proactive is key to protecting your data. I won't regurgitate the "top 10 security tips" lists that are out there and readily available, but I'll say that 2 bafflingly seldom-mentioned suggestions are as follows:
* use a limited user account for daily computer use
* turn on DEP for all progs/services, and verify that your hardware supports marking pages in memory as "no execute" (NX, aka XD)

Logging in as a limited user will reduce your security "surface area" in the event that malware executes within the security context of your login. Regarding DEP, I strongly recommend using hardware that supports it. If your machine does not, then you could consider upgrading (i.e., purchasing) a new machine.

Now, in regards to data that is "at rest," I like the idea of FDE (full disk encryption). FDE encrypts everything on the disk, sector by sector, excluding necessary startup code residing in the MBR (master boot record). The idea of FDE is that, if someone steals your computer and attempts to read data directly off the disk, that data will all be encrypted and nearly impossible to access.

Given the availability of EFS (encrypting file system) in the "professional" or "business" edition of Windows, why not just use EFS? EFS is certainly an option, but non-Vista versions of Windows cannot encrypt the paging files and confidential files might appear in unencrypted form in the %temp% directory. One solution to both problems would be to 1) encrypt the %temp% folder & sub-folders (in addition to your "documents" directories or wherever your secret files reside) and to 2) not use paging at all (assuming your have a liberal amount of physical memory). Again, with FDE this is not an issue since file fragments, paging files, as well as temp files are all encrypted anyway, and furthermore, FDE is more "thorough" in that literally everything (well, almost) is encrypted, so for the paranoid FDE is a better route, but for the mere "security conscious" individual, EFS might be an acceptable solution.

Again, I'll skip the "top 10" lists that recommend such obvious suggestions as to use a firewall (that actually works), use AV, be judicious in your downloads, and so forth. I will say that, on a final note, good security is layered, such that if a breach occurs, the bad guy will not immediately have full access to your data, but will instead have to undergo at least one or two more hurdles.
Back to top
View user's profile Send private message
The_Real_Gandalf
Trusted SF Member
Trusted SF Member


Joined: 14 Apr 2004
Posts: 0
Location: Athens,Greece

Offline

PostPosted: Mon Jul 09, 2007 12:08 pm    Post subject: Reply with quote

Quote:
Could someone bottom line the data access reliability factor?


This is an issue which has all to do with your HDD life limit as hardware part. As long as your drive is spining right and your system can read all data from it, then you can work with 100% efficiency.

Since now , we are aware that as hardware it will certainly fail at some point in teh future, backup is another case that we need to examine. Backup should be made in a scheduled way as to have a 90-95% data integrity and availabillity.
Confidentiality however should be achieved in a more physical way , like for instance storing them in a remote place (e.g. safe box or bank deposit box) according to your data value. If you are a simple user, i think that a small locked cabinet would be enough to store any CD/DVD/USB sticks you might have to safe keep your files.
Keep in mind also that there are 2-4GB usb sticks out there with built-in encryption module and biometric devices on board. So you might feel a bit more safer with them.

Gandalf
Back to top
View user's profile Send private message Visit poster's website AIM Address
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Physical Security and Social Engineering All times are GMT + 2 Hours
Goto page 1, 2  Next
Page 1 of 2


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register