wilo300zx

Securing a Laptop with its Files

22 posts in this topic

I not long bought a new Asus laptop (N50V Series). As most of us are, i am paranoid about security. I try to implement the best security measures as possible. I work for a small wireless ISP and their are allot of files on this laptop i shiver at the thought of losing/misplacing.

I have a dual boot on this laptop with:

1) 64bit vista ultimate with a Vm of Ubuntu 8.10

2) FreeBSD 4.2 with Vm of Server 2008 32bit

Measures i have taken so far:

I have removed all accounts on the windows machine except for the user account and administrator account. Both have upper and lower case, alpha numeric and symbol passwords. Each password on each account for windows/*nix are different and consist of 15 characters. For vista and ubuntu, i have thumb print scanning as well. Very effective - have not managed to beat this yet.

I have disabled all the services i can on my o.s's and installed zonealarm (spi software firewall) for windows o.s and firestarter for ubuntu and freebsd.

I use NTFS filetypes for windows and Ext32 for *nix.

I have set a password on the BIOS, and the laptop wont boot any devices or drivers until this password has been entered.

My next phase of security

I want to somehow hard code the bios password into the flash rom for the bios. So even if the cmos battery is removed and reset, the bios password will still remain.

I also want to lock down my hard drive more, maybe some form of raid, where one half of the image is stored on a external hdd that i carry on me, so if the laptop was stolen, the data could not be read unless they had the external hard drive as well.

I don't want to sound too paranoid, and i acknowledge that no system will ever be 100% secure, but i want to make mine as secure as possible.

What measures have you taken to secure your files? Any recommendations, any ideas?

Thanks

K1LL9

0

Share this post


Link to post
Share on other sites

I didn't see anything on there about encrypting the files.

I avoid using the encryption solutions that come with Windows, instead favouring a more portable solution. I personally use TrueCrypt.

0

Share this post


Link to post
Share on other sites

Yeah, your laptop isn't very secure, I could access your files just by removing the harddrive.

0

Share this post


Link to post
Share on other sites

most newer laptops have the password hardcoded to the motherboard and removing the cmos battery or shorting the mobo wont work. in addition to that your bios should have options for a system password and a harddrive password, so that if someone removes the harddrive and tries to plug it into another computer it wont recognize the drive, even if you connect it with an external enclosure. i wouldnt be too uber paranoid about getting all of your data super CIA secure. just the bios password is more than enough to thwart the average thief. unless you have some TOP S33KRIT govt documents i wouldnt bother with triple encrypting, bios locking, lojack installing, thermite riggin up your laptop too much, it becomes more of a pain in the ass entering 8 different passwords just to logon and get to some simple files and apps.

0

Share this post


Link to post
Share on other sites

To much security can slow you down.

0

Share this post


Link to post
Share on other sites

Since you work for an ISP (so, always on Internet accessible Network), and security/encryption is the goal if the laptop is lost, treat it like a thinclient.

No (data) files on the laptop itself. Just the apps you need, and VPN to your work network and access/store the files remotely. Someone gets your laptop, they have a nice laptop, but no data.

Additionally, you can treat it like a complete thinclient, and even access the apps over the VPN (Like X-11 Forwarding), so the files never touch your laptop. THe apps and files stay on the work server you securely access, and the only information you laptop ever sees is GUI images.

0

Share this post


Link to post
Share on other sites
Since you work for an ISP (so, always on Internet accessible Network), and security/encryption is the goal if the laptop is lost, treat it like a thinclient.

No (data) files on the laptop itself. Just the apps you need, and VPN to your work network and access/store the files remotely. Someone gets your laptop, they have a nice laptop, but no data.

Additionally, you can treat it like a complete thinclient, and even access the apps over the VPN (Like X-11 Forwarding), so the files never touch your laptop. THe apps and files stay on the work server you securely access, and the only information you laptop ever sees is GUI images.

How exactly do you treat your laptop as a thinclient?

What in the world are you talking about?

0

Share this post


Link to post
Share on other sites
Since you work for an ISP (so, always on Internet accessible Network), and security/encryption is the goal if the laptop is lost, treat it like a thinclient.

No (data) files on the laptop itself. Just the apps you need, and VPN to your work network and access/store the files remotely. Someone gets your laptop, they have a nice laptop, but no data.

Additionally, you can treat it like a complete thinclient, and even access the apps over the VPN (Like X-11 Forwarding), so the files never touch your laptop. THe apps and files stay on the work server you securely access, and the only information you laptop ever sees is GUI images.

How exactly do you treat your laptop as a thinclient?

What in the world are you talking about?

Exactly how I described it. By having all data (and apps if you want to get hardcore) on a server in a secure location. The data should not be stored on the laptop. The laptop should only act as a terminal or monitor.

0

Share this post


Link to post
Share on other sites

I've recently played with TrueCrypt, and it's pretty awesome. Some thing to remember when using TrueCrypt though. Don't leave the computer on and unattended. Similarly, don't leave the computer in suspend mode unattended. Any encryption you have can easily be defeated by walking off with the laptop at just the right time. Also, be careful of keyloggers and the like, though that's less likely with a laptop keyboard. TrueCrypt also doesn't protect Windows of any of the applications themselves, so you're on your own there. Though if someone walks off with it, it's about the only way to guarantee your data's safety (besides not having the data on the laptop itself).

0

Share this post


Link to post
Share on other sites

Truecrypt is the best method for keeping your data secure, I wouldn't recommend a thin client.

Edited by R4p1d
0

Share this post


Link to post
Share on other sites

Actually, I recommend both TrueCrypt and a thin client if possible. TrueCrypt System Encryption via AES (very optimized) is what you want there. You can protect the whole system with that, and further protect critical files with truecrypt volumes if you choose. Protecting the whole system is important because information can leak out of encrypted volumes in various ways, from MRU lists to temp files. PGP can also provide protection, with the added benefit of communication security.

Thin clients with VPN's are nice if your able to pull it off. A relatively simple setup might be remote networking over VPN, and ensuring data storage is only temporary. I use a ramdisk for temporary storage of relatively small files. You could VPN into your network, have active files copied to RAM disk, upload any changes, and purge RAM. That's most secure version, but TrueCrypt with Ohm's additional suggestions should protect the data at rest well enough.

Edited by army_of_one
0

Share this post


Link to post
Share on other sites
Actually, I recommend both TrueCrypt and a thin client if possible. TrueCrypt System Encryption via AES (very optimized) is what you want there. You can protect the whole system with that, and further protect critical files with truecrypt volumes if you choose. Protecting the whole system is important because information can leak out of encrypted volumes in various ways, from MRU lists to temp files. PGP can also provide protection, with the added benefit of communication security.

Thin clients with VPN's are nice if your able to pull it off. A relatively simple setup might be remote networking over VPN, and ensuring data storage is only temporary. I use a ramdisk for temporary storage of relatively small files. You could VPN into your network, have active files copied to RAM disk, upload any changes, and purge RAM. That's most secure version, but TrueCrypt with Ohm's additional suggestions should protect the data at rest well enough.

Just as long as you don't lose your truecrypt encryption key. :P

0

Share this post


Link to post
Share on other sites
Actually, I recommend both TrueCrypt and a thin client if possible. TrueCrypt System Encryption via AES (very optimized) is what you want there. You can protect the whole system with that, and further protect critical files with truecrypt volumes if you choose. Protecting the whole system is important because information can leak out of encrypted volumes in various ways, from MRU lists to temp files. PGP can also provide protection, with the added benefit of communication security.

Thin clients with VPN's are nice if your able to pull it off. A relatively simple setup might be remote networking over VPN, and ensuring data storage is only temporary. I use a ramdisk for temporary storage of relatively small files. You could VPN into your network, have active files copied to RAM disk, upload any changes, and purge RAM. That's most secure version, but TrueCrypt with Ohm's additional suggestions should protect the data at rest well enough.

Just as long as you don't lose your truecrypt encryption key. :P

From personal experience, I can't emphasize enough to choose a memorable, strong password. Pass phrases are a good idea here.

0

Share this post


Link to post
Share on other sites
Actually, I recommend both TrueCrypt and a thin client if possible. TrueCrypt System Encryption via AES (very optimized) is what you want there. You can protect the whole system with that, and further protect critical files with truecrypt volumes if you choose. Protecting the whole system is important because information can leak out of encrypted volumes in various ways, from MRU lists to temp files. PGP can also provide protection, with the added benefit of communication security.

Thin clients with VPN's are nice if your able to pull it off. A relatively simple setup might be remote networking over VPN, and ensuring data storage is only temporary. I use a ramdisk for temporary storage of relatively small files. You could VPN into your network, have active files copied to RAM disk, upload any changes, and purge RAM. That's most secure version, but TrueCrypt with Ohm's additional suggestions should protect the data at rest well enough.

Just as long as you don't lose your truecrypt encryption key. :P

From personal experience, I can't emphasize enough to choose a memorable, strong password. Pass phrases are a good idea here.

I'm glad you're starting to understand the importance of good passwords/passcodes that can be memorized, because losing such a code could render hundreds of gigabytes of priceless sensitive data to be lost.

I'm sure there isn't an idiot in the world who would allow themselves to lose such a valuable asset. :cuss:

Edited by R4p1d
0

Share this post


Link to post
Share on other sites
Actually, I recommend both TrueCrypt and a thin client if possible. TrueCrypt System Encryption via AES (very optimized) is what you want there. You can protect the whole system with that, and further protect critical files with truecrypt volumes if you choose. Protecting the whole system is important because information can leak out of encrypted volumes in various ways, from MRU lists to temp files. PGP can also provide protection, with the added benefit of communication security.

Thin clients with VPN's are nice if your able to pull it off. A relatively simple setup might be remote networking over VPN, and ensuring data storage is only temporary. I use a ramdisk for temporary storage of relatively small files. You could VPN into your network, have active files copied to RAM disk, upload any changes, and purge RAM. That's most secure version, but TrueCrypt with Ohm's additional suggestions should protect the data at rest well enough.

Just as long as you don't lose your truecrypt encryption key. :P

From personal experience, I can't emphasize enough to choose a memorable, strong password. Pass phrases are a good idea here.

I'm glad you're starting to understand the importance of good passwords/passcodes that can be memorized, because losing such a code could render hundreds of gigabytes of priceless sensitive data to be lost.

I'm sure there isn't an idiot in the world who would lose such a thing though. :cuss:

One should also consider failures of OS or encryption software. If they store keys in one master container, then they should probably have a few copies of it. Using a different [mature] encryption program for each one might also be advantageous. TrueCrypt, GPG and FineCrypt come to mind.

0

Share this post


Link to post
Share on other sites
Actually, I recommend both TrueCrypt and a thin client if possible. TrueCrypt System Encryption via AES (very optimized) is what you want there. You can protect the whole system with that, and further protect critical files with truecrypt volumes if you choose. Protecting the whole system is important because information can leak out of encrypted volumes in various ways, from MRU lists to temp files. PGP can also provide protection, with the added benefit of communication security.

Thin clients with VPN's are nice if your able to pull it off. A relatively simple setup might be remote networking over VPN, and ensuring data storage is only temporary. I use a ramdisk for temporary storage of relatively small files. You could VPN into your network, have active files copied to RAM disk, upload any changes, and purge RAM. That's most secure version, but TrueCrypt with Ohm's additional suggestions should protect the data at rest well enough.

Just as long as you don't lose your truecrypt encryption key. :P

From personal experience, I can't emphasize enough to choose a memorable, strong password. Pass phrases are a good idea here.

I'm glad you're starting to understand the importance of good passwords/passcodes that can be memorized, because losing such a code could render hundreds of gigabytes of priceless sensitive data to be lost.

I'm sure there isn't an idiot in the world who would lose such a thing though. :cuss:

One should also consider failures of OS or encryption software. If they store keys in one master container, then they should probably have a few copies of it. Using a different [mature] encryption program for each one might also be advantageous. TrueCrypt, GPG and FineCrypt come to mind.

You're right, there should be multiple copies of encryption keys made, but I doubt an average everyday idiot would realize the importance of this until it was to late. :pissed:

0

Share this post


Link to post
Share on other sites

Under linux, is it possible to install your programs (IE: Firefox, thunderbird, etc) INSIDE of a truecrypt volume? So you would have to Mount the volume everytime you need to use these programs?

0

Share this post


Link to post
Share on other sites

If your laptop has firewire, you've already lost the battle.

Also, encryption isn't the end-all-be-all of security. Most information can be "stolen" just by asking for it. Encryption _ONLY_ provides security on a cold system. Even then, the system has to be fully cold (battery removed, power cable unplugged) for a good amount of time (I'd say ten minutes).

0

Share this post


Link to post
Share on other sites

The SDRAM issue isn't much of one. Yes, data can be recovered by removing the memory module from a laptop just after it's been turned off, or booting a USB key that dumps the memory to the USB key. However, it does decay quite quickly. The images they used showed distortion and noise pretty quickly after removing the module, though they did remain rather intact for a surprisingly long time. But when you're talking about an encryption key, not a single bit can have changed or it won't work.

This is also a really specialized and elaborate attack. Someone has to know that you are carrying information worth something and to be prepared to do this as soon as the laptop is stolen. They also have to steal it while it's on which, if you're careful, won't happen. It seems that if someone is going to go through this much trouble, perhaps you shouldn't be carrying this data around in the first place.

0

Share this post


Link to post
Share on other sites
Under linux, is it possible to install your programs (IE: Firefox, thunderbird, etc) INSIDE of a truecrypt volume? So you would have to Mount the volume everytime you need to use these programs?

I know that in Windows, you can use TC to encrypt your entire drive, requiring a password on boot. Not sure if this is possible with linux, though.

0

Share this post


Link to post
Share on other sites

Security a Laptop.

I saw this and the first thing I thought of was Physical Security Fail already. :lol:

0

Share this post


Link to post
Share on other sites
Under linux, is it possible to install your programs (IE: Firefox, thunderbird, etc) INSIDE of a truecrypt volume? So you would have to Mount the volume everytime you need to use these programs?

TrueCrypt supports hidden OS partitions. It's one of the successful ways to deal with OS-level leaks: the OS runs entirely inside the hidden encrypted partition. Your basic, day-to-day activities would happen on the main system-encrypted drive. Sensitive tasks would involve booting up from the hidden OS volume. This prevents data leaks. Another poster was right about firewire: I never have it in my laptops for that reason. Avoid journaled filesystems as well.

You can also modify the system to quickly fill up memory with random data upon shutdown or hibernation to defeat memory recovery attacks. It's even easier to put this in the bootloader as a boot option. Upon shutdown, power it on, wait a few seconds, power it off before OS is launched. Done. It can be made mandatory or optional. These aren't much of an issue though: Ohm correctly pointed out that the memory fades and degrades quickly. Keys are quite frail, and while I don't need every bit to decrypt your volume, loosing even 20 makes it a daunting challenge. Additionally, the attacker doesn't know which bits have errors, because the key looks random to begin with.

Info on TrueCrypt hidden OS volumes

http://www.truecrypt.org/docs/ (see "Hidden Operating System" section)

Schneier on TrueCrypt Weaknesses: http://www.schneier.com/paper-truecrypt-dfs.pdf

(Note: Paper is on earlier version. I can't find link ATM, but he has said the hidden OS partitions prevent many leak issues.)

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now