Saturday, May 21, 2011

Securing your laptop Part 1

Most people view laptops as disposable items. Who cares if your laptop is stolen? You can just buy a new one... and hey, you can even get a faster one while you're at it! However, most people don't realize how much of a hassle a stolen laptop can be until, unfortunately, it is stolen. A stolen company laptop can lead to a lost job; a stolen personal or home-business computer can lead to a trashed credit history. Horror stories like this one are becoming commonplace, and the worst part is that they are easily avoidable.

The truth is, you don't have to have your entire customer database on your laptop. That is not only insecure but unnecessary. If you have enough business to justify a database, you have enough business to justify a proper VPN tunnel to reach that database remotely. Keeping sensitive data on your laptop is the security equivalent of writing it down on a piece of paper and putting it in your purse or wallet. The best way to make sure important data doesn't get stolen is to keep it off mobile devices in the first place, but in some situations you have no choice (PII in particular seems to end up everywhere). So what do you do?

When talking about security, especially on mobile devices, encryption is the gold standard. If you think your data is safe with Windows BitLocker, think again: as a computer tech I am asked countless times to recover data that Windows has encrypted, and while it isn't easy, it isn't as hard as it SHOULD be. So I will describe the setup I use on my personal laptop, in the hope that it helps the less technical prevent what could be a disaster.


So, first, as with anything involving security, you have to assess what information is on your laptop and decide whether encryption is necessary, and if so, what kind. For this example I will be using TrueCrypt, primarily because it is multi-platform (which makes sharing encrypted data much smoother) but also because it performs very well, which matters when you are encrypting your whole file system.

So, what data should I encrypt?

Put yourself in the shoes of someone who would benefit from stealing your laptop. What data will they be looking for? What damage could they do with that data?

Normally, data falls into one of the following categories: PII (personally identifiable information), authentication data (logins for websites and the like), and classified material (such as documents that could damage your business interests should they fall into the wrong hands). Any data that an adversary (or attacker) could use to impersonate, harm, or gain an advantage over you should be considered sensitive and should, at the very least, be encrypted.



Before you begin, it is important to know how your solution will affect you and anyone else who either uses your computer or has access to your data. In our example the computer (my personal laptop) is a single-user private machine. My laptop holds a lot of sensitive information in the form of private key hashes for my personal VPN as well as for several services on my personal network and at work. Some of these are integrated into Windows (such as the VPN information), and while they are encrypted, someone who obtained my hashed key could attempt to brute-force the service as a whole. I of course use a strong password, but I don't want that to be a single point of failure, and I want getting at the hash to be as hard as possible should my laptop be stolen. A good security solution protects data at some cost to performance; a great solution is completely and totally transparent.

With modern processor technology, processors can encrypt and decrypt data on the fly. This is good news for anyone who needs to encrypt a file system, because it lets you keep the encrypted data on the computer's hard drive and decrypt it into RAM only as needed. This also keeps your swap files clear of decrypted data. It is what makes things like encrypted containers viable.

Encrypted containers are like a .zip file, only encrypted and without compression (the files inside keep their full size). They are the most convenient way of keeping files secure: they can be copied, deleted, sent, and shared just like any other file, yet carry no marker at all that they are in fact containers. You can even give the file another extension (such as .wmv or .mp3) and still decrypt it, which makes the arrangement more obscure and harder to detect. A talented hacker might suspect it is an encrypted volume, but because TrueCrypt volumes carry no identifying header or footer data, proving it would be quite a feat.
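To make the property this paragraph relies on concrete, here is an added example of my own (not code from the post or from TrueCrypt) of a toy headerless container format: the file is a random salt, ciphertext, and an authentication tag, nothing else, so it has no magic bytes and looks like random noise whatever extension it carries. TrueCrypt's real on-disk format differs (it stores an encrypted volume header holding the master key and uses a block cipher such as AES in XTS mode); the HMAC-based keystream, the PBKDF2 parameters and the sample "customer list" here are stand-ins I chose so the demonstration runs on the Python standard library alone. The entropy and signature checks at the end are what I would run on a freshly created container to confirm it does not advertise what it is.

```python
"""Toy headerless encrypted file container (illustration only, not TrueCrypt's format).

Container layout:  [32-byte random salt][ciphertext][32-byte HMAC tag]
Every byte is either random or random-looking, so the file carries no
signature and can be renamed to .mp3 or .wmv without changing anything.
"""
import hashlib
import hmac
import math
import os

SALT_LEN = 32
TAG_LEN = 32
PBKDF2_ITERATIONS = 200_000  # slows down each password guess; tune to your hardware


def _derive_keys(password, salt):
    """Stretch the password into separate encryption and authentication keys."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, length):
    """HMAC-SHA256 in counter mode: a stand-in here for a real cipher such as AES-XTS."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(password, plaintext):
    """Encrypt-then-MAC: returns salt || ciphertext || tag."""
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, salt + body, "sha256").digest()
    return salt + body + tag


def unseal(password, blob):
    """Check the tag before decrypting, so a wrong password or a damaged file
    fails cleanly instead of quietly producing garbage."""
    if len(blob) < SALT_LEN + TAG_LEN:
        raise ValueError("too short to be a container")
    salt, body, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + body, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or corrupted container")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, len(body))))


def byte_entropy(data):
    """Shannon entropy in bits per byte; random data scores close to 8.0."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# a handful of well-known file signatures; a container should match none of them
KNOWN_MAGIC = {b"PK\x03\x04": "zip", b"\x89PNG": "png", b"%PDF": "pdf",
               b"MZ": "exe", b"\x1f\x8b": "gzip", b"ID3": "mp3"}


def matching_signatures(data):
    """Names of file-type signatures found at offset 0 of the data."""
    return [name for magic, name in KNOWN_MAGIC.items() if data.startswith(magic)]


if __name__ == "__main__":
    # constructed sample data, deliberately repetitive so its entropy is low
    secret = b"Name,SSN,Card\nJane Doe,000-00-0000,4111111111111111\n" * 100
    container = seal("correct horse battery staple", secret)
    print(f"plaintext entropy {byte_entropy(secret):.2f} bits/byte, "
          f"container entropy {byte_entropy(container):.2f} bits/byte")
    print("signatures found in container:", matching_signatures(container))
    assert unseal("correct horse battery staple", container) == secret
    try:
        unseal("wrong password", container)
    except ValueError as err:
        print("wrong password:", err)
```

A wrong password is reported by the tag check rather than by decrypting to garbage, and the same check tells you the container is intact after you copy it or rename it. The salt goes in the clear at the front because it is random anyway; what must never sit in the file is anything derived from the password without stretching.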

But computers are notorious for leaking data into every nook and cranny, and sometimes data that shouldn't be cached gets cached, such as a recently opened file or even the password used to decrypt your container. Programs like TrueCrypt do their best to keep this to a minimum, if not eliminate it completely, but it is a severe point of failure for many programs that use encrypted file containers. Nor does it rule out an adversary putting a keylogger on your computer and using it to capture your key when you type it in to decrypt a file; if the adversary then manages to steal your computer, any encryption you have is null and void. This, again, is a single point of failure (which, if you haven't noticed the recurring theme, is what we are trying to avoid). While it's great to have sensitive files in encrypted containers, we want another layer of security.


So, how about encrypting the whole file system, Windows partition and all?

With programs like TrueCrypt this is now very easy. A TrueCrypt boot loader is installed which (again) decrypts the information on the hard drive on the fly. The boot loader prompts you for your password whenever you start the computer, and from then on the hard drive behaves exactly like one that isn't encrypted. This won't stop someone from using your computer if you are already logged in, but coupled with encrypted file containers it makes getting at information extremely difficult. And if an adversary steals a computer that is turned off, the hard drive (with the exception of the boot loader) will look like gibberish.



So, first, download TrueCrypt from here and install it.

Once the program starts, select Create Volume, choose the "encrypt system volume" option, and hit Next. I won't reinvent the wheel here: the wizard explains everything neatly and clearly, and even someone who isn't tech savvy can do this easily. I will make one note, however:


As always, back up your important data. If the TrueCrypt boot loader is damaged and your rescue CD (which you create during the wizard) is damaged as well, you will effectively lose access to all data on the hard drive you are encrypting. This is by design, obviously. And no, remembering your password won't help: your master key, which is both unique and hundreds of characters long, will no longer exist. It is very important that you make a flash drive or CD with the rescue CD files on it. Note that even with the rescue CD you still have to enter your password to decrypt the hard drive. However, in the 6+ months I've been doing this I have never had any problems with the boot loader, so don't let this discourage you. (You should have backups anyway.)

If you have done this correctly, the computer will first restart to test the boot loader (by having you enter your password) and then, directly after that, start the encryption process. Note that on a 500 GB drive this can take upwards of 10 hours, as even the empty/slack space on the hard drive is encrypted. After that process completes, every time you start the computer the boot loader will prompt you for your password. If for some strange reason the boot loader doesn't work, don't panic: the rescue CD will allow you to permanently decrypt the drive should something go wrong.


After that step is complete, you should then create one (or several) encrypted file containers to secure any sensitive documents or data. Even though your whole hard drive is now encrypted, anyone who walks up to your computer while it is on will not notice (the encryption is transparent) and will be able to use your computer as if it weren't encrypted, as long as they don't shut it down. Viruses, too, will still be able to access data as if the drive were unencrypted.


A good guide for creating file containers is here; again, TrueCrypt has excellent documentation and I will not reinvent the wheel. One note though: it is important, both for obscurity and for security, that you do not let TrueCrypt cache either the container's location or its password. That leaves someone completely in the dark as to where the container is and adds an additional layer of security. If you want to take this even further, check this out.



So, presuming everything goes to plan, you now have a very secure laptop. What we have achieved is what is referred to as defense in depth: we have created multiple layers of obstacles for a potential adversary to overcome, which will hopefully keep your data out of the adversary's hands. Keep in mind, though, that there is no such thing as absolute security, and if a laptop is stolen and not recovered it is important to assume that all data on it has been compromised, however likely or unlikely that may be. One good option is to subscribe to a service like laptop LoJack, since once you recover the computer you can tell whether or not your data has been compromised, in addition to getting the laptop back.


Bear in mind, though, that this isn't an idiot-proof system. It relies both on the strength of your passwords (remembering 30-character passwords isn't hard; just get creative and make sure you use a full mix of numbers, letters and symbols such as / , . ' : " \ and so on) and on the common sense of the administrator. If you have all of your passwords sticky-noted to the top of the laptop, all security is null and void.
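To put numbers on the "30-character password" advice, here is an added example of mine (not from the post) that estimates the entropy of a pre-boot or container password from the character classes it uses and converts that into a worst-case brute-force time at a measured guess rate. The entropy figure is the classic length times log2 of the character-set size, which is an upper bound: it assumes the characters were chosen at random, so a dictionary word scores far better than it deserves. The guess-rate measurement uses PBKDF2-SHA256 with an iteration count I picked; TrueCrypt also stretches the password with PBKDF2 but with its own hash functions and iteration counts, so treat the rate as illustrative.

```python
"""Rough password-strength estimate (added example, not from the original post)."""
import hashlib
import math
import string
import time

CHAR_CLASSES = {
    "lowercase": set(string.ascii_lowercase),  # 26
    "uppercase": set(string.ascii_uppercase),  # 26
    "digits": set(string.digits),              # 10
    "symbols": set(string.punctuation),        # 32, e.g. / , . ' : " \
}


def charset_size(password):
    """Size of the alphabet an attacker must search: every class the password
    touches counts in full, plus one for each character outside all classes."""
    size = 0
    covered = set()
    for chars in CHAR_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    size += len({c for c in password if c not in covered})  # e.g. space, non-ASCII
    return size


def entropy_bits(password):
    """Upper-bound entropy assuming each character was drawn at random."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def pbkdf2_guesses_per_second(iterations=200_000, samples=3):
    """Measure how many stretched password guesses one CPU core can test per second."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, b"fixed-salt", iterations)
    return samples / (time.perf_counter() - start)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the whole keyspace at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = pbkdf2_guesses_per_second()
    samples = ("Password1",
               "correct horse battery staple",
               "R3d/Fox,jumps.over:9'lazy\"Dogs\\!")  # constructed, all four classes
    for pw in samples:
        bits = entropy_bits(pw)
        print(f"{pw!r:40} {len(pw):3d} chars {bits:6.1f} bits  "
              f"~{years_to_exhaust(bits, rate):.3g} years at {rate:.0f} guesses/s")
```

The interesting comparison is between the third password and the first: nine mixed characters give roughly 54 bits, while thirty-plus characters across all four classes give around 200, and every extra bit doubles the attacker's work. The measured rate is for a single core in Python; scale it up by the number of cores or GPUs you think an attacker would bring before drawing comfort from the years column.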


In either case, I hope this helps some people... and happy computing!