/dev/null / /dev/rant

Recently there was a lively discussion on a security mailing list I subscribe to regarding full disk encryption versus just folder encryption. The reasoning behind it: why pay for a full disk encryption program if you can get folder encryption for free, since it is included in Windows XP?

Now, most corporate laptops have some kind of encryption, namely Pointsec (the nice people who also provide software to fully encrypt your Nokia phone), Utimaco and TrueCrypt. Of course everyone agreed that full disk encryption on a corporate laptop is a necessity and should be a policy item in every company since, remember, every one of your unencrypted, lost laptops is a huge threat to your company. The data can be accessed by just connecting the drive as a slave to another machine. The procedure is so simple, any tech support person can do it. Of course with disk encryption you have to authenticate at boot to decrypt and start your operating system. That is a huge deterrent to the casual data thief and even the hardcore one, since you really can't do anything with the disk but format it, and if IBM's security features are implemented, you are out of luck there too. Still, if you throw away the disk, you've still got a nice laptop (Seagate has announced hard disks that will do encryption at the hardware level, but it's still full disk).

Of course there is one little issue. Traveling business people are the likely target for data theft, and what do you do when you travel, particularly nowadays with the heavy security checks at airports? - That’s right, you put the laptop into suspend mode. And what do most travelers carry in their laptop bags? - Correct! A charger. Now a thief steals your laptop bag and has your computer and a charger, so the machine won’t run out of juice. Good (well, bad, but still), he opens the machine and is greeted with a login prompt… great. Nothing he can do. Technically he can brute force his way in, but that’s not really feasible since, if the machine has been configured well, there is a lockout after failed attempts, even when you are not connected to the network.

So you think that the attacker will just give up? Think again. All he/she needs is a USB stick and a little luck. Luck in the form that Windows’ autorun/autoplay feature is still on. It is in most company laptops I have encountered. Cool, so he sticks his memory stick in, with a special "autoplay" file, which runs a program on the USB stick to either collect all documents it finds on the disk or run a cracker or anything really (hint: this also works on any corporate laptop that is just sitting, LOCKED, in a classroom or meeting room). And for those of you who use fingerprint identification to log in: it is very easy to fake the fingerprint if you have the correct "fingerprint" somewhere. But you may ask, how will they get my fingerprint? Well, in most cases I would say: look at your screen, can you see a few prints and smudges? If not, how about the keyboard, have you pushed any keys lately? :)

Now this is for the scenario of someone stealing your laptop. However, here is a better one, since it involves social engineering, nothing more. Say you have a meeting with your competitor, and you are sitting in a meeting room and you are about to start a presentation, when your laptop "fails". Luckily you have your presentation on a USB stick and ask if one of the parties present would mind opening it. Of course they won’t (if you ask the right way). Here is the thing: with the autorun.inf file you can craft a menu item that adds itself to the "run with what program" list in the autoplay menu that you get when inserting a USB drive into XP. The cool part is you can even give it an icon, so it could be something like "run contents with Powerpoint", and it looks like Powerpoint and Powerpoint even opens your presentation. However, while everyone is watching it, in the background a nifty program is crawling through your competitor's laptop and copying files to the USB drive.
Perfect! He gives it back to you, says thank you for the presentation, and you have some, if not a lot, of their sensitive data. Hell, you could even data-mine their Outlook address book. The possibilities are ENDLESS. How do I know? I tried it with a client of mine and it worked like a charm. I then told them about it though. Since then they have autoplay disabled on ALL laptops, and USB sticks from "other entities" are not allowed :)
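
A defender-side check for the autoplay setting discussed above, as an added example that is not part of the original post: it decodes the Windows `NoDriveTypeAutoRun` policy bitmask and lists laptops where removable drives or CD-ROMs can still trigger AutoRun. The hostnames and inventory values are constructed, and treating a missing value as "nothing disabled" is an assumption of this audit.

```python
import sys

# NoDriveTypeAutoRun bit flags: a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
    0x20: "cdrom", 0x40: "ramdisk", 0x80: "unknown-reserved",
}
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"


def autorun_enabled_types(mask):
    """Return the drive types for which AutoRun is NOT disabled by `mask`.

    None means the value is absent; assumption of this audit: treat that as
    nothing disabled by policy instead of trusting the OS default.
    """
    mask = 0 if mask is None else mask & 0xFF
    return sorted(n for bit, n in DRIVE_TYPE_BITS.items() if not mask & bit)


def audit_fleet(inventory):
    """Map hostname -> exposed drive types for hosts where a USB stick
    (removable) or a CD-ROM can still trigger AutoRun."""
    findings = {}
    for host, mask in inventory.items():
        exposed = autorun_enabled_types(mask)
        if "removable" in exposed or "cdrom" in exposed:
            findings[host] = exposed
    return findings


def read_local_policy():
    """Read the machine-wide value; None if absent or not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            return winreg.QueryValueEx(key, POLICY_VALUE)[0]
    except FileNotFoundError:
        return None


# Constructed inventory: hostnames and values are made up for this example.
SAMPLE_INVENTORY = {"lt-sales-01": 0x91, "lt-sales-02": 0xFF, "lt-exec-03": None}

if __name__ == "__main__":
    for host, exposed in audit_fleet(SAMPLE_INVENTORY).items():
        print(f"{host}: AutoRun still enabled for {', '.join(exposed)}")
```

A value of 0xFF disables AutoRun for every drive type; on a Windows host, `read_local_policy()` supplies the live value for `autorun_enabled_types`.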

Anyway, back to the context of full disk encryption: the best suggestion I have seen to safeguard your data, even if you have full disk encryption but the machine is "just locked", is to also implement encrypted folders or volumes for data protection. The problem is, this involves a lot of user training and a nice support structure (a functioning one) in case something goes wrong. However, if you have travelers with highly sensitive data, it might be worth the hassle since the risk is quite high.
I mean, come on, would you refuse to play someone's presentation after the poor guy’s laptop failed miserably and the poor guy is blushing and totally embarrassed..?
