Encryption for Laptops

Posted by Eric Jacksch on Nov 24, 2008 in Business, Security | 8 comments

Having your laptop stolen can ruin your whole week. Hopefully, by now, you’re backing it up regularly and you know that there’s software available that can dramatically improve the odds of getting your computer back. But perhaps the creepiest aspect of having your laptop stolen is that someone might be going through the information you have on it: Email, contact lists, web browsing history, passwords, financial information, family photos and, if you use the computer for work, potentially sensitive business information.

Just imagine a drug addict (they steal computers and sell them to buy – you guessed it – more drugs), a competitor (they’d like to know what you’re up to) or a nosy, unethical employee where you work (70 per cent of thefts are committed by insiders) sitting there looking at everything on your notebook, including some things that even have been deleted.

And then there are overzealous governments, criminals, and other prying eyes who might enjoy rifling through your notebook hard drive or even copying every bit on the hard drive for a detailed forensic analysis when you’re not around.

If none of that would bother you, no need to read further. But, for the rest of you…

There are a lot of different encryption products available to protect data on your laptop. But, sadly, many of them dive quickly into technical details and scare most people off. So, while I’d be happy to answer your technical or security questions , I’m going to avoid all that and just tell you what you need: Full disk encryption software or FDE, for short.

Once installed, FDE software protects your entire hard drive and is very simple to use: You turn on your computer, type in your passphrase, and then the computer boots as usual. Some people confuse their computer’s BIOS password with FDE. but the two are quite different. BIOS passwords can be easily bypassed but, if you forget your FDE passphrase, the same mechanism that stops an intruder from getting your data will apply to you. If you’re using a corporate FDE solution, your company will almost always have a system that allows them to recover your passphrase or decrypt your hard drive. If you’re using a stand-alone solution, make sure you understand the recovery options availible. For example, many products will allow you to create a recovery disk to keep somewhere safe in case you forget your passphrase.

There are several good products on the market, including SecureDoc from WinMagic, Check Point Full Disk Encryption (formerly Pointsec), McAfee Endpoint Encryption (formerly SafeBoot), DriveCrypt, from SecurStar, and TrueCrypt.

The WinMagic, Check Point, and McAfee products cater primarily to corporate and government clients. These products emphasize enterprise management of encrypted drives and are generally too complex and expensive for individual users.

DriveCrypt is available as an online purchase from Germany, and TrueCrypt is a free, relatively easy-to-use open source product with a huge following. Both offer some interesting features, including the ability to hide one operating system inside another. While there are some catches, the feature is intended for situations where one may be (or feel) compelled to disclose their FDE passphrase. Without going into technical details, it basically gives the user two passphrases. One provides access to their “real” system, while the other provides access to a decoy.

While each of the products has its strong points, TrueCrypt is hard to beat for individual users. I’ve tested it on several laptops with great success. Corporations, of course, should compare the commercial products so that they can retain control of their encrypted information and assist users should they forget their passphrase. When purchasing a new notebook, both individuals and businesses should also consider a “self encrypting hard drive” if offered by the manufacturer. (More on hard drives with built-in cryptography in another article.)

No matter which product you choose, there are three very important things to remember:

• Pre-boot authentication is a MUST. In other words, if you can turn on your computer and it boots into Windows (or whatever operating system you are running), your data is not protected.
• You must choose a complex (i.e. difficult-to-guess) passphrase and it must not be written on your computer, in your laptop case, or anywhere else someone is likely to find it. The best passphrases are created by creating a phrase that is easy for you to remember and difficult for others to guess. For example “elephantseatbreakfastB4readingtheTLP” would be very difficult to someone to break. Chances are you’ll only be typing it once or twice a day, so make it long!
• Take the time to understand the recovery capability your product provides. If it offers to create a recovery disk, do so and store it safely. Never store it with your computer!

Protecting your data in the event that your laptop is stolen is easy and, in the case of TrueCrypt, it’s also free. Speaking of free, I also should mention that some of the easiest ways of preventing laptop theft are free: Don’t leave it unattended in hotels, airports or meeting rooms — even for a few minutes — and make sure it is not visible if you leave it in your car.

Get your stolen computer back

Posted by Eric Jacksch on Nov 17, 2008 in Business, Products, Security | 0 comments

Last week, I wrote about the importance of backups in preventing data disasters but that’s only one of the things I worry about. Even if you can recover your data from a recent backup, a few questions remain: Who has your data, what can you do about it, and can you get your computer back?

A few weeks ago, at GTEC, I met up with Stephen Midgley, Senior Director of Marketing for Absolute Software, a successful Vancouver-based company that specializes in laptop recovery and asset control.

Absolute Software’s consumer product, Computrace LoJack, installs on your notebook. About once a day, when connected to the Internet, it transmits a message to Absolute Software. If your computer is stolen, you contact the police, get a report number, and then call Absolute Software. They flag the notebook as stolen in their system. Next time it checks in, they not only know the IP address of the notebook at the time of the check-in, but they also send it an instruction that will cause it to begin reporting in every 15 minutes. Absolute Software then works with the police to help recover your notebook.

I had certainly heard about the product but I must admit that, before meeting Stephen, I didn’t understand why people would buy it. I figured that the thief would simply format the hard drive or install a fresh operating system and that would be the end of it. However, I was wrong: Absolute Software has worked with a number of leading notebook vendors, including IBM, DELL, HP, Toshiba and Acer, to embed an agent right into the BIOS. Assuming your notebook is supported, once you install the software, it activates the agent in the BIOS and even formatting your hard drive will not stop the notebook from reporting in the next time it is connected to the Internet.

Computrace LoJack has some other interesting capabilities. For example, if you have sensitive information on your laptop (which really should be encrypted, but that’s another article), Absolute Software can initiate remote deletion of the information once the stolen notebook connects to the Internet and checks in. The company also has a suite of offerings for corporate use that, in addition to the consumer features, helps companies keep track of their notebook fleet. Since many larger companies lease their laptops, knowing where they are at the end of a lease can save them a lot of money.

According to Midgley, 70 per cent of laptops are stolen by insiders, and across the industry approximately 3 per cent of stolen laptops are recovered. In sharp contrast, with tracking software and the BIOS agent, Absolute software’s recovery rate is around 75 per cent. He also shared some great stories about how police have executed a search warrant to recover a stolen laptop and ended up finding a lot more.

Computrace LoJack is available online for just under $40/year, and that will be an issue for some users. However, when my laptop was stolen the insurance deductable was $500, and it’s hard to put a price on the opportunity to remotely delete sensitive data, recover the notebook, and hopefully put the thief in jail.

Next Monday, I’ll conclude this three-part series with how to protect your data from thieves, overzealous governments and other prying eyes.

Preventing data disasters

Posted by Eric Jacksch on Nov 10, 2008 in Business, Security | 0 comments

Imagine you’re at work and the phone rings. It’s your alarm company, your home has been burglarized. You arrive home and, among other possessions, your computer is gone. To make matters worse, so are your accounting files, several years worth of email, and every digital photo you have of your kids. If you’re lucky, your computer will just be sold for quick cash to support someone’s drug habbit. But if you’re unlucky, some scumbag will be rifling through the personal information on your hard drive.

Sadly, this isn’t just imagination. Computers, especially laptops, are easily stolen and face other threats like being dropped or accidentally left in a taxi. Of course it could all be much less dramatic: Your hard drive could just fail causing you to loose everything on it. The good news it that protecting your data is easier today than ever before.

There are several ways to protect your data. For example, I burn my original digital images to DVD and store them separately from my computer. External USB hard drives are also large and inexpensive, last I looked you could pick up a 250 GB drive at Costco for around $100. The more technically inclined can also purchase a Network Accessible Storage (NAS) device and backup across your network. All of these options protect against hard drive failures, and they might protect you against theft if you hide them or store them off-site. But the problem with these methods is that most people don’t automate them and they forget. And with DVD or USB drive backups, automating it requires that you leave the media connected, where it is likely to be stolen along with the computer.

Fortunately there’s a better option for most home users: Internet backup services. A few years ago when I looked at some of the services they were too expensive and complex to recommend. But times have changed, and services like Carbonite have become cheapn ($50/year for unlimited backup space) and very easy. Carbonite integrates into Windows so that you can simply right-click on files and folders to set whether they should be backed up. I configured the product to automatically back up my desktop and documents and worked great. The reason I’m starting to recommend these types of services is that they are simple and automatic. Once configured, Carbonite automatically backs up files in the background as they change. The first backup may take a while, even a few days, but then it only uploads changes. From a security perspective, the product offers advanced users the ability to maintain their own cryptographic keys. If you choose this option nobody at Carbonite will have access to your files, but if you loose your key neither will you.

For more advanced users, or those who want more control over the backup process, another great product is Jungle Disk. Jungle Disk leverages Amazon’s S3 storage product. In fact, you open your own account with Amazon, pay $20 for Jungle Disk (you can try it for free for 30 days), and within minutes you’re able to back up data to Amazon’s ultra-reliable storage service for $0.15 per GB per month (storage) plus $0.10 per GIG for data transfers and a few other small fees. Put in perspective, tranfering one GB of data to S3 and storing it for a month will cost you about thirty cents. Jungle Disk’s backup capability is more traditional, meaning that you define and schedule back-up jobs within the application. If your computer isn’t turned on (such as if often the case with a laptop), you’ll probably need to remember to run it manually, and for that reason Carbonite is probably a better bet for most laptop users. However, Jungle Disk also allows you to create a storage container (called a “bucket”) on S3 and map it to a drive on one or more of your computers. You can use the drive like you would a local drive, and uploads to S3 occur in the background. Advanced users can use this functionality with their existing backup software or even manually transfer files to it.

Jungle Disk communites with the Amazon S3 service using HTTPS, so it will work from almost anywhere. It also supports optional encryption using 256-bit AES. Enabling this option and typing in a passphrase allows you to have all files encrypted prior to being transfered to S3, giving you a second layer of security.

Next week I’ll have a look at how having the right software on your computer can help you get it, and maybe even your other stuff, back if it is stolen.

Facebook safely

Posted by Eric Jacksch on Nov 3, 2008 in Privacy, Security, Social Media | 0 comments

Facebook (along with other social networking sites) has been around for a few years, and a lot has been written about the security issues involved. Googling “facebook security” yields about 20,500 hits. But what do users really need to know?

Information about Facebook users can be broken down into several categories:

• Personal information: Facebook allows users to enter personal information such as their date of birth, home town, relationship status, sexual orientation, religious views, email address, telephone number, educational background, and employer.
• Friends: The point of social networking is to connect with “friends”. Facebook users send requests to add friends, and if the potential friend agrees, they are connected on facebook. Any user who can view either of the “friends” profiles can see that they are connected. Some people allow anyone to see who their “friends” are, so social networks can be mapped.
• Photos: Facebook users can upload photos and tag people in them. For example, if a friend uploads a photo that you are in, they can tag you in the photo. Another user viewing the photo can see your name associated with the photo.
• Facebook Applications: Facebook applications allow users to post information on their profile, other user’s profiles, etc. Whether other users can see the information depends on your privacy settings (more on that later).
• Third Party Applications: Facebook and third party applications that you enable have access to information in your profile. While there are some privacy restrictions in place, you should assume that all your personal information is available to any application you add.

So how do you stay safe on Facebook? The various applications and privacy settings may be overwhelming, but the answer is simple:

1. Don’t enter unnecessary personal information into Facebook in the first place. While they require that you provide your date of birth (although they have no way to verify that you are providing correct information), virtually all the other personal information is optional. If you wouldn’t be comfortable answering the same question posed by a stranger or at a job interview, don’t type it into Facebook.
2. Do not supply information about your school or employer. While you might not consider your employment details particularly sensitive, doing so may give your employer a legitimate reason to object to what you have written since it may reflect on them. Unless you use Facebook for business purposes, keep your employer out of it.
3. Configure all privacy settings for your profile (Settings > Privacy Settings > Profile) to ‘Only Friends’. This makes it more difficult for people who don’t know you to obtain personal information about you. You can always change this later if there is specific information you wish to share with a wider audience.
4. Don’t blindly accept friend requests. Identity thieves and unscrupulous marketers may send large numbers of friend requests. If you’re not comfortable simply ignoring requests from people you don’t recognize, you can always send them a message back politely asking, “Can you remind me where I know you from?” Just remember that sending someone a message on Facebook gives them access to some information in your profile.
5. Think before you post. As a general rule, don’t post anything on Facebook that you wouldn’t want posted on the Internet. You may think that only your ‘friends’ can read it, and today you might be right. However, your words may hang around Facebook for a long time. Also, you have no way to prevent a ‘friend’ from copying, printing or creating a .pdf and sharing it with others.

Facebook is a great way to keep in touch with friends. By following a few basic rules and considering the potential consequences before giving Facebook information you can keep it safe.