Security for those who know they can't win the security war

In a post-Snowden world most IT people are painfully aware that most of us would not win a fight against a well-funded organisation, or government, that wants the data on your network, laptop or device. When someone is targeted by such an entity, they won’t go for the ever-popular “spooks” style secret bugging or custom zero- …

  1. Joe Harrison

    I'm tired already just reading it

    "The bottom line? The measures you take should mirror the sensitivity of the files you want to protect."

    This is fantastic advice, unfortunately the rest of the article sounds more like "go to enormous lengths to protect everything 100%".

    I don't think I could realistically operate such an intense regime on my ordinary daily stuff. No good having a secure backup if you can't remember the 30-character password allowing you to mount your TrueCrypt volume so you can enter your other 30-character password etc.

    1. Charles 9

      Re: I'm tired already just reading it

      Indeed. What kind of security precautions are advisable for people with sensitive files to keep but horrible memories, such that even "CorrectHorseBatteryStaple" is too hard to remember (Was that "HorseBatteryCorrectStaple" or was it "DonkeyWrongPilePin")?

      1. GrumpenKraut

        Re: I'm tired already just reading it

        > horrible memories...

        There are many ways, just one example. Take a book with you, password is, say, the fifth sentence on page 55.

        1. Charles 9

          Re: I'm tired already just reading it

          ...Or was it the 12th sentence on page 97? Oh wait, that's an illustration! Was it the caption on that page? Wait, where's the book?!

          THAT's the level of horrible I'm talking about. About the only way many of these types of people survive is by muscle memory, but here even that gets tangled up with all the websites one visits regularly. Plus, in the case of the password safe, the computer may be shared.

          1. Buzzword

            Re: I'm tired already just reading it

            Even muscle memory doesn't work across both computer keyboards and phone or tablet touchscreens. The muscles in use are just too different.

          2. This post has been deleted by its author

    2. GrumpenKraut

      Re: I'm tired already just reading it

      Imagine Jane/Joe Random user would do the bare minimum of the things suggested. Far fewer of those dreaded "could you fix my computer?" requests would most of us receive! I'd appreciate that a LOT.

    3. Ben Tasker

      Re: I'm tired already just reading it

      "No good having a secure backup if you can't remember the 30-character password allowing you to mount your Truecrypt volume so you can enter your other 30-character password etc."

      Agreed, particularly

      "Make sure that the encryption phrase used is strong and lengthy. I typically run to thirty characters including the whole range of non-alphanumeric ones."

      I don't disagree that password strength is important, but it can also be extremely counter-productive.

      In a previous job, unencrypted laptops being returned from abroad had to be escorted to ensure foreign eyes couldn't peruse any data that might be on there. Encrypted laptops could be sent unescorted (the particular encryption software/mechanism was mandated etc).

      The reset procedure for a laptop that had been locked out by too many (>3 IIRC) tries of the decryption passphrase was to return it to base, a real PITA for everyone involved - especially if the user's posting was in the back-end of nowhere.

      So, encrypted laptops started turning up, unescorted, with the encryption key written on a sticker just above the keyboard. In other words, for anyone laying hands on the kit, they effectively weren't encrypted and should have been escorted. Those stickers had, of course, materialised because the boys on the ground were fed up of having to return the laptop to the UK so regularly.

      Had the decryption phrase been a bit more memorable, those stickers wouldn't have been needed, and the security - whilst technically weaker than with the longer phrase - would have been more robust.

      So, personally, when dealing with real-world users, having an immemorable 30-char decryption phrase represents a weakening of security because the requirements it imposes on the user almost guarantee they'll find an insecure way to work around it.

      1. Robert Helpmann??
        Childcatcher

        Re: I'm tired already just reading it

        "This is fantastic advice, unfortunately the rest of the article sounds more like "go to enormous lengths to protect everything 100%"."

        I hate to criticize writing style as I do not want to come across as making an ad hominem attack, but it is pertinent here. This entire article amounts to a collection of personal anecdotes. For example, "Lesson well and truly learned: most laptops that are stolen are by opportunistic thieves." A single sample study? The article purports to address personal security practices aimed toward protecting personal data both from unauthorized access and from accidental loss. I am not entirely sure if this was the case, which is where the writing style issue comes in for me.

        Rather than continue in this vein, perhaps it would be instructive to point out a few things. First, what we are discussing here is personal security, not corporate. This implies both a comparative lack of resources, as the author rightly pointed out, and a greater need to customize the solution to the needs of the person. For example, the point about encryption of everything is rendered moot if you consider that one of the devices someone might have is a home media server. Perhaps placing it behind a firewall and setting up a cloud backup schedule for updated files only might be appropriate. Or simple offsite storage of a copy of the drives to be updated monthly would be more cost and time effective given that cloud storage might become prohibitively expensive as the library grows. What would encryption bring to the party here?

        This brings up the issue that security beyond the endpoint was hardly addressed. A typical household that has internet connectivity probably has a phone per resident and perhaps a similar number of desktops, laptops, tablets or similar. It increasingly has other devices that connect to the internet. If you have a new TV or recording device or BR player or... the list goes on... you should at least understand how they work and how someone else might take advantage of them. You should take some basic precautions with your home router, perhaps setting up a separate network with your own kit and your own firewall. Put simply, the data on your devices is not the only thing you should be concerned with; there is plenty of sensitive data that can be pulled from your devices beyond your Word and Excel files.

        Also lacking was how to act when outside the home. Should you connect to your hotel's wifi? If so, what kind of info should you trust to flow across their network? OK, trick question there, but the point is that it is not all about equipment. It is arguably more about behavior than anything else. Social engineering has probably compromised more data than attacks that do not make use of it. I would argue that a mandatory course in good online behavior and online risks would do more to ensure personal security than setting up encryption for all the drives in the world.

        Personal security should be tailored to the individual's needs and situation, it does not stop with their files and one or two of their devices, it varies depending on situation and location, and good behavior is more important than everything else.

        1. Michael Wojcik Silver badge

          Re: I'm tired already just reading it

          "for example, "Lesson well and truly learned: most laptops that are stolen are by opportunistic thieves." A single sample study?"

          Agreed. What it should have said is "In the studied sample (N=1), a majority (1.0) appear to have been stolen by opportunistic thieves (p < 0.5)."

          Of course, even then the methodology is bogus. The anecdote, unless I've misread is: Laptop goes missing. Laptop tracking software later reveals it to be probably in London (assuming the user isn't employing a VPN or other mechanism that confuses IP geolocation). User's activities (including installing something called "MattLab", which I suppose is like MATLAB but for simulating people named Matthew rather than performing numerical computation) suggest the user is a student. From that we leap to the conclusion that the laptop was "stolen by [an] opportunistic [thief]" - which doesn't appear to be any better supported by the evidence than, say, that it was deliberately stolen, scanned offline for corporate secrets, and then sold to a student.

          The article's a collection of anecdote and idle musing. It's not terrible but it doesn't have much substance.
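Ben Tasker's trade-off above (a passphrase too long to remember ends up on a sticker, while a lockout after a few wrong tries already bounds online guessing) can be put in numbers. The following is an added example, not code from the article or from any commenter: the word list is a constructed sample, the 7776-entry list size is the standard Diceware size, and the attacker guess rates used in the demo are assumptions chosen to show what a slow key-derivation function buys a shorter, memorable passphrase.

```python
import math
import secrets
import string

# Constructed sample list so the demo runs stand-alone. A real Diceware list has
# 7776 entries (6^5); every calculation below takes the list size as a parameter,
# so substitute the real list and its length for actual use.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "donkey", "wrong", "pile", "pin",
    "anchor", "basket", "candle", "dragon", "ember", "forest", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "needle", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "tunnel", "velvet", "walnut",
]
DICEWARE_LIST_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SECONDS_PER_YEAR = 365.25 * 86400


def passphrase_entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of n words drawn uniformly, with replacement, from a list of list_size words."""
    return n_words * math.log2(list_size)


def random_string_entropy_bits(n_chars, alphabet_size=len(PRINTABLE)):
    """Entropy of n characters drawn uniformly from an alphabet (the article's 30-char recommendation)."""
    return n_chars * math.log2(alphabet_size)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest word count that reaches target_bits from the given list."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words, wordlist=SAMPLE_WORDS, sep=" "):
    """Uniformly random passphrase (secrets, not random, because this is a secret) and its entropy."""
    phrase = sep.join(secrets.choice(wordlist) for _ in range(n_words))
    return phrase, passphrase_entropy_bits(n_words, len(wordlist))


def generate_random_string(n_chars):
    """The 'thirty characters including non-alphanumerics' alternative, for comparison."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(n_chars))


def online_guess_success_probability(bits, attempts):
    """Chance that an attacker limited to `attempts` tries (e.g. a pre-boot lockout after 3) gets in."""
    return min(1.0, attempts / 2.0 ** bits)


def offline_attack_years(bits, guesses_per_second):
    """Expected time to find a uniformly random secret when the attacker holds the disk image and is
    limited only by how fast the KDF lets guesses be tested (half the keyspace on average)."""
    return 2.0 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Assumed attacker speeds: raw hash with no KDF vs. a deliberately slow KDF on GPU farm hardware.
    FAST, SLOW = 1e9, 1e4
    print("30 random printable chars:", round(random_string_entropy_bits(30), 1), "bits")
    for n in (4, 6, 8):
        bits = passphrase_entropy_bits(n)
        print(f"{n} Diceware words: {bits:.1f} bits, "
              f"{offline_attack_years(bits, FAST):.2g} years at 1e9/s, "
              f"{offline_attack_years(bits, SLOW):.2g} years at 1e4/s, "
              f"lockout-bounded success {online_guess_success_probability(bits, 3):.1e}")
    print("words for 80 bits:", words_needed(80), "; for 128 bits:", words_needed(128))
    print(generate_passphrase(6)[0], "|", generate_random_string(30))
```

The practical reading: with a three-try lockout the online attack is hopeless at any of these sizes, so the passphrase only has to survive an offline attack on the disk image, and a six-word phrase behind a slow KDF already does that for longer than anyone will care about. The thirty-character string buys a much larger number that the user never benefits from if it ends up on a sticker.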

  2. GrumpenKraut
    Happy

    Fine article.

    I use a proper subset of the suggested things. What never ceases to amaze me is how few people do any form of backup on external disks (these are cheap!). IMO the mentioned "offline weekly backup" is a must for data of any importance.

    1. mythicalduck

      Re: Fine article.

      Not really, if you consider having to remember each time to dig out the drive, connect it, wait for it to mount, run your backup, then disconnect it and put it away again.

      If you leave it "external" but connected, you're no better off than without (from a security/malware PoV; it'll help with disk failure though)

      1. Anonymous Coward
        Anonymous Coward

        Re: Fine article.

        "Not really, if you consider having each time to remember to dig out the drive, connect it, wait for it to mount, run your backup, then disconnect it and put it away again."

        Really? When I travel, I use a 2.5" SSD in a USB3 connected case. It has been set up encrypted on the Mac, but as the Mac has that key in its keychain that crypto is transparent to it (backup key in a safe). When I connect, Carbon Copy Cloner spots the drive as part of a failed backup and starts, with a backup process that usually takes somewhere in the region of 5 minutes. Once a week it does a full bore file checksum comparison on anything that's on the disk vs. the source (just in case there's any corruption), and yes, that takes an hour so it requires some planning.

        Now, that is my bare metal backup - I can boot and run the machine from that drive. In addition it runs Time Machine, which continues to back up on the hard disk if it cannot see the drive connected. This is wholly automatic, including spooling the local backup to storage once it is in range again of the drive.

        I've had my rear end saved a few times through a backup, which is why I run two separate ones, but I also know it's a pain to do, which is why I automated to a point where I can give this to anyone and not be worried they fail to back up. I leave Carbon Copy Cloner to whinge on screen if a backup has been missed, and especially the fact that it's so easy to do and takes little time seems to encourage even the most inept user to do the right thing.

        The CCC backup also mounts and unmounts the drive, so the system doesn't see it normally.

        On Windows it's a bit more involved, but here I found Acronis True Home to be helpful. It's easy, and combines bare metal recovery with the ability to recover an individual file. However, I must admit that I don't know how strong their backup encryption is. The real sensitive stuff lives in a TrueCrypt container although I'm looking at full disk crypto. The problem with full disk crypto is that it doesn't work unless the OS is fully powered down (Apple's FileVault has the same issue) and that's hard to teach to a non-tech.

      2. GrumpenKraut

        Re: Fine article.

        > Not really, if you consider having each time to ...

        I'd lose more than 20 years of work if I lost my data, so in my case I do these steps (and a couple more) every single day. Once lost about 18 months of work even though the setup seemed near perfect, NOT nice!

        > ...it'll help with disk failure though...

        I have seen too many external disks dead (especially in warm climate) to even consider this an option.

    2. This post has been deleted by its author

      1. GrumpenKraut
        Boffin

        Re: Fine article.

        Agree with what you are saying.

        > ...or waiting 25 minutes ...

        That's either a big backup or someone who has not heard of rsync.

        Seen twice in the last few years: extensive portions of the PhD (oh, yes) being lost because respectively laptop fell from table/was stolen. Fell from table version was "fixed" using 3000 Euros for data recovery. Stolen stubbornly kept being stolen.

        Number of master's/bachelor's theses lost in similar ways: I stopped counting.

        Considering how many people don't even wise up _after_ mentioned events makes me think of rusty spoons and eyeballs.

        Rocket science icon, because it is not.

      2. DropBear
        Devil

        Re: Fine article.

        "Also interesting is the fact that few people seem to care about encrypting their backups, including people who use full disk encryption on the live machine."

        It's quite fun to watch the panic setting in when someone needing to restore a perfectly good (but encrypted) backup realises they have no idea what the passphrase is, considering they never once had to use it again since they first started doing backups*. Unless the poor bloke having said problem happens to be you, natch.

        * I know of at least one backup software that never asks you for the passphrase when _creating_ backups - I suppose it's possible it would also _restore_ without it (never had to try), but that won't help when all you're left with is the encrypted archive and a generic de-archiver software politely enquiring about the passphrase it should use to access it.
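The backup discussion above (weekly offline copies, the hour-long checksum comparison, rsync, the untested encrypted archive) is all about one question: does the copy actually match the source, and would you know? The following is an added example, not code from the article or from any commenter. It builds a SHA-256 manifest of a source tree and a backup tree and reports what a restore would lose, what has silently diverged, and what only the backup still has. The file names and contents in demo() are constructed; the manifest line format is chosen so that sha256sum -c can verify it independently.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large media files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256; symlinks are skipped."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def manifest_lines(manifest):
    """Lines in the '<hex>  <path>' format that `sha256sum -c` accepts, for an out-of-band check."""
    return [f"{digest}  {rel}" for rel, digest in sorted(manifest.items())]


def compare_manifests(source, backup):
    """missing: on source only (a restore loses it). changed: present in both with different content
    (bit rot or an un-synced edit). extra: on backup only (stale). ok means a restore is complete."""
    missing = sorted(k for k in source if k not in backup)
    changed = sorted(k for k in source if k in backup and source[k] != backup[k])
    extra = sorted(k for k in backup if k not in source)
    return {"missing": missing, "changed": changed, "extra": extra, "ok": not (missing or changed)}


def demo():
    """Constructed source and backup trees: one un-backed-up file, one corrupted copy, one stale file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "backup"
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "thesis.txt").write_text("chapter 1\n")
        (src / "photo.jpg").write_bytes(b"\xff\xd8\xff" + bytes(100))
        shutil.copytree(src, dst)
        # Bit rot on the backup disk: one byte flipped, same size, so a size-only sync would not notice.
        (dst / "photo.jpg").write_bytes(b"\xff\xd8\xff" + bytes(99) + b"\x01")
        # Work done since the last backup run.
        (src / "notes" / "chapter2.txt").write_text("chapter 2\n")
        # Leftover from an earlier layout, present only on the backup.
        (dst / "old.tmp").write_text("stale\n")
        return compare_manifests(build_manifest(src), build_manifest(dst))


if __name__ == "__main__":
    result = demo()
    for kind in ("missing", "changed", "extra"):
        for rel in result[kind]:
            print(f"{kind:8s} {rel}")
    print("backup verified" if result["ok"] else "backup does NOT match source")
```

A full hash comparison is the expensive weekly pass the Carbon Copy Cloner user describes; a size-and-mtime comparison (what rsync does by default) is the cheap daily one and would have missed the corrupted photo here. Keeping the manifest lines somewhere other than the backup disk itself is what lets you tell a damaged copy from a damaged original.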

  3. Wensleydale Cheese
    Unhappy

    I take it you use a US or UK keyboard...

    "Make sure that the encryption phrase used is strong and lengthy. I typically run to thirty characters including the whole range of non-alphanumeric ones."

    Good luck with that if you use a non-US keyboard and Windows 8.1.

    Yes, I'm looking at you BitLocker. It assumes a US keyboard.

  4. Anonymous Coward
    Anonymous Coward

    Echoing points made above, I'm far more worried about ME losing my data than someone else accessing it.

    So Yes for regular backups, but all that TrueCrypt and disk encryption stuff? Not so much.

    Sorry if that makes me a bad person.

    1. GrumpenKraut

      > ...but all that TrueCrypt and disk ...

      That is certainly addressed to people who carry any sort of confidential/secret information on their devices. I have neither on my system so no encryption here either.

      One thing I have witnessed for people who travel (IMO a good idea): only take a pristine system, no data on it, have your data on some encrypted server. Slurp data when needed. Do not forget to remove data (actual removal, not just unlink) before crossing the border again.

      1. Anonymous Coward
        Anonymous Coward

        And if your destination has inconsistent data access and/or tight data caps? Happened once for me so was forced into TC volumes.

  5. Electron Shepherd

    Remote Access Only?

    The other approach is simply to not store any sensitive information on the device itself. All data is stored on the company's servers and accessed via VPN / RDP to a suitable terminal server. That way, if you lose the hardware, that's all you've lost.

    The downside is that you need connectivity to do any useful work, but since for the vast majority of laptops, the "offsite" work is actually "at home", where there's low-cost connectivity, that usually isn't an issue.

    For the road-warrior salesman it might be more of a problem, but if you consider how much information someone *needs* to take off-site, rather than how much is *convenient* to take off site, quite often it's surprisingly little.

  6. This post has been deleted by its author

  7. ragnar

    "Most modern devices and operating systems come with the option to enable inbuilt FDE."

    Apart from Windows 8 Home, for which TrueCrypt cannot do full disk encryption when it's been set up with GPT partitions. Microsoft will gladly let you upgrade to the Pro version for £100 though to use BitLocker. :headshot:

  8. Stevie

    Bah!

    "passwords". Feh. The weak link in the entire house of cards that is IT.

    The future lies in the past: the PID.

  9. Anonymous Coward
    Anonymous Coward

    I just have 4 physically separate machines at my desk and a hardware KVM solution, but used as a KM switch only. I only use the secure machine, with its encrypted drives and special regimes, for certain tasks; machine 2 for general web browsing and eBay etc.; 3 for VPN and research stuff; and 4 for email only.

    I use a smattering of virtual machines too for when something demands a certain OS or variant.

    What's really paranoid is that I use a mix of hardware architectures too: Intel, PPC and ARM...

  10. T. F. M. Reader

    Missed a statistics lesson?

    Lesson well and truly learned: most laptops that are stolen are by opportunistic thieves.

    If I understood the article correctly, that conclusion is based on a sample of 1, right?

  11. ardichoke

    TrueCrypt? Really? It's been discontinued for undisclosed reasons under mysterious circumstances. Last I checked, the leading hypothesis was that it was a warrant canary type move. I wouldn't trust any data to TrueCrypt at this point...

    +1 for SpiderOak though, love that service.

    1. diodesign (Written by Reg staff) Silver badge

      Re: TrueCrypt

      "I wouldn't trust any data to TrueCrypt at this point"

      An independent audit of the latest source code showed it was clean (see Register passim). That's probably why it closed - the team didn't want to back door it.

      C.

      1. Charles 9

        Re: TrueCrypt

        Plus it's been forked into products like VeraCrypt that keep maintaining the code while adding some useful things like more robust encryption practices.

  12. Sir Runcible Spoon
    Paris Hilton

    That 2 year sentence thing for not giving up your password

    Is there a time limit?

    I mean, if you set your system up to require itself to be unlocked within a 30 day period or the keys get wiped, couldn't you just wait the 30 days then hand over the password?

    1. Anonymous Coward
      Anonymous Coward

      Re: That 2 year sentence thing for not giving up your password

      AFAIK, no there's no time limit. And forget about the self-destruct sequence. First, they can image the system and time-machine it to make sure time bombs don't go off. Furthermore, if the evidence actually does get destroyed, that's a separate charge right there (destruction of evidence).

      1. Sir Runcible Spoon

        Re: That 2 year sentence thing for not giving up your password

        But is the private key actual evidence? I'm not talking about wiping the encrypted data, just removing the ability to decrypt it.

        Some form of HSM that only works if unlocked within a specific time frame for example?

        1. Anonymous Coward
          Anonymous Coward

          Re: That 2 year sentence thing for not giving up your password

          The way I read that is providing "bank-grade" time lock functionality. I can even see the utility in such as Veracrypt. Now who gets to make the bell for the cat?

        2. Charles 9

          Re: That 2 year sentence thing for not giving up your password

          "But is the private key actual evidence? I'm not talking about wiping the encrypted data, just removing the ability to decrypt it."

          IIRC, enablers, like keys to a locked safe, DO count as evidence since they count as leads much like a witness testimony can provide a lead to other evidence. Destroying the lead denies access to the other evidence, so the charge is usually destruction of evidence.

          "Some form of HSM that only works if unlocked within a specific time frame for example?"

          Like I said, plods are savvy to time bombs so will image the entire system and keep them in a system where the time stays within a narrow range of the point of confiscation.

  13. Nila

    Lead Separate Lives

    One of these lives has a future, the other does not... Which one - it's up to you...
