securing a laptop in case of theft?

Discussion in 'other security issues & news' started by silverfox99, Jul 14, 2006.

Thread Status:
Not open for further replies.
  1. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Another option for backing up is to use Mozy (www.mozy.com). It does online backup and gives you the option of using your own encryption key (passphrase). Two GB for free, more for relatively cheap. I use it and am quite happy, although I use a network backup to copy everything to one machine first, then back that all up with Mozy. It's beta but stable, glitches have been purely graphical (not animating correctly type of thing).

    I've not used full disk encryption, but one thing that I've heard is that it can have a performance impact that can be noticeable, so it's another reason to give it a test run before deciding.

    Another idea to throw out there is USB keys with biometric authentication. There's some for pretty cheap, although I like the Sony MicroVault the best (around $70-$90). These also usually come with encryption software, although you can use your own, of course. There are also external hard drives with fingerprint access, but if you keep the USB key on your keychain (or whatever), then it's likely not going to be in the same place as the laptop if the laptop gets lost. I also use the MicroVault with Dekart Logon for biometric authentication to the laptop, although I'm not done securing the rest (which makes this thread of interest to me, so thanks :) )
     
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I've just done a confirmation on this - no problem whatsoever.

    Clean XP Pro Original + NOD32 + DCPP --> SP1 --> SP2 = Sweet as pie :)

    Of course standard disclaimer applies - have current backups.... :D

    Cheers :)
     
    Last edited: Jul 21, 2006
  3. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you. Then we should confirm the compatibility of our backup image program with DCPP before we purchase DCPP. Backup is a critical element in a secure setup. Be a shame to have the backup or restore process fail because it wasn't compatible.

    Are you saying Ghost (which version?) can successfully backup and restore the OS partition and drive that is using DCPP if the Ghost image is not compressed?

    If you do any backup/restore tests with various imaging programs and DCPP, please let us know the results.
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks NOD32 user for looking into it.

    Then the statement made at mysecuredoc
    Does not apply to DCPP.


    This statement sounds like hype to me
    Cause viruses to spread between partitions and drives? :rolleyes:
    You will get the virus while you are logged into the OS on the encrypted drive!

    The product may be great, but I think they should concentrate on their own features, benefits, and bringing the product to market rather than making incorrect statements.
     
  5. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Interesting option.
    Are you able to backup and restore the OS partition, or is it mainly for data?


    I've been looking into this for some time now. It's a good idea because you could store your encryption keyfiles on it which would be protected by fingerprint. If thieves watch you type the password, steal the laptop, and UFD (USB Flash Drive) they still wouldn't get the data. I'm not concerned about gummy bears or lost finger digits. ;)

    From my limited research, the current wave of UFD fingerprint scanners appear somewhat fragile and prone to failure. Fortunately, most have password access in case the scanner fails. It would be a good idea to make backups of the UFD data and store in a safe place.

    They also don't seem to have the best FRR (false rejection rate) where you have to scan your finger multiple times to authenticate. On some you need to scan 2-5 times before they authenticate. Next time you buy something in person see if they use a fingerprint scanner and ask them how many times they have to scan before it accepts them. Many don't use it at all, they just bypass it with a password.

    Most of the Single Sign On software (similar to RoboForm) only support IE.
    So far this is the only one I found that supports Firefox: ClipBioPro
    It's pricey and I haven't tried it, but it is also compatible with USB 1.1 and USB 2.0.

    Here's something to look forward to: Fujitsu's PalmSecure
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Just for data, I still use disk imaging for the system partition.

    These are all the reasons I am happy with the Sony MicroVault :) It's got the big touch sensor (just press your thumb onto the square), rather than the thin swipe sensor (thin strip that you swipe your thumb/finger across). I have a cheapy one with a swipe sensor, and it's really hard to get it to work right, but the Sony works beautifully (works the first time nearly every time). The trick is that when you enter your fingerprints, put the whole thing down and pick it back up each time, that way you get slightly different angles each time (you have to register the same fingerprint multiple times). And yes, you then have extra storage on it, too, which makes it worth that much more. It also has the little case/adapter with a slide cover to protect the fingerprint sensor. It also happens to be the only USB key w/ fingerprint sensor that I know of that works with Dekart Logon, and it's cheaper than the dedicated fingerprint scanner only units. It's probably the best deal all the way around.. just look on froogle.com for deals.

    You can set Dekart to *only* log on with the key with biometric authentication, but I will want to get a backup one before doing that.. otherwise you know it'll break a week later, when I'm travelling or something.

    That looks interesting, although pricey, like you say. If you keep your browser profile encrypted, however, you could just use the built in password manager.

    Nice, that is interesting.. the only thing I wouldn't like about it is the size.. space here is at something of a premium, just USB cables are hard enough, although I suppose you could use a patch cable to keep it out on the desk. I'm really kind of surprised that there aren't more laptops (excuse me, notebooks) with biometric authentication built in. There are some, but they tend to be the more expensive ones.
     
  7. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks for the info Notok! :thumb:
     
  8. securityx

    securityx Registered Member

    Joined:
    Dec 1, 2005
    Posts:
    149
    As with all of this, a threat-assessment is in order to determine what kind of attack-model concerns you. A biometric fingerprint scan is only good in a high-threat model if it is used in a multi-authentication scheme. As a single encryption device, its major weakness is that you cannot "forget" your fingerprint, or even delay with a fingerprint - it's like holding the key to the safe in your hand. An intruder with physical access to you can simply force you to place your fingerprint on the device. No room for remembering, thinking, buying time, etc. You put your fingerprint on the device or else.

    Everyone, however, does not require security and encryption that is at high risk for physical intrusion. Again, threat-model means everything.

    ----securityx----
     
  9. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Just a little follow up from the weekend testing.

    In my test here, it is not possible to use Ghost 2003 in the normal way - starting a backup operation from within Windows then rebooting, although it was quite easy in my case to recover completely by using a DCPP bootauth floppy disk.

    I'm planning tonight (maybe tomorrow) to test the operation of Ghost 2003 from a boot disk instead to make a backup of the encrypted partition rather than operating inside the decryption mechanism.... Will let you know.

    Cheers :)
     
    Last edited: Jul 24, 2006
  10. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    All attempts so far to use Ghost 2003 on a DCPP encrypted volume have failed - I guess that doesn't mean it can't be done, but then how?

    Normal file based backups work perfectly though so I don't see how it would present any issue normally, but that's the result so far.

    Still, like at any other time, for backups it is well advised to prove the method for yourself before relying on it.

    Cheers :)
     
  11. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    NOD32 user,

    Thanks for testing it and telling us the results.
    I assume you used no compression in your Ghost 2003 tests?

    It seems that the issue of reliable encrypted drive image backups for FDE programs will need to be addressed in the future by all FDE providers.
    If one makes the effort to run an encrypted OS (with FDE) one would certainly want the backups to be encrypted as well (not just password protected).
     
  12. securityx

    securityx Registered Member

    Joined:
    Dec 1, 2005
    Posts:
    149
    I was told by Winmagic (MySecureDoc) that IFD (Image For Dos) will probably work fine with their FDE program. They had not tested it, but after looking at the tech specs for IFD from Terabyte's site, they felt pretty confident it would work. I wonder.......

    Just thought I would pass that along if someone has both programs.

    ----securityx----
     
  13. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I cloned the encrypted disk straight to another which then wouldn't boot, and then ran out of testing time.
    Later this week I will try another couple of variations.

    If you use file based backups then no problem - just put them into an encrypted container :D

    Cheers :)
     
  14. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you NOD32 user and securityx.

    It is a lot better to know what to expect with an FDE backup beforehand than to have a surprise when you actually need it.

    NOD32 user,

    Do you think DCPP would work with this: Image for DOS?
    They have a free trial.
     
  15. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Not sure but I did find this and this today in the SecurStar Knowledge base so I'm guessing this technique should work for more solutions than just those that have been mentioned.
    It makes more sense if you read 'Operating System' in place of 'SO'
    And sorry for the extra slow reply....

    Cheers :)
     
    Last edited: Sep 2, 2006
  16. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you NOD32 user for this helpful info.
    I have never heard of a more hair-brained backup plan than this! :D
    The ridiculous idea of having to use a third hard drive with an extra OS installed JUST to make a backup led me to look for some answers, which I found.
    For clarity I will refer to: Inside the DCPP encryption mechanism as DCPP drive mounted.
    Outside the DCPP encryption mechanism will be referred to as DCPP drive dismounted.

    A much better solution would be to make a Bart's PE Bootable CD/DVD with Ghost 9 with some of the above parameters. Probably the most important parameters are Disable Smart Sector, Ignore Bad sectors copy, and Copy MBR.
    This way you could boot from the CD with the DCPP drive dismounted and do the backup/restore.

    Ghost 9, Ghost 10, and Norton Save & Restore are all based off the PowerQuest's Drive Image and require Windows (and MS .NET) to be installed before you can backup.
    They backup the OS within Windows (so called Hot Imaging or on the fly imaging).
    So unless you boot from a BartPE CD (which is a stripped down version of Windows), you will NOT be able to backup the encrypted drive with these on the DCPP drive dismounted (which would make your backup image encrypted).

    Some notes:
    Ghost 9 includes Ghost 2003.
    Ghost 10 = Ghost 9 + Encryption (AES 128-bit, 192-bit, or 256-bit)
    Save & Restore = Ghost 10 + "File and Folder" backup (Ghost2003 NOT included).

    This means that Ghost 10 maybe will work with the DCPP drive mounted.
    Save & Restore (in drive imaging mode) also may work with DCPP drive mounted. They both can make an encrypted image backup. The backup would be encrypted by AES with the Norton product not DCPP.
    If for some reason the DCPP FDE became corrupted, you could restore from the encrypted backup. The restored image would be decrypted unless you restore within a newly created DCPP drive mounted.

    Would it be faster to restore the backup decrypted to the hard drive and then run DCPP to encrypt it, or make an empty FDE DCPP drive mounted and restore the backup within the DCPP drive mounted?

    Save & Restore also has the ability to backup just "Files and Folders" with the DCPP drive mounted.

    This statement doesn't inspire confidence that it works. :)
    ATI may work with DCPP drive dismounted using the Recovery CD. Using the Recovery CD would back up the DCPP drive dismounted in Sector-by-Sector(Raw) mode. ATI switches to Sector-by-Sector mode when it can not detect the file structure. The backup would be encrypted this way. I haven't tested this so I don't know for sure if it will work.

    ATI would also work in "Files and Folders" mode within the DCPP drive mounted by backing up to an encrypted destination like a TrueCrypt File Container, Dynamic Volume, or Partition.


    Probably the DCPP pre-boot environment does not like the way Ghost 2003 "drops down to DOS" (reboots). I think Ghost 2003 uses something like a temporary RAM disk to allow it to run from DOS without needing a floppy or CD.
    Based on your tests, Ghost 2003 will NOT work with the DCPP drive mounted.
    You either boot from the Hard Drive (DCPP mounted) or you boot from the floppy (DCPP dismounted).
    Note: Image for DOS also boots from a floppy, so it won't backup the DCPP drive mounted either.
    There is still hope for Ghost 2003 (and IFD) to backup the DCPP drive dismounted.
    Boot up with Ghost boot disk. The DCPP drive will be dismounted.
    Run Ghost.exe from the command line with some of these switches:

    You may need only one switch or a combination of switches.
    The only way to find out is if you test some more.


    There seem to be common threads concerning encrypted backups and encrypted partitions/drives regardless of the encryption program and backup program used.
    The encrypted partition has data randomly scattered all across it.
    Most image backup programs want to backup just the data rather than the entire partition as is.
    If you want to backup the encrypted partition dismounted, you will need to backup the entire partition (both the used space and the unused space).
    Different backup programs have different names for this mode of backup like Sector-by-Sector, Raw, Disable Smart Sector.
    On the positive side, this method of backup will mean that the backup is encrypted and there is no need to create another encrypted volume to hold the backups.
    On the negative side, the backups will be bloated and much slower because you also have to backup the unused areas of the partition in order to get all the encrypted data.
    If your partitions are large, each backup will take an enormous amount of time and space.

    The other way is to backup the encrypted partition mounted to an encrypted destination.
    This encrypted destination is just re-encrypting the data to another location.
    On the positive side, this method will mean the backup is encrypted and only the data being used is backed up, so backups will be fast, small, and secure.
    On the negative side, if the backup program doesn't offer encryption, you will need to create an encrypted volume to receive the backups. And that requires a little more setup.


    References:
    http://ghost.radified.com/
    Ghost 2003 help file
     
    Last edited: Sep 3, 2006
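
Added example, not part of the thread or of any product mentioned in it: a Python sketch of why a dismounted encrypted volume forces sector-by-sector imaging (no readable filesystem, incompressible data) and of how to prove a raw image against its source before relying on it. The boot-sector check is a simplified stand-in for what an imaging tool does, and both sample volumes are constructed (the "encrypted" one is a SHA-256 counter keystream, not DCPP output).

```python
import hashlib
import io
import zlib

SECTOR = 512

def detect_filesystem(boot: bytes):
    """Return the filesystem named by the boot sector, or None if unreadable."""
    if boot[3:11] == b"NTFS    ":   # NTFS OEM ID field
        return "NTFS"
    if boot[82:87] == b"FAT32":     # FAT32 filesystem-type string
        return "FAT32"
    return None

def imaging_mode(volume: bytes) -> str:
    """Used-sector imaging needs a readable filesystem; otherwise copy every sector."""
    return "used-sectors" if detect_filesystem(volume[:SECTOR]) else "sector-by-sector"

def compress_ratio(volume: bytes) -> float:
    """Compressed size / original size; close to 1.0 means compression gains nothing."""
    return len(zlib.compress(volume, 6)) / len(volume)

def first_mismatch_sector(src, img, chunk=64 * SECTOR):
    """Compare source and image streams; return first differing sector, or None."""
    offset = 0
    while True:
        a, b = src.read(chunk), img.read(chunk)
        if a != b:
            n = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y),
                     min(len(a), len(b)))  # no byte differs: one stream is shorter
            return (offset + n) // SECTOR
        if not a:
            return None
        offset += len(a)

def keystream(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    return b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(n // 32))

SIZE = 256 * 1024
# Constructed samples: a mostly empty NTFS-like volume and an encrypted look-alike.
PLAIN = (b"\xebR\x90NTFS    ".ljust(SECTOR, b"\0") + b"quarterly report\n" * 512).ljust(SIZE, b"\0")
ENCRYPTED = keystream(SIZE)

if __name__ == "__main__":
    for name, vol in (("mounted", PLAIN), ("dismounted", ENCRYPTED)):
        print(name, imaging_mode(vol), f"compress ratio {compress_ratio(vol):.2f}")
    damaged = bytearray(ENCRYPTED)
    damaged[70000] ^= 0xFF  # simulate one corrupted byte in the backup image
    print("good copy:", first_mismatch_sector(io.BytesIO(ENCRYPTED), io.BytesIO(ENCRYPTED)))
    print("damaged copy: sector", first_mismatch_sector(io.BytesIO(ENCRYPTED), io.BytesIO(damaged)))
```

On real hardware the two streams would be the source partition and the image file opened in binary mode from a boot environment with the encrypted drive dismounted.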