Secure Zone a Security Risk?

Discussion in 'Acronis True Image Product Line' started by TonyTech, Nov 8, 2006.

Thread Status:
Not open for further replies.
  1. TonyTech

    TonyTech Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    12
    A reason not to use secure zone is because you can't manage or wipe images that you create there and that is a potential security issue. Someone could restore a past image and get data that you thought was gone.
     
  2. jaycee

    jaycee Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    186
    You CAN manage secure zone.

    You have to change the "format" to regular FAT32, and there you go...

    You can also once in a while wipe it by undoing it, and again.

    Jaycee
     
  3. Xpilot

    Xpilot Registered Member

    Joined:
    May 14, 2005
    Posts:
    2,318
    In answer to TonyTech, the biggest security risk to a PC system is allowing physical or remote access to the computer in the first place. Why worry about someone having access to the secure zone if the whole of the computer set up is sitting there waiting to be read, copied or whatever? One can of course delete a secure zone and all its contents at any time at the whim of the user or anyone else with access.

    jaycee, can you explain further the point you are making? A secure zone is by design formatted in FAT 32 from its inception. So what exactly would you be changing and what difference would it make?


    Xpilot
     
  4. TheWeaz

    TheWeaz Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    1,562
    It's the type, not the file system, that needs to be changed.
     
  5. jaycee

    jaycee Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    186
    Sorry, too much beverage, it is effectively the type of partition, not the format that should be changed...
    This topic has been discussed in this forum.

    I think effectively people should start and think about security miles away from secure zone, start by physical access, then social engineering, and so on...

    Thanks for those who follow ;)

    Jaycee
     
  6. Tabvla

    Tabvla Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    649
    Location:
    London, England
    I know from previous posts that Xpilot has a setup in which he utilises the Secure Zone to good effect for his purpose - and that is OK for someone who is somewhat technical and understands exactly what they are doing.

    The most appropriate use of the Secure Zone is in a situation where the user has (for whatever reason) access to only 1 hard disk - typically a Laptop - where the source files and backup files reside on the same physical hard disk.

    In such an environment the Secure Zone is a good utility because in the event that the system won't boot the user may be able to restore the system via the Startup Recovery Manager and the Secure Zone. This is a relatively easy procedure which even a non-technical person should be able to achieve.

    For this situation I score Acronis an A+ for a clever solution to a difficult problem.

    However, in any situation, other than the one described above, I cannot think of any valid reason for incorporating the Secure Zone into a backup strategy.
     
  7. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Tabvla

    Exactly my position and TI 8 came to the rescue just the other day.


    Wholeheartedly agree :thumb:
     
  8. TonyTech

    TonyTech Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    12
    You CAN manage secure zone.

    How?


    You have to change the "format" to regular FAT32, and there you go...

    I think the SZ is FAT32 by default and the only way to have it? That doesn't help matters any though.


    You can also once in a while wipe it by undoing it, and again.

    You'd have to delete the SZ then wipe all the free space on the partition. Not typical end user stuff. For us techies OK, but still a pain. Also, what if there are images that one wants to keep but others one wants to wipe?
     
  9. TonyTech

    TonyTech Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    12
    Just deleting the SZ is not a secure operation. Sure, it would be difficult to retrieve old data from a drive in which the SZ was deleted, but hardly impossible (I couldn't do it, but I'm sure the CIA could!).
     
  10. TonyTech

    TonyTech Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    12
    Microsoft doesn't allow anyone but tier 1 OEMs to bundle configured-as-delivered OS images on removable media. They do allow a hard drive image though (useless if the drive fails, but at least a user can always get back to as-delivered state).
     
  11. foghorne

    foghorne Registered Member

    Joined:
    Sep 27, 2005
    Posts:
    1,389
    Location:
    Leeds, Great Britain
    I'd have to split hairs with you on the difference between a default factory installation and a backup. I personally see having the original installation available on a proprietary partition as distinct to a repository that a user would use to regularly backup data to.

    F.
     
  12. Tabvla

    Tabvla Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    649
    Location:
    London, England
    Am I missing something relevant here? I am uncertain how this relates to the discussion on the advisability, or not, of incorporating the Acronis Secure Zone functionality into a backup strategy.

    Laptop vendors in particular have incorporated the "hidden" partition concept to quickly restore a machine to a "factory state". If your machine goes to blue-screen heaven after say 2 years of use, who in their right mind (except a masochist!) would want to return their machine to its "factory fresh" condition?

    Microsoft does not have a problem with users creating a mirror image disk providing that the mirror disk is only used in the same machine as the source disk and that only the source OR the mirror are present at the same time.

    If you use ATI to deploy duplicate installations then you MUST use Sysprep or Microsoft will not provide support. See below....

    Having said that..... if we are going to continue this discussion we need a new thread because this is now far from the Title of this thread! :ouch:
     
  13. bodgy

    bodgy Registered Member

    Joined:
    Sep 22, 2005
    Posts:
    2,387
    Location:
    Qld.
    The SZ is FAT32; what needs to change to make it visible to Explorer, so that you can then run all your other disk cleaning utilities, is the partition type, exactly the same as in 'nix, where the swap file is actually a partition with a special type number (82, I think, been some time since I installed Solaris or Linux).

    Colin
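
Added example, not part of the original thread or any poster's code: the partition type versus file system distinction from post 13, as a short Python audit that parses an MBR and reports partitions whose contents are FAT32 but whose type ID keeps them out of Explorer. The disk image is constructed, and the type ID 0x7F is a placeholder, not the Secure Zone's real ID, which the thread does not give.

```python
import struct

SECTOR = 512
VISIBLE_FAT32 = (0x0B, 0x0C)  # type IDs Windows mounts as FAT32 (CHS / LBA)

def parse_mbr(disk):
    """Return (slot, type_id, start_lba, sector_count) for each used primary entry."""
    if disk[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    entries = []
    for slot in range(4):
        off = 446 + 16 * slot                      # partition table starts at byte 446
        type_id = disk[off + 4]                    # the "type" the thread refers to
        start, count = struct.unpack_from("<II", disk, off + 8)
        if type_id != 0 and count:
            entries.append((slot, type_id, start, count))
    return entries

def looks_like_fat32(disk, start_lba):
    """A FAT32 boot sector typically has 'FAT32   ' at offset 82 and ends in 55 AA."""
    bs = disk[start_lba * SECTOR:(start_lba + 1) * SECTOR]
    return len(bs) == SECTOR and bs[82:90] == b"FAT32   " and bs[510:512] == b"\x55\xaa"

def audit(disk):
    """List partitions whose contents are FAT32 but whose type ID hides them."""
    return [(slot, hex(type_id), start, count)
            for slot, type_id, start, count in parse_mbr(disk)
            if looks_like_fat32(disk, start) and type_id not in VISIBLE_FAT32]

def build_sample_disk(hidden_type=0x7F):
    """Constructed 3-sector image; 0x7F is a placeholder ID, not Acronis's."""
    def boot_sector():
        bs = bytearray(SECTOR)
        bs[82:90] = b"FAT32   "
        bs[510:512] = b"\x55\xaa"
        return bs
    mbr = bytearray(SECTOR)
    for slot, (type_id, start) in enumerate([(0x0C, 1), (hidden_type, 2)]):
        off = 446 + 16 * slot
        mbr[off + 4] = type_id
        struct.pack_into("<II", mbr, off + 8, start, 1)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr + boot_sector() + boot_sector())

if __name__ == "__main__":
    print(audit(build_sample_disk()))
```

A partition reported by `audit` is one that ordinary file-level wiping tools will not reach while its type ID stays unchanged, which is the management gap the thread is arguing about.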
     
  14. TonyTech

    TonyTech Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    12
    Am I missing something relevant here? I am uncertain how this relates to the discussion on the advisability, or not, of incorporating the Acronis Secure Zone functionality into a backup strategy.

    I tend to think in terms of the overall picture which starts from the as-delivered (or initial setup) PC state. Legally, I think, MS only allows a user to make one complete copy of the OS, and I don't think that means one copy of the original media disk either. So technically (legally) more than one full image (on removable media?) is a no no. But read the EULA rather than what I think.


    Laptop vendors in particular have incorporated the "hidden" partition concept to quickly restore a machine to a "factory state".

    A lot (most?) tier 1 OEMs include a restore partition. I've seen a lot (all) of HPs and Dells with them.

    If your machine goes to blue-screen heaven after say 2 years of use, who in their right mind (except a masochist!) would want to return their machine to its "factory fresh" condition?

    If you sell or give the PC to someone else you might wanna do that. The typical end user may want to give that a try and do all the updating as that is within the capability of the non-techie while setting up Windows from scratch is too involved to do "right".

    Microsoft does not have a problem with users creating a mirror image disk providing that the mirror disk is only used in the same machine as the source disk and that only the source OR the mirror are present at the same time.

    That one copy one limitation is probably violated a lot (especially those using imaging software and creating full images).

    If you use ATI to deploy duplicate installations then you MUST use Sysprep or Microsoft will not provide support. See below....

    If you are sysprepping, then MS won't support anyway. The sysprepper becomes the OEM and the OEM is required to provide the support.


    Having said that..... if we are going to continue this discussion we need a new thread because this is now far from the Title of this thread! :ouch:

    Create one if you want. I think any discussion about the SZ is all related at this time because its usefulness is constantly being debated. In its current incarnation, I'm leaning toward not using it personally. But for OEM installs, maybe.
     
  15. TonyTech

    TonyTech Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    12
    I hear ya. I'm concerned with both.
     
  16. Xpilot

    Xpilot Registered Member

    Joined:
    May 14, 2005
    Posts:
    2,318
    In my simple mind I take this to be an Acronis support forum.

    If Tony Tech has a problem with whatever version of TI that he is using I am sure that it can be sorted out here.

    Remember that a secure zone is one of many options available to users.

    The point that has been raised concerning security of the secure zone is to put it kindly...utter rubbish.

    Xpilot ( on a short fuse day)
     
  17. TonyTech

    TonyTech Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    12
    Well what I just did this week was: delete the secure zone, then wiped the free space on the drive (7 times). So obviously I don't think having remnants of SZ is secure, less so having an unmanaged SZ. Call me paranoid if you want, but I see it as either secure or not. (Not that I think encrypted SZ would help, since given any encrypted hard drive, it's just a matter of time to brute force a way into some of the original data). The point is, if I DON'T use the SZ, I can better manage the security of the imaged data than if I use the SZ.

    Is the SZ secure? I think not. Else I'd want proof of it (like government acceptance of its security). "Secure Zone" may indeed be a point of contention for Acronis.
     
  18. foghorne

    foghorne Registered Member

    Joined:
    Sep 27, 2005
    Posts:
    1,389
    Location:
    Leeds, Great Britain
    Hi TonyTech,

    IMHO this is where all your problems start. Security is not a discrete concept. Security is largely about perception, if you think something is either secure or not secure you are in trouble.

    Just because you cannot manage encryption on a filesystem in a proprietary partition type, it does not mean the data is "not secure". The best you might argue is that it is less secure than data on sister partitions which is encrypted.

    If you need industrial strength security then don't use the SZ. Also change the locks on your doors and windows, and recruit extra security guards.

    Security is holistic and involves much more than a disk partition. Please get over it.

    F.
     
  19. Tabvla

    Tabvla Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    649
    Location:
    London, England
    At last I am starting to make some sense of this thread!! How is that for waking up with a clear head on a Saturday morning :p

    For the benefit of Newbies and non-technical members of this Forum let me try to clarify.....

    TonyTech raised the issue of whether the Acronis Secure Zone is "secure" which resulted in some discussion around the "security" of the ASZ. It is actually a question more closely related to semantics than technology.

    TonyTech has interpreted the word "secure" to mean that the data in the ASZ is safe from anyone who may want to gain access to it. That is definitely NOT what Acronis mean by "secure" in this context.

    Acronis mean by the word "secure", in the context of the ASZ, that this "zone", or more correctly, partition, is safe from data corruption; viruses; boot failures; rootkits; and user errors. Which, in the case of a single-disk system (e.g. laptop), it affords the user a safe route to disaster recovery. A clever solution to a difficult problem, namely, "how do you backup and recover a single-disk system?" The ASZ provides a unique solution to this problem which has been a real pain-in-the-b--- for laptop users.

    Acronis do NOT mean that data left in the ASZ is secure when you sell your computer or hand it in for repair.

    :cautious:
     
  20. TonyTech

    TonyTech Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    12
    In the time where one can buy notebook hard drives that have built-in whole disk encryption, it would probably be best for Acronis to change the name of the Secure Zone to something else. Though I am aware of what the SZ was, a lot of non-technical users may misinterpret what it is. My original point still holds though: it's easy to forget about the images in the SZ and hard to manage them, especially if you like to keep your data tidy and secure to some degree.
     
  21. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Not sure that it is correct to say that ASZ is a "unique" solution. I must admit I have never tried ASZ so am probably missing something. On 2 laptops all I have done is use DiskDirector to make 3 partitions - C: for xp and programs, F: for data and G: for Images. I then simply image C: and F: as required to G: and eventually cut and paste these images to DVD or external USB. Taking a 2 step approach is much quicker than imaging direct to my external drives or DVD.
     
  22. Tabvla

    Tabvla Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    649
    Location:
    London, England
    When you logon to a Windows machine and then connect to the Internet you are potentially vulnerable. If Windows is not up-to-date; if you haven't installed the latest patch on your web browser; if your Firewall has a hole in it; if your AV is not updated every few hours - you are at risk. If a hacker breaches your defenses then potentially they have the same rights as the logged-on user.

    This is one of the key technical benefits of the ASZ, because it can only be accessed by ATI it is invisible to any intruder. If your system becomes infected with something really serious like a Rootkit; boot sector virus or some destructive malware; you could potentially lose everything on all your visible partitions. Even in extreme cases of corruption - including Track 0 and the MBR - you will be able to rebuild a completely trashed system partition from the ASZ.

    Obviously the ASZ cannot save a situation where the disk has suffered mechanical or electronic component failure. That is why it is always preferable to have a multiple disk solution. But, for users who have only a single disk the ASZ provides an important additional level of safety.

    :)
     
  23. foghorne

    foghorne Registered Member

    Joined:
    Sep 27, 2005
    Posts:
    1,389
    Location:
    Leeds, Great Britain
    Or one where a virus has been written to be specifically sensitive to the possibility that a SZ might exist.

    F.
     
  24. Tabvla

    Tabvla Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    649
    Location:
    London, England
    An interesting thought. I wonder if that has ever happened? Anyone on the Forum experienced an ASZ-specific virus?

    o_O
     
  25. foghorne

    foghorne Registered Member

    Joined:
    Sep 27, 2005
    Posts:
    1,389
    Location:
    Leeds, Great Britain
    It would have to be written by someone with far too much spare time on their hands, and I think it is unlikely to happen. I was just pointing out that technically it would be simple to do.

    F.
     