laptops and security

Started by Lynne Desrochers, September 26, 2011, 01:23:15 PM

Lynne Desrochers

I got a laptop for the Personal Lines Producer. I've been reading on the security for it and everyone says "make sure data isn't stored on it". Well how do I do that? Or is the answer, if you have to ask you have no hope. My thoughts are she would connect via citrix while out at a client.
Thank you everyone.
Lynne Desrochers

Bloody Jack Kidd

It could be as simple as providing the mobile user(s) with an IronKey.  They keep all docs etc. on that and not on the notebook hard drive.

https://www.ironkey.com/personal

Depends on how the device is used.
Sysadmin - Parallel42

Jeff Zylstra

I wouldn't get too concerned about it, as long as you don't store anything like driver's license, social security or credit card numbers on it. Your proposals and/or PowerPoint presentations probably aren't on anyone's desired reading list. Sorry. ;)
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Alice

Not saying this is a good thing or a bad thing...just mentioning what they do here.

They lock the laptops down so hard that nothing can be accessed except IE to connect to the Citrix XenApp server. Everything they need to do their job is there. But here's the thing... all laptop users need to make an appointment to bring them in to:
- install Windows updates
- install virus updates
- install printer drivers
- anything that requires local files be updated/installed/changed.

I'm not involved with all that...seems like a pain in the butt for the user, especially if they live/work 60 - 90 minutes away. And we all know that producers never complain about anything...right? ???

Mark

IronKey is slick, but I would just not have them use the laptop for anything other than connecting back to the office.  It's as simple as that.  All the laptop should be is a portable remote access tool.  Get a 3G/4G card for it if you're worried they may not always have an Internet connection wherever they go, or if you don't want to bother the client with connecting to the Internet.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Kevin Crow

We use TrueCrypt (www.truecrypt.org) to encrypt our laptops at the system level. ALL data on the laptop is AES 256-bit encrypted (1 of 8 encryption options). You can't boot Windows without first entering the password to unlock the volume. We also changed the password prompt to "HARD DRIVE NOT FOUND" to throw off the would-be thief (customizing the password prompt is a nice feature of TrueCrypt).
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/

Jeff Golas

What Kevin said - that way they can use it as they would any other computer and the data is safe.
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Bloody Jack Kidd

Quote from: Kevin Crow on September 26, 2011, 04:36:33 PM
We use TrueCrypt (www.truecrypt.org) to encrypt our laptops at the system level. ALL data on the laptop is AES 256-bit encrypted (1 of 8 encryption options). You can't boot Windows without first entering the password to unlock the volume. We also changed the password prompt to "HARD DRIVE NOT FOUND" to throw off the would-be thief (customizing the password prompt is a nice feature of TrueCrypt).

Had this done at one time, but had some disk errors and the entire thing became unrecoverable - was unpleasant.  I now use a TrueCrypt "drive" that uses keyfiles instead of a password, and the keyfile is on my AES encrypted IronKey. 

I joke that it's 4-factor since you need to know I have a TrueCrypt drive in the first place (isn't mounted at boot), you need to know it's keyfile-based, you need the IronKey and the IronKey password.  You also need to know which file on the IronKey I used as the keyfile.
Sysadmin - Parallel42

Mark

Quote from: Bloody Jack Kidd on September 26, 2011, 06:31:46 PM
You also need to know which file on the IronKey I used as the keyfile.

I wonder if something like trid would be able to tell me which file is the keyfile.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Bloody Jack Kidd

Not sure - you can actually use anything as a keyfile, but I believe mine is cryptographic, which could be a bit of a giveaway.
Sysadmin - Parallel42

Mark

Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Kevin Crow

We encrypt the whole drive because a lot of data goes to the system volume (browser and other temp files, Outlook cache files, etc). It's a lot of work to reroute all that to the TrueCrypt volume and I wouldn't be confident we got it all.

Also, the key file can be any file but it's very specific. The TrueCrypt web site warns about using an MP3 because if you rate the song (which changes the metadata) it won't unlock your volume any more.

Our users are told that nothing on their computer is backed up, so if it's lost, it's lost. All important data is to be stored on the network and cached to the laptop for offline access.
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/
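The MP3 warning above is worth seeing in code. The following is an added example, not TrueCrypt's code and not posted by anyone in this thread. It assumes a simplified scheme in which the volume key is derived with PBKDF2-HMAC-SHA256 from the password concatenated with a SHA-256 digest of the entire keyfile; TrueCrypt's actual keyfile-pool mixing differs in detail, but the property demonstrated is the same: any change to the keyfile's bytes (such as a player rewriting an ID3 rating tag) produces a different key and the volume will no longer unlock, while renaming the file makes no difference. The MP3 contents, salt and password are constructed sample values.

```python
"""
Added example (not TrueCrypt's code and not from any poster in this thread).
Assumption: volume key = PBKDF2-HMAC-SHA256(password || SHA-256(keyfile bytes)).
TrueCrypt's real keyfile mixing differs, but the demonstrated property holds:
the key depends on every byte of the keyfile, never on its name.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 iteration count chosen for this example


def keyfile_digest(path: str) -> bytes:
    """Hash the complete contents of a keyfile, streaming it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def derive_volume_key(password: bytes, keyfile_path: Optional[str], salt: bytes) -> bytes:
    """Combine the password and (optional) keyfile digest into a 32-byte volume key."""
    material = password
    if keyfile_path is not None:
        material = material + keyfile_digest(keyfile_path)
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=32)


def can_unlock(stored_key: bytes, password: bytes, keyfile_path: Optional[str], salt: bytes) -> bool:
    """Constant-time check of a candidate password/keyfile pair against the stored key."""
    candidate = derive_volume_key(password, keyfile_path, salt)
    return hmac.compare_digest(stored_key, candidate)


def demo() -> dict:
    """Constructed scenario: an MP3 used as a keyfile is renamed, then 'rated'."""
    salt = bytes(range(16))          # constructed, fixed so the run is reproducible
    password = b"correct horse"      # constructed sample password
    results = {}
    with tempfile.TemporaryDirectory() as d:
        song = os.path.join(d, "song.mp3")
        with open(song, "wb") as f:
            # Constructed stand-in for an MP3: an ID3 header, 64 zero bytes of
            # tag space, then fake audio frames. No real MP3 is needed.
            f.write(b"ID3" + bytes(64) + b"FAKE-MPEG-AUDIO-FRAMES" * 100)

        # The volume was created with this password + keyfile; remember the key.
        volume_key = derive_volume_key(password, song, salt)
        results["original"] = can_unlock(volume_key, password, song, salt)

        # Renaming the keyfile: identical bytes, so the volume still opens.
        renamed = os.path.join(d, "track01.mp3")
        os.rename(song, renamed)
        results["renamed"] = can_unlock(volume_key, password, renamed, salt)

        # "Rating" the song: a media player writes one byte into the tag area.
        with open(renamed, "r+b") as f:
            f.seek(20)
            f.write(b"\x05")
        results["rated"] = can_unlock(volume_key, password, renamed, salt)

        # Correct keyfile but wrong password also fails.
        results["wrong_password"] = can_unlock(volume_key, b"wrong", renamed, salt)
    return results


if __name__ == "__main__":
    for case, unlocked in demo().items():
        print(f"{case:15s} -> {'unlocks' if unlocked else 'does NOT unlock'}")
```

The practical takeaway matches Kevin's advice: pick a keyfile that nothing on the machine will ever rewrite, keep a verified copy of it somewhere safe, and treat the keyfile with the same care as the password, since losing either means losing the volume.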

Mark

Hey Kevin,

I heard you talk about this probably a few years ago, but since hardware is constantly evolving, could you talk about the performance hit that you see on these TrueCrypt'd laptops?
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Golas

I use TrueCrypt and it's not too bad, but doing it on a 5400rpm drive may be a bit slow.

I've heard of other people using it on SSDs but there are issues in doing so, particularly if the SSD was already in use before encrypting (as the wear leveling may leave data outside the encrypted realm), and the fact that the entire drive gets filled/encrypted thwarts the wear leveling mechanics.

Long story short, although anything can happen, I think the key thing is protecting the drive if someone grabs the laptop. I'm not sure how many laptop thieves put an SSD under a microscope, but anything's possible.
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Kevin Crow

Personally, I haven't noticed a performance hit and my laptop's 3 years old. I think for business purposes, CPU, memory and disk speed far exceed our needs these days. If you were running a gaming machine with an encrypted drive you'd probably feel some loss of performance.
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/

Bloody Jack Kidd

Thou shalt not impede performance of thy gaming rig!
Sysadmin - Parallel42

Lynne Desrochers

Thank you everyone. Plenty to go off of. I appreciate the help. The user better not be doing any gaming.
Lynne Desrochers

Gene Foraker

A year ago, I looked into LoJack and a competitor and wrote a small white paper on it for another association. LoJack's big advantage is that you can send a signal to a stolen PC and have it delete designated files or folders. One version's software even sent you back confirmation of the data deletion that you can show regulators. Most laptop manufacturers even load LoJack into the BIOS so reformatting or replacing the HD won't get rid of it.

When I speak of the features of LoJack, I am really referring to their business product, Computrace. Some of the features are still in LoJack, but Computrace has a bit more. You don't have to buy it new from the computer manufacturer to have it connect with the system BIOS; most laptop manufacturers have that feature built into all of their laptops.
Gene Foraker CPCU
Gates-Foraker Insurance Agency
Norton, OH


My posts are a natural hand made product. The slight variations in spelling and grammar enhance its individual character and beauty and in no way are to be considered flaws or defects.

Kevin Crow

We used CompuTrace before switching to TrueCrypt. The flaw in CompuTrace is that if the lost or stolen device doesn't connect to the internet, the erase commands are not delivered and the data remains on the device. If that data isn't encrypted, it's easily accessed.
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/

Gene Foraker

Very true, but what laptop computer doesn't ever connect to the internet? If it has a broadband wireless card, Computrace can have you issue a remote command to wake it up and connect on its own.

Still, lots of data could be accessed before it is even reported missing, or the disk could be removed and read for data on another computer. If they steal the laptop to get the data, Computrace is not as effective as if they steal the laptop for the laptop. I did think the report log for the deleted data was kinda cool, though.

TrueCrypt is a better solution for extreme data security. I'd never encrypt the entire drive on my netbook, though. It is slow enough already!
Gene Foraker CPCU
Gates-Foraker Insurance Agency
Norton, OH


My posts are a natural hand made product. The slight variations in spelling and grammar enhance its individual character and beauty and in no way are to be considered flaws or defects.

Mark

If the laptop is locked when it's turned on (as it most likely is -- or at least SHOULD BE!) then there is no way it's going to connect to a wireless Internet connection unless you have an unsecured Linksys network saved to automatically connect -- and even that is pushing your luck. Who the heck is going to plug in a laptop to the Internet if they can't even unlock the screen?

A 3G or 4G card might be a different story, but even for those, don't you usually need a login to access the Internet?
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Kevin Crow

Quote from: Gene Foraker on September 29, 2011, 11:41:52 AM
what laptop computer doesn't ever connect to the internet?
As you say, if they know to go after the data by removing the drive, CompuTrace is no help.

With TrueCrypt and a screen locking policy in place, I know that if it goes missing, unless the thief or finder has the employee's password, they're never getting at the data. There was a news story last year about how the FBI gave up after trying unsuccessfully for 12 months to crack TrueCrypt on a Brazilian criminal's computer (http://news.techworld.com/security/3228701/fbi-hackers-fail-to-crack-truecrypt/). That's good enough for me.
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/

Billy Welsh

I just got this the other day and used it for the first time yesterday. I plugged in 2 hard drives from retired PCs, and had instant access to ALL user data, including that in folders with a padlock icon.

So unless I am missing something (as I often am), the user password or screen lock without any encryption does not protect the data.

Billy Welsh
VP of Accounting
CableSouth Media, LLC dba SwyftConnect

Mark

Quote from: Billy Welsh on September 30, 2011, 09:57:46 AM
So unless I am missing something (as I often am), the user password or screen lock without any encryption does not protect the data.

Windows 98 all over again!!  ;D ;D

Seriously though, you are correct.  Those are just locks on the door, but everything behind is still in plain sight.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Kevin Crow

Quote from: Billy Welsh on September 30, 2011, 09:57:46 AM
So unless I am missing something (as I often am), the user password or screen lock without any encryption does not protect the data.
Correct. And to be clear: when I mention using a screen lock on a laptop I know that doesn't lock the data. What most thieves would do in that situation, I believe, is restart the machine or pull the hard drive, both of which mean dealing with the encrypted drive and without the TrueCrypt password, they're out of luck.
Kevin Crow
Kapnick Insurance Group
@kevincrow1 on Twitter
www.linkedin.com/pub/kevin-crow/8/8b6/4bb/

Jeff Golas

Another option that you may see is a hard drive lock - supposedly this secures the interface of the drive (without actually encrypting it) so that any computer that drive goes into has to be programmed with the password of the drive before the drive can be accessed.

Although it's pretty much free (most computers/laptops and hard drives support this now) it's not the best solution - if you take the circuit board off the hard drive and swap it with another identical drive, one could access the data again.

Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com