How to protect your PC with Encryption.



kingdragonfly
14-05-2014, 03:14 PM
I know most people don't care if someone reads every file on your PC: "if you got nothing to hide, then you shouldn't be worried..."

However, even individuals like ex-President Jimmy Carter, noted peace activist, try to avoid surveillance.

Note the following is for stand-alone systems. An enterprise solution, protecting many PCs with centralized management, is outside the scope. I assume you are working from home / "on the road".

*************************************
Tip 1 - full disk encryption
*************************************

Use stand-alone full disk encryption, to encrypt everything on your hard drive.

Full disk encryption, abbreviated FDE, will protect all your contents, including the memory page file, temporary work files, Internet history, hibernation files, everything...

In a good stand-alone system, if you lose your password, no one can recover your hard disk.

By the way, you can back up encrypted hard drives by using any number of disk image tools that can create a raw sector-by-sector disk clone. "Acronis Backup & Recovery" is popular.

https://kb.acronis.com/content/1543

*************************************
Tip 2 - avoid BitLocker, use Truecrypt
*************************************

Do not use Microsoft's Bitlocker. Even if you try to "opt-out", Microsoft REALLY wants you to store your keys in a hidden central location, out of your control. Given half a chance, it'll copy them elsewhere.

You should strongly consider using TrueCrypt, which is open-source.

TrueCrypt's shortcoming is that there's no two-form authentication. (see YubiKey note above)

*************************************
Tip 3 - disable hibernation
*************************************

Disable hibernation / sleep on your PC. Always power-off your PC when you're not using it.

Example:
http://www.moonsols.com/windows-memory-toolkit/

See
http://support.microsoft.com/kb/920730

*************************************
Tip 4 - do NOT use Solid state drives
*************************************

Don't use SSD / Solid state drives with TrueCrypt encryption.

Use the "old-fashioned" / cheaper hard drives.

If you use SSD, please realize that the FDE feature is actually riskier than software-based encryption. Most attack vectors still exist for FDE, plus there's an additional attack vector "hot plug attack".

http://www.truecrypt.org/docs/wear-leveling
https://www1.informatik.uni-erlangen.de/filepool/projects/sed/seds-at-risks.pdf

*************************************
Tip 5 - two form authentication
*************************************

Let me digress a moment, and discuss "two form authentication".

Think about using an ATM machine. To get cash, you'll need your ATM card, and know your PIN.

For PCs, "two form authentication" is often a password and a smart card / USB token.

For most, a password is sufficient.

The next level up is pseudo-two form authentication, which protects against most attacks, except for the most extreme.

https://www.yubico.com/applications/disk-encryption/disk-encryption-truecrypt/

And then for the "I'm Edward Snowden" level, you need true two-form pre-boot authentication.

For a "serious geeks only" solution, you'll need Ubuntu and supported hardware:
https://www.opensc-project.org/opensc/wiki/SupportedHardware

Lastly there's a commercial product called Winmagic "SecureDoc Standalone". It's supposed to work standalone with tokens, and smart-card readers. By the way, Aladdin tokens are easily available and inexpensive.

It's not open-source, so that's a problem.

https://www.winmagic.com/products/full-disk-encryption-for-windows
http://www.winmagic.com/3rd-party-technology-integrations?manufacturer=-&type=Token

*************************************
Tip 6 - Do NOT use these
*************************************

Avoid these technologies:

- Microsoft's Bitlocker
- SED: "self-encrypting drives"
- TPM: "Trusted Platform Module"
- TCG: "Trusted Computing Group"

*************************************
Tip 7 - disable FireWire
*************************************

This one's easy to fix, because disabling it is almost never noticed.

FireWire is an Apple technology that you'll find on some PCs. It's rarely used, and USB 3 is poised to eliminate it completely.

Since it's rarely used, have a technician disable your FireWire ports, if they exist, in the BIOS. It also needs to be disabled in Windows.

Example:
http://www.breaknenter.org/projects/inception/
http://support.microsoft.com/kb/2516445


*************************************

Here are some background articles:

http://www.mcbsys.com/techblog/2010/08/how-secure-are-truecrypt-and-bitlocker/
http://ctogonewild.com/2009/08/28/10-things-you-dont-want-to-know-about-bitlocker/

Speedy Gonzales
14-05-2014, 03:36 PM
I doubt USB 3 will eliminate FireWire if the device you're using doesn't use or have USB 3.

I may use TPM, since I'll be getting a TPM module for this mobo sometime this week. I doubt that it'll or can sync with OneDrive / whatever if it's off / disabled, and if you don't use your MS account in Win 8.1.

kingdragonfly
14-05-2014, 04:02 PM
I find the FireWire security hole a bit shocking:

"The [Inception] tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to."

Speedy Gonzales
14-05-2014, 04:14 PM
Can't say I've ever used a password for FireWire. I know people who have tried to give it an IP address, which is a no-no. It can screw it up. I know that it can cause network probs for some reason, esp. when it's starting to die or fail.

I had a FW card in the other PC here, then noticed over time it couldn't get online. The longer it was installed, the worse the network connection got, until I removed it completely.

Used to have one in this too for the video cam I've got (so I can xfer video, since the only thing it's got is a FW connection).

But have removed it now, since the one I've got now uses an SD card, and I can use the card reader to copy what I record.

Alex B
14-05-2014, 05:10 PM
Don't use an SSD, yeah right.

kingdragonfly
14-05-2014, 06:35 PM
You read the links before you posted your reply.

Yeah right

wainuitech
14-05-2014, 06:53 PM
What say a person doesn't use encryption on their drives? A high percentage of people don't, so it's all irrelevant really. ;)

kingdragonfly
14-05-2014, 07:14 PM
My very first sentence said most people don't care about encryption.

It's inconvenient. Even when there's no performance degradation, you still have to do / have something extra to start your PC.

Hopefully it's of interest to a couple of people.

fred_fish
14-05-2014, 07:16 PM
I've seen more data loss in the last year due to people (mis)using encryption than to hardware failure.
Forgetting the passphrase, remembering the passphrase but formatting the device with the actual encryption keys etc.

Them: "You can 'bypass' this password thing can't you?"
Me: "Um - no... Where are your [unencrypted] backups?"
Them: "Ah......" (priceless look on face as reality hits)
Me: ROFLMFAO

Greg
14-05-2014, 07:52 PM
Hopefully it's of interest to a couple of people.

It is, and thanks.

Alex B
14-05-2014, 08:45 PM
You read the links before you posted your reply.

Yeah right

I did, and when they made references to 3 year old SSDs I lost interest.

kingdragonfly
14-05-2014, 09:14 PM
I haven't seen any SSD that doesn't use wear-leveling.

From my original link

"Some storage devices (e.g., some solid-state drives, including USB flash drives) and some file systems utilize so-called wear-leveling mechanisms to extend the lifetime of the storage device or medium. These mechanisms ensure that even if an application repeatedly writes data to the same logical sector, the data is distributed evenly across the medium (logical sectors are remapped to different physical sectors). Therefore, multiple "versions" of a single sector may be available to an attacker."

If you need more proof that using software encryption on an SSD is not good, here's a link from last month from "Digital Forensics Consulting, LLC" discussing wear-leveling:

http://www.dfinews.com/articles/2014/04/solid-state-drives-part-6

As mentioned before, nearly all new SSDs have hardware-based FDE built in; however, it adds an additional attack vector.
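The "multiple versions of a single sector" effect quoted above, as an added example that is not code from the thread or from TrueCrypt: a toy flash translation layer that remaps every write to a fresh physical page, beside a plain in-place disk model, with constructed stand-in bytes for an encrypted volume header.

```python
# Added example (not code from the thread or from TrueCrypt): a toy flash
# translation layer with wear-leveling next to a plain in-place disk. The
# header bytes are constructed stand-ins for an encrypted volume header.
class InPlaceDisk:
    """Magnetic-disk model: a rewrite replaces the old sector contents."""

    def __init__(self, num_sectors):
        self.sectors = [b""] * num_sectors

    def write(self, logical, data):
        self.sectors[logical] = bytes(data)

    def read(self, logical):
        return self.sectors[logical]

    def raw_versions(self, logical):
        # A raw read of the platter sees only the current contents.
        return [self.sectors[logical]]


class WearLevelingSSD:
    """Log-structured FTL model: each write lands on the next unused page."""

    def __init__(self):
        self.pages = []      # (logical_sector, data), in write order
        self.mapping = {}    # logical sector -> index of its current page

    def write(self, logical, data):
        # The previous page for this sector is only marked stale, not erased.
        self.mapping[logical] = len(self.pages)
        self.pages.append((logical, bytes(data)))

    def read(self, logical):
        # What the OS and the encryption software see through the FTL.
        return self.pages[self.mapping[logical]][1]

    def raw_versions(self, logical):
        # What a forensic read of the bare NAND sees: every page that ever
        # held this logical sector, oldest first.
        return [data for lsn, data in self.pages if lsn == logical]


OLD_HEADER = b"volume header encrypted under the OLD passphrase"
NEW_HEADER = b"volume header encrypted under the NEW passphrase"


def rewrite_header(device):
    """Write the header, 'overwrite' it (as a passphrase change does), and
    report what the raw medium still holds."""
    device.write(0, OLD_HEADER)
    device.write(0, NEW_HEADER)
    return {"visible": device.read(0), "raw": device.raw_versions(0)}
```

On the in-place disk the raw read returns only the new header; on the SSD model both versions remain on the medium even though the FTL only ever presents the new one.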

wainuitech
14-05-2014, 10:00 PM
Them: "You can 'bypass' this password thing can't you?"
Me: "Um - no... Where are your [unencrypted] backups?"
Them: "Ah......" (priceless look on face as reality hits)
Me: ROFLMFAO

Yeah, normal sign-in passwords are a piece of cake to bypass. Had one last week: a lady had called to clean out her and her son's laptop, she didn't know the son's password and couldn't get hold of him. She asked if there was a way to get around it - I said yes, but only with her permission - she said go ahead, and around a minute later I was working on it -- she was a little surprised :horrified & this was Windows 8.1.

Encrypted stuff, as fred was describing :(

Renegade
15-05-2014, 12:32 AM
Yeah, normal sign-in passwords are a piece of cake to bypass. Had one last week: a lady had called to clean out her and her son's laptop, she didn't know the son's password and couldn't get hold of him. She asked if there was a way to get around it - I said yes, but only with her permission - she said go ahead, and around a minute later I was working on it -- she was a little surprised :horrified & this was Windows 8.1.


How about those Microsoft account 8.x logins? ;)

Arggghh, people and passwords. :badpc:
Set up a new PC, what's your Skype password? "I don't have one", ditto email. Sure you don't :lol:

wainuitech
15-05-2014, 11:11 PM
Had a call today; the person had a laptop that's gotten encrypted, no idea of what was done apart from there's a message saying the drive is encrypted -- asked how much to decrypt it -- didn't like the reply too much :(


How about those Microsoft account 8.x logins?
Working on that one. There's a method but I have not tried it yet. If it's only the local account, that's easy as falling off a slippery log while drunk ;)

kingdragonfly
16-05-2014, 08:07 AM
I'd really need to know the model of the laptop, the OS, and the text of the prompt to take a guess.

Many corporate laptops have "self-encrypting drives" (SED, hardware-based using the TPM). These are NOT tied to a Windows account; they're almost always tied to the physical MAC address and stored in an enterprise-level central key server.

Alternatively, of course, BitLocker is popular (software-based encryption).

Note many other products, like TrueCrypt, have a prompt that's easy to change to anything, to fool the thief.

You can look at the boot sector, to give an indication of the encryption, but this of course doesn't get you anywhere near finding the password.

1101
16-05-2014, 10:10 AM
http://windowssecrets.com/top-story/better-data-and-boot-security-for-windows-pcs/

Some quick reading for those interested; discusses Win8 & Secure Boot issues with whole-disk encryption:
"TrueCrypt, for example — which might well be the world’s most popular open-source, whole-disk encryption tool — currently doesn’t work on Win8 systems using Secure Boot. This situation will most likely change in the future; but today, some TrueCrypt users who upgraded from Win7 to Win8 have run into severe trouble, such as losing access to the entire contents of their hard drives."

nmercer
17-05-2014, 08:32 PM
I find the FireWire security hole a bit shocking:

"The [Inception] tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to."

This is just the way it works. Any system with FireWire or Thunderbolt ports is vulnerable to Direct Memory Access (DMA) attacks when the computer is turned on or is in the Standby power state.

You can mitigate this by:
- Shutting down the system when not in use
- Not using standby
- Not using just TPM protection for a 2nd factor
- Removing Thunderbolt and FireWire ports (not that easy if your laptop already has them)

nmercer
17-05-2014, 08:36 PM
My very first sentence said most people don't care about encryption.

It's inconvenient. Even when there's no performance degradation, you still have to do / have something extra to start your PC.

Hopefully it's of interest to a couple of people.

Full volume encryption can be configured to not require a 2nd factor but to just use the machine's TPM, so there isn't anything extra to do when starting the PC.

This is particularly handy on Windows tablets.

kingdragonfly
06-06-2014, 11:53 AM
An update to this thread: in May 2014, TrueCrypt began displaying a message that it was no longer secure. Needless to say, if you were using TrueCrypt, decrypt your partition.

An open-source alternative is DiskCryptor.

See this link:
http://www.ilovefreesoftware.com/31/windows/security/free-alternative-truecrypt-diskcryptor-disk-encryption-software.html