Domain: securstar.com
Stories and comments across the archive that link to securstar.com.
Comments · 17
-
Re:And keeping credit card info?
Yes, http://www.securstar.com/products_ssolo.php
Or, if you are wealthy, get an offshore co-lo, configure it with SSH, and use SSH tunneling, to force everything through port 22.
-
Re:Which is why encryption should be usedYou can take it a step further
... Drive encryption with a decoy OS to which you provide officer friendly the password, once logged in an auto overwrite process begins and the "Real" OS hidden in the FAT table of the Decoy OS is destroyed as all of the "Free Space" on the drive is overwritten with ones and zeros a time or ten.http://www.securstar.com/products_drivecryptpp.ph
p That software is not open source however. but for the really paranoid a hundred and twenty five bucks is a small price to pay.
-
Encrypt system drive
> On my windows machines it would probably be of more use
> since I can't encrypt the system drive
You can, using DCPP -
What's not to like?
Full disk encryption (FDE) is simple, is easy to use, is readily available, imposes negligible user-visible performance penalties on Windows laptops, and is completely effective in solving "theft of laptop" problems. Not using it should be automatic evidence of gross negligence.
I've deployed both PointSec and DriveCrypt Plus Pack for over five years on a large number of machines, and even for heavy-duty software development, where "rebuild world" takes many minutes, the actual impact--in terms of effect on end-user activities--is negligible.
Sure, if you imagine performance is an issue, you can try any of the vastly more difficult to manage solutions that try to "encrypt only sensitive data", or the even sillier solutions that "delete sensitive data" when the laptop connects to the Internet after it's stolen, but why bother? Try it yourself, and you'll find that performance is NOT an issue in the vast majority of real-world situations. As long as you don't use FDE on heavy-duty I/O-bound database servers and such, you'll rarely notice a difference. Modern computers are so fast that encryption just isn't an issue.
Yes, key management requires some attention. For example, as system administrator, you can just generate some reasonably long passphrases, write them on little cards, and give them to your users to carry in their wallets--and explain the rules. Don't allow users to change them, and keep a copy along with other critical corporate records, and key management is a solved problem. Worried about users losing wallet and laptop simultaneously? Take the cards back after a week, and obfuscate their contents to begin with. Worried about backup? Keep two copies. And so forth. Sure, it could be stronger, and some users will always work around the system, but users will lie, cheat, and steal in other ways, too. In the corporate world, at least, your goal is risk management, not perfection.
Too hard to type a password when you boot the machine? Gosh, fifteen characters at one character per second is, yes, fifteen whole seconds--and anyone will learn to type it more quickly over even a short period of use. Don't change the passwords, either: they're not shared, and not transmitted over networks, so there's virtually no risk of interception--just pick a good one and stay with it.
Backup and recovery also requires some thought. I've actually recovered encrypted drives occasionally, but most recovery is done from file-level backups, where the data is backed up in the clear, over a secured network, and stored on other encrypted volumes. That's really no different when using FDE as not.
If computer theft is the problem, full disk encryption is the answer. It's not the whole answer, and it's not perfect, but it sure goes a long way toward solving the problem. Heck, even Microsoft is offering it in Windows Vista, only a decade or so too late.
-
So what software packages will they be using?
I only know of a handful of whole-disk encryption products that support encrypting the operating system disk:
- PGP sells a corporate level product called "PGP Whole Disk Encryption".
- SecureStar sells DriveCrypt Plus Pack
What else is out there that is trustworthy? (Heck, do we even trust that there aren't any weaknesses / or back doors in PGP or DCPP?)
-
IT Information Security
Our company does a lot of data processing on job applicants and up to about three years ago, saying that the collection of SSN's was mandatory wasn't even second guessed. Within the last nine months, two of our customers demanded that not only do we stop collecting the applicants SSN's, but that we also purge our entire DB of previous applicant SSN. This is all due to the growing trend of corporate policy of collecting data that could be linked to identity theft. It's a liability thing for them.
Not to say that we're not taking the proper steps to protect this data. In California there are state laws in place that require encryption of data if you collect any combination of personal data (including last name, home address, etc., etc.). We abide by these laws and use AES-256 encryption within our actual database systems, enforce 128bit SSL for web systems and also implement strict firewall and IDS rule sets.
Recently I spearheaded a corporate IT security review. What were our weak links and how could we prevent our company from falling victim to identity theft in the event of compromised security.
At first my IT department rebuffed this review because they felt that our data systems were secure, and I agreed! Our datacenter systems were under strict lock and key and the data was secure without question and according to California state law.... BUT, what about our desktop computers or company laptops? All too often our data analysis people perform data exports to crunch the data within SPSS or other statistical applications on their work PC's or Laptop computers.
To remedy this issue we've implemented two very simple solutions which solve any data security issues:
1) RSA SecurID Appliances -- We've implemented a two factor password/token system using RSA Key fobs. This is implemented in Domain Logins, File Server Access, Source Control and .....
2) Hard Drive Encryption (on portable computers) -- We use DriveCrypt Plus Pack to encrypt the entire hard drive using AES-256 encryption using two factor password/token authentication. This way, even if the laptop were lost/stolen, none of the data on the drive could be compromised (unless complete theft of key fob and knowledge of password).
Now we can boast complete data security at on our datacenter side AND any device with sensitive personal data is secure from theft.
This entire overhaul only cost our (small) company $25,000 in hardware, software and staff time.
So do I think corporate policys are to blame? Not so much. I think a lot of blame falls on the IT department and their "good enough" stance towards their companies IT security.
If you are victim of Identity theft, I would seriously research the Identity Theft prevention laws in your state, because if the company was not in compliance with those laws, you're within your rights to sue for their negligence. -
Wait...
-
Wait...
-
Boot time encryption
I love truecrypt, but what I really want is boot time encryption. Boot and the first thing you enter is a password, then the OS gets booted, be it linux or windows.
I know http://www.securstar.com/products_drivecryptpp.php and http://www.pgp.com/products/wholediskencryption/in dex.html claim to do this, but I need an open source solution.
Does anyone know of one? -
Re:Computer power
Who has a sixty-character passphrase?
I have two 20 character passwords, each of which was randomly generated by sampling physical phemonema and selecting a printable ASCII character. These are the keys to my Windoze laptop, which is entirely encrypted (with DriveCrypt PP, a great piece of software). It wasn't hard to memorize after a few dayss of typing it repeatedly ... it's amazing how fast motor memory kicks in.
Last I checked it were ~90 printable ASCII characters on my keyboard, giving me about 260 bits of actual security (90^40 is roughly 2^260). And I'm just a guy with nothing to hide. I have no doubt that sinister people with half a brain and half a secret can, and do, take similar steps to secure their data.
The difference between 14 days and 90 days is less than 4 bits of extra guessing regardless of the hardware used to bruteforce something. In general, either a password can be bruteforced in a trivial amount of time, or it can't be bruteforced at all - there's not much middle ground, practically speaking.
I don't believe for a second that the police anywhere can "guess" passphrases. They may be extracting them with pliers and lemon juice, and the extra 2.5 months in custody could certainly help there, but they're not guessing anything unless their suspects are idiots. -
Re:Tonight at 11:
This is the first level. Hard drive is encrypted from the word go.
This is the second level. Everything on the hard drive from boot onwards is encrypted in software.
This is the third level. Everything you need to store in encrypted containers you can quite easily. You can also encrypt files and then store them in encrypted containers to add a fourth level.
Using all of these, no hack will open the system to unauthorized use. You need the physical and software keys and the password. Without them there's no chance of recovery in this lifetime with any computer technology now or forseen within the next century that will break all of it without the entire resources of the planet being turned to the job for a period slightly in excess of the sun's remaining lifespan.
You can also get hardware encrypted external drives as well and use multiple layers of software encryption on them.
To address the main post, like who didn't know the best way to gain access to a system was to physically pwn it? I mean, really...
(It's just that with prudent countermeasures and the machines not being left on and requiring all authentication for decryption from start to finish, that point is moot.) -
Steganography?
This is the way it has been in Australia for ever. We are required to provide our keys if directed by warrant - wo don't have the luxury of the right of non-self-incrimination.
One answer is to use Steganography software to give plausable deniability. With a program like DriveCrypt you can have an encrypted file or bootable partition with two keys - One, that you can hand over to the police unlocks some harmless (but seemingly sensitive) files like pr0n the other which you don't disclose unlocks your real data.
While the Police can see an encrypted file it can be unlocked with the first key and they cannot prove the second key exists. -
Re:Like a partition?
If there was one that did something like Drivecrypt's partition hiding then that'd be scary. What it does is use the freespace in your windows partition to hold encrypted data for a separate partition. This hidden partition is even bootable and AFAIK can hold encrypted partitions of its own in its freespace. Of course, the MBR would have to be altered for it to run, but perhaps it could make the MBR seems as if it hasn't been altered (catch filesystem calls).
-
Re:how about dual-plaintext messages?
I'm surprised no one else seems to have mentioned DriveCrypt from http://www.securstar.com/ . Their "Invisible Containers" feature works pretty much like you described. You use two keys, one decrypts the outer disk, and the other the invisible disk.
They also have a Hidden OS option in the Plus version. (Both versions are Windows only)
BTW, I'm not associated with them and I never used their products, except for Scramdisk several years ago. Drivecrypt just seemed really cool when I read their page. -
Re:Step 1
Step 1: Turn off the machine.
Step 2: Make a bit for bit copy of the drive (there are special devices that will ensure that NONE of the bits are changed).
Step 3: You can now run whatever forensics tools you want *on the copy*. The original has to be kept unchanged for it to be worth anything in court.
There are cheap, very secure encryption packages (like DriveCrypt) that will scramble the entire hard drive to the point that any forensics work won't be able to tell what OS is on the computer, much less what's in the browser cache. In this case, turning the computer off just guarantees that nothing will be recovered without the keys.
Make sure to never boot up the drive in question, a good criminal will have the drive auto-erase if it doesn't get a password in a certain amount of time, etc.
These forensic techniques will work against the ignorant or incompetent, but any criminal with an ounce of sense has little to fear from having his computer seized or hard drive copied. I suppose there's always social engineering (pliers & a blowtorch), or a contempt of court charge (?, IANAL) for refusing to give up his keys. But simply grabbing the bits doesn't do much good in a world with strong encryption so readily available. -
Drive Crypt
That's why I use DriveCrypt. I got my version years ago and it's pretty antiquated but it supports up to 1024 bit encryption (granted it makes things relatively slow).
-
Firewall + data encryption, etc
A few things:
1. Add a firewall if you don't have one. IPCop on an old Pentium will work (and be less hassle hardware-wise than the 386 or 486 it could also run on), which you can probably get for free by asking around.
2. Encrypt the data on your hard-drive. DriveCrypt looks pretty good for that and can encrypt the entire drive as well as specific directories.
3. PGP/GPG-sign your email. Thunderbird does this with a simple plugin (takes about 15 minutes to set up). The commercial PGP works with Outlook if that's what you use and won't change.
4. Get rid of Outlook and Outlook Express. These two email programs are major security holes. There is little that Thunderbird can't do for email, and for scheduling use something like the old Lotus Approach or Microsoft Schedule+.
5. Use DVD-RAM for data backups to give you the reliability you need when you have to cover your back.
Damien