Portable computing offers additional challenges in the area of security. On August 31st, John Day discussed how security is different for laptops and handhelds versus the world of traditional desktop computing.If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.

 

Portable computing offers additional challenges in the area of security. On August 31st, John Day discussed how security is different for laptops and handhelds versus the world of traditional desktop computing. If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.

Note: TechProGuild edits Guild Meeting transcripts for clarity.

 

Welcome to the Guild Meeting
MODERATOR: Greetings everyone. Welcome to tonight’s Guild Meeting. The topic for this evening will be laptop security. How do you keep your traveling computers from traveling right out of your organization forever? Tonight’s guest speaker will be John Day.

 

Missing equipment
JOHN DAY: Does anyone have any experience trying to protect your executives’ laptops?

T_LINDSEY: It hasn’t been too much of an issue yet with our guys, but I’m just waiting for it to happen. Although, now that I think about it, I did have a laptop go missing recently. I sent out a new, A20M ThinkPad to a user via FedEx. And they lost it.

JECASSERLY: Oh, sure they did.

TLSNC: Oh, we lost ten Compaqs like that.

T_LINDSEY: Nothing was on it that was mission critical luckily. But all told, we probably lost about $300 on the whole deal

TLSNC: They made it to the warehouse but not into it!

File encryption
JOHN DAY: I’ve been doing some research and was amazed at areas I wasn’t aware of, like Windows temp files and Word or Excel backup files.

JECASSERLY: Is there a special way to protect them?

JOHN DAY: Well, I used to believe that PGP (pretty good privacy) was a good way, but it doesn’t cover the temp or back file issues.

T_LINDSEY: True, it does have to be specifically used. One thing you can do is use PGP to encrypt the folders.

JOHN DAY: Yes, I agree, but PGP makes a product called PGP disk that puts all your secret data in a “container” folder that works well as long as you put all data there.

JECASSERLY: So temp or back files would be backed up?

JOHN DAY: Yes. The problem with just plain PGP is you have to unencrypt then encrypt each file versus PGP disk, which does it on login and then on shutdown. There are a couple of other products that do the same thing: Best crypt and Scram disk. Scram disk is free

T_LINDSEY: Cool. I like that so far.

TLSNC: It starts encrypting when you log in?

T_LINDSEY: Or is it a separate login to turn it on?

JOHN DAY: Yes, it encrypts when you log in, but it unencrypts on login and encrypts on shutdown. Then the only way someone can access it is with password and login or to spend a lot of time with serious hacking tools. Nothing is perfect.

TLSNC: If they think it is really worth it, they will find a way in.

JOHN DAY: To date there is no way to encrypt a complete Windows hard disk, but you can encrypt a container.

T_LINDSEY: I was not aware of that with the whole HD thing. Interesting.

JECASSERLY: So you have to put files in container?

JOHN DAY: Yes, and don’t forget to put your OST folders from Outlook there.

TLSNC: I would hope that the files would be unreadable then. They would not be unencrypted yet.

JOHN DAY: They are encrypted until you log in with user id and password and then encrypted when you shut down.

T_LINDSEY: Does it encrypt on suspend?

JOHN DAY: It doesn’t encrypt on suspend to my knowledge but that would be nice.

T_LINDSEY: This is a laptop were talking about?

JOHN DAY: It works on either laptop or any PC.

JCARLISLE: Can’t you get around it by booting with a DOS disk?

JOHN DAY: No, unlike NT security you can’t get around it without the key, which is the user id and password.

TLSNC: Do we have to train users to always save files to the container?

T_LINDSEY: Yeah, how easy is it to teach road warriors to use it?

JOHN DAY: Yes, you need to put their My Documents folder, OST folders, and default application folders in the container. All you can do is try and teach them that anything not in the container would be subject to easy access.

TLSNC: Yes, but anyone have a good way to keep them saving there?

T_LINDSEY: I’m thinking a large shock if they saved a file anywhere else would work.

JOHN DAY: Yes, the shock thing would be good or a couple of lashes.

JECASSERLY: Why could you not make the entire Windows a container?

TLSNC: Jecasserly, if Windows was in the container, how would you boot since everything is encrypted until you login?

JOHN DAY: Exactly. Tlsnc, this is why Windows can’t be placed in the container. I’m sorry perhaps I missed stating that the login to the container is a separate process after login to Windows, and Windows system files can’t reside there.

D.DAMICO: Can Windows NT workstation be used?

JOHN DAY: Yes, NT can be used, but someone could create a second instance of Windows and hack into the data easily.

The power of encryption
T_LINDSEY: What encryption strength does PGP disk use? 64? 128? 1024?

JOHN DAY: The last release on PGP used 128.

T_LINDSEY: Can you reset the bit level of encryption to greater than 128, for example to a 1024 bit string?

JOHN DAY: T_Lindsey, you have me there on the 1024 string.

Encrypting the Temp directory
T_LINDSEY: Can subfolders of C:\Windows be encrypted?

JOHN DAY: I don’t know about the subfolders, but system and system32 can’t be.

T_LINDSEY: I would think Temp couldn’t be either.

JOHN DAY: On the Temp directory, you’re correct, but it does empty Temp on shutdown and use a piece of PGP called secure wipe to make the Temp file’s contents unreadable.

T_LINDSEY: Ok, so Windows/Temp is covered by default.

TLSNC: But Temp can be anywhere. It does not have to be in the Windows folder. You can change the location in autoexec or in the Registry.

JOHN DAY: Yes, but Temp is a system variable that PGP reads or at least my understanding is that it reads it to perform the secure wipe function.

T_LINDSEY: A typical user wouldn’t have Temp changed. Users usually don’t even know it exists.

TLSNC: Boy is that right!

JOHN DAY: T_lindsey you’re right about that.

T_LINDSEY: If you’re going to encrypt, encrypt big I always say.

JOHN DAY: Heck, adding a BIOS boot password would stop 90 percent of hackers.

T_LINDSEY: The BIOS password would stop only 90 percent of script kiddies. Most hoodlums and script 3l33t hackers wouldn’t get to it.

TLSNC: I have one lab that keeps running out of HD space because PM5 drops stuff in temp!

T_LINDSEY: It’s too bad that /dev/null doesn’t exist in Windows.

Linux’s protection
JOHN DAY: Linux or UNIX allows a whole new level of protection for the whole OS.

JECASSERLY: That is true.

T_LINDSEY: Yes, Linux is the OS of choice for me.

JOHN DAY: Under Linux you can use PPDD to encrypt the entire hard disk.

T_LINDSEY: I haven’t tried that. I’ll have to look at it.

TLSNC: So what does Linux offer?

T_LINDSEY: It offers user-level and group-level permissions on files for one.

JOHN DAY: With Linux, there are several free secure wipe utilities to clean the drive should you want to do that.

TLSNC: Does PPDD come with Linux or is it an add-on?

JOHN DAY: Yeah, Tlsnc, PPDD does come with Linux or at least on some versions, and no I don’t know for sure which ones, sorry.

Securing your laptops
T_LINDSEY: What can we do to prevent physical theft?

JCARLISLE: Yeah, what about physical security?

JOHN DAY: Perhaps we should use handcuffs like Maxwell Smart?

T_LINDSEY: Maybe chain the laptop to a large cinder block like a gas station restroom key.

TLSNC: Or we could lock it to their arm.

JCARLISLE: Could always just glue them to the desk.

JOHN DAY: I see we all appreciate the traveling executive.

T_LINDSEY: Appreciate isn’t the right word.

T_LINDSEY: Isn’t there some retina or voice recognition locks for systems?

JOHN DAY: Yes, there are retina scans, and thumbprints are popular but expensive.

T_LINDSEY: I saw the retina scan technology in a Tiger direct catalog. I also saw the voice recognition equipment there too. Kensington makes a cable lock for laptops. It reminds me of a modified bike lock.

JOHN DAY: Yes, there are several locking devices, but most are related to strapping them to a desk, which kind of defeats a laptop’s purpose. There are basic security guidelines to follow like using BIOS passwords, utilizing IBM’s disk lock utility on their laptops, and not walking around with a “Compaq” case but putting it in carry-on luggage.

T_LINDSEY: Personally, I have yet to see this disk lock utility, and I work for an IBM partner.

TLSNC: Are they commercial yet or still trials?

JOHN DAY: Sorry T-lindsey I haven’t seen it either, but IBM has it on the security portal site as a feature of their product. I never buy IBM, so I’m relying on their press release. It isn’t that IBM isn’t great, but it takes so long to get the product and parts. I guess if you’re good you’re in demand.

T_LINDSEY: Agreed on the time thing. Takes me about 2 to 4 weeks to get a laptop.

TLSNC: T_lindsey, what kind of pull do you have to get them that soon? We have waited 6 weeks on some orders.

T_LINDSEY: I’ve got a good relationship with our distributors. We get on pretty good.

TLSNC: John, what models of IBM have the disk lock utility?

JOHN DAY: Tlsnc, I’m not an IBM heavy, so I’m not sure about that, but their press release says “ThinkPads,” which basically covers the whole range.

JECASSERLY: Sure sounds that way.

T_LINDSEY: It may be a software / bios level / utility? I haven’t seen it on any of the latest and greatest ones.

T_LINDSEY: I’ll have to look into that IBM utility.

Scram disk
TLSNC: Where do you get Scram disk?

JOHN DAY: PGP disk is $30 to $80, depending on user count. Bestcrypt is $90 and Scram disk is free. I have URLs if you guys weren’t so fast with the questions.

T_LINDSEY: So what’s the URL for Scram disk?

JOHN DAY: T_Lindsey, security portal suggests that the whole range is covered. See http://securityportal.com/closet/closet20000223.html. You can get more information about Scram disk at http://www.scramdisk.clara.net.

User privacy
T_LINDSEY: As administrators, would you think that a key escrow would be in order for users using PGP or such?

JOHN DAY: I think that would be very in order; in fact, I would demand it.

T_LINDSEY: Hmmm, the admin side of me agrees with you, but the privacy fanatic side of me disagrees.

JOHN DAY: You never know when someone might be asked to leave without notice.

T_LINDSEY: Or someone could just bail with a bad attitude.

JOHN DAY: That can happen too. There are many reasons.

JOHN DAY: Laptops are business machines, so user privacy may take a backseat here.

T_LINDSEY: Yeah, our company/user privacy line is pretty lax. I probably should tighten it a bit.

JOHN DAY: I’d suggest that you tighten it only as needed. I stand by users’ rights to a point.

Hard drive restore
TLSNC: John, what happens if the hard drive dies and we have to restore a backup? Can the same ID and password be set up on the new HD?

JOHN DAY: With hard drive restore, you need to know the password so that is why I believe admins need the password.

JECASSERLY: Exactly.

JOHN DAY: Yes, they have to be to enable access to the restored data. You can restore encrypted data, but you need the id and password to open it.

T_LINDSEY: That’s one reason that I always suggest to users to save stuff to the network drive. It’s always backed up and always there.

JOHN DAY: Network drives have a place and are often misused or under used.

TLSNC: Now that one has my vote all the time!

Other means of protection
T_LINDSEY: So basically, the only protection for a laptop is encryption.

JOHN DAY: That is the best protection, but some is better than none. Make it a practice to use BIOS/startup passwords, hide the thing in a briefcase instead of a Compaq or IBM carry case, etc.

T_LINDSEY: Hey, what about pulling the hard drive?

JOHN DAY: Pulling the hard drive is the first step a hacker takes to see if the drive can be accessed from another machine, bypasses BIOS and user id and password in the OS.

TLSNC: John, I like the backpacks on wheels myself.

T_LINDSEY: Great, now my laptop can get carjacked.

TLSNC: Unless of course someone sees you putting it away after working on it in the airport.

T_LINDSEY: So I get pick pocketed instead.

JECASSERLY: My neighbor had one stolen from her car.

T_LINDSEY: I fear the car thing all the time. If it’s in my car, it’s in the trunk. How about a proximity detector wired to some c4?

TLSNC: How about holding the user responsible?

JOHN DAY: Let the user be responsible? What IT department do you work for? I want to join.

TLSNC: They have to “sign their life away” when the laptop is issued.

JOHN DAY: Public humiliation is the only tool I’ve had at my disposal to stop “less educated” users.

T_LINDSEY: Humiliation is always nice, especially in a group.

JOHN DAY: Ah, T_Lindsey, e-mail is a great humiliation tool

PPG versus Scram disk
T_LINDSEY: Between PGP disk and Scram disk, what do you choose?

JOHN DAY: PGP disk is more popular, and support is probably better since it is a pay product.

T_LINDSEY: Is Scram disk open sourced?

JOHN DAY: Yes, Scram disk is open sourced.

New encryption technology
TLSNC: What do you see in the future for encryption utilities? Is there anything new in the works?

JOHN DAY: Windows 2000 uses some new tools that may enhance encryption options.

Thanks for coming
MODERATOR: Okay gang. Thanks to everyone for attending this evening. Thank you, John Day for leading us through this informative, if not entertaining, Guild Meeting.

T_LINDSEY: Thanks John. I enjoyed the chat.

MODERATOR: Thanks to everyone. Guild Meeting adjourned.
Our Guild Meetings feature top-flight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.