Computer security


Evan

This thread http://www.frequentflyer.com.au/com...-your-legal-rights-re-15538-3.html#post207945
got me thinking about what people do to protect their data.

If anybody is wondering the lengths I have been known to go to, I have my hard disk encrypted: you enter a password to boot to the normal 'public' or 'decoy' OS and you enter a different password to boot to a completely hidden OS.
Volumes can be protected by 3 cascading encryption algorithms, e.g. AES, Twofish, and Serpent. The chances of all 3 algorithms being compromised are, I would say, rather slim.
Generally, however, I think it's OK just to use an AES 256-bit key for most jobs :)

E
 
This thread http://www.frequentflyer.com.au/com...-your-legal-rights-re-15538-3.html#post207945
got me thinking about what people do to protect their data.

If anybody is wondering the lengths I have been known to go to, I have my hard disk encrypted: you enter a password to boot to the normal 'public' or 'decoy' OS and you enter a different password to boot to a completely hidden OS.
Volumes can be protected by 3 cascading encryption algorithms, e.g. AES, Twofish, and Serpent. The chances of all 3 algorithms being compromised are, I would say, rather slim.
Generally, however, I think it's OK just to use an AES 256-bit key for most jobs :)

E
If only I had some idea of what you are talking about :oops: :confused:
 
Provided you have plausible deniability you might get away with it.

I wouldn't see the possibility of the encryption being broken as the main problem. If the type of people who have the resources to devote to breaking the encryption take an interest then I think you have other problems (checked your home for listening devices lately, confident your mobile phone calls aren't being intercepted at the switching centres, etc.?).

The presence of encrypted file systems is generally very obvious and under Australian law you may be compelled by court order to assist with data recovery. Of course in some other countries torture or "rigorous interrogation" may also be used to assist the process.

So, by using multiple levels of encryption you may be able to reveal the encrypted info you don't care too much about and plausibly deny the existence of the info you are concerned for.

Richard.
 

I have no encryption on my laptop other than the normal Windows "security" :shock:

My way to protect my data that may be dubious (i.e. downloaded TV shows shhh) is to put it on a USB and put that in my pocket.

I have no information on my machine that I would have a concern with a foreign government official reading/viewing.
 
I have never bothered to encrypt my hard drive. As far as I am aware there is nothing on my laptop that would incriminate me and while I do have some personal information, i.e. Excel spreadsheets, stored on the laptop it would not be useful to anyone reading it.
 
Provided you have plausible deniability you might get away with it.
<..>
So, by using multiple levels of encryption you may be able to reveal the encrypted info you don't care too much about and plausibly deny the existence of the info you are concerned for.

Richard.

That's the hope; I use each OS each day, most days. I am reasonably sure I have some plausible deniability.
I don't worry about phone calls etc.; I don't have anything confidential to say.

And to be honest, these days I deal with boring accounting systems so I have nothing to hide; just old habits die hard. I am already forbidden to work in some countries due to some knowledge I no longer remember :D so I have to be careful where I visit... I think the list runs to about 6 or 7 where I can't work; I can visit, but I am sure if I turn up to the USA with a stamp from one of those countries they will be getting the latex gloves out!

The company I work for now has (or had until about 3 weeks ago) a policy that all notebooks have encryption; I think it's a good idea.

It is not so much a worry about governments having access but rather a system being stolen and falling into a competitor's hands. Some of our engineers have so much information on notebooks since the move of a lot of our CAD to Windows-based systems that it is scary.

E
 
Some of our engineers have so much information on notebooks since the move of a lot of our CAD to Windows-based systems that it is scary.

Which is why wherever possible we encourage our overseas travellers to get a new/sanitised HDD installed and new o/s built for the trip. Encryption is still required but the risks are less.

Problems arise for non-windoze operating systems as there are no approved full-disk encryption products available. Generally best to remove the internal HDD from the laptop and rely on physical protection of an external USB drive.

And of course, never trust a computer that's returned from an overseas trip - even if the user thinks it's been in their possession at all times. Sanitise the disk and start again.

Richard.
 
And of course, never trust a computer that's returned from an overseas trip - even if the user thinks it's been in their possession at all times. Sanitise the disk and start again.

Richard.

Wow, that's some serious paranoia. Which appears to be becoming more common.
Interestingly, with the change in the 'policy' of some countries w.r.t. laptop inspections, our IT guys are starting to worry less about 'evil 3rd parties' and more about overzealous "thou shall reveal the password" customs officials. I predict that VPNs will become de rigueur for all work in future - all storage will remain on company servers.
Either that or employees will learn to smuggle USB sticks - "Johnny Mnemonic" anyone?

mt
 
Wow, that's some serious paranoia. Which appears to be becoming more common.
Interestingly, with the change in the 'policy' of some countries w.r.t. laptop inspections, our IT guys are starting to worry less about 'evil 3rd parties' and more about overzealous "thou shall reveal the password" customs officials. I predict that VPNs will become de rigueur for all work in future - all storage will remain on company servers.
Either that or employees will learn to smuggle USB sticks - "Johnny Mnemonic" anyone?

mt

Customs officials can be a problem. Sometimes one has to resort to sending via DFAT diplomatic bag or getting a laissez-passer but that becomes rather inflexible.

Paranoia? Yep, but I get paid to be paranoid.

Richard.
 
We already use VPNs. No data should be stored on the local workstation unless really needed, but you know how it is. (I am sure they are looking closely at the netbook style notebooks with just a smallish SSD for office workers but you can forget that for anybody using the engineering products of diagnostics software.)

We also disallow access to the internet from notebooks (systems report back to an internet gateway and you get sent a message saying you must only access the internet via VPN; of course this is easy to get around, but for the majority of users with no admin rights it is enough to be annoying).
So you can get to the hotel log-in page, for example, but as soon as you have direct net access you will be blocked.
Just little things like also having the VPN login check for an active and up-to-date virus scanner before allowing a connection.


Serious paranoia??? I don't think so; I think it's a decent practical level of security.

Sure the applications guys our internal security zones meaning that they need to know how exactly their application talks to other applications in other security zones or how users talk to.

I have heard at some time ago security setups described as ...
- Hard on the outside and soft in the middle
- Firm all the way through

The latter being the best design: multi-level security, starting from the host level... only encrypted connections, authentication and authorization, logging of actions. Moving to the next layer, where some sort of LAN security should be deployed, like secure subnets with port blocking etc. and traffic monitoring. Segregation of networks through virus walls and gateways, e.g. production networks do not have unlimited access to office networks.
And then the workstation side: possibly personal-type firewalls (not used by our organization but used by some large ones I have worked for) and virus scanning, OS updates etc., file and email encryption, VoIP encryption.
Finally external security: VPNs, firewalls that are maintained by a dedicated skilled worldwide team, user training on how to avoid phishing attacks etc.

I am not by any means a security expert but appreciate what is required in so much as to how it relates to my job. And yes, I still use products like Skype on my internet appliance, for example; if it's only personal calls I am not going to be too worried about the chances of being intercepted. You just have to be aware of the possibilities.

E
 
I'm not sure what work's position is on staff travelling with work laptops - though I'll probably find out later in the year.

As for travelling with my own laptop; a couple days before the trip I move anything personal that I don't absolutely need access to to an external hard drive and leave it at home. If I'm feeling truly paranoid, I'll move everything off the internal hard drive, securely wipe it and install everything from scratch (I don't generally hate myself enough to go to that length).
 