Velocity Reviews - Computer Hardware Reviews


Protecting the Operating System

 
 
Ricardo
 
      09-24-2006
Hello,
I have just come to the conclusion that the only way to protect the machine
with free physical access to unauthorized personnel is... to encrypt it.
Unfortunately it seems that this can be done only by DriveCrypt
software, which costs a lot. It's wonderful stuff indeed, allowing one to encrypt
the drive with an authentication feature at the pre-boot level! The encryption
seems to be the excellent AES-256 algorithm. Its only drawback (except for the price)
is that it doesn't see Linux partitions (not to mention that it doesn't run
on Linux), which makes them liable to potential attack. It looks like for now
only the Windows operating system may be securely locked, unless you run Linux
as a VMware guest system on the DriveCrypted Windows host. I wonder what
your experiences are with respect to securing a standalone box with
uncontrolled physical access, like at the University (my case).
P.S. Have just noticed free stuff called CompuSec PC Security Suite, which
seems both Windows and Linux compatible, though as compared to DriveCrypt it
uses the weaker encryption algorithm AES-128 and looks like it is much slower. I
cannot wait to hear your comments.
Kindest regards,
--
Ricardo


 
Vanguard
 
      09-25-2006
"Ricardo" <(E-Mail Removed)> wrote in message
news:c6eac$4516d82a$57cf8a7f$(E-Mail Removed). ..
> Hello,
> I have just come to the conclusion that the only way to protect the machine
> with free physical access to unauthorized personnel is... to encrypt it.
> Unfortunately it seems that this can be done only by DriveCrypt
> software, which costs a lot. It's wonderful stuff indeed, allowing one to encrypt
> the drive with an authentication feature at the pre-boot level! The encryption
> seems to be the excellent AES-256 algorithm. Its only drawback (except for the price)
> is that it doesn't see Linux partitions (not to mention that it doesn't run
> on Linux), which makes them liable to potential attack. It looks like for now
> only the Windows operating system may be securely locked, unless you run Linux
> as a VMware guest system on the DriveCrypted Windows host. I wonder what
> your experiences are with respect to securing a standalone box with
> uncontrolled physical access, like at the University (my case).
> P.S. Have just noticed free stuff called CompuSec PC Security Suite, which
> seems both Windows and Linux compatible, though as compared to DriveCrypt it
> uses the weaker encryption algorithm AES-128 and looks like it is much slower. I
> cannot wait to hear your comments.
> Kindest regards,
> --
> Ricardo



Explain how encrypting your hard drive using an MBR bootstrap program
replacement will protect the OS and any files. It doesn't. The
purpose of boot-time encryption is to prevent someone from *stealing*
the information from the hard drive. Once you boot past the
encryption authentication, obviously the OS must be usable to the user
which means files can be written. Once you're in, you're in and can
modify the files. The purpose is not to let in a thief in the first
place.

 
nemo_outis
 
      09-25-2006
"Ricardo" <(E-Mail Removed)> wrote in
news:c6eac$4516d82a$57cf8a7f$(E-Mail Removed):

> Hello,
> I have just come to the conclusion that the only way to protect the
> machine with free physical access to unauthorized personnel is... to
> encrypt it. Unfortunately it seems that this can be done only by
> DriveCrypt software, which costs a lot. It's wonderful stuff
> indeed, allowing one to encrypt the drive with an authentication feature at
> the pre-boot level! The encryption seems to be the excellent AES-256 algorithm.
> Its only drawback (except for the price) is that it doesn't see Linux
> partitions (not to mention that it doesn't run on Linux), which makes
> them liable to potential attack. It looks like for now only the Windows
> operating system may be securely locked, unless you run Linux as a
> VMware guest system on the DriveCrypted Windows host. I wonder what
> your experiences are with respect to securing a standalone box with
> uncontrolled physical access, like at the University (my case).
> P.S. Have just noticed free stuff called CompuSec PC Security Suite,
> which seems both Windows and Linux compatible, though as compared to
> DriveCrypt it uses the weaker encryption algorithm AES-128 and looks like
> it is much slower. I cannot wait to hear your comments.
> Kindest regards,



Free Compusec works fine and is not discernibly slower than any other full
HD OTFE encryption product (the hit from any of them is negligible on a
fast machine).

I wouldn't worry about AES-128, it's more than strong enough. In fact, it
is rare for a user to have a password/passphrase that comes anywhere close
to 128-bit equivalence - the password, not the encryption, is usually the
weakest link.

Regards,

 
Saqib Ali
 
      09-25-2006
Ricardo,

There are a dozen or so full/whole disc encryption solutions available
with a pre-boot authentication option. See the URL below for a list:

http://www.full-disc-encryption.com/...ncryption.html

I use CompuSec. It is free and has support for Linux. It has pre-boot
authentication and has a built-in credential manager. One thing that is
missing is support for Trusted Platform Module (TPM). TPM can make the key
recovery possible and simplify single sign on.

You might also want to take a look at hardware based Full Disc
Encryption. There are few vendors that provide that. The above URL
lists a few. Hardware based FDE works regardless of the OS you are
using.

If you are using a notebook, Ce-Infosys has a PCMCIA card, or Seagate
Technology will soon have an FDE HDD for notebooks:
http://www.seagate.com/docs/pdf/mark...400_fde_bb.pdf

Also check out the Wikipedia article about Full Disc Encryption:
http://en.wikipedia.org/wiki/FDE
It talks about "Full disk encryption vs. file or directory encryption"

P.S. If you have any feedback about DriveCrypt, please do send it to
me. I am looking to buy that product as well.


Ricardo wrote:
> Hello,
> I have just come to the conclusion that the only way to protect the machine
> with free physical access to unauthorized personnel is... to encrypt it.
> Unfortunately it seems that this can be done only by DriveCrypt
> software, which costs a lot. It's wonderful stuff indeed, allowing one to encrypt
> the drive with an authentication feature at the pre-boot level! The encryption
> seems to be the excellent AES-256 algorithm. Its only drawback (except for the price)
> is that it doesn't see Linux partitions (not to mention that it doesn't run
> on Linux), which makes them liable to potential attack. It looks like for now
> only the Windows operating system may be securely locked, unless you run Linux
> as a VMware guest system on the DriveCrypted Windows host. I wonder what
> your experiences are with respect to securing a standalone box with
> uncontrolled physical access, like at the University (my case).
> P.S. Have just noticed free stuff called CompuSec PC Security Suite, which
> seems both Windows and Linux compatible, though as compared to DriveCrypt it
> uses the weaker encryption algorithm AES-128 and looks like it is much slower. I
> cannot wait to hear your comments.
> Kindest regards,
> --
> Ricardo


 
Anonyma
 
      09-25-2006
Vanguard wrote:

> Explain how encrypting your hard drive using an MBR bootstrap program
> replacement will protect the OS and any files. It doesn't. The


Sure it does. By encrypting them.

> purpose of boot-time encryption is to prevent someone from *stealing*
> the information from the hard drive. Once you boot past the
> encryption authentication, obviously the OS must be usable to the user


Where in the poster's question did you see anything that would indicate
he was wanting to do anything else? In fact the notable mention of wide
open physical access more or less tells us he's trying to secure a
machine that might be stolen or tampered with while he's not around,
and the machine is off.

> which means files can be written. Once you're in, you're in and can
> modify the files. The purpose is not to let in a thief in the first
> place.


Yeah. That's the whole idea behind whole disk encryption. To keep
people with physical access from "getting in in the first place". And
it's the best protection there is in this scenario.

 
Ricardo
 
      09-25-2006
"Ricardo" <(E-Mail Removed)> wrote in message
news:c6eac$4516d82a$57cf8a7f$(E-Mail Removed). ..
> ...

Thank you guys so much for your comments. They will help a lot.
Kindest regards,
Ricardo


 
Vanguard
 
      09-26-2006
"Anonyma" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Vanguard wrote:
>
>> Explain how encrypting your hard drive using an MBR bootstrap program
>> replacement will protect the OS and any files. It doesn't. The
>
> Sure it does. By encrypting them.
>
>> purpose of boot-time encryption is to prevent someone from *stealing*
>> the information from the hard drive. Once you boot past the
>> encryption authentication, obviously the OS must be usable to the user
>
> Where in the poster's question did you see anything that would indicate
> he was wanting to do anything else? In fact the notable mention of wide
> open physical access more or less tells us he's trying to secure a
> machine that might be stolen or tampered with while he's not around,
> and the machine is off.
>
>> which means files can be written. Once you're in, you're in and can
>> modify the files. The purpose is not to let in a thief in the first
>> place.
>
> Yeah. That's the whole idea behind whole disk encryption. To keep
> people with physical access from "getting in in the first place". And
> it's the best protection there is in this scenario.



The subject says the OP is trying to protect the operating system.
Excuse me, but why does the OP care since anyone can purchase or
obtain a copy of the OS? I read "free physical access to unauthorized
personnel" meaning the malcontents actually have *access* to the OS or
data files, not simply that they can manage to leave a fingerprint on
the case. The OP could use a BIOS password and padlock the case (to
protect the BIOS settings, and some laptops don't even need to protect
against physical entry) if that's all he wanted to do to restrict
physical access *inside* the box (and not preventing intrusion means
I can get around your encryption by altering the hardware inside by
letting it read the unencrypted data after the cold file system has
been decrypted after boot).

It doesn't sound like the OP was particularly concerned about losing
his laptop/desktop when travelling but protecting his *data* wherever
he happens to leave the computer lying around. Well, why couldn't
someone then load their own MBR bootstrap program that moves out the
original one (used for security)? That is, they simply chain the
original bootstrap program onto their own (by, perhaps, moving the
original MBR bootstrap program into the rest of the unused first
track). While the malware that runs under the OS can't get at the
bootstrap password to decrypt the hard drive, the replacement MBR
bootstrap can. If you want real security, you need to have it BEFORE
you or the BIOS even touch the hard drive (or any other drive or
storage device). Does CompuSec or DriveCrypt protect against the MBR
bootstrap area getting usurped (just like they usurped it) and getting
chained so the authentication used for decryption cannot be captured?
Obviously if physical access isn't restricted then something could
be installed inside the box that runs even before the MBR bootstrap
program gets loaded.

There is no point in protecting the OS from theft as it is readily
available elsewhere. There is no point in protecting the applications
(unless they are your projects). Both can be readily obtained
elsewhere than from your piddly laptop so encrypting them is just
stupid because it is a waste of performance. If the OP really means
that they want to hide their data by encrypting it, then TrueCrypt
would be sufficient, and it's free. Why incur the performance penalty
of decryption on the OS when it's just the data files that need to be
protected? Plus you're not screwed over by the security product
usurping the MBR bootstrap program that perhaps you would like to use
for a multiboot manager. As I recall, Safeboot was the only one that
would chain the original MBR bootstrap program after it usurped that
spot while all the others simply step atop the MBR bootstrap area.

 
TwistyCreek
 
      09-26-2006
Vanguard wrote:

> "Anonyma" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Vanguard wrote:
> >
> >> Explain how encrypting your hard drive using an MBR bootstrap program
> >> replacement will protect the OS and any files. It doesn't. The
> >
> > Sure it does. By encrypting them.
> >
> >> purpose of boot-time encryption is to prevent someone from *stealing*
> >> the information from the hard drive. Once you boot past the
> >> encryption authentication, obviously the OS must be usable to the user
> >
> > Where in the poster's question did you see anything that would indicate
> > he was wanting to do anything else? In fact the notable mention of wide
> > open physical access more or less tells us he's trying to secure a
> > machine that might be stolen or tampered with while he's not around,
> > and the machine is off.
> >
> >> which means files can be written. Once you're in, you're in and can
> >> modify the files. The purpose is not to let in a thief in the first
> >> place.
> >
> > Yeah. That's the whole idea behind whole disk encryption. To keep
> > people with physical access from "getting in in the first place". And
> > it's the best protection there is in this scenario.
>
> The subject says the OP is trying to protect the operating system.
> Excuse me, but why does the OP care since anyone can purchase or
> obtain a copy of the OS?


Why would you believe "stealing" the operating system is the only
threat? A far more likely scenario is wanting to keep people from
tampering with the copy you have installed. A good way to do that is to
prevent anyone from accessing it when nobody is around. Make it
impossible to even boot the machine, or access the drive with the OS on
it. Whole disk encryption is the best way to do that.

> I read "free physical access to unauthorized
> personnel" meaning the malcontents actually have *access* to the OS or
> data files,


Then you're misreading things or assuming way too much. Physical access
means just that. They have the ability to lay hands on the equipment.
It doesn't mean a single thing about access to data, you're just
assuming the equipment is left on 24/7.

> It doesn't sound like the OP was particularly concerned about losing
> his laptop/desktop when travelling but protecting his *data* wherever


Yes. And encrypting it is the best way to do that outside a hardened
bunker and armed guards. In many ways it's more secure than even that.

> he happens to leave the computer lying around. Well, why couldn't
> someone then load their own MBR bootstrap program that moves out the
> original one (used for security)? That is, they simply chain the


Because the whole disk is encrypted. Replacing the MBR just makes the
whole drive inaccessible even *with* proper authentication.

Did you really believe that whole disk encryption could be circumvented
by swapping MBRs, or maybe booting from another device??

Wow...




















 
Sebastian Gottschalk
 
      09-26-2006
Anonyma wrote:

> Vanguard wrote:
>
>> Explain how encrypting your hard drive using an MBR bootstrap program
>> replacement will protect the OS and any files. It doesn't. The

>
> Sure it does. By encrypting them.


No, it doesn't. I can simply overwrite the hard drive with garbage and all
files are gone.

>> purpose of boot-time encryption is to prevent someone from *stealing*
>> the information from the hard drive. Once you boot past the
>> encryption authentication, obviously the OS must be usable to the user

>
> Where in the poster's question did you see anything that would indicate
> he was wanting to do anything else? In fact the notable mention of wide
> open physical access more or less tells us he's trying to secure a
> machine that might be stolen or tampered with while he's not around,
> and the machine is off.


A non-tamper-resistant machine is trivially tampered with to reveal everything.
The simplest and most obvious method is to modify the bootloader to store
the entered key in addition to its normal functions - that's why you
should keep it on separate media. Then, ranging from modifying the BIOS
(pretty easy) to reading data directly from RAM (FireWire, PCI, PCMCIA) and
keyloggers (put between your keyboard and the keyboard connector) up to
directly updating the CPU's microcode, everything else will be successful.

>> which means files can be written. Once you're in, you're in and can
>> modify the files. The purpose is not to let in a thief in the first
>> place.

>
> Yeah. That's the whole idea behind whole disk encryption. To keep
> people with physical access from "getting in in the first place". And
> it's the best protection there is in this scenario.


Besides that, what exactly would someone try if the OS boots without
intervention to a login screen where the password is unknown? I can't see how
someone should be able to write files at this point.
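
A defender's check for the bootstrap tampering that Vanguard and Sebastian Gottschalk describe above, added here as an example and not part of any post in the thread: it fingerprints the MBR boot code, the partition table and the sectors between the MBR and the first partition, then reports which regions differ from a baseline. The sample disk image, its fill bytes and all function names are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445 of sector 0: bootstrap code
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE_OFF = 510      # boot signature 0x55 0xAA


def first_partition_lba(mbr: bytes) -> int:
    """Lowest starting LBA among the used MBR partition entries."""
    starts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        lba = struct.unpack_from("<I", entry, 8)[0]
        if entry[4] != 0 and lba != 0:      # byte 4 is the partition type
            starts.append(lba)
    if not starts:
        raise ValueError("no used partition entries")
    return min(starts)


def fingerprint(image: bytes) -> dict:
    """SHA-256 of each pre-partition region that could be rewritten."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    gap_end = first_partition_lba(mbr) * SECTOR
    if len(image) < gap_end:
        raise ValueError("image ends before the first partition")
    digest = lambda b: hashlib.sha256(b).hexdigest()
    return {
        "boot_code": digest(mbr[:BOOT_CODE_LEN]),
        "partition_table": digest(mbr[PART_TABLE_OFF:SIGNATURE_OFF]),
        # "rest of the first track": sectors between the MBR and partition 1
        "first_track_gap": digest(image[SECTOR:gap_end]),
    }


def changed_regions(baseline: dict, current: dict) -> list:
    """Names of regions whose hash no longer matches the baseline."""
    return sorted(k for k in baseline if baseline[k] != current.get(k))


def build_sample_image(boot_fill: int = 0x11, spare_fill: int = 0x00) -> bytes:
    """Constructed 64-sector image: filler bytes stand in for real code."""
    entry = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), 63, 2048)
    mbr = bytes([boot_fill]) * BOOT_CODE_LEN + entry + bytes(48) + b"\x55\xaa"
    gap = bytes([0x22]) * (60 * SECTOR) + bytes([spare_fill]) * (2 * SECTOR)
    return mbr + gap + bytes(SECTOR)


if __name__ == "__main__":
    baseline = fingerprint(build_sample_image())
    # Simulated tampering: new boot code, previously empty gap sectors in use.
    later = fingerprint(build_sample_image(boot_fill=0x33, spare_fill=0x44))
    print(changed_regions(baseline, later))
```

The comparison only means something if the baseline is stored off the machine and the check is run from boot media that was not left with the machine. It does not cover BIOS changes, DMA access or hardware keyloggers.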
 
Nomen Nescio
 
      09-26-2006
Sebastian Gottschalk wrote:

> Anonyma wrote:
>
> > Vanguard wrote:
> >
> >> Explain how encrypting your hard drive using an MBR bootstrap program
> >> replacement will protect the OS and any files. It doesn't. The

> >
> > Sure it does. By encrypting them.

>
> No, it doesn't. I can simply overwrite the hard drive with garbage and all
> files are gone.


What a meaningless drivel of semantic idiocy... "a watermelon can't fly
an airplane so it's no good for painting your house...".

Oh, and you're replying to posters you've claimed to have killfiled
again ya' pathetic loser.

<rest snipped unread>
 