| Thread ID: 137020 | 2014-05-14 03:14:00 | How to protect your PC with Encryption. | kingdragonfly (309) | Press F1 |
| Post ID | Timestamp | User |
| 1374946 | 2014-05-14 03:14:00 | kingdragonfly (309) |

I know most people don't care if someone reads every file on your PC: "if you've got nothing to hide, then you shouldn't be worried..." However, even individuals like ex-President Jimmy Carter, noted peace activist, try to avoid surveillance.

Note the following is for stand-alone systems. An enterprise solution, protecting many PCs with centralized management, is outside the scope. I assume you are working from home / "on the road".

*************************************
Tip 1 - full disk encryption
*************************************

Use stand-alone full disk encryption, to encrypt everything on your hard drive. Full disk encryption, abbreviated FDE, will protect all your contents, including the memory page file, temporary work files, Internet history, hibernation files, everything... In a good stand-alone system, if you lose your password, no one can recover your hard disk.

By the way, you can back up encrypted hard drives by using any number of disk image tools that can create a raw sector-by-sector disk clone. "Acronis Backup & Recovery" is popular: kb.acronis.com/content/1543

*************************************
Tip 2 - avoid BitLocker, use TrueCrypt
*************************************

Do not use Microsoft's BitLocker. Even if you try to "opt out", Microsoft REALLY wants you to store your keys in a hidden central location, out of your control. Given half a chance, it'll copy them elsewhere.

You should strongly consider using TrueCrypt, which is open-source. TrueCrypt's shortcoming is there's no two-form authentication (see YubiKey note above).

*************************************
Tip 3 - disable hibernation
*************************************

Disable hibernation / sleep on your PC. Always power off your PC when you're not using it.

Example: www.moonsols.com/windows-memory-toolkit/
See support.microsoft.com/kb/920730

*************************************
Tip 4 - do NOT use solid state drives
*************************************

Don't use SSD / solid state drives with TrueCrypt encryption. Use the "old-fashioned" / cheaper hard drives. If you use SSD, please realize that the FDE feature is actually riskier than software-based encryption. Most attack vectors still exist for FDE, plus there's an additional attack vector, the "hot plug attack".

www.truecrypt.org/docs/wear-leveling
www1.informatik.uni-erlangen.de/filepool/projects/sed/seds-at-risks.pdf

*************************************
Tip 5 - two form authentication
*************************************

Let me digress a moment and discuss "two form authentication". Think about using an ATM machine. To get cash, you'll need your ATM card, and know your PIN. For PCs, "two form authentication" is often a password and a smart card / USB token.

For most, a password is sufficient. The next level up is pseudo-two form authentication, which protects against most attacks, except for the most extreme: www.yubico.com/applications/disk-encryption/disk-encryption-truecrypt/

And then for the "I'm Edward Snowden" level, you need true two-form pre-boot authentication. For a "serious geeks only" solution, you'll need Ubuntu and supported hardware: www.opensc-project.org/opensc/wiki/SupportedHardware

Lastly there's a commercial product called WinMagic "SecureDoc Standalone". It's supposed to work standalone with tokens and smart-card readers. By the way, Aladdin tokens are easily available and inexpensive. It's not open-source, so that's a problem.
www.winmagic.com/products/full-disk-encryption-for-windows
www.winmagic.com/3rd-party-technology-integrations?manufacturer=-&type=Token

*************************************
Tip 6 - Do NOT use these
*************************************

Avoid these technologies:
- Microsoft's BitLocker
- SED: "self-encrypting drives"
- TPM: "Trusted Platform Module"
- TCG: "Trusted Computing Group"

*************************************
Tip 7 - disable FireWire
*************************************

This one's easy to fix, because disabling it is almost never noticed. FireWire is an Apple technology that you'll find on some PCs. It's rarely used, and USB 3 is likely to eliminate it completely. Since it's rarely used, have a technician disable your FireWire ports, if they exist, through the BIOS. It also needs to be disabled in Windows.

Example: www.breaknenter.org/projects/inception/
support.microsoft.com/kb/2516445

*************************************

Here are some background articles:
www.mcbsys.com/techblog/2010/08/how-secure-are-truecrypt-and-bitlocker/
ctogonewild.com/2009/08/28/10-things-you-dont-want-to-know-about-bitlocker/
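The wear-leveling argument in Tip 4 is easier to see in code than in prose. The following is an added example written for this thread, not code from the original post, from TrueCrypt, or from any SSD vendor. It simulates a minimal log-structured flash translation layer (FTL) of the kind wear-leveling firmware uses: a logical sector is never overwritten in place, so when an FDE tool re-encrypts its volume header after a password change, the page holding the header encrypted under the old password stays on the raw flash. The "volume header", the PBKDF2 parameters, the `TRUE` marker and the SHA-256 counter-mode keystream are all toy stand-ins chosen so the example runs offline; they are not TrueCrypt's actual format or cipher. A conventional in-place disk is modelled alongside for contrast.

```python
"""Toy FTL simulation: why a password change on an SSD can leave the old header recoverable.

Constructed example, not code from the original post or from TrueCrypt.
"""
import hashlib
import os

PAGE_SIZE = 64   # bytes per page (real NAND pages are 4-16 KiB; 64 keeps the demo small)
NUM_PAGES = 16
MAGIC = b"TRUE"  # toy cleartext marker that tells us a header decrypted correctly
SALT_LEN = 16


class WearLevelingDisk:
    """Log-structured FTL: every write of a logical sector goes to a fresh physical page."""

    def __init__(self, pages=NUM_PAGES):
        self.flash = [None] * pages   # raw physical pages
        self.l2p = {}                 # logical sector number -> physical page number
        self.next_free = 0

    def write(self, lsn, data):
        assert len(data) == PAGE_SIZE
        if self.next_free >= len(self.flash):
            raise RuntimeError("no free pages (garbage collection not modelled)")
        ppn = self.next_free
        self.flash[ppn] = data
        self.l2p[lsn] = ppn           # the previous physical page for lsn is left intact
        self.next_free += 1
        return ppn

    def read(self, lsn):
        return self.flash[self.l2p[lsn]]

    def raw_pages(self):
        """What an examiner sees by reading the NAND directly, bypassing the FTL."""
        return [p for p in self.flash if p is not None]


class InPlaceDisk:
    """Conventional magnetic disk: a sector is overwritten where it lives."""

    def __init__(self, pages=NUM_PAGES):
        self.flash = [None] * pages

    def write(self, lsn, data):
        assert len(data) == PAGE_SIZE
        self.flash[lsn] = data
        return lsn

    def read(self, lsn):
        return self.flash[lsn]

    def raw_pages(self):
        return [p for p in self.flash if p is not None]


def derive_key(password, salt):
    # Toy KDF parameters (assumption for the demo, not TrueCrypt's real ones).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 2000, dklen=32)


def keystream(key, n):
    # SHA-256 in counter mode, a stand-in for the volume cipher so the demo has no deps.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_header(password, master_key, salt=None):
    """salt || Enc_KDF(password,salt)(MAGIC || master_key || padding), one page long."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    body = (MAGIC + master_key).ljust(PAGE_SIZE - SALT_LEN, b"\0")
    return salt + xor(body, keystream(derive_key(password, salt), len(body)))


def open_header(password, page):
    """Return the master key if the password decrypts this page, else None."""
    salt, ct = page[:SALT_LEN], page[SALT_LEN:]
    body = xor(ct, keystream(derive_key(password, salt), len(ct)))
    return body[4:36] if body[:4] == MAGIC else None


def change_password(disk, old_pw, new_pw, header_lsn=0):
    """Re-encrypt the header under the new password; the master key (and data) are unchanged."""
    master_key = open_header(old_pw, disk.read(header_lsn))
    assert master_key is not None, "old password does not open the header"
    disk.write(header_lsn, make_header(new_pw, master_key))


def recover_master_keys(disk, password):
    """Forensic scan: try the password against every raw physical page, not just the live one."""
    found = []
    for page in disk.raw_pages():
        mk = open_header(password, page)
        if mk is not None:
            found.append(mk)
    return found


def stale_header_leak(disk_cls, old_pw=b"old-password", new_pw=b"new-password"):
    """Returns (old password still recovers the master key, new password opens the live header)."""
    disk = disk_cls()
    master_key = os.urandom(32)
    disk.write(0, make_header(old_pw, master_key))
    change_password(disk, old_pw, new_pw)
    leaks_old = recover_master_keys(disk, old_pw) == [master_key]
    live_ok = open_header(new_pw, disk.read(0)) == master_key
    return leaks_old, live_ok


if __name__ == "__main__":
    for cls in (WearLevelingDisk, InPlaceDisk):
        leaks, ok = stale_header_leak(cls)
        print(f"{cls.__name__:18s} new password works: {ok}  old password still recovers master key: {leaks}")
```

On the simulated SSD the old header survives the password change, and because changing the password does not rotate the master key, the old password plus a raw flash read yields the key that still decrypts every data sector. On the in-place disk the same scan finds nothing. This is the mechanism behind the TrueCrypt wear-leveling warning linked in Tip 4; it also explains why the usual advice after a compromised password is to re-encrypt the whole volume rather than just change the password.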
| 1374947 | 2014-05-14 03:36:00 | Speedy Gonzales (78) |

I doubt USB 3 will eliminate FireWire, if the device you're using doesn't use or have USB 3. I may use TPM, since I'll be getting a TPM module for this mobo sometime this week. I doubt that it'll or can sync with OneDrive / whatever if it's off / disabled. And if you don't use your MS account in Win 8.1.
| 1374948 | 2014-05-14 04:02:00 | kingdragonfly (309) |

I find the FireWire security hole a bit shocking: "The [Inception] tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to."
| 1374949 | 2014-05-14 04:14:00 | Speedy Gonzales (78) |

Can't say I've ever used a password for FireWire. I know people who have tried to give it an IP address, which is a no-no. It can screw it up. I know that it can cause network problems for some reason, especially when it's starting to die or fail. I had a FW card in the other PC here, then noticed over time it couldn't get online. The longer it was installed, the worse the network connection got, until I removed it completely. Used to have one in this too for the video cam I've got (so I can transfer video, since the only thing it's got is a FW connection). But I have removed it now, since the one I've got now uses an SD card, and I can use the card reader to copy what I record.
| 1374950 | 2014-05-14 05:10:00 | Alex B (15479) |

Don't use an SSD, yeah right.
| 1374951 | 2014-05-14 06:35:00 | kingdragonfly (309) |

You read the links before you posted your reply. Yeah right.
| 1374952 | 2014-05-14 06:53:00 | wainuitech (129) |

What say a person doesn't use encryption on their drives? A high percentage of people don't, so it's all irrelevant really. ;)
| 1374953 | 2014-05-14 07:14:00 | kingdragonfly (309) |

My very first sentence said most people don't care about encryption. It's inconvenient. Even when there's no performance degradation, you still have to do / have something extra to start your PC. Hopefully it is of interest to a couple of people.
| 1374954 | 2014-05-14 07:16:00 | fred_fish (15241) |

I've seen more data loss in the last year due to people (mis)using encryption than to hardware failure. Forgetting the passphrase, remembering the passphrase but formatting the device with the actual encryption keys, etc.

Them: "You can 'bypass' this password thing, can't you?"
Me: "Um - no... Where are your [unencrypted] backups?"
Them: "Ah......" (priceless look on face as reality hits)
Me: ROFLMFAO
| 1374955 | 2014-05-14 07:52:00 | Greg (193) |

"Hopefully it is of interest to a couple of people." It is, and thanks.