Since I am using a laptop more and more, and traveling with it, I would like to know if my current security methods are effective and any other inexpensive (free) security measures that I should do, which also don’t effect the ease of use.
The first one is that all business related files are stored on a encrypted falsh drive. Without the decrypt program and entering the code it shows up as a drive with no storage space. The info is backed up on my desktop.
The second is I use the Win XP username password, but this is XP home edition, which I know is not as secure as the pro edition.
2 aspects which I see are problematic are someone can access my emails and also be able to access stored usernames and autocompleted passwords. But can the get into the OS if the users are password protected?
Take a look through the archives of Security Now which is podcast by Leo Laporte and Steve Gibson (who wrote the first anti-spyware program), as they cover a lot of things that will be useful for you. I don’t remember the name of the software (It was mentioned on Laporte’s “Daily Giz Wiz” podcast some time back), but it stores all your passwords (for the websites you visit) on a flash drive and not on your machine, so that if someone gets their mitts on your laptop, they won’t be able to log into your bank account and clean you out or log you in here and begin to describe how much you enjoy sheep.
Note that a password enabled log in for XP is not secure at all! There’s a number of small programs that can be loaded to a thumb drive which will bypass the log in screen and give the user direct access to your machine.
Computer security is largely a matter of raising the bar. If the Men In Black want to know what you’ve got on there, they WILL find out. Your job is to keep the merely curious out–to make it that much harder to glean useful info.
Another of our truisms, in computer security, is that physical access trumps all. As you can imagine, laptops are especially vulnerable to this. This means that there’s a limit to practical measures you can take.
This is great! Continue doing this; don’t forget to remove the flash drive when you’re done; don’t forget the password; etc. Honestly, this is pretty much the best measure you could take.
But–pardon me if I am being exceptionally dense–what does “the info is backed up on my desktop” mean? Your desktop computer, as opposed to your laptop? Or on your laptop’s physical drive? If the latter, then the flash drive trick isn’t doing you any good.
Theoretically, no. In practice, yes. (See above re: physical access)
For e-mails: What’s not on the computer can’t be read. Consider keeping all e-mails on the server (i.e. not downloading them) and reading them there, probably via web interface. Note that this means that you must have Internet access in order to even read your e-mail.
If you want to keep the e-mails on your computer, you might consider finding out which folder XP uses to store downloaded mail, and turning it into a symlink (fake folder that points elsewhere) to an encrypted volume. Note that I’ve never actually tried this. E-mail travels in the clear, so you’ll have to connect to the mail server through a VPN to avoid getting the mail intercepted in transit.
For usernames and passwords: go into your web browser’s preferences and tell it to clear the cache when you close the browser. Firefox has a handy feature where the passwords are themselves protected by a password, which does provide some measure of protection (use a strong password, of course, and don’t repeat one you’ve used elsewhere). BUT BE CAREFUL! If you DON’T set the master password, Firefox stores them in the clear.
One final tip: on a wireless network, try to have the final link with your computer be wired. If this isn’t possible, then don’t do anything sensitive, as there’s a possibility of the connection being monitored. Online banking in coffee shops is Right Out.
If you’re as paranoid as we are, you’d install pre-boot drive encryption.
We use Pointsec, and there are a handful of others out there like Ultimaco and Entrust. How these work is when you turn on the computer, you’re prompted immediately for a user ID and password before the OS can even start loading. Our instalation of Pointsec uses 256-bit AES encryption, which is the level the US government encrypts “Top Secret” level data with, and it’s not been broken in the real world yet.
A warning on encryption - if by some chance you travel internationally, some countries (notably France) immediately equate encrypted data with terrorism or other illegal acts and will really spoil your day if you had thoughts of a vacaion in Paris.
As Lath of Heaven said, if the bad guys can get their hands on it, it’s Game Over, You Lose, so don’t leave the laptop where it can be picked up, use a cable lock, etc.
XP’s passwords? <giggle> All someone needs to do if they can walk away with your laptop is get in as an administrator and change ownership of the files, and that’s trivial. Commercial software that will help you recover a “forgotten” admin password is readily available, never mind the “haxxor warez” to do similar things.
Just a note about this. There are two ways to hack a XP password that I am aware of. One is to write (or buy) a program that will run attacks against password. If the password is simple this can take a couple minutes, if it is complex it can take months. Some of these programs will run on a network and intercept packets and run a crack against what they pick up. Most home users passwords are simple so they can be cracked pretty quickly. On the other hand, there is a program out there (I have a copy somewhere) that will just wipe out the XP administrator password. If you have physical access to the machine it takes about 5 minutes to get access.
Apparently, Linux can be made tougher to crack than Windows. I haven’t played with the app yet, but you can tie your access to an encrypted USB thumb drive, and when the drive’s not connected, you’re blocked from access.
I don’t know how to disable it, but LM Hashing is how Windows stores your password. IIRC, LM hashing stores it unencrypted so that anyone with the right software can read your password. Non-LM hashing means that their program’s got to just completely bypass the whole thing, which can give imperfect results (i.e. they’ve got access to your machine until it reboots or not everything works like it’s supposed to).
At one point in time, you could buy a polarized film to put over the screen so that anyone who wasn’t wearing polarized lenses couldn’t read the screen (this is different than the film which blocks people from different angles from being able to read it, you had to wear glasses to see the screen).
A hash of your password (an encoded version of it generated by applying a mathematical algorithm to the password) is stored locally on your Windows PC. This allows you to log in to things without having to have the domain controller available and without having to store your pasword in plain text.
LM Hashing is the hash method used in Lan Manager, the forerunner of Windows NT/2000/XP etc. It’s not too difficult to crack, so it was replaced with the much more secure NTLM hashing. But LM hashing was left enabled by default in case you needed to log in to servers running older versions of Windows. This meant that a relatively easy to decode LM-hashed version of your password was left lying around on your PC.
This isn’t programming or other security advice - more a tip for your next laptop; Biometrics. My laptop can only be logged in using my fingerprint. It’s a Medion laptop and it has a little finger scanner and a password vault memory. The only way to access it is to use my fingerprint but once it’s logged in, you can access the vault. It’s great fun and I feel like an international spy when I log onto the SDMB!
The serious computer thief often isn’t the biggest threat. Things like laptop locks and complex passwords protect against the most common threat, which is a laptop growing feet and walking away as a crime of opportunity. The data stored on a laptop in these cases is a bonus (more likely to the fence rather than the thief).
The true data thief is going to be able to bypass most reasonable measures to secure your data.
walrus, I know that the jumpers can be easily reset on a PC. Is it just as easy for a laptop? Either way, it still depends on what kind of thief is lifting your laptop - one specifically targetting the data stored on there, or one just looking for a quick score.
These are infamously easy to break, though. Consumer fingerprint scanners have a very high false-positive rate to begin with, and many of them can be quickly defeated given a “gelatin” finger created from a dusted print. There was a Mythbuster’s episode about the latter technique (against a high-end commercial scanner – and they got in) a while back (they obscured some of the details, as will I, because I don’t know them), and it’s a regular discussion topic on Slashdot.
How does it work? Does it just somehow pass the login requirements, or does it give the user the priviledges and rights of a particular account? If the former, can you access stuff that’s only set to be readable by a certain account? Does this program work on all versions of NT (nt 4, win2k, win2k3)?
That’s not going to get past any encryption he might have.
These generally work on any “wintel” hardware platform - just slip in a something like a bootable Linux CD and - *shazam! * - you’re root, and own the entire drive. From there, it’s a cinch to toddle over to \docum~1\username and load up at the all-you-can-eat file buffet.
If the user bothered to employ Windows EFS encryption, the task is much harder, but still not completely impossible. There are a few things that can be tried with Microsoft’s own administrative tools to crack EFS, but I won’t say anything about them other than they exist.
Remember: if you can touch it, you can own it, copy it to a CD and play with cracking it at your leisure. But, if you encrypt it, it will be a lot harder for someone to get your files, and casual snoops will move along.
The program I used wasn’t like that at all. I don’t remember the name of it, and it’s been a couple of years since I used it (I needed it because Pete Puma locked himself out of the office PC), but it was on a floppy that I stuck in and booted from. I then got a command prompt asking me if I wanted to change the password or just wipe it out altogether, as well as something else (that I don’t remember). It wouldn’t let me change the password, so I had to wipe it out, and then I had to jigger around with various settings (and reboot the PC a couple of times, IIRC) before I had the machine back to normal.
Oh, one other useful security device that I just remembered. It’s called Power Logon and what it does, is plug in via a USB port on the machine, then what happens is when you’re surfing the web (for example) and you come to a site where you have to enter a password, you enter it in normally, but instead of it being stored in your browser, it’s stored on the card which plugs into your USB. Pull the card, and assuming you’ve set your browser to not remember passwords, no one will be able to gain access to things like your email account or your bank account via the web.
E-mail travels in the clear, so you’ll have to connect to the mail server through a VPN to avoid getting the mail intercepted in transit.