return to ICG Spaces home    ICG Risk Blog    discussions    newsletters    login    

ICG Risk Blog - [ Protecting mobile information in your possession and transiting to/from you ]

Protecting mobile information in your possession and transiting to/from you


Most encryption approaches have failed due to the delta between the security level that a firm's management seeks to instill and the overhead that their employees are willing to endure. As a PGP user since rev 3 (DOS-based), I can sympathize, but once PGP migrated to Windows and Outlook allowed a toolbar add-in, it has become almost easy.

Many now see the issue as protecting mobile machines and their still shrinking, easily mislaid or stolen flash drives. I submit that users must also protect materials transiting to and from them while they are deployed.

Transparent whole data volume encryption

I recommend Schneier's short item on protecting data on a PC, laptop or otherwise, and associated mass storage items such as jump sticks. Not only is Schneier's approach practical and easy to employ, it is now essential, given the number of mobile computers in use and the rising number of opportunistic and premeditated predators, for virtually any firm:

PGP Whole Disk Encryption locks down the entire contents of a laptop, desktop, external drive, or USB flash drive, including boot sectors, system, and swap files. The encryption is transparent to the user, automatically protecting data.

There are added features such as preboot authentication, anti-key logging and one-time use emergency passphrase. A removed disk cannot be booted when inserted into another computer, nor is there any modification to Windows.

Schneier recommends a two-tier encryption strategy:

Encrypt anything you don't need access to regularly -- archived documents, old e-mail, whatever -- separately, with a different password. I like to use PGP Disk's encrypted zip files, because it also makes secure backup easier (and lets you secure those files before you burn them on a DVD and mail them across the country), but you can also use the program's virtual-encrypted-disk feature to create a separately encrypted volume.

Use multiple tiered passphrases

I go beyond Schneier's two tier strategy to use a tiered set of passphrases, one for PGP transmissions, another for full disk encryption and a third or more for reference volumes so that one passphrase does not reveal all.

Know how to turn off your laptop fast

Know how to quickly turn off your laptop and, if you have to hold down a key or key combination to do it, how long it takes. You may not wish to endure bodily harm before surrendering a laptop, such as in a coffee shop theft, but holding onto it long enough to power it down will not leave the PC on and any volumes in use vulnerable to attack.

Minimize data stores on any mobile device, PC or jump drive

Take note of Schneier's comment to not have excess data on the disks to begin with, i.e., why have to encrypt or risk legal or physical demands to decrypt data:

minimize the amount of data on your laptop. Do you really need 10 years of old e-mails? Does everyone in the company really need to carry around the entire customer database? One of the most incredible things about the Revenue & Customs story is that a low-level government employee mailed a copy of the entire national child database to the National Audit Office in London. Did he have to? Doubtful. The best defense against data loss is to not have the data in the first place.

Use 'transit addresses' wherever you are reasonably at risk

I realize that data scrubbing will be considered too great a trouble for most, and certainly those whose laptop has long become their roving desktop machine, but here is one essential process that I urge, especially for those bound to locals where in-transmission capture is possible/probable: use a 'transit address' when you are travelling that only receives a filtered subset of one's normal traffic.

While enroute to, or within, certain countries, by prearrangement with home office, I only look at the transit address traffic and even that transit traffic may be encrypted. (I also reset my email passphrase.) All mail continues to go to my usual address but then pertinent items are flagged and forwarded (often with abstraction) to the transit address, i.e., if you don't send it, they have more difficulty in intercepting it. I alert colleagues that I am deployed for a time window and am only looking at transit traffic.

You cannot imagine the traffic that flows to and from senior executives and senior technical personnel; they effectively make no differentiation between home office and fragile in-transit and deployed locations where key-logging and other government mandated monitoring efforts are in effect. I say again, you can imagine the volume of traffic laid open to collection. Just capturing email addresses of traffic to and from the target lays a trusted group open to targeted phising attacks. See Malicious marketplace uniting espionage, criminal groups, crackers, terrorism, vulnerable systems, commercial and government targets.

Don't do dumb things

Even the best encryption systems will not protect you if Homo Boobus takes over the keyboard, doing things such as leading your cyphertext with the cleartext title from the subject line, using key words from the text in the subject line, or pasting the encrypted cyphertext above or below the cleartext. I have gotten too many of those from amateurs.

Never, ever send or receive faxes. If it is worth sending, encrypt it and send via email.

But do carry any keys on separate media on your person 24/7, carry the laptop with you 24/7 to prevent physical attack with a Linux boot disk, frequently send random encrypted blocks of text to blunt traffic analysis, etc. People's eyes usually glaze when they hear this but intel collectors and criminals depend upon that resistance.

Putting it all together

One client's staff followed the rules such that we had emcon (emission control) to the point that our Asian hosts grew increasingly frustrated in negotiations. (Our presumption was that our host was not getting the expected level of background information needed to design their response to the client.) Turning the tables a bit, well past the halfway point in the visit I had the client announce that we were going to take the last day off for a special sightseeing tour. Now it was our hosts who had to work under compressed timelines.

Plausibly deniable encryption

For the few that must endure the likelihood of coercive interrogation that would force the prisoner to disclose any and all passphrases, there is plausibly deniable cryptography that clouds the very existence of encrypted volumes:

Encrypted filesystems fail against the Rubberhose Attack [because] traditional encrypted filesystems leak information. While the Bad Guy doesn’t know what the encrypted data is, he is able to see that there -is- encrypted data. Thus, he can beat our spy until all encrypted data has been decrypted.

Most processes by which one hides a data volume so that an inquiring police or immigration officer sees nothing to demand access thereto is usually not for the technical faint of heart. The system that I used, Rubberhose, is no longer supported and its creator is not the speediest in responding. The level of effort is higher on the install side but if you are likely to face coercive interrogation, it has its merits:

Deniable cryptography allows a captive or defendant that does not wish to disclose the plaintext corresponding to their cyphertext to be able to that there is more than one interpretation of the encrypted data, i.e., an investigator will likely know that encrypted material exists on the drive, but will not know how much as so there is an opportunity to keep the existence of the most essential data hidden. Designed by Julian Assange, co-author of The Underground, Rubberhose is named after the decryption tactic it attempts to defeat: Rubberhose Cryptanalysis, in which suspects are exposed to repeated beatings or torture until their password is surrendered.

The best product extant in this area appears to be TrueCrypt but if this cloaked approach is necessary, your systems specialists should evaluate its ability to withstand the expected level of forensic analysis for the hostile states through which you expect to travel.

For most commercial environments, disk and associated data volume encryption, a fast off-switch, transit address usage and excising unnecessary data from the mobile unit will stand you in good stead.

How Does Bruce Schneier Protect His Laptop Data? With His Fists — and PGP
Bruce Schneier
11.29.07 | 12:00 AM
Mirrored as:
How to Secure Your Computer, Disks, and Portable Drives
Bruce Schneier
Schneier on Security
December 04, 2007

Deniable File System
Bruce Schneier
Schneier on Security
April 18, 2006

Defending against Rubberhose Attacks
Christopher Soghoian
JHU Systems Seminiar
March 9 2004

Gordon Housworth

Cybersecurity Public  InfoT Public  Intellectual Property Theft Public  


  discuss this article

<<  |  December 2019  |  >>
view our rss feed