helping you stay protected in the digital age

With the release of TrueCrypt 5.0, end users (ie: you and me) can now encrypt our entire hard drives even with their operating systems running. In my case, I’m running Windows XP Professional on a Gateway Tablet CX21610. But what some users don’t realize is that multi layered security is better than just one layer; in other words, using just a logon password without any other security (EFS, boot password, TrueCrypt, etc) will only slow down an attacker but not stop one.

Did you know that the hard drive in your computer can be taken out and used as an external drive? I’m not trying to scare you but if you just have a logon password for Windows (and even though some people don’t) then I could theoretically take your hard drive out of your computer, plug it into mine and then gain access to your files!

Using multiple layers of security can slow down and even stop attackers from gaining access to your sensitive information. Now, I’m not a security expert and there are a lot of knowledgeable people on DSLReports Security Forum but I do enjoy using multiple security solutions on my computer systems and I recommend one or two of the options that I use to my clients after repairing their systems or during a consulting session (I do PC consulting for businesses and end-users such as students when I have time). In a previous post I mentioned my current security “gates”** that I use on my laptop. In this post, I’m going to elaborate a little more on these “gates” and how you can use these systems.

1: Main Hard Drive Password (aka: Drive Lock)

• Theory: When a user powers on my laptop the first security mechanism that requires user input is the Main HDD Password. The main hard drive password is a password that locks the hard drive from use until the user enters the correct password. If the hard drive were to be removed from my laptop and plugged in as an external device the device would show up in Windows as an unformatted drive. I know this because I pulled my old hard drive which was locked with a HDD password and plugged it into my desktop to get some files off and I couldn’t until it was put back into my laptop and unlocked for use on other systems. If the user enters the password incorrectly 3 times then the hard drive locks until it is reset which is done in the BIOS. I read (and we all know how accurate information found online is) that the HDD password is stored in the drive’s EEPROM, so moving the locked hard drive from one system to another will still store the password on the drive (hence the reason why my drive shows up as “unformatted” and unusable when I try to use it as an external drive while it is locked).

• Implementation: Some computers support a hard drive password or drive lock password. You can either check your computer documentation or go into the BIOS of your computer during the first few seconds of powering on your PC. If a message isn’t displayed on how to enter the BIOS for your particular model pc, try F2, F8, F10, F12, DEL, or ESC.

2: BIOS Boot Screen Password

• Theory: After a successful password is entered then the next screen is the BIOS boot screen password. This password prevents a user from actually booting the computer whether or not the first boot device is an external device, CD-ROM, or hard drive. The BIOS won’t continue to look for bootable media unless this password is entered.

• Implementation: This password is controlled by the BIOS on this computer.
  If the CMOS battery were to be pulled out of the computer then on average after 15 minutes the BIOS boot screen password and access to the BIOS would be reset allowing the user to gain access to the computer BIOS, which can reset the main HDD password and the basic startup parameters. I wouldn’t trust this security option as the only security factor in a multi-layered defense. This will only slow down an attacker but not stop the attack. If an attacker wanted access then they could reset the CMOS by pulling the battery and then reset the main HDD password unlocking the hard drive.

3: TrueCrypt 5.0 Drive Encryption

• Theory: Now this is where the real security comes into play. With TrueCrypt 5, I’ve encrypted my ENTIRE hard drive using the full drive encryption option. If the first two passwords were reset or access was granted by these two systems then the user would need the TrueCrypt boot loader password.

• Implementation: The boot loader password is controlled by TrueCrypt. I’m not sure exactly how it validates the password or where it is stored as I am brand new to TrueCrypt’s drive encryption. The first two systems had a max password length of 8 letters, or 8 numbers, or 8 symbols. My TrueCrypt password is more than 20 characters and a combination of capital and lowercase letters, numbers, and symbols. When setting up TrueCrypt in my operating system I was able to configure certain options. I chose a mix between speed and security. TrueCrypt 5 provides both authentication and encryption; the first two security gates only provide one of the two: authentication. (Ok, ok. It provides a means of authorization via authentication :p ). Installation of TrueCrypt is just like installing any other program. Run the installer, follow the prompts, and you’re there. Beginners should REALLY read the manual before operation otherwise you might have a 160gb door stop.

3b: EFS – Encrypted File System

• Theory: Windows 2000 and more recent operating systems like Windows XP Professional provide encryption of files and folders selected by the end user. This is better than nothing at all, but there are some vulnerabilities in EFS.

• Implementation:Unlike the BIOS, HDD, and account logon prompt, EFS does not provide an authentication method for use; in other words, a password prompt does not appear to the user, EFS works in the background of the operating system. EFS must be enabled on your Windows XP Professional machine (sorry home users, I don’t believe EFS is an option for you folks) and the user must select which folders are to be encrypted with EFS. This can be done by right-clicking the files/folders, selecting properties, selecting the “general” tab, then checking “Encrypt Contents to Secure Data”.

4: Windows User Account Password

• Theory: The final authentication method is the domain user account stored on my active directory server. A user name and password must be supplied that is allowed access to the domain.

• Implementation: Any and all local user accounts on my laptop have been disabled through group policy and the only accounts that can log onto my laptop are my account and my other domain administrator stored in the active directory and cached on this local machine. For those that aren’t as geeky as I am and aren’t running a domain, then access to the user accounts occurs in the “User Accounts” module found in the control panel.

Note: Windows XP Home users and on some systems there is an administrator account NOT listed during logon. By default this account DOES NOT have a password. Please, please, PLEASE put a password on your Administrator account. Instructions and a little lagniappe on the administrator account can be found at: http://www.worldstart.com/tips/tips.php/1929

All in all I believe TrueCrypt 5 provides an additional, if not critical, layer in a multi-layered security solution. At the very least I would go with TrueCrypt and trust it with my security if I had no other option available to me. I believe I have a very good security system in place to prevent my data from getting into the wrong hands… or my hands if I have amnesia. It is good practice to store your passwords somewhere aside from your head such as an encrypted thumb drive. I’ll write more about encrypting removable media with TrueCrypt this week as well as how I keep a backup of my passwords in the event I die and include a poll I conducted about a month ago in which more than one hundred people shared their backup schemes for sensitive information!

• More information about EFS can be found @ : http://en.wikipedia.org/wiki/Encrypting_File_System

• More information about TrueCrypt 5 can be found @ : http://www.truecrypt.org/

• Blaize Stewart’s article about TrueCrypt can be found @ : http://www.blaize.net

• More information about BIOS passwords from a website I didn’t read completely and glanced at for about 5 seconds can be found @ : http://www.lockdown.co.uk/?pg=biospsw&s=articles

** The term “gates” simply refers to a security phase in which a password must be supplied to move past that security phase. I could have used another word, but I felt that “gate” visualized the idea pretty well.
*** I didn’t mention my firewall or other security software I use. I felt that it would draw away from the main idea of this article.

~ by johndball on March 3, 2008.