AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Data Encryption And Password Protection: Why The Latter Fails

Most people know (…or do they?) that password protection on a laptop computer is, security-wise, an oxymoron, like “pretty ugly” and “military intelligence” (an honorable discharge means I’m allowed to take potshots at my former employer). That’s why people in the know will resort to something like laptop encryption for protecting their computer data. Here’s an explanation of why I think “password protection” is a fraud at best.

When most people talk about password protection, they generally refer to a variation of this:

[Image: Windows logon prompt]

The reason why the above is the de facto definition of password protection is pretty simple: Microsoft pretty much owns the world when it comes to computers.  Now, facing the above prompt, most people will give up if they don’t know the username and password combo.  Sure, they may try to guess, but it will not be long before they realize that the chances of hitting the right combo are close to nil.  The keyword is “most people.”  You’ll probably agree, most people don’t go around stealing other people’s computers.  By definition, computer thieves are not like most people.

Now, if the thief is interested in a quick turnover, he may never turn on the computer and never see the above prompt.  No problems there.  But what if the thief is not interested in a quick turnover?

Maybe he knows someone who’s interested in buying personal information. Or, perhaps, he’s interested in taking over someone’s identity himself. Or, he’s just curious; after all, he could have stolen a celebrity’s laptop chock-full of compromising pictures perfect for blackmailing or selling for a nice chunk of change (assuming the word “compromising” means what it used to mean; it doesn’t seem to anymore). The point is, a modern computer’s high storage capacity increases the chances of something really useful being in there somewhere.

Will a thief try to get to the data?  I’d say most would.  Will they find it hard to do?  Depends.  If they try to guess the username and password combo, chances are they will fail.  But, if they try to get around the password protection, then they’ll be all over that computer’s data in five minutes flat.  That’s because they don’t have to guess the username and password combo.

I’ll repeat that.  They don’t have to guess the username and the password.  See, there are two ways of getting around the above prompt to get to the computer’s data.  The first—and obvious—way is to provide a valid username and password.  The other way is to bypass the prompt.  There are several ways of doing that.

Now, before you get critical, the following methods of bypassing the prompt aren’t a secret.  They’re very well documented and easily available with a simple search in your search engine of choice (4 to 1 odds that it's Google).

One surefire method of bypassing passwords is to take out the hard disk and connect it to another computer.  This is known as "slaving a hard drive" (it's the basic principle behind external, portable hard drives).  With this move, the password-prompt doesn't even show up.

Another method is to use a boot disk of some sort to boot up the computer.  Because the computer is booting up from the boot disk--and not the hard drive--a password prompt will not show up.  Once the computer is up and running, it's just a matter of copying off the data from the computer.

There are other methods, but they get more complicated so I won't describe them here. This does not, however, imply that they're so complicated that a fourth grader couldn't do them. It just means these other methods are not as ridiculously simple as the two methods above.

Conclusion?  Password-protection does not work as a security measure where it counts most.  If you or your company really feels the need to protect the contents of your computer, you'll have to go with something that has been proven to work effectively: encryption software.

While encryption software also requires the use of passwords (namely for you to gain access to your own data, while keeping others out), it differs from password-protection in that the above methods of bypassing it (and, technically, any methods of bypassing the password prompt) won't work.
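The difference described above, as a small Python model added here for illustration (it is not AlertBoot's code and not how any particular product is implemented). All names and the sample record are constructed, and the keystream is a toy stand-in for a vetted cipher: the point is only that a logon prompt leaves the bytes on disk readable, while encryption ties those bytes to the password.

```python
import hashlib, hmac, os

# Constructed sample data standing in for the files on a laptop's disk.
SECRET = b"payroll.xlsx: constructed sample record, SSN 000-00-0000"

def _keys(password: str, salt: bytes):
    # Derive separate encryption and integrity keys from the password.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return dk[:32], dk[32:]

def _keystream(key: bytes, n: int) -> bytes:
    # Toy SHA-256 counter keystream (assumption for this demo, not a production cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def make_password_protected(password: str) -> dict:
    # Logon-prompt model: the OS stores a password verifier, the data stays plaintext.
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _keys(password, salt)[0], "disk": SECRET}

def make_encrypted(password: str) -> dict:
    salt = os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(SECRET, _keystream(enc_key, len(SECRET))))
    return {"salt": salt, "disk": ct, "tag": hmac.new(mac_key, ct, hashlib.sha256).digest()}

def read_raw(volume: dict) -> bytes:
    # What a second computer or a boot disk sees: the stored bytes, with no prompt involved.
    return volume["disk"]

def unlock(volume: dict, password: str):
    enc_key, mac_key = _keys(password, volume["salt"])
    expected = hmac.new(mac_key, volume["disk"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, volume["tag"]):
        return None  # wrong password: nothing usable comes out
    return bytes(a ^ b for a, b in zip(volume["disk"], _keystream(enc_key, len(volume["disk"]))))

if __name__ == "__main__":
    pp, enc = make_password_protected("hunter2"), make_encrypted("hunter2")
    print("password-protected, raw read:", read_raw(pp))
    print("encrypted, raw read:        ", read_raw(enc).hex()[:48], "...")
    print("encrypted, wrong password:  ", unlock(enc, "guess"))
    print("encrypted, right password:  ", unlock(enc, "hunter2"))
```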

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.