Saturday, 1 January 2011

Lock it up for New Year



The subject on many lips lately is hackers and security, even more so with the announcement that someone can crack into your mobile phone calls and listen in with nothing more than a cheap Motorola phone and some cunning skills.
An irony is that I have a firm belief that some of our greatest software advances are due to people cracking security in areas like Playstations, Xbox, WEP etc. This brings security forwards as people develop countermeasures, and it also brings out skills in testing and breaking those measures. I'm sure a time will come when a status quo exists in which the time and effort needed to break security is far more than the rewards, and people will simply not bother.

How can you help yourself? I teach several subjects in my role, and during the Desktop and Notebook course we discuss some basic security measures and their advantages.

Drivelock - if your system supports drivelock then this is one of the first defences.
This puts a password on the hard drive itself, so in the event that someone powers up your system the drive will not mount itself or be accessible. What's important to understand is that Drivelock is a function of the hard drive, not of the BIOS. Although you set it through the BIOS, if you remove the hard drive and attempt to bypass the operating system (for example by putting it into a USB caddy) the drive will still be locked.

When setting Drivelock you will need to secure your BIOS (Drivelock will tell you it won't continue until you set a BIOS password), so set a good strong password. For Drivelock itself you normally have two passwords: the user level (your day-to-day password to unlock the drive) and the master password (in case you forget the user password or need to override it).

Once set, the system will prompt for the Drivelock password when booting; even if you intend to boot from a USB drive or CD-ROM the system will still ask for it. This will prevent people using a boot disk such as Ubuntu live or a Windows recovery CD to bypass your OS login passwords and gain access to your data.

Drivelock is so efficient that if you remove the drive and put it in a USB caddy then to all intents you do not have a drive connected: you have not put the password in, so the drive is not even visible as a device. To use it in an external caddy you must put it back in your system (or a compatible PC), enter the Drivelock password and disable the lock in the BIOS; at that point the drive behaves as any non-protected drive.

People often ask me what happens if they encrypt their drive, i.e. will Drivelock still work? Drivelock works BEFORE any OS is mounted; it is at the drive firmware level. As an example, think of a car: you unlock the door and open it, get in, sit down and start the engine. Think of the engine as your operating system and think of Drivelock as the car door (locked). In normal situations the door is not locked; you simply walk up to the car, open the door and start the engine.

With Drivelock you unlock the door then start the engine (with a different key).

As another example, imagine leaving your laptop on a train. Could someone power it up and get as far as the operating system (where it asks you to log in)?
If so, then anyone with a live CD or Windows boot CD can easily start your system up, bypass any need for passwords and simply gain access to your files.

If you have some letters to the bank, perhaps a list of your passwords etc then everything on your laptop and far more is compromised.

Drivelock will secure your drive even when it is removed from your machine and attempts made to break into Drivelock cause it to lock the drive out after three attempts, at that point you must power down to try again.

If you have TPM (Trusted Platform Module) fitted then take control of your TPM chip, put ownership information in and secure your TPM.
TPM works by generating random numbers/keys; these are used for passwords such as https sessions, encryption and even Drivelock.
One option in the BIOS is normally to enable TPM Drivelock. This puts a 256-bit (32 character) random password onto the drive; only Drivelock and the drive know the true password, so you will never know it.

TPM will challenge you to prove your ownership (perhaps a fingerprint swipe), and at this point TPM will unlock the drive. The beauty of this is that you can't use an obvious password as TPM chooses it, the strength is set by TPM, and it removes the weak point (you) from the password option.


TPM is also used if you decide to implement BitLocker, which is Windows whole drive encryption. Once BitLocker is enabled, TPM will hold the master and run time keys that BitLocker needs. Should TPM fail (and your keys be lost) you can export a master recovery key for BitLocker (make sure you keep this in a very very safe place).


As TPM is used more and more it will hold keys for just about everything: banking, log on passwords, file encryption passwords etc. Should your TPM chip (or motherboard) fail then obviously the passwords are lost. TPM software allows you to export your keys to a pen drive, but you should NEVER export your master and public keys together. You can export your public keys and simply put the pen drive into a convenient drawer or even hang it on your wall; these are public keys and offer no security risk if others know them. Your public keys would be sent to others to allow them to send you an encrypted email; they encrypt it using YOUR public key.


With your master keys you would export them and take these to your bank and lock your pen drive away in the deepest vault, should your master keys be compromised you should dissolve them and immediately create new ones then refresh any applications that relied on these keys.
If someone sends you an encrypted email then you would decrypt it by using your master key, this confirms your credentials to the public key (used to encrypt the message in the first place) and is therefore of such importance you never reveal the master keys to the outside world.


Passwords - Where possible remove the human factor by using TPM to generate and secure your passwords. If not, then use a long and secure password of at least 14 characters/numbers, a non-dictionary word, and use special characters where possible.


You can increase a password's security quite considerably by using special characters and numbers. Take the following password, "cheddar"; I like cheddar cheese so it's a simple word to pick (strength tests done using Microsoft password checker):


Password strength is weak, it is a dictionary word so easy to crack.
Cheddar - still weak.
C43dd4r - Strong
C43dd4r&! - Still Strong
1+L1k3+C43dd4r&1973 - Still Strong

One trick is to think of a passphrase (a sentence) and take key letters to form a password. Let's consider "The Quick Brown Fox Jumps Over the Lazy Dog" and take the first letter of each word: TQBFJOTLD. It's not a long password so it is still considered weak.

How about the first and last letters, TEQKBNFXJSORTELYDG? This is now strong; the reason it's not a very strong password is that there are no numbers or special characters to increase the permutations.

Let's go back a step to TQBFJOTLD and put some numbers and special characters with it. Let's assume we like the year 1986 and (using just 86) make it 8+TQBFJOTLD-6. We are now getting stronger, and if you try this you will be amazed how easily you remember the password if you define some simple rules.

To explain in more detail, let's assume you have only 2 characters as your password and you use letters or numbers. This gives 26 lowercase characters plus 26 uppercase plus 10 numbers per position = 62 possible characters for the first password position x 62 for the 2nd = 3844 permutations.

There are 32 special characters you can use, so you can appreciate that adding them into the equation makes each position 26+26+10+32 = 94 possible characters; for our 2 character password this makes 8836 permutations.

If you have 14 character passwords, using combinations of all these, then your password will have 94 to the power 14 or 4,205,231,901,698,742,834,534,301,696 permutations (more info here).

TPM will generate 32 character passwords so you should by now appreciate that this is a significantly greater number of permutations for anyone to crack (I have no idea what this number is in English, surely more than a Trillion?)

 1,380,674,536,088,650,126,365,233,338,290,905,239,051,505,147,118,049,339,937,652,736



Using TPM will generate passwords that are technically challenging for anyone to break through and it will remove the "human" weak point: we like to use dictionary words. It also removes the need to remember complex passwords; as far as we are concerned there will simply be a challenge from the TPM chip to us to confirm ownership, and then it will deploy the necessary password.
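The permutation arithmetic above as a small Python sketch (an added example, not part of the original post): it derives the character pool from the classes a password uses, computes the permutations, and flags passwords built on a listed word, since the permutation count alone overstates the strength of a disguised dictionary word. The three-word wordlist is constructed, the function names are illustrative, and `random_password` is only a software stand-in for a machine-chosen password.

```python
import math
import re
import secrets
import string

# Character classes counted in the post: 26 + 26 + 10 + 32 = 94.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed mini wordlist, for illustration only.
WORDLIST = {"cheddar", "password", "sunshine"}


def keyspace(pool, length):
    """Permutations for `length` positions drawn from `pool` characters."""
    return pool ** length


def pool_size(password):
    """Sum the sizes of every character class the password draws from."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def is_dictionary_based(password):
    """True if a listed word survives once appended symbols are stripped and
    digits/symbols inside the word are treated as swapped letters."""
    core = password.strip(string.punctuation).lower()
    if sum(ch.isalpha() for ch in core) * 2 <= len(core):
        return False  # mostly digits/symbols: not a disguised word
    pattern = re.compile("".join(ch if ch.isalpha() else "." for ch in core))
    return any(pattern.fullmatch(word) for word in WORDLIST)


def report(password):
    n = keyspace(pool_size(password), len(password))
    return {"pool": pool_size(password), "permutations": n,
            "bits": round(math.log2(n), 1) if n > 1 else 0.0,
            "dictionary_based": is_dictionary_based(password)}


def random_password(length=32):
    """Software stand-in for a machine-chosen password (not TPM code)."""
    alphabet = "".join(CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["cheddar", "C43dd4r", "C43dd4r&!", "TQBFJOTLD", "8+TQBFJOTLD-6"]:
        print(pw, report(pw))
```
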

Once you're rolling with Drivelock and perhaps TPM, start looking at using encrypted folders or containers to hold key files. TrueCrypt is excellent for this as it is effectively a software representation of TPM functionality, but in a program that runs in Windows, Linux etc. and, best of all, it's FREE!

Within 5 minutes you can have it installed and secure your key files in encrypted containers. Their tutorials are excellent, but all of this is useless if you don't use strong passwords.

TrueCrypt has one feature to help humans avoid weak passwords: it allows "Keyfiles". These can be nothing more than a text file or a JPG, and they form an additional factor alongside your password to provide strength. If you encrypt a file container then you can put a password on it AND use a keyfile (perhaps a file held only on a separate pen drive); you must then provide the password AND the keyfile to decrypt the data.

It has many other features but start at the beginning and go from there.
