Why you need passwords on your ThinkPad

Message

hausman · #1 Post by **hausman** » Mon Jun 07, 2004 4:15 pm

Oops! Firm accidentally eBays customer database

A customer database and the current access codes to the supposedly secure Intranet of one of Europe's largest financial services group was left on a hard disk offered for sale on eBay. The disc was subsequently purchased for just £5 by mobile security outfit Pointsec Mobile Technologies.

According to Pointsec, one of the hard discs contained "highly sensitive information from one of Europe's largest financial services groups with pension plans, customer databases, financial information, payroll records, personnel details, login codes, and admin passwords for their secure Intranet site...

Pointsec purchased 100 hard discs over auction site as part of its research into the "lifecycle of a lost laptop". Pointsec found that they were able to read seven out of 10 hard-drives bought over the Internet at auctions such as eBay despite the fact all of had "supposedly" been "wiped-clean" or "re-formatted". The company said the exercise illustrated how easy it is for identity thieves or opportunists to access highly sensitive and valuable company information from lost laptops and hard-drives...

Pointsec visited one of the auctions used by Gatwick airport, near Chertsey and found that before even purchasing the laptops, the researchers were able to start up the laptops to inspect whether they worked. Using password recovery software they were able to access the information on one in three of these laptops. The exercise was repeated in Sweden, the US and Germany.

geobel · #2 Post by **geobel** » Mon Jun 07, 2004 5:20 pm

password doesn't help much if disk is physically accessible... One has to encrypt sensitive data with programs like Axcrypt http://axcrypt.sourceforge.net/

and erase data instead of deleting them (and wipe free space regularly) with programs like Eraser
http://www.heidi.ie/eraser/

Gosha

hausman · #3 Post by **hausman** » Mon Jun 07, 2004 6:36 pm

geobel wrote:password doesn't help much if disk is physically accessible... One has to encrypt sensitive data with programs like Axcrypt http://axcrypt.sourceforge.net/

The HD password on ThinkPads makes the data on that HD inaccessible. As I understand it, the password doesn't encrypt data on the drive but instead is a lock to the electronics on the drive. I suppose someone could switch the electronics or move the platters, etc. but that's likely beyond the capabilities of all but the most determined (and sophisticated) people.[/quote]

cynic · #4 Post by **cynic** » Mon Jun 07, 2004 8:58 pm

Plus, you could use the embedded security chip to lock down the data.

geobel · #5 Post by **geobel** » Tue Jun 08, 2004 4:41 am

hausman wrote:The HD password on ThinkPads makes the data on that HD inaccessible. As I understand it, the password doesn't encrypt data on the drive but instead is a lock to the electronics on the drive. I suppose someone could switch the electronics or move the platters, etc. but that's likely beyond the capabilities of all but the most determined (and sophisticated) people.

[/quote]

If you protect data from you little sister HDD password might be enough... But when we are talking about government agencies and high-tech corporate espionage HDD password is nothing. As long as your data are in plane text in HDD it is not too difficult to get them.

Gosha

geobel · #6 Post by **geobel** » Tue Jun 08, 2004 4:52 am

cynic wrote:Plus, you could use the embedded security chip to lock down the data.

This sounds too dangerous... No matter how many backups you have you will loose all your encrypted date if something happens to your laptop (or securiity chip). Besides it is also inconvenient because you can work with encrypted data only on one computer.

Gosha

compispezi · #7 Post by **compispezi** » Mon Jun 21, 2004 4:12 am

Yes, what Geobel means is absolutely ok.
For normal business use the HDD password - it is C2 securita - a standard of US military.
Try to use a password fixed HDD via adapter in a Desktop - you don't see this HDD in the accessable drives.
For more security a good way is the encrytion via the security chip of IBM. A solution also for more mailsecurity. Be aware - only files and folders will be encrypted - not the complete HDD. But it ist a hardwaresolution with highest security. it also ca work together with fingerprints, Xyloc Badges and so on.

vjacob · #8 Post by **vjacob** » Wed Jun 23, 2004 2:47 am

compispezi wrote:Yes, what Geobel means is absolutely ok.
For normal business use the HDD password - it is C2 securita - a standard of US military.
Try to use a password fixed HDD via adapter in a Desktop - you don't see this HDD in the accessable drives.
For more security a good way is the encrytion via the security chip of IBM. A solution also for more mailsecurity. Be aware - only files and folders will be encrypted - not the complete HDD. But it ist a hardwaresolution with highest security. it also ca work together with fingerprints, Xyloc Badges and so on.

do you use the security chip on a daily basis by any chance? I've kind of thought about looking more into it after installing linux, but I'm not sure it makes sense for everyday private use.

Second question: Do you think security chip use makes sense for common everyday private use?

Why you need passwords on your ThinkPad

Why you need passwords on your ThinkPad

Who is online