Improving my X61t security

AlphaCentaury
Posts: 10
Joined: Sat May 09, 2009 2:29 pm
Location: Mulhouse, France

Improving my X61t security

#1 Post by AlphaCentaury » Thu Oct 29, 2009 5:51 am

Hi,

I'm currently using my X61t at work and the only security enabled is Windows 7 authentication through either password or fingerprint.
As it can contain confidential data (the company's T40s use authentication at startup and full disk encryption) I'd like to improve the security, but I don't want to take any risk of blocking my BIOS, for example, and I'm not really aware of the X61's capabilities. Also, I don't want any important loss of performance.

I'm ready to enable fingerprint authentication at startup and to change my hard drive for one which supports hardware encryption (Seagate FDE or Hitachi BDE), but I'd like to have your opinion before doing any irremediable change. My current hard drive is a Samsung Spinpoint M6.

Could you help me to understand the principles of my laptop's capabilities? And also to compare the advantages and weaknesses of each security level I could implement?

Thank you in advance!

RealBlackStuff
Admin
Posts: 17517
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA

Re: Improving my X61t security

#2 Post by RealBlackStuff » Thu Oct 29, 2009 7:51 am

I'm no expert on this, but I don't like or trust fingerprint readers.
It's relying on both software and hardware. The software can fail and the hardware can break.
Paranoid side-remark: someone could chop off your finger to access your laptop without you being present...
The above will only work on the same laptop the HD is (supposed to be) in.

If you would put a password on the hard disk itself (using either IBM or Hitachi HDs), that would completely protect the hard disk from intruders, and make/keep it mobile so you could put it in another laptop if the first one fails.
The HD password is only stored on the HD itself, not in any other part of a laptop (or PC).
Unless you have a forensic facility, these HD passwords are unbreakable (valid only for the above IBM and Hitachi HD brands).

I have no knowledge/experience with fully encrypted HDs such as FDE and BDE.

There's little or no protection from Windows, BIOS or even Supervisor passwords, as these can be broken.
They only work as a deterrent for 'occasional thieves'.

My $0.02
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.

loyukfai
ThinkPadder
Posts: 1085
Joined: Tue Aug 08, 2006 2:08 pm
Location: Hong Kong

Re: Improving my X61t security

#3 Post by loyukfai » Thu Oct 29, 2009 11:29 am

The newer fingerprint readers won't work with "dead" fingers, last time I checked. Finger just cut off, maybe.

Still, there are other ways to hack around, and information on the Net (IMO) is lacking. And like any other security mechanism, including passwords and passphrases, there are always ways to get around.

And the weakest link is usually the end-user.

I can go on, but if you work at a company, I think you REALLY should consult the IT department instead of asking here.

Just my 2 cents.

AlphaCentaury
Posts: 10
Joined: Sat May 09, 2009 2:29 pm
Location: Mulhouse, France

Re: Improving my X61t security

#4 Post by AlphaCentaury » Thu Oct 29, 2009 11:59 am

To RealBlackStuff:

Thank you for this piece of information, it's very useful. A possible simple solution for a true security gain.

About these password-protected HDDs: how does it work in practice? Is there a first boot step with authentication before loading your system? Does it support multi-system installations? Is it possible to extract a backup using Norton Ghost or equivalent? What is the name of this functionality, or how do I identify the right product?

I'm thinking about Hitachi HDDs, as such IBM parts are usually too expensive in my opinion. Why are these so much better than other brands in terms of password robustness?

About fingerprints, don't worry, my data isn't sensitive enough to cut my finger off to get access to it. And I think that it's possible to copy the fingerprint with the appropriate paste; they would only have to knock me off and reproduce my finger in silicone... Anyway, if I consider using my fingerprint, it should be redundant with a password like the Windows authentication. This functionality is very useful to me as I often use my X61 as a tablet and I like to be able to start it without having to turn the screen back to the laptop position in order to type the password (the reader is next to the screen).

To loyukfai:

My fingers thank you! I can't tell if my reader is one of these latest-generation ones.

And don't worry, I know I'm out of my company's IT scope, but their laptops are running so slowly... and far from my X61's 5h battery life... I'm myself working in IT; I'm just not really aware of the latest capabilities of my X61 and possible HDD-integrated security functions.

I also know that only a machine in a bunker at the top of a mountain, switched off and using no connectivity, can provide a nearly perfect level of confidentiality (but not integrity). I'm joking, but I know they do this somewhere in Switzerland to protect some critical certificates...

What I want is:
- to reach a level of security with my machine comparable or superior to what is done on my company's laptops, just in case
- to preserve its responsiveness, which I'm enjoying every day
- to satisfy my curiosity for both efficient and useful technologies

So please, share with me, just a few more cents... :)

EOMtp
ThinkPadder
Posts: 1583
Joined: Fri May 19, 2006 12:51 pm

Re: Improving my X61t security

#5 Post by EOMtp » Thu Oct 29, 2009 1:15 pm

There isn't much point in "protecting" the entire laptop or hard drive or using FDE (which has "back doors" which circumvent the encryption). The fingerprint authentication, if enabled for bootup, is perfectly adequate for preventing nuisance intrusions, i.e., preventing someone from turning on the laptop and "browsing".

Beyond that, what needs to be protected is data, not programs. That requires just a bit of discipline, and then the task becomes almost trivial.

The discipline consists in placing data in an encrypted volume rather than in "My Documents" or similar locations AND using a sufficiently long and randomized encryption key that cryptographic techniques cannot decipher even given all the computing power in the known universe.

Hard to beat TrueCrypt for sheer simplicity, elegance, functionality, and ease of use. It's free and the encryption is unbreakable IF one uses a sufficiently large randomized encryption key.
http://www.truecrypt.org/

RealBlackStuff
Admin
Posts: 17517
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA

Re: Improving my X61t security

#6 Post by RealBlackStuff » Thu Oct 29, 2009 1:59 pm

HD passwords on IBM/Lenovo laptops have to be enabled first in the BIOS.
See here how to set/change/cancel them: http://www-307.ibm.com/pc/support/site. ... JXNTY.html

Volker
Junior Member
Posts: 482
Joined: Fri Oct 01, 2004 10:21 am
Location: Dublin, Ireland

Re: Improving my X61t security

#7 Post by Volker » Thu Oct 29, 2009 4:06 pm

EOMtp wrote:using FDE (which has "back doors" which circumvent the encryption).
Any examples? FDE drives store the password internally; your only hope is to somehow take them apart without erasing the key.
EOMtp wrote:Beyond that, what needs to be protected is data, not programs. That requires just a bit of discipline, and then the task becomes almost trivial.
True in principle, but in practice there are many places where temporary data is written to (swap file, registry, system log files, temporary files of individual programs, ...). Also, unencrypted binaries can be exchanged for malicious ones in your absence.

There is no single technological solution to good security; it's a complex problem.

EOMtp
ThinkPadder
Posts: 1583
Joined: Fri May 19, 2006 12:51 pm

Re: Improving my X61t security

#8 Post by EOMtp » Thu Oct 29, 2009 5:25 pm

Volker wrote:Any examples? FDE drives store the password internally; your only hope is to somehow take them apart without erasing the key.
In the U.S., and perhaps elsewhere, providing such examples violates multiple laws. Ask yourself: If the FBI or Scotland Yard .. or, by extension, your local sheriff .. wanted to read encrypted disks, would they have to "take them apart"?
Volker wrote:... unencrypted binaries can be exchanged for malicious ones in your absence.
It is vandalism, but not a breach of security, to exchange encrypted binaries given that the replacement binaries have not been encrypted with the same key!!!
Volker wrote:There is no single technological solution to good security; it's a complex problem.
There exist many technological solutions for good security. However, perfect security is more elusive. I agree: it's a complex problem, but not an insoluble one. If the data are that sensitive, then one simply does NOT place that data on a laptop. Period. For everything else, there exist numerous solutions which are plenty good enough.

loyukfai
ThinkPadder
Posts: 1085
Joined: Tue Aug 08, 2006 2:08 pm
Location: Hong Kong

Re: Improving my X61t security

#9 Post by loyukfai » Fri Oct 30, 2009 12:20 am

If we assume the fingerprint reader is okay, then I think "passwording" the HDD may be enough.

Just enable the password/passphrase in BIOS, then under Windows, enable "Use fingerprint scan instead of power-on and hard drive passwords", and if you like, "Enable single sign-on capability" as well (that way you don't have to swipe the finger twice, once at boot and once at Windows login).

The "passworded" HDD should not be accessible without the password or fingerprint swipe afterwards. However, as mentioned above, someone with enough time, money and/or tools may open the drive in a clean room, and cast some magic to extract the data.

An FDE drive, OTOH, should bring another layer of security so that (assuming the implementation is sound and there's no backdoor), when your PC is cold (read: off), someone with enough time, money and/or tools still won't be able to extract the data.

Tasurinchi
Senior ThinkPadder
Posts: 2009
Joined: Mon Aug 17, 2009 8:38 am
Location: Zurich, Switzerland

Re: Improving my X61t security

#10 Post by Tasurinchi » Fri Oct 30, 2009 4:28 am

I'm not a security expert but I would start discussing the issue with your IT department and see what they recommend first.

I remember discussions with my IT guys and they would normally recommend encrypting the hard drive data in the first place. Using a Windows password is a must nowadays, but it's dead easy to take the HD out of a notebook, put it in a USB/eSATA enclosure and read the data.

The idea mentioned in previous posts about putting a password on the HD directly makes sense to me as well. But I have no experience with it. I would go for encryption software.

Consider also that there's no PERFECTLY SAFE solution; there will always be someone with enough skills/tools to hack into anything. :|

I think you should find a good balance for you between safety/costs/practicability as well. There are also many other factors to consider. Do you travel a lot? Is your work exposed a lot in other networks? Or internet? Or to competitors? The list could go on and on...

Just my 0.02 cents...
IBM Convertible 5140/L40SX/220/240/240X/2*340CSE/360PE/365XD/380D/380E/380XD/380Z/390/560E/560X/2*570/2*600/600E/750Cs/755C/760CD/760EL/760XD/770E
A20p/A22p/A31/i1600/G40/R50p/R61i/S30/SL510/2*T22/4*T4x/11*T6x/6*T40x/6*T5x0/3*W5x0/W700/3*X2x/4*X3x/3*X4x/5*X6x/3*X6xT/12*X2xx/4*X30x/Z60m/3*Z61x

RealBlackStuff
Admin
Posts: 17517
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA

Re: Improving my X61t security

#11 Post by RealBlackStuff » Fri Oct 30, 2009 5:08 am

You asked earlier on:
- if you can make backups with e.g. Ghost. Yes, but only after you have entered the HD password.
- if this works with multi-system installations.
------- If you mean, move the HD between laptops? AFAIK, no.
------- If you mean, multiple OSes on one HD? Yes.

AlphaCentaury
Posts: 10
Joined: Sat May 09, 2009 2:29 pm
Location: Mulhouse, France

Re: Improving my X61t security

#12 Post by AlphaCentaury » Fri Oct 30, 2009 5:58 am

Thanks everybody, your answers reflect the complexity of this question.

About the authentication, I'm going to set the BIOS parameters up. But some questions remain:
1 - Is there a risk of definitely losing access to my PC (without sending it to IBM or specialists)? I remember having tried to change a security chip on a T30 with a locked BIOS, without success.
2 - Are fingerprint and password authentication redundant (e.g. my fingerprint reader gets out of order)?
3 - When you speak about HDD password setting, is it part of the global hardware authentication mechanism through the BIOS or a parallel one?

4 - Now about the data confidentiality, I like the hardware disk encryption as it is transparent for the user (and also for the administrator) and it seems to induce no performance loss. But my laptop is often connected to networks and the Internet, I use Bluetooth nearly every day, and this means that the risk of an intrusion bypassing this global encryption exists. Therefore, I understand the potential of specific software encryption which protects the data confidentiality all the time. Both solutions could be implemented in a "two levels" security approach...
5 - And what about this HDD password (apparently robust on IBM and Hitachi HDDs)? If I understand correctly, it locks the hardware components of the HDD without any specific treatment of the data. In other words, the only way (if the password is considered to be logically and physically unbreakable) to access the data would be to extract the platters from the disk. It prevents accessing the data from a SATA/USB adapter, but not by a specialist... This could be an interesting alternative to hardware FDE if used with a software encryption solution for critical data... Conversely, if they are sold at the same price as FDE, why not use FDE-enabled disks...
6 - Again, how to identify these password-enabled disks on the market?

To conclude, of course every solution can be bypassed, at least through brute force... and time! And I'm sure that at a governmental level they can break through most general-public solutions if they put the means into it. Using legal solutions, there is no way to provide an unbreakable solution.

loyukfai
ThinkPadder
Posts: 1085
Joined: Tue Aug 08, 2006 2:08 pm
Location: Hong Kong

Re: Improving my X61t security

#13 Post by loyukfai » Fri Oct 30, 2009 11:41 am

Seriously, you should have given it a try by now, based on your current config. You can always turn them off if you don't like it...
AlphaCentaury wrote:1 - Is there a risk of definitely losing access to my PC (without sending it to IBM or specialists)? I remember having tried to change a security chip on a T30 with a locked BIOS, without success.

2 - Are fingerprint and password authentication redundant (e.g. my fingerprint reader gets out of order)?
Not sure what you're asking in Q1, but I can use both a fingerprint swipe, or entering the password to login during boot. The default is to use a fingerprint swipe, but it can be bypassed if you like, and if the machine has waited for too long.
AlphaCentaury wrote:3 - When you speak about HDD password setting, is it part of the global hardware authentication mechanism through the BIOS or a parallel one?
???
AlphaCentaury wrote: 4 - Now about the data confidentiality, I like the hardware disk encryption as it is transparent for the user (and also for the administrator) and it seems to induce no performance loss. But, my laptop is often connected to networks and the Internet, I use Bluetooth nearly everyday, and this means that the risk of intrusion exists by-passing this global encryption. Therefore, I understand the potential of specific software encryption which protects the data confidentiality all the time. Both solutions could be implemented in a "two levels" security approach...
Even with TrueCrypt, once you've unlocked the data yourself, all hell can break loose. And at some point, you have to unlock the data anyway, right?

Like I said above, these solutions only work when your PC is cold. (And I mean cold, since it's been demonstrated that the key can be read off the RAM in Suspend to RAM mode, or boxes that have just been turned off)
AlphaCentaury wrote:5 - And what about this HDD password (apparently robust on IBM and Hitachi HDDs)? If I understand correctly, it locks the hardware components of the HDD without any specific treatment of the data. In other words, the only way (if the password is considered to be logically and physically unbreakable) to access the data would be to extract the platters from the disk. It prevents accessing the data from a SATA/USB adapter, but not by a specialist... This could be an interesting alternative to hardware FDE if used with a software encryption solution for critical data... Conversely, if they are sold at the same price as FDE, why not use FDE-enabled disks...
In fact, there are SOFTWARE tools to break ATA passwords, though not all of them work with every drive.

FDE drives are better in this regard, but again, there may be flaws and backdoors in the implementations which you and I are not aware of.
AlphaCentaury wrote:6 - Again, how to identify these password enabled disks on the market?
Hitachi uses a digit in its long model number to distinguish between FDE and non-FDE drives. Seagate has "FDE" in their names. Others, not sure, but it should be relatively trivial to Google them.

If it's really important, adhere to your IT department's policy (so if anything goes wrong, you won't be fired on the grounds that you didn't follow the company's directions) and, well, don't store them on your laptop (or USB stick) at all.

And IMO, security mechanisms can only be treated as a deterrence. Ask yourself, what's the cost of the data being stolen (USD100? USD100k?), and decide accordingly.

Cheers.
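Added example, not code from this thread: a small POSIX shell script that reads the output of the Linux `hdparm -I` command (assumed available; it is not a Windows tool) and reports whether the ATA HD password discussed above is actually enabled on the drive and whether the BIOS has frozen the security state, so that nothing running inside the OS can change or clear the password. The two hdparm outputs embedded in it are constructed samples.

```shell
#!/bin/sh
# Parse the "Security:" block printed by `hdparm -I /dev/sdX`. hdparm lists one
# flag per line: a leading "not" means the flag is clear ("\tnot\tenabled"),
# no "not" means it is set ("\t\tenabled").

# Constructed sample: a drive WITH a password, seen from the OS after the BIOS
# unlocked it at boot (enabled, no longer locked, frozen against changes).
SAMPLE_PROTECTED=$(printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\t\tenabled\n\tnot\tlocked\n\t\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n')

# Constructed sample: a drive that supports ATA security but has no password.
SAMPLE_OPEN=$(printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n')

# ata_flag FLAG   (hdparm -I output on stdin)
# Prints "yes" if FLAG is set, "no" if it is clear, and "unknown" if the
# Security block does not list it (e.g. a drive without ATA security at all).
ata_flag() {
    awk -v f="$1" '
        /^Security:/ { insec = 1; next }                       # block starts
        insec && /^[^ \t]/ { insec = 0 }                       # next top-level heading
        insec && NF == 2 && $1 == "not" && $2 == f { print "no";  found = 1; exit }
        insec && NF == 1 && $1 == f                { print "yes"; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# ata_security_summary   (hdparm -I output on stdin)
# One-word verdict: is the HD password really set, and has the BIOS frozen the
# drive so that software running in the OS cannot change or disable it?
ata_security_summary() {
    out=$(cat)
    [ "$(printf '%s\n' "$out" | ata_flag supported)" = yes ] || { echo no-ata-security; return; }
    [ "$(printf '%s\n' "$out" | ata_flag enabled)" = yes ]   || { echo password-not-set; return; }
    if [ "$(printf '%s\n' "$out" | ata_flag frozen)" = yes ]; then
        echo password-set-frozen
    else
        echo password-set-unfrozen   # password set, but still changeable from the OS
    fi
}

# Real use: sudo hdparm -I /dev/sda | ata_security_summary
printf '%s\n' "$SAMPLE_PROTECTED" | ata_security_summary
printf '%s\n' "$SAMPLE_OPEN" | ata_security_summary
```

A drive that reports "password-set-unfrozen" accepts SECURITY commands from the running OS, so its password can be altered by any software with raw disk access; the frozen state is what the BIOS normally applies after unlocking the drive.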

loyukfai
ThinkPadder
Posts: 1085
Joined: Tue Aug 08, 2006 2:08 pm
Location: Hong Kong

Re: Improving my X61t security

#14 Post by loyukfai » Fri Oct 30, 2009 12:03 pm

Disclaimer: I had a long day and I'm sorry if any information is not correct, but they should be a good starter anyway... : )

Hitachi:
7K200/7K250: http://www.hitachigst.com/hdd/support/bulk_faqs.htm
7K500: http://www.hitachigst.com/tech/techlib. ... 500_DS.pdf
5K500.B: http://www.hitachigst.com/tech/techlib. ... _final.pdf

Seagate:
Momentus 7200FDE http://www.seagate.com/www/en-us/produc ... _7200_fde/
Momentus 5400FDE http://www.seagate.com/www/en-us/produc ... _5400_fde/

Fujitsu:
http://www.fujitsu.com/us/services/comp ... n-faq.html

Toshiba:
http://sdd.toshiba.com/main.aspx?Path=S ... ySolutions

And performance is not identical between FDE and non-FDE drives, last time I checked, though I don't think the difference is that significant.

Volker
Junior Member
Posts: 482
Joined: Fri Oct 01, 2004 10:21 am
Location: Dublin, Ireland

Re: Improving my X61t security

#15 Post by Volker » Fri Oct 30, 2009 1:59 pm

EOMtp wrote:Ask yourself: If the FBI or Scotland Yard .. or, by extension, your local sheriff .. wanted to read encrypted disks, would they have to "take them apart"?
You think there is some global conspiracy whereby, say, Hitachi (a Japanese company) builds in a back door for foreign police and secret services?

Depending on how far habeas corpus has been eroded in your local jurisdiction, you'll be imprisoned (e.g. UK/US) until you surrender the password. Much easier than extracting the key from the hard drive.
EOMtp wrote:It is vandalism, but not a breach of security, to exchange encrypted binaries given that the replacement binaries have not been encrypted with the same key!!!
That's exactly my point! Hence you need to encrypt your programs as well, and not just your data. Otherwise you cannot detect whether the binaries have been tampered with.

AlphaCentaury
Posts: 10
Joined: Sat May 09, 2009 2:29 pm
Location: Mulhouse, France

Re: Improving my X61t security

#16 Post by AlphaCentaury » Thu Feb 11, 2010 3:43 pm

I finally bought a Hitachi HDD supporting FDE. I enabled all the security settings in the BIOS and it works pretty well.
If I understand correctly, the HDDs supporting FDE always encrypt the stored data, even without any password set. By setting a password you don't lose any performance.

Thank you for this interesting discussion.
- X40 1.2GHz/1Go/Lexar 8Go Compact Flash HDD/10h
- T30 1.8GHz/512Mo
- X61t 1.4GHz/2Go

j-dawg
Senior Member
Posts: 529
Joined: Mon Jul 17, 2006 9:32 pm
Location: PGH, PA

Re: Improving my X61t security

#17 Post by j-dawg » Fri Feb 12, 2010 1:10 am

It's funny that this topic should be resurrected today, because a white-hat hacker just announced today that he has broken the TPM encryption...
X61 Tablet - 1.6GHz C2D, SXGA+, 1GB RAM, 100GB HD, Vista Business.

i have other laptops but i'll be honest i never use 'em

richk
Moderator
Posts: 2911
Joined: Sun Jan 01, 2006 3:29 pm
Location: San Francisco, CA

Re: Improving my X61t security

#18 Post by richk » Fri Feb 12, 2010 5:08 pm

There are more announcements than break-throughs
