Schneier on Security
A blog covering security and security technology.
« Monopolies and DRM |
| Automatic Surveillance Via Cell Phone »
July 28, 2005
Risks of Losing Portable Devices
As PDAs become more powerful, and memory becomes cheaper, more people are carrying around a lot of personal information in an easy-to-lose format. The Washington Post has a story about this:
Personal devices "are carrying incredibly sensitive information," said Joel Yarmon, who, as technology director for the staff of Sen. Ted Stevens (R-Alaska), had to scramble over a weekend last month after a colleague lost one of the office's wireless messaging devices. In this case, the data included "personal phone numbers of leaders of Congress. . . . If that were to leak, that would be very embarrassing," Yarmon said.
I've noticed this in my own life. If I didn't make a special effort to limit the amount of information on my Treo, it would include detailed scheduling information from the past six years. My small laptop would include every e-mail I've sent and received in the past dozen years. And so on. A lot of us are carrying around an enormous amount of very personal data.
And some of us are carrying around personal data about other people, too:
Companies are seeking to avoid becoming the latest example of compromised security. Earlier this year, a laptop computer containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen from the car of an MCI financial analyst in Colorado. In another case, a former Morgan Stanley employee sold a used BlackBerry on the online auction site eBay with confidential information still stored on the device. And in yet another incident, personal information for 665 families in Japan was recently stolen along with a handheld device belonging to a Japanese power-company employee.
There are several ways to deal with this -- password protection and encryption, of course. More recently, some communications devices can be remotely erased if lost.
Posted on July 28, 2005 at 11:40 AM
• 31 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Ideally the devices would have built in biometric security.
I think every laptop and handheld should use encryption to encrypt all data to and from the hard-drive, and the virtual memory. If essentially all the blocks on the disk are encrypted using one or more passwords/phrases you have to type in at the BIOS level during bootup and prior to login then the data should be reasonably secure even if you lose it (unless you were dumb enough to lose it, still logged in).
Of course that probably requires hardware encryption to avoid crippling the performance of the disk, and probably some or all manufacturers are capable of messing up the implementation...
Actually, does anyone know if SELinux does that in software?
Some, probably most, forms of biometric security don't work well, Casey. For example, fingerprints. There's a rather high chance that the device will be covered in liftable fingerprints... :-)
The only chance you have is making the data inaccessible even if they have access to every part of the device for long periods. That probably means hard encryption. So, no storing unencrypted passwords on disk or even RAM when you put the device into standby mode for example.
"Ideally the devices would have built in biometric security."
Yes; I think this is an excellent application of biometrics.
I have to admit I am a little bit confused Bruce. Some time ago you suggested people should note their passwords and put them in their wallets rather than use no password at all or one password for everything. And now you are afraid of losing portable devices? How does a PDA differ from a wallet? Social security number, credit card numbers, passwords versus the information on a PDA?
You don't have to be a security guru to acknowledge that personal information should only be carried around if it can be kept safe or is stored encrypted. I guess better PDA should support this setup, or not?
Don't forget that using hard encryption at the lowest level doesn't do you any good if the passphrase or password to unlock the hard encryption is trivial (or taped to the body of the laptop somewhere, or stored in the Palm Pilot that is also in the laptop bag that itself has a trivial password, or stored in the cell phone, etc).
Throwing encryption at the problem isn't going to help, in fact it will probably make it worse. The core of the problem is that people don't classify their data properly, and don't take proper steps to protect data that should be classified "secret". If we just say, "Everything on your laptop is now encrypted", users will continue to just dump whatever on their laptop (even data that they have no business having/keeping/transporting), because now, "It's encrypted and perfectly safe." If we want a technical solution to the problem, we need to make it easier for people to classify and manage their data.
The IT industry has gone to great lengths to make things easier on people, but one of the consequences of this agenda is that people now no longer can be bothered to think about the consequences of their data storage.
People keep email forever because they can -> their email storage capacity has gone from "you can keep a few hundred plaintext emails that you've received and you need to clean out old mail" to "You can keep everything that anyone has ever sent you, along with their 5+ MB attachments".
There are several issues here.
One, I think writing a strong password down is more secure than choosing an easy-to-remember/easy-to-guess password.
Two, there's a whole lot of personal information in PDAs that can be very damaging if lost.
Three, there's much less personal information in wallets than in PDAs, cellphones, and small computers.
Four, if you store your passwords on your PDA, I recommend using some kind of encrypted memo application.
Five, if you write your passwords down, it's best to obscure them in some way.
What's the confusion? Security is always a trade-off, and there's no perfection.
It's possible for me to note logins & passwords on a post-it with enough of a mental clue to tell me which system it's for but not enough for a non-sophisticated person to match them with a system. (Someone with intimate knowledge of what systems I use and what the logins for them are is a different story) I'd say that's the difference betwee the PDA information which is designed to be read & understood.
we encrypt data and automatically wipe the contents after several failed authentication attempts, since pdas can be resynced by their true owners.
The horrorstories from the field can be worse that just losing a machine with confidential data; consider someone losing his laptop with the only copy of the confidential data on it... I know of an occasion where that happened.
- Failure to make backups
- Taking confidential data out of a secure facility
Thanks Ian for the tip on liftable fingerprints. I hadn't thought of this. I notice that Lacie has a biometric USB hard drive now available. One can use up to five fingerprints to gain access to the information. It has a built in fingerprint scanner. However, since it is portable and metal casing (I believe), then most likely the user's fingerprints will be on the case. Someone with the right know-how could lift the fingerprints and probably defeat the system.
One other possibility: Have the mobile device be a data ACCESS device rather than a data storage device. Thus you lose the access device -> decredential the device and problem solved.
EG, for mail, have it be IMAP with the mail on the server.
The disadvantage, however, is you need connectivity to use the device.
Yes, mobile devices are best automatically synced not only for backup purposes themselves, but because the backups greatly facilitate using software that auto-destroys data on a lost system. For example you can set the self-destruct to be based on time since the last sync, as well as brute force attempts.
Two things have been brought up here: Securing data and securing passwords. I actually wrote about both of them a while back already.
About a way to use hashes to make strong passwords, without having to remember them or writing them down, here:
And thoughts about on-the-fly encryption of disk-data in software (using Bruce's very-own BlowFish or TwoFish for example, which is fast and does not noticeably degrade performance) here:
Note that the latter also provides for a very easy and effective way to backup all important data with a single drag-and-drop, which is nice.
I keep all of my account info (logins, passwords, etc) on my PDA. But I also use Zsafe to store them in. You have to know the password to view the account info.
As for my laptop, I had a piece of software (don't remember the name) that I tried. It encrypted the entire drive, the performance hit wasn't too bad. My problem was that being a developer, I end up having to wipe and reload the OS (MS of course) way to often. So now, I try not to keep the "important" file on the laptop. I "archive" them off to DVD or CD and keep them at the house. If I am going to need something, I only get the info I need. I figure this will limit the risk.
How ironic that this thread is straight after one that discusses DRM and it's potential downside.
One of DRM's close cousins is "trusted computing", and securing lost documents is one of the benefits of these technologies.
Imagine loosing a paladium PDA containing DRM'ed documents. To contain the breach, simply instruct the DRM policy server to disapear the documents, something a simple phone-call can do.
In the end of course security relies on training users to report losses in a timely manner, so the technology enables security but does not provide it in and of itself.
Personally I don't think the benefits of the above scenario are worth the trade-offs.
My Fujitsu laptop has a bios lock and won't boot unless the right key sequence is pressed. It also has a fingerprint scanner which can be used to authenticate as well as a password (I'd rather disable the password although the drivers have a habit of locking up). Now all it needs is a decent encrypted FS and I'd feel very safe about the relatively unimportant data on the HD. It would at the least make it sufficiently difficult for a thief to use the laptop that it wouldn't be worth stealing, although he may just look at the next person with a laptop.
@ Ian Woollard
"Actually, does anyone know if SELinux does that in software?"
AFAIK SELinux does not do any encryption. It's implementation of Mandatory Access Control in Linux kernel, not any encryption engine.
"Now all it needs is a decent encrypted FS..."
If using recent windoze, consider Truecrypt:
which I use on my windoze laptop and find to be excellent.
(Technically on recent NTFS systems you could also try Microsoft's EFS but who the heck would trust them with a crypto project. BTW note that EFS automatically escrows stuff to the administrator account.)
Of course there are also plenty available for linux although I can't personally recommend them, as on my linux desktop machine my only bulk encryption is backups (done through a script), but here are some examples:
BTW as well as BIOS and boot passwords and an encrypted disk, I would also add a swap file eraser (can be configged in Win2K with a registry key), and Tripwire or Tripwire for Windows because it is too easy for a smart attacker to screw with the system when he can obtain physical possession, which is particularly easy with a portable device.
"Ideally the devices would have built in biometric security."
Some time ago I read about Paron, secure PDA manufactured by IBM and CDL:
Does anyone know anything about availability of this device ? I've tried to ask IBM about it, but got no answer at all. Perhaps it's not intended for open market.
For Linux, I would add Bestcrypt from Jetico (http://www.jetico.com). It's commercial product, but not terribly expensive ($60). There are verions for both Linux and Windows (the same container files), and Linux version is available as source code for 30 days evaluation - not common practice for commercial product.
I'm not employed there - I just think it's worth consideration.
The method used in the company I work for is quite simple and elegant. While all employees have laptops, no data can be stored on them at any time.
While inside our corporate network we access the data on the network drives (OK, I know that his might leave some data in temporary caches of different programs accessing it), but we cannot store offline copies.
When we are outside the corporate network the laptops become glorified thin clients connecting to corporate network through Citrix.
If a laptop is stolen, no data theft occurres, and the thief still cannot access Citrix network even if the password of the account is somehow cracked, as we use two factor for authentication.
With my service provider (in Ireland - don't know about the US) if my phone gets robbed, I can just ring up and get my sim-card blocked - just like a credit card. All my contacts etc. are saved here. So the thieves get the phone but not the information. It's quite a regular occurance with people losing phones etc, so they have a really quick response.
also: "More recently, some communications devices can be remotely erased if lost."
-good idea, but then you get into remote access security risks. But I guess it's worth the trade off for some companies.
Too bad my Treo stores its info in flash instead of a Seagate "full disc encryption technology" drive (http://www.seagate.com/newsinfo/newsroom/success/D2g42.html). And too bad those aren't available yet, too -- just a press release (vaporware?) so far.
>When we are outside the corporate network the laptops become glorified thin clients connecting to corporate network through Citrix.
Is the power of a GSM with 38.400 BpS enough to connet through Cirtix ?
I do not belive it.
The risk of losing hard disk has been known and solved a long time ago - by the password system of IDE hard drive.
and read "6.10 Security Mode feature set" around page 30 / page 46.
Pay attentiong to the last sentense of "6.10.4 Frozen mode" - only one bootloader does that.
(1) Overhyped buzzword featured for first time in history during last few years.
(2) usage sure sign of a business based on selling out their fellows to overeager jailers for a buck.
(3) A word that should not be used by a commentator without a paragraph about their morals about the apartheid systems this technology inevitably brings us and whether they believe the world would be better off without any markets for it leading to production of it.
(4) The removal of every happy ending of every refugee in history who escaped from their murderers by going across a borderline they were not supposed to. Ever identify with a protagonist who escaped? Too bad.
I am working on a project that implements biometric authentication for pda's with the authentication being done on a SIM-card.
One problem is that most devices require authentication only on startup, and most devices such as smart phones or PDA's are always on to allow acceptance of incoming calls. So, it is likely that if someone steals your PDA they don't need to authenticate to get access to your data.
Further, the problem about protecting the PDA is that you don't need to steal it at all: Recall the Bluetooth sniper rifle? Recall that bluetooth can be broken in seconds? Both have been tried and tested.
So, if you're up to steal identities, build yourself a bluetooth rifle (see tomshardware) and use the attack mentioned by FBI and tested (I recall some article on security-focus.com) to crack the device in seconds.
Storing sensitive information on a PDA is not a good practice. At least using currently available devices.
> Storing sensitive information on a PDA is not a good practice.
> At least using currently available devices.
I agree. Actually, storing sensitive data in any portable format (usb key, portable computer) is probably generally a bad idea (unless you have good security practices when it comes to safeguarding the format, or the data itself is easily depreciable.) This is the classic trade-off situation again, though... I keep an unencrypted password file on my usb key (for example), but I don't keep my "top secret" passwords on it, and I have a disaster recovery plan already in place so that I can render that data useless in relatively short order in the event I lose the key.
But again, the underlying problem here is the classification of the data. What is "sensitive" is not well defined. People keep copies of things they shouldn't keep (oftentimes unaware they're keeping the data at all), because they aren't trained to dispose of data.
Shredders are still pretty uncommon in the general public... if the average American is still learning how to dispose of stored data in a format (paper) that's been around for thousands of years, they're probably going to take at least a couple of decades to learn how to dispose of digital data properly.
> Is the power of a GSM with 38.400 BpS enough to connet through Cirtix ?
> I do not belive it.
38400 is WAY more than enough for a decent Citrix connection. You can optimize it even furhter for slower connections. I used to regularly connect over 19200, and rarely had problems.
Local printing/file transfers would be quite slow though.
Let us not forget two basic but effective techniques for preserving the integrity of your data in the event that your device is stolen:
1) Dilution. Say you have 5 phone numbers of senior members of your counter-terrorist force in your PDa which is then stolen. Unless the thief particularly and intentionally targets your mobile to gain this information, will they know the significance oif maybe 10% of your phone numbers? Almost certainly not.
2) In this discussion we are assuming the risk is that of a deliberate, malicious attempt to gain access to the important personal data on your PDA. Statistically this form of attack is infintesimally likely compared to the opportunist thief who steals it out of your bag / the crack head who robbs you and is in no fit state to do anything other than to seel it to his dealer for the next rock.
Sure, it may well be a good diea to encrypt your credit cards and address, but the rest... Is it really necessary? Are we discussing how to protect from a threat that does not really exists in the real world?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.