Preparing laptops for theft [closed]

Having your "dropbox" folder encrypted is a good first step. I use a dedicated TrueCrypt partition for data, and use two passwords on the laptop -- one for Windows login, and another for the TrueCrypt data partition. One weakness here is that browser history, last opened file names, and many other potentially interesting kinds of user data are left unencrypted.

You can supplement this with a 'phone home' solution like Prey. I think it's debatable how much this would help against a professional information thief, but at least it gives the appearance of doing something active about recovering the laptop.

You can also encrypt the full boot drive. There are pros and cons. On the plus side, full drive encryption is comprehensive; nothing is accidentally left unencrypted. On the negative side, a small software or hardware malfunction can lead to an OS reinstall.

Tom's Hardware recently compared TrueCrypt and BitLocker from Microsoft, but not some of the competition. IMHO the article misses the point a bit; speed is not a significant differentiator between the two, but BitLocker's stronger support for enterprise deployment and key maintenance is.

Edit: Great comments below, thanks Warner, nedm & Maxwell. As for the "Evil Maid" attack, I know of this attack, but it's not stopping me from using TrueCrypt. If an attacker can repeatedly get physical access to a PC, then any security measure can ultimately be defeated. The question is, would it be economical to mount an attack, relative to the expected value of the stolen good? For most companies, I think TrueCrypt full disk encryption would make an attack uneconomical (cost of one criminal to make multiple break-ins, etc.). The common thief would simply wipe the hard drive and sell the laptop as a stolen good. If that's not good enough for you, then have a look at BitLocker, or better yet PGP's Whole Disk Encryption with two-factor authentication -- or stop using laptops. :-)


Look at using full disk encryption, whether BitLocker or a 3rd party product. This is not perfect, but makes it harder on a thief to get anything off of the system. Most will likely wipe and reload. You won't get the HW back, but you'll better ensure company data isn't lost because of a theft.


I would also advise going for the TrueCrypt solution as it can cover pretty much everything you want. I have a TrueCrypt volume on my laptop and have been experimenting with TrueCrypting the boot volume too. It's free, it's open source, and it doesn't play (as much) havoc with deployment.


Use BitLocker and BitLocker To Go. BitLocker is easily maintained and simple to deploy. If you want to get the hardware back, try laptopcop. I like laptopcop because they work with the police, freeing you from that pain. Another source of security is Windows Rights Management.


If you do not have physical security, you do not have any security. Any attempt at securing the data on an otherwise physically insecure system is only a delaying game against an incompetent thief. Since NTLM hashes for 14-character passwords, even with special characters, can be broken in 6 to 8 seconds now, I would recommend forcing a complex password scheme of no less than 24 characters and hoping the bad guy does not have a large enough rainbow table.