For those who travel, a laptop, notebook or netbook is a great tool in many ways. However, a wealth of exploitable information is carried around on the hard disk, in many cases without any form of data security. Here’s how to build a first line of defense in case your laptop falls into the wrong hands, based on a 4-year and ongoing journey in the Middle East and Asia.
Lock down your sensitive hard disk information
The value of a laptop nowadays is two-fold: first the value of the machine, second the (exploit) potential of the information stored on the hard disk. In some cases the value of the laptop is insignificant compared to the value of the information it’s carrying. Measures to lock down information stored on the hard disk are easily justified. A first line of defense secures your sensitive data against those who seek to exploit the information of others.
Laptop hard disks are very easily removed and simply accessed in external USB enclosures
At present, the average operating system on a laptop isn’t configured well enough to provide that first line of defense out of the box. Either there’s a lack of tools (Windows) or the tools are too complex to use (Unix/Linux) for the average user.
Here you find the basic components to protect your sensitive data DIY style on a Windows-based laptop. However, most of the concepts explained here are applicable to Linux or Mac-based laptops too.
A bit of experience with configuring your laptop is usually enough. Otherwise, find someone who can show you how. The information you find here is based on 4 years of continuous travel through Asia and the Middle East.
Building a first line of defense - securing your laptop data
The basic components for a first line of defense are:
- Data encryption – protecting your files by means of a password.
- Online network security – protecting your files while online
- Secure password storage – how to securely store access keys
Although most speak for themselves, what matters is how they are used by those who travel. So a few criteria are:
- Easy to use, traveling already grabs most of the attention
- Takes little time to learn and operate
- Battery and CPU friendly, AC mains is not always available
- Prevents owner lock-out
A brute force approach would be to lock down all information on the hard disk with full disk encryption. For example, SafeBoot by Control-Break (now McAfee) was one of the first to offer a full lock-down with one "last resort" backdoor key in case the main password gets lost. At present, most operating systems offer a full lock-down facility similar to SafeBoot; however, it’s never switched on by default. More recently, there are self-encrypting hard disks with the encryption task embedded inside the hard disk.
Now there are 2 arguments against a full encryption lock-down for those who travel. First of all, hard disk failure makes it very hard to get anything back with conventional recovery tools like Partition Recovery. Secondly, backups are a pain, especially when it’s about disk cloning or drive imaging a fully encrypted disk.
Next to that, owner lock-out (oops, forgot my password) is almost as painful as losing the hard disk itself. The last resort backdoor SafeBoot provided was peace of mind but requires even more extras to maintain. For traveling, a less heavy and more portable type of encryption also does the trick.
TrueCrypt is an example of more portable encryption. It’s based on encrypted containers, somewhat like a compressed ZIP file. To read the contents, it creates a new virtual disk which makes the encrypted information available just as it would be on a USB stick or external disk.
The TrueCrypt container can be sized to fit, for example, a USB stick, which makes it portable and lets it serve as a simple backup. Nonetheless, a disk failure in an encrypted container is as crippling as with full disk encryption. However, because of its portability, backups are easier to create. Using encryption therefore calls for rigorously applied backup schemes.
Container-based encryption requires a (master) password, which should either be memorized or stored in a password management scheme, which is discussed in secure password storage.
Online network security nowadays has become as important as encrypting data on a hard disk. It’s common knowledge that operating systems, browsers and e-mail programs have security flaws, allowing exploits that lead to access to all sorts of information on a disk.
Disk encryption such as TrueCrypt can prevent an online grab for information; however, it should be locked down when online. That’s not always the case.
Basic online security comes with a firewall monitoring incoming and outgoing network traffic. A powerful feature is a program access list that grants individual programs access to communicate over the (internet) network. In the example above you see the McAfee program Access Control List, part of the security suite. A simple program like Netstat (DOS) or the more sophisticated X-Netstat shows the programs with active network connections.
It’s surprising how many programs communicate online without the user knowing what’s being communicated. An example is the defragmentation program O&O. It ships installation / usage information to the manufacturer each time a connection is made with the internet. O&O headquarters can see how many times a single O&O license is used.
Having a program access list comes with another advantage: it keeps the amount of traffic going in and out to the minimum required. When connected to prepaid 3G internet, this saves the bandwidth budget and eradicates unnecessary traffic.
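The check described above, comparing what Netstat reports against a program access list, as an added example that is not part of the original article: it parses the text of Windows `netstat -bno` and lists programs with established outside connections that are not on the list. The sample output, the access list and the program name defrag-helper.exe are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -bno` output (not captured from a real machine).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     203.0.113.25:443       ESTABLISHED     4312
 [firefox.exe]
  TCP    192.168.1.10:49730     198.51.100.7:80        ESTABLISHED     5120
 [defrag-helper.exe]
  TCP    192.168.1.10:49731     198.51.100.7:80        TIME_WAIT       0
  TCP    127.0.0.1:49800        127.0.0.1:49801        ESTABLISHED     4312
 [firefox.exe]
  TCP    192.168.1.10:49755     192.0.2.44:1194        ESTABLISHED     2208
 [openvpn.exe]
"""

# Hypothetical access list: the only programs the owner has approved to use the network.
ALLOWED = {"firefox.exe", "openvpn.exe"}

# State is optional because UDP rows have an empty State column.
CONN = re.compile(r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
                  r"\s+(?P<state>[A-Z][A-Z_0-9]*)?\s*(?P<pid>\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+?)\]\s*$")

def parse_connections(text):
    """Pair each connection row with the [program] line that follows it, if any."""
    conns = []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            conns.append({**m.groupdict(), "program": None})
        elif conns and (o := OWNER.match(line)) and conns[-1]["program"] is None:
            conns[-1]["program"] = o.group(1).lower()
    return conns

def unapproved(conns, allowed):
    """Established, non-loopback connections whose program is not on the access list."""
    hits = []
    for c in conns:
        host = c["remote"].rsplit(":", 1)[0]
        if c["state"] != "ESTABLISHED" or host.startswith("127.") or host == "[::1]":
            continue
        if c["program"] not in allowed:  # rows with no known owner are reported too
            hits.append((c["program"], c["remote"], c["pid"]))
    return hits

if __name__ == "__main__":
    for program, remote, pid in unapproved(parse_connections(SAMPLE), ALLOWED):
        print(f"not on access list: {program} (PID {pid}) -> {remote}")
```

On a real laptop, pass it the text produced by `netstat -bno` run from an elevated command prompt instead of the sample.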
Another part of online security is to lock down network traffic through a network cable or, for example, a WiFi access point. While traveling, it’s not uncommon to connect to a rogue network where traffic is monitored by thugs, ISPs or government agencies. Although most websites that handle sensitive information are HTTPS encrypted, it’s still possible that usernames and passwords fly over the line in clear text. For instance, some of the social networking sites still have unsecured logins.
A simple and effective lockdown of network traffic is to use VPN-based network encryption. This way all traffic is encrypted up to the VPN access point. There are several commercial VPN secured internet connection providers, such as Witopia. It uses the open-source initiative OpenVPN.
Basically, it encrypts an active internet connection through WiFi, LAN cable or 3G modem and connects the laptop to the internet at a different location in the world. So it’s possible to connect a laptop to the internet in, for instance, Oman while from the outside it seems one connects (through VPN) to the internet in, for example, London or New York. This also bypasses any local (government) filtering.
There’s a lot to say about secure password storage. Read more about Secure Password Storage in a separate section.
Information bits with potential exploit value
Here’s an overview of information that has the potential to be exploited once found on an unsecured laptop hard disk or during an open, unsecured internet session.
- License keys for software and services
- Banking access keys (PayPal, Google Checkout)
- Credit and debit card numbers
- Business information (business / marketing plan)
- Access to e-mail and POP/SMTP servers
- Internet domain name access keys
- Web hosting access keys
- Shopping account access keys (Amazon, eBay)
- Access keys to online forums and social networking sites
- Access keys to online utilities (water, gas, phone, cell phone, electricity)