Increasing Computer Security through Hardware?
Audiostar asks: "I am interested in adding some security to several of my computers, but am unsure as to which product to go with. I would like to use some sort of external security measure, such as a pen drive token or something similar. I had considered custom building a key card and reader to install on all my machines, but once I started thinking about the cost and time of building a card reader for each of my computers it became rather impractical. Does anyone have any suggestions for external locking devices or software? I would prefer something that I could use on both my Windows and Linux machines, but protecting the Windows machines is the top priority. I don't need anything too fancy, just an added layer of protection from the multitude of various people who come in and out of my place of business every day. I own a 128mb flash disk watch, so possibly using that as a token would be both easy and geek chic. Any suggestions on what to install?"
How about this (Score:3, Interesting)
Re:How about this (Score:2, Funny)
* Way Way too cheap: Technology is supposed to drain your wallet
* Too Mundane: everybody has a screensaver, who's impressed by that nowadays
* Breakable: reboot into single user mode? If you encrypt all your files with a key stored on a usb flash thingy, then you'll be all set
Re:How about this (Score:2)
lilo/grub password (or even BIOS password).
Re:How about this (Score:2)
As for removing the HDD - that would be a bit conspicuous. I would add to the suggestion of BIOS and Grub/Lilo and Windows/Linux password, also bolt down the physical case and see if you can put some kind of locking device on the case to prevent someone from removing the cover (to steal the HDD).
Added layer of protection (Score:3, Funny)
Nobody's compromised any of my machines yet!
Re:Added layer of protection (Score:4, Funny)
Is it supported in Linux?
Re:Added layer of protection (Score:2)
Re:Added layer of protection (Score:1)
Re:Added layer of protection (Score:2)
I understand that ESR uses something similar -- but be real careful. When you've got those things between you and the keyboard, a typo can be deadly.
Or this... (Score:1)
Re:Or this... (Score:2)
And lose it.
Re:Goddam (Score:1)
Well if it wasn't broken before, it sure as hell will be now that every bored sysadmin with a Mozilla install is surfing on by to check out how broken it is.
Smart Card (Score:1)
Re:Smart Card (Score:2, Informative)
Does this attract or repel you? (Score:4, Interesting)
Really fucking big neodymium magnet installed in the door frame of the entrance to your office.
(Shamelessly stolen from Cryptonomicon. I guess Neal Stephenson should have used a bigger magnet.)
Re:Does this attract or repel you? (Score:2, Interesting)
Re:Does this attract or repel you? (Score:2)
Use reliable hardware. (Score:5, Insightful)
Don't use the watch. You'll smack it against something, and then you're screwed. Ditto for a generic USB flash drive, unless you're sure it's bulletproof. Get something reliable, or don't get anything. If you want to be sure you're covered, buy three of whatever it is. Keep one handy, one in a fireproof safe/lockbox on the premises, and one at home. If your only hardware key gets hosed, so do you.
Oh, and KISS. You're right; the cardkey isn't practical, and not just because it'd be difficult/expensive to build. It would probably also be something prohibitively difficult to troubleshoot, should you have problems later. Then you have to call a specialist, and hope he's A) cheap and B) can figure out how to solve your custom-built (and therefore, proprietary) hardware problem. You're probably on the right track with small, removable hardware. Just make sure it's also reliable, or it's useless.
Look out for Fritz Chip- The CryptoProcessor (Score:3, Interesting)
Re:Look out for Fritz Chip- The CryptoProcessor (Score:4, Funny)
Re:Look out for NGSCB! (Score:1)
A lock (Score:3, Interesting)
Re:A lock (Score:1)
Huh? (Score:2, Insightful)
You mean, like, customers??? Are you implying that these customers are unsupervised for a period of time lengthy enough to get into your computer and do something to it, or read some personal files? Maybe you should invest in something larger than a USB device. ThinkGeek doesn't sell what I'm talking about, but you could find it at the local unemployment office. That's right, I'm talking about hiring an employee!!!
If an employee is beyond your means,
Re:Huh? (Score:3, Informative)
Re:Huh? (Score:3, Informative)
Yes, you can open the case, and fiddle with the lose bios settings jumper, but one hopes you'd notice when they open the case.
*Many bioses have a backdoor password, make sure yours doesn't, or at the least it's not a common one.
Re:Huh? (Score:1)
Of course, you ne
Re:Huh? (Score:1)
Re:Huh? (Score:1)
And 30 seconds (Which is probably about twice or even three times as long as actually required.) compared to the time required to open the case and swap out the hard drive is minuscule, in addition to the time required
Re:Huh? (Score:2)
Re:Huh? (Score:2, Informative)
That is truly +2 insightful. You got me. I want to protect my computer mostly from my annoying RA and frat buddies, not the freelance graphic designers I occasionally employ that aren't monitored constantly while they are working. I can only guess that you are making this assumption based on the fact that my
It'll definitely handle Windows... (Score:4, Informative)
pam_usb (Score:1)
Hardware Encrypted Hard Drive (Score:4, Interesting)
Re:Hardware Encrypted Hard Drive (Score:2)
Oh yeah, that reminds me, I've seen something like that before: the Abit SecureIDE [abit-usa.com]. It's a USB key + inline IDE device that encrypts (using 40bit DES, not massively strong) the contents of the HDD at the hardware level, so isn't device-driver dependent. Can't say I've tried it, but it looks interesting and relatively cheap (~40USD).
Of course, as others have already pointed out, if someone determined has got unmonitored physical access to your hardware then the game is pretty much lost anyway... though a
Re:Hardware Encrypted Hard Drive (Score:2)
SmartCard USB Token (Score:1)
You may look for PKCS#11 enabled smartcard USB tokens. If you go for this, you can use the token email and disk encryption software, use it for Secure Single Signon and have it as a "bunker" for your gpg/pgp keys and certificates.
Christian
Palladium? (Score:1)
While its _main_ point is not necessarily that, the Palladium arch is designed essentially to ensure that..
On a less trenchcoat idea, 2.6 comes w/ a USB root key module, you might wanna check the source if Palladium ain't up your alley though
MSI had a USB boot lock on some motherboards (Score:1)
Suffice to say, I wasn't game enough to enable it... I can barely remember what I had for lunch yesterday...
Re:MSI had a USB boot lock on some motherboards (Score:2)
Try this... (Score:4, Interesting)
and if you really want to make your pc hardware secure, have you tried padlocking it to the wall?
Bluetooth Mobile Phone (Score:2)
How about... (Score:3, Funny)
(Note: this is not meant to be a constructive idea)
Er? Bad question! (Score:5, Insightful)
Audiostar asks: "I am interested in adding some security to several of my computers, but am unsure as to which product to go with...
Er, what sort of security?
A simple bios boot password will prevent the computer-naive from accessing your machine.
GnuPG under Windows and the unix clones will allow you to encrypt/decrypt and digitally sign files.
The unix clones tend to be able to encrypt their entire filesystem by whatever algorithm you want. NTFS claims some sort of filesystem encryption as well, but I'm unfamiliar with the mechanism and thus won't recommend it.
OpenBSD has encrypted swap and tends to be tops on the 'utterly paranoid' scale.
How about you tell us what you are trying to do exactly, and we'll tell you the best solution.
Re:Er? Bad question! (Score:2, Informative)
Haha. No, seriously, the concept behind NTFS encryption is great. It keeps keys with login credentials, and they're decrypted with your login password. I forget the algorithm, but it's not some snake oil crap, it's a real, heavy duty encryption thing. Linux could use something like it, it's so amazingly transparent and just works correctly.
The problem, of course, is that administrator has all the keys, and administrator isn't anywhere near protected en
Re:Er? Bad question! (Score:2)
An administrator can reset a key, but cannot read it. When you reset a key, documents become unrecoverable.
Most places who are seriously considering using file encryption implement security policies that eliminate things like local administrative accounts and check some of the powers of administrative users.
For example, data that is protected by HIPAA law in the US can be deleted, moved or indexed by a computer administrator, but cannot be modified. Only users with a business need to view/manipu
Re:Er? Bad question! (Score:1)
Whether or not you can set it up any other way I don't know, but that's how it works by default.
And setting up no local administrator account is insanely stupid...what if the network drivers break?
Re:Er? Bad question! (Score:2)
If you have the budget to spend lots of time diagnosing arcane workstation issues, you are misspending your budget.
The most important thing in data security is policy & practices. If you or your IT people are ignorant of the system that they work with to the point that they allow anonym
Re:Er? Bad question! (Score:1)
I was just taking issue with the concept of removing the account. By all means, IT are the only people who should have access to it, but it still needs to exist.
Otherwise you will run into incredibly stupid things like having to reimage a drive because your network card failed. Which despite whatever you may claim, is not an effective way to run a business, especially a business with important enough data that
how far are you willing to go? (Score:3, Interesting)
Security is a tradeoff, go too far and you end up being so annoyed with it that you bypass your measures and become less secure. So decide how far you need to go.
I'm not impressed with hardware security, other than keeping important files on the USB keychain at your side. (And even then you need regular backups kept in a good data safe) Do a web search and you can find information on how to fake fingerprints. You can find keyboard loggers, which a well equipped attacker can modify into a more general logger to simulate your hardware device. (though I doubt you are worth that much effort, and encryption can prevent man in the middle attacks like this if you are)
Personally I would build a network, save all my files to a UNIX (openBSD perhaps) box in a secure area, and mount that disk every time I was at the machine, and unmount it when I was done.
Don't forget access control lists. If the user you leave the machine logged in as cannot access files you have one less worry. Windows has pretty good ACLs if you use them.
What are you protecting against? (Score:3, Informative)
up the settings, deleting stuff, whatever) or against information theft? The
solution will be completely different.
To protect against vandalism, nothing beats nightly offsite backups, nothing.
To protect against information theft, how about storing the information in
question on an external device that you keep on your person? Then when they
go to steal it, it's not there. Hard to beat that.
Abit SecureIDE (Score:4, Informative)
Lock your door. (Score:2)
Think more about the room, and less about the chintzy little card reader someone could easily rip out of the front of your case, or better yet just snag the HDD from your system and proceed to hack your data..
ibutton.com (Score:1, Informative)
Gimme Access and it won't matter (Score:3, Insightful)
All you can do is slow them down..
Enabling bios passwords, disabling boot from anything but the HD, storing data on the servers, and good system passwords should be enough to keep out the casuals...
Removable HDD bay (Score:2)
Install a lock on the case, cut the wire from the start button to the motherboard, insert keyswitch like the old keyboard locks.
Should just about do it.