
Ramblings of a paranoid part 7


Presentation Transcript


  1. Ramblings of a paranoid, part 7 Pete Hickey

  2. What is the value of your PC? • Let's try to find whose PC is worth the most.

  3. Laptop Theft • Growing crime • Major reason for car break-ins “You don’t know what you’ve got ‘till it’s gone.” Joni Mitchell

  4. What is the value of your PC? • Most likely the value of your PC is much higher than its cost. • A brand new PC probably has the least value. • Value of the PC is • your time to set it up • the DATA it contains.

  5. What is the value of the data? • Value to you? • Can you replace it? • Can you spell backup? • With the cost of zigabyte USB drives, no excuse. • Value to others • Identity theft? • Credit cards in web cache? • Tax forms from various years • Blackmail? / privacy

  6. What is the value of the data? • Law may REQUIRE you to have it encrypted. • Yes with medical data • Unknown with FIPPA.

  7. What is the value of the data? • Other people’s data? • People who trust you. • Old emails • Business/client data • Data which has no value? • Could have value in the future.

  8. What is on your PC • Do you even know? • In cache histories, etc. • Look up PC forensics • Do you purge old data? • What do you do when you get a new PC? • Pack rat syndrome

  9. What is on your PC • Only a good thorough analysis will tell you for sure • There is a cost to inexpensive large capacity storage. • Never have to clean up!!!!!!!

  10. A tool that helps • Two obvious things are SINs (Social Insurance Numbers) and credit cards. • Student cards????

  11. SIN format • 9 digits • xxx xxx xxx • xxx-xxx-xxx • xxxxxxxxx • Find all strings which look like those.

  12. SIN format • There is also a checksum • Sum up digits 1,3,5,7,9 • Double the digits in even locations • If a doubled result has two digits, add them together • Result mod 10 should be zero • OR • Sum up digits 1,3,5,7 and the (digit-reduced) doubles of digits 2,4,6,8 • 10 – (Result mod 10) is the last digit.

  13. SIN format • Is 130 692 544 a valid SIN? • 1 + 0 + 9 + 5 + 4 = 19 • 6 + (12->3) + 4 + 8 = 21 • (19+21) mod 10 = 0 • VALID

  14. SIN format • 123 456 78x Find x so it could be a SIN • 1 + 3 + 5 + 7 = 16 • 4 + 8 + 3 + 7 = 22 • (16 + 22) mod 10 = 38 mod 10 = 8 • Last digit must be 2!

  15. SIN format • Is 123 456 782 a valid SIN? • It is only of value if there is other identifiable information with it. • Only you know that.

  16. Credit Cards • VISA • 16 digits long, starts with 4 • Four groups of four or 16 contiguous • MasterCard • Starts with 52, 53, 54, or 55 • 16 digits long, contiguous or four groups of four. • American Express • Starts with 34 or 37 • 15 contiguous or four, six, five groups.
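As an added example (not code from the slides or from the FindSIN tool), the following puts slides 11 through 16 into working form: the three SIN layouts, the Luhn-style checksum worked on slides 13 and 14, and the Visa, MasterCard and Amex shapes, run over a small constructed text file. The sample text and the card numbers in it are constructed test values, not real data.

```python
import re

# Constructed sample input (not from the slides): the kind of scratch file an
# audit tool walks through.  Card numbers are standard test values, not real.
SAMPLE_TEXT = """
Payroll notes: SIN 130 692 544 (checked), alt 123-456-782, typo 123456789.
Card on file: 4111 1111 1111 1111 (Visa), 5500000000000004 (MasterCard),
3782 822463 10005 (Amex).  Phone 613 555 0199 is not a SIN.
"""

# The three SIN layouts from the slides: xxx xxx xxx, xxx-xxx-xxx, xxxxxxxxx.
# The back-reference forces both separators to match, so "123 456-789" is skipped.
SIN_RE = re.compile(r"\b\d{3}([ -]?)\d{3}\1\d{3}\b")
# Visa (4...) and MasterCard (51-55...; the slide lists 52-55): 16 digits, contiguous or 4x4.
# Amex (34/37...): 15 digits, contiguous or groups of 4, 6, 5.
CARD_RE = re.compile(
    r"\b(?:(?:4\d{3}|5[1-5]\d{2})([ -]?)\d{4}\1\d{4}\1\d{4}"
    r"|3[47]\d{2}([ -]?)\d{6}\2\d{5})\b"
)

def luhn_sum(digits: str) -> int:
    """Walking from the right, every second digit is doubled and a two-digit
    result has its digits added.  For a 9-digit SIN this is the slides' rule."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of a 2-digit result
        total += d
    return total

def luhn_ok(digits: str) -> bool:
    return luhn_sum(digits) % 10 == 0

def sin_check_digit(first_eight: str) -> str:
    """Slide 14: the last digit that makes the first eight digits a valid SIN."""
    return str((10 - luhn_sum(first_eight + "0") % 10) % 10)

def scan(text: str) -> dict:
    """Find SIN- and card-shaped strings; keep those whose checksum holds.
    A hit is only a candidate: as slide 15 says, a human still has to judge it."""
    hits = {"SIN": [], "CARD": [], "REJECTED": []}
    for kind, rx in (("SIN", SIN_RE), ("CARD", CARD_RE)):
        for m in rx.finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            (hits[kind] if luhn_ok(digits) else hits["REJECTED"]).append(digits)
    return hits
```

Running `scan(SAMPLE_TEXT)` reports the two checksum-valid SINs and three cards and puts the mistyped 123456789 under REJECTED, which is the same filtering the slides describe: shape first, checksum second, human judgement last.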

  17. Audit tool • Most from USA • Spider • Modified FindSSNs to FindSINs • http://newmud.comm.uottawa.ca/~pete/FindSIN.zip • These are audit TOOLS, not magic.

  18. USB key • What is on your USB key? • Those running labs can tell you about lost keys • Forget • Holes in pockets. • Inexpensive, so you don’t care.

  19. Encrypt your disk • Lots of options here. • What do you want? • Required by law? • Yes • Maybe

  20. Encryption Algorithms • AES – Winner of competition • Serpent – more secure than AES, but lost • Twofish • Combinations AES-Twofish, Serpent-AES, etc. • All SYMMETRIC encryption • Fast • Same key encrypt-decrypt

  21. Hash Algorithms • One Way (trapdoor) function • SHA-512 • RIPEmD-160 • Whirlpool

  22. Which to choose? • They are all ‘good enough’ • Unless working with top secret military • Weakness will be in the key. • Hashed password is key

  23. Password is the weakness “Choose your password wisely, Grasshopper.”

  24. Key properties • If the key is not well chosen, patterns may appear in the ciphertext which may help to crack it. • We want to choose a key such that the encrypted data looks like white noise.

  25. Key vs password • Passwords do not make good keys. • Printable characters have first few bits as zero • Typically use about a third of its space. • 256 possible combinations • 52 letters, 10 digits, 20 special -> 80 • Assume 128 to make math easier • Frequently some function will be used to ‘randomize’ the password.

  26. Key vs password • Assume key is 128 bits • 128 bits = 16 bytes • 128 bits -> 2**128 possible keys • 3.4 x 10**38 • Each character of a password is a byte • Example 8 character password • 80 ** 8 = 1.7 x 10**14 • That assumes even distribution.

  27. Key vs password • Other password combinations • 6 mixed characters • 80 ** 6 = 2.1 x 10**11 • 6 upper case letters • 26 ** 6 = 3 x 10**8 • Word in dictionary • 2 x 10**6 • Date + 3 digits • You do the math.
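Added example for slides 25 through 27 (not from the slides themselves): it shows the top bit of every printable-ASCII byte sitting at zero, turns a password into a 16-byte key with a "randomizing" function (PBKDF2-HMAC-SHA256 is my assumption; the slides name none), and puts each password shape from slides 26 and 27 beside the 128-bit key as bits of search space. The 100-year window for "date + 3 digits" and the salt are constructed assumptions.

```python
import hashlib
import math

KEY_BITS = 128            # the slides' 128-bit (16-byte) symmetric key
MIXED_ALPHABET = 80       # 52 letters + 10 digits + 20 specials (slide 25)

def search_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the passwords an attacker must try in the worst case, assuming
    every character is equally likely (the slides' even distribution)."""
    return length * math.log2(alphabet_size)

def top_bit_is_zero(password: str) -> bool:
    """Slide 25: printable ASCII never sets the top bit of a byte, so a password
    used directly as a key has one bit per byte fixed before anything else."""
    return all(b < 0x80 for b in password.encode("ascii"))

def derive_key(password: str, salt: bytes, rounds: int = 200_000) -> bytes:
    """The 'function used to randomize the password' (assumed here to be
    PBKDF2-HMAC-SHA256).  The 16 bytes look like noise, but the key is still
    only as hard to guess as the password that went in."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds,
                               dklen=KEY_BITS // 8)

def compare() -> dict:
    """Effective bits for each case on slides 26-27 beside a real 128-bit key.
    'date + 3 digits' assumes any day in a 100-year span (36525 days)."""
    cases = {
        "128-bit key": KEY_BITS,
        "8 mixed chars": search_space_bits(MIXED_ALPHABET, 8),
        "6 mixed chars": search_space_bits(MIXED_ALPHABET, 6),
        "6 upper-case letters": search_space_bits(26, 6),
        "dictionary word": math.log2(2_000_000),
        "date + 3 digits": math.log2(36_525 * 1000),
    }
    return {name: round(bits, 1) for name, bits in cases.items()}

if __name__ == "__main__":
    key = derive_key("Pa55-w0rd!", b"constructed-salt")   # constructed values
    print("derived key:", key.hex(), "(%d bits)" % (len(key) * 8))
    for name, bits in compare().items():
        print("%-22s %6.1f bits  (2^%.0f guesses)" % (name, bits, bits))
```

Note that 80**8 evaluates to about 1.7 x 10**15 (50.6 bits), ten times the rounded figure on slide 26; either way the derived key's 128 bits are decorative when the password behind it offers 50.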

  28. OC Transpo (STO) and Encryption • Encrypted laptops attract buses • “What happens if the owner is hit by a bus?” • If laptop contains his taxes and family data, we don’t care. • What if it contains important information for the University?

  29. Don’t believe it’s lost forever • Encryption people try to tell you that if you lose the key, the data is lost forever. • NOT TRUE!!!!! • You should be able to get it in 25-50 years.

  30. Parameters for disk encryption • Large scale encryption (policy) requires a managed system. • Users will complain if we make them encrypt, and they lose their password. Ask help desk workers if people forget passwords. • Escrow server

  31. Backups!! • Do you want the backups to be encrypted as well? • Do you want to encrypt the backup?

  32. Cost of encryption • Cost of the software • Cost of management • Cost in performance hit

  33. What flavor of encryption • File • Folder • Virtual Disk • Data Disk • Complete Disk

  34. Encrypted file • Easiest • Lowest performance hit • High maintenance if many files • Backup is encrypted

  35. Encrypted folder • Everything put in a specific folder is encrypted. • Easier than individual files • Cache-working files not encrypted • Backup encrypted

  36. Container • File within file system is a virtual disk • Mounted as your X: disk • Everything on X: disk is encrypted • Backup may or may not be encrypted

  37. Data disk encryption • At the file system level • Everything on data disk is encrypted • Backups probably not encrypted

  38. Full system encryption • Everything, including system files encrypted. • Gets caches, work files, temporary files, etc.

  39. Advantages of full/complete • User loses laptop • Were ALL files encrypted? • Did the user miss some? • With full system encryption, you can offer assurances that all data was encrypted.

  40. What about • Paging file • Hibernation file • Memory dump files • Registry

  41. Plausible Deniability • Under duress • You want to deny that you have any encrypted files. • Containers may appear to be data files. • Containers residing on ‘empty’ disk. • You cannot deny full disk encryption.

  42. Border crossing • People should not bring laptops containing personal information across US border. • Customs may ask to decrypt system. • Not legal for them to see personal information.

  43. Encryption of USB keys? • Portability? • Within an OS • Across different OS • Keys with encryption built in. • Do they need autorun on? • Password management

  44. Encryption of Desktops? • Although less frequently, they do get stolen. • Peace of mind with their disposal. • Disks should be wiped clean before disposal.

  45. Other issues • Policy pushed to machine? • Windows logon one also takes care of decrypting? • If not, two logons are needed. • Performance? • Hardware encryption of disks possible. • etc

  46. Not a recommendation • TrueCrypt • Not good because it is not managed. • Unless you can afford to wait 25-50 years to handle forgotten passwords. • It is good to play with to get a feeling for the various parameters to consider.

  47. Parameters for disk encryption • Folder, container, full disk • Escrow • Backups • What are needs
