The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Win 7 Bit Locker Expertise needed....

    Discussion in 'Windows OS and Software' started by Les, Feb 8, 2010.

  1. Les

    Les Not associated with NotebookReview in any way

    Gotta admit I am liking Bit Locker in Win 7 for security of information and I especially like the fact that I can lock external devices but I am curious about some things...

    1. How secure is bit locker? Can it be broken or is it at government level encryption????

    2. When you encrypt a folder on your own system....does this mean that if someone breaks into your system, through a worm or trojan, that they cannot access that folder???

    Is it possible to encrypt and also password protect a specific folder on my computer?

    Thanks ahead..... I also use an Ironkey which has a lot of surfing advantages since it has Firefox within its hardware and allows you to surf totally undetectable by anyone...
     
  2. minupla

    minupla Notebook Enthusiast

    1) It's government level, it's gonna keep anyone outside of government or law enforcement from cracking it.
    2) It depends - if the worm is running as you, using the windows encrypt a folder option, it could get access to that folder, because it's piggybacking on your authentication. I would go with either PGP or Truecrypt for encrypting inside the O/S unless you know what you're doing (this means that things like Active directory are implemented, not usually true of a home environment)

    On the browser front, you might look at the new version of firefox with its private browsing mode - it doesn't save anything to the drive, so when you close it, and memory gets wiped, there's no trace.

    On the subject of Whole Drive Encryption (be it bitlocker, or one of the others) there are a couple of ways around, other than breaking the encryption, but the big one is easily solved - use hibernate instead of suspend when you put your laptop to sleep and never leave it running (even screen locked) when you're not 100% sure of your environment.

    Security is always a trade off, there's no free lunches :)

    Min
     
  3. Les

    Les Not associated with NotebookReview in any way

    Yes....Microsoft should have asked me what would be the most useful way of setting up bitlocker. I would have told them that the ability to encrypt and then password protect a folder, as you would an external USB or drive now, would have been the cats @#$.

    And then my next concern...what is the best way to password protect a folder..

    My only option might be to shove a sd card in and then use bitlocker to password protect and encrypt correct?
     
  4. surfasb

    surfasb Titles Shmm-itles

    It's even impossible for government or law enforcement to crack bitlocker. Bruteforce methods are rendered moot and there is no backdoor. If you did not back up your private key or have not specified a backup operator and you forget the password, your files are forever lost.

    You can use NTFS encryption to protect a folder. Right clicking a file and under properties, select encrypt. It also uses a similar mechanism to encrypt your files, with your user account password linked to your private key.
     
  5. Les

    Les Not associated with NotebookReview in any way

    Ya but that's what I was trying to avoid... I don't use a password on my system, but rather, would like to be able to password protect an encrypted folder. I learned how to do it with TrueCrypt tonight and, as well, had fun resizing and creating a partition which I encrypted and password protected.

    Thanks for the help!
     
  6. minupla

    minupla Notebook Enthusiast

    As a matter of professional principle (I do this for my day job, and hold the appropriate certifications) I never say "impossible" when it comes to encryption. The NSA may have bribed someone at MS to put in a backdoor, there may well be a currently publicly unknown weakness in the alg being used, or an implementation weakness. If your life depends on it being government proof (and for some people in some areas of the world, it does), I would go for truecrypt over bitlocker because of the opensourceness.

    If you're concerned about some two bit thief reading your email, bitlocker will cover you :)

    Min
     
  7. Mr.KL

    Mr.KL Notebook Evangelist

    Were you able to retain the service (factory image) partition with your BitLocker installation?
     
  8. surfasb

    surfasb Titles Shmm-itles

    The Bitlocker source code has been available to Microsoft partners for review for years. Despite it being a closed source code, it's not like the book is locked nor is the capability to look at the code nonexistent. Security researchers have scrutinized programs for years without the "source code."

    The conspiracy theories about Microsoft implementing backdoors have never flown due to the complexity of software development these days. For a backdoor to exist, someone (more than likely some people) has to implement it, test it and then notify NSA. All these steps are easily tracked.

    Plus, in the past, governments have requested Microsoft for backdoor access to certain functions and have been denied. The burden of proof is on the conspiracy theorists.
     
  9. Ramzii

    Ramzii Notebook Evangelist

    now what??/
     
  10. surfasb

    surfasb Titles Shmm-itles

    Umm this is old news? With little practical application.
     
  11. Christoph.krn

    Christoph.krn Notebook Evangelist

    It's never(!) impossible to crack/hack something.

    Such backdoors DO exist in various services and software.

    Well... of course they would never make that public, would they?

    Christopher Tarnovsky has recently succeeded in reading data from a TPM. The attack has been confirmed by Infineon.

    For the same reasons minupla stated above, another solution (such as TrueCrypt) should be used whenever possible.

    Sure they can. For something to be secure, you have to see the system as whole and secure it completely. For example, encryption won't help you anything if your computer is easy to infect.
    Also, if someone has physical access to your machine, you can't really secure it from that person, no matter what.
     
  12. surfasb

    surfasb Titles Shmm-itles

    Which was never my point.

    My point was you are coming up with theories that are neither provable nor unprovable for the purpose of motivating people through fear. Computer Security companies have been accused of publishing uninformed statistics and reports which drive up the sale of their security software.

    It is irresponsible.


    The Google hack was a backdoor!!??

    Such a complicated explanation. The more likely and simple explanation? It was a bug in IE6, which isn't exactly that hard to believe. The exploit code has been available for months to the public to scrutinize.

    http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html

    It wasn't all that sophisticated of a "hack." It was mostly social engineering, like all high profile espionage attempts.

    I remember hearing about this hack. Infineon had also said they had known about this hack while testing the chip but determined that the hack was so difficult that it was deemed an insignificant threat. And the extent of the hack is unknown, with no viable exploit currently available to take advantage of the vulnerability.

    Like I said, it is just irresponsible to think something like this will have any practical application.


    I'm not even going to bother with the rest of the post. Conspiracy theorists are all the same. Fragile egos that live in a self conjured world.
     
  13. Christoph.krn

    Christoph.krn Notebook Evangelist

    Theories, yes. Theories with laws which mandate backdoors.

    Let me distill the information I posted above:


    -----------------------------------------------------------------

    Oh, it was "highly sophisticated"!


    -----------------------------------------------------------------

    There doesn't have to be a public exploit to make something dangerous. The existence of a flaw alone is enough to alarm people, since once the flaw is being exploited, it's too late already.

    Given the fact that data stored in a TPM is usually worth a lot, a 200.000$ investment for the equipment can make for a valuable business model, don't you think so? Even though the attack won't be usable in future TPMs.


    -----------------------------------------------------------------

    Ah, well... I guess I should just stop reading this thread. Sorry for wasting your time.
     
  14. surfasb

    surfasb Titles Shmm-itles

    This link only goes to protocols that allow for law enforcement to tap into a network. It does not link to an actual law that requires backdoors. Simply because it does not exist.

    So sophisticated that if you had upgraded to IE7, it would not work.

    The code is available online. It isn't all that sophisticated. Email link, take over computer.


    If you can't figure out the difference between a vulnerability and an exploit, then you are making ill informed decisions and irresponsible advisories.

    The data stored in all TPM chips is a million dollar fixed investment, not per chip........ Please read what a TPM chip is.

    http://en.wikipedia.org/wiki/Trusted_Platform_Module
     
  15. Ramzii

    Ramzii Notebook Evangelist

    I don't know.. didn't even know freezing your RAM was a real option haha
     
  16. Pirx

    Pirx Notebook Virtuoso

    That's the wrong approach. If you have any interest at all in the security of your data, use a password. If you can't be bothered to password-protect your account, then don't bother with third-party kludges. In your case, if anybody was interested in your files, they'd simply install a keystroke logger while they can get a hand on your machine, plus a suitable remote-control server, and Bob's their uncle...
     
  17. Les

    Les Not associated with NotebookReview in any way

    They cannot get a hold of my system. It stays close as I take it with me a lot. My work is sensitive, such that I now carry along an 8Gb Ironkey. I solved my problem in any case which will be to separate and encrypt/password protect a drive once I get a bigger ssd. This way I can have the 20 second boots which I love and then only open the drive when needed.

    If something happens to the machine then...I'm gold.

    With respect to the key logger.... I work through a protected VPN mainly which keeps me plenty safe and enables me to securely connect from anywhere in the world as long as I have an open network connection.

    My only concern was information loss should this system come out of my possession. The encrypted and password protected drive is great I think.
     
  18. Pirx

    Pirx Notebook Virtuoso

    If your only concern was information loss, you wouldn't need any encryption at all; all you would need is a backup. If you really want to make sure prying eyes cannot see your files once the system is "lost" (or stolen), you had better make sure the files you are talking about were never in an unencrypted state on your machine. Drive locker could guarantee that, your third-party solution may or may not be able to do so. Not having your accounts password-protected is simply bad judgement. In the corporate world, no company would allow you to do that...
     
  19. Les

    Les Not associated with NotebookReview in any way

    Yes but, that's what Bit Locker does and damn good from what the standards seem to be. I back everything up so it's not information loss, my apologies. It's what could come of the information being compromised that I am concerned about. Now, the concern only comes from when I am not behind the screen at which time I know the system is off, information on the drive encrypted, password protected and very secure...or so I am told.

    Am I right on this assumption?
     
  20. Pirx

    Pirx Notebook Virtuoso

    Well, like I said, if you have the file on your system in an unencrypted state, and then encrypt it, deleting the unencrypted version (which is something your encryption program might do behind the scenes), then conceivably somebody could still analyze your hard drive and recover the unencrypted data. That would take some work, of course, so it all depends on how much energy somebody might be interested in investing in order to uncover the information in your encrypted files.

    Other than that, however, things also depend on what else you do with this particular laptop. People are often surprised by how much information about them can be obtained simply by sifting through the information on their laptops, like web browsing history, cookies, recently opened files and their dates, recent network locations and the times you used them, etc., etc. People can typically put together a comprehensive profile of the laptop's owner and his/her habits from such information. Unless your usage of this particular laptop is very restricted, I doubt you would want any stranger to be free to ferret all of this out. This is particularly true since the effort required to prevent that from happening is as minimal as typing in a password to log in to your computer. To put it very bluntly, I cannot see any rational reason to not use a password on a computer that is not just a toy.
     
  21. Christoph.krn

    Christoph.krn Notebook Evangelist

    Let me give you an example:

    1. You have some kind of project files on your encrypted drive.
    2. You enter your credentials to get access to the encrypted drive.
    3. You open up the project's files using the associated program. (for example, if the project file was .doc, you'd probably open it using Microsoft Word)
    4. You make your changes to the project.
    5. You save the project, exit the software, close the encrypted drive so there's no longer any access to it.
    6. You turn off the computer and everything's secure. Right? Well... no.

    Security is not just about the current state of the system. If you turn it off and think you're perfectly safe unless somebody steals your system, then you're about to learn that as long as you don't make sure that the system is trustworthy at all times, your project (to stay in the example) isn't secure.

    Here are some examples of things that an attacker could utilize to retrieve your data in the example above:

    The encryption of your drive might have a backdoor. (Discussed above)

    The encryption of your drive might have been implemented using outdated/insecure algorithms, and thus be easy to crack.

    You may not have entered your credentials via a secure channel, so a malicious software that somehow got onto your system earlier (because you didn't pay enough attention to the security of the whole system) could have been used by the attacker to steal your password.
    Sidenote: depending on your needs (which seem to be pretty high), better use a three-factor-authentication instead of a password:
    • Something you own (example: a smartcard)
    • Something you are (example: your veins, using a vein scanner)
    • Something you know (example: a password)

    Even if you use advanced authentication methods, the moment you're unlocking the project files you want to work on, they're accessible to anything on your machine that has the rights to access them. So, a malicious software on your system might be instructed by an attacker to copy the files to an unsecured place on your drive and send them over to him later on when there's access to the internet. The only effective countermeasure is to make sure that the system won't get compromised in the first place.

    Make sure your system is secure! I can't give a complete guide, but here are some good things to start:

    • Keep your system and all your software up-to-date!

      On Windows, use Windows Update (or, better yet, Microsoft Update, which can be activated via the Windows Update Control Panel).
      Solutions like Secunia PSI (free for home use) can assist in keeping software up-to-date on Windows systems. When using Secunia PSI, make sure to set it to "advanced mode" and enable "notification for outdated software even if the solution isn't easy" (or similar named) in the settings.

    • Make sure only trustworthy people get physical access to your machine!

    • And, yes: password-protect ALL accounts on a machine.

      If you REALLY do want the security-comfort compromise of not having to log in, set passwords for every account, then open the start menu and enter
      Code:
      cmd /c "control userpasswords2"
      into the start menu textbox to set your account to auto-login even though it has a password. However, I strongly recommend to NOT do this and secure all your accounts using advanced authentication methods instead, also on login.

    • On Windows Vista and Windows 7, use UAC.

      On Windows 7, set UAC to the highest setting ("Always notify"): enter
      Code:
      UserAccountControlSettings
      into the start menu and press enter.
      Set all your accounts you use for working to limited standard accounts using the control panel, because the default UAC "consent prompt" of "Administrator in Admin approval mode" users is not a security boundary. (Whether the OTS ("Over The Shoulder" elevation, where Windows will ask you for an Administrator's credentials via a UAC prompt) "consent prompt" of limited users is a security boundary is actually questionable. For higher security, you would have to disable OTS elevation and switch between users).

    • Secure your webbrowser, PDF reader, browser plugins and addons.

      Webbrowsers, PDF readers (Adobe reader, in particular), browser plugins (like Adobe Flash, Apple Quicktime, Sun Java etc.) are a common way to break into machines nowadays. In addition, browser addons can be poorly written and reduce the overall security of a webbrowser.


      • Make sure you keep this kind of "internet software" (as well as all other software, see above) up-to-date.
      • In addition, you could use a virtual machine like Sun Virtualbox or VMWare Player to browse the web, but they're not "magic bullets" that will ultimately secure your system from any security threats.
      • You could also use Windows Vista's and Windows 7's Mandatory Integrity Control mechanisms to secure your browser other than Internet Explorer, which is ALMOST like the Protected Mode that increases Internet Explorer's security by default. But be careful in what files and folders (objects and containers) you assign low integrity to on your machine, since all processes running with low integrity (like Internet Explorer in Protected Mode) will have access to them. Using this in combination with separated user accounts for specific tasks like surfing the web should be preferred over using Mandatory Access Control alone.

    • Use the all-famous Brain 1.0. Only execute executable files if you trust the creator and can at least EITHER - by signature or hash (don't rely on md5, it's popular but considered harmful) obtained from a trusted source - verify that the files have not been modified OR trust everyone who was involved in bringing the files from the source to you in not wanting to attack you and being clever enough to keep others from successfully attacking them (like the people affiliated with a website used to spread the files). While the chance that non-executable data (like office documents, PDFs, MP3s, website data, images, cursor files and so on) will get executed is lower, ideally the same guidelines should apply.


    The software you used to work on your project might have stored temporary or backup data of your project on the unencrypted drive. Even if the software deletes these files when you exit it, it's not at all hard to recover them as long as the system drive (more precise: the drive the software will store these temporary files on, which likely is the system drive) is unencrypted. Not utilizing low-level encryption like Bitlocker or Truecrypt for the system drive in order to gain higher transfer speed is not a good compromise if your data is very important to you.


    -----------------------------------------------------------------

    Of course this is by no means meant to be a comprehensive list, and will - like any other list would - never make you secure. Because what you need is a complete concept covering every single aspect of security for your specific needs. Actually, the point of this text isn't to provide a list of possible security enhancements.

    The point of this text is to explain why there is no such thing as a magic security enhancement if there's no concept surrounding everything. It seems to be very hard sometimes to explain this to people on this forum, so this is a rather lengthy post so I can link to it in the future.
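
Added example, not part of the thread or any poster's code: a Python check for the leak described in the two posts above, where an editor leaves a plaintext copy or scratch file of a protected document on an unencrypted drive. The directory layout, file names and the list of scratch-file patterns are assumptions made for illustration.

```python
import hashlib
import os
import tempfile  # only needed by the constructed demo below

# Name patterns editors commonly use for lock/scratch/backup copies.
# Assumed list for illustration; extend it for the software you use.
LEFTOVER_PREFIXES = ("~$", "~wrl", "~wrd")
LEFTOVER_SUFFIXES = (".tmp", ".bak", ".asd", ".wbk")


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def walk_files(root):
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)


def find_plaintext_leftovers(protected_root, unencrypted_roots):
    """Return sorted (reason, path) pairs for files outside the encrypted
    volume that duplicate its content or look like editor scratch files."""
    protected = {}
    for path in walk_files(protected_root):
        if os.path.getsize(path) > 0:  # empty files would match everything empty
            protected[sha256_of(path)] = os.path.basename(path)
    findings = []
    for root in unencrypted_roots:
        for path in walk_files(root):
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # locked or unreadable file: skip it
            name = os.path.basename(path).lower()
            if digest in protected:
                findings.append(("exact-copy of " + protected[digest], path))
            elif name.startswith(LEFTOVER_PREFIXES) or name.endswith(LEFTOVER_SUFFIXES):
                findings.append(("editor-scratch-file", path))
    return sorted(findings)


def demo():
    """Constructed layout: 'vault' stands in for the mounted encrypted
    volume, 'temp' for an unencrypted temp directory on the system drive."""
    with tempfile.TemporaryDirectory() as base:
        vault, temp = os.path.join(base, "vault"), os.path.join(base, "temp")
        os.makedirs(vault)
        os.makedirs(temp)
        samples = {
            os.path.join(vault, "project.doc"): b"constructed project contents v2",
            os.path.join(temp, "copy-of-project.bin"): b"constructed project contents v2",
            os.path.join(temp, "~WRL0001.tmp"): b"constructed older draft",
            os.path.join(temp, "notes.txt"): b"unrelated constructed file",
        }
        for path, data in samples.items():
            with open(path, "wb") as fh:
                fh.write(data)
        found = find_plaintext_leftovers(vault, [temp])
        return [(reason, os.path.basename(p)) for reason, p in found]


if __name__ == "__main__":
    for reason, name in demo():
        print(reason, "->", name)
```

The scan only sees files that still exist. Copies that were already deleted stay recoverable from free space on an unencrypted drive, which is the case both posts warn about, so a clean result does not replace encrypting the system drive.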
     
  22. yejun

    yejun Notebook Deity

    Bitlocker uses a 256 bit key to do encryption. It is only safe if you lose your machine while it is powered off.
    It uses the TPM or a USB drive to store the key, so it is as secure as the TPM. You can also use your brain to memorize the 256 bit key, that will be the most secure way to store it.
     
  23. surfasb

    surfasb Titles Shmm-itles

    My goodness, what is the point of all this?
    I don't recall anyone claiming there is a magic non-contingent security scheme.....

    We are pragmatists here.