Improve your Security #2: Securing your notebook

Quite a lot of people now take their netbook or smartphone with them when travelling. As a result, almost every quarter we read stories about sensitive personal data being lost because a laptop or USB stick was stolen. Moreover, with the rise of mobile devices such as smartphones, tablets and pads, anyone can carry gigabytes of data anywhere. All these problems disappear if we simply encrypt the data, no matter where we carry it. But while encrypting each file separately is the most secure method, it is also the most inconvenient. In this article I describe simple, effective and free methods of securing your devices.

Local protection

There are several layers of protection possible for the information on your laptop.

Active measures:

  1. Set up a BIOS (setup/supervisor) password, which protects the firmware settings themselves
  2. Set up a power-on password, which is asked for before anything boots
  3. Set up a hard drive (ATA) password, so the drive refuses every read and write until it is unlocked
  4. Require user authentication in the operating system, with a password and/or fingerprint recognition

With these areas protected, a stolen or lost device is, more or less, a useless but expensive piece of hardware to whoever holds it. Of course, there are ways of overriding the BIOS protection (clearing the CMOS settings, vendor master passwords, or rewriting the chip that stores the password), but I really don't think anyone would invest that much just to get access to the laptop. The important caveat is that none of the active measures protects the data itself: a hard drive taken out of the laptop and connected to another computer can be read in full unless it is encrypted. Even the hard drive password only makes the drive's firmware refuse to answer; on drives without built-in hardware encryption it does not scramble what is on the platters, and data-recovery specialists can usually get past it. The active measures raise the cost of using the stolen machine; only encryption (passive measure 1 below) protects what is stored on it.

Passive measures:

  1. Protect the data on the hard drive(s) by encrypting it.
  2. Work as a non-privileged user, so that malware running with your rights cannot change the system.
  3. Deactivate booting from USB devices, CD/DVD and the network, so the machine cannot be booted from a live CD that reads the disk; this only holds if the BIOS password (active measure 1) stops the setting from being changed back.
  4. Deactivate automatic execution of the "autorun" file (autorun.inf) on USB devices.

Active – the user has to type a password in order to proceed further. Layers 1, 2, 3 and 4 belong in this category. In each case the user must first set up a password in the respective area, as follows:

BIOS – at startup, press F2, F10, Del or ESC (depending on the manufacturer of your device) to enter the setup and go to Security. Choose "Password" (some manufacturers call it the Supervisor or Administrator password) and set a 6-12 character alphanumeric password. Many BIOSes accept only a limited character set and some ignore case, so do not reuse a password you rely on elsewhere.

While in BIOS, under Security:

Power On – choose "Power On" password. This password is asked for before the device boots. Failing to authenticate prevents the device from starting the boot sequence at all.

Hard drive – once the first stage of boot initialization (hardware initialization) has taken place, the hard drives are enumerated in order to select the bootable one. This password is enforced by the drive's own firmware, so it travels with the drive: without it the drive stays locked even when moved to another computer. Failing to provide it completely deactivates that hard drive, but still allows booting from another device (a second HDD, CD/DVD, USB stick) installed in or connected to the computer, which is why booting from such devices should be disabled as well.

User authentication – this forces the user to enter a password at logon, instead of just clicking on an icon. Unfortunately, the default Windows installation is intended to make logon easy rather than secure. To require a password, go to Control Panel, User Accounts, and on Windows XP choose "Change the way users log on or off"; on any version you can also run "control userpasswords2" (netplwiz) and tick "Users must enter a user name and password to use this computer". Make sure every account actually has a password, because the logon prompt will still accept an empty one on an account whose password is blank. Some laptops also allow a fingerprint in addition to the password; this is the easier way to secure your data if you don't like typing a password each time. The fingerprint unlocks the same account, so the password behind it must still be a good one.
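To check the Windows-side settings from the lists above without clicking through the dialogs, here is a PowerShell script added as an example for this article (it is not code from the original post, nor from TrueCrypt). It reads the same registry values and token information the Control Panel dialogs change: AutoAdminLogon for the password-at-logon setting, the Administrators group in the current token for the non-privileged-user rule, NoDriveTypeAutoRun (0xFF disables AutoRun for every drive type) for the autorun rule, and the presence of the drive letter for the encrypted volume. The drive letter T: is an assumption; change $CryptDrive to match your container.

```powershell
# Added example, not part of the original article: audit the Windows-side
# measures described above. Assumption: the encrypted container is mounted as T:.
$CryptDrive = 'T'

function Test-Setting {
    param([string]$Name, [bool]$Ok, [string]$Fix)
    if ($Ok) { Write-Output "[OK]   $Name" }
    else     { Write-Output "[FAIL] $Name -> $Fix" }
}

# 1. Password required at logon. The netplwiz checkbox "Users must enter a user
#    name and password" controls AutoAdminLogon; the value "1" means automatic logon.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$needsPassword = ($winlogon.AutoAdminLogon -ne '1')
Test-Setting 'Password required at logon' $needsPassword 'run "control userpasswords2" and tick "Users must enter a user name and password"'

# 2. Working as a non-privileged user. Look at the token's group list rather than
#    at elevation: with UAC an administrator running non-elevated still carries
#    BUILTIN\Administrators (well-known SID S-1-5-32-544) in its token.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
Test-Setting 'Running as a non-privileged user' (-not $isAdmin) 'use a standard user account for daily work; keep the administrator account for installs'

# 3. AutoRun disabled for every drive type. NoDriveTypeAutoRun is a bitmask with
#    one bit per drive type; 0xFF disables all of them. The policy may be set
#    machine-wide (HKLM) or per user (HKCU).
$autorunOk = $false
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($val -eq 0xFF) { $autorunOk = $true }
}
Test-Setting 'AutoRun disabled for all drive types' $autorunOk 'Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord'

# 4. Encrypted volume present. TrueCrypt exposes the mounted container as a
#    drive letter, so its root must exist while you work.
$mounted = Test-Path "${CryptDrive}:\"
Test-Setting "Encrypted volume mounted as ${CryptDrive}:" $mounted 'mount the TrueCrypt container before opening any documents'
```

Run it from the account you use every day. The BIOS-side settings (boot order, power-on and hard drive passwords) live outside the operating system and cannot be checked this way; they have to be verified in the BIOS setup itself.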

Passive – the user doesn't have to do anything after setting up the protection method. Layer 1 of the passive list, encrypting the data on the drive, belongs in this category.

The tool I present in this article is called TrueCrypt. This article is not a replacement for TrueCrypt's tutorial, but a summary of what the tool can do and how it helps secure your data. TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted or decrypted right before it is loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without the correct password and/or keyfile(s), which unlock the volume header that holds the actual encryption keys. The entire file system is encrypted (file names, folder names, the contents of every file, free space, metadata, etc.). The advantage of TrueCrypt is that it integrates with your operating system as an ordinary drive and that it is cross-platform (Windows, Mac, Linux): a drive or container file encrypted on any supported operating system can be opened on any of the others, as long as the file system inside it is one the other system can read (FAT is readable everywhere). Note that TrueCrypt's developers stopped maintaining it in 2014; its maintained successor VeraCrypt keeps the same volume model and largely the same menus and command-line options, so what follows applies to it as well.

In order to start using TrueCrypt, you must choose one of the three methods available: encrypt a partition, create a TrueCrypt container file, or encrypt the entire disk including the boot partition. I strongly recommend the second option: create a TrueCrypt file. The reason is that this way you have a single file which contains all your data, and you can (and should) create a backup of that file. The only problem with this method is that if this file gets damaged, you have probably lost all your data. The most sensitive part is the volume header at the start of the file, which stores the master keys: if it is corrupted, nothing in the container can be decrypted even if every data block is intact, so also keep a copy made with Tools > Backup Volume Header. I have been using TrueCrypt for at least 5 years and have never had a problem. But it can happen, which is why I do not recommend this method as a replacement for traditional backup software, but only as a secondary emergency measure. If you don't change your laptop as often as I do, then the first method (encrypt an entire non-bootable partition) is also a very good choice. I do not recommend the 3rd option, encrypting the boot partition, because I don't know any software except Microsoft's BitLocker that does a good job under all circumstances. But BitLocker is available only on the high-end Windows versions (the Ultimate and Enterprise editions of Vista and 7), and I promised to talk about a completely free solution.

The Beginner's Tutorial in the TrueCrypt documentation describes how to create a TrueCrypt volume.

Once you have created the TrueCrypt container, mount it under a drive letter and start using it normally. I also suggest adding it to Favorites (Favorites > Add Mounted Volume to Favorites) with the "mount upon logon" option, so that TrueCrypt asks for the password at every logon and mounts the container automatically.

After the drive letter is assigned, you can access your encrypted container like any normal drive. A tip on forcing Windows XP to save your documents in this container: open an Explorer window, right-click "My Documents" (or "Documents" on Windows 7) and choose Properties.

On XP, the "Target" tab shows the current target folder location. Click "Move..." and choose a folder on the drive letter of the mounted TrueCrypt container (it is a local drive, not a network drive). The redirection only works while the container is mounted, so keep it in Favorites with mount upon logon enabled. The files in the old folder are moved to the container, but a move across volumes is a copy followed by a delete, so their blocks on the unencrypted disk remain recoverable until the free space is overwritten.

In Windows 7 this is done more elegantly from the "Location" tab of the Documents folder's Properties, and you can also include your encrypted drive in the "Documents Library".
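The same result, mounting the container and pointing Documents at it, can be done from a script that runs at logon. The PowerShell below is an added example, not part of the original article or of TrueCrypt. It uses TrueCrypt.exe's documented command-line options (/v volume, /l drive letter, /q quiet) and writes the "Personal" value of the User Shell Folders registry key, which is what the Target/Location dialog edits. The install path, the container path C:\crypt\docs.tc and the drive letter T: are assumptions to adapt. The password is deliberately not passed with /p, so it is never stored in the script or visible in the process list.

```powershell
# Added example, not from the original article: mount the container and redirect
# "My Documents" / "Documents" into it. Assumptions: default TrueCrypt install
# path, container at C:\crypt\docs.tc, mounted as T:.
$TrueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'
$Container = 'C:\crypt\docs.tc'
$Letter    = 'T'
$DocsDir   = "${Letter}:\Documents"

# /v container, /l drive letter, /q do the work and exit without the main window.
# No /p: TrueCrypt shows its own password dialog instead of reading the
# password from the command line (where it would be cached in history and
# visible to every process that can list command lines).
Start-Process -FilePath $TrueCrypt -ArgumentList "/v `"$Container`" /l $Letter /q" -Wait

if (-not (Test-Path "${Letter}:\")) {
    Write-Error "Container not mounted; leaving Documents where it is."
    exit 1
}

if (-not (Test-Path $DocsDir)) {
    New-Item -ItemType Directory -Path $DocsDir | Out-Null
}

# The Documents location is the "Personal" value under User Shell Folders. It is
# stored as REG_EXPAND_SZ, so write it with -Type ExpandString.
$key     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$current = (Get-ItemProperty -Path $key -Name Personal).Personal

if ($current -ne $DocsDir) {
    # Copy what is already in the old folder so nothing is lost. The originals
    # stay in plaintext on the unencrypted disk: delete them and wipe free space
    # once you have verified the copy.
    $old = [Environment]::GetFolderPath('MyDocuments')
    if ((Test-Path $old) -and ($old -ne $DocsDir)) {
        Copy-Item -Path "$old\*" -Destination $DocsDir -Recurse -Force
    }
    Set-ItemProperty -Path $key -Name Personal -Value $DocsDir -Type ExpandString
    Write-Output "Documents now points to $DocsDir; log off and on again for Explorer to pick it up."
} else {
    Write-Output "Documents already points to $DocsDir."
}
```

Put a shortcut to the script in the Startup folder (or a logon task) so the container is mounted before any program opens a document; if the mount fails, the script exits without touching the registry, so Documents keeps its previous location rather than pointing at a drive letter that does not exist.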

Sorin Mustaca
Data Security Expert