
If you ever forget or lose your Windows password


John Ranalletta


John Ranalletta

Try this.

 

Worked like a charm. I changed the domain on a used laptop and invalidated the admin login password.

 

Downloaded the ISO from the above site, blasted it to a CD; booted the laptop from the CD and simply followed the instructions.

 

Very cool lifesaver....

Link to comment
Joe Frickin' Friday
Nothing is secure...

 

No doubt, but this doesn't even seem slightly secure. Granted it requires physical access to the computer, but still...

Link to comment
John Ranalletta

It is what it is. If a person has the data on any bootable media (floppy, USB or CD), the computer will load all the necessary drivers and offer to wipe or change any and all user data including the admin's.

 

I thought I was toast and sent out a msg for help to two sources and both responded with the same utility within minutes.

 

I thought I was the only person not in the know...

Link to comment

It surprises me that this would be a shock to anyone.

 

No electronic system, whether running Windows, Linux, Mac, iOS, or anything else for that matter, is secure if not physically secure.

 

Things like disk encryption can help, but you are only slowing down the inevitable if a really determined person has physical access.

 

It is not a security flaw, but rather a limitation of the medium. Even the world's strongest vault is not secure if somebody is given unlimited physical access.

Link to comment
John Ranalletta

I think it boots Linux and simply lets the user manipulate user data. Other than a BIOS password, if the OS is programmed to fetch a password stored on a separate medium (USB drive), that might provide better security.

 

I don't know how a biometric system works but as long as a password resides in a file on the disk, somebody will figure out a way to read it.

Link to comment

Paul has the right of it. Any box can be broken with unfettered physical access.

 

The only secure data options are FIPS compliant external media or whole drive encryption. I've personally bypassed Windows EFS and Mac encrypted DMG security measures with publicly accessible tools (authorized access for work).

Link to comment
Aluminum_Butt

So does this mean we should be using BIOS passwords if we want better security?

 

BIOS passwords are also useless if the intruder has unmonitored physical access. Most, if not all, PCs have a way to reset/remove the BIOS password - usually a matter of removing the battery that powers the CMOS, or pulling a jumper that erases the CMOS.

Link to comment
Dave McReynolds

The notebook computer that I carry around has confidential information on it for every tax return I have done for several years back.

 

It would be preferable for me to lose all the information rather than have it fall into the wrong hands, if the computer were lost or stolen. All the information is backed up, and while it would be a nuisance to restore it to a different computer, that would be nothing compared with explaining to 400 clients that their confidential information has been compromised.

 

Is there some kind of program out there that would erase all the information on the computer if some unauthorized person starts monkeying with it?

Link to comment
Nice n Easy Rider

Our University IT department is modifying all laptops used for University work by adding 128-bit encryption to the hard drives. My understanding is that this makes it very difficult for someone to pull any info off the hard drive even if they remove the drive from the computer. I suspect that a good computer store might be able to do this for you.

Link to comment
Dennis Andress

The weak link in most encryption schemes is not the cryptography -- the math -- but how it's used. Destroying data only upon unauthorized access means that the data could be accessed if that process were interrupted. A cracker would most likely attack the program you are counting on to destroy your data. Another scenario could be that you fumbled your password once too often and your drive got wiped. Would you then reinstall the program that did the wiping, or say the hell with it?

 

Adding encryption to the hard drive may not be the same as using an encrypted file system. If the encryption is only applied after Windows is up and running, then any file that's part of the Windows OS is probably not encrypted. That means the attack that JohnRan posted at the top of this thread would still work.

 

Security at this level is a PITA, yet compromising 400 private tax returns would suck more. Take a look at the IronKey I posted a link to above. It would provide an effective way to secure your data. But, it alone is not enough. Security will always rest on the data owner.

 

Dennis

Link to comment
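An added example (not part of any post in this thread) illustrating the point above about whether the Windows volume itself is encrypted: it labels a volume by what its first sector shows to an offline boot disk. The `NTFS    ` and `-FVE-FS-` (BitLocker) OEM IDs are real on-disk signatures, but BitLocker is not a product named in the thread, and the sample sectors and the 7.0 entropy threshold are constructed assumptions.

```python
import math
from collections import Counter

SECTOR = 512
NTFS_OEM = b"NTFS    "        # OEM ID at offset 3 of a plaintext NTFS boot sector
BITLOCKER_OEM = b"-FVE-FS-"   # OEM ID at offset 3 of a BitLocker volume


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def classify_volume(first_sector: bytes) -> str:
    """Label a volume by what its first sector shows to an offline reader."""
    if len(first_sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    sector = first_sector[:SECTOR]
    oem_id = sector[3:11]
    if oem_id == NTFS_OEM:
        return "plaintext-ntfs"      # any boot CD can mount and edit this
    if oem_id == BITLOCKER_OEM:
        return "bitlocker"
    if shannon_entropy(sector) > 7.0:  # assumed threshold for "looks random"
        return "high-entropy"        # no signature: consistent with encryption
    return "unknown"


def classify_image(path: str) -> str:
    """Classify a volume image file (or a volume device opened read-only)."""
    with open(path, "rb") as f:
        return classify_volume(f.read(SECTOR))


# Constructed sample sectors, not captured from real disks.
def _sector(oem: bytes) -> bytes:
    return (b"\xeb\x52\x90" + oem).ljust(510, b"\x00") + b"\x55\xaa"

SAMPLES = {
    "unencrypted Windows volume": _sector(NTFS_OEM),
    "BitLocker volume": _sector(BITLOCKER_OEM),
    "signature-free ciphertext": bytes(range(256)) * 2,
    "zeroed volume": bytes(SECTOR),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {classify_volume(data)}")
```

A "high-entropy" result only says the sector has no known signature and looks random; it does not identify the product or prove the whole volume is encrypted.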
John Ranalletta

In Dave's example, could he achieve a higher level of security by saving the data in the cloud w/ nothing on the pc then use a lastpass-type key? Who doesn't have a net connection today?

Link to comment
Aluminum_Butt

Encrypting the drive is likely your best option. You can also encrypt individual files, but this should probably be in addition to, not instead of, drive encryption.

 

Drive encryption would be your first line of defense. This is great protection - it would take a pretty sophisticated hacker some time to break it - not likely they care THAT much about your data. The main weakness is that if your computer is stolen while it's still on (or even in Sleep) the thief would have access to the data (make sure you set a password on your screensaver, and a short time for it to come on). Or, of course, someone could find a weakness in the encryption and publish a program to break it. Certain types of malware/viruses (boot record infectors) can also pick up on the key when you type it in.

 

Assuming you use something like Turbotax and MS Office, where you create individual files for clients, you can encrypt those separately.

 

The drive encryption will keep things like temporary files and other stuff created by your apps safe - I would think it's possible for these files to contain client data from time to time (based on the way your apps work). The file encryption will be an extra (and optional) level of protection.

 

If your laptop supports it, there is a technology called TPM (Trusted Platform Module) - basically a chipset that "marries" your hard drive to the laptop. It works in combination with drive encryption software, so that the data is encrypted and can't be decrypted on any other machine.

 

I did a quick search and didn't really see anything out there that will automatically erase the drive in the event of too many failed attempts to access it. That's a pretty cool idea though - surely somebody has or will do it.

Link to comment
Dennis Andress

I don't know. But, unless the cloud provides encrypted storage, and is certified to some standard, then it wouldn't be anything more than "security by obscurity".

Link to comment
Dennis Andress

I thought about erasing a drive for a bit and remembered that I've recently used a program that writes zeros to every byte on a drive. Booting to DOS from memory stick it took over an hour to wipe a 200 GB drive. It's not the answer Dave was asking for, but you should run something like this if you are disposing of your laptop or drive.

 

KillDisk and WDClear are names that come to mind...

Link to comment
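An added example (not from the thread, and not code from KillDisk or WDClear) of the check that follows a zero-fill wipe like the one described above: read the drive or image back and report any byte ranges that are still non-zero. The function name, chunk size and sample image are assumptions constructed for illustration.

```python
import io

CHUNK = 1024 * 1024  # assumed read size; any positive value works


def nonzero_ranges(stream, chunk_size=CHUNK):
    """Scan a binary stream and return (total_bytes, ranges).

    ranges is a list of (start, end) offsets, end exclusive, covering every
    run of non-zero bytes, merged across chunk boundaries.
    """
    zeros = bytes(chunk_size)
    ranges = []
    offset = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        # Fast path: an all-zero chunk compares equal and is skipped.
        if chunk != zeros[:len(chunk)]:
            for i, value in enumerate(chunk):
                if value:
                    pos = offset + i
                    if ranges and ranges[-1][1] == pos:
                        ranges[-1][1] = pos + 1   # extend the current run
                    else:
                        ranges.append([pos, pos + 1])
        offset += len(chunk)
    return offset, [tuple(r) for r in ranges]


def wipe_is_complete(stream, chunk_size=CHUNK):
    """True only if the stream is non-empty and every byte read is zero."""
    total, ranges = nonzero_ranges(stream, chunk_size)
    return total > 0 and not ranges


# Constructed sample: a 4 KiB "drive" where the wipe missed two regions.
def sample_image():
    image = bytearray(4096)
    image[1000:1010] = b"CLIENTDATA"
    image[2047:2050] = b"abc"          # straddles a 1 KiB chunk boundary
    return bytes(image)


if __name__ == "__main__":
    total, leftovers = nonzero_ranges(io.BytesIO(sample_image()), 1024)
    print(f"scanned {total} bytes, leftover ranges: {leftovers}")
```

For a real check, pass a drive or image file opened read-only in binary mode instead of the in-memory sample.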

My company uses Be Crypt Disk protect full-disk encryption on all of its laptops. This program is used because it meets the requirements of, and is approved by, the UK Ministry of Defence for the protection of restricted information.

 

Andy

Link to comment
I don't know. But, unless the cloud provides encrypted storage, and is certified to some standard, then it wouldn't be anything more than "security by obscurity".
The Amazon cloud servers are certified by the ICP people who regulate credit card information security, that should be plenty good enough for tax returns.
Link to comment
Dennis Andress
My company uses Be Crypt Disk protect full-disk encryption on all of its laptops. This program is used because it meets the requirements of, and is approved by, the UK Ministry of Defence for the protection of restricted information.

 

Andy

 

After a quick read of that page I think they're okay. The page does say that the OS loads through the encryption software -- That's good.

 

Enterprise management software allows disk encryption recovery data and audit logs to be recorded centrally

 

From a casual read I'm looking at this as a possible place for an attack. Who controls the "Enterprise management software"? What is done to secure access when one of those people leaves?

Link to comment
Dennis Andress

Maybe I'm going a bit over the top with this. I'm writing from the perspective of Dave needing to secure 400 customer tax returns -- A data owner needing to secure confidential data. This is not the same as using a piece of encryption software, or a cloud, to increase security. The former implies the responsibility has been met, the latter that it has been shared. I'm not saying the second form isn't good enough; rather, if shit were to start flying, I'd want to have every confidence that I've retained control of my data.

Link to comment

HP includes full drive encryption with some of their machines. Players in the Full Drive encryption include McAfee (SafeBoot), Utimaco (purchased by Lenovo?), and Symantec (bought PointSec, IIRC).

 

Most of these have the option to "forget" the key and render the drive unrecoverable if you mistype the initial password enough times. At least in the enterprise or managed space.

 

I architect/support both full-disk and file-based encryption for work.

 

For this individual user, I would recommend a hardware-based encryption on a USB stick, rather than encrypting the whole HD. Easier to manage, portable between different machines, and limited data to protect.

 

Link to comment
Dave McReynolds

For this individual user, I would recommend a hardware-based encryption on a USB stick, rather than encrypting the whole HD. Easier to manage, portable between different machines, and limited data to protect.

 

Thanks for all your suggestions. This one appeals to me. Even unencrypted, keeping all the client data on a USB stick probably decreases the probability that it will be compromised. Going back to someone's earlier comment that the only real security you have is physical security of the data, it would probably be less likely that a USB stick would fall into the wrong hands than my computer, as I can keep the USB stick either in my computer while I'm using it, or in my pocket, or locked in my safe. So it's probably less likely to be stolen than my laptop (although maybe more likely to get lost, but I don't think I've lost any USB sticks yet). The data is a little slower to retrieve and store than on my computer hard drive, and I suppose a USB stick is more likely to malfunction than my computer hard drive, but those are not deal-breakers, if I am careful about backing things up.

Link to comment
I suppose a USB stick is more likely to malfunction than my computer hard drive
Not at all, buy a good brand name one (though they are almost certainly all made by a few companies anyway). Test it - read and write it at least a few times with lots of data and check that it returns what you put on it. Keep several copies and you will be fine.
Link to comment

On me I have:

Kingston Traveler - 1GB, encrypted

McAfee Encrypted USB - 4GB

SafeBoot USB - 1 GB, fingerprint reader on it

 

McAfee has some sort of partnership with SAN, they provide USB stick w/ encryption and with VirusScan. When you insert it into client, it does a virus-scan of the memory before it lets you access the data. IDK what the retail rate is, it was a conference freebie for me.

Link to comment
Aluminum_Butt

An update...

 

This weekend I installed True Crypt on my company laptop. It's free and open source. The installation program was very thorough and professional, completely explaining every step of the way what the system was doing. I chose to encrypt my entire system drive, but there are other options. You can also create and mount other encrypted volumes (like thumb drives).

 

It's only been a couple of days, but it's working perfectly. No perceptible impact on system performance.

 

 

Link to comment

Archived

This topic is now archived and is closed to further replies.
