Friday, 30 November 2012

How-to: Choose Encryption or Remote Wipe


Image credit: Password by Salvatore Vuono

The ubiquity of mobile devices is accompanied by the ubiquity of loss and deliberate theft. Most people are unsure how to deal with this and don't realise the damage a lost or stolen device can do until it happens.

Which prompted 'friend of the show' Tony Whitmore to ask our Local User Group (LUG):

Are there any options for remote wiping Linux systems, in the case of them being lost or stolen? I'm sure that some funky trigger mechanism could be set up using dyndns and SSH, but I was looking for something that would scale to a larger number of devices.

Michael Paving wrote: "Ah... I see, corporates have made a decision about a solution, and are now looking for a problem it fits... What is their use-case scenario?
  • Michael loses his Ubuntu laptop in a house burglary, which has company confidential information on it.
  • Michael calls the helpdesk and they send out a "wipe" command.
  • Ronnie (the burglar) turns on Michael's laptop at home, and is presented with an Ubuntu login screen. Scratching his head, he gives the machine to Reggie (his techie mate), who installs a hooky "MS Windows X" onto the machine, wiping everything that was on there...
Are they relying at some point on Ronnie or Reggie plugging the machine into their home ethernet to receive the "wipe" signal? What if Reggie goes one step further, and slaves your hard drive in his desktop? - no "wipe" signal will be received now, and he can browse your data to his heart's content.

The "remote wipe" stuff works well for machines that have their own network connections (3G phones and tablets), but for a desktop or laptop, it's not that likely to be of much use. If the machine auto-logs in, so that Ronnie or Reggie can at least use it (and maybe be tempted to hook it up to their network at this point), it would work, but why would you set up your machines to auto-login if you're worried about your data in the first place?!

Probably not the best security if security is the primary concern...

If you're... concerned for your local machine's data, it would probably be better to encrypt your partitions rather than rely on some tool to lock the stable door. Encrypted partitions don't suffer from the flaws of "remote wipe" software:
  • no accidental wipes
  • no need for the machine to be online to receive a signal
  • no risk of drives being slaved to other machines"
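A check worth running before leaning on "just encrypt your partitions" is whether the filesystems that actually hold the data are dm-crypt backed all the way down, including through LVM. The script below is an added example written for this page, not code from the thread or from the cryptsetup project. It assumes a Linux box with sysfs and util-linux's findmnt; dm-crypt mappings expose a device-mapper UUID beginning "CRYPT-" under /sys/class/block/<dm-N>/dm/uuid, and stacked devices link their lower layers under slaves/. The SYSFS override and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: audit which mounted filesystems
# really sit on a dm-crypt mapping. Each mount's backing device is resolved to
# its kernel name, then the device-mapper stack is walked downwards via sysfs
# "slaves/" links, so LVM-on-LUKS (LV -> crypt -> partition) and LUKS-on-LVM
# are both recognised. dm-crypt mappings carry a UUID starting "CRYPT-"
# (CRYPT-LUKS1-..., CRYPT-PLAIN-...) in /sys/class/block/<dm-N>/dm/uuid.
#
# SYSFS is overridable (assumption for this example) so the walk can be
# exercised against a constructed tree instead of the live system.
SYSFS="${SYSFS:-/sys}"

# /dev/mapper/cryptroot -> dm-0 ; /dev/sda1 -> sda1 ; a path that does not
# exist keeps its basename, which is what the constructed test tree expects.
kernel_name() {
    local path="$1"
    [ -e "$path" ] && path=$(readlink -f "$path")
    basename "$path"
}

# Return 0 if device $1 (a kernel name) or anything below it is dm-crypt.
encrypted_below() {
    local node="$SYSFS/class/block/$1" s
    if [ -r "$node/dm/uuid" ]; then
        case "$(cat "$node/dm/uuid")" in CRYPT-*) return 0 ;; esac
    fi
    for s in "$node"/slaves/*; do
        [ -e "$s" ] || continue            # no slaves/ directory, or empty glob
        if encrypted_below "$(basename "$s")"; then return 0; fi
    done
    return 1
}

# Reads "TARGET SOURCE" lines (the format of findmnt -rn -o TARGET,SOURCE) on
# stdin and prints one verdict per block-device mount; tmpfs, proc and the
# like have no /dev source and are skipped.
report_mounts() {
    local target source
    while read -r target source; do
        case "$source" in /dev/*) ;; *) continue ;; esac
        if encrypted_below "$(kernel_name "$source")"; then
            echo "ENCRYPTED   $target ($source)"
        else
            echo "PLAINTEXT   $target ($source)"
        fi
    done
}

# Usage on a live system:  sh audit-crypt.sh --scan
if [ "${1:-}" = "--scan" ]; then
    findmnt -rn -o TARGET,SOURCE | report_mounts
fi
```

A PLAINTEXT verdict for /boot is expected (the kernel has to be loadable from somewhere); a PLAINTEXT verdict for anything holding user or company data is exactly the "slaved drive" case Michael describes. Swap is not a mount and is not covered here.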

My first thought:
"Oh dear. This old chestnut again. Michael is absolutely right. They need an information security policy to cover use, storage and transport of data before they go leaping to BBC1 'Spooks' solutions.

If I want to acquire data off a hooky laptop, first thing I do is remove the hard drive to a usb enclosure and set to with my Linux data recovery tools. Do not turn on machine, do not pass go, do not collect £200...

And I'm an amateur. Never done such a thing. Ever. Of course..."

Paul Stimpson added:
If you are that concerned about security of the information (things like personal or medical data), encryption is a must. My colleague handles data on vulnerable children, she's been given an Ironkey encrypted USB stick and the moving of the data from the stick to the laptop hard drive is a sacking offence.

If you're worried about an opponent sufficiently sophisticated that they can suck drive keys from suspended RAM, forbid suspending and make the users shut down.

I've always found a good place to start with security is by listing what information is on a device and deciding if it should really be there (should Bob from accounts really be carrying the complete customer database 24/7 because he's too lazy to only carry what he needs?). Then decide who your opponent is and how motivated and sophisticated they are (industrial spies from a major corporation are a much bigger threat than a crack head that wants to sell your laptop for a fix). Also think how long the data is useful for (if it's next month's sales projections and in 3 weeks they will be of no use to your competitor then you only need to keep them out for that long.)

I would try to sell this to whoever thought of the idea, and thought it was clever, by saying that encryption is wiping so clever that it's already done before the guy picks up your device.

Password protection is nothing. In a USB caddy, the contents of the drive are yours, no matter what clever wiping software is on the machine.

Benjie Gilliam came in with:
I agree with encryption being a better option, but the risk is that if you don't shut down, your encryption key is still stored in RAM (most cold boot RAM extraction issues have been solved by shutdown scripts in the last few years, I think?) and if there's a bug in your screensaver (or whatever locks people out when you resume from standby) then they can bypass it and get full access to all your data. (e.g. Google for gnome-screensaver bypass vulnerability or, even more worryingly, Xorg screen lockers bypass vulnerability [1].)

For a typical thief encryption is sufficient, but if someone is determined to get your data you might want to add additional precautions. I would never use a laptop without encryption these days - just the amount your web browser caches about you is enough to worry me about someone stealing that data, even if I never store passwords/etc.

Prey Project comes to mind.

[1]: https://news.ycombinator.com/item?id=3484859  

And James Courtier-Dutton contributed:
Yes, encryption makes remote wipe unnecessary. If the remote person does not know your password, the information stored on the laptop is a random pile of mess. I think it would be nice to see a feature in Linux whereby the suspend to RAM erases the disk password held in RAM, and prompts the user for it on resume. That would help make a bit more of the data protected while in standby.
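The feature James asks for can be built from two cryptsetup commands that already exist: luksSuspend, which wipes the master key from kernel memory and freezes I/O on the mapping, and luksResume, which re-prompts for the passphrase and reinstalls the key. The hook below is an added example for this page, not code from the thread, from cryptsetup or from systemd. It assumes a systemd system (hooks in /lib/systemd/system-sleep are called with "pre"/"post" and the sleep type; systemd-ask-password is available). The important caveat: as written it is only safe for mappings that do not hold the root filesystem, such as an encrypted /home. Once root's mapping is suspended every read from it blocks, so on a LUKS-root system everything used after luksSuspend (the shell, sed, cryptsetup, the password agent) must already live in a tmpfs or the initramfs. The CRYPTSETUP override and the /run state file are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original thread: a systemd sleep hook that wipes
# LUKS master keys from kernel memory before suspend-to-RAM (cryptsetup
# luksSuspend) and re-prompts for the passphrase on resume (luksResume).
# Install as /lib/systemd/system-sleep/luks-suspend, mode 0755; systemd runs
# "luks-suspend pre suspend" before sleeping and "luks-suspend post suspend"
# after waking. Hibernation is deliberately not handled here: the RAM image is
# written to disk, which needs encrypted swap rather than this hook.
#
# Assumption: no suspended mapping holds the root filesystem (see lead-in).

CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"   # overridable so the filter can be tested
STATE=/run/luks-suspend.list             # /run is tmpfs, readable while data is frozen

# Mapping names from `dmsetup table --target crypt`, whose lines look like
#   cryptroot: 0 976773168 crypt aes-xts-plain64 00...00 0 8:2 4096
crypt_mapping_names() {
    sed -n 's/^\([^:][^:]*\): [0-9][0-9]* [0-9][0-9]* crypt .*/\1/p'
}

# Keep only LUKS mappings: plain dm-crypt has no header to re-derive the key
# from, so luksSuspend/luksResume cannot be used on it and its key stays in RAM.
luks_mappings() {
    local name
    crypt_mapping_names | while read -r name; do
        if "$CRYPTSETUP" status "$name" 2>/dev/null | grep -q 'type: *LUKS'; then
            echo "$name"
        fi
    done
}

suspend_mappings() {
    local name
    dmsetup table --target crypt | luks_mappings > "$STATE"
    sync                                  # queued writes would block until resume
    while read -r name; do
        "$CRYPTSETUP" luksSuspend "$name"  # key wiped; reads/writes now block
    done < "$STATE"
}

resume_mappings() {
    local name
    [ -r "$STATE" ] || return 0
    while read -r name; do
        # cryptsetup reads the passphrase from stdin when stdin is not a tty;
        # retry until the passphrase is accepted, since nothing on the
        # mapping is usable until the key is back.
        until systemd-ask-password "Unlock $name:" | "$CRYPTSETUP" luksResume "$name"; do
            sleep 1
        done
    done < "$STATE"
    rm -f "$STATE"
}

main() {
    case "$1/$2" in
        pre/suspend)  suspend_mappings ;;
        post/suspend) resume_mappings ;;
    esac
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```

Note how this interacts with Benjie's screen-locker point: the prompt on resume belongs to cryptsetup, not to the screensaver, so bypassing the locker yields a session whose disk reads block rather than the data itself.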

Gordon Scott replied:
I guess if they're happy that they could recover from any unexpectedly lost data, that a wipe on "Too many failed password attempts" might be an alternative? That would help avoid malicious remote-wiping of normal systems and would circumvent the issue of 'must be connected to wipe'.

I agree with Robin, though, on extracting the data .. the first thing one does is take the drive out of a context where it can run. If deliberately stealing data, I think one probably also makes sure it's not connected to th'Internet. Whether or how easily one can 'take the drive' out of a smart-phone or tablet is another matter...

Finally, Victor Churchill has to get the last word:
... oh, but there is something so Evil Doctor about a remote wipe ... mwahahahaaa!
