
Re: [ISN] ComputracePlus deletes stolen data



Forwarded from: Russell Coker <russell@xxxxxxxxxxxx>

On Mon, 30 Dec 2002 09:23, InfoSec News wrote:
> http://www.fcw.com/fcw/articles/2002/1230/web-comp-12-30-02.asp
>
> By Michelle Speir
> Dec. 30, 2002
>
> The agent is invisible to the user and can survive a hard drive
> reformat, F-disk command and hard drive repartitioning. According to
> Absolute, ComputracePlus is the only product on the computer-tracking
> market that can withstand these attempts at removal.

Interesting that they claim their software-only solution can survive
fdisk and format.  I wonder if they will claim that it can survive the
installation of a different OS?

Something like TCPA MIGHT be able to do this, but nothing less will.

> Data Delete

Hasn't anyone ever heard of cryptography?

Surely if you want to steal someone's data then the first thing you do
is power the machine down and remove the hard drive to prevent such
erasure!

> Conclusion
>
> ComputracePlus goes a long way toward protecting computer assets
> and, perhaps more importantly, the data stored on them. The product
> is also a useful tool for managing and tracking an agency's
> inventory, even if a theft never occurs.

Conclusion, after you steal someone's laptop to get their data don't
immediately connect it to the Internet, copy the data off first!  
Don't boot from the same OS they used, put the hard drive in your own
machine (for best results mount the hard drive on a non-Windows OS).

> Just remember that a product like this has limitations. For example,
> a thief could view data or copy it to disks before connecting to the
> Internet. Also, if the thief is at the computer while the data
> delete process is taking place, he or she might notice it and could
> disconnect the machine and stop the process. Finally, some thieves
> are sophisticated enough to disguise their locations with false IP
> addresses.

My observation is that "rm -rf /" is fast enough that even experienced
administrators often don't catch it while there's still something
left.  mkfs is even faster.

As for "disguising your location with a false IP address", that's an
amusing claim.  Firstly, IP addresses on their own aren't THAT useful
for locating people (think about NAT, think about ISPs in other
countries that won't accept court orders).  Secondly, if you want your
program to trace its location based on IP addresses then you could
give it "traceroute" functionality and have it send the complete
trace log to the server.

> Because the agent is undetectable, however, chances are good that an
> average thief would not think to take such precautions. But
> professional thieves might be familiar enough with this type of
> technology that they would automatically operate as though a
> tracking agent were in place.

Of course it's undetectable.  It's so undetectable that even fdisk
can't find it...  :-#

> While ComputracePlus may not be foolproof, it's certainly much
> better than nothing at all, offering agencies a good chance at
> recovering physical property and keeping sensitive data out of the
> wrong hands.

A much better option is to encrypt all the disks and have the
encryption keys stored in a central office.  Then if the laptop is
rebooted it loses all access to the encrypted data until the
encryption key (could be a regular file on a floppy disk) is used.  
Then as long as the machine has a screen lock program that is used and
as long as it can't be locally hacked then it will be safe.

NB If using an encrypted file system on your laptop be sure to
permanently disable the "Hibernation" facility in the BIOS.  If a
thief can get a dump of all kernel memory to disk then the encryption
key will be available in there.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
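
The hibernation caveat in the message above, as an added example that is not part of the original post: a small audit that reports when a Linux machine could write a suspend-to-disk image (and with it any disk encryption key held in kernel memory) to an unencrypted device. It goes beyond the BIOS setting the post mentions by checking the kernel's own state; the function names, the sample inputs and the operator-supplied `encrypted` set are assumptions made for illustration.

```python
"""Audit whether a Linux laptop could hibernate key material to plaintext disk.

Added example, not from the original post. Inputs are the text of
/sys/power/state, /proc/cmdline and /proc/swaps; the set of encrypted
devices is supplied by the operator (assumption: the tool cannot infer it).
"""


def resume_device(cmdline):
    """Return the value of the resume= kernel parameter, or None."""
    for token in cmdline.split():
        if token.startswith("resume="):
            return token[len("resume="):]
    return None


def active_swaps(proc_swaps):
    """Return device/file names from /proc/swaps, skipping the header row."""
    rows = proc_swaps.strip().splitlines()[1:]
    return [row.split()[0] for row in rows if row.strip()]


def hibernation_findings(power_state, cmdline, proc_swaps, encrypted):
    """List reasons a memory image holding disk keys could land unencrypted."""
    if "disk" not in power_state.split():
        return []  # kernel does not offer suspend-to-disk at all
    findings = []
    target = resume_device(cmdline)
    if target is not None and target not in encrypted:
        findings.append(f"resume target {target} is not encrypted")
    for swap in active_swaps(proc_swaps):
        if swap not in encrypted and swap != target:
            findings.append(f"swap {swap} could hold a plaintext hibernation image")
    return findings


# Constructed sample inputs (not captured from a real machine).
SAMPLE_STATE = "freeze mem disk\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/mapper/cryptroot ro resume=/dev/sda2"
SAMPLE_SWAPS = (
    "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
    "/dev/sda2                               partition\t8388604\t0\t-2\n"
)

if __name__ == "__main__":
    for line in hibernation_findings(SAMPLE_STATE, SAMPLE_CMDLINE,
                                     SAMPLE_SWAPS, {"/dev/mapper/cryptroot"}):
        print("FINDING:", line)
```

An empty result means either that suspend-to-disk is not offered by the kernel or that every resume and swap target is in the set the operator declared encrypted.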



-
ISN is currently hosted by Attrition.org
