Forwarded from: Russell Coker <email@example.com> On Mon, 30 Dec 2002 09:23, InfoSec News wrote: > http://www.fcw.com/fcw/articles/2002/1230/web-comp-12-30-02.asp > > By Michelle Speir > Dec. 30, 2002 > > The agent is invisible to the user and can survive a hard drive > reformat, F-disk command and hard drive repartitioning. According to > Absolute, ComputracePlus is the only product on the computer-tracking > market that can withstand these attempts at removal. Interesting that they claim their software-only solution can survive fdisk and format. I wonder if they will claim that it can survive the installation of a different OS? Something like TCPA MIGHT be able to do this, but nothing less will. > Data Delete Hasn't anyone ever heard of cryptography? Surely if you want to steal someone's data then the first thing you do is power the machine down and remove the hard drive to prevent such erasure! > Conclusion > > ComputracePlus goes a long way toward protecting computer assets > and, perhaps more importantly, the data stored on them. The product > is also a useful tool for managing and tracking an agency's > inventory, even if a theft never occurs. Conclusion, after you steal someone's laptop to get their data don't immediately connect it to the Internet, copy the data off first! Don't boot from the same OS they used, put the hard drive in your own machine (for best results mount the hard drive on a non-Windows OS). > Just remember that a product like this has limitations. For example, > a thief could view data or copy it to disks before connecting to the > Internet. Also, if the thief is at the computer while the data > delete process is taking place, he or she might notice it and could > disconnect the machine and stop the process. Finally, some thieves > are sophisticated enough to disguise their locations with false IP > addresses. My observation is that "rm -rf /" is fast enough that even experienced administrators often don't catch it while there's still something left. mkfs is even faster. As for "disguiseing your location with a false IP address", that's an amusing claim. Firstly IP addresses on their own aren't THAT useful for locating people (think about NAT, think about ISPs in other countries that won't accept court orders). Secondly if you want your program to trace it's location based on IP addresses then you could give it "traceroute" functionality and have it send the complete trace log to the server. > Because the agent is undetectable, however, chances are good that an > average thief would not think to take such precautions. But > professional thieves might be familiar enough with this type of > technology that they would automatically operate as though a > tracking agent were in place. Of course it's undetectable. It's so undetectable that even fdisk can't find it... :-# > While ComputracePlus may not be foolproof, it's certainly much > better than nothing at all, offering agencies a good chance at > recovering physical property and keeping sensitive data out of the > wrong hands. A much better option is to encrypt all the disks and have the encryption keys stored in a central office. Then if the laptop is rebooted it loses all access to the encrypted data until the encryption key (could be a regular file on a floppy disk) is used. Then as long as the machine has a screen lock program that is used and as long as it can't be locally hacked then it will be safe. NB If using an encrypted file system on your laptop be sure to permanently disable the "Hibernation" facility in the BIOS. If a thief can get a dump of all kernel memory to disk then the encryption key will be available in there. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page - ISN is currently hosted by Attrition.org To unsubscribe email firstname.lastname@example.org with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Dec 31 2002 - 08:01:40 PST