Re: [ISN] ComputracePlus deletes stolen data

From: InfoSec News (isnat_private)
Date: Tue Dec 31 2002 - 00:57:41 PST

  • Next message: InfoSec News: "[ISN] Tricare files stolen from Central Region"

    Forwarded from: Russell Coker <russellat_private>
    On Mon, 30 Dec 2002 09:23, InfoSec News wrote:
    > By Michelle Speir
    > Dec. 30, 2002
    > The agent is invisible to the user and can survive a hard drive
    > reformat, F-disk command and hard drive repartitioning. According to
    > Absolute, ComputracePlus is the only product on the computer-tracking
    > market that can withstand these attempts at removal.
    Interesting that they claim their software-only solution can survive
    fdisk and format.  I wonder if they will claim that it can survive the
    installation of a different OS?
    Something like TCPA MIGHT be able to do this, but nothing less will.
    > Data Delete
    Hasn't anyone ever heard of cryptography?
    Surely if you want to steal someone's data then the first thing you do
    is power the machine down and remove the hard drive to prevent such
    > Conclusion
    > ComputracePlus goes a long way toward protecting computer assets
    > and, perhaps more importantly, the data stored on them. The product
    > is also a useful tool for managing and tracking an agency's
    > inventory, even if a theft never occurs.
    Conclusion, after you steal someone's laptop to get their data don't
    immediately connect it to the Internet, copy the data off first!  
    Don't boot from the same OS they used, put the hard drive in your own
    machine (for best results mount the hard drive on a non-Windows OS).
    > Just remember that a product like this has limitations. For example,
    > a thief could view data or copy it to disks before connecting to the
    > Internet. Also, if the thief is at the computer while the data
    > delete process is taking place, he or she might notice it and could
    > disconnect the machine and stop the process. Finally, some thieves
    > are sophisticated enough to disguise their locations with false IP
    > addresses.
    My observation is that "rm -rf /" is fast enough that even experienced
    administrators often don't catch it while there's still something
    left.  mkfs is even faster.
    As for "disguiseing your location with a false IP address", that's an
    amusing claim.  Firstly IP addresses on their own aren't THAT useful
    for locating people (think about NAT, think about ISPs in other
    countries that won't accept court orders).  Secondly if you want your
    program to trace it's location based on IP addresses then you could
    give it "traceroute"  functionality and have it send the complete
    trace log to the server.
    > Because the agent is undetectable, however, chances are good that an
    > average thief would not think to take such precautions. But
    > professional thieves might be familiar enough with this type of
    > technology that they would automatically operate as though a
    > tracking agent were in place.
    Of course it's undetectable.  It's so undetectable that even fdisk
    can't find it...  :-#
    > While ComputracePlus may not be foolproof, it's certainly much
    > better than nothing at all, offering agencies a good chance at
    > recovering physical property and keeping sensitive data out of the
    > wrong hands.
    A much better option is to encrypt all the disks and have the
    encryption keys stored in a central office.  Then if the laptop is
    rebooted it loses all access to the encrypted data until the
    encryption key (could be a regular file on a floppy disk) is used.  
    Then as long as the machine has a screen lock program that is used and
    as long as it can't be locally hacked then it will be safe.
    NB If using an encrypted file system on your laptop be sure to
    permanently disable the "Hibernation" facility in the BIOS.  If a
    thief can get a dump of all kernel memory to disk then the encryption
    key will be available in there.
    --   My NSA Security Enhanced Linux packages  Bonnie++ hard drive benchmark    Postal SMTP/POP benchmark  My home page
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Dec 31 2002 - 08:01:40 PST