How Secure Is Your Encrypted Data?

Most people with portable computers carry around sensitive data on their hard drives. The computer may contain personal data such as accounts and social security numbers. It may also contain sensitive business data, and even worse customer personal information.

The problem is not just limited to portable computers.  What about the computers in your office?  If someone steals a computer or gains physical access to it, could they get sensitive data?  In most cases, the answer is yes.  The standard logon/logoff procedures are usually good enough to keep the typical office worker or janitor out of a computer.  However, even with sophisticated password polices, a person determined to steal data will blow right past those password defenses if they have physical access to the computers.   We are not just talking about some very smart professionals either, hacking tools are easy enough to use for any high-school drop-out. 

More security conscience organizations have moved to enforce encryption on portable computers, and some workstations.  Encryption raises the bar out of reach for even sophisticated hackers. There are some great encryption systems available like AES, 3DES, Blowfish, Twofish...,  these are all virtually unbreakable without the encrypting key. So if your encrypting key is vulnerable, then your data is only as safe as your encrypting key.  Your encrypting key could be vulnerable for obvious reasons, like it is based on a persons name, address, or other common information.  Or it may be vulnerable because it is stored some place where the hacker can gain access to it.  Obviously, if it is in the secretary's top drawer it is vulnerable, but there are less obvious ways that your encryption key might be obtained.  See the article below about how it is possible to extract an encryption key from a computer using special electronic tools, even after the computer is powered off.  Now keep in mind that this type of attack requires physical access to the computer, it also requires sophisticated electronics and skills.  This is beyond the reach of all but the most sophisticated hackers. 

Quoted from http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html:

Researchers: Disk Encryption Not Secure | Threat Level from Wired.com

Researchers with Princeton University and the Electronic Frontier Foundation have found a flaw that renders disk encryption systems useless if an intruder has physical access to your computer -- say in the case of a stolen laptop or when a computer is left unattended on a desktop in sleep mode or while displaying a password prompt screen.

At least one of the encryption tools that was mentioned in he above article, Truecrypt, allows you wipe the cache and memory of the computer when you are finished using the data or turning off the computer. 

I would also like to point out that many online backup service providers store data in encrypted form.  A few of the better designed systems never have and never store your encrypting key.  So even if the most sophisticated professional hacker gained access to the offsite server providers equipment, there would be virtually no chance that data could be decrypted and stolen, because the encryption key is never stored and never used by the service provider.

No comments: