In-Depth

Locking Down Laptops

Keeping hard drive data encrypted is more important than ever

• By Mathew Schwartz
• 02/16/2005

Most laptops that get stolen or even sold today still have recoverable information on their hard drives, including drives pulled from corporate PCs.

Two studies outline the problem: In January 2003, MIT researchers bought used hard drives on eBay, then used common software tools to examine their contents. They found intact information on the majority of those drives.

In 2004, O&O Software GmbH in Berlin conducted a similar study, buying 100 used hard drives—some advertised as non-functional—on eBay. Also using readily available software, O&O then examined the hard drive contents. The results: “From the 100 hard disks, only 10 were securely and properly wiped,” the company reports. “The other 90 all contained data from the previous owners—from illegal software to MP3 music files to personal bank account details and love letters.” The company also found sensitive information from a German health care company.

One way to prevent this kind of problem is to use hard drive encryption software, which makes data recovery extremely difficult—if not impossible—if the hard drive is lost, stolen, or even sold. To discuss this technology, Security Strategies spoke with Walter Loiselle, Vice President of U.S. Operations and Technology, for Utimaco U.S., based in Foxborough, Mass. Utimaco makes hard disk encryption software, SafeGuard Easy, which has over 2.2 million users.

What’s the market today for encrypting data on laptops? Are many companies doing this?

It’s interesting that you asked that question, because from a marketing standpoint, there’s a lot of theft of laptops, so a lot of people automatically equate hard disk encryption [with] laptops. But it’s not just around laptops. An example, is, we have a client that put [our product] on all its laptops and desktops, and the reason is, they’re such a large company that they’d have employees changing their hard drives or swapping out the chassis when they knew upgrades were coming. Also they were paying a vendor for the destruction of the drive. In order to destroy the machine, it cost about $40 per machine. But when you have encrypted drives, you don’t need to certify that they’re destroyed.

So if the drive is removed from the machine, it’s useless?

I can take the drive out of my PC now and sell it on eBay, and they’ll never be able to get anything off my drive; all they can do is reformat it.

How much does hard drive theft really cost businesses?

If you think of someone like Wells Fargo, with three security incidents in 18 months, and if you think of the money because of lost business, or just to get a mailing out [to comply with California’s SB 1386 notification law], that costs millions.

It’s not about the value of the laptop or desktop or PDA, because those are replaceable … it’s the cost of the data. Like when BJ’s [Wholesale Club] had its credit card information stolen. Or there was a recent one with the San Diego blood bank … your health cards have to have their Social Security numbers scrambled now, but at a blood bank, [the database] contains … your Social Security number, whether you have HIV, and all this information you don’t want to get out into [the] public.

There’s another story where an attorney got his car stolen, and his laptop was in it, and his star witness had to go into the Witness Protection Program.

What about insider attacks?

There’s a theory [according to a Michigan State University study] that 70 percent of thefts are internal to a company. So what you’re doing with encryption is, you’re not only stopping the theft or potential theft by outsiders, but also insiders.

And these internal thefts … [sometimes happen when] you have employees changing jobs. We had one client that has about 30 percent turnover on its sales force, and their greatest fear is when employees move from one mortgage company to another; they can’t just start with a new client base, although they’re supposed to. So this client is encrypting not only the hard drives, but also all the removable media, so they can’t take it with them when they go. Or else they’d have to try and e-mail it all.

[This approach] also supports the outsourcing of business, because a lot of companies outsource their security processes—to an extent. They don’t outsource things they consider critical to the company. But now you can; you can outsource everything … and [the outsourcer won’t be able to read] confidential, proprietary pieces of information.

How does your software handle encryption?

The encryption itself, if all I was to do was encrypt your drive, you wouldn’t know it’s encrypted. It’s about a one percent to three percent hit on the CPU and I/O [input/output] on the machine, overall. So if you’re not moving hundreds of megabytes of data, you basically don’t know you’re running an encrypted machine.

Now it also comes down to access control. Access control, combined with encryption, really gives you strong control over your data. So … you can also put in a strong password at the BIOS level, what they call PBA (pre-boot authentication) and that prevents further anyone from hacking into the machine to hack into the hard drive.

Is PBA use prevalent?

I would say 99.9 percent of our clients have PBA turned on … [and] the only difference to end users is, you hit the power button, and two seconds later, you have to give your password. And when you put your password in, the software takes care of it from there. So it takes care of your Windows software, or you can synchronize your PDA … Then with IBM [computers], we also support hardware binding with a chip.

Is the type of encryption used important anymore?

Today, no one encrypts any more strongly than [anyone else] … What separates companies now is what you offer beyond that, such as usability, user access control, antiviral, and other bells and whistles that come with your encryption access software … With our software [for example], we’ll check the master boot records to make sure there are no Trojans floating around in the master boot record. So your master boot record, which used to be Windows-controlled, is now security-software controlled … Now when I boot my machine, it looks to make sure the [record’s] length is the same as last time.

Are there any drivers for using this technology?

California’s SB 1386 is pushing a lot of people. It actually says right in the law [that companies have to notify customers of security breaches,] “unless it’s encrypted.”

My own personal prediction is in less than eight years, you won’t find any serious company out there running plain text data. And what you’ll see in four or five years is a push from large companies, saying other organizations have to encrypt all their data too.

What about building these features into the operating system?

You have to remember that not all encryption products are the same. For example, if you look at Microsoft’s EFS (Encrypting File System)… it’s contingent upon the user doing something, and it only encrypts documents. So … if you open [those documents] on your drive, then it’s in the cache or temporary storage, where someone can retrieve it. It’s only the full hard disk encryption that’s going to give [users] the full protection if their machine is stolen. And you also need to encrypt peripherals … It goes a lot deeper than just the hard drive encryption.

How do you encrypt peripherals?

What people will do with a product like ours is, they’ll put a security certificate on the jump drive, so they can plug it into any computer in the company, and it will work, but not if they take it out of the company.

Related Articles:

Used Laptops Offer Secrets for Sale—Cheap
http://www.esj.com/security/article.aspx?EditorialsID=1009

Businesses Ignore Mobile PDA Threat
http://esj.com/news/article.asp?editorialsId=927