Laptop Security

From YWAMKnowledgeBase

Keeping sensitive data secure is important, as sensitive data in the wrong hands is always a problem. But do we in YWAM know what is and what isn't sensitive information? Once we do, we can go about securing that information in a number of ways.

Although this is a general problem that all computer users face, the growing number of laptops in use across the missions means the chance of theft or other data loss keeps increasing. That is why this article is directed at laptop users, although it applies across the board.

Laptop Security

Just what ought we to consider as "sensitive information" that requires securing?

If we take as a starting point that we have two categories:

  1. Personal information (That is information that belongs to us only)
  2. YWAM information (Information that belongs to YWAM only)

The first category is important to most users! However, when we think operationally we need primarily to concern ourselves with YWAM information. Many of our co-workers are also our friends, so we communicate with them on a personal as well as a business basis. Then, of course, we have our family and supporters we communicate with. How easily can a small piece of information slip in there that reveals something and helps someone build a bigger picture... There is a strong case that if YWAM information needs to be made secure then ALL the information we have needs to be secure.

If you believe you require the highest level of security then you are beyond the scope of this article, which needs to focus on the general security that 90% of YWAMers need.

So what sensitive information falls into the second category? What should we be concerned that our colleagues should keep secure?

NOTE: Let's not forget that Mobile Phones and Handheld computers/Agendas can also be a security risk too!

Sensitive YWAM Information

  1. YWAM Bank accounts and passwords
  2. Passwords to YWAM websites
    • not only YWAM websites, since many people use one password for everything: personal / YWAM websites, MySpace, Facebook, blogs, forums, Second Life, etc. - even the same password as the login for the computer itself. One leaked password then unlocks every one of those accounts.
  3. Confidential information about members of YWAM (Beliefs, Health etc)
    • YWAM and other organisations and churches we partner with
  4. Reports about meetings (potential to reveal Names, Locations, Contact Details, Future Plans, etc.)
  5. Projects / Outreach Plans (General Information)
  6. Project Partner / Outreach Partner (Names, Locations, Contact Details, etc.)
  7. Email communication
    • Emails reveal names, email addresses, information, etc. and user names / passwords for email accounts
    • Email is normally relayed across networks in plain text, and where a server-to-server link is encrypted (TLS) that only protects that one hop: every mail server along the way, and whoever runs it, can still read the message. If you don't want anyone to read it you will need to encrypt it before you send it!
    • Email Attachments
    • Email Address books
  8. Mailing lists and address books for obvious reasons
  9. Browser bookmarks (and caches) can reveal interesting information, as can the browser history. Remember that Google, Microsoft and others claim they can work out whether a person is male or female, their age, hobbies, approximate wages and other information just by logging their browsing habits.
  10. Pictures can reveal a big deal.
    • E.g. At a recent U of N conference there was a person present whose image should not be published on websites or in any other publications. It was specifically announced...

Government Snooping of personal data

Recent exposure of the degree to which the NSA has been accessing personal email, Skype and cloud-stored documents has been quite alarming. Apple, Google, Microsoft and many more companies have to comply with legal requests from the US government to supply information about, or direct access to, emails stored on their servers. This information is known to be shared with other agencies and with the UK government, for example. Whilst this is perhaps little threat to YWAM, it is sobering to note that as we increasingly rely upon such services for our email, document storage and communications we cannot have true privacy.

Please review all your use of Outlook.com email, Hotmail, Microsoft's SkyDrive service, Skype conversations and calls, Google's services etc.

See this Guardian article for an example of what governments can have access to.

Securing a Laptop

There are several ways of securing your laptop.

Preventing People From Stealing Your Laptop

  • Anti-theft cable from Parkin Security Consultants
    Buy a laptop security cable. Almost all laptops made in the last 10 years have a small security slot built in for a metal cable like this one to lock into (now even LCD monitors and projectors have them). You lock the cable into your laptop at one end, having passed the other end around a secure fixture. A cable only deters the opportunist thief; if the machine is taken anyway, your data is only protected by the measures in the following sections. NOTE: I have never seen a YWAMer with one of these.

Preventing Others From Accessing Your Data

  • Pick a good password and make sure that you log into your desktop account with a password!
  • Make sure you have a screensaver (even the blank one) with the option to require a password to get back into your account.
  • Turn on the BIOS password option - anyone wanting to start your machine will then have to figure out the password you chose. On many machines it can only be cleared by opening the case and removing the CMOS battery, so it only stops people who have quick, casual access to your laptop. Note that it does nothing for the data itself: the hard disk can simply be removed and read in another computer, which is why the encryption described below matters.
  • And of course make sure your computer is regularly backed up. The backup must be stored somewhere secure too - an unencrypted backup drive undoes the point of encrypting the laptop.

Encrypting Your Data

You can use TrueCrypt to encrypt a whole partition of your hard disk, and/or create a very large file on your disk which TrueCrypt mounts as a new (virtual) encrypted drive. You then need to keep all your data inside that encrypted drive; anything left outside it is unprotected. (TrueCrypt is no longer maintained; VeraCrypt is its maintained successor and works the same way.)

You can also use Full Disk Encryption. This is where the entire hard disk (operating system, swap and temporary files included) is encrypted rather than just a part of it, so nothing can be forgotten outside the encrypted area.

  • You can purchase some laptops with the entire hard drive already encrypted and secured... but you might have to search around for them!
  • Microsoft Windows Vista (Ultimate or Enterprise editions only) includes full disk encryption under the name BitLocker Drive Encryption [1]
  • You could install a recent version of Linux (Ubuntu Linux, Fedora (http://fedoraproject.org/) etc.) on your laptop, as their installers offer full disk encryption as an option. You could also buy a laptop with Linux pre-installed (Dell offer some good ones), but you might need to look around for someone to install it encrypted. There is a step-by-step guide to installing Ubuntu with full-disk encryption here [2].
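A practical check to go with the above: on a Linux laptop you can confirm that the filesystems holding your data really sit on top of an encrypted (dm-crypt/LUKS) layer rather than taking the installer's word for it. The script below is an added example written for this article, not code from the original page or from any distribution; it parses the output of `lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT` and walks each mounted device up through its parents looking for a `crypt` layer. The sample output embedded in it is constructed for illustration, not captured from a real machine.

```python
import shlex
import subprocess

# Constructed sample output of `lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT`
# (not from a real machine). Root and /home are LVM volumes inside a LUKS
# container; /boot and a separate data partition are not encrypted.
SAMPLE_LSBLK = """\
NAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
NAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
NAME="luks-4f2c" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
NAME="vg-root" PKNAME="luks-4f2c" TYPE="lvm" MOUNTPOINT="/"
NAME="vg-home" PKNAME="luks-4f2c" TYPE="lvm" MOUNTPOINT="/home"
NAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT="/data"
"""


def parse_lsblk(output: str) -> dict:
    """Turn `lsblk -P` KEY="value" lines into {name: {parent, type, mount}}."""
    devices = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        # shlex handles the quoting; each token is KEY=value after the quotes are stripped
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = {
            "parent": fields.get("PKNAME", ""),
            "type": fields.get("TYPE", ""),
            "mount": fields.get("MOUNTPOINT", ""),
        }
    return devices


def is_encrypted(devices: dict, mountpoint: str) -> bool:
    """True if the device mounted at `mountpoint` sits on top of a dm-crypt layer.

    Walks the block-device stack upwards (lvm -> crypt -> part -> disk); a
    filesystem is only protected if a TYPE="crypt" device lies somewhere below it.
    """
    name = next((n for n, d in devices.items() if d["mount"] == mountpoint), None)
    if name is None:
        raise KeyError(f"nothing mounted at {mountpoint}")
    seen = set()
    while name in devices and name not in seen:
        seen.add(name)
        if devices[name]["type"] == "crypt":
            return True
        name = devices[name]["parent"]   # "" (no parent) ends the walk
    return False


def unencrypted_mounts(devices: dict) -> list:
    """Every mounted filesystem that is NOT protected by disk encryption."""
    return sorted(d["mount"] for d in devices.values()
                  if d["mount"] and not is_encrypted(devices, d["mount"]))


if __name__ == "__main__":
    # Run against the live system (requires lsblk from util-linux).
    out = subprocess.run(["lsblk", "-P", "-o", "NAME,PKNAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    print("unencrypted filesystems:", unencrypted_mounts(parse_lsblk(out)))
```

On the sample data this reports `/boot` and `/data` as unencrypted. An unencrypted `/boot` is normal (the bootloader has to read it), but a separate data partition outside the container is exactly the kind of place sensitive files end up by accident.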

Sending Encrypted Emails

This keeps the contents of the email secure as it passes across the different mail servers until the recipient reads it. It does not protect the recipients' addresses (obviously) or the subject line: those stay visible to every server in between.

How do you send emails with Pretty Good Privacy (PGP)?

  1. It is a fairly involved process and you will need specialised email software or an extension for your current email client. Thunderbird has a useful add-on called Enigmail that, together with the GNU Privacy Guard (GnuPG) program, provides a good encrypted email system for Windows, Linux and Mac. Instructions are available here.[3]
  2. Your software will create two keys: your own Private key (YOU MUST NEVER DIVULGE THIS, EXCEPT FOR LEGAL REASONS), protected by a passphrase you choose, and a Public key that should be passed around freely.
  3. You will first need to give your Public key to the recipient and get a copy of their Public key. The key itself need not be kept secret, but you must be confident that the public key really belongs to the person you think it belongs to. Tip: rather than relying on a key received by email, copy their key onto a USB stick when you next meet and pass them yours. An alternative is to compare the so-called "Fingerprints" of the keys over a different medium than email (e.g. by phone).
  4. Once you have their key and you know for certain it is their key, you sign their key with your Private key. This records that you have verified that person's key and your mail program will treat it as trusted; until then most programs will warn you (or refuse) when you try to encrypt to it.
  5. You then write an email and ask the mail program to encrypt and sign it. It will ask you for the passphrase of your private key. Sometimes it will ask which key you wish to encrypt the email with: you choose your correspondent's key. Then you send your mail, and nobody other than you and the recipient will be able to read the message.
  6. The encryption is strong. Very strong. Breaking a properly generated key by brute force is not feasible with any computing power available. However, even though the mail cannot be cracked, it is almost certain that the fact that the two of you are sending encrypted email to each other will be noticed: who wrote to whom, and when, is never hidden.
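Step 3 is where most people cut corners, so here is what "comparing fingerprints" actually involves. The code below is an added example written for this article, not part of the original page and not GnuPG's or Enigmail's own code. It computes an OpenPGP v4 fingerprint the way RFC 4880 §12.2 defines it (SHA-1 over 0x99, a two-byte length and the public-key packet body), derives the long key ID from it, and compares it with a fingerprint read out over the phone, tolerating the spaces and lower case a person dictating it will introduce. The sample key is constructed purely to exercise the format (its modulus is only 64 bits); it is not a real key and must not be used as one.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 §3.2)."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 public-key packet: version, creation time, algorithm (1 = RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 §12.2: SHA-1 over 0x99, the two-octet body length, and the body itself."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The long key ID is the low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return fingerprint[-16:]


def public_key_body_from_export(blob: bytes) -> bytes:
    """Extract the public-key packet body from binary `gpg --export` output.

    The export starts with an old-format packet header: 0x99 is tag 6 (public
    key) with a two-octet length, which is exactly why the fingerprint hash
    begins with 0x99. New-format headers are not handled by this example.
    """
    tag_byte = blob[0]
    if tag_byte & 0xC0 != 0x80:
        raise ValueError("not an old-format packet header")
    if (tag_byte >> 2) & 0x0F != 6:
        raise ValueError("first packet is not a public key")
    length_type = tag_byte & 0x03
    if length_type == 3:
        raise ValueError("indeterminate length is not valid for a key packet")
    length_size = {0: 1, 1: 2, 2: 4}[length_type]
    length = int.from_bytes(blob[1:1 + length_size], "big")
    return blob[1 + length_size:1 + length_size + length]


def normalize(fpr: str) -> str:
    """Strip the spaces gpg prints (groups of four) and any lower case from a dictated fingerprint."""
    return "".join(fpr.split()).upper()


def fingerprints_match(local: str, spoken: str) -> bool:
    """Compare the fingerprint computed from the key you hold with the one its owner read out."""
    return hmac.compare_digest(normalize(local), normalize(spoken))


# Constructed sample key: NOT a real key, the modulus is tiny and only exercises the format.
SAMPLE_BODY = rsa_public_key_body(created=1200000000, n=0xD2A1F3B7C4E5A6F1, e=65537)
SAMPLE_EXPORT = b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY


if __name__ == "__main__":
    fpr = v4_fingerprint(public_key_body_from_export(SAMPLE_EXPORT))
    print("fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("long key id:", key_id(fpr))
```

The point of the comparison: a key received by email could have been swapped in transit, but the fingerprint is a hash of the whole public key, so if the 40 digits your correspondent reads out match the ones your software computed, you hold their real key. A short key ID alone is not enough; it is only the last 16 digits and can be deliberately collided.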

Sending Encrypted Emails (Alternative Method)

There is one interesting alternative to PGP: S/MIME.

The process changes:

  1. With PGP, everybody is responsible for verifying for themselves that they can trust a key's owner (is he who he says he is?), or at least that somebody they already trust trusts him (the Web of Trust). S/MIME, however, hands this responsibility to an organisation called a Certificate Authority (CA). Participants register with the CA, prove that they are who they claim to be, and the CA confirms it by signing their certificate.
  2. That's why an S/MIME client certificate (the CA's signed statement binding your public key to your identity; the private key stays with you) usually costs something: a company charges for the checking it does for you. However, there is one free community alternative: http://www.cacert.org/
  3. Community here means that everybody whose own identity has been verified can vouch for other people's identities. When 3 people confirm having seen your identity card, CAcert will give you the desired certificate - for free.

Advantage of S/MIME over PGP:

  • S/MIME is built into Thunderbird and Outlook, so there is less hassle installing extensions etc.

Disadvantage:

  • However, CAcert is not yet on the list of Certificate Authorities that mail programs trust by default. Everybody who will use these certificates has to install the CAcert root certificate. How?
    • Go to http://www.cacert.org/index.php?id=3
    • Click on one of the Links depending on the browser you use. Firefox: PEM.
    • A popup window appears - confirm to trust this certificate.
    • Export this certificate (Firefox: Options > Advanced > Encryption > Show Certificates > Authorities) to a file.
    • Import it into Thunderbird, Outlook or whatever mail program you use.

Warning:

  • It is recommended to choose one of the two, either PGP or S/MIME. They are not compatible, and when you want to send an email to two recipients, one who uses PGP and the other S/MIME, that's where the trouble begins. Also, don't try to send emails encrypted to only some of the recipients (it doesn't make much sense anyway). Emails can always be signed, though, as clients that don't understand the signature just show it as an attached file (with strange content).