The OP was asking about an add-on product for laptops that didn't have BitLocker, and the Evil Maid-type attack was specifically targeting TrueCrypt whole-disk encryption, as I remember. YMMV with other encrypting disk systems.

It is also difficult to cover users' foibles completely, but I've found that locking the desktop to write access, setting the My Documents path to the encrypted container and a good dose of education go a long way. I've just had too many whole-encrypted disks (mainly flash drives, mind) come back with the user saying "When I plugged it in, Windows formatted it...". With whole-disk encryption, TrueCrypt writes the encryption loader into the same place as everyone else, sectors 2 -> 63 on cylinder 0, which obviously makes it non-standard, and with laptops having to be repaired by foreign hands, I prefer the encrypted container approach.

I don't even bother with complex XP login passwords; simply the same as the username. Far too simple to bypass. I do insist that the encryption password be severely complex and, as it is the only password they need remember, it hasn't proved to be a problem.

--
Peter van Houten

On the 27 May, 2010 19:26, Mike Gill wrote the following:
It seems like you're trading one caveat for another, which is trusting that the user will always put sensitive data in the container. Also, this does nothing to protect the OS from being compromised with key loggers, which may take less time than Evil Maid and still provide the encryption key. I'm sure it could be emailed in the background as well, so the attacker who already copied the container will not need to come back for the key either.

You could add the ATA password as a second layer. On my Latitude, the password is prompted even when resuming. I have seen this configurable on other notebooks. They can't install a boot loader if they can't access the drive. This is assuming they are trying to be covert about it all. Resetting the ATA password would be fairly noticeable. I'm not aware of any method to bypass it.

--
Mike Gill

-----Original Message-----
From: Peter van Houten [mailto:[email protected]]
Sent: Thursday, May 27, 2010 8:48 AM
To: NT System Admin Issues
Subject: Re: laptop encryption

I am a TrueCrypt fan with one caveat; we never use full-disk encryption for our clients but rather create an encrypted file container which, when mounted as a separate drive, becomes the repository for all data, including but not limited to Outlook PSTs or Thunderbird profile and mail files, Firefox profile & cache, mobile phone sync data and all documents. Still working on moving Skype and other IM data on to the encrypted drive and using an on-screen keyboard program to enter the encrypted drive's password to try to defeat key loggers.

Besides the vulnerability of full-disk encryption to monitors such as Evil Maid, I have seen fully-encrypted disks presented to Windows, to which the response is "Format Drive XX?". Too risky if the laptop is abroad and needs to be attended to by an ignorant technician.

--
Peter van Houten
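Editor's added example (not code from either poster): the "Format Drive XX?" prompt both messages mention is what an OS does when it reads the first sectors of a disk and finds either no partition table or a partition whose boot sector carries no filesystem signature. The script below reads three constructed disk images the way a mount routine would: an unencrypted NTFS disk, a disk whose partition table is intact but whose partition contents (boot sector included) are ciphertext, and a device-hosted volume with no partition table at all. The single-partition-at-LBA-63 layout, the 7.5 bits/byte entropy cut-off and the SHA-256 counter stream standing in for ciphertext are assumptions made for the example; nothing is read from real hardware.

```python
import hashlib
import math
import struct

SECTOR = 512
PART_START, PART_SECTORS = 63, 64   # assumed layout: one partition starting at LBA 63
ENTROPY_CIPHERTEXT = 7.5            # assumed cut-off in bits/byte; 4 KiB of random data sits near 7.95

def pseudo_ciphertext(nbytes, seed=b"constructed"):
    """Deterministic stand-in for encrypted sectors (SHA-256 in counter mode), constructed
    for this example. Real ciphertext looks the same to a mount routine: no structure."""
    out = bytearray()
    for counter in range((nbytes + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(8, "little")).digest()
    return bytes(out[:nbytes])

def mbr_partitions(img):
    """Return [(type, lba_start, sectors)] from a valid MBR, or None if there is no usable one."""
    if len(img) < SECTOR or img[510:512] != b"\x55\xaa":
        return None
    parts = []
    for off in range(446, 510, 16):
        boot, ptype = img[off], img[off + 4]
        if boot not in (0x00, 0x80):          # garbage in the boot flag: not a partition table
            return None
        lba, count = struct.unpack_from("<II", img, off + 8)
        if ptype and count:
            parts.append((ptype, lba, count))
    return parts

def filesystem_signature(sector):
    """Identify NTFS from its boot-sector OEM ID, the way a mount routine does."""
    return "NTFS" if sector[3:11] == b"NTFS    " else None

def entropy(data):
    """Shannon entropy in bits per byte of the given bytes."""
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def inspect_image(img):
    """What the OS concludes: list of (partition_index, fs, entropy, verdict).
    An image with no partition table yields one entry with index None."""
    parts = mbr_partitions(img)
    if parts is None:
        e = entropy(img[:8 * SECTOR])
        verdict = "encrypted device, OS offers to format" if e > ENTROPY_CIPHERTEXT else "blank device"
        return [(None, None, e, verdict)]
    results = []
    for i, (_ptype, lba, count) in enumerate(parts):
        head = img[lba * SECTOR:(lba + min(count, 8)) * SECTOR]   # boot sector plus the next 7
        fs = filesystem_signature(head) if len(head) >= SECTOR else None
        e = entropy(head)
        if fs:
            verdict = "mountable"
        elif e > ENTROPY_CIPHERTEXT:
            verdict = "encrypted partition, OS offers to format"
        else:
            verdict = "unformatted partition"
        results.append((i, fs, e, verdict))
    return results

def build_mbr(partitions):
    """Minimal MBR: zeroed code area, the given entries, 0x55AA signature."""
    mbr = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(partitions):
        mbr[446 + 16 * i + 4] = ptype
        struct.pack_into("<II", mbr, 446 + 16 * i + 8, lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def ntfs_boot_sector():
    """Just enough of an NTFS boot sector to carry the OEM ID a mount routine keys on."""
    s = bytearray(SECTOR)
    s[0:3], s[3:11], s[510:512] = b"\xeb\x52\x90", b"NTFS    ", b"\x55\xaa"
    return bytes(s)

def constructed_images():
    """Three constructed disk images (not captured from real hardware):
    plain  - MBR + NTFS partition, an unencrypted disk
    fde    - MBR and partition table intact (TrueCrypt keeps them; its loader sits in the
             following sectors), but the partition, boot sector included, is ciphertext
    device - a device-hosted volume: no MBR, no partition table, all ciphertext"""
    size, part_off = (PART_START + PART_SECTORS) * SECTOR, PART_START * SECTOR
    mbr = build_mbr([(0x07, PART_START, PART_SECTORS)])
    plain = bytearray(size)
    plain[:SECTOR], plain[part_off:part_off + SECTOR] = mbr, ntfs_boot_sector()
    fde = bytearray(size)
    fde[:SECTOR], fde[part_off:] = mbr, pseudo_ciphertext(size - part_off, b"system")
    return {"plain": bytes(plain), "fde": bytes(fde), "device": pseudo_ciphertext(size, b"container")}

if __name__ == "__main__":
    for name, img in constructed_images().items():
        for idx, fs, e, verdict in inspect_image(img):
            print(f"{name:6s} partition={idx} fs={fs} entropy={e:.2f} -> {verdict}")
```

Run against an image of a real disk (dd of the first few MiB is enough), the same checks tell you in advance whether a technician's Windows box will see a filesystem or offer to format: a file container on an NTFS partition passes as "mountable", while a system-encrypted partition or a raw encrypted device does not.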
