Data Security Software + OS suggestions Watch

boloop
Badges: 0
Rep:
?
#1
Report Thread starter 11 years ago
#1
Recently, after christmas I upgraded my old desktop Computer. Now this machine is my primary machine for playing games and general use. Since I have a spare laptop I no longer use. I have always been wondering if there is any secure way to run it. Not physically, but the data that is held on the harddrive. Not that I am afraid some bugler will steal my identity (it won't contain personally identifying info) But it will just contain a lot of personal info I don't want unwanted eyes to be seeing.

First of all, Windows. I Like to use XP, can do pretty much everything with it. For emailing, browsing watching Videos etc... But XP comes with no built in HDD Encyption function. A good piece of kit out there is PGP hard drive encyption. I have used this before and it asks for the pass key as soon as it boots up. So the windows files and all other files on the partion are encypted, including the pagefile. But the only problem with it except the monie is that it would be used on the internet and on a network. I worry for the poor security of windows that some one may access my files while its powered up (as it can get around the encypted pass-phrase) So would be installing an Anti-virus, Firewall and other various software?

Or would I better be off with Linux or BSD. I have had a fair bit of experience with these things. But they never always seem to work first time in my experience. And I really hate it when there is a Kernel panic when ever you boot the install CD. But I can see Linux/BSD being better as overall it has better security. But I am not too sure about encypting it. Would it mean I would have to recompile the kernel (never really had sucess with, but willing to try agin since the other times were special cases) and since there is the typical Root, home and Swap partitions. Would they all be encypted? Also, would it be a good idea to leave out the swap If I'm only really going to be doing websurfing, writing documents ect.. with 1GB of ram? I can't see why not. And does anyone have any recomendations for which distro and software to use for encyption?

So any ideas suggestions or opions for what I should do?

Thanks

~Boloop~
0
reply
TomX
Badges: 14
Rep:
?
#2
Report 11 years ago
#2
(Original post by boloop)
First of all, Windows. I Like to use XP, can do pretty much everything with it. For emailing, browsing watching Videos etc... But XP comes with no built in HDD Encyption function. A good piece of kit out there is PGP hard drive encyption. I have used this before and it asks for the pass key as soon as it boots up. So the windows files and all other files on the partion are encypted, including the pagefile. But the only problem with it except the monie is that it would be used on the internet and on a network. I worry for the poor security of windows that some one may access my files while its powered up (as it can get around the encypted pass-phrase) So would be installing an Anti-virus, Firewall and other various software?
On a Windows machine it's generally recommended to run an anti-virus, firewall and anti-spyware program. Other tips are to only have installed programs that you're going to use. If you don't use it, uninstall it. Also, keep a close eye on what processes are running on the machine.

Or would I better be off with Linux or BSD. I have had a fair bit of experience with these things. But they never always seem to work first time in my experience. And I really hate it when there is a Kernel panic when ever you boot the install CD.
Hmm, I'm guessing you tried installing Linux/BSD a while ago? I think a lot of hardware problems have been sorted now.

Check out http://www.linux-laptop.net/ for laptop compatibility for various distributions.

But I can see Linux/BSD being better as overall it has better security.
I think this is potentially true.

But I am not too sure about encypting it. Would it mean I would have to recompile the kernel (never really had sucess with, but willing to try agin since the other times were special cases)
No. You wouldn't necessarily have to recompile the kernel.

and since there is the typical Root, home and Swap partitions. Would they all be encypted?
It's up to you.

Also, would it be a good idea to leave out the swap If I'm only really going to be doing websurfing, writing documents ect.. with 1GB of ram? I can't see why not.
If someone steals your computer while you're using it they could inspect the RAM where private information/passwords/etc. may have been stored. Given you're even considering encrypting your home partition, I'm assuming people reading what's in RAM would be an issue too.

And does anyone have any recomendations for which distro and software to use for encyption?
Since you seem to be highly concerned about security, I recommend you consider running Debian Stable. It's a version of Debian which is released every 12-24 months after undergoing a strict quality (security is implied from quality) check, and only receives security patches until the next release. However, with this comes the lack of new software, but if you're willing to sacrifice that for security/stability, Debian Stable might be right for you.

Also, Slackware Linux, FreeBSD and OpenBSD might be worth checking out.

Here are a few documents you might useful:
ftp://ftp.slackware.com/pub/slackwar...ADME_CRYPT.TXT - These are the instructions for setting up encrypted partitions on Slackware.
http://gentoo-wiki.com/Indexecurity#Filesystem - A whole bunch of stuff from gentoo-wiki (which is usually applicable to all the main Linux distributions).

There's probably documents from Debian on how to do it too, I'll leave that to you.
0
reply
boloop
Badges: 0
Rep:
?
#3
Report Thread starter 11 years ago
#3
(Original post by TomX)
Hmm, I'm guessing you tried installing Linux/BSD a while ago? I think a lot of hardware problems have been sorted now.
Actually, past as well as present. Although Combatability has been getting better. But with getting all teh latest updates from the certain distrobution. Something once worked flawlessly now doesn't work. Thats hapened about twice. But I guess A fix would be easy todo with the power from google.

(Original post by TomX)
If someone steals your computer while you're using it they could inspect the RAM where private information/passwords/etc. may have been stored. Given you're even considering encrypting your home partition, I'm assuming people reading what's in RAM would be an issue too.
Although reading the Ram is a little far to go for most theives. But in the end, I guess this is why Linux was an option as it is more difficultto access these things. Looks like proper hacking has to be done rather than getting a USB stick, then launch an .exe.

But Anyway, Thanks for the advice. I was thinking no-one would reply to this.

But my main concern is that some one may be able to trace my activities either remotely or even have the hard drive themselves and cannot read any files. I sound like a right paranoid twonk. But you hear all the stories in the media. I just dont want to end up in a victimising situation.
0
reply
TomX
Badges: 14
Rep:
?
#4
Report 11 years ago
#4
Mmm I just realised I started talking about encrypting RAM when you asked about swap... oops. I don't know if it's possible at the moment to encrypt the contents of your RAM.
0
reply
boloop
Badges: 0
Rep:
?
#5
Report Thread starter 11 years ago
#5
(Original post by TomX)
Mmm I just realised I started talking about encrypting RAM when you asked about swap... oops. I don't know if it's possible at the moment to encrypt the contents of your RAM.
Lol, It doesn't matter. At the moment I've made a 'Encypted Physcal Volume' Which I create a VLM in to hold the Root + Home directory, as well as the Swap. Obviously The boot partition has to be unecrypted. But hoew can I stop those Files being being tempered with. As Some for of simple logger to catch the PassPhrase/key on bootup could be caught.

I was thinking along the lines of MD5 Hash check. But Does any one have any ideas of how to make a simple script on boot up to check it?

I Think Encypting Ram is too far for my needs. Remember the simple basic fact that once its powered off it loses all the info on the Ram. If the ram can be read then, the attacker pretty much would have access to the rest of the sytem while it is powered up.
0
reply
TomX
Badges: 14
Rep:
?
#6
Report 11 years ago
#6
(Original post by boloop)
Lol, It doesn't matter. At the moment I've made a 'Encypted Physcal Volume' Which I create a VLM in to hold the Root + Home directory, as well as the Swap. Obviously The boot partition has to be unecrypted. But hoew can I stop those Files being being tempered with. As Some for of simple logger to catch the PassPhrase/key on bootup could be caught.

I was thinking along the lines of MD5 Hash check. But Does any one have any ideas of how to make a simple script on boot up to check it?
If you are assuming your kernel (which resides in the boot partition) could be modified, then anything else on that partition could be modified, so having the md5 script shouldn't be on that partition.

Possible solutions are keeping your kernel on read-only media (and then even carrying that around with you), or just having a script on some form of read-only media which checksummed your kernel and invoked GRUB/LILO/whatever if and only if it hadn't been changed.

I Think Encypting Ram is too far for my needs. Remember the simple basic fact that once its powered off it loses all the info on the Ram. If the ram can be read then, the attacker pretty much would have access to the rest of the sytem while it is powered up.
Given this, maybe it's worth considering encrypting the really sensitive (passwords, private documents) on a per-file basis, as well as encrypting the whole partition. Sure, it'd be a little inconvenient, but if someone stole your machine while the machine was turned on, they wouldn't get these. Security vs convenience.


These methods both seem inconvenient (and I'm not even sure of the feasibility of the first method), but it's up to the person to decide how much convenience they're going to sacrifice for security.

For more crazy ideas, check out http://www.debian.org/doc/manuals/se....en.html#s10.5 (Most of the information you find in the Debian Security Manual can be done in other distributions and the BSDs.
0
reply
boloop
Badges: 0
Rep:
?
#7
Report Thread starter 11 years ago
#7
(Original post by TomX)
If you are assuming your kernel (which resides in the boot partition) could be modified, then anything else on that partition could be modified, so having the md5 script shouldn't be on that partition.
I was thinking placing the Md5 checker in the encypted volume. So I would have to enter my pass phrase let it boot up and then tell me if its compromised. So hopefully however wants to avoid the kernel modification alert can't easiy edit the encypted data withought curropting something.

But if there is a modification, potentially it could of captured and saved my passphrase. Assuming the machine isn't connect to any form of network. The only way for an attacker to get this is to reach the machine again. So it would give me time to be on alert and replace my kernel as well as change the passphrase (could take a while!).

(Original post by TomX)
Possible solutions are keeping your kernel on read-only media (and then even carrying that around with you), or just having a script on some form of read-only media which checksummed your kernel and invoked GRUB/LILO/whatever if and only if it hadn't been changed.
Thats an idea. Carrying the it on USB pen. My laptop can boto on usb pen. I got a live Linux set up on it at the mo. I am sure just copying the kernel and the other module file (whatever it is typically called) to the usb and editing the config file for grub will work. This way I know it wont be modified as it would always be in my pocket! Still, would run the MD5 check over it in the saem way as previously mentioned.

Or I could just keep a 'write-once' closed session CD with the kernel on it. While the remaining space is burnt with random data (to stop any playing around with it to delete the old kernel and add their own) Might sign it in UV light and check it if it is the same disc or has it been swapped. I think I am getting Really paranoid now. lol. But its fun to talk about ideas.
0
reply
X

Quick Reply

Attached files
Write a reply...
Reply
new posts
Back
to top
Latest
My Feed

See more of what you like on
The Student Room

You can personalise what you see on TSR. Tell us a little about yourself to get started.

Personalise

Have you made up your mind on your five uni choices?

Yes I know where I'm applying (55)
67.9%
No I haven't decided yet (17)
20.99%
Yes but I might change my mind (9)
11.11%

Watched Threads

View All