[FDE] hard disk p/w protection - secure?

Allen netsecurity at sound-by-design.com
Mon Jun 4 22:04:24 MDT 2007 

Hi Crispin,

Crispin Cowan wrote:
> Allen wrote:
>> Crispin Cowan wrote:
>>   
>>> It costs organizations big $$$ when a laptop with sensitive data on it
>>> is stolen, but that is because they don't know for sure that it has been
>>> fdisk'd.
>>>
>>> More over, if everyone used BIOS and HD passwords that would .... hmmm,
>>> not do much at all:
>>>
>>>     * No effect on the market for stolen laptops, see above.
>>>     * Nearly no effect on the cost of recovery if sensitive data is on a
>>>       stolen laptop: it just sets a lower bound on the value of the data
>>>       you can disregard. If the value of the data is below the $2K it
>>>       costs to recover the drive, then ignore the incident, otherwise
>>>       proceed with your press release mea culpa
>>>     
>> Actually there is one market you are forgetting - blackmail. How 
>> much would megabucks corp pay to keep their name out of the 
>> papers over embarrassing disclosures?
>>   
> Ok ... I considered that to be part of the stolen data cost. So, given
> that BIOS and HD passwords are trivially breakable, one should only
> store secrets on them that are worth less than the $2000 (or less) it
> would take to break the password protection. How is this market different?

What is an e-mail worth? Can you put a value on a mash note? In 
one sense, sure, by evaluating the consequential damage 
potential. If the significant other finds out it might result in 
a nasty divorce with significant costs associated.

However, what if the data by itself has no intrinsic value? The 
easiest way to explain is with an example. You find a key to a 
house on the lawn at the park. Assume, in the first instance, 
that you have no clue as to which house it belongs to. Value to a 
burglar, zip. In the second instance you notice a magazine laying 
  nearby with a name and address on it. You don't know if they 
are related but they might be. What is the value then? If it is 
the address then the value of the potential loss is the contents 
of the house. So a 2 buck item gets a much bigger value when 
amalgamated with other data.

In much the same way what be trivial information on its own can 
have much greater value when amalgamated with other data.

Okay, back to the laptop. Odds are that if you can read the data 
at all and it is from a large company you could go googling and 
see what else you can find about the person whose computer it 
was, their position in the company and their work associates. 
This then applied to a bit of social engineering could result in 
a much bigger breach. Or you could go dumpster diving at the 
company offices and pick up information that could tie into what 
was found on the computer. Now what value is the data on the 
computer? A two-bit memo could give enough information to do a 
pump and dump stock scheme, etc. The possibilities are almost 
endless.

For what it's worth, this type of puzzling things out from bits 
and pieces is where the CIA gets the overwhelming bulk of it 
intelligence.

But, in a way you are correct that the risks are low that any 
given laptop is going to be treated this way. Is it worth the 
cost to mitigate this risk? If I was a salesman for a large 
company, you bet. For a personal computer, probably as you might 
have enough data about yourself to enable identity theft. In fact 
I am hard put to think of a computer used at all significantly 
that doesn't merit mitigation of the potential risks.

Best,

Allen

More information about the FDE mailing list