Is anyone else encrypting their hard drives?

 
 
Thomas
 
  1  
Reply Mon 26 Sep, 2011 07:59 am
@BillRM,
BillRM wrote:
Hello engineer, you do not use your personal computer for online banking and bill paying?

I'm not engineer, but I do that on my bank's website, using an encrypted (https) connection. The transaction leaves no record on my hard drive. (I clear my browser history more or less daily.)

BillRM wrote:
How about doing such tasks as doing your income tax?

I store all sensitive data, including my income tax program and the files it produces, on a USB pen drive. It's connected to my computer only a few days a year. That would not include travel days.
parados
 
  1  
Reply Mon 26 Sep, 2011 08:01 am
@BillRM,
Quote:
I am assuming in my reply that you are using a win machine like 90 percent of us are doing.

You are assuming wrong. I only use Windows in a virtual machine these days.

Quote:
Password protecting a Windows machine either in the BIOS or your account in Windows is worthless, as anyone with a little knowledge, i.e. myself for example, can bypass those forms of protection in roughly 30 seconds or so.

This and all of the rest of your statement assumes that the person that steals my laptop is much more interested in my data than they are the hardware. Good luck on your 30 second claim. In reality, you wouldn't be able to bypass most protections in 30 seconds since it would take longer than that for most systems to boot up and get to a working screen. If you pulled my hard drive and put it on the average Windows system the drive would be unrecognized.

How many people with the skills to bypass passwords in 30 seconds are stealing laptops? It's easier to get a real job that pays 6 figures than it is to steal computers on the off chance you can find sensitive data. No one is going to target my computer to get company trade secrets. I consider it an acceptable risk.
1. They need to get my computer.
2. They need to realize they won't be able to start the OS without a password.
3. They need to start with an off computer OS. (Very easy to do but you still have to boot the computer which takes more than 30 seconds.)
4. They then have to browse through all my files looking for ones that have data they can use. (They can't just search the hard drive for key words like "account" or "password" since I have encrypted those files.)
5. Once they find the password protected files, they then have to break into those files. (Not too difficult, but it all takes time.)

You will be lucky to get sensitive data from my computer in less than an hour.
And that's if you bothered to mount all my logical drives or found my Windows virtual drives that might contain info.


Quote:
Now on top of that you are wrong, in that if the OS will not boot because of a problem with the encrypted hard drive you can then just boot from the truecrypt rescue CD that is created every time you do a whole-disk encryption.

That's a good one. Quick. Where is your CD? Can you find it in the next 30 seconds? Most people that make recovery disks, as Windows used to ask for, probably lose them within a month.


Quote:
Now as far as you not having anything worthwhile on your computer that needs real protection, that is not normally the case for most of us, and once more your passwords are almost completely worthless as a means of protection.

And the same can be said of your TrueCrypt password. In this day and age, it can probably be brute forced in less than a week.
0 Replies
 
BillRM
 
  1  
Reply Mon 26 Sep, 2011 08:02 am
@Thomas,
Quote:
What if my hard disk crashes, if I am the one who needs to recover information from it? If the hard drive is encrypted, that can be an ordeal because its content is now gibberish.


Thomas, it is always a good idea to do backups, encrypted drive or not, and now with external drives in the 2T range, shortly going to 3T, of room at a cost of around 100 dollars being on the market, there is no reason not to do so.

With truecrypt there is also a boot rescue disk that, depending on how bad the drive is, can still remove most of the encryption even if the drive's OS section is in such bad shape the computer will not boot.

Footnote: the program spinrite will work to do repairs on a hard drive that is encrypted; however, it costs as much by itself as a 2T backup drive!
0 Replies
 
BillRM
 
  1  
Reply Mon 26 Sep, 2011 08:17 am
@Thomas,
Quote:
The transaction leaves no record on my hard drive. (I clear my browser history more or less daily.)



Thomas, I would not count on no record on your hard drive with tax software, for example, as such software has the charming habit of putting out all manner of temp files and backup files all over the place that you are not normally aware of.

As far as banking transactions leaving no record, I would also not count on that being true, as the pagefile and hibernation file are likely to have such information for some time.

It is amazing how much the Windows OS leaks information all over the hard drive.
Thomas
 
  1  
Reply Mon 26 Sep, 2011 08:20 am
@BillRM,
BillRM wrote:
It is amazing how much the Windows OS leaks information all over the hard drive.

I'm using Linux.
BillRM
 
  1  
Reply Mon 26 Sep, 2011 08:27 am
@Thomas,
Quote:
I'm using Linux.


So you are the one or two percent or so of all computer users that use Linux!

I have been thinking of giving it a try as I do not wish to go to win 7 and beyond.

Now my first question is: do you use wine to run Windows tax programs, or are there tax programs that will run under Linux directly?

Second question: you are a Linux user and still do not do backups?

I can see the average Windows user not knowing how important backups can be to do, but I would expect that the average level of Linux user knowledge would be far higher than the average Windows user.
parados
 
  2  
Reply Mon 26 Sep, 2011 10:26 am
@BillRM,
I'm curious how you convinced your relatives they have to type in a minimum 20 character password that can't be easily guessed every time they boot up.
BillRM
 
  1  
Reply Mon 26 Sep, 2011 10:31 am
@parados,
Quote:
I'm curious how you convinced your relatives they have to type in a minimum 20 character password that can't be easily guessed every time they boot up.


Go to the following link to GRC concerning passwords and padding.

Note it is highly interesting to go to this link as it contains a Brute Force Password “Search Space” Calculator that is fun to play with.

The password "PARADOS,,,...///" by the calculator would take 69.73 thousand centuries assuming guessing one hundred trillion passwords a second. The search space size would be 2.19 x 10^28


https://www.grc.com/haystack.htm

And here's the key insight of this page, and “Password Padding”:
Once an exhaustive password search begins,
the most important factor is password length!

•The password doesn't need to have “complex length”, because “simple length” is just as unknown to the attacker and must be searched for, just the same.
•“Simple length”, which is easily created by padding an easily memorized password with equally easy to remember (and enter) padding creates unbreakable passwords that are also easy to use.
•And note that simple padding also defeats all dictionary lookups, since even the otherwise weak phrase “Password”, once it is padded with additional characters of any sort, will not match a standard password guess of just “Password.”
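
An added example, not part of BillRM's post or the GRC page: a search-space calculation for "PARADOS,,,...///" that reproduces the search-space size and the 69.73 thousand centuries quoted above. The class sizes (26/26/10/33), counting every length up to the password's own, and the 52-week year are assumptions of this example, chosen because they match the quoted numbers.

```python
import string

# Assumed class sizes: 26 upper, 26 lower, 10 digits, 33 symbols (incl. space).
CLASSES = (
    frozenset(string.ascii_uppercase),
    frozenset(string.ascii_lowercase),
    frozenset(string.digits),
    frozenset(string.punctuation + " "),
)
GUESSES_PER_SECOND = 100 * 10**12        # "one hundred trillion" from the post
# Assumed 52-week year; it reproduces the 69.73 figure quoted in the post.
SECONDS_PER_CENTURY = 100 * 364 * 86400


def alphabet_size(password: str) -> int:
    """Add up the full size of every character class the password touches."""
    if not password:
        raise ValueError("empty password")
    unknown = set(password) - frozenset().union(*CLASSES)
    if unknown:
        raise ValueError(f"characters outside printable ASCII: {sorted(unknown)}")
    return sum(len(c) for c in CLASSES if c & set(password))


def search_space(password: str) -> int:
    """Count every password over that alphabet of length 1..len(password)."""
    size = alphabet_size(password)
    return sum(size**k for k in range(1, len(password) + 1))


def centuries_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole search space at `rate` guesses/second."""
    return search_space(password) / (rate * SECONDS_PER_CENTURY)


def min_length(size: int, centuries: float, rate: int = GUESSES_PER_SECOND) -> int:
    """Shortest length whose full search space outlasts `centuries` of guessing."""
    budget = centuries * SECONDS_PER_CENTURY * rate
    total = length = 0
    while total <= budget:
        length += 1
        total += size**length
    return length


if __name__ == "__main__":
    # Constructed comparison: bare word, the post's padded form, short "complex" form.
    for pw in ("PARADOS", "PARADOS,,,...///", "P4r@d0s!"):
        print(f"{pw!r:20} alphabet={alphabet_size(pw):3} "
              f"space={search_space(pw):.2e} "
              f"centuries={centuries_to_exhaust(pw):.3g}")
    # Length needed to outlast one century, letters-only vs all four classes.
    for size in (26, 59, 95):
        print(f"alphabet {size}: {min_length(size, 1)} characters")
```

These figures describe exhaustive search only; they do not model guessing that tries likely words and padding patterns first.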
parados
 
  1  
Reply Mon 26 Sep, 2011 11:21 am
@BillRM,
They still have to remember the 20 characters and type them in accurately.

Do I type that "," 4 times or 5? People are still people. Frustration of typing in a 20 character password twice because you got it wrong the first time leads to changing passwords. Do your relatives regularly use 20 character passwords or not?
BillRM
 
  1  
Reply Mon 26 Sep, 2011 11:45 am
@parados,
Quote:
Do your relatives regularly use 20 character passwords or not?


Yes, when it comes to the truecrypt password, and there is zero need to remember the other passwords you use day in and day out as you have them in a word file protected by truecrypt and cut and paste them. I do not remember my banking password or my credit card passwords and they are all very long and complex.

So typing in a word or two then some padding is hard to do????!!!??.

Padding such as ????;;;;,,,,.... is hard to remember or type????!!!!!!!

Strange, my wife does not have that problem and neither do I, and once you enter your password a few times the error rate goes to near zero.
0 Replies
 
maxdancona
 
  1  
Reply Mon 26 Sep, 2011 06:37 pm
@Thomas,
Quote:
That said, I'm seriously considering encrypting my email with PGP (or rather GPG, its open-source alternative). There's no good reason I haven't done that, just procrastination.


That and the fact that you will have to find someone to send it to.
0 Replies
 
maxdancona
 
  1  
Reply Mon 26 Sep, 2011 06:49 pm
I think that encrypting your hard drive is overkill for 99% of us. There is no data on your laptop that is worth anything. Not even credit cards or tax returns are really worth anything from one laptop (unless you are famous).

We carry purses and wallets around without locks or chains.

BillRM
 
  1  
Reply Mon 26 Sep, 2011 09:04 pm
@maxdancona,
Quote:
I think that encrypting your hard drive is overkill for 99% of us. There is no data on your laptop that is worth anything. Not even credit cards or tax returns are really worth anything from one laptop (unless you are famous).


Overkill?

More and more of us are controlling our total financial life over the internet and in my case my computers contain passwords able to move many hundreds of thousands of dollars out of bank accounts and investment funds.

Not only my funds but also other family members' funds, and that does call for strong encryption at the very least.

For some strange reason I do not feel like getting into a race between myself and whoever stole one of my computers to see if I can lock down all the accounts under my control before the funds leave the US at the speed of light to Nigeria or some other similar location in the world.

Yes, I could remove such information from my computers and place it on a piece of paper in my safe; however, no safe and surely not a Sears safe is as secure as a hard drive protected by truecrypt, and with the information on my computers I can manage my finances anywhere in the world as if I was home.
trying2learn
 
  1  
Reply Mon 26 Sep, 2011 09:09 pm
@Thomas,
Thomas wrote:
I'm not engineer, but I do that on my bank's website, using an encrypted (https) connection. The transaction leaves no record on my hard drive. (I clear my browser history more or less daily.)
I store all sensitive data, including my income tax program and the files it produces, on a USB pen drive. It's connected to my computer only a few days a year. That would not include travel days.

Edit: This is what I do too
BillRM
 
  1  
Reply Mon 26 Sep, 2011 09:25 pm
@trying2learn,
One wonders if you carry a piece of paper around with you or keep it at home with all your passwords written on it or use one password for all your banking/credit card/etc sites or..............

Oh, good luck with the idea, at least as far as the Windows OS is concerned, that no information is to be found on your hard drive.

I do not know enough concerning the Mac os or Linux os to express an opinion on them in that regard.
maxdancona
 
  1  
Reply Mon 26 Sep, 2011 09:29 pm
@BillRM,
Yes Overkill. You are completely exaggerating the risk.

The security of financial transactions doesn't come from account numbers and passwords. It comes from audit trails. Every time money is taken from your account, there are electronic records that leave a trail. This trail will allow your bank or financial institution to get their money back.

Notice I said "their" money. When you report money stolen, any modern bank or financial institution from your local savings bank to eTrade will put the money back in your account after a short investigation.

People are not only comfortable carrying little plastic cards with important banking information in their wallets, they pass them to wait staff and gas station attendants without a care in the world. Modern Americans even send little pieces of paper with our account numbers and our signatures (the only things needed to withdraw money from our bank accounts) to strangers to buy things or pay bills. The reason this is okay is because when someone uses this information incorrectly it can be easily tracked. There is some fraud, but the amount of successful fraud is so low that we keep doing it without much thought.

You should be careful with your passwords. But there really isn't major risk here.
BillRM
 
  1  
Reply Mon 26 Sep, 2011 09:38 pm
@maxdancona,
Lord, there has been more than one case where the bank could not get the money back after it left the country and the account holder ended up eating the loss.

You are living in a fool's paradise indeed.

Good luck.............
trying2learn
 
  1  
Reply Mon 26 Sep, 2011 09:40 pm
@BillRM,
BillRM wrote:
One wonders if you carry a piece of paper around with you or keep it at home with all your passwords written on it or use one password for all your banking/credit card/etc sites or..............

No, I don't write my passwords on a piece of paper. No, I don't use the same passwords for any accounts. I have my passwords in my head, at least the ones that count Laughing

BillRM wrote:
Oh, good luck with the idea, at least as far as the Windows OS is concerned, that no information is to be found on your hard drive.

I have a pc with no personal info on it and my main computer is a mac.
maxdancona
 
  1  
Reply Mon 26 Sep, 2011 09:50 pm
@BillRM,
More than one?

Find me two stories where people doing normal banking lost money because someone found out their account numbers and passwords.
0 Replies
 
BillRM
 
  1  
Reply Mon 26 Sep, 2011 09:55 pm
@trying2learn,
Yes this was businesses instead of a consumer and banks even for some very large sums might eat the loss or need to eat the loss but I would not count on it.

Seems far better to stop the whole matter by using truecrypt in the first place.

Second, most of the funds I control are not in banks but under the control of investment firms that do not work under the same set of laws concerning consumer protections.

http://krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/

A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000.

Karen McCarthy, owner of Merrick, N.Y. based Little & King LLC, a small promotions company, discovered on Monday, Feb. 15 that her firm’s bank account had been emptied the previous Friday. McCarthy said she immediately called her bank – Cherry Hill, N.J. based TD Bank – and learned that between Feb. 10 and Feb. 12, unknown thieves had made five wire transfers out of the account to two individuals and two companies with whom the McCarthys had never had any prior business.

“She was told to go to the branch next day, and she did, and the people at the branch were very nice, apologetic, and said, ‘Whatever happened, we’ll replace it,’” Karen McCarthy’s husband Craig said. “She called them up on Wednesday, and they gave her the runaround. Then she finally got to talk to someone and they said ‘We don’t see the error on our side.’”

Immediately before the fraud occurred, Mrs. McCarthy found that her Windows PC would no longer boot, and that the computer complained it could not find vital operating system files. “She was using it one day and then this blue screen of death just came on her screen,” said a longtime friend who was helping McCarthy triage her computer.

Later, McCarthy’s friend would confirm that her system had been infected with the ZeuS Trojan, a potent family of malware that steals passwords and lets cyber thieves control the infected host from afar. ZeuS also includes a feature called “kill operating system,” which criminals have used in prior bank heists to effectively keep the victim offline and buy themselves time to make off with the cash.

Karen McCarthy said TDBank has dug in its heels and is now saying it has no responsibility for the loss.

“They feel that because [the thieves] compromised my computer that it’s my responsibility and that I should look into my insurance, but I don’t have insurance,” McCarthy said. “I had a company that was interested in purchasing us, but they’re not going to do that now. I’m basically looking at bankruptcy, because I have very little money to operate on now.”

Krebsonsecurity spoke briefly with John G. McCluskey, vice president of TDBank’s corporate security and investigations. McCluskey referred all questions about the incident to the bank’s marketing department, which hasn’t returned calls seeking additional information and comment.


As Mrs. McCarthy found out the hard way, businesses do not enjoy the same protections that consumers have against online banking fraud. Most banks will work with commercial customers to try and reverse any fraudulent transfers, but the chances of that succeeding diminish rapidly after the first 24 hours following unauthorized activity. What’s more, banks are under no obligation to reimburse commercial customers victimized by cyber fraud.

McCarthy said she never would have done online banking for her business if she had understood how precarious it was for her business.

“I go to the bank and I see everywhere signs that your money is insured up to $250,000, but maybe they should have a little asterisk next to that saying ‘except for businesses,’” she said. “If I had understood that, I wouldn’t have been banking online.”

McCarthy said a $41,240 wire was sent to a company in New York called Asbury PHH; two wires totaling nearly $80,000 were sent to a man in North Carolina; and a $28,640 wire was sent to a Kimto LLC in California. Efforts to track down any individuals tied to those entities were unsuccessful.

The fifth wire was sent to a 59-year-old Kennesaw, Ga. resident named Pamela Biagi, who said she got the money after signing up for a work-at-home job over the Internet. Biagi said her employer called itself Adams Interiors, and used the Web site name interiors-a.com (that site is no longer online).

As it happened, that Web site essentially hijacked the good reputation of an interior design firm in Brooklyn, N.Y., claiming it was one and the same and pointing to the firm’s stellar reputation with the Better Business Bureau. Biagi said this was part of the reason she felt good about accepting the job offer.

“I did an online and phone interview with them. They wanted to hire me to be a financial agent, and to help their subcontractors who were going around the country doing interior design work,” Biagi said.

Then, on Feb. 12, she received a wire transfer of $14,875 with instructions to wire the money to another individual in Georgia. Suspecting fraud, Biagi’s bank promptly froze her account.

“The guy I was supposed to send the money to kept calling me…he was real nervous and kept asking me if I’d sent the money,” Biagi recalled in a phone conversation with krebsonsecurity.com. “I told him, ‘No, I’m sitting here with police officers and people from the bank because of all this.’”

When confronted with the news of where the money had come from, Biagi said she was “horrified.”

“This has been an absolutely horrible experience for me, and I feel terrible for [Little & King],” she said. “I’m really glad they stopped it when they did. To think that I have been participating in something so horrendous like this is awful. It’s a black mark on my soul.”


 
