RE: password protect encrypted directory

From: Ted Yavuzkurt (element0_at_phreaker.net)
Date: 08/23/04

  • Next message: Edwin Rene: "User Activity Monitoring" 
    To: <security-basics@securityfocus.com>
Date: Mon, 23 Aug 2004 15:30:25 -0400

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I use PGP Disk to encrypt data - it works wonders.

    With PGP the directory will appear to be empty unless you mount it.
    It also auto unmounts volumes after a specified period of time. What
    I've found to be especially handy with PGP disks is the way you can
    create a sort of "panic button" that will forcibly unmount the disk
    even if it has files open.

    One thing you have to watch out for though is opening the files on
    the PGP disk. Some programs may create cached versions of documents
    that will persist after the disk is unmounted.

    As far as NTFS security goes, encrypted files remain encrypted unless
    you know the original password they were encrypted with...however
    cracking those passwords is often not terribly difficult and the
    encryption is weak and prone to the previously mentioned
    vulnerabilities.

    Good luck.

    - -Ted
    - - -----Original Message-----
    From: fiber [mailto:mynameisfiber@gmail.com]
    Sent: Thursday, August 19, 2004 11:32 AM
    To: security-basics@securityfocus.com
    Subject: Re: password protect encrypted directory

    i think the best option out of all of the suggested was Thomas
    Evans'.

    using NTFS security is like wrapping it in paper and hoping no one
    sees it: when you start up with a boot disk there is no NEED to crack
    the admin password, all the things that keep the security system in
    tact are not on and you can browse the hard drive free.

    with PGP you can ensure that even if everything is STOLEN it will not
    be read (assuming you keep good passphrase's and treat it as sacredly
    as a password).

    hope this helps!

    - - -fiber

    On Mon, 16 Aug 2004 23:22:39 +0200, Hugo Deckx <hugo.deckx@skynet.be>
    wrote:
    > All,
    >
    > The best product I found so far to protect folders but also files
    > (based on
    > extension) is called C4-Polytrust
    > More info at http://www.polytrust.com and http://www.safeboot.com/
    >
    > SC Award Best Encryption Solution 2004
    >
    > Rgs,
    > Hugo Deckx
    > Corporate IT Security & Computer Forensic Manager Belgacom nv
    > Belgium Telecom Operator mailto:hugo.deckx@belgacom.be Phone
    > +3222024914
    >
    >
    >
    >
    > -----Original Message-----
    > From: Thomas T. Evans, III [mailto:ttevans@hawkcorp.net]
    > Sent: 16 August 2004 15:01
    > To: 'Dana Rawson'; security-basics@securityfocus.com
    > Subject: RE: password protect encrypted directory
    >
    > Dana:
    >
    > Depending on how far you want to go, PGP will allow you to create a
    > mountable volume that is encrypted and needs a password to view.
    > The volume is not visible unless mounted, if I recall correctly.
    > That should be pretty secure.
    >
    > Thomas T. Evans, III CCNA
    > Senior Network Manager
    > Hawk Corporation
    > ttevans@hawkcorp.net
    > 216-267-7787 Ext. 500
    > Cell: 440-669-2526
    > Fax: 917-464-7241
    > President, MFG/Pro Midwest User Group
    >
    > "The difference between genius and stupidity is that genius has
    > limits" --Albert Einstein
    >
    >
    > -----Original Message-----
    > From: Dana Rawson [mailto:absolutezero273c@nzoomail.com]
    > Sent: Thursday, August 12, 2004 12:38 PM
    > To: security-basics@securityfocus.com
    > Subject: password protect encrypted directory
    >
    > G'Day, all.
    >
    > Hope this isn't too basic of an issue but I wanted to ask for your
    > direction if possible.
    >
    > Preface: I have directory which contains sensitive data on a w2k/xp
    > laptop. I have the directory and files residing within encrypted.
    >
    > Issue: I would like to password protect this directory so even the
    > user who is logged into this profile is prompted for a password
    > prior to gaining access to this data.
    >
    > Desired outcome: By accomplishing this (if possible) I wish to deny
    > access to this data via remote entry/being hacked, and also
    > protect the data should the laptop be stolen, or someone walks
    > away from their computer without locking it (i.e. ctrl-alt-del)
    > leaving it wide open for someone to sit down and start playing.
    >
    > Is this something that can be accomplished? Is there commercial or
    > opensource software available?
    >
    > I have found software on the web that states it can password
    > protect a directory, but with out installing and testing all of
    > them how can I know if it most secure? Has anyone tested or
    > reviewed this type of software?
    >
    > Is anyone familiar with this that might make a recommendation?
    >
    > Thanks again in advance for your time.
    >
    > Regards,
    >
    > Dana
    >
    > --------------------------------------------------------------------
    > -- ----- Ethical Hacking at the InfoSec Institute. Mention this ad
    > and get $545 off any course! All of our class sizes are
    > guaranteed to be 10 students or less to facilitate one-on-one
    > interaction with one of our expert instructors.
    > Attend a course taught by an expert instructor with years of
    > in-the-field pen testing experience in our state of the art hacking
    > lab. Master the skills of an Ethical Hacker to better assess the
    > security of your organization.
    > Visit us at:
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.htm
    > l
    > --------------------------------------------------------------------
    > -- ------
    >
    > --------------------------------------------------------------------
    > -- ----- Ethical Hacking at the InfoSec Institute. Mention this ad
    > and get $545 off any course! All of our class sizes are
    > guaranteed to be 10 students or less to facilitate one-on-one
    > interaction with one of our expert instructors.
    > Attend a course taught by an expert instructor with years of
    > in-the-field pen testing experience in our state of the art hacking
    > lab. Master the skills of an Ethical Hacker to better assess the
    > security of your organization.
    > Visit us at:
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.htm
    > l
    > --------------------------------------------------------------------
    > -- ------
    >
    > --------------------------------------------------------------------
    > -- ----- Ethical Hacking at the InfoSec Institute. Mention this ad
    > and get $545 off any course! All of our class sizes are
    > guaranteed to be 10 students or less to facilitate one-on-one
    > interaction with one of our expert instructors.
    > Attend a course taught by an expert instructor with years of
    > in-the-field pen testing experience in our state of the art hacking
    > lab. Master the skills of an Ethical Hacker to better assess the
    > security of your organization. Visit us at:
    > http://www.infosecinstitute.com/courses/ethical_hacking_training.htm
    > l
    > --------------------------------------------------------------------
    > -- ------
    >
    >

    - -
    - ----------------------------------------------------------------------
    - - -----
    Computer Forensics Training at the InfoSec Institute. All of our
    class sizes are guaranteed to be 12 students or less to facilitate
    one-on-one interaction with one of our expert instructors. Gain the
    in-demand skills of a certified computer examiner, learn to recover
    trace data left behind by fraud, theft, and cybercrime perpetrators.
    Discover the source of computer crime and abuse so that it never
    happens again.

    http://www.securityfocus.com/sponsor/InfoSecInstitute_security-basics_
    040817
    - -
    - ----------------------------------------------------------------------
    - - ------

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.3

    iQA/AwUBQSpFlp2pO7IuQU1ZEQKv7ACgoKSsfs7ncxmwGOV4dGyYVL7uVIIAnin0
    Z0Kg4Ps5BdvY8XJwHgX1USRR
    =SfYn
    -----END PGP SIGNATURE-----

    ---------------------------------------------------------------------------
    Computer Forensics Training at the InfoSec Institute. All of our class sizes
    are guaranteed to be 12 students or less to facilitate one-on-one
    interaction with one of our expert instructors. Gain the in-demand skills of
    a certified computer examiner, learn to recover trace data left behind by
    fraud, theft, and cybercrime perpetrators. Discover the source of computer
    crime and abuse so that it never happens again.

    http://www.infosecinstitute.com/courses/computer_forensics_training.html
    ----------------------------------------------------------------------------

  • Next message: Edwin Rene: "User Activity Monitoring"