January 7, 2008

Securing Linux laptops

Author: Rick Cook

Laptops and notebooks are being stolen at an ever-increasing rate. In 2004, Safeware Insurance, which sells computer insurance, estimated that 600,000 laptops and notebooks a year were being stolen. In 2006 an estimated 750,000 were swiped, according to Absolute Software, a company that makes computer tracking products -- and does not support Linux. LoJack for Laptops, another computer tracing product -- which also does not support Linux -- cites FBI statistics showing 2 million laptop and notebook computers stolen in the US in a recent year. While the figures don't agree in detail, they all show that laptop and notebook theft is a major problem -- and if you're not careful, your Linux laptop might be next.

While you can find dozens of products to secure Windows laptops, security products for Linux laptops are scarcer -- but they do exist. We found a range of products and fixes, from security patches for the operating system to encryption to the equivalent of bicycle locks for computers, that can help keep your Linux laptop or notebook safe.

Before we get to how to protect yourself, you need to accept a depressing statistic. According to the FBI, 97% of stolen computers are never recovered. While you can do things to better your odds (see the sidebar) you pretty much have to accept the fact that when your notebook disappears, it's gone and so is everything that was on it.

There are three problems with having a computer stolen: the loss of the machine, the loss of the information on it, and the possible security breach if that information includes sensitive information or client data. Each of those problems requires a different approach.

Insurance

The economic loss is the easiest to deal with. Insure your system.

If you have homeowners' or renters' insurance, you may already be covered. If not, you can usually get a policy rider to cover your computers, including your laptop. This is usually the cheapest way to do it, but you may not like the terms and conditions. For example, there is likely to be a hefty deductible.

You can also insure through a specialist company like Safeware. Such policies are usually more expensive than a rider on your homeowner's policy, but they tend to be more flexible. For example, most specialist companies will allow you to insure your laptop for enough to completely cover replacement.

Be sure you understand just what you are getting. You need to make sure your computer is covered when you're away from home. Also, make sure you're covered for the current replacement value of your machine rather than something like the cash value, which is typically much lower.

The cost will depend on the value of your computer. Some homeowners' policies automatically include several thousand dollars in computer coverage for free. A rider or a special policy will probably cost in the neighborhood of $100 to $200 a year.

Protecting your work

If you're doing important work on your system, you want to get your data back even if you never see the computer again. One way to do that is to make frequent backups of your critical files to a device that isn't left connected to the computer. This can be an external hard drive or, more conveniently, a USB thumb drive. Keep in mind that an unencrypted backup on a thumb drive is just another copy of your sensitive data, so either encrypt the backup or treat the drive with the same care as the laptop.

Another approach is to do your non-confidential work on Web applications such as the Google Docs word processor. Google then stores the information no matter what happens to your computer. (Of course this assumes you've properly secured your computer against Wi-Fi threats and such -- but if you haven't, you've got bigger problems.)

And of course you can just email your work to yourself at frequent intervals. If you want more security you can encrypt the emails before sending them.
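The backup routine described above, as an added example that is not part of the original article. It archives a directory to a removable device, refuses to run unless that device is actually mounted (so a forgotten USB stick does not silently leave you without a backup), checksums the result, and optionally encrypts the archive to a GnuPG key so the stick is not a plaintext copy of your data. The mount point, source directory and GnuPG recipient are assumptions; change them to suit.

```shell
#!/bin/sh
# Added example, not from the article: back up critical files to a removable
# device that is only plugged in for the backup. Paths and the GnuPG recipient
# are assumptions.
set -u

BACKUP_MOUNT="${BACKUP_MOUNT:-/media/backup}"   # assumed mount point of the USB stick
SOURCE_DIR="${SOURCE_DIR:-$HOME/work}"          # assumed directory holding the critical files
GPG_RECIPIENT="${GPG_RECIPIENT:-}"              # optional: GnuPG key ID to encrypt the archive to

# Succeed only if $1 is the root of a mounted filesystem, i.e. the stick is present.
# NO_MOUNT_CHECK=1 skips the check so the functions can be exercised on a plain directory.
device_is_mounted() {
    [ -n "${NO_MOUNT_CHECK:-}" ] && return 0
    mountpoint -q "$1"
}

# backup_critical SRC DST: write DST/backup-<stamp>.tar.gz (or .tar.gz.gpg when
# GPG_RECIPIENT is set) plus a SHA-256 checksum file. Prints the archive path.
backup_critical() {
    src="$1"; dst="$2"
    if ! device_is_mounted "$dst"; then
        echo "refusing to back up: $dst is not a mounted backup device" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dst/backup-$stamp.tar.gz"
    tar -C "$src" -czf "$archive" . || return 1
    if [ -n "$GPG_RECIPIENT" ]; then
        # the stick is just another copy of your data unless that copy is encrypted
        gpg --batch --yes --recipient "$GPG_RECIPIENT" --encrypt --output "$archive.gpg" "$archive" || return 1
        rm -f "$archive"
        archive="$archive.gpg"
    fi
    # checksum the final artifact so a corrupted or altered archive is noticed on restore
    ( cd "$dst" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" ) || return 1
    echo "$archive"
}

# verify_backup ARCHIVE: check the archive against the checksum written beside it.
verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null )
}

# Run directly as "backup.sh run" to back up SOURCE_DIR onto BACKUP_MOUNT.
if [ "${1:-}" = "run" ]; then
    backup_critical "$SOURCE_DIR" "$BACKUP_MOUNT" && echo "backup written"
fi
```

Run it from cron or by hand whenever the stick is plugged in; the mount check is what turns "I forgot the stick" into an error message rather than a quiet no-op.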

Encrypt your disk

Encrypting your disk doesn't prevent someone from stealing your laptop, but it does stop anyone without the key from reading the information on it. The caveat is that this protects data at rest: a laptop stolen while it is running or merely suspended, with the encrypted volume already unlocked, is as exposed as an unencrypted one, so shut the machine down (don't just close the lid) before leaving it anywhere it might be taken.

The actual risk that a thief will try to get at the information on your computer is pretty small. Although there are hundreds of thousands of laptops stolen each year, there are few cases reported in the news where the information on them was used by the bad guys. Mostly laptop thieves want to resell the hardware as quickly as possible and don't care about the information.

Encrypting your disk is easy and cheap enough that there's no reason to risk misuse of your data, even with a purely personal machine, where you may store passwords, credit card numbers and other personal information. Of course in the business case you have to be able to prove that thieves can't get at the data. If you can't definitely prove it, you're probably in trouble. If the stolen laptop has customer information, such as Social Security numbers, on it, your whole company has a problem and you may show up in the news.

Encryption alternatives

When it comes to disk encryption there are two approaches. One is to encrypt only part of the information on the disk. The other is to encrypt everything.

While you can encrypt files or directories individually, you're much more secure if you encrypt the entire disk. If the operating system itself is unencrypted, the attack surface is enormously larger. Plaintext leaks into places you don't think of, such as the print spool, swap, and temporary files, and an attacker who can alter the unencrypted system can tamper with the very tools that do the encrypting and capture your passphrase the next time you type it.

One common method of full disk encryption lets the computer begin to boot from the disk and then prompts for a user name and password to complete the boot. This is convenient, which is why it's common, but it involves a certain amount of exposure, since the boot code that asks for the password sits unencrypted on the same disk.

An alternative method, using a USB flash drive, is described in our disk encryption HOWTO. It puts GRUB, a minimal kernel, and an initrd on the USB flash drive. That setup has just enough brains to ask for a password, set up the encryption mechanism, and mount the encrypted disk; after mounting it, the system resumes the boot process from the encrypted disk.

The most common way to set up an encrypted Linux system is to establish a small unencrypted partition to handle booting and encrypt everything else on the disk. This is more secure than file-level encryption, but it still exposes the boot partition (bootloader, kernel, and initrd) to crackers who get physical access. How much of a problem that presents is somewhat controversial. Some people think the added risk is negligible or non-existent, while others believe it poses a significant additional risk beyond true full disk encryption.

If you want stronger protection than that, you can use a setup that requires a separate physical key before the system can even start booting, as in the USB flash drive method above.

A number of tools handle the encryption itself, at either the block or the file level. dm-crypt, for example, uses the device-mapper built into the Linux 2.6 kernel as a basis for block-level encryption. Device-mapper creates virtual block devices on top of physical block devices such as disks or partitions, and dm-crypt uses that ability to encrypt just about any block device you want encrypted: a whole disk, a single partition, or a file mounted through a loop device.

dm-crypt lets you pick the cipher from among several symmetric ciphers, as well as the key length, and then creates a device under /dev/mapper. Writes to the new device are automatically encrypted and reads automatically decrypted. The usual front end is cryptsetup; its LUKS format stores the cipher parameters and several independently password-protected key slots in a header on the device, so you can have both a passphrase and a key file on a USB stick, and change either one without re-encrypting the disk.

TrueCrypt creates encrypted volumes, whether whole devices or container files, and encrypts and decrypts them on the fly without user intervention. Versions of TrueCrypt earlier than v4.1 share a weakness with dm-crypt on older 2.6 kernels: both used CBC mode with predictable per-sector IVs, which lets an attacker tell whether specially crafted files are present on the disk even without the key. (TrueCrypt's developers abandoned it in 2014; VeraCrypt continues the code base.)

Of course, encryption implies keys, and those in turn imply key management. You need to be able to get into your system even if you lose or forget a key, which means a second passphrase or key file set up in advance, and a backup of the encryption header stored somewhere other than the laptop, since without the header no key at all can unlock the data. Needless to say, you don't keep the spare key with your computer. One common practice is to put a memory stick containing the key on your (physical) key chain. If you use a disk to hold your key, you can keep it in your pocket or purse. Don't put it in your laptop case, and always take it with you if you leave your machine.
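The dm-crypt setup and the key-management advice above, as one added example that is not the article's code or its HOWTO: it formats a data partition with cryptsetup/LUKS, opens and mounts it, adds a second key slot backed by a key file on a USB stick, and saves a copy of the LUKS header alongside it. The device name, mapper name and key-file paths are assumptions, and the safety check at the top refuses to format anything that is currently mounted, because luksFormat on a live filesystem destroys it.

```shell
#!/bin/sh
# Added example, not code from the article or its HOWTO: set up a dm-crypt/LUKS
# volume with cryptsetup, add a second key held on a USB stick, and back up the
# LUKS header. Device name, mapper name and key-file paths are assumptions.
# Everything except refuse_if_mounted must run as root and WILL DESTROY the
# data on $DEVICE.
set -u

DEVICE="${DEVICE:-/dev/sda2}"                   # assumed: partition to encrypt (not the small /boot partition)
NAME="${NAME:-cryptdata}"                       # the mapped device appears as /dev/mapper/$NAME
KEYFILE="${KEYFILE:-/media/usbkey/laptop.key}"  # assumed: key file on a USB stick you carry separately
HEADER_BACKUP="${HEADER_BACKUP:-/media/usbkey/luks-header.img}"
MOUNTPOINT="/mnt/$NAME"

# Safety check: refuse to touch a device that is currently mounted. Reads
# /proc/mounts, so it works without root and can be tested on its own.
refuse_if_mounted() {
    dev="$1"
    if awk -v d="$dev" '$1 == d || $2 == d { found = 1 } END { exit !found }' /proc/mounts; then
        echo "refusing: $dev is mounted" >&2
        return 1
    fi
    return 0
}

# Format the device as LUKS, open it, create a filesystem and mount it.
# AES-XTS with a 512-bit key (two 256-bit halves) is current practice; the
# 2.6-era setups the article describes used CBC with ESSIV instead.
setup_encrypted_volume() {
    refuse_if_mounted "$DEVICE" || return 1
    cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha256 "$DEVICE" || return 1
    cryptsetup luksOpen "$DEVICE" "$NAME" || return 1          # prompts for the passphrase just set
    mkfs.ext4 "/dev/mapper/$NAME" || return 1
    mkdir -p "$MOUNTPOINT" && mount "/dev/mapper/$NAME" "$MOUNTPOINT"
}

# Key management: a second key slot so a forgotten passphrase is not fatal, and
# a copy of the LUKS header, without which no key at all can unlock the data.
add_recovery_key_and_header_backup() {
    if [ ! -f "$KEYFILE" ]; then
        dd if=/dev/urandom of="$KEYFILE" bs=512 count=4 || return 1
        chmod 0400 "$KEYFILE"
    fi
    cryptsetup luksAddKey "$DEVICE" "$KEYFILE" || return 1     # prompts for an existing passphrase
    cryptsetup luksHeaderBackup "$DEVICE" --header-backup-file "$HEADER_BACKUP" || return 1
    cryptsetup luksDump "$DEVICE" | grep -i slot              # confirm that two slots are now in use
}

# Day to day: unlock with the key file on the USB stick instead of typing the passphrase.
open_with_keyfile() {
    cryptsetup luksOpen --key-file "$KEYFILE" "$DEVICE" "$NAME" && mount "/dev/mapper/$NAME" "$MOUNTPOINT"
}

close_volume() {
    umount "$MOUNTPOINT" && cryptsetup luksClose "$NAME"
}

case "${1:-}" in
    setup) setup_encrypted_volume && add_recovery_key_and_header_backup ;;
    open)  open_with_keyfile ;;
    close) close_volume ;;
esac
```

Run it as `setup` once, then `open` and `close` day to day. Keep the USB stick with the key file and header backup on your key ring, never in the laptop bag: anyone holding both the laptop and that stick has everything.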

Find your stolen system

If your system is stolen, you may be able to find it again if the thief connects to the Internet. There are a couple of products for Windows that do this, but none for Linux.

However, you can set up your own tracking system using a dynamic DNS provider, such as DynDNS, and a client on the laptop that keeps the provider's record pointed at the computer's current public IP address. The client has to run automatically whenever the network comes up, without anyone logging in, or it will never report from the thief's network. If your computer is stolen, look up your hostname with host or dig (or just ping it). If you find it online, you can use traceroute or something similar to find the gateway your computer is using, and the whois record for the address will tell you which ISP it belongs to. Then you can contact the police and the thief's ISP to get your computer back; an ISP will normally release a subscriber's identity only to law enforcement, so go through the police rather than approaching the ISP yourself.

(Of course this technique is not foolproof. If the thief reformats the hard disk, you're out of luck. Unfortunately a lot of thieves, or their fences, do reformat disks as a matter of course, and a fully encrypted machine will be reformatted by anyone who can't get past the password prompt, so encryption and tracking work against each other here. Still, this system is simple enough to implement and can work against an unsophisticated crook.)
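The tracking client sketched above, as an added example that is not part of the original article. It discovers the laptop's public address through an IP echo service, sends it to a dyndns2-style update URL (the protocol DynDNS uses) only when the address has changed, and interprets the reply so that an authentication or abuse error stops the client instead of letting it retry forever. The hostname, account, update URL and echo service are assumptions; put the real credentials in a root-only file rather than in the script, since the thief has the disk.

```shell
#!/bin/sh
# Added example, not from the article: a small dynamic-DNS tracking client.
# Hostname, credentials and URLs are assumptions. Needs curl and network
# access for update_ddns; the parsing and state functions run offline.
set -u

DDNS_HOST="${DDNS_HOST:-mylaptop.dyndns.org}"       # assumed: hostname you registered
DDNS_USER="${DDNS_USER:-username}"                  # assumed: credentials (load from a 0600 file in real use)
DDNS_PASS="${DDNS_PASS:-password}"
DDNS_UPDATE_URL="${DDNS_UPDATE_URL:-https://members.dyndns.org/nic/update}"
IP_ECHO_URL="${IP_ECHO_URL:-http://checkip.dyndns.com/}"   # assumed: any service that echoes your public IP
STATE_FILE="${STATE_FILE:-/var/lib/ddns-track/last-ip}"    # assumed: where the last reported IP is kept

# Pull the first dotted quad out of whatever the IP echo service returned.
extract_ipv4() {
    printf '%s\n' "$1" | grep -o '[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}' | head -n 1
}

# ip_changed IP STATEFILE: succeed only if IP differs from the last one recorded.
ip_changed() {
    [ -f "$2" ] && [ "$(cat "$2")" = "$1" ] && return 1
    return 0
}

# record_ip IP STATEFILE: remember the IP that was successfully reported.
record_ip() {
    mkdir -p "$(dirname "$2")" && printf '%s\n' "$1" > "$2"
}

# Interpret a dyndns2 reply: "good <ip>" and "nochg <ip>" mean the record is
# right; the other codes are errors, and retrying after badauth or abuse gets
# the account blocked. Prints a description and returns 0 / 1 (retry) / 2 (stop).
classify_reply() {
    case "$1" in
        good*)          echo "updated";                          return 0 ;;
        nochg*)         echo "unchanged";                        return 0 ;;
        badauth)        echo "bad credentials: stop";            return 2 ;;
        nohost|notfqdn) echo "hostname not registered: stop";    return 2 ;;
        abuse)          echo "blocked for abuse: stop retrying"; return 2 ;;
        911|dnserr)     echo "server problem, retry later";      return 1 ;;
        *)              echo "unknown reply: $1";                return 1 ;;
    esac
}

# Discover, compare, update, and record the IP only once the server accepted it.
update_ddns() {
    ip=$(extract_ipv4 "$(curl -fsS "$IP_ECHO_URL")") || return 1
    [ -n "$ip" ] || { echo "could not determine public IP" >&2; return 1; }
    if ! ip_changed "$ip" "$STATE_FILE"; then
        return 0    # nothing to do; do not hammer the update server
    fi
    reply=$(curl -fsS -u "$DDNS_USER:$DDNS_PASS" \
        "$DDNS_UPDATE_URL?hostname=$DDNS_HOST&myip=$ip") || return 1
    if classify_reply "$reply"; then
        record_ip "$ip" "$STATE_FILE"
    else
        return 1
    fi
}

# Run from root's cron, e.g. "*/10 * * * * /usr/local/bin/ddns-track.sh run",
# so it reports without anyone logging in.
if [ "${1:-}" = "run" ]; then
    update_ddns
fi
```

Because the script only sends an update when the address changes, it stays well under any provider's abuse threshold while still reporting within minutes of the laptop joining a new network.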

Compliance policy issues

Increasingly, security is about compliance with various laws and regulations. HIPAA, Sarbanes-Oxley, and a host of others mandate that data be protected. More than that, most of these mandates require that companies be able to prove the data is protected.

Where this gets sticky for Linux is that to meet those requirements, many companies mandate that only approved products be used for security. Since the approved lists are typically Windows-centric, it can be hard for Linux users to get products for their laptops approved.

There are two ways for Linux users to deal with the situation. Either check and see if your company's chosen security products come in a Linux version or get your security people to agree to let you use a Linux product.

A surprising number of security companies do offer Linux versions of their products, more than Linux's share of the laptop market actually warrants. For instance, Check Point Software Technologies specializes in data protection with an emphasis on big enterprises, and most of its business is focused solidly on Windows. Yet Check Point's full disk encryption software also supports Linux. The reason, ironically, is that Check Point aims its business at large enterprises, in which a certain number of non-Windows laptops, running, say, Linux, need to be protected.

Alternatively, you can try to convince the IT security people that there are products available for Linux that offer equivalent levels of security, but this can be a long, hard slog.

And finally

Keep in mind that most of these methods are not foolproof. If a thief has your computer, technical knowledge, and persistence, it is hard to keep the information secure. But few thieves have the knowledge, equipment, or interest to break into a well-protected system.

The only truly foolproof security method is to not have sensitive data on your laptop or notebook in the first place.

How much protection is enough? Ultimately you have to decide.

Categories:

  • Wireless & Mobile
  • Security