A few weeks ago, USyd’s Disability Services sent out an email informing students that a laptop containing sensitive data had been lost in transit. The email contained the ominous sentence, “While the computer is password protected, the University is concerned that this does not absolutely guarantee the security of the information.” As a programmer with some basic knowledge of security, I know that in security reporting, “computer was password protected” is usually code for “we didn’t even encrypt the drive”.
While most people think of password protection as a padlock, to anyone with even the slightest idea what they’re doing, it’s really more of a “do not enter” sign. It tells you you shouldn’t be there, but does bugger all to stop you.
While Disability Services have not confirmed that the laptop was unencrypted – when I asked them they dodged the question – it seems unlikely that it was encrypted, or else they would have mentioned it in their release. In fact, if an encrypted laptop was lost in transit, I doubt they would have reported it, because a correctly encrypted drive with a secure passphrase is damn near impossible to get into. But what is encryption?
On a normal computer, the password is just a lock screen on the operating system that won’t disappear until you enter the password. If you can circumvent the OS, for example by booting off a USB or mounting the hard drive as an external drive in another computer, you can access everything on the drive.
Encryption is different. When you encrypt a drive, you use a passphrase to scramble the drive on a bit-by-bit level. If you try to look at an encrypted drive, it just looks like unreadable nonsense until you decrypt it.
Last semester, USyd ran a course on practical security and penetration testing for the first time. The premise of the course was to learn the techniques hackers use, with a view to protecting systems against them – it’s common knowledge within the security community that the best way to stop a hacker is to think like one.
A class full of total n00bs went from knowing nothing about Windows to having system32 access (highest level of access) in about 20 minutes. Now that I know the trick, I could do it to any unencrypted Windows computer in about five. It was the easiest attack we learnt – we won’t publish it here, but anyone who wanted to could find it with a quick Google search.
If Disability Services did have unencrypted drives, as their email implied, they’d be far from the only ones to make this mistake. Overestimating the powers of password protection is an all-too-common mistake in cybersecurity.