What is important to you ?



What are you trying to protect or prevent ?

  1. Prevent your device from being stolen.

    Solution: physical security (locks, cables, lock-box, etc) or hide it.

  2. Prevent your device from being damaged.

    Most likely threats:
    • Device gets dropped.
    • Spill water or soda on device.
    • Spike or surge through power line.
    • Snag a cable plugged into the device and damage connector.
    • Overheating.


  3. Prevent a thief from reading your data: encryption. (protecting "data at rest")

    See Data Encryption section.

  4. Avoid losing your data: backups.

    See my Backups page.

  5. Avoid post-theft losses.

    If your device contains account and password info, identity info, info about your family and friends, then after a theft you'd have to take steps to avoid further damage. You'd have to change passwords, put out monitoring or alerts to prevent identity theft, contact other people at risk, etc. What else is on the stolen device ? Apps with registration codes or passwords stored in them, email in-box with account and password data, bookmarks ditto, cookies, any data files you use to record accounts and passwords, any BAT or CMD files with account/password in them.

    Perhaps now, before any theft, you should evaluate your device. Does it contain sensitive data that really doesn't need to be on there ? Or should that data be encrypted ? Does the browser contain cookies that will give instant access to your email and Facebook accounts ?

    [Same with your wallet or purse. Does it contain sensitive data or cards that really don't need to be in there ?]

    After a phone or smart-phone is stolen, if you don't want to try theft-recovery, immediately report the theft to your carrier, to avoid huge call charges. Do it immediately; you are liable for calls made until the time you report the theft, and some gangs will make thousands of dollars of calls as quickly as they can after stealing the phone. Double-check with your carrier to make sure they received and recorded the report of the theft; probably a good idea to call them again and confirm it (article). Maybe report it online, and then call to confirm ? Ask them to send an email confirmation to you. A handset PIN doesn't protect you if the thief moves the SIM to another device.

    After your phone is stolen, the thieves might send a phishing email to you, appearing to be from Apple or your phone company and saying "good news, we found your phone, login here to get it back". Don't give any login information; the thieves will use it to steal your account and re-activate your phone.

  6. Get your device back.

    Solutions: etch your contact info onto the case of the device, inside and outside. Use the theft-recovery software listed on this web page. Keep a record of make, model, color, and serial numbers. Probably a good idea to have digital pictures of the device, front and back, to give to police.

    Display your contact info on the lock screen or login screen or physical label, so if a Good Samaritan finds your device, they can return it to you.

    After a theft, report the theft to police, and report the theft to the manufacturer or carrier (they'll probably require a copy of the police report). Put up fliers in the area where it was stolen, offering a reward for return ? Look for it on Craigslist or eBay, maybe in the section for your local area.

Also: the "devices" you need to protect include your computers, tablets, phones and any backup media (external disks, tapes, flash drives, hard copies).





Data Encryption



This is encryption of "data at rest". It protects the data while the device is turned off or the encrypted volume is closed/unmounted. A thief or rogue application can't read the data because they don't have the key.



Data Encryption solutions

  • Completely-Full-Disk-Encryption (FDE).

    The whole disk from block 0 to block N-1 is encrypted.

    Either via hardware (built into SATA controller or the drive controller) or software (e.g. BitLocker, VeraCrypt, LUKS).

  • Almost-Full-Disk-Encryption (FDE).

    The partition table and boot partition and maybe swap partition are NOT encrypted, but every other partition is encrypted.

    There might be only one LUKS-encrypted LVM physical partition, with multiple LVM logical partitions (/, /home) inside it. Or there might be only one LUKS-encrypted Btrfs physical partition, with multiple Btrfs sub-volumes (@/, @home) inside it.

    Via software (e.g. BitLocker, VeraCrypt, LVM+LUKS).
    random blog's "Boot drive encryption security on Windows"

  • Encrypted partition (e.g. BitLocker, VeraCrypt, LUKS) that decrypts to give a filesystem (ext4, Btrfs, etc).

  • Encrypted container / virtual disk (e.g. VeraCrypt, LUKS) that decrypts to give a filesystem (ext4, Btrfs, etc).

  • Encrypted directory / folder (e.g. fscrypt) with an API connecting to the surrounding filesystem (ext4, F2FS).

  • Encrypted archive (e.g. ZIP or RAR) with an application that copies files in/out.

  • Encrypted file of any type (e.g. encrypted with PGP, AxCrypt, ccrypt, age).

  • Encrypted app-specific file (e.g. NotepadCrypt, password manager database, encrypted PDF, encrypted MS Office document).




Full-disk encryption (FDE)

Either via hardware (built into the hard drive) or software, such as:
VeraCrypt
FreeOTFE
DiskCryptor (Windows only)
zuluCrypt (Linux-only, but handles BitLocker, VeraCrypt, other volume types)

Wikipedia's "Comparison of disk encryption software"
Martin Brinkmann's "List of TrueCrypt encryption alternatives"
Lifehacker's "How to Encrypt and Hide Your Entire Operating System from Prying Eyes"
Micah Lee's "Encrypting Your Laptop Like You Mean It"
Chris Hoffman's "Why a Windows Password Doesn't Protect Your Data"

EFF's "What Should I Know About Encryption?"

But from /u/jm9fw on reddit:
VeraCrypt: A note for those doing full disk encryption:

I've said it here before many times but people just don't get it. I read the forums daily and constantly see people who either can't login to their OS anymore or they just lost everything. After seeing this guy yesterday who said his life was on an encrypted disk and now he can't open it, I decided to post again here. DON'T DO DISK ENCRYPTION. USE A CONTAINER. This poor guy explains what happened and it looks like Windows decided to initialize the drive because it had no standard signature. This isn't a VeraCrypt issue, it's a Windows issue and Microsoft has been denying it for more than 10 years. It happened to me twice. There is no way to recover this by restoring a header or anything. There are people here who will say "blah blah you don't know what you are talking about, I don't have a problem." Sure, so go ahead and learn the hard way and ignore the pages of similar complaints in the VeraCrypt forum. Of course the people who lost everything didn't have a backup either. It's a terrible thing to lose everything you have and I hate having to see it almost daily. Use containers.
And from /u/CharredOldOakCask on reddit:
VeraCrypt system encryption is flawed, and simply not user-friendly enough.

When windows upgrades, or the computer unexpectedly shuts down (out of power), my [VeraCrypt] boot-loader stops working, and I have to use the recovery USB. This is happening a few times a year now, across multiple computers, and every time I have no clue what the correct menu choice I should use when recovering. And the documentation I was asked to save does not reference the same menu choices which are in the recovery USB. They say similar things, but it is ambiguous which to choose. Googling to find clarity doesn't work either because the instructions there are too generic too. More like what you can do, vs how to do it. It doesn't directly reference the recovery USB menu, even when I specify version number. I'm quite tech-literate, data scientist and programmer by profession, but I'm not a security specialist, nor do I know much about how hardware and how a computer really boots. The recovery USB is full of jargon, with very similar menu options, and even how to get it to run is unclear. On top of this, booting after hibernation literally takes 20 minutes.

This simply isn't user-friendly enough. I'm going to upgrade Windows from Home to Professional and use BitLocker. Ultimately the threat vector I'm concerned about is losing my laptop, and some crook reading data off it. If some dedicated attacker (like the government or whatever) is after me, I'm screwed regardless. I'm still going to use the file-based VeraCrypt encryption for extra sensitive data, but whole-disk system encryption doesn't work for me.

Another downside of FDE using VeraCrypt:
Every time you attach the disk to Windows, File Explorer will say something like "unrecognized, want me to format this for you ?". If you ever say "yes", it's toast. If you use a container, the outside can be exFAT or NTFS, which Windows will recognize, and it never will suggest formatting it.
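
Why a VeraCrypt-encrypted disk looks "unrecognized" while a disk that merely holds a container file does not, as an added example (not from this page or from the VeraCrypt project): it classifies the first 1024 bytes of a volume by well-known on-disk signatures. The sample headers are constructed, 512-byte sectors are assumed, and the entropy threshold of 7.0 is an arbitrary choice.

```python
import math
from collections import Counter

SECTOR = 512  # assumption: 512-byte logical sectors


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram; 8.0 looks like random data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def classify(head: bytes) -> str:
    """Classify the first 1024 bytes of a disk, partition or container file."""
    if len(head) < 2 * SECTOR:
        raise ValueError("need at least the first 1024 bytes")
    if head[:6] == b"LUKS\xba\xbe":  # LUKS magic, then big-endian version
        return f"LUKS{int.from_bytes(head[6:8], 'big')} header"
    oem_id = head[3:11]  # OEM ID field of a FAT/NTFS-style boot sector
    if oem_id == b"-FVE-FS-":
        return "BitLocker volume"
    if oem_id == b"NTFS    ":
        return "NTFS filesystem"
    if oem_id == b"EXFAT   ":
        return "exFAT filesystem"
    if head[SECTOR:SECTOR + 8] == b"EFI PART":  # GPT header in LBA 1
        return "GPT partition table"
    if head[510:512] == b"\x55\xaa":
        return "MBR or FAT-style boot sector"
    # No magic bytes at all. A VeraCrypt header is salt plus ciphertext,
    # so it lands here with high entropy and the OS sees a raw disk.
    if entropy_bits_per_byte(head[:2 * SECTOR]) > 7.0:  # threshold is arbitrary
        return "no signature, high entropy"
    return "no signature, low entropy"


def classify_path(path: str) -> str:
    """Same check for a device node or container file (read-only)."""
    with open(path, "rb") as f:
        return classify(f.read(2 * SECTOR))


def sample_headers() -> dict:
    """Constructed samples, not dumps of real disks."""
    boot_tail = bytes(499) + b"\x55\xaa" + bytes(SECTOR)
    return {
        "luks2": b"LUKS\xba\xbe\x00\x02" + bytes(2 * SECTOR - 8),
        "bitlocker": b"\xeb\x58\x90-FVE-FS-" + boot_tail,
        "exfat_host": b"\xeb\x76\x90EXFAT   " + boot_tail,
        # Stand-in for ciphertext: flat byte histogram, no magic bytes.
        "veracrypt_like": bytes((i * 167 + 13) % 256 for i in range(2 * SECTOR)),
        "blank": bytes(2 * SECTOR),
    }


if __name__ == "__main__":
    for name, head in sample_headers().items():
        print(f"{name:15} -> {classify(head)}")
```

A "no signature, high entropy" result cannot distinguish an encrypted volume from random fill, which is exactly why an OS offers to initialize or format it.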



The software approach offers several alternatives and gets a bit confusing; hardware encryption may be faster and OS-independent.

But hardware encryption is not open-source, you can't verify how good/bad it is, and:
Dan Goodin's "Western Digital self-encrypting hard drives riddled with security flaws"
Joseph Cox's "Some Popular 'Self Encrypting' Hard Drives Have Really Bad Encryption"
Bill Buchanan's "Doh! What, My Encrypted Drive Can Be Unlocked By Anyone?"
Brendan Hesse's "How to Switch to Software Encryption on Your Vulnerable Solid-State Drive"

Hardware-encrypted flash drives are available, but again you can't verify the encryption, and they are probably not cheap:
FabatHome's "Best Encrypted Flash Drive"



Encrypted container / virtual disk

Keep your most critical data in an encrypted container / virtual disk (an encrypted file that looks like a disk drive to the OS), perhaps by using VeraCrypt or something similar.

Some advantages: you can have multiple containers, of varying sizes, of various filesystem types, portable to other OS's or not, with same or different passwords, back them up on different schedules and/or to different places.



Encrypted file

A more limited solution: keep your most critical data in an encrypted text file (perhaps by using NotepadCrypt or something similar). But it doesn't have to be a text file; you could have an Excel file or Word file or database file.

BitLocker, 7-Zip, AxCrypt can encrypt individual files or sets of files.



The strategy I use: full-disk encryption (FDE) using the OS's native encryption, plus encrypted containers for specific data. Have each container open (decrypted, mounted) only when you are actually using that data.



Smartphone

How-To Geek's "How to Encrypt Your Android Phone and Why You Might Want To"
Eric Ravenscraft's "The Essential Android Security Features You Should Enable Right Now"

I encrypted my Android 5 phone via Settings->Security, everything works fine, but it made me change from a 4-numeric PIN to a 6-8-alphanumeric passcode.

On iPhone, just set a passcode and everything gets encrypted automatically ?

Apparently, some smartphones must be jail-broken if you want to encrypt just specific folders, not encrypt or password-protect the whole phone.

Password-lock your device, unless you're using a theft-recovery product that prevents this.

Most of the theft-recovery products listed on this web page give you a "delete" or "shred" capability: when the thief connects to the internet, a command comes from the central site and all data on the hard disk is deleted. This prevents the thief from reading your data. But it works only if the thief connects to internet before trying to read your data, and if they haven't disabled the theft-recovery software somehow.



Whitson Gordon's "How to Break Into a Windows PC (and Prevent It from Happening to You)"
Martin Brinkmann's "You better add Pin Protection to your Bitlocker configuration"
OpenCL BitLocker
See encryption status: run as admin "manage-bde -status".



From gouttegd on LinuxQuestions:
There are ways to protect your system even in the case your machine gets in the physical hands of an attacker. By order of simplicity and depending on the kind of attacks you want to protect yourself against:

BIOS password

Will prevent an attacker from booting on anything, including a live USB/CD.

What it will not protect against: data theft. If what the attackers are looking for is your data on your disk, then all they have to do is to physically open your machine, take the hard disk out, and put it into another machine. Then they can boot on that other machine and explore the contents of the disk as much as they want.

Full-disk encryption

Will prevent an attacker from doing what I just wrote: even if they put the disk in another machine, they won't be able to mount the filesystem and explore its contents without knowing the encryption passphrase. They can try brute-forcing the passphrase of course, but as long as you chose a "decent" passphrase you should have nothing to worry about.

What it will not protect against: the so-called "evil maid" attacks. Basically, a scenario when the attackers get physical access to your machine once, alter the boot system [so their software will capture your passwords or your data later], then somehow give you your machine back in such a way that you do not realize it has been in their hands and has been tampered with (for example, a hotel maid could do that by entering your room while you're having breakfast at the hotel's restaurant - hence the nickname of this kind of attack).

Secure Boot

Implemented correctly and assuming you trust Microsoft, it should prevent the "evil maid" attacks, by preventing the attackers from tampering with the boot system (or rather, they may still tamper with the boot system, but after that Secure Boot should prevent it from booting).





Mobile phone security



[Do I have this right ?]

Three things to protect: your data, your device, and access to the service (ability of thief to make calls and run up bills on your account).
  1. Data:

    • If your data is stored on SD card, there's no protection, thief just pops it out and reads it on another device.

      [Except some OS versions allow full encryption of data, which would prevent this.
      Patrick Nelson's "How to turn on Android encryption today"
      Cyrus Farivar's "Apple expands data encryption under iOS 8" ]

    • If your data is stored in phone's internal memory, having a passcode/PIN set will prevent thief from accessing your data.

      [Except there are tools that can unlock a phone and extract data via USB cable ? But some OS versions allow full encryption of data, which would prevent this ?]

  2. Device:

    Having a passcode/PIN set prevents thief from using your phone, even with another SIM inserted.

    [But is there a hardware reset that wipes everything and sets back to defaults ?]

    Reporting your phone as stolen can prevent a thief or purchaser from ever enabling service on that phone again; the service provider may look up the IMEI to see if the phone is listed as stolen.

  3. Service:

    • If phone has a SIM card (GSM or LTE phone), disabling service after the theft is your only protection on access to the service. Having a passcode/PIN set on the device doesn't stop thief from popping out the SIM card and using it in another phone.
      But: some SIM cards do have a separate PIN for the card itself.

    • If phone has no SIM card (CDMA phone), having a passcode/PIN set will prevent thief from using the service.


After your phone is stolen, the thieves might send a phishing email to you, appearing to be from your phone company and saying "good news, we found your phone, login here to get it back". Don't give any login information; the thieves will use it to steal your account and re-activate your phone.

If your accounts use SMS or voice phone for account recovery or password reset, the thieves might try to do those things to take control of your accounts. Log in to your important accounts and change to a new phone number ASAP.





Adopt some practices from the business world







Tracking Products



Products to track and maybe disable a stolen device.

All of these products work by your computer sending "here I am" messages over the internet to a central site. But if the thief breaks up your computer to sell for parts, or uses it but never connects to the internet, the product won't work.

One note: if someone (a hacker or ex-spouse) finds out your theft-recovery password, they might be able to tell the software to delete all of your data, even though your device hasn't been stolen !





Password / login issues



All of these theft-recovery products work by your computer sending "here I am" messages over the internet to a central site. But a computer running Windows 7 Home can't access the internet until the user has logged in to Windows. So the thief has to be able to get past the BIOS/firmware password prompt and the Windows password prompt.

There are three ways this could happen:
1- you always use your laptop with no passwords set, or
2- you have passwords set, but the thief resets the BIOS password and OS password (it can be done), and then logs in, or
3- you have passwords set, but the thief resets the BIOS password (it can be done), reformats the hard disk, installs a new OS, and then logs in.

In case (1) or (2), obviously a thief or casual snoop can log in right away, and read all of your files. Unacceptable.

Under Windows 7 Home Premium, there is no way to have a Guest account that can log in but then be unable to read files.

In case (3), a few of these theft-recovery products can survive the reformat/re-install and be capable of reporting their location when the thief eventually logs in and connects to the internet.

Case (2) or (3) represents a sophisticated thief; they could just pull out the hard disk and attach it to another PC, so they could read your files that way. Unless you're using some special full-disk-encryption product.

And in case (2) or (3), the sophisticated thief probably would be aware of the existence of theft-recovery products.

So it seems to me that this is a Catch-22 situation: these theft-recovery products work best in case (1), but that's the case where you've left your data most vulnerable to a naive thief or casual snoop. And in case (2) or (3), nothing protects you very much from a sophisticated thief.

I believe Linux and Mac systems are slightly better than Windows in that: once the OS password prompt is displayed, the machine can connect to the internet, even though the thief hasn't logged in to the OS. The thief would still have to get past the BIOS password to get to this point. So for Linux and Mac, if you set no BIOS password but do have an OS password, the laptop might report its location while the thief is sitting there trying to guess your OS password.





Recovery issues



What "location" information do you get once the thief has logged in and connected to the internet ?

You'd get the IP address. Maybe also the Wi-Fi or Ethernet network name ? If your stolen device had a GPS in it, you could get latitude/longitude. If your stolen device connects via cellular data-modem, you could get approximate latitude/longitude. Software could use the list of visible Wi-Fi networks to calculate approximate latitude/longitude.

From the IP address, you could find the ISP's info, and contact them.

If the IP address is specific to a person or house, the identity of the thief is fairly clear.

But if the IP address maps to a public Wi-Fi spot (such as provided by a school or library or McDonald's or Starbucks), or a private house that's running an open Wi-Fi signal, the identity of the thief is unclear.

Most products can use the laptop's webcam to take a picture of the thief, which helps.

The companies selling the commercial theft-recovery products may assist in the tracking and recovery process, helping you follow the IP address, contact law-enforcement, etc.

Some users who had devices stolen report great cooperation from law-enforcement in recovering their property; others report that police were uninterested in helping them. Probably varies from town to town and country to country, and also depends on how much info you can give to the police.

Whitson Gordon's "Can I Track My Laptop or Smartphone After It's Been Stolen?"
Lincoln Spector's "Protect your Android phone from loss or theft"
Christopher Hill's "Top Ways to Find Your Lost Phone or Tablet"






Miscellaneous



Fabian Nunez's "How to avoid buying a stolen laptop"
Stolen Phone Checker
Max Eddy's "What To Do When Your iPhone is Stolen"

Neil J. Rubenking's "What to Do When You've Been Hacked"
Leo Notenboom's "What to Do When Your Account Is Hacked"
Lincoln Spector's "You've fallen for a scam! Now what?"
Patrick Allan's "What to Do When Someone Gets Unauthorized Access to Your Computer"
NCCIC's "So You Think You've Been Compromised ..." (PDF)

Nicholas Tufnell's "Naked selfies extracted from 'factory reset' phones"

Melanie Pinola's "What Should I Do If My Credit Card Gets Hacked?"
Alan Henry's "What To Do If Your Social Security Number Has Been Stolen in a Hack"
FTC's "IdentityTheft.gov" (what to do in case of identity theft)



My "Computer Security and Privacy" page