@ Nzomo, you are beginning to sound like a defense lawyer, always looking to punch holes into any recommendation given.

My 'security' against such instances is simple:

- I never save passwords on browser for personal access accounts; would rather lose and reset them.

- At one time I used to walk around with a laptop without OS password but changed that. A lot of people that steal laptops are never after the info in it info until they find it sitting invitingly open.

- I keep backup of my most important stuff; usually less than 10% of all used up HDD capacity.

Will consider adding one or two features; e.g. HDD password, encryption, etc in future.

Regards,
Mugo

On Sun, Jun 17, 2012 at 9:37 PM, James Nzomo <kazikubwa@gmail.com> wrote:
Just as i thought, i missed nothing.

Look closely at the sizes of those things, none of  them even comes close to fitting inside any lappy chassis ( or a battery or next to Dvdrom chassis, etc, )
Even if you were as creative as Leonardo da Vinci and stick those things (or anything with a GSM module) on the outside, you would risk subjecting your machine to RFI that it wasn't designed for.
Tell one of your buddies to call you, place your phone next to your HiFi amp & turn up the volume...see what i mean?

Current GPS + GSM technology is not yet as miniturized as you want it to be. 
Trust me.

Check again!





_______________________________________________

Without requirements or design,
programming is the art of adding bugs to an empty text file.
_______________________________________________




2012/6/17 Gichuki John Chuksjonia <chuksjonia@gmail.com>
http://www.pimall.com/nais/tracking.html
http://www.youtube.com/watch?v=MCp3H_qkj18
http://www.eyespysupply.com/gps-trackers--car--vehicle-tracking-devices.html

So its a matter of finding which one u need, fit it inside a battery, next to Dvdrom chassis, etc, just be creative.


>Why would a 1337 argue that logical controlls would be an adequate barrier when all >physical security is compromised?

Am not telling people to let a reboot, why are you? I have been involved in Security Assessment where a laptop had to be grabbed, and i know the risks.







On 6/17/12, James Nzomo <kazikubwa@gmail.com> wrote:
> lol Gichuki, I'm puzzled
> Why would a 1337 argue that logical controlls would be an
> adequate barrier when all physical security is compromised?
> Anyways, i see no end to this debate. Take whatever precautions you see fit
> for your portables, i'll stick to mine 
>
> One last thing tho, when you get time, kindly share a link to these "tiny
> covert GPS tracker devices" that can at least sent a text with lat & long
> and be fitted discreetly inside a laptop chassis.
> I'd like to know whether i've missed something concerning those
>
>
>
> _______________________________________________
>
> Without requirements or design,
> programming is the art of adding bugs to an empty text file.
> _______________________________________________
>
>
>
>
> 2012/6/17 Gichuki John Chuksjonia <chuksjonia@gmail.com>
>>
>> There are very small transponders size of USB stick, i cant remember
>> there names. There also some little GPS covert tracker devices, price
>> range of 299 USD to 500 USD.
>>
>> Using software for tracking laptops is not security advised (This
>> should be done for organizations that are open even to their
>> competitors), especially when working with a sensitive environment,
>> security 101.
>>
>> Best advice,
>>
>> 1) Backup your data always, off the laptop. Protect the storage.
>> 2) Lock your HDD on BIOS level, pretty easy
>> 3) Encrypt your whole Device
>> 4) Don't store your passwords on the browser
>> 5) Sensitive document should always be password protected or encrypted
>>
>> Saying that you let the thief get all the way to boot, man, thats a
>> horrible option, some of these guys know how to remove software. What
>> if the box is booted up in Mogadishu, will send KDF to pick it up?
>>
>> Kindly,
>>
>> ./Chucks
>>
>> On 6/17/12, James Nzomo <kazikubwa@gmail.com> wrote:
>> > By the way Bwana Chuks, as long as impunity or physical access is gained
>> > to
>> > a machine, it's disclosure time for sensitive data!
>> >
>> > Allowing or denying booting on a lost machine will make very little
>> > difference to a jambazi that really wants access to millions worth of
>> > company data.
>> >
>> > HDD huenda ikachujwa (bila matata) na kukaguliwa kwingine.
>> >
>> > About transponders, try opening your lappy and check whether there's
>> > enough
>> > room for a decent HW tracker.
>> > (by decent, i mean one that can acquire conclusive location data and
>> > submit
>> > it to you in NBO even if it ends up in Mandera)
>> >
>> >
>> > NB: anyone/org crazy enuf to store sensitive nfo (worth millions) on any
>> > portable machine is in serious need of an overhaul to their security
>> > policies (and 1000 cans of whoop ass unleased on them)
>> >
>> >
>> > _______________________________________________
>> >
>> > *Without requirements or design,
>> > programming is the art of adding bugs to an empty text file.*
>> > _______________________________________________
>> > *
>> >
>> > *
>> >
>> >
>> >
>> > 2012/6/16 Gichuki John Chuksjonia <chuksjonia@gmail.com>
>> >
>> >> Data cost millions to companies, a laptop is cheaper than that.
>> >>
>> >> A boot up of a box gets its naked even when you have an encrypted
>> >> partition, this is coz its a partition of one full device, and thats
>> >> where the vulnerability comes to.
>> >>
>> >> If you want to track something, use hardware, like a transponder can
>> >> do a great job, even in a remote area with no maps.
>> >>
>> >>
>> >>
>> >> On 6/16/12, James Nzomo <kazikubwa@gmail.com> wrote:
>> >> > Allowing a boot up doesn't guarantee unwanted data access.
>> >> > Disks can be partitioned.
>> >> > Partitions & Dirs with sensitive data can be encrypted.
>> >> > Decent tracking SW allows you to nuke your data remotely
>> >> >
>> >> > I don't know about you but to the rest of us common folk, a lappy is
>> >> > an
>> >> > asset that cost real heard earned bling and effort to acquire.
>> >> > I would think it wise to do everything within one's means to
>> >> > reacquire
>> >> > a
>> >> > lost machine
>> >> >
>> >> > _______________________________________________
>> >> >
>> >> > *Without requirements or design,
>> >> > programming is the art of adding bugs to an empty text file.*
>> >> > _______________________________________________
>> >> > *
>> >> >
>> >> > *
>> >> >
>> >> >
>> >> >
>> >> > 2012/6/16 Gichuki John Chuksjonia <chuksjonia@gmail.com>
>> >> >
>> >> >> @James, i cant let u access my laptop just like that. Its better to
>> >> >> have a backup of your work on an encrypted hdd, if the laptop goes,
>> >> >> i
>> >> >> say bye bye, get a new one, load my work up.
>> >> >>
>> >> >> Letting the laptop boot coz you want to track it, its a bigger risk
>> >> >> to
>> >> >> data, dont advice people that.
>> >> >>
>> >> >> On 6/16/12, James Nzomo <kazikubwa@gmail.com> wrote:
>> >> >> > @Chuksjonia
>> >> >> > Letting a laptop boot the OS sans boot passwords will allow a
>> >> >> > stolen
>> >> >> > machine to run prey or some other tracking SW (if it hasn't been
>> >> >> formatted
>> >> >> > already)
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > _______________________________________________
>> >> >> >
>> >> >> > *Without requirements or design,
>> >> >> > programming is the art of adding bugs to an empty text file.*
>> >> >> > _______________________________________________
>> >> >> > *
>> >> >> >
>> >> >> > *
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > 2012/6/16 <thomas.kibui@gmail.com>
>> >> >> >
>> >> >> >>
>> >> >> >> Furthermore if your hijacked email accounts are subscribed to
>> >> >> >> this
>> >> >> >> mailing
>> >> >> >> list . ... The hijacker is readin this thread as we speak ...
>> >> >> >>
>> >> >> >> Lets not even talk of other social sites like facebook, twitter
>> >> >> >> and
>> >> >> >> the
>> >> >> >> likes
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >> Sent from my BlackBerry®
>> >> >> >>
>> >> >> >> -----Original Message-----
>> >> >> >> From: Erick Njoka <erickarn@gmail.com>
>> >> >> >> Sender: skunkworks-bounces@lists.my.co.ke
>> >> >> >> Date: Sat, 16 Jun 2012 15:19:21
>> >> >> >> To: Skunkworks Mailing List<skunkworks@lists.my.co.ke>
>> >> >> >> Reply-To: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
>> >> >> >> Subject: Re: [Skunkworks] Hacked Email Accounts
>> >> >> >>
>> >> >> >> Even if the laptop requires a password to log in, Ophcrack can
>> >> usually
>> >> >> >> read most Windows login passwords.  I've tried it (on request, of
>> >> >> >> course) for XP, not sure about Windows 7.
>> >> >> >>
>> >> >> >> Erick
>> >> >> >>
>> >> >> >> On Sat, Jun 16, 2012 at 12:46 PM, Evans Ikua
>> >> >> >> <ikua.evans@gmail.com>
>> >> >> >> wrote:
>> >> >> >> > Well Philip, if your laptop does not require a password when it
>> >> >> starts,
>> >> >> >> and
>> >> >> >> > your browser is set to remember the passwords to websites like
>> >> >> >> > your
>> >> >> >> > email
>> >> >> >> > accounts (automatic login), then you begin to see the picture.
>> >> >> >> > Once
>> >> >> the
>> >> >> >> > person is logged into your email account, they can do plenty of
>> >> >> damage.
>> >> >> >> This
>> >> >> >> > is serious stuff. I wonder if there is a way of engaging Google
>> >> >> >> > to
>> >> >> >> rectify
>> >> >> >> > this? Especially with the local office?
>> >> >> >> >
>> >> >> >> > Evans
>> >> >> >> _______________________________________________
>> >> >> >> Skunkworks mailing list
>> >> >> >> Skunkworks@lists.my.co.ke
>> >> >> >> ------------
>> >> >> >> List info, subscribe/unsubscribe
>> >> >> >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>> >> >> >> ------------
>> >> >> >>
>> >> >> >> Skunkworks Rules
>> >> >> >> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>> >> >> >> ------------
>> >> >> >> Other services @ http://my.co.ke
>> >> >> >> _______________________________________________
>> >> >> >> Skunkworks mailing list
>> >> >> >> Skunkworks@lists.my.co.ke
>> >> >> >> ------------
>> >> >> >> List info, subscribe/unsubscribe
>> >> >> >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>> >> >> >> ------------
>> >> >> >>
>> >> >> >> Skunkworks Rules
>> >> >> >> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>> >> >> >> ------------
>> >> >> >> Other services @ http://my.co.ke
>> >> >> >>
>> >> >> >
>> >> >>
>> >> >>
>> >> >> --
>> >> >> --
>> >> >> Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P
>> >> >> I.T Security Analyst and Penetration Tester
>> >> >> jgichuki at inbox d0t com
>> >> >>
>> >> >> {FORUM}http://lists.my.co.ke/pipermail/security/
>> >> >> http://chuksjonia.blogspot.com/
>> >> >> _______________________________________________
>> >> >> Skunkworks mailing list
>> >> >> Skunkworks@lists.my.co.ke
>> >> >> ------------
>> >> >> List info, subscribe/unsubscribe
>> >> >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>> >> >> ------------
>> >> >>
>> >> >> Skunkworks Rules
>> >> >> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>> >> >> ------------
>> >> >> Other services @ http://my.co.ke
>> >> >>
>> >> >
>> >>
>> >>
>> >> --
>> >> --
>> >> Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P
>> >> I.T Security Analyst and Penetration Tester
>> >> jgichuki at inbox d0t com
>> >>
>> >> {FORUM}http://lists.my.co.ke/pipermail/security/
>> >> http://chuksjonia.blogspot.com/
>> >> _______________________________________________
>> >> Skunkworks mailing list
>> >> Skunkworks@lists.my.co.ke
>> >> ------------
>> >> List info, subscribe/unsubscribe
>> >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>> >> ------------
>> >>
>> >> Skunkworks Rules
>> >> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>> >> ------------
>> >> Other services @ http://my.co.ke
>> >>
>> >
>>
>>
>> --
>> --
>> Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P
>> I.T Security Analyst and Penetration Tester
>> jgichuki at inbox d0t com
>>
>> {FORUM}http://lists.my.co.ke/pipermail/security/
>> http://chuksjonia.blogspot.com/
>> _______________________________________________
>> Skunkworks mailing list
>> Skunkworks@lists.my.co.ke
>> ------------
>> List info, subscribe/unsubscribe
>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>> ------------
>>
>> Skunkworks Rules
>> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>> ------------
>> Other services @ http://my.co.ke
>
>
>


--
--
Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
jgichuki at inbox d0t com

{FORUM}http://lists.my.co.ke/pipermail/security/
http://chuksjonia.blogspot.com/






_______________________________________________
Skunkworks mailing list
Skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------

Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke


_______________________________________________
Skunkworks mailing list
Skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------

Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke