9
GuardianEdge Technologies Inc. www.guardianedge.com
10
SafeBoot International, www.safeboot.com
11
Pointsec Mobile Technologies, www.pointsec.com
How Hard Drive Password Security
Is Defeated
Although hard disk password drive locking
conforms to an industry standard, different drive
manufacturers implement the security feature
in slightly different ways. Authors of password
removal tools use a variety of methods to
determine how to remove the hard-drive ATA
password from the various drives. Once the
technique has been mastered for a particular
drive model, the same method can be applied to
all drives of the same model. Over time the tools
have become smart enough to quickly and easily
remove the password lock from nearly all models
of hard drives.
Encryption Is the Only Secure Protection
The problem with relying on hard-drive ATA
password security is that the data itself remains
unprotected. Because password locking does
not encrypt any data, once the lock is defeated
the data can be read and stolen.
The solution is to encrypt the data. If the data
on the hard drive is encrypted, it remains
protected even if the password lock on the
drive is defeated. A drive with its password lock
beaten will retrieve data, but that data is useless
if it is securely encrypted.
Fortunately good, transparent encryption solutions
are becoming available. Gone are the days when
one had to be a techno-geek to install, configure
and manage encryption. Software-based full
disk encryption products have been available for
several years from companies like GuardianEdge
9
,
SafeBoot
10
and Pointsec
11
(recently acquired by
Checkpoint). Although these are aftermarket
solutions that must be installed on existing
systems and require a significant effort to deploy
at large organizations, their use is much better
than relying on hard drive password locking.
AMERICAS
Seagate Technology LLC 920 Disc Drive, Scotts Valley, California 95066, United States, 831-438-6550
ASIA/PACIFIC
Seagate Technology International Ltd. 7000 Ang Mo Kio Avenue 5, Singapore 569877, 65-6485-3888
EUROPE, MIDDLE EAST AND AFRICA
Seagate Technology SAS 130–136, rue de Silly, 92773, Boulogne-Billancourt Cedex, France 33 1-4186 10 00
Copyright © 2007 Seagate Technology LLC. All rights reserved. Printed in USA. Seagate, Seagate Technology and the Wave logo are registered trademarks of Seagate Technology LLC in the United States and/or
other countries. Momentus is either a trademark or registered trademark of Seagate Technology LLC or one of its affiliated companies in the United States and/or other countries. All other trademarks or registered
trademarks are the property of their respective owners. Seagate reserves the right to change, without notice, product offerings or specifications. TP580.1-0710US, October 2007
However, the best news by far is that full disk
encryption is starting to be built right into drives.
Seagate
®
is the leader in this area with its newly
released Momentus
®
5400 FDE.2 drive. Seagate
is also heading up a standards-based initiative in
conjunction with the Trusted Computing Group
(TCG), which will, if successful, make encryption
performed within hard drives ubiquitous. The
initiative, run by the TCG Storage Workgroup,
has wide industry participation, so the prospects
are promising.
Full disk encryption performed within the
hard drive itself provides the best solution for
protecting data stored on the hard drive.
Conclusions
The risks to organizations of losing confidential
data stored on hard drives in PCs and servers
cannot be ignored. Utilizing password security to
protect data on hard drives is better than relying
on BIOS or operating system passwords, but it is
not strong enough for most organizations. Hard
drive password security can be easily defeated
by an attacker, either through a service or by
obtaining password-cracking tools from any
number of sources. Because hard drive password
systems do not encrypt the actual data, a broken
password routine allows full access to the data
on the drive. This means that hard-drive ATA
password security alone is not secure enough
for protecting anything but casual data.
For most organizations, obtaining adequate
protection of sensitive data on their hard drives
requires encrypting that data. Software-based
full drive encryption systems are one solution,
but the next generation of encrypting hard
drives have important advantages over the
software-only solutions and will certainly be
of value to any organization with high-value or
regulated information.
Can Your Computer Keep a Secret?
Why All Laptop Data Protection Methods Are
NOT Created Equal
