Protecting Personal Data in Windows

I want to protect my laptop data from being accessed if my computer is stolen. What can I do to protect my laptop running Windows?

Before you non-laptop owners blaze by this because you think it might not apply to you, read on - protecting your personal information stored in Windows requires a similar procedure whether your computer is a laptop, desktop, tablet, or any other form factor. Portable computers are more likely to be stolen than their desktop counterparts because we take them in public and are easier to transport quickly.

This doesn't mean you shouldn't protect yourself if your computer sits under a desk. At the very minimum, disabling Windows autologon, forcing you to type in a password each time you login to Windows will slow down novice data thieves. I talked about disk encryption when I featured TrueCrypt awhile ago. Recognizing encryption as a valuable safety mechanism is a good first step, but you also need to be aware of what you should encrypt. Beyond encryption, you need to be aware of all the places Windows leaves your personal information exposed, so you can have a comprehensive protection strategy.

According to Time Magazine, 591,000 laptops were reported stolen in 2001. I haven't been able to find an updated report, but latop and tablet sales continuing to grow, tt's safe to assume that number went up over the past 10 year. In December 2004, Margita Thompson, Press Secretary to Governor Arnold Schwarzenegger, had a laptop stolen from her home. More recently, a laptop containing Social Security numbers and personal information of 98,369 UCal Berkeley alums was stolen. While I cite two high profile thefts here, presumably most of the 591k people from the Time article are normal people like you and me. There are ways, including the drive encryption I mentioned earler, to protect yourself.

Types of Personal Information Leaks

Before you determine the best strategy for protecting data on your computer, you need to understand where the risk points are. Some of the places where personal information gets leaked are fairly obvious. Email applications are a clear path to all kinds of personal information. Browser temp files keep an ongoing history of where you visit as well as providing access to any stored passwords. Instant messenger clients store log file data in publicly accessible locations on your PC. If you use a financial data app like Quicken, Money, TurboTax and Tax Cut all your data is potentially wide open, even if you use a password tool. If you store any personally identifying info in Word, Excel, PDF, ACT or other files, your data is equally at risk. Spotmau makes an excellent password recovery tool which is affordable and could just as easily be used to steal passwords.

Some not so obvious places where information gets left behind on your computer have equal potential for revealing personal data. Google includes an autofill page that stores personal data including credit card info, which is both convenient and a major security risk. In many cases, if you don't use this feature, autofill will remember the credit card info you typed in the browser. If someone steals your laptop, they need only scan the history for places you visited, look for sites that might accept credit card information and make a few educated guesses about the data you entered. For instance, in the United States most credit card numbers from Visa and Master Card start with '4' which is enough detail to trigger the autofill dropdown selection. If you typically Hibernate your laptop, Windows XP writes that hibernation data to your hard drive as a temporary file containing everything you currently have open, including email, documents, Web pages and any other apps that were running at the time of hibernation.

Encrypting the Obvious Security Leaks

For the obvious group of applications, there are several things you can do to protect yourself. This is where using encryption comes in. Most Windows encryption solutions leave a key behind on the disk outside of the encrypted portion of the disk, making it possible for a smart thief to gain access. I like TrueCrypt because it's free, it doesn't leave a key behind, and it's simple to configure and use. Basically, you define a portion of your hard drive to use for encrypted information, use a password that's complicated for anyone to guess; just be sure you never forget that password. The downside to encryption is forgetting the password means you are in the same boat as someone trying to steal your information; you'll need a brute force password guessing application and many hours in order to break the encryption. The way around this is to put the password for your encrypted disk somewhere secure, like a safe deposit box, just in case you ever forget it.

When you create your encrypted virtual disk, make sure the encrypted disk is large enough to store everything you want to keep private. For instance, if you plan to secure the information from your email software, make sure the drive can support all that data. My Outlook PST file is about 2GB in size, so I need an encrypted volume larger than that to make room for other data as well. I generally plan for at least 25% of a hard drive to be used for encryption, so if my laptop hard drive is 60GB, I create a 15GB encrypted volume. After creating the encrypted drive, it's time to configure how your applications access information. For instance, if you use Outlook, move your PST file to a folder on the encrypted drive. If you use Mozilla Thunderbird, the Profile Manager will assist you in relocating your mail folders. Quicken and Money both allow you to choose a location for your data files, which should be inside your encrypted volume as well. Any personal information you might normally store in files on your desktop or in the My Documents folder should also be moved inside the encrypted volume.

If you use Google Talk for IM, consider running it in the off-the-record mode, so that your chats aren't getting logged as an additional source of data leakage.

Eliminate Unencrypted Personal Data

Some of those not so obvious places are a little trickier. Windows isn't flexible about where some information is stored. Browser temporary files are stored in the user account under Documents and Settings. The hibernation file is stored in a fixed location. Temp files are generally stored under the Documents and Settings hierarchy as well. Since there is no easy way to store this information inside the encrypted volume, it's best to eliminate prior to any possible opportunity for your laptop to be stolen. The hibernation file is avoided by properly shutting down Windows. You can get rid of many of the temporary files manually, although they are still recoverable until overwritten by other files. The process for dealing with temporary files is the same as what is discussed in the article on Index.dat files (which are just one of several temp file storage points where personal information may be stored).

Other Protection Methods

Beyond encryption and elimination of personally identifying information, several mechanisms may slow down would-be data thieves. As a first line of defense, turn off the Autologon feature of Windows. By default, rebooting Windows either automatically logs your primary user account in without typing a password or requires no password. This is configurable in the User Accounts area of the Control Panel. From the User Accounts pane, click Change the way users log on or off. Uncheck the box to Use the Welcome screen which forces you to enter both username and password. If your user currently has no password, create a password that is reasonably complex; ideally one that is 10 or more characters in length. Requiring a password to login to Windows only stops inept computer thieves. By putting a bootable CD or DVD in the laptop drive, a data thief could easily bypass Windows altogether and access information directly. Another mechanism for slowing down data access is to add a password to the system BIOS. This is done as the computer boots, prior to Windows loading. Each BIOS requires different information, so you'll need to consult your computer's documentation to determine how to access your BIOS. This will force a password prompt before Windows boots, forcing a data thief to remove the hard drive from your PC in order to continue.

System and BIOS passwords are like putting a deadbolt on your front door. They keep honest people out, but don't stop anyone determined to gain entry. Both are easily bypassed by removing the hard drive and connecting it to a different system. Use passwords on software applications which contain sensitive information. Use a password manager with encryption instead typing in passwords manually. Make sure the encrypted volume is protected with a complex password. Automate protective processes wherever possible. For instance, choose a data elimination tool that offers scheduling for cleaning temp files and eliminating personal information. Set-it-and-forget-it processes are the best way to make sure you never accidentally forget to protect yourself.

Also be sure you aren't signing on to public WiFi networks insecurely. Open wireless networks are a great place for people to mine your personal information if you aren't protected. Most importantly, store a backup of non-recoverable passwords in a secure location separate from your computer, preferably without making reference to what they are for. You may not prevent someone from stealing your laptop, but you will make sure they can't do any more damage to you once they get it.