Lazybit

If you're someone who checks the system logs every now and then, to make sure things are running smooth - you may have noticed some errors related to Private Disk:

The PRVDISKAMD64 service failed to start due to the following error: The system cannot find the file specified.

The program works fine, despite these log entries.  The error is not critical and it has no impact on the program's functionality. But why is it there? And what does it mean?

Private Disk comes with several flavours of drivers - 32-bit and 64-bit. Upon installation, both driver types are registered, but only one of them is successfully loaded by the system.

The other type, which is not compatible with the platform, fails to load - hence the log entry is generated.

In other words, you can simply ignore these notifications.

This behaviour will be changed in the next release, so the system won't bother loading modules that are not designed for it. Until then, here is a simple solution:

1. download Autoruns from Sysinternals
2. run the program and switch to the Drivers tab
3. find the drivers the pubisher of which is Dekart
4. uncheck the versions that do not correspond to your system
5. the new settings will come into effect after a restart

On choosing the entries:

• if you have a 32-bit (x86) system, disable the ones ending with "amd64"
• for 64-bit platforms, disable the other ones (as in the example below)

What the modules mean:

• pdfilter - Disk Firewall, the application-layer access filter;
• prvdisk - virtual disk driver (the thing that makes the encrypted drive show up in My computer as a regular disk);
• prjndl - the disk encryption driver that implements AES-256 in CBC mode, our NIST-certified implementation of it.

PD Explorer is a free tool that enables you to explore Private Disk encrypted images even in the cases when Private Disk is not installed on the computer, even if you don't have administrative privileges.

You can view the contents of the encrypted disk, write or remove files from it - as you can normally do with an archive such as a ZIP file.

It is extremely simple in use, making it easy to add new files to the encrypted vault, delete or update existing files.

PD Explorer is compatible with NTFS images of any size, there are no file size restrictions, nor are there limitations about the maximum number of files that can be processed.

PD Explorer is a available for free, you can download it right now.

It has been reported that in certain circumstances the system will shutdown instead of rebooting itself when the user restarts it while Private Disk is running and an encrypted disk is mounted.

This was a problem difficult to trace; while it repeats itself 10/10 times on a "problematic" machine, on "non-problematic" ones everything is working correctly and it is impossible to simulate the problem.

This is what makes it of reason to make an educated guess that this is caused by a third-party component present on the system, which somehow alters the standard behaviour of Windows. The tough part is that even when you think you have disabled all the non-standard programs, there is a myriad of low-level components that one can't see with the naked eye.

Full story »

It is not known to the wide public, but the truth is that for quite some time a version of Private Disk Light for Windows Vista, as well as for 64-bit versions of Windows XP has been available.

It can be downloaded: http://files.dekart.com/beta/PrvDiskLight-Vista.exe

It is unofficially called Private Disk Light 1.23, and here are the changes:

• Support for Windows Vista (32-bit and 64-bit)
• Support for Windows XP 64-bit
• Prettier icon
• Surprise - a new feature that hasn't been present in the earlier versions of Private Disk; it is not likely to get noticed. But if you do notice it, you can get a free license for the full version of Private Disk, and I am absolutely serious about this one ;-) Good luck!

If you watch the evolution of security systems, you are probably aware of the study that explains and demonstrates how private data can be extracted from the system's memory, by forcing a reboot or extracting the RAM modules.

This is an intriguing research, because it shows how far a sophisticated attacker can get. What makes this even more interesting is the fact that there is empirical evidence that shows that it works not only on paper.

Like other encryption programs, Private Disk is permanently decrypting and encrypting some data whenever files on the virtual disk are read or written. Naturally, the keys must be somewhere in the system's memory, therefore our software can become the target of such an attack.

Why should I not worry about this?

Although the attack can have practical results, there are things that can be done about it.

Imagine that you are an attacker that stumbled upon a computer with valuable data protected by Private Disk. If the keys are in memory, it means that the encrypted disk is mounted - and if so, why not just copy the data from it while no one's watching?

Why is it easier to disassemble a computer in order to make the RAM modules easily accessible, then take the memory out and connect it to another computer? When you're done - you'll put the RAM back but the system will be shut down, so the owner will figure out that something is fishy when they return.

Why is it easier to force a system reboot, configure the BIOS to boot from an external device, then dump the contents of the RAM to the external device for future analysis? As in the previous case, the system will be in a different state when the owner returns, so they will realize that an attack has just occurred.

Besides, there are many things that have to be taken into account, and the attacker can only hope that luck will be on their side; for instance:

• is there a guarantee that upon a system reset, there will be no password prompt when entering the BIOS settings?
• what makes the attacker sure that the BIOS is configured to allow booting from any external device?
• why would it be easy for someone to disassemble a computer and take the RAM out (or reset the BIOS settings)?

Of course, all of these problems have solutions: disassembling a system can be done very quick if you're good at it, and resetting the BIOS settings is a matter of time. But all of this is only useful in one condition - the computer that was left unattended contains a virtual disk in a mountedstate.

This is what brings us to the solution, which is just a set of best practices, which are well known for a long time; once you cycle through each item, ask yourself "which of these I hear for the first time?".

End users

• Password protect the BIOS;
• Don't allow the system to be booted up from anything other than the internal drive (no external devices, CDs, or network booting);
• Dismount your encrypted disks if they are not in use;
• Turn the computer off when it is not in use for a long time (cut your electricity bill, save your planet).

Company owners, administrators, and leaders of the IT department

• Do not allow full physical access to corporate workstations;
• Make sure that every employee understands that a stranger walking around with a canister of liquid nitrogen (to cool down the extracted RAM modules to keep their contents intact longer) is not a common phenomenon, and this should be reported immediately;
• Make it impossible for a stranger to enter the office when no one is around;
• Use surveillance equipment to monitor remote locations (this implies that the sly attacker managed to get past the guards who found nothing suspicious about a "smoking" canister of liquid nitrogen in the hands of a stranger who visits the office past working hours and ends up doing something in the server room after unlocking multiple doors with the power of thought).

Developers

• Do not keep the keys in the memory when you don't need them, overwrite the memory with some other data as soon as the keys are not required.

As you can see, none of the above is new. Of course, this does not mean that the new attack method is useless, but it makes it clear that simple measures can be taken in order to protect your assets. Moreover, all these measures are either free (features such as "disconnect encrypted disks when the system hibernates" in Private Disk, or "Automatic lockdown" in Password Carrier are there for ages), or are already in place (guards, locks, security cameras, etc).

Finally, I must point out that I can hardly imagine a thief who prefers to try this new high-tech wizardry, when it is known that the encrypted disk is already mounted, so all that has to be done is simply copy the data and walk away (which is obviously the path of least resistance).

Summary - the end of the world is postponed yet another time, and you can protect yourself by following a short list of best practices. How is this news?

Make IT secure!

I was asked what makes Private Disk better than the hardware-based encryption solution offered by another company. The name of the other solution will not mentioned, because it is not relevant - the arguments are valid in either case.

The discussion is about Private Disk vs. a hardware based encryption solution that is built into a 4 GB USB disk.

Note that some of the points were taken out of context, so they may sound a bit weird (us = Dekart, them = "the other company").

• They use the same algorithm for encryption, AES-256. Our implementation is certified by NIST (we also have certifications for the used hashing algorithms). Having a certification makes it clear that you're dealing with someone who is not just an amateur cryptographer; many other competing solutions use implementations that were not tested by an unbiased third party. So this makes a difference, because not all implementations are equally correct and effective.
• "The software needs to be able to access, for example, a private key. Software and hardware debuggers can monitor the software and capture the private key for rogue use".
  
  The fact that the keys are stored somewhere is obvious. Getting them out of there is non-trivial; I have recently answered a similar question on our forum.
  
  
  Since our solution uses a driver, the encryption key is stored in the system's kernel memory, which cannot be accessed by user-mode processes (unless a user-mode program 'asks' the driver to pass it some data and the driver complies; Private Disk is built in a way that the key is 'forgotten' immediately and only known to the driver, and there is no option in the driver to pass it back to anyone - even Private Disk itself).
  
  
  In their case, they don't use a driver, so there must be a user-mode program which takes your password and passes it to the device. That's the weak spot, so I would definitely start with that point. Analyzing the memory of a user-mode process requires much less skills than in the case of a driver (when I say "less" I don't mean "piece of cake", everything is relative).
  
  
  
  In other words, before the key reaches the device, it is subject to the same threats.
• They may also use "zero performance penalty" as a factor that makes a big difference. That's correct, software encryption will obviously take some CPU cycles, but with today's modern computers this is not that critical anymore. I am not saying that "Private Disk is very slow, but with a fast computer you won't notice anything anyway"; In fact I must point out that Private Disk is a very well-designed tool, it has a low memory footprint and it never was, nor it will ever be a performance hog. It is also able to run on Windows 9x machines, besides the modern Windows NT-based systems.
• Another point is that since we're providing everything in software - we can provide updates easier. When AES-256 becomes outdated, it's a matter of updating the program. In the case of hardware it's also a matter of "getting rid of" a device (multiply that by N - how many devices you have in the company).
• Flash memory has a finite number of write cycles (of course this problem is being dealt with, and technology evolves; and this finite number is big enough already) - so you might have to replace the device sooner, because you have to make sure the device is not 'worn out'.

Other significant things, Private Disk is better because:

• we provide backup functions - so you can have an encrypted backup outside the flash disk (for archive purposes)
• you can create images of very large sizes and store them anywhere (remote share, DVD, laptop... you name it). You are not tied to a flash disk;
• Private Disk can work with multiple encrypted drives at the same time, the drives can be of different sizes, file systems
• you can store database files inside a virtual disk, share them across the network - this would not be possible with the USB storage (too slow, too many write operations, size constraints)
• Private Disk can be configured in a way that allows different users to access the same image using different passwords
• Disk Firewall - this is something nobody else has - an application level filter that prevents other programs from accessing the contents of the protected disk. For instance, once the disk is mounted - a virus can infect it, or simply copy its contents elsewhere. In the case of Private Disk - this is impossible, because untrusted programs will be rejected. This brings data protection to an entirely new level - you don't need an antivirus or antispyware, because Disk Firewall takes care of that, and there is no need to update every day, or pay for updates.
• We provide helpful support. I once tried to find something out and contacted their helpdesk - never received a reply. Perhaps things would have been different if I indicated that I was planning to make a major purchase? There is a chance that their reply was marked as spam (though I checked my filter and nothing was there), so I don't really have the right to say their support team is not effective.
  

From the points above, the ones that matter the most to me (as an end user) are: Disk Firewall, and the ability to create encrypted disks of very large sizes (it will take a long time until USB flash disks are of at least 100 GB in size, and work as fast as a hard disk) - this gives me the chance to use encryption for serious activities (storing my mail archive on it, or a database, or the company's CVS repository, etc). Of course, people are different, so your mileage may vary.

The time has come, Private Disk 2.10 is now officially released. Some of the changes were already commented in the release notes of an earlier beta version of PD (those features are Disk Firewall's training mode, trusted program authenticity verification).

One of the most important things is compatibility with Windows Vista systems of all flavours that exist out there. Private Disk is now shipped with digitally signed drivers, so if you have a 64-bit Vista platform - you can use PD on it. This makes Private Disk yet again compatible with every version of Windows (starting with Windows 95).

There is also a new icon, which looks good whether you're looking at a zoomed in version, or at a tiny icon in a "list view".

Run Private Disk as a service

This is a very handy option, it used to be a part of the older 1.x versions of Private Disk Multifactor. Once this is enabled, you can run Private Disk, mount the image, then log off - the virtual drives will still be mounted, allowing other logged on users to access them (including those who access them from the network, if they are shared).

The idea is that you can mount the disk and restrict others from changing its settings (ex: alter the white-list, or change the disk's properties, etc). As an administrator, you can start the server and mount the disk, then share it; from that point on end-users can connect to the server and use what they are allowed, without being able to do (break) anything. This feature will help you offer users only as much power as they need to get their job done.

PD File Move - the secure data migration utility

This is the newest addition to Private Disk's arsenal, and it was not a part of any of the beta versions that were made public prior to the release (although the utility itself could be downloaded from the site, if you explored it thoroughly). It is designed to find a group of wanted files in a certain location, create an encrypted disk of the right size, move them to the protected storage vault, and then wipe the originals, so that the files cannot be recovered.

This is a typical screenshot of PD File Move

What can it do?

• Let's say you have a music archive you want nobody to see. Just tell PD File Move that you want to look for MP3, WAV, AAC, FLAC, WMA and OGG files (you can add your own extensions too) in D:\. The program will find all those files, and then securely move them to the new location. Afterwards there's no trace of the original files, if you used the file wiping option.
• You purchased a new computer in your office, you want to move all the data from the old machine to it. You don't remember clearly where all the documents are, but you know that you work with PDF, DOC and ODT files. PD File Move will find them for you, so there is no chance that you accidentally forgot to copy something before giving the old computer to a relative, or donating it to a school.

We decided not to bring these features into Private Disk itself, and instead have a separate utility to do the job. Private Disk continues to be extremely lightweight (using about 2.5 MB of RAM when disks are mounted), and PD File Move will not get in your way while you use Private Disk.

We are against bloatware, so you can be sure that Private Disk will continue to be a fast and solid tool, and it will never turn into a performance hog.

Here comes the changelog of the final version:

+ added XP-style and Vista-style icons
+ allows to run Private Disk software as a system service

+ added Disk Firewall Program integrity verification feature
+ allows to disable/enable Disk Firewall Program integrity verification

+ added Disk Firewall Traning Mode feature
+ allows to disable/enable Disk Firewall Traning Mode

+ compatibility with Windows Vista
+ compatibility with Windows Vista x64

+ the encryption password can be changed when the disk is mounted
+ allows to create a backup copy of a disk's encryption key automatically

+ optimized disk creation speeds when "fill disk with random data" is enabled
- fixed bug with occasional blue screen errors if Windows Defender is installed

- fixed bug with autorun.inf on USB-drives

Enjoy using the software!