WEBVTT

00:00.470 --> 00:06.960
Security+ covers all kinds of hardware and firmware security, and to lump it all together a

00:06.960 --> 00:07.770
little bit.

00:07.860 --> 00:13.860
I'm using this episode as my potpourri section to make sure that I'm covering a broad cross-section

00:13.860 --> 00:19.800
of objectives that definitely fit under the idea of hardware and firmware security, so bear with me as

00:19.800 --> 00:25.230
we bounce through a couple of small but important different types of topics, well, more than a couple

00:25.500 --> 00:25.840
anyway.

00:25.890 --> 00:33.450
Let's go ahead and get started with the concept of full disk encryption, or FDE. The best security you can

00:33.450 --> 00:39.840
do for mass storage is to encrypt your mass storage, and full disk encryption is one methodology that

00:39.840 --> 00:40.500
we use to do this.

00:40.490 --> 00:46.080
Now, typically when we talk about full disk encryption we're talking about using software- or firmware-

00:46.080 --> 00:48.390
based tools. In the Windows world,

00:48.480 --> 00:55.260
we use something called BitLocker. Now, BitLocker takes advantage of the concept of the Trusted Platform

00:55.260 --> 00:56.250
Module.

00:56.250 --> 01:01.290
This is something that's built into pretty much all modern motherboards, where you have a little chip

01:01.290 --> 01:04.610
on there that stores a unique key for that system.

01:04.860 --> 01:11.730
We're going to enable BitLocker on this system, and the nice part is that if this hard drive is ever

01:11.730 --> 01:16.400
separated from this motherboard there is no way that anybody is going to be able to get to the data.

01:16.410 --> 01:20.020
So let's go ahead and get started and fire up BitLocker on the system right here.

01:20.220 --> 01:23.340
So I'm just going to run over to the BitLocker configuration.

01:23.340 --> 01:24.660
There it is.

01:24.660 --> 01:26.760
Right now you can see that BitLocker is off.

01:26.760 --> 01:29.670
And let's go in and turn it on.

01:29.850 --> 01:32.700
This device can use a Trusted Platform Module.

01:32.700 --> 01:34.150
Wait a minute.

01:34.230 --> 01:40.950
All it's saying to me right now is that TPM has not been turned on, and this is a big problem with

01:40.950 --> 01:44.170
BitLocker and other full disk encryption tools.

01:44.220 --> 01:48.000
If the TPM isn't enabled and running, we're in trouble.

01:48.000 --> 01:53.390
So what we're going to have to do is jump into the BIOS real quick and turn on TPM.

01:53.620 --> 01:58.630
So now that we're in our BIOS, let's figure out where we have to go to turn on TPM.

01:58.630 --> 02:05.020
So on this one, just because I've done it before, it's right up here at the top: Intel Platform Trust Technology.

02:05.350 --> 02:08.770
That, whether they say it or not, is TPM.

02:08.770 --> 02:12.380
So let's go ahead and enable that.

02:12.440 --> 02:13.910
Now we're going to have to reboot.

02:13.910 --> 02:15.310
But this is ready to go.

02:15.620 --> 02:16.550
OK we're all rebooted.

02:16.550 --> 02:18.570
Let's try BitLocker one more time.

02:22.610 --> 02:27.760
Now this time, now that I have the TPM module turned on, it should kick right over.

02:27.940 --> 02:29.370
OK.

02:29.540 --> 02:30.200
All right.

02:30.230 --> 02:35.670
Now the first thing it's going to ask about is the recovery key. This can be really important.

02:35.930 --> 02:38.950
If by some chance the motherboard died,

02:38.960 --> 02:45.320
for example, I wouldn't have the key, the TPM module would be destroyed and the data would be lost, so

02:45.320 --> 02:48.510
you could actually make yourself a recovery key.

02:48.560 --> 02:50.140
You can store it in a Microsoft account.

02:50.150 --> 02:52.460
You can actually print it out on paper if you want.

02:52.460 --> 02:57.180
And it would only be used if the actual motherboard itself was destroyed in some way.

02:57.290 --> 02:59.480
Otherwise you're not going to get this data back.

02:59.480 --> 03:04.250
And by the way, when I say you're not going to get this data back, the United States Department of Justice,

03:04.250 --> 03:08.600
who I've done a lot of business with, is currently unable to crack BitLocker.

03:08.600 --> 03:11.250
It's a very very powerful encryption.

03:11.510 --> 03:16.430
Now what I'm going to do right now is I'm going to cancel this, simply because running BitLocker can

03:16.430 --> 03:23.150
take a very, very long time the first time, and we don't need to watch a progress bar move along.

03:23.150 --> 03:26.390
Now BitLocker is great and full disk encryption is amazing.

03:26.450 --> 03:29.780
But a lot of people want to make it even a little bit easier.

03:29.900 --> 03:32.390
And that's where we get into something like this.

03:32.480 --> 03:36.590
What I've got here is a hard drive which is self-encrypting.

03:36.620 --> 03:42.500
You actually buy the hard drive like this and it's ready to be completely self-encrypted; it's got all

03:42.500 --> 03:46.370
of the TPM-esque module built into the drive itself.

03:46.550 --> 03:53.510
When I plug this into a system, when I first boot it up, a little thing pops up and says, please give a

03:53.510 --> 03:55.220
password for this drive.

03:55.370 --> 04:01.130
Once that password is generated, every time this drive is accessed, or at least during boot, every time

04:01.130 --> 04:06.800
this drive is accessed you have to enter that password, and do not ever lose it, because if you do,

04:06.800 --> 04:10.970
my friends, you will literally never get that data back.

04:10.970 --> 04:16.550
However, it's incredibly convenient, and a lot of people, as opposed to using things like BitLocker, much

04:16.560 --> 04:19.090
prefer self encrypting drives.

04:19.310 --> 04:19.640
All right.

04:19.670 --> 04:20.750
Well that's it for drives.

04:20.750 --> 04:27.400
Now let's take a minute and talk about something called Secure Boot.

04:27.440 --> 04:30.290
People get pretty paranoid about their systems.

04:30.350 --> 04:36.980
If you think about the last 30-plus years of malware and evil things that have happened to systems, the

04:36.980 --> 04:44.420
idea of being able to protect your system with hardware and firmware is a very attractive option.

04:45.310 --> 04:52.660
TPM, which is great as a Trusted Platform Module, goes way beyond simply activating BitLocker. The current

04:52.660 --> 04:58.530
TPM standard, TPM 2.0, includes something called Secure Boot.

04:58.540 --> 05:06.100
The whole idea behind Secure Boot is that your operating system, your complete system, every time it boots,

05:06.430 --> 05:10.640
sort of checks the quality of everything that's in it.

05:10.690 --> 05:16.780
Any firmware, any applications, and everything, everything must be signed.

05:16.780 --> 05:17.840
Amazing huh.

05:18.070 --> 05:23.170
Now that does get a little bit Big Brother. For Linux users and people like that,

05:23.230 --> 05:29.080
the fact that they can't play with the boot sectors or anything without the system completely going

05:29.080 --> 05:31.440
nuts can be very, very frustrating.

05:31.480 --> 05:36.540
But within the Windows world, with Windows 10, you're required to use Secure Boot.

05:36.550 --> 05:39.500
It's part of the operating system now.

05:40.810 --> 05:45.610
Sometimes, though, even when we don't really like Big Brother, there can be a great example.

05:45.660 --> 05:51.470
Your car probably has an embedded operating system and probably has two or three.

05:51.480 --> 05:56.430
So just imagine that big navigation computer at the very front of your system. How would you like a bad

05:56.430 --> 05:59.250
guy putting something in there and causing trouble.

05:59.280 --> 06:00.540
Or your smartphone.

06:00.540 --> 06:04.880
How about some evil person injecting some malware into it.

06:04.890 --> 06:08.280
Those are places where suddenly I come to love Big Brother.

06:08.310 --> 06:15.570
I'm sorry, 1984, but the bottom line is that by doing stuff like this we create what's known as a hardware

06:15.570 --> 06:17.040
root of trust.

06:17.040 --> 06:23.850
We have a Big Brother, it could be Microsoft or somebody like that, or Intel, who has in essence a root

06:23.850 --> 06:30.360
certificate that everybody signs from. Anybody attempting to inject anything into these embedded systems

06:30.690 --> 06:33.170
will prevent the system from booting up.

06:33.270 --> 06:38.940
In most cases, depending on the operating system, it can literally go back to a snapshot automatically

06:38.940 --> 06:44.710
before anything was injected. And for things like cars and things like smartphones,

06:44.730 --> 06:51.960
it's really, really difficult to put malware onto them anymore because of a properly handled Secure Boot.

06:51.960 --> 06:55.500
More than that, it even forces a secure supply chain.

06:55.650 --> 07:03.440
If anybody wants to add anything to, for example, your Apple phone, they have to go through Apple

07:03.450 --> 07:04.560
and they have to be certified.

07:04.560 --> 07:10.410
They have to be placed into the Apple store in such a way that we can count on them for a high degree of

07:10.410 --> 07:11.460
security.

07:11.470 --> 07:14.680
So there's times where you can love secure boot.

07:14.690 --> 07:20.650
Probably not so much on desktops, but by golly, on embedded systems it's a really attractive option.

07:21.030 --> 07:26.630
All right, there's one more thing I'd like to add, and that is something that I'm not even sure why

07:26.630 --> 07:27.100
CompTIA

07:27.100 --> 07:27.890
put it in.

07:28.040 --> 07:30.590
It's not that it's unimportant, but it's kind of rare.

07:30.680 --> 07:33.700
It's called a hardware security module.

07:33.950 --> 07:39.890
In this world, with all these certificates and everybody signing everything, you can put a lot of

07:39.890 --> 07:46.640
workload on your system just checking certificates, checking digital signatures, going into the calculations to

07:46.640 --> 07:48.110
confirm somebody is good.

07:48.290 --> 07:55.010
So what we can do, and this is fairly easily done, is we can get a hardware security module. Hardware security

07:55.010 --> 08:01.400
modules are nothing but hardware whose only job is to calculate and check signing to make sure everything's

08:01.400 --> 08:01.730
OK.

08:01.730 --> 08:03.110
They can store keys.

08:03.200 --> 08:07.590
They can do whatever you need to within the world of signing to make sure everything's OK.

08:07.820 --> 08:10.010
We see this a lot, for example, with web servers.

08:10.010 --> 08:16.130
I've got a web server, and each one of these web servers is running HTTPS. As opposed to making the server

08:16.130 --> 08:16.970
work so hard.

08:17.030 --> 08:22.550
A lot of companies will just put a big HSM box in there that everybody plugs into, and it handles all

08:22.610 --> 08:24.000
the signing for it.

08:24.110 --> 08:26.670
Actually, I think I have a picture of this to show.

08:26.720 --> 08:28.060
OK so look at this.

08:28.070 --> 08:34.880
So this is actually a card that we can snap into a computer, and we call this an HSM card, and it handles

08:34.880 --> 08:36.140
it all for us.

08:36.140 --> 08:40.970
Now keep in mind that an HSM is really going to be used in places where there's a lot of signing going

08:40.970 --> 08:44.450
on. Your regular desktop, your regular Android smartphone,

08:44.450 --> 08:46.640
they can handle what they need internally.

08:46.640 --> 09:01.760
We're talking about server type situations where there's a lot of people coming onboard.
