Panos and the BitLocker example

[kristalsoldier]

Hi all...

I was watching (again) Panos' presentation of the Surface 2. There is a sequence where he talks about losing the Surface 2. At that point he hands over the Surface 2 (which he claims is/ was his personal device) to Mary Jo (ZD Net). He then says that it is impossible for anyone to break into his device and get his 3-year roadmap because his device is BitLocker enabled. He then picks up a second Surface 2 and shows how all this documents/ desktop/ apps etc. show up thanks to the SkyDrive integration.

My question is about that BitLocker part. What exactly did Panos mean? I understand that BitLocker is enabled by default in the Surface 2, but how exactly does Panos get the confidence that his documents are safe? When he hands the Surface to MJ, you can clearly see (or so I think) the tiled interface of Win 8.1, which means signing in (with Panos' MS account). At that point, all that is required is to open any Office App and take what you want. Where does BitLocker play any security role?

Obviously, I am missing something, which explains why I am posting this question.

Thanks in advance.

 

[jnjroach]

At 44:37 he logs out before he hands over to Mary Jo, and you can see at 45:17 it is at the login screen.

Now the main ask - Bitlocker

From the source -

"BitLocker Drive Encryption is a data protection feature of the operating system that was first made available in Windows Vista. Subsequent operating system releases have continued to improve the security offered by BitLocker protection to allow the operating system to provide BitLocker protection to more drives and devices. Having BitLocker integrated with the operating system addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. Manage-bde is the command-line tool that can also be used to perform tasks on the computer related to BitLocker. When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature. This feature is used to support hardware encrypted drives. On servers there is also an additional BitLocker feature that can be installed, BitLocker Network Unlock. Computers running Windows RT, Windows RT 8.1 or Windows 8.1 can be protected using Device Encryption, which is a customized version of BitLocker for

BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. In Windows 8 using an operating system volume password is another option to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM. In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented."

Basically if I attempt to mount a drive (SSD or HDD or Flash) that is encrypted with Bitlocker using disk recovery or forensics software (or another OS like Linux) the drive will appear blank to the disk scanning software, the only way for the bad guy to gain access is by either know/cracking you PIN or Password. This is why many IT Departments don't allow the use of PINs on Windows 8/RT machines enforced through Exchange Active Sync (EAS) Policies. Using Disk Cloning Software again it will fail as it can't read the bits on the disk.

When that fails, I might be tempted to add the drive back into the system or boot up the system, the TPM onboard will flip the failed integrity test and ask for the recovery key to be entered, until that key is entered the system is locked as it is stored in the TPM.

 

[kristalsoldier]

Thanks. I must have missed the part where he signs out.