VeraCrypt | Part 1/2

Imagine following day-to-day situation…
You are on a train on your way to work. Once the train arrives at your station, you leave the train. While the train leaves, you realize, that you left your bag at your place within the train.

These or similar situations happen every day and may have happened to one or the other of us.

With the loss of your bag there is loss in the form of material value and non-material value.

However, due to the ever-increasing integration of digital devices into the everyday life, it is very likely that there is another cause of damage:

The damage due to loss of data!

Your bag may contain your personal or business laptop, tablet, smartphone, USB stick or any other item with digital information. Each of these may contain sensible data. This can be vacation photos, chat histories, browser data, emails or documents or many more.

With the loss of your bag, these data can potentially be seen, or even misused by anyone. It is important to note that this is not necessarily a targeted attack against you as the owner of the bag. But a random finder of your personal bag might take a look at the stored data out of sheer interest. The impact of data access can range from minor disruption to the leak of confidential business data.

In recent years, there have been increasing reports of data loss in companies due to stolen or lost devices. Unfortunately, there are limited statistics available. However, no scientific research can be conducted. Nevertheless, this correlates with expectations, since the number of digital devices is rapidly increasing.

Since it is not hundred percent possible to conclusively prevent device loss, companies, as well as individuals, must address how to protect data in the event of a loss of devices. Specifically, this means that it must be ensured that data can only be accessed by the authorized individual, even if a potential attacker gains physical access to the device.

What can we do?
User passwords on computers or user PINs on smartphones are already widely used solutions for protecting data from access by unauthorized persons. This type of security measure ensures that when the device is switched on, a login must take place before access is granted to the stored data and the device’s functions. In this way, a user can protect himself from prying eyes if the device is unattended for a short time.

However, if an attacker has undisturbed physical access to a device, it is still possible to view or modify the data stored on such device. Technically, a user password or user PIN is a protective measure in which the installed operating system restricts access to the stored data. This measure can be circumvented by starting a different operating system or by removing and reading the hard drive on another computer.

It should be noted at this point that a user password or user PIN is by no means a superfluous security measure, but merely protects against a different attack scenario.

At first glance, booting another operating system may sound technically complex. In practice, it can be done by lay users within a very short time without any special tools. Appropriate instructions can be found easily after a short search on the Internet.

For the situation, described in this article, this means that it is very likely that a random finder, even without a technical background, tries to extract the information on that device.

Due to the small amount of effort involved, it is even quite realistic that this finder has no criminal intentions whatsoever but would like to look at the stored data out of pure interest or with the intention of finding out the owner of the device. But information found by chance could arouse other desires.

In the following articles, we will look at how you and companies can protect the data on mobile devices in the event of a device loss. We will look at the technical challenges and present methods and tools that can be used to protect your devices and data.


In the first part, we introduced which risks can arise for the data on mobile devices if the devices are lost or stolen. We found out that reading out data is generally not a problem for anyone, even if they have little IT knowledge. Mistakenly, it is often assumed that user passwords protect against this attack.

To understand this fact, we need to look at how the authorization system of an operating system works. Imagine an archive of documents. Since some documents are sensitive, each document has a label indicating who is allowed to read the document. As soon as a visitor wants to read a document, he contacts the archivist and presents his ID card to prove his identity. Once the archivist has checked the identity, he checks the label on the document to find out if the visitor is authorized to read the document and in case of eligibility, he hands over the document.

The situation is comparable to the situation with computers: in addition to the actual data, each file and folder also contains an attribute that specifies which user is allowed to open the file or folder. To identify a physical person as a specific user, a user password is used, which only the owner knows. Once a user is logged in, he can now access the file or folder. Based on the attribute specifying the allowed user access, the operation is continued or denied.

If we look back at our analogy with the archive, we see that security is entirely dependent on the archivist. This person must be trustworthy and must adhere to the specifications of the label. The documents themselves are not physically protected, for example by being locked away.

And this is exactly the problem with user passwords. They are just there to allow the operating system to associate a physical person with a digital user. The security of the files now depends on whether the operating system allows access or not. The password itself does not protect a file but only the identity of a digital user!

But what happens if we bypass the archivist in our example by walking past him in an unnoticed moment? Well, we simply take the documents out of the rack and ignore the labels. And this is exactly what we can do in the technical field as well. We do not have to query the data from the installed operating system if we bypass the operating system. So, similar to the stickers, the attributes can simply be ignored, and the data can be viewed.

To achieve this, it is sufficient either to plug the hard disk into any other computer or to start another operating system on the computer, which is stored on a USB drive, for example. Back to our original scenario: if you lose a mobile device or if it is stolen, a third person has just to use one of these two possibilities to gain access to the stored data in a few minutes if only a user password is used.

So how do you protect yourself from this? In our analogy, the answer is simple: the archivist must lock the documents and no one else may have a key. So even if we achieved to bypass the archivist, we would stand in front of a locked door protecting the secret documents. This way, the archivist could make sure that we only receive the documents that we are allowed to see.

And that’s exactly the solution in the digital domain: we have to lock the files away when the operating system is not started. This way, the access control can no longer be bypassed if third parties want to gain access to the stored data.

In the technical realm, “locking away” is implemented through encryption. Data is not simply stored on the hard disk but is modified beforehand by mathematical methods in such way that a key is required to restore the original state. Since this key is only passed to the installed operating system when it is started, it is not possible to read the actual data via another computer or operating system. This protects us from third parties being able to read the stored data.

So, a user password only helps to connect a physical person with a digital user, but it does not protect the data itself. To protect ourselves from data access by third parties, it is necessary that we encrypt our data and only pass the key for decryption to the operating system at startup. This ensures that the operating system’s own authorization management can take effect.

In the next articles in this series, we’ll put this theory into practice. We will take a look at which programs can realize this encryption. We will also look at the advantages and disadvantages of the programs and what effects the use of encryption technology has on the user experience.

The next part will be released on September 22, 2022!

Business and IT: Like Cain and Abel?

Appropriate IT solutions are crucial for the success and security of a company. But how is it that often the IT department is the scapegoat of companies? Almost every department is concerned with strategic planning, long-term goals, measures that are coordinated with each other, and of all things, IT seems to be going haywire. Quick solutions are needed, driven by digititalization pressure triggered by the pandemic, which is giving departments a good run for their money.

“Our IT is not getting off the ground!” or “The IT solutions don’t fit at all” – these or similar statements are often made by friendly colleagues from other departments. From the business perspective, in-house IT is often too slow, does not implement new requirements and presents a patchwork of solutions. IT, on the other hand, sees itself as the driven one, little supported and taken seriously, and in times of pandemic and war, even more pressured and constantly forced to move. Added to this is the budget pressure. Where does this discrepancy in perception come from? Historically, the answer is. This attitude comes from a time when IT was merely a technical service provider for the employees, and this attitude should be urgently revised so that there is better cooperation for the sake of the company’s success.

This is because the company’s own IT represents the link between business and technology within the company. It is therefore an essential component in the development of corporate strategies and business areas based on new technologies and thus also has an increasingly strong influence on value creation. Improving communication and understanding between business and IT is fundamental and indispensable for successful business models that are adapted to the needs of the market.

New thinking for IT
Old thought patterns must be abandoned in order to embark on a sustainable and strategic development in the right direction,. Start-ups with digital business models, whose approaches can be applied to the ways existing companies function, can serve as a model for this. Startups view IT as a driver whose performance is not measured in terms of saved costs, but rather in terms of the innovative power it delivers. The thought-provoking impulses provided by this IT are highly relevant to the core activities of the company, agile in conception and focused on business-oriented implementability. Away from being a pure service provider and computer nerd to a respected department that does not generate costs, but helps to run a successful and progressive business.

Digital transformation requires a solid cyber security

During and after my studies of business administration I worked in different areas and companies. Most recently, almost 5 years in the corporate development/strategy of a semiconductor company with a big focus on automotive applications. During my master’s studies, I mainly focused on entrepreneurship, innovation management and digital topics. That’s why I wrote my master thesis about digital business models. Since August this year I’m working as a consultant in the areas of cyber security and digital transformation and to be honest I’ve more questions than answers after the first weeks.

What is KRITIS and who does it affect? 

In Germany, special regulations apply to operators of critical infrastructures under the Federal Office for Information Security / Bundesamt für Sicherheit in der Informationstechnik (BSI) Act. But who counts as an operator and when are infrastructures classified as critical?

The case for flat networks

Flat is trendy.  Flat rates, flat hierarchies, flat iron steaks and even a flat earth, but a flat network?  That is a real no-go nowadays and already for a long time.  Anyone in the business of enterprise network design knows by that a flat network design is just begging for trouble at many levels and layers.