Protecting a Laptop From Sophisticated Attacks
mike_cardwell sends in a detailed writeup of how he went about protecting an Ubuntu laptop from attacks of varying levels of sophistication, covering disk encryption, defense against cold boot attacks, and even simple smash-and-grabs. (He also acknowledges that no defense is perfect, and the xkcd password extraction tool would still work.) Quoting:
"An attacker with access to the online machine could simply hard reboot the machine from a USB stick or CD containing msramdmp to grab a copy of the RAM. You could password protect the BIOS and disable booting from anything other than the hard drive, but that still doesn't protect you. An attacker could cool the RAM, remove it from the running machine, place it in a second machine and boot from that instead. The first defense I used against this attack is procedure based. I shut down the machine when it's not in use. My old Macbook was hardly ever shut down, and lived in suspend to RAM mode when not in use. The second defense I used is far more interesting. I use something called TRESOR. TRESOR is an implementation of AES as a cipher kernel module which stores the keys in the CPU debug registers, and which handles all of the crypto operations directly on the CPU, in a way which prevents the key from ever entering RAM. The laptop I purchased works perfectly with TRESOR as it contains a Core i5 processor which has the AES-NI instruction set."
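The cold-boot argument in the quoted passage rests on one fact worth seeing in code: a software AES implementation keeps not just the 16-byte key in RAM but its 176-byte expanded key schedule, and that schedule has enough internal structure that a memory image can be scanned for it even after some bits have decayed, which is exactly why TRESOR keeps it in registers instead. The following is an added example written for this page, not code from Mike Cardwell's writeup, from TRESOR or from msramdmp. It expands an AES-128 key per FIPS-197 and then scans a constructed, in-memory stand-in for a RAM dump for any position where the bytes are consistent with a key schedule, tolerating a configurable number of decayed bytes. The memory image, the filler generator and the "decayed byte" positions are all assumptions made for the demonstration.

```python
"""Scan a memory image for expanded AES-128 key schedules.

Added example, not from the original article or from TRESOR. It implements the
classic cold-boot key recovery idea (Halderman et al., "Lest We Remember"): a
software AES key in RAM normally sits beside its 176-byte expanded key schedule,
and the schedule's structure makes it findable by brute scanning even after
some bits have decayed. The memory image below is constructed, not a real dump.
"""
import hashlib


def _gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def _build_sbox() -> list:
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        for y in range(1, 256):
            if _gmul(x, y) == 1:
                inv[x] = y
                break
    sbox = []
    for x in range(256):
        v = inv[x]
        s = v
        for shift in range(1, 5):
            s ^= ((v << shift) | (v >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
SCHEDULE_LEN = 176  # 11 round keys of 16 bytes for AES-128


def _next_round_key(prev: bytes, rcon: int) -> bytes:
    """Derive round key i from round key i-1 (FIPS-197 section 5.2 recurrence)."""
    w = [list(prev[j:j + 4]) for j in range(0, 16, 4)]
    t = w[3][1:] + w[3][:1]          # RotWord
    t = [SBOX[b] for b in t]         # SubWord
    t[0] ^= rcon                     # Rcon
    out = []
    for j in range(4):
        t = [a ^ b for a, b in zip(w[j], t)]
        out += t
    return bytes(out)


def expand_key(key: bytes) -> bytes:
    """AES-128 key expansion: 16-byte key -> 176-byte key schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    sched = bytearray(key)
    rcon = 0x01
    for _ in range(10):
        sched += _next_round_key(sched[-16:], rcon)
        rcon = _gmul(rcon, 2)        # next round constant: 01, 02, 04, ... 36
    return bytes(sched)


def find_aes128_key_schedules(image: bytes, max_errors: int = 0) -> list:
    """Return (offset, key) for every position whose 176 bytes look like a schedule.

    The 16 bytes at each offset are taken as a candidate key, expanded, and
    compared with the following 160 bytes. Up to max_errors mismatching bytes
    are tolerated to model DRAM decay after power loss; decay inside the first
    16 bytes (the key itself) is not corrected by this simplified scanner.
    """
    hits = []
    for off in range(0, len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        # Cheap pre-check: does round key 1 follow from the candidate?
        first = _next_round_key(cand, 0x01)
        if sum(x != y for x, y in zip(first, image[off + 16:off + 32])) > max_errors:
            continue
        sched = expand_key(cand)
        errors = sum(x != y for x, y in zip(sched[16:], image[off + 16:off + SCHEDULE_LEN]))
        if errors <= max_errors:
            hits.append((off, cand))
    return hits


def _filler(n: int, seed: bytes) -> bytes:
    """Deterministic pseudo-random bytes standing in for unrelated RAM contents."""
    out = bytearray()
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


def build_sample_image(key: bytes, decayed_bytes=()) -> bytes:
    """Constructed 'RAM dump': filler, one key schedule (optionally with some
    bytes flipped to imitate decay), more filler. Assumption for the demo only."""
    sched = bytearray(expand_key(key))
    for i in decayed_bytes:
        sched[i] ^= 0xFF
    return _filler(1024, b"before") + bytes(sched) + _filler(1024, b"after")
```

Run against a real dump the scan would be the same loop over a far larger buffer; the point of the example is that the key's presence in RAM is detectable from structure alone, without knowing anything about the software that put it there, and that a few decayed bytes do not hide it. A design that keeps the key and schedule in debug registers, as the quoted TRESOR description says, leaves this scanner nothing to find.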
The real enemy, which is the alien space zebra vampires that are out to suck your blood.
Seriously, this much effort is excessive considering the value of what anybody in a normal situation should have on their laptop. If you have a genuine need for this, you should be on the level of the person carrying the Football, and as such, you would be better investing in the Secret Service equivalent.
I must be new here, I thought it was traditional to at least RTFS, if not RTFA.
Power it down, encase it in concrete, and toss it overboard into the Mariana trench.
Oh, ha! No, I'm just a really bad skimmer today...
Gee, I wonder how that link got planted into your mind...
INCEPTION
What time is it/will be over there? Check with my iPhone app!
I agree that it's just too much hassle to go through to secure a standard laptop. It's still an interesting experiment and it neatly lays out the attack vectors and potential counters.
I'm so sick of that comic; with deniable encryption implementations like those found in TrueCrypt you can be quite effective against such an attacker.
Yes.
TFA's a fine intellectual exercise, but as explicitly pointed out, the willingness to commit kidnapping and inflict torture rather pathetically trumps all of that.
Interesting. Not completely practical, but interesting.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Did you not notice the reply right above yours?
you must value your pron a whole lot more than i do.
An attacker could cool the RAM, remove it from the running machine, place it in a second machine and boot from that instead.
Is this the whole "freeze electrons in place" nonsense? I'd love to see a real world example of this actually working.
Sounds like the whole "well if you don't wipe your drive with zeros a hundred times a guy with a tunneling electron microscope could count the off spin of the variant quarks... blah blah", i.e. theoretically possible with infinite funding, but not feasible in real life and only happens in movies.
You and your fancy registers, I use a specially trained hamster to push buttons depending on the bits it sees on an LED board. And the hamster only taps the buttons in the correct way if fed the correct combination of grains!
Although I am having my suspicions that the little bugger is selling information to the north korean hamsters...
Just because of the utter fail.
Unless they know what they want and don't find it in your primary encrypted drive, in which case they'll continue to beat you. What, you don't think they also know about plausibly deniable encryption?
Tinfoil hat anyone???
Willingness to kidnap and commit torture is not trumped if you're dealing with law enforcement. If they've gotten to the point where their only remaining option is beating the information out of you, then you've won, assuming our legal system has any remaining value. Evidence that flows from that beating isn't going to be admissible in court. And why would an ordinary citizen want to hide information from law enforcement? Malum prohibitum.
The frozen RAM trick is a neat concept and all but, let's get real for a moment. How real is the risk? Have you got anything that anyone wants that badly? If you do, is it really worth that much to you to prevent such a desperado from gaining access?
I've got highly sensitive bank (I work there) data on my laptop. It's very important that I prevent the leakage of that data. So much so that I spent an extra $100 to use a hardware encrypted disk (FDE). The baddies would have to grab it while it's running and unlocked or they've got to freeze the memory etcetera. But those are highly unlikely scenarios and they are simply not worth defending against.
Laptops go missing every day, even in my own company. But it's usually lost or stolen at an airport or train station, powered off, in its bag and unusable (at least the existing data is) to the person who finds it because of hardware encrypted FDE disks.
All further paranoia is futile. And, for those that say 'well, I don't have a hardware encrypted disk': if you're so worried about this stuff and your data isn't worth $100 to protect it with a hardware encrypted disk, then STFU.
Unless they know what they want and don't find it in your primary encrypted drive, in which case they'll continue to beat you. What, you don't think they also know about plausibly deniable encryption?
With pretty much every nation either already being a police state or quickly becoming one, I don't see any scenario in which they would actually avoid the sadistic pleasure of beating on a suspect, whether or not they really think they could get what they want.
That's just a problem of data rather than the mechanism; the whole point of deniable encryption is they can't prove it exists, and from that point you have to use that to your advantage. Also, in most scenarios involving an attacker like that it's more likely going to be law enforcement using court orders to compel you to hand over keys, and in a scenario against law enforcement deniable encryption definitely starts to have real world practicality. These days, I think it's more likely that someone is going to be attacked with a criminal or civil court order rather than a wrench when it comes to seizing data.
I would imagine that would take a combination of your bluffing skills and the strength of your hoax. Say you have a laptop with 500,000 SSNs on it; you mirror the fake to be exactly like the real one, except then you have it randomize all of the SSNs. Now of course you then need to get the heck out of town as soon as they can confirm that you have tricked them.
I'd imagine a better honeypot. Just install MoviX with preinstalled Cursed Tape from The Ring. Now, if they steal your laptop, Samara gets them in exactly SEVEN DAYS
Bears.
An attacker could cool the RAM, remove it from the running machine, place it in a second machine and boot from that instead.
This is the biggest bunch of bullshit I've ever read. This guy needs slapped.
There's caring about the safety and security of your data, then there's being obsessed about the safety and security of your data, and way over the horizon is this guy.
this much effort is excessive
Oh let the guy fantasize that he's Johnny Mnemonic or whatever. It's preferable to playing with guns and pretending he's The Terminator
its like putting your life savings in your wallet.
Fairly easy to detect, if you have access to the target machine multiple times.
Take bit-level snapshot of hard drive on first visit.
On subsequent visits, take bit-level snapshots and compare them. If the "random" data changes between snapshots, then something is touching it and your plausibility goes out the window.
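The detection procedure in the post above (snapshot the disk bit-for-bit on each visit, then look for "random" free space that changes between visits) is simple enough to show end to end. The following is an added example written for this page, not code from the poster, from TrueCrypt or from the original article. It hashes two full-disk images sector by sector, lists the sectors that changed, and then keeps only the changes that fall outside the ranges the visible filesystem admits to using, since that is the space that is supposed to be inert filler. The two images, the 512-byte sector size and the allocated-range list are constructed assumptions for the demonstration; on a real disk the allocated ranges would come from the partition table and the outer filesystem's block bitmap.

```python
"""Detect writes to supposedly unused disk space across bit-level snapshots.

Added example, not from the original post or from TrueCrypt. Two full-disk
images taken on different visits are hashed per sector; sectors that changed
and that lie outside the visible filesystem's allocated ranges are reported.
Both images below are constructed in-memory stand-ins for real snapshots.
"""
import hashlib

SECTOR = 512


def sector_hashes(image: bytes, sector: int = SECTOR) -> list:
    """One SHA-256 digest per sector (a trailing partial sector is included)."""
    return [hashlib.sha256(image[i:i + sector]).digest()
            for i in range(0, len(image), sector)]


def changed_sectors(before: bytes, after: bytes, sector: int = SECTOR) -> list:
    """Indices of sectors whose content differs between the two snapshots."""
    if len(before) != len(after):
        raise ValueError("snapshots of the same disk must be the same size")
    a, b = sector_hashes(before, sector), sector_hashes(after, sector)
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def suspicious_changes(changed: list, allocated: list) -> list:
    """Keep only changed sectors that no allocated range accounts for.

    allocated: list of (first_sector, last_sector_exclusive) ranges that the
    visible filesystem claims (assumption: taken from the partition table and
    block bitmap). Random filler outside those ranges has no reason to change.
    """
    def is_allocated(i: int) -> bool:
        return any(lo <= i < hi for lo, hi in allocated)
    return [i for i in changed if not is_allocated(i)]


def _filler(n: int, seed: bytes) -> bytes:
    """Deterministic pseudo-random bytes standing in for encrypted content."""
    out = bytearray()
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])


def build_sample_snapshots() -> tuple:
    """Constructed 16-sector images: visit one, and visit two after the owner
    edited a visible file in sector 3 and wrote to a hidden volume occupying
    sectors 7 and 12. Assumption for the demo only."""
    first = bytearray(_filler(16 * SECTOR, b"disk"))
    second = bytearray(first)
    for s in (3, 7, 12):
        second[s * SECTOR:(s + 1) * SECTOR] = _filler(SECTOR, b"visit2-%d" % s)
    return bytes(first), bytes(second)


# Constructed: the outer filesystem claims only sectors 0-5 as in use.
VISIBLE_FS = [(0, 6)]


def run() -> list:
    """Sectors that changed between visits but belong to no visible filesystem range."""
    before, after = build_sample_snapshots()
    return suspicious_changes(changed_sectors(before, after), VISIBLE_FS)
```

Sector 3 changing is unremarkable because the visible filesystem owns it; sectors 7 and 12 changing is the giveaway, since nothing the disk admits to should be writing there. Replies further down make the practitioner's caveat: the check only works if the attacker gets repeated access and if the hidden data actually changes between visits.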
Axiom 1: The cost of security must never exceed the value of the asset. Just saying.
Only if you're a Packers or Lions fan.
Yes.
TFA's a fine intellectual exercise, but as explicitly pointed out, the willingness to commit kidnapping and inflict torture rather pathetically trumps all of that.
Interesting. Not completely practical, but interesting.
Well, it depends on how you define practical - and what kind of situation you're in.
I mean, if it were my laptop? Sure, probably not worth this kind of security. Someone could get credit card numbers, site passwords perhaps, and possibly enough personal information to do some identity theft scheme... Damaging stuff, potentially, but probably not worth their while to extract the data, or worth my while to protect it.
But let's say it contained some sensitive, valuable information from my job - so that stealing my laptop could be a worthwhile target for corporate espionage. Then it might be worth protecting it a little more carefully...
Another thing to consider is that, while the XKCD password cracking algorithm does trump most forms of security, that's only true if someone is actually willing to use it. I could see kidnapping and torture as a real possibility if you were dealing with organized crime or an intelligence agency... Otherwise, the escalation of the crime (from simple theft of a moderately expensive piece of hardware to various forms of felony) would deter most people from attempting it.
If someone has reason to believe it's worth stealing my laptop for the information on it, simply stealing a laptop would be pretty easy. Nick it when I'm at a hotel or something - talk their way past the cleaning staff to get into the room, game over. If a laptop is stolen, police aren't going to care. The machine is simply gone. As long as the initial theft goes off without a hitch, it's a pretty safe crime, especially if they don't try to sell the machine after stealing it.
There's bound to be some level at which information is worth enough to be worth stealing a laptop, but not worth kidnapping and torturing someone for a password... So locking down the machine from those kinds of attacks isn't totally impractical. It just depends on what's on the machine.
No, robots. They steal old people's medicine.
TRESOR is an implementation of AES as a cipher kernel module which stores the keys in the CPU debug registers, and which handles all of the crypto operations directly on the CPU, in a way which prevents the key from ever entering RAM.
Awesome, it stores the keys in the CPU debug registers when in use. The data to recreate them still has to flow into the CPU from RAM, so all you're taking out is the path between RAM and the CPU for an intermediate step. So all you get is a speed boost, no security gain since the attacker already knows the algorithm you're using and all the data you provided to the CPU. The speed boost is nice if it's being used all over the place (like for an encrypted FS) but otherwise it's not that big of a deal and it's certainly not new.
As for the rest, cryptfs or bitlocker with your screensaver/lock setup to throw out your keys when the screen blanks/suspends/whatever.
So basically Win7 with BitLocker enabled or whatever alternative setup results in the same thing on Linux. It's not even a little hard, and you've already got well past the point where they'll just beat the password out of you.
If you did it to learn, good for you. If you did it for some sort of practical value, then this really is one place where epic fail applies.
I once worked with an embedded device that demonstrates that nicely. This device didn't clear its display frame buffer on boot. You could power it down, then turn it back on and even several days later and the initial image on the display was recognizable (there was obvious corruption, but you could certainly tell what had been there before).
In general, when law enforcement has an instance where someone won't give up a password, they just put you in jail anyway, effectively that is just as good as finding you guilty, either way, you end up in jail. You lose.
An attacker could cool the RAM, remove it from the running machine, place it in a second machine and boot from that instead
Half of my netbook's memory isn't removable and if the author is actually worried about this kind of thing he can get a similar model and bite the bullet on performance by operating it with only the internal ram. I doubt the residual charge would last through unsoldering the chips and attaching them to a board to be put in another machine.
... as the root keys never leave the chip. But hey, trusted computing is eevil right?
Let me put my tinfoil hat on for a moment... Beatings aren't necessary, the US gov't can simply use the NSAKEY to decrypt anything encrypted using Microsoft libraries, this was revealed back in NT4 and again when Win2k SP2 source code was leaked. This is to make their encryption methods export compliant. This is the only legit news article I could dig up on it right now, but if you look around, I'm sure you'll find more. Pretty sure I read somewhere that there's another "unknown" key out there that they think is for the UK gov't to use as well; actually that might be what was revealed in the SP2 source code leak.
If the AES keys never touch the RAM, then whatever is on the RAM is useless to anyone who does not have the keys.
In general, when law enforcement has an instance where someone won't give up a password, they just put you in jail anyway, effectively that is just as good as finding you guilty, either way, you end up in jail. You lose.
If they're set on it, there's nothing you can say that will change an officer's mind about putting you in jail once they've decided they're going to. Give them all the passwords you want. Refuse them. It doesn't really matter.
Incidentally, whenever you ask a lawyer if they've ever had a case helped by the client opening his mouth to police investigators, they just start laughing. Opening your mouth, even about a password, even if you're TRYING to help, cannot possibly help you.
What does he have on his laptop that's so gd important that he has to go through this much hassle to secure it....kiddie porn?
If your laptop is valuable enough that someone would go through the effort of chilling the RAM and booting the machine, you should probably not be laying your laptop out on the table at Starbucks. In fact, if your laptop is that valuable, you've done something incredibly stupid in your systems design.
Encrypt the data (either individual files, your homedir, or the whole drive), and don't use a really stupid password. If that's not good enough for your data, then your data belongs on a system which is not portable and which has actual physical security applied.
What has happened in the past (and was reported on in the news a few weeks ago), is that a judge orders you to divulge the password(s) and if you refuse he sentences you to contempt of court and keeps you in jail/prison until you do reveal the passwords.
I must be new here, I thought it was traditional to at least RTFS, if not RTFA.
You're not the new one.... someone needs to tell Soulskill the obligatory XKCD belongs in the comments not the summary.
Jeez, taco's gone for one day and posters start slacking.
You're assuming the data changes often if at all.
You are thinking of firewire.
To jail you they will have to charge you with something, typically contempt of court or obstruction. Neither of these is a felony where I live and the prison terms are modest. Meaning that once released you'd still be young, able to vote, carry a firearm and get a job. Plus by standing up for your privacy you might help change the society we live in.
Weird... I'm watching Inception right now, while reading this post.
...at least that's what I _think_ is going on....
Did you not notice the reply right above yours?
No, I didn't. Because as of when I loaded the story, it did not exist. Notice that there is only a 2 minute difference between their post and mine.
In the US at least, contempt of court has a prison term of 'until you comply with the court order.'
Still untested for all practical purposes, but...
The fifth amendment here in the US *should* protect you from being compelled to give up passwords that are not written down, including punishment via contempt of court.
Really?
Where was this?
Federal judges can jail you forever. Terms vary in state courts.
That's still being debated. It depends on the circumstances. It's a new thing for the courts to deal with, and we can all see where this is going.
What has happened in the past (and was reported on in the news a few weeks ago), is that a judge orders you to divulge the password(s) and if you refuse he sentences you to contempt of court and keeps you in jail/prison until you do reveal the passwords.
...
[citation needed]
Failing that you take the Screwed less test:
Will disclosing the key screw me more or less than keeping it secret?
If the answer is less, well, give up the key.
If it is more give up the key with a typo or two.
(Ollie North style)
"I'm sorry sir I don't recall"
Impossible in my jurisdiction.
Let me put my tinfoil hat on for a moment... Beatings aren't necessary, the US gov't can simply use the NSAKEY to decrypt anything encrypted using Microsoft libraries...
This story is about an Ubuntu laptop. I doubt any Microsoft libraries were used.
It is a neat experiment.
Unfortunately, some people need to have a laptop and move around in the field. I am not talking about executives either. So this is hardly worthless.
Regardless of what he said, I am reminded about the security principle of "Once the equipment is out of your possession, there is no security".
To make sure we have always been secure, we don't store sensitive data on the laptops themselves, but remote in and do work on different machines. Windows Server 2008 remote desktop sessions are nice when you need that platform and then have consistent tools and versions for multiple people.
If we ever lose a laptop, which has happened, there is somebody available 24/7 to change the security credentials to prevent access. Add some low level BIOS services to render the machine useless, report its position, take a picture, and destroy the OS is also nice to have.
We have never been under the impression though that you can truly secure hardware when it is out of your possession, which is why they are primarily used as thin clients to do work elsewhere.
For some people that might not work, and need to work locally, but for what we do work ain't happening without an Internet connection anyways.
Isn't there that feature in TrueCrypt which will overwrite the encrypted data unless you tell it not to by checking the box and entering the password? In this case I guess it's a matter of how much you want to keep the data compared to how much you want to keep it secret.
Unless there's a plausible reason for the data to change. For example, if I keep taking shots of a lava lamp every 1 second and hide the data in the images, it is perfectly reasonable to expect the data from my lava lamp pictures to be different the next time they look at it.
Oh, wait now - let's not take our tinfoil hats off too quickly! You don't think that Canonical took a bribe from the US government to use Microsoft libraries on their machine do you? Hey, they might be disguised with a new name or something!
Thanks for your post though - when I read GP post, I was sort of scratching my head. "Didn't I read Ubuntu in the summary?" My brain works slow when I wake up, but it does work, LOL
"how much you want to keep the data compared to how much you want to keep it secret."
Exactly. When the data becomes a liability, then you wipe it.
Isn't there a truecrypt feature that allows you to have 2 passwords, each one showing a different partition. This allows you plausible deniability. Just hand over the dummy password and they can see the stuff you want them to see.
(I know I'll get flamed for targeting all the Comment owners) But here's what I think. You guys are sad for all saying the same thing almost (This is insane, this isn't needed, he's playing with guns..etc)...
Well, what you guys are saying is exactly in the lines of "640K ought to be enough for everybody". There was no RSA before RSA came... There was no Captcha (and then the bots made you have Captcha)... and so on.
Making your laptop more secure is good. It's advisable. However much you can make it secure, the better. Because, sooner than later, you'll realize the "freaky" attacks that he'd described will be common-place script-kiddie stuff and then, you'll be scavenging for his post so you can apply the rules!!!
He's done an excellent job in explaining how to do things (I loved the part on running your firefox as a different user and one of the comments on the main article, points out a flaw and gives a better way... I'm going to implement it soon)
Look at the sophisticated attacks by Anonymous and Lul(whatever)... Those "sophisticated" attacks will be commonplace in a year or 2... And qubes is a great alternative as well... Security by Isolation is a good example.
Anyway, why I say the crowd at /. is losing edge is because you all have failed to SEE THE AWESOME NERDINESS of the post! Where's your .. love for nerd-shit!
I mean, since when have all of you become so oh "practical" and "live real bro".. I bet all of you were checking your facebook without http while posting your silly comments!
We need an overhaul of real geek nerd crowd here to talk real stuff!!! And I hope most of you were through a Linux / BSD Distribution while commenting and not... cheekily using the pre-installed Windows 7 and just posting Love for Linux when you don't know how to run 3 commands through it.
Step up. Just because Rob quit don't mean the good guys go away! (I don't have a /. id, so if you want to personally flame me... omar dot technologies at gmail dot com
Isn't there a truecrypt feature that allows you to have 2 passwords, each one showing a different partition. This allows you plausible deniability. Just hand over the dummy password and they can see the stuff you want them to see.
And if you don't have a second one, they'll assume you do anyway, and torture you until you give up the 'other' password.
Since I recently set up BitLocker on a Windows 7 laptop (requires Ultimate or Enterprise which are not cheap) - if you have a TPM chip it's convenient to use in the default setup with keys held in the TPM, but if the laptop is stolen it doesn't stop anyone booting it and trying passwords, though it does stop them booting from CD/USB drive to read the disk, or putting the disk in another PC.
TrueCrypt and commercial Windows tools such as PointSec require a separate disk decryption password every time you boot, which I think is more secure.
"Man, i can't boot anymore, that sucks!"
"How come?"
"A fish ate my USB disk"
Another thing to consider is that, while the XKCD password cracking algorithm does trump most forms of security, that's only true if someone is actually willing to use it. I could see kidnapping and torture as a real possibility if you were dealing with organized crime or an intelligence agency... Otherwise, the escalation of the crime (from simple theft of a moderately expensive piece of hardware to various forms of felony) would deter most people from attempting it.
Not only that, but one also has to consider that most attempts to steal information from, say, a laptop probably have as a requirement that it is done in stealth, which means that they cannot go the XKCD route. Much information gathered would be worthless if the victim knew that it had been stolen.
Okay, I learned about TRESOR, that's cool. Also, running firefox as a different user is an old trick I've been using for a long time.
However, I live by a basic rule that's served me well. Laptops are fundamentally weak places to keep data.
Just write some dumbass crypto program that does something no other crypto program is doing. Put some backdoors in the source code but obfuscate them properly. Mike Cardwell will try out the program....mission accomplished.
Hey, wait, this is not fair! Now WE don't have anything to post anymore.
That's why fixing this bug will help more for plausible deniability than Truecrypt's "feature": https://bugs.launchpad.net/ubuntu/+bug/148440
When "everyone" has an encrypted partition/file whether they use it or not, it's much easier to deny using it.
This is the case in the US. It isn't hard for a lot of charges to be piled on someone, and with the job of judges hinging on the campaign contributions from private prisons, they have to give the max sentences, or they will be replaced by judges who will.
Telling someone that they, or one of their family members (hint: it is damn easy for marijuana to wind up in the strangest of places, or that a death threat "mysteriously" will appear) will be facing life in the joint, and almost anyone will spill the beans.
Don't get yourself in the situation where you have to defend yourself from people that want your info that badly. Disk encryption is fine, sure it drains battery. But i'd say 99% of people that get your laptop from there will give up. If you have to worry about the other 1% your life is pretty whacked. Or you are in the military and they have standards you should be following.
Has a profile in its tests for "SSLF Laptop", which really might be of assist here to others in that capacity - it has other test profiles, but the "SSLF" ones ARE the MAIN ONES to use (they push the security settings to the max/limit is why: Why else do securing a system unless you do that after all... imo, @ least!)
This test not only extends to Windows, but also Linux (and many other OS platforms as well), & is VERY comprehensive - based on "best practices" from the security realm! It was also highly acclaimed in COMPUTERWORLD here:
http://www.computerworld.com/s/article/9018362/CIS_tool_aims_to_help_federal_agencies_check_Windows_security_settings
* For those of you interested in acquiring a test license/evaluation (good for 33 days iirc)? Go here:
http://benchmarks.cisecurity.org/en-us/?route=default
(It's "The GOOD STUFF"...)
P.S.=> In fact? Well - I just finished up doing it on my home system (91% score of 100, & would be 98% IF I didn't disagree with a couple settings they espouse, whereas I do not (I will be discussing it with them via email shortly/soon this week in fact)), since the folks @ CIS know I've been "championing it" since late 2007, here:
http://www.google.com/#sclient=psy&hl=en&site=&source=hp&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&pbx=1&oq=%22HOW+TO+SECURE+Windows+2000%2FXP%22&aq=f&aqi=&aql=1&gs_sm=e&gs_upl=3242l10817l0l11038l35l28l1l0l0l0l373l5510l0.6.15.3l24l0&bav=on.2,or.r_gc.r_pw.&fp=87cd2c56f2a7d925&biw=983&bih=646
And gave me a license recently (very cool of them, imo!)
I did it for my home system, a Windows 7 64-bit based one, using the SSLF Desktop profile (been using this tool for YEARS now, since 2007 or so, because it makes securing a system @ the software/OS level almost "fun-to-do" - like running a performance benchmark test program, albeit for SECURITY PURPOSES!)...
isn't this, what we have apparmor for?
The real enemy, which is the alien space zebra vampires that are out to suck your blood.
Seriously, this much effort is excessive considering the value of what anybody in a normal situation should have on their laptop. If you have a genuine need for this, you should be on the level of the person carrying the Football, and as such, you would be better investing in the Secret Service equivalent.
I think the education of the author and indirectly those who read the post goes far beyond the value of protecting that particular laptop. I don't have the patience to spend as much time as he did researching and experimenting, but now I can benefit from his work by implementing some of the same protections. The logical extension of this project would be to produce an install disk making it possible for anyone to have the same level of security on her laptop with only slightly more effort than a standard Ubuntu install. The benefit of that would easily outweigh the time spent on the prototype. Such an Ubuntu (or other distribution) installer could be created by the author, since he's already done some work in that direction, or anyone else who reads the post.
One thing that I really like about his technique is the practical application of the honeypot. It would be great for crossing the border back into the U.S.
Customs Agent: Please open and log on to your laptop.
Honeypot Owner: Yessir! (logs on to functional Win 7 partition while his private stuff is nicely hidden away)
The problem for me is that an 8 gig partition is not viable.
USB and Firewire Ports, meet Mister Hot Glue Gun. Mister Hot, the heat is on, do your thing, get some holes lubed up, do the old in-out, fill 'em up good with the creamy goodness.