Protecting a Laptop From Sophisticated Attacks
mike_cardwell sends in a detailed writeup of how he went about protecting an Ubuntu laptop from attacks of varying levels of sophistication, covering disk encryption, defense against cold boot attacks, and even simple smash-and-grabs. (He also acknowledges that no defense is perfect, and the xkcd password extraction tool would still work.) Quoting:
"An attacker with access to the online machine could simply hard reboot the machine from a USB stick or CD containing msramdmp to grab a copy of the RAM. You could password protect the BIOS and disable booting from anything other than the hard drive, but that still doesn't protect you. An attacker could cool the RAM, remove it from the running machine, place it in a second machine and boot from that instead. The first defense I used against this attack is procedure based. I shut down the machine when it's not in use. My old Macbook was hardly ever shut down, and lived in suspend to RAM mode when not in use. The second defense I used is far more interesting. I use something called TRESOR. TRESOR is an implementation of AES as a cipher kernel module which stores the keys in the CPU debug registers, and which handles all of the crypto operations directly on the CPU, in a way which prevents the key from ever entering RAM. The laptop I purchased works perfectly with TRESOR as it contains a Core i5 processor which has the AES-NI instruction set."
The real enemy, which is the alien space zebra vampires that are out to suck your blood.
Seriously, this much effort is excessive considering the value of what anybody in a normal situation should have on their laptop. If you have a genuine need for this, you should be on the level of the person carrying the Football, and as such, you would be better investing in the Secret Service equivalent.
Doesn't protect you from Murlocs or Aquaman.
Aquaman is out to get you, that's why he has been using his aquatic telepathy to convince you to throw your laptop overboard.
The concrete is to protect it from the pressure.
He's very cunning. You have to be with such a lame power.
I agree that it's just too much hassle to go through to secure a standard laptop. It's still an interesting experiment and it neatly lays out the attack vectors and potential counters.
Think of it like a hobby. It may not be really practical, but it's interesting to some people.
It is a theoretical possibility and has been shown to be possible.
Let's be honest though.... it is just not that likely of an attack. Let's not forget you can't encrypt your initrd... Unless you store your boot partition on a USB key and carry it with you, then it can be modified by an attacker. All he has to do is reboot the machine, install a key logger in the initrd, and get the passphrase the next time you type it in.
That or install one between the keyboard and machine. Hell, can probably do everything he needs from the USB bus. Did they ever fix that USB bus problem where a USB device could get full DMA without any OS help required? Hell the USB device could even be installed inside the laptop so it's active and invisible while you use it.
That's before we even talk about things like, installing a pinhole camera to record your keystrokes....oh or using audio, as it's been demonstrated that you can reliably recover typed information from recordings of the typing.
Without physical security there is no security. You can't prevent your hardware from being booby trapped... and there are people out there with entire labs devoted to producing this sort of clandestine equipment. Hell, the FBI is known in some instances to have put a tarp in front of a whole house at night, with a print of the original house on it...just so they could work undetected.
It's all a matter of who wants your data and what they are willing to get it.
-Steve
"I opened my eyes, and everything went dark again"
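A defender's check for the initrd tampering scenario raised in the comment above, as an added example that is not part of the original thread: it records SHA-256 hashes of the unencrypted boot files and later lists every file that changed, appeared or disappeared. The function names and the practice of keeping the manifest on removable media are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect offline modification of the unencrypted boot files
# (kernel, initrd, bootloader config). Function names are hypothetical.
# Assumption: the manifest is stored on removable media you carry with you,
# not on the laptop's own disk, where it could be rewritten with the initrd.

# boot_manifest DIR: print "sha256  ./relative/path" for each file, sorted
# bytewise so that two manifests can be compared line by line.
boot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort )
}

# boot_changes DIR MANIFEST: print the path of every file whose hash differs
# from the manifest, or that was added or removed since it was written.
# Returns 0 when nothing changed, 1 when at least one path is listed.
boot_changes() {
    bc_cur=$(mktemp) || return 2
    boot_manifest "$1" > "$bc_cur"
    # comm -3 keeps lines unique to either file; lines from the second file
    # are tab-prefixed. A sha256sum line is 64 hex chars, two spaces, path.
    bc_out=$(LC_ALL=C comm -3 "$2" "$bc_cur" | tr -d '\t' | cut -c67- | sort -u)
    rm -f "$bc_cur"
    if [ -z "$bc_out" ]; then
        return 0
    fi
    printf '%s\n' "$bc_out"
    return 1
}

# Usage: script.sh baseline DIR MANIFEST   (while the system is known good)
#        script.sh verify   DIR MANIFEST   (before typing the passphrase)
case "${1:-}" in
    baseline) boot_manifest "$2" > "$3" ;;
    verify)   boot_changes "$2" "$3" ;;
esac
```

Run the verify step from trusted boot media, since a modified initrd can also alter what a check run on the booted system reports.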
Let me put my tinfoil hat on for a moment... Beatings aren't necessary, the US gov't can simply use the NSAKEY to decrypt anything encrypted using Microsoft libraries...
This story is about an Ubuntu laptop. I doubt any Microsoft libraries were used.
alias sudo="echo make it yourself #" ; # https://pipedot.org/~stderr & http://soylentnews.org/~stderr