
Protecting a Laptop from Simple and Sophisticated Attacks - arb99
https://grepular.com/Protecting_a_Laptop_from_simple_and_Sophisticated_Attacks
======
there
If you're on OS X Lion, you should be using FileVault for whole disk
encryption. Enabling FileVault automatically disables Firewire/Thunderbolt DMA
access while the screen is locked. You can also tweak a setting to
automatically erase the FileVault key before suspending the laptop, requiring
it to be entered before booting back up:

    
    
        pmset -a destroyfvkeyonstandby 1
    

I use

    
    
        pmset -a destroyfvkeyonstandby 1 hibernatemode 25
    

to always hibernate the laptop instead of suspending. The FileVault key is
erased and the memory is dumped to disk encrypted.

~~~
wgx
You can also disable target disk mode and add a firmware password to prevent a
thief from booting the machine to any other disk, even removable media.

<http://support.apple.com/kb/HT1352>

edit: added Apple link.

~~~
nieve
Note that the firmware password can be bypassed by any Apple tech who calls
into their call center, identifies themselves, and requests it. It's defense
against a casual thief, but not someone with Apple connections, LEA, or any of
thousands of Apple employees and third-party repair places. Still worth doing,
just not as secure as the ones on old IBM thinkpads, say.

~~~
voltagex_
I wonder how that bypass works.

------
JoachimSchipper
A pretty good overview of "properly paranoid". Reading the comments, he does
have backups, which is a good idea.

As Timo Juhani Lindfors points out in the comments,

> The "xhost +local:mike.firefox" will let your mike.firefox user inject
> keystrokes to your X. This allows it to trivially escape the jail. I have
> personally been investigating solutions to this problem. The ones that I
> have found are: [qubes and xpra/vnc].

Finally, giving Firefox the ability to read audio is not ideal - it's probably
enough to get a fairly decent keylogger going, for instance. (Persons and
keyboards have characteristic sounds for keys/phrases.)

~~~
zorlem
By giving access to the X server, he effectively gives access to all keyboard
and mouse events, so recording the audio of the keystrokes is not necessary
(but could be another attack vector, if firefox could not be exploited for
code execution).

~~~
mike-cardwell
Just to be clear. Under normal circumstances, Firefox has all that access
anyway. Just like any other app running under X11.

Running it under a different user id means that if it is compromised, there is
an extra step required before it can access files. A step which could lead to
the compromise being noticed.

------
Roritharr
Finally someone who shows what length you have to go, to feel atleast mostly
secure about your environment, if you understand how it security works.

This is one of the reasons why its ok to be scared of "crypto stuff"... leave
it to pros like him that hand you a readily configured system like this, which
sounds, after all is said and done, pretty userfriendly for the amount of
security it provides.

------
tudorw
I have a tip, on purchase of a new laptop gather together as many old stickers
as you can, cover the case with them, then scribble and write, add a few
coffee marks, a scratch and a scrape, you will have the world's least
desirable target, it will look like shit, but it's your shit, and it's a
little safer :)

~~~
TwiztidK
This is honestly the best advice that there is.

About 11 months ago, my MacBook Pro was stolen from my house. I didn't keep a
password on it as any of my secure files were encrypted, so the theif did use
it for a bit. I had installed Prey, similar to this author, and a keylogger on
the computer, so I was able to collect copius amounts of information about the
theif (name, address, picture, phone number, email, usernames, passwords,
etc.). I had more than enough info to catch the theif including the address of
where the computer was being kept. I relayed everything I had to the police
officer in charge of my case. Basically, it was an open/shut case, he just
need to go and get it. To make a long story short, he did nothing. He never
pursued the case at all and I never got my computer back.

After a few months of inaction by the police, I did the best thing I could and
ssh'd into the computer and rm -rf'd it so the theif would have to reinstall
the OS and I wouldn't have watch someone else use _my_ computer. I would have
retrieved the computer myself, but I was very aware of the theif's criminal
record which mostly included assault, unlawful possesion of a firearm,
attempted murder, etc.

tl;dr - If your computer is stolen there is little to no hope for retrieval,
so do everything possible to prevent its theft.

~~~
keeperofdakeys
One of my friends also had his MacBook Pro with Prey installed stolen.
However, the police did retrieve it for him (he used wifi scanning around the
area to determine the exact location). The police also didn't share any
information about the person who had it, probably since it was stolen then
sold. From start to finish, the ordeal was probably two-three weeks (enough
for a new one to be shipped). Although this is one of the good stories, he
definitely takes security more seriously now.

------
david_shaw
I find it interesting that this article, while excellent and informative, does
nothing to address the most frequent attack vectors to which most users remain
vulnerable. Yes, it's true that simple theft (or worse, industrial espionage)
is a real threat. People may take your hardware and attempt to steal your
data. All of these solutions would certainly restrict their ability to do so
(and as a security professional, I recommend following these procedures), but
this article is analogous to putting a car without airbags in a garage with
blast doors and calling it "safe."

The most common attack vectors are not super spies silently breaking into your
home or office and attacking your boot loader. Far, far more frequently, the
culprit is operating system and non-OS application vulnerabilities. Remote
root exploits are obviously the most severe, but even information leaks,
access gained without privilege escalation, insufficient transport layer
security and others can relatively easily compromise the data that is being so
thoroughly protected by complex security measures. The important thing to
understand is that these attacks run _while the computer is running_ , not
against a cold hard disk. Military grade encryption would not protect against
these threats.

Again, I would always say that the more security you can throw on a system
without negatively impacting user experience, the better; that said, make sure
to install malicious host detection software, use an IDS, employ access
control lists, and more than anything, make sure you're checking security
advisories and keeping your patch levels up to date. In my professional
experience, the biggest security problems are caused by people using "very
stable" software who don't want or see the need to update.

Anyway, I'm not trying to bash the article at all--I thought it was a great
read--but while we're on the subject of security, it's better to protect
against common threats than against a state-sponsored intelligence agency
trying to steal your text files.

~~~
fjarlq
With regular users in mind, how much of a problem is social engineering these
days?

A couple years ago some Cisco researchers infiltrated a botnet and got to
interview the operator. They asked him what vulnerabilities he uses to grow
his network, and he said none:

[http://www.cisco.com/web/about/security/intelligence/bots.ht...](http://www.cisco.com/web/about/security/intelligence/bots.html)

Instead he spams instant messaging networks with "check out this cool
software: [link]", and he could count on 1% doing it.

This is the sort of thing my parents and grandparents fall for. Combine it
with social networks and the message appears to come from a trusted person.

For this reason I'm glad to see the arrival of curated app stores, despite
their many drawbacks. For regular users I think it will make it harder to be
tricked into voluntarily installing malware. But I don't know how significant
this problem is compared to not staying patched.

------
eli
I assume that if a thief steals my laptop, I'm not getting it back even if
it's got GPS, a car alarm, and exploding dye packs. Instead of worrying about
that, I just make sure I have good backups and that my insurance fully covers
all my equipment.

~~~
aw3c2
Do not forget about your privacy. Properly encrypting a laptop and making sure
it is still good enough if stolen while running (ie short time lock down) is a
good idea.

------
nicholassmith
I enjoy reading proper security geeks securing stuff. I have a password on my
MBA, and some stuff in some encrypted .DMGs.

That's about it. I like telling the people I know who work in security and
watching them get a mix of pity and shame in their eyes.

------
JoeAltmaier
The inevitable xkcd link: <http://xkcd.com/538/>

~~~
derrida
Julian Assange created a sort of defence against this attack on Disk
Encryption in the 90's called "Rubberhose" (after the attack vector).
<https://en.wikipedia.org/wiki/Rubberhose_%28file_system%29> TrueCrypt has
some similar functionalities. Rubberhose doesn't work on modern kernels, so it
needs some love from a caring hacker to bring it up to date. :-)

~~~
tedunangst
"sort of defense" is right. When the people with rubber hoses know you are
using a "deniable" encryption system, they have little incentive to stop
beating you after the first, second, or any subsequent decryption.

~~~
derrida
Exactly. So don't let anybody know & let it decrypt to something plausible.
FYI there is no way of distinguishing Rubberhose from drive with random data.

~~~
tedunangst
Unless I have misunderstood you, you distinguish it by the fact that it uses
rubberhose to decrypt.

~~~
derrida
Yes, I think you are right. Badly phrased.

You can nest the volumes. So give attacker A-->B-->C instead of A-->D-->E
Also, there is no way of proving the existence of a hidden volume. It
basically makes the Rubberhose attack unreliable as an attack vector. That
doesn't mean some poor soul won't be beaten again, it just means that the
folks doing the beating aren't so sure this $5 wrench is a decent attack
vector.

------
16s
Another thing he might consider is setting multiple rounds on the SHA512-crypt
hash used by default in Ubuntu. Something like 'rounds=512000' would be
sufficiently strong for now. That would cause a perceivable delay during
logon. Probably about 4 to 5 seconds, but on a single-user laptop that would
be just a slight inconvenience. Also he should use an extremely strong/long
password that passwdqc approves of.

Doing this would protect against the scenario where he happens to leave a root
terminal open and the maid copies his /etc/shadow to a usb drive and gives it
to some government agent to crack... well good luck to them.

------
technomancy
Doesn't simply forcing your keychain and ssh/gpg agents to lock when your
machine suspends or locks protect you from the ram attacks? I suppose you
would still have to ensure your screen lock timeout is low enough and
correspondingly annoying enough.

I've just recently been able to stop having any plaintext credentials on my
drive, though it takes a bit of work in some security-naive programs like
s3cmd:
[https://github.com/technomancy/dotfiles/commit/da64e1c390421...](https://github.com/technomancy/dotfiles/commit/da64e1c390421c8df4060765370bc0b9f939e810)

------
sweis
PrivateCore is developing a product to defend against physical attacks,
including cold boot and DMA: <http://www.privatecore.com> . We offer stronger
security guarantees than what TRESOR can provide. However, we are currently
targeted toward the server market and not laptops. More details will be public
soon. Feel free to contact me directly if you're interested in learning more:
steve@privatecore.com

PS - We are hiring! Especially looking for experienced Linux kernel
developers.

~~~
rdl
This looks pretty awesome. I've messed around with TRESOR and it still feels
like a research project.

------
heyitsnick
Author mentions he runs his own VPN on linode.

Does anyone know of a simple step-by-step guide for doing this? I tried once
in the past but got stuck (I forget where) and gave up instead used a third
party service like StrongVPN which i'm not too happy with.

I would think it's a common enough use-case that maybe there's a repo I could
clone or something to make it super-simple.

~~~
mcobrien
<http://library.linode.com/networking/openvpn>

------
daemonize
I was disappointed that there was no mention of side channel attacks and
countermeasures.

[http://web.mit.edu/press/2012/thwarting-eavesdropping-
data.h...](http://web.mit.edu/press/2012/thwarting-eavesdropping-data.html)

Edit: added link

------
jesseendahl
It's worth noting that—annoying as it is—the soldered RAM modules in the
MacBook Air make it resistant to cold boot attacks. Combined with FileVault
FDE and the pmset command mentioned by "there," you get a pretty secure setup.

------
Estragon
This is cool. What are some plausible attacks via reading memory over firewire
or chilling the memory to preserve its state at shutdown?

Also, does anyone know what he does that the security of his laptop merits
this level of care?

~~~
mike-cardwell
The main attack is reading the full disk encryption key from the RAM. If you
manage that, then you can decrypt the full disk.

~~~
Estragon
Yeah, but how is someone going to get access to the laptop to do that?

~~~
keeperofdakeys
The idea behind some of these countermeasures are so if someone _steals_ your
laptop, they can't access the data. The article comes from the 'beyond
paranoid' side, since cold boot attacks especially are require a lot of setup
(of course, once you have a laptop, take it to a lab). The firewire attack is
as easy as plugging in a cable though, but still requires someone with the no-
how to find the password.

For most people, just having an encrypted drive is enough, since their data
probably isn't valuable enough for people to go out of their way to steal it.
You are mostly trying to protect your data from ordinary thieves.

~~~
Estragon
But these attacks are on the memory... I suppose there is a risk of the
machine being stolen while it's turned on?

~~~
mike-cardwell
The whole point of the "Evil Maid", "Cold Boot" and "Firewire" attacks that
are described in the blog post, is that physical access to the machine is
required in order to pull them off...

------
niels_olson
Has anyone done a cost analysis on Prey? Seems like FUD.

~~~
keeperofdakeys
Thanks to Prey my friend got his laptop back, with the help of police. I'm
pretty sure he was using the free version too, so there really is no 'cost'
for an increased chance of getting it stolen. Of course, you should always
ensure you have the serial numbers recorded so the police can verify it's the
right laptop.

------
drivebyacct2
This is fantastic, a few navie questions though:

1\. Why not find some permanently-read-only media for the boot drive and then
not have to be so paranoid about its physical integrity?

2\. Why not leverage the PGP smart card for more things like signin via PAM,
etc?

3\. Will Wayland help keep processes isolated from an eavesdropping
perspective? My understanding is that, worse than firefox having access to
your user files, that any X window can read/write from other X windows?

~~~
zorlem
With the read-only media you've got a problem with upgrading the kernel,
which, recently, you need to be doing quite often.

As for the PGP smartcard, I've posted a comment on the blog that it could hold
the private key used for decrypting the keyfile for the Full-Disk Encryption.

------
drivebyacct2
Sorry to double post, but I've love more information also on using TPM to
secure grub to remove the need for a physically secured grub boot. Thanks for
anything!

~~~
sporksmith
You may want to take a look at tboot: <http://tboot.sourceforge.net/>

tboot is a version of grub modified to perform a TPM-measured launch of the
OS. It's not sufficient by itself to do what you want, but you could build on
that by, say, sealing a volume encryption key under that measurement, such
that if the boot loader is modified, virtualized, etc., it won't be able to
decrypt the volume. (Or less aggressively, sealing a user-secret that is
displayed at the grub-menu, allowing you to verify the above, but not
completely hosing you if the measurement changes unexpectedly due to a
software upgrade etc.)

~~~
jonthedge
Another option is the "Trusted GRUB" patch:
<http://trousers.sourceforge.net/grub.html>

tboot as described above requires your system (CPU & chipset dependencies
above and beyond the TPM) to support Intel's "Trusted Execution Technology".
See, e.g.,
[http://ark.intel.com/search/advanced/?s=t&TXT=true](http://ark.intel.com/search/advanced/?s=t&TXT=true)

In either case, you end up with a record (cryptographic hash chain) of what
kernel + initrd + config options in some of the TPM's PCRs (Platform
Configuration Registers).

I'm not aware of any existing software to protect your FDE (full disk
encryption) key by "sealing" (a TPM operation) under those PCRs (i.e.,
decryption impossible unless they match) and unsealing at boot time, but many
of the tricky components already exist as open-source projects. See also:
<http://trustedjava.sourceforge.net/>

