In general, if what you do warrants that level of paranoia, Qubes will help you massively.
Micah Lee held a great overview talk at HOPE 2018: https://www.youtube.com/watch?v=f4U8YbXKwog
Details on using a USB keyboard and mouse here: https://www.qubes-os.org/doc/usb-qubes/
Somewhat related, I'm wondering about the physical security of computers. There is an attack where they open your PC, take out the ram, and freeze it immediately so the bits don't decay and they can extract your encryption keys.
All BIOSes have an option for chassis intrusion detection, but I've never seen a case that has the necessary cable. Has anybody here set up a chassis intrusion kill switch that erases the RAM/shuts down the PC etc. if the case is opened improperly? Can you buy anything like this on the market?
There are so many possible evil maid attacks that I think it would be useful to add a physical layer, just in case.
It would be interesting to leverage SEM to run a version of Qubes where not only are the VMs isolated by the Xen hypervisor but are also separately encrypted using the PSP.
If memory serves correctly they achieved the best results by using a can of compressed air to freeze the RAM in place before removal.
//Small edit to wording
It's a matter of being more determined than your attacker. Imagine a device that will irretrievably brick itself if tilted more than a certain angle, if left unpowered for more than a certain time, etc. and that has to be under constant guard. This seems almost incompatible with any kind of personal use. And some measures may only work in one instance, with the attacker planning for them the second time they have an operation.
Many attackers also don't have the same restrictions the police have. In the Ulbricht case the police may have been forced to use a device that copies the data with no human intervention just to preserve the chain of evidence and not have suspicions that the agent operating the laptop altered it while installing additional software. An attacker operating in the grey/dark area might just immobilize the user, snip the wrist cable, and then retrieve the necessary data either directly at the console or by siphoning it via the network. Or the police may just start video recording in great detail every step from the moment an agent touched the laptop until the data was exfiltrated to remove suspicions of tampering.
But such a tool would be of great effect against an undetermined, unsophisticated attacker committing a crime of opportunity.
Putting a regular device in a safe leaves it exposed to someone unlocking the safe and compromising the device by implanting a keylogger inside or even by putting a replacement identical device there and waiting for the user to type the boot password.
As for methods of emergency clearing sensitive data from memory while in operation, whatever method is employed will work once. The next time the attacker is ready for that particular method. For example the police might just have to completely immobilize the suspect (and their hands) and keep the laptop in the vicinity while the "dead man's switch" is bypassed.
Not exactly. You don't want someone sneaking in and misappropriating the HSM to authorize something bad. And if you set the system up for unattended recovery from a power failure, then in all likelihood someone walking off with the server the HSM is in can use those keys indefinitely. But there are options.
Some HSMs have self-destruct mechanisms that attempt to prevent physical access to the private key (i.e. by lapping the chip). Some vendors (nCipher, IIRC) have a smart card (a second HSM) that is required to authorize certain activities, like signing, or key recovery. In fact they had a byzantine generals solution that either had the key or a password for the key split between n cards. In the latter case you needed one of the original HSMs in order to clone the key, so a movie plot where you kidnap the entire team at a conference doesn't work. During initial setup the cert would be generated on the first HSM and copied to the others, having never seen daylight.
That system was quite difficult to explain to users, and I had to document it just so I wouldn't get confused and trigger a reset of the evaluation hardware (at which point all of our test artifacts have to be rebuilt).
It might be more complicated to start WWIII than to protect a signing certificate, but only just.
I think we're talking about exactly the same thing :). That's what I meant by "even they rely on being stored in a physically secure room and protected from theft". Despite all the hardening that is applied to the device, it must always be kept secure and supervised. As an example, this is what Safenet considers the intended installation environment should be.
This can't be effectively applied to a personal computer.
Then your biggest problem is people thinking that stealing the cards will get them anything. Which, they're not entirely wrong, because those things are damned expensive. So you need a 'kinda' secure facility.
Again, the issue is that any hardware that will start up for you without any action on your part will likely start up for anybody else, too. Your laziness will probably win out...
"In recent years, however, it has become increasingly challenging to execute cold boot attacks or perform physical memory forensics due to the introduction of DRAM memory scramblers. Modern processors with DDR3 and DDR4 DRAM scramble data by XOR’ing it with a pseudorandom number before writing it to DRAM. These scramblers were initially introduced to mitigate the effects of excessive current fluctuations on bus lines by ensuring bits on the memory bus transition nearly 50% of the time"
DDR4 is also yes in the lab -
I’m not sure if it’s something they offer on current models, or to individuals at all (I bought it used from a corporate IT asset liquidator so it was likely originally purchased as part of a bulk deal). Regardless it makes a great little Linux box!
Also, does it still work if you open the machine with the power disconnected and battery removed?
... I don’t know of anyone actually implementing this though :)
If the latter, the server would probably be okay, and it would take a very long time for the termites to damage the surrounding room enough to be a security deterrent.
Nobody I know who got arrested ever managed to destroy anything. When I think about it, we all assumed the cops would storm in when we were in the act of doing something bad, probably like in the movies lol, when in practice, they tend to pick you up when you are really off guard, duh.
Very few people had automatic protections because like, our parents would probably get mad if we burned down the house :)
When it came to me, the FBI did knock on my front door, and I managed to dd if=/dev/random of=/dev/hda
I lost my entire BBS, all the custom code and ANSI I had for it, among other ancient treasures that I'd probably still have with my napster mp3s :)
Of course they didn't come for me, there had been a flasher in the neighborhood on halloween...
When I was a teen, I somehow got a modem number at NASA, and I stupidly gave it to a friend. He tried to brute force it, but he got door knocked. He quickly formatted his disks, but it wasn’t even the cops haha!
After 18, you're done, even if they can't think of a good charge, they'll make them up, which is exactly what they did back then, cross state commerce was a blanket thing to grab folks.
I stopped doing anything questionable well before I turned 18.
Today, you should encrypt everything, and cut power before physical access is obtained. Will that count as "tampering"? I was just turning off my computer. No, I do not remember the key.
In practice, the only real protection we had (those of us in my social group) was that we were minors, and lucky that laws hadn't caught up yet.
If I delete a file on my computer today that would be potentially "evidence" if seized, and the police come knocking tomorrow, I haven't committed a crime by using my personal computer in the past.
I only saw people in suits with a black car outside knocking on the door, also this was like 30 years ago so don't twist my arm :)
Could you expound on what this means? In the USA/UK, people most "at risk" of police kicking down the door seizing their laptops/computers while they are still running are child pornographers.
Perhaps this can be used "for good" under oppressive regimes (i.e. if you are a dissenting journalist) but then I think you won't get a fair trial anyway and having a kill switch just means more prison.
It can happen if you are a political activist in any fashion. Nothing violent, just speaking out for rent control and against gentrification can get you in trouble. Or hanging around with the wrong people.
When it happens, you want to leave them as little rope as possible to hang you with. As I said, the courts still are honest and they won't make up evidence, but they will take everything they can find to make a case - and to learn about your structures and networks while they are at it.
You are right, that in real oppressive regimes all bets are off. If they want to get you, they won't stop at their own laws. But even then, these techniques are useful against industrial espionage. If you are doing business in certain countries, the "evil maid" is quite real...
As for the dissenters, I’m sure they would appreciate their co-conspirators remain secret.
Can you provide any evidence at all of police or "thugs" (or anyone, really) kicking down doors to get at trade secrets being a common problem? Because there are countless news articles of police raids seizing computers to stop child porn.
I speculate any tool billed as "anti-forensic" will be used for immoral purposes more commonly than moral purposes.
That does not mean it should be banned. Knives are used for many things from cutting food and opening boxes to killing people. Nitrate based fertilizers can be used for vastly improving crop yields but can also be used for bombs. Encryption can be used to protect your sensitive personal data from criminals and prying eyes, but can also be used by the criminals themselves to hide their activities.
No state (even if it was the most ethically illuminated utopia) has the power to protect every person in every place at every time. Banning defensive tools is asinine as rarely does it mean that a criminal won't use them against you.
It is doubly foolish to believe that the police are the only users of forensic software when there is credit card theft and multimillion dollar ransomware rings out there. Robbing a bank by force or by heist is foregone jail but snatching a laptop from a banker? Far more petty in risk and disguised as mere property theft as opposed to the data theft.
I like this wording.
Disclaimer: Not a comment on current political happenings.
But seriously, the use case of disallowing USB sticks on devices is unnecessarily hard to configure. Just an option to disallow certain device classes would be appreciated.
This will not help against hardware that exploits bugs in the USB stack of the operating system.
Assuming the threat model is police or secret service seizing one's server, it is feasible that the attackers also have knowledge of the running OS (IIRC one can distinguish between Windows, Linux and xBSD by simply looking at TCP fingerprints) and thus can use a targeted exploit.
Some ten-odd years ago, I wrote how to create udev rules to execute a command after connecting a particular USB device:
SUBSYSTEM=="block", SUBSYSTEMS=="usb", OPTIONS+="ignore_device"
- hard work to make something easy to use
- hard work to make something easy to control
That's why I've made similar projects. One to detect when USB storage devices get attached to domain workstations, and email the administrator with device and user info..... https://github.com/zelon88/Workstation_USB_Monitor
And one which detects USB HID devices, confirms them, and notifies the administrator..... https://github.com/zelon88/Rubber_Ducky_Defender
Reminds me of some old firewalls that would actively poll active connections, and when one is made that violates their rules, "immediately" terminate it. Oftentimes, an attacker can embed a lot in just a single URL in the query string (stolen passwords etc.) that would be done in < 5ms, faster than the firewall can act (if not even faster than the polling interval itself), especially if there are plenty of rules and active connections and/or the machine is slow (e.g. playing games).
That's like choosing to not have a door on your house, because you know you can run fast and shoot the thief when they enter.
Maybe it's not as bad for hardware due to the inherent latencies involved, but I am always skeptical about things that use polling vs sitting in the middle at the kernel before a USB connection is allowed to happen to the OS in the first place.
The default (aka the one that nobody will change) connection-polling interval for this thing is 250ms, which doesn't seem too small for me for many conceivable attack scenarios.
For Mac, it runs this:
os.system("killall Finder ; killall loginwindow ; halt -q")
This won't prevent windows from reopening after a reboot.
A possible exploit for this could be the USB pretending to be a keyboard, opening an exploit website or an app with malicious argument values, then you immediately shutdown the Mac, reboot manually and boom, the website/app opens up and the machine gets owned anyway post-reboot!
Also, lack of Windows support is upsetting, considering there isn't much code change required to do so.
The "melt" feature is one I really like and respect the thought they put to make it.
For others, even if the attacker is unaware of the utility, those shortcomings are still serious enough (e.g. rapid keyboard typing).
Something like this, that doesn't halt the computer but shows a warning on screen and logs information would perhaps be a solution to their problem. Although in the case of industrial espionage maybe locking the system would be worth it...
echo 'RUN+="/root/usb-changed.sh"' > /etc/udev/rules.d/usb-changed.rules
Then just put whatever you want to be run in /root/usb-changed.sh.
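A handler of the kind discussed above (log a warning instead of halting, and sort devices by class), as an added example that is not code from this thread or from any project it mentions. The rule shown in the comment, the allowlist path and the function names are assumptions; `ID_VENDOR_ID`, `ID_MODEL_ID`, `ID_SERIAL_SHORT` and `ID_USB_INTERFACES` are properties udev's `usb_id` builtin exports to `RUN` programs.

```sh
#!/bin/sh
# Added example for /root/usb-changed.sh. Assumed rule (one line in
# /etc/udev/rules.d/usb-changed.rules):
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/root/usb-changed.sh"

ALLOWLIST="${ALLOWLIST:-/etc/usb-allowlist}"  # hypothetical file, one vid:pid per line

# Translate ID_USB_INTERFACES (":ccsspp:" triples, e.g. ":030101:080650:")
# into a space-separated list of interface class names.
usb_classes() {
    out=""
    old_ifs=$IFS; IFS=:
    for triple in $1; do
        [ -n "$triple" ] || continue
        case "$triple" in
            03*) name=hid ;;
            08*) name=storage ;;
            09*) name=hub ;;
            *)   name="class-$(printf %.2s "$triple")" ;;
        esac
        case " $out " in *" $name "*) ;; *) out="${out:+$out }$name" ;; esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# True if the word $2 appears in the list $1.
has() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# Print "ignore", "allow" or "alert:<reason>" for one udev event.
# Note: vid:pid is self-reported by the device, so the allowlist only
# filters out honest hardware; it does not authenticate anything.
usb_decide() {
    action=$1 vid=$2 pid=$3 ifaces=$4 allowlist=$5
    [ "$action" = add ] || { echo ignore; return 0; }
    if [ -r "$allowlist" ] && grep -qixF "$vid:$pid" "$allowlist"; then
        echo allow; return 0
    fi
    classes=$(usb_classes "$ifaces")
    if has "$classes" hid && has "$classes" storage; then
        echo "alert:hid+storage composite"
    elif has "$classes" hid; then
        echo "alert:new keyboard-class device"
    elif has "$classes" storage; then
        echo "alert:mass storage"
    else
        echo "alert:unlisted device"
    fi
}

# udev sets ACTION and the ID_* properties in the handler's environment.
if [ -n "${ACTION:-}" ]; then
    verdict=$(usb_decide "$ACTION" "${ID_VENDOR_ID:-}" "${ID_MODEL_ID:-}" \
                         "${ID_USB_INTERFACES:-}" "$ALLOWLIST")
    case "$verdict" in
        alert:*) logger -t usb-changed -p auth.warning \
                 "$verdict vid=${ID_VENDOR_ID:-?} pid=${ID_MODEL_ID:-?} serial=${ID_SERIAL_SHORT:-?}" ;;
    esac
fi
```

Because the handler is event-driven rather than polled, it runs once per device attach; it still runs after the kernel has enumerated the device, so it records and alerts rather than blocks.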
This line particularly caught my eye. I wonder what's the percentage of people (I'm presuming people working in security or those who are trying to avoid detection) who go to this extreme?
Is it even extreme?
How exactly does this work? Is there a sort of software that runs automatically when you insert the stick, or did he have to click on it?
Great bit of example code, but opens a world of possibilities for what you could do with, say, a HID + Mass Storage composite device.
I type the above SO often every day, it should be on my gravestone. :D
For most common hardware this is just an 8051 variant that sets up the USB and DMA peripherals. It's easy enough to get something more powerful, but I am doubtful you'd want to reuse consumer hardware.
In this case any kind of MCU is making life harder than it needs to be.
Apparently, autorun from USB volumes was enabled for XP SP2:
>Before Windows XP SP2, AutoPlay was disabled by default on removable drives, such as the floppy disk drive (but not the CD drive), and on network drives. Starting with Windows XP SP2, AutoPlay is enabled for removable drives. This includes ZIP drives and some USB mass storage devices.
I know this isn't really very relevant for the specific combination of installers and physical media any more, since it's rare for anyone to be trying to install something off a CD/DVD/USB these days (other than a new OS, of course.)
But I could see the use case for physical media doing something other than running an installer (e.g. DRMed disks launching the equivalent of a FUSE server to mount the "rest" of the disk); or for non-physical media (e.g. macOS DMG disk images) being able to autorun their embedded installer. Either way, the code signing that the platforms are already doing would be enough to make these safe, no?
At best, Windows code signing lets you know who signed it and that that person was able to pay a CA some money, not that it's safe to run.
You should try Windows 10! It's very good. At least give it a whirl so you can have accurate facts to what it does, and not spread FUD about it.
For me an extreme measure would be to modify my motherboard in a way that I could connect RAM to my wrist and tear it away when necessary.
Bonus points if they cut it when they tackle you because they thought it was a deadman switch, like mentioned in the link.
A phone could work. An apparent car key would be better. Best would be a piece of clothing, like a belt.
For instance, if my laptop is locked (with a proper lock screen like xscreensaver) and that lock screen is capturing all keyboard input and magic SysRq keys are disabled, too, is there really no way an attacker could use a USB device to hack my laptop?
Similarly, if my laptop is not locked but comes with unusual key bindings (maybe even a different keyboard layout), what are the chances of me getting hacked with a USB device? (Let's assume that the attacker manages to secretly plug in said USB device but doesn't want to access my unlocked laptop directly – maybe because we're in an open office and people are watching.)
My impression had always been that USB devices are dangerous beyond simple keyboard emulation but I might be wrong.
They do this to make sure your computer stays on and your RAM doesn't get powered off, which will allow them to read any decrypted data in memory whether or not your data is encrypted on disk.
When they raid you, they come with massive UPS devices that they plug your computers into to give them as long a window as possible to get your data.
Just discovered this now myself. The same company sells mouse jigglers.
Yes, it won't defend against cord cutting.
Edit: A more interesting defense I think would be to modify a surge protector for this specifically to defeat HotPlug. Only put your computer on a specific outlet and wire it so that if any other outlet completes a circuit, it kills power to the whole thing.
Definitely would go with my modified surge protector plan then.
Sorry for the digression, but WTF is this guy doing? Looks like he redirects all requests that have HN as the referrer to a picture of a testicle. Copy-pasting the link (i.e., dropping the referrer) seems to work, though.
And of course, depending on the OS, it's possible to craft a USB stick that copies files to a remote server as soon as it's plugged in.
I know nothing!
Is this possible with Linux?
So it can do anything a newly plugged in keyboard can do. Which, if the user is already logged in, makes grabbing the user's files easy.
Ah. Found it:
See the Apple combo USBC/Thunderbolt ports.
Never thought about shutting down the computer.
Security through (counter-measure) obscurity.
Apple phones can be wiped with 10 invalid password attempts, but the cops already know it. If it’s a piece of custom software that erases a computer after 2 attempts, can the prosecution really claim it was pure evidence destruction?
I honestly don’t know, but I’m curious.
If they use mouse wiggling, the screensaver could use other triggers/patterns to keep the box on, say 1 Google search per 15 min minimum. Randomly moving the mouse seems a good reason to shut down.
Something like this is probably good when you - as a person - are not around when your hardware gets extracted from your place. But then again, why would it be running openly and unattended in the first place?
A small laptop, a phone or a tablet can be stolen from you while powered on and unlocked by a simple thief that has no intention, nor ability, to capture and torture you.
The thief could then quickly hand the device to other people that flash it and sell it in a different country. But first they might extract any valuable data.
> [...] a simple thief that has no intention, nor ability, to capture and torture you
By your comment I assume you live in a developed country and/or are not within a regularly oppressed minority, which of course, is a nice privilege. Sadly not everyone is that lucky and torture over something simple as $1 online transactions is pretty real.
If they wanted protection against that they would recommend a gun or several mercenary bodyguards. Which would require money and connections. But the topic isn't "How to quickly kill or incapacitate three or more men with only your bare hands while having legal cover".
But that may be preferable to them knowing about all those highly illegal nuclear doomsday space arms technology knowledge deals you've brokered, or that collection of child porn, or those detailed assassination plans, or whatever. Maybe the authorities suspect something, maybe a SWAT team will snatch your laptop, but if all evidence is in there and encrypted, you may get off with a lot less than otherwise.
Not sure what the situation is now.
+ The person being given the notice has the key
+ Investigators need the key to prevent or detect crime
+ Disclosure is proportionate
+ They can't get the encrypted material by other means
Not complying with the is a criminal offence. The maximum sentence is 2 years, unless it's a case involving child sexual exploitation or national security where the maximum sentence is 5 years.
There is a code of practice for use of these powers here: https://www.gov.uk/government/publications/code-of-practice-...
I think that properly regulated key disclosure powers are important. I'm not sure we (the UK) are getting it right with RIPA. I'd want to see stronger audit and oversight of the S49 notices, and better advice given to people who are served S49 notices.
For example: I have no idea how many people are served S49 notices, and I don't really know how to find out. I don't know how many people have been imprisoned for not disclosing keys; I don't know what sentences they've been given; and I'm not clear on how to find that out. I feel that it should be easier for citizens to have clear data about these really intrusive powers.
EDIT: I just found this page, and it seems like it's small numbers of people. But still, it's a bit worrying. https://wiki.openrightsgroup.org/wiki/Regulation_of_Investig...
That's a bit scary. 'Detect crime' could be pure speculation on the police's part.
"We think you've done something bad, let us see the contents of your phone. No we don't have any evidence already as we're detecting the crime right now."
It's not great, but it's better than before where this kind of crime detection had much less regulation.