Protecting a Laptop from Simple and Sophisticated Attacks (grepular.com)
130 points by arb99 on May 24, 2012 | 53 comments



If you're on OS X Lion, you should be using FileVault for whole disk encryption. Enabling FileVault automatically disables Firewire/Thunderbolt DMA access while the screen is locked. You can also tweak a setting to automatically erase the FileVault key before suspending the laptop, requiring it to be entered before booting back up:

    pmset -a destroyfvkeyonstandby 1

I use

    pmset -a destroyfvkeyonstandby 1 hibernatemode 25

to always hibernate the laptop instead of suspending. The FileVault key is erased and the memory is dumped to disk encrypted.


There's quite a good guide here: http://www.nsa.gov/ia/_files/os/applemac/I731-006R-2007.pdf

If it's good enough for the NSA it's almost good enough for everyone else /tinfoilhatting


It's not a good guide (anymore). It doesn't pertain to Lion or any recent version of OS X and is sorely outdated.

Many of the security-related technologies, especially FileVault, have either seen significant changes or been replaced. As far as I can tell, it was last updated during the 10.4 days.

Aside from the general secure computing tips, it's a historical document.


You can also disable target disk mode and add a firmware password to prevent a thief from booting the machine to any other disk, even removable media.

http://support.apple.com/kb/HT1352

edit: added Apple link.


Note that the firmware password can be bypassed by any Apple tech who calls into their call center, identifies themselves, and requests it. It's defense against a casual thief, but not someone with Apple connections, LEA, or any of thousands of Apple employees and third-party repair places. Still worth doing, just not as secure as the ones on old IBM thinkpads, say.


I wonder how that bypass works.


A pretty good overview of "properly paranoid". Reading the comments, he does have backups, which is a good idea.

As Timo Juhani Lindfors points out in the comments,

> The "xhost +local:mike.firefox" will let your mike.firefox user inject keystrokes to your X. This allows it to trivially escape the jail. I have personally been investigating solutions to this problem. The ones that I have found are: [qubes and xpra/vnc].

Finally, giving Firefox the ability to read audio is not ideal - it's probably enough to get a fairly decent keylogger going, for instance. (Persons and keyboards have characteristic sounds for keys/phrases.)


By giving access to the X server, he effectively gives access to all keyboard and mouse events, so recording the audio of the keystrokes is not necessary (but could be another attack vector, if firefox could not be exploited for code execution).


Just to be clear. Under normal circumstances, Firefox has all that access anyway. Just like any other app running under X11.

Running it under a different user id means that if it is compromised, there is an extra step required before it can access files. A step which could lead to the compromise being noticed.


A possible solution would be sandbox[1], but it requires SELinux which is unavailable under Ubuntu (Ubuntu uses AppArmor).

[1] http://danwalsh.livejournal.com/28545.html


Ubuntu defaults to AppArmor, but that doesn't mean SELinux is unavailable. All you need to do is an "apt-get install selinux".


Finally someone who shows what lengths you have to go to in order to feel at least mostly secure about your environment, if you understand how IT security works.

This is one of the reasons why it's OK to be scared of "crypto stuff"... leave it to pros like him that hand you a readily configured system like this, which sounds, after all is said and done, pretty user-friendly for the amount of security it provides.


I have a tip, on purchase of a new laptop gather together as many old stickers as you can, cover the case with them, then scribble and write, add a few coffee marks, a scratch and a scrape, you will have the world's least desirable target, it will look like shit, but it's your shit, and it's a little safer :)


This is honestly the best advice that there is.

About 11 months ago, my MacBook Pro was stolen from my house. I didn't keep a password on it as any of my secure files were encrypted, so the thief did use it for a bit. I had installed Prey, similar to this author, and a keylogger on the computer, so I was able to collect copious amounts of information about the thief (name, address, picture, phone number, email, usernames, passwords, etc.). I had more than enough info to catch the thief including the address of where the computer was being kept. I relayed everything I had to the police officer in charge of my case. Basically, it was an open/shut case, he just needed to go and get it. To make a long story short, he did nothing. He never pursued the case at all and I never got my computer back.

After a few months of inaction by the police, I did the best thing I could and ssh'd into the computer and rm -rf'd it so the thief would have to reinstall the OS and I wouldn't have to watch someone else use my computer. I would have retrieved the computer myself, but I was very aware of the thief's criminal record which mostly included assault, unlawful possession of a firearm, attempted murder, etc.

tl;dr - If your computer is stolen there is little to no hope for retrieval, so do everything possible to prevent its theft.


One of my friends also had his MacBook Pro with Prey installed stolen. However, the police did retrieve it for him (he used wifi scanning around the area to determine the exact location). The police also didn't share any information about the person who had it, probably since it was stolen then sold. From start to finish, the ordeal was probably two-three weeks (enough for a new one to be shipped). Although this is one of the good stories, he definitely takes security more seriously now.


This works excellently. A few months ago I was on the road 24/7, including some pretty seedy airports and coffee shops all over the world. In Taiwan I got one of those clear plastic cover cases for my 15" MacBook and absolutely plastered the clear case with stickers, and over time I ehem... "applied" a few involuntary scratches as well. Bad news is people do tend to stare at your laptop abomination, but the good part is indeed nobody wants it. Also, being a detachable cover, I could take the camouflage off for stuffy business meetings.


I'm the author of the article. The laptop in question is a Thinkpad. The good thing about Thinkpads is they all look the same, and they don't look valuable. Well, not like a Macbook or a Sony Vaio. I don't think they look like particularly valuable targets even when they're brand new.


I use Apple products and this really annoys some people, but I let my stuff get beaten up cosmetically. I fix it up when I'm selling but no one looks at it with 'oh that looks shiny and new'.


I find it interesting that this article, while excellent and informative, does nothing to address the most frequent attack vectors to which most users remain vulnerable. Yes, it's true that simple theft (or worse, industrial espionage) is a real threat. People may take your hardware and attempt to steal your data. All of these solutions would certainly restrict their ability to do so (and as a security professional, I recommend following these procedures), but this article is analogous to putting a car without airbags in a garage with blast doors and calling it "safe."

The most common attack vectors are not super spies silently breaking into your home or office and attacking your boot loader. Far, far more frequently, the culprit is operating system and non-OS application vulnerabilities. Remote root exploits are obviously the most severe, but even information leaks, access gained without privilege escalation, insufficient transport layer security and others can relatively easily compromise the data that is being so thoroughly protected by complex security measures. The important thing to understand is that these attacks run while the computer is running, not against a cold hard disk. Military grade encryption would not protect against these threats.

Again, I would always say that the more security you can throw on a system without negatively impacting user experience, the better; that said, make sure to install malicious host detection software, use an IDS, employ access control lists, and more than anything, make sure you're checking security advisories and keeping your patch levels up to date. In my professional experience, the biggest security problems are caused by people using "very stable" software who don't want or see the need to update.

Anyway, I'm not trying to bash the article at all--I thought it was a great read--but while we're on the subject of security, it's better to protect against common threats than against a state-sponsored intelligence agency trying to steal your text files.


With regular users in mind, how much of a problem is social engineering these days?

A couple years ago some Cisco researchers infiltrated a botnet and got to interview the operator. They asked him what vulnerabilities he uses to grow his network, and he said none:

http://www.cisco.com/web/about/security/intelligence/bots.ht...

Instead he spams instant messaging networks with "check out this cool software: [link]", and he could count on 1% doing it.

This is the sort of thing my parents and grandparents fall for. Combine it with social networks and the message appears to come from a trusted person.

For this reason I'm glad to see the arrival of curated app stores, despite their many drawbacks. For regular users I think it will make it harder to be tricked into voluntarily installing malware. But I don't know how significant this problem is compared to not staying patched.


I assume that if a thief steals my laptop, I'm not getting it back even if it's got GPS, a car alarm, and exploding dye packs. Instead of worrying about that, I just make sure I have good backups and that my insurance fully covers all my equipment.


Do not forget about your privacy. Properly encrypting a laptop and making sure it is still good enough if stolen while running (i.e. short time lock down) is a good idea.


I enjoy reading proper security geeks securing stuff. I have a password on my MBA, and some stuff in some encrypted .DMGs.

That's about it. I like telling the people I know who work in security and watching them get a mix of pity and shame in their eyes.


The inevitable xkcd link: http://xkcd.com/538/


Julian Assange created a sort of defence against this attack on Disk Encryption in the 90's called "Rubberhose" (after the attack vector). https://en.wikipedia.org/wiki/Rubberhose_%28file_system%29 TrueCrypt has some similar functionalities. Rubberhose doesn't work on modern kernels, so it needs some love from a caring hacker to bring it up to date. :-)


"sort of defense" is right. When the people with rubber hoses know you are using a "deniable" encryption system, they have little incentive to stop beating you after the first, second, or any subsequent decryption.


Exactly. So don't let anybody know & let it decrypt to something plausible. FYI there is no way of distinguishing Rubberhose from a drive with random data.


Unless I have misunderstood you, you distinguish it by the fact that it uses rubberhose to decrypt.


Yes, I think you are right. Badly phrased.

You can nest the volumes. So give attacker A-->B-->C instead of A-->D-->E. Also, there is no way of proving the existence of a hidden volume. It basically makes the Rubberhose attack unreliable as an attack vector. That doesn't mean some poor soul won't be beaten again, it just means that the folks doing the beating aren't so sure this $5 wrench is a decent attack vector.


Another thing he might consider is setting multiple rounds on the SHA512-crypt hash used by default in Ubuntu. Something like 'rounds=512000' would be sufficiently strong for now. That would cause a perceivable delay during logon. Probably about 4 to 5 seconds, but on a single-user laptop that would be just a slight inconvenience. Also he should use an extremely strong/long password that passwdqc approves of.

Doing this would protect against the scenario where he happens to leave a root terminal open and the maid copies his /etc/shadow to a usb drive and gives it to some government agent to crack... well good luck to them.
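Added example, not part of the comment above: a Python check that reads shadow-format lines and reports which accounts use sha512-crypt with fewer rounds than the 512000 the comment suggests. The account names and hash bodies are constructed placeholders; `audit_shadow` is a name chosen for this example.

```python
import re

DEFAULT_ROUNDS = 5000  # sha512-crypt uses 5000 rounds when no rounds= field is present

# Layout of a sha512-crypt entry: $6$[rounds=N$]salt$hash
_SHA512_CRYPT = re.compile(
    r"^\$6\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]{1,16})\$"
    r"(?P<hash>[./0-9A-Za-z]{86})$"
)

def audit_shadow(text, minimum=512000):
    """Return (user, rounds, status) for every account that has a password hash."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1].lstrip("!")  # "!" prefix marks a locked account
        if pw in ("", "*"):
            continue  # no password hash stored for this account
        m = _SHA512_CRYPT.match(pw)
        if not m:
            findings.append((user, None, "not-sha512-crypt"))
            continue
        rounds = int(m.group("rounds")) if m.group("rounds") else DEFAULT_ROUNDS
        findings.append((user, rounds, "ok" if rounds >= minimum else "weak"))
    return findings

# Constructed sample input: hash bodies are filler, not real password hashes.
FAKE = "x" * 86
SAMPLE = "\n".join([
    f"root:$6$rounds=512000$saltsalt${FAKE}:15484:0:99999:7:::",
    f"mike:$6$saltsalt${FAKE}:15484:0:99999:7:::",
    "daemon:*:15484:0:99999:7:::",
    "old:$1$abc$" + "y" * 22 + ":15484:0:99999:7:::",
])

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE):
        print(finding)
```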


Doesn't simply forcing your keychain and ssh/gpg agents to lock when your machine suspends or locks protect you from the ram attacks? I suppose you would still have to ensure your screen lock timeout is low enough and correspondingly annoying enough.

I've just recently been able to stop having any plaintext credentials on my drive, though it takes a bit of work in some security-naive programs like s3cmd: https://github.com/technomancy/dotfiles/commit/da64e1c390421...


PrivateCore is developing a product to defend against physical attacks, including cold boot and DMA: http://www.privatecore.com . We offer stronger security guarantees than what TRESOR can provide. However, we are currently targeted toward the server market and not laptops. More details will be public soon. Feel free to contact me directly if you're interested in learning more: steve@privatecore.com

PS - We are hiring! Especially looking for experienced Linux kernel developers.


This looks pretty awesome. I've messed around with TRESOR and it still feels like a research project.


Author mentions he runs his own VPN on linode.

Does anyone know of a simple step-by-step guide for doing this? I tried once in the past but got stuck (I forget where) and gave up, and instead used a third-party service like StrongVPN, which I'm not too happy with.

I would think it's a common enough use-case that maybe there's a repo I could clone or something to make it super-simple.



Simple SSH and an HTTP proxy on the Linode will allow 99% of your network applications' traffic to tunnel through the Linode. A Layer 3 tunnel adds network overhead while a Layer 7 tunnel just passes the data and minimal control information. (And SOCKS can also pass name resolution along, which is handy)



I was disappointed that there was no mention of side channel attacks and countermeasures.

http://web.mit.edu/press/2012/thwarting-eavesdropping-data.h...

Edit: added link


It's worth noting that—annoying as it is—the soldered RAM modules in the MacBook Air make it resistant to cold boot attacks. Combined with FileVault FDE and the pmset command mentioned by "there," you get a pretty secure setup.


This is cool. What are some plausible attacks via reading memory over firewire or chilling the memory to preserve its state at shutdown?

Also, does anyone know what he does that the security of his laptop merits this level of care?


The main attack is reading the full disk encryption key from the RAM. If you manage that, then you can decrypt the full disk.


Yeah, but how is someone going to get access to the laptop to do that?


The idea behind some of these countermeasures is that if someone steals your laptop, they can't access the data. The article comes from the 'beyond paranoid' side, since cold boot attacks especially require a lot of setup (of course, once you have a laptop, take it to a lab). The firewire attack is as easy as plugging in a cable though, but still requires someone with the know-how to find the password.

For most people, just having an encrypted drive is enough, since their data probably isn't valuable enough for people to go out of their way to steal it. You are mostly trying to protect your data from ordinary thieves.


But these attacks are on the memory... I suppose there is a risk of the machine being stolen while it's turned on?


The whole point of the "Evil Maid", "Cold Boot" and "Firewire" attacks that are described in the blog post, is that physical access to the machine is required in order to pull them off...


This is a very strange question. Presumably they'd get physical access to it using any of the methods anyone ever uses to get physical access to something...


Has anyone done a cost analysis on Prey? Seems like FUD.


Thanks to Prey my friend got his laptop back, with the help of police. I'm pretty sure he was using the free version too, so there really is no 'cost' for an increased chance of getting it stolen. Of course, you should always ensure you have the serial numbers recorded so the police can verify it's the right laptop.


This is fantastic, a few naive questions though:

1. Why not find some permanently-read-only media for the boot drive and then not have to be so paranoid about its physical integrity?

2. Why not leverage the PGP smart card for more things like signin via PAM, etc?

3. Will Wayland help keep processes isolated from an eavesdropping perspective? My understanding is that, worse than Firefox having access to your user files, any X window can read/write from other X windows?


With the read-only media you've got a problem with upgrading the kernel, which, recently, you need to be doing quite often.

As for the PGP smartcard, I've posted a comment on the blog that it could hold the private key used for decrypting the keyfile for the Full-Disk Encryption.


Sorry to double post, but I'd love more information also on using TPM to secure grub to remove the need for a physically secured grub boot. Thanks for anything!


You may want to take a look at tboot: http://tboot.sourceforge.net/

tboot is a version of grub modified to perform a TPM-measured launch of the OS. It's not sufficient by itself to do what you want, but you could build on that by, say, sealing a volume encryption key under that measurement, such that if the boot loader is modified, virtualized, etc., it won't be able to decrypt the volume. (Or less aggressively, sealing a user-secret that is displayed at the grub-menu, allowing you to verify the above, but not completely hosing you if the measurement changes unexpectedly due to a software upgrade etc.)


Another option is the "Trusted GRUB" patch: http://trousers.sourceforge.net/grub.html

tboot as described above requires your system (CPU & chipset dependencies above and beyond the TPM) to support Intel's "Trusted Execution Technology". See, e.g., http://ark.intel.com/search/advanced/?s=t&TXT=true

In either case, you end up with a record (cryptographic hash chain) of what kernel + initrd + config options in some of the TPM's PCRs (Platform Configuration Registers).

I'm not aware of any existing software to protect your FDE (full disk encryption) key by "sealing" (a TPM operation) under those PCRs (i.e., decryption impossible unless they match) and unsealing at boot time, but many of the tricky components already exist as open-source projects. See also: http://trustedjava.sourceforge.net/
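An added illustration of the PCR hash chain and sealing idea discussed in the two comments above (not code from the thread, tboot or Trusted GRUB): a Python model of the TPM 1.2 extend operation and of a key that is released only when the measured boot chain matches. `SimulatedTPM`, `boot_and_unseal` and the component byte strings are constructed for this example; a real TPM is driven through its own software stack.

```python
import hashlib

PCR_RESET = b"\x00" * 20  # TPM 1.2 PCRs are 20-byte SHA-1 values, zeroed at reset

def extend(pcr, component):
    """TPM 1.2 extend: new PCR = SHA1(old PCR || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components):
    """Fold an ordered list of boot components into one PCR value."""
    pcr = PCR_RESET
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

class SimulatedTPM:
    """Models seal/unseal policy only. A real TPM returns an encrypted blob
    bound to PCR values; this model keeps the secret inside the object."""

    def __init__(self):
        self.pcr = PCR_RESET
        self._sealed = {}

    def reboot(self):
        self.pcr = PCR_RESET  # PCRs cannot be written, only reset and extended

    def extend(self, component):
        self.pcr = extend(self.pcr, component)

    def seal(self, name, secret):
        self._sealed[name] = (self.pcr, secret)  # bind to the current PCR value

    def unseal(self, name):
        bound_pcr, secret = self._sealed[name]
        return secret if bound_pcr == self.pcr else None

def boot_and_unseal(tpm, components, name="fde-key"):
    """Measure each stage in order, then ask the TPM for the disk key."""
    tpm.reboot()
    for blob in components:
        tpm.extend(blob)
    return tpm.unseal(name)

# Constructed sample boot chain (placeholder bytes, not real images).
KERNEL = b"vmlinuz-constructed-sample"
INITRD = b"initrd-constructed-sample"
CMDLINE = b"root=/dev/mapper/root ro"
GOOD_CHAIN = [KERNEL, INITRD, CMDLINE]

def demo():
    tpm = SimulatedTPM()
    for blob in GOOD_CHAIN:
        tpm.extend(blob)
    tpm.seal("fde-key", b"constructed-volume-key")
    clean = boot_and_unseal(tpm, GOOD_CHAIN)
    tampered = boot_and_unseal(tpm, [KERNEL + b"-backdoor", INITRD, CMDLINE])
    return clean, tampered

if __name__ == "__main__":
    print(demo())
```

The same property is why a legitimate kernel upgrade also changes the PCR value: the key has to be resealed after every intended change to the measured components.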



