
Protecting a Laptop From Sophisticated Attacks

mike_cardwell sends in a detailed writeup of how he went about protecting an Ubuntu laptop from attacks of varying levels of sophistication, covering disk encryption, defense against cold boot attacks, and even simple smash-and-grabs. (He also acknowledges that no defense is perfect, and the xkcd password extraction tool would still work.) Quoting: "An attacker with access to the online machine could simply hard reboot the machine from a USB stick or CD containing msramdmp to grab a copy of the RAM. You could password protect the BIOS and disable booting from anything other than the hard drive, but that still doesn't protect you. An attacker could cool the RAM, remove it from the running machine, place it in a second machine and boot from that instead. The first defense I used against this attack is procedure based. I shut down the machine when it's not in use. My old Macbook was hardly ever shut down, and lived in suspend to RAM mode when not in use. The second defense I used is far more interesting. I use something called TRESOR. TRESOR is an implementation of AES as a cipher kernel module which stores the keys in the CPU debug registers, and which handles all of the crypto operations directly on the CPU, in a way which prevents the key from ever entering RAM. The laptop I purchased works perfectly with TRESOR as it contains a Core i5 processor which has the AES-NI instruction set."
  • by chill ( 34294 ) on Friday August 26, 2011 @05:44PM (#37223302) Journal

    Fairly easy to detect, if you have access to the target machine multiple times.

    Take bit-level snapshot of hard drive on first visit.

    On subsequent visits, take bit-level snapshots and compare them. If the "random" data changes between snapshots, then something is touching it and your plausibility goes out the window.

  • Re:Bullshit! (Score:4, Informative)

    by TheCarp ( 96830 ) <sjc@NospAM.carpanet.net> on Friday August 26, 2011 @05:57PM (#37223412) Homepage

    It is a theoretical possibility and has been shown to be possible.

    Let's be honest though.... it is just not that likely of an attack. Let's not forget you can't encrypt your initrd... Unless you store your boot partition on a USB key and carry it with you, then it can be modified by an attacker. All he has to do is reboot the machine, install a key logger in the initrd, and get the passphrase the next time you type it in.

    That or install one between the keyboard and machine. Hell, can probably do everything he needs from the USB bus. Did they ever fix that USB bus problem where a USB device could get full DMA without any OS help required? Hell the USB device could even be installed inside the laptop so it's active and invisible while you use it.

    That's before we even talk about things like, installing a pinhole camera to record your keystrokes....oh or using audio, as it's been demonstrated that you can reliably recover typed information from recordings of the typing.

    Without physical security there is no security. You can't prevent your hardware from being booby trapped... and there are people out there with entire labs devoted to producing this sort of clandestine equipment. Hell, the FBI is known in some instances to have put a tarp in front of a whole house at night, with a print of the original house on it...just so they could work undetected.

    It's all a matter of who wants your data and what they are willing to get it.

    -Steve

  • by stderr_dk ( 902007 ) on Friday August 26, 2011 @08:55PM (#37224602) Homepage Journal

    Let me put my tinfoil hat on for a moment... Beatings aren't necessary, the US gov't can simply use the NSAKEY [google.com] to decrypt anything encrypted using Microsoft libraries...

    This story is about an Ubuntu laptop. I doubt any Microsoft libraries were used.
