
how do you secure a computer, network with paranoia?


Cpgeek


I work in IT as a combination network administrator and computer consultant. I often get the question "how do I keep my computer secure"; however, despite the normal "best practices" that I typically return to the average people I help regularly, I always think to myself "you know, I can think of a few ways these normal techniques can be circumvented" or "normal computer security techniques would probably be a joke to circumvent for the $name_of_3_letter_intelligence_organization".


So I started thinking... How do government intelligence agencies handle security? If I did want to commit some kind of massive information crime (not that I would ever want to), how could I ensure that nobody could figure out my physical location, and if they did, how could I secure the information on my equipment in such a way that if it were seized and analysed by the best computer forensics experts and cryptanalysts in the world, they would find none of the incriminating information for prosecution?


It occurs to me that most publicly available crypto software is likely not strong enough to resist repeated attempts at circumvention by a government agency with as many resources as the NSA. Is there better software available than BitLocker / FileVault 2 / TrueCrypt / LUKS/dm-crypt? How does one mitigate cold boot attacks? What about mitigating simple coercion? I know that for most standard United States trials the Fifth Amendment gives some protection to people against giving up information in their head, as they can't make you testify against yourself, but what about those people in non-public situations, or outside the United States on a waterboard? A system with authentication expiration would probably be a good idea, somehow integrating a dead man's switch into the mix.


But in all seriousness, in these days of lowered trust in governments and law enforcement officials, with anti-piracy crackdowns and governments like the Koreans and Chinese who have no free speech policies, or simple private communications, how does one create a secure system? Can we really trust the common operating systems we use? Windows? Mac OS X? Even Linux and its associated programs that make up standard distributions, which are completely open source: do they have the code scrutiny to say "yes, this is completely secure!"? I really don't think so. And then, worse, once you get the base system set up (even if you assume it's 100% secure), once you start adding software that you use on a daily basis, things like word processors, video players, graphical window managers, etc., how do we trust that the programs, or the interactions between those programs, will be secure as well?


tl;dr: If you were Batman, Nick Fury, or the CIA's or NSA's CIO, what kind of computer systems would you use, and how would you make sure that they were totally and completely secure? How would you secure their networking? And if someone were to raid and seize these machines, how would you make it so the expert government agency with virtually unlimited resources can't access any incriminating data?


My best guess?

Buy a computer in a random city not near your home. Pay only with cash and immediately wipe the drive. Use Tails as your OS and never connect it to the internet from a privately owned (by you) network. Use anonymous VPN software to do your work online (again, from public APs in cities far from where you live). Never EVER log into any personal websites or anything that can identify you. I'm probably missing a few things but I think you get the point.


Depending on your level of paranoia, video surveillance could be (and probably is) in whatever shop you buy that computer from; it's also possible that if you're already on a powerful intelligence agency's radar, they could trace the currency you use. Using Tails is a pretty good idea IMHO, but Tails has its share of known bugs that continue to crop up that can reveal your PoP, IP and geolocation data, with remote code execution possible. Also, it doesn't include any data storage: how would one secure the ~6 TB of secret information that you create in your lifetime? It's also possible that the place you're connecting from logs MAC addresses at the switch, router, or other managed network infrastructure, enabling them to possibly trace the ownership of the computer or Wi-Fi device you're using.


If you pay in cash it would be really difficult to trace you. By the time anyone figures out you are doing something wrong those bills will be long gone and they won't be able to match it to a bank or company that passed them out. Video surveillance may be an issue but you can easily buy a computer on an online yard sale (again, with cash). Geolocation is not a problem because of the anonymous VPN. The egress point of all traffic would appear to come from elsewhere. Even if it was traced back to the original location we come back to my point of being in a city far from your home. You would travel for a legitimate purpose then do your hacking during that time. Who cares if the MAC address is logged at the switch/router. All that proves is that device was there (among hundreds of other devices) but does not prove who used it.

The only thing I don't have an answer for is securing your TBs worth of data. There are many solutions to this today but as we all know, today's solution is tomorrow's vulnerability.

Edited by sud0nick

I'd have separate public and private networks and retain an air gap between them. The private network uses switches that only accept the allowed MAC address on the designated port. Wireless networking is strictly forbidden. FIPS 140-2 is where things start. Your hard disk is encrypted. All network traffic is encrypted. The only USB port that works is the one on MY machine, and when people want to extract a file from the private network they'd have to go through me (if my criminal hive was sufficiently large, I'd possibly allow some of my lieutenants to handle this, but nothing below that).

As for the public network, fuck it. I'd rob Fort Knox and use the money to buy some damned impressive hosting and some pimply-faced youths to design the most spiffy-looking web presence. If it gets hacked... Meh. No sweat off my back.


Had a thought the other day: wrote a program that essentially created a file called encrypted.bin and filled it with random data. Called it redherring.exe or something. Bet they would have fun trying to crack that "encryption". Could just as easily encrypt a meaningless string message like "If you cracked this file you had way too much time on your hands" * 1000 with cipher block chaining and a random password of massive length. The only problem with the program I wrote is that it does not necessarily create even-numbered bytes, which would give it away, so will have to tweak it later.

Other anti-forensics could be employed as well. Have heard of people creating programs which delete the file tree when certain actions are taken, or certain commands are run. Oftentimes, however, a forensic investigator will simply unplug the machine for dead forensics rather than tripping some subroutine on the computer. There are some live forensics programs out there; these collect the contents of RAM etc., and there are some programs out there which detect these live forensics programs and run the deletion routines when they encounter them. I thought it would be really cool to make a Raspberry Pi project with associated robotics for the purpose of firing a bullet directly down into the connected drives when some parameter is encountered. I don't have the mechanical inclination to pull something like this off, however.

Could also use salting or an initialization vector for your encryption, which would complicate things immensely. Encryption works; it's just a matter of finding some settings which will complicate things for a nation state. Nuke on delete is a registry setting which will tell the OS to immediately repurpose deleted files on deletion, on Windows. You probably don't want to use Windows anyway: too much opportunity for metadata recording. Word records username metadata which could be used against you, as well as date etc.

Defragging does obliterate some data from deleted files, but should not be relied on. Special software should be relied on for securely deleting files. Oftentimes solid state drives will become forensically unsound after a certain amount of time because of the built-in garbage collection routines, so you could successfully argue that since the drive hash does not match the original hash, the data must therefore not be your data because it has changed. I know, isn't legal semantics fun?
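An added example, not code from the post above: the decoy-file and secure-delete ideas written out in Python. It assumes the "even-numbered bytes" remark refers to the file length not being a multiple of the cipher's block size (a CBC ciphertext with PKCS#7 padding is always a whole number of 16-byte AES blocks), so the decoy is block-aligned, and it shows the two cheap checks an examiner would run on such a file (alignment and byte entropy). The overwrite-then-unlink routine carries the caveat the post touches on: on SSDs and copy-on-write or journaling filesystems an in-place overwrite is not a guarantee. File names and sizes are constructed for the demo.

```python
import math
import os
import tempfile
from collections import Counter

BLOCK_SIZE = 16  # AES block size; a CBC ciphertext is always a multiple of this


def make_decoy(path: str, approx_size: int, block_size: int = BLOCK_SIZE) -> int:
    """Write a file of random bytes whose length is a whole number of cipher blocks.

    A decoy of arbitrary length fails the trivial `len % 16 == 0` test that real
    CBC output passes. Returns the number of bytes written.
    """
    blocks = max(1, -(-approx_size // block_size))  # ceiling division
    size = blocks * block_size
    with open(path, "wb") as fh:
        fh.write(os.urandom(size))
    return size


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (8.0 is the maximum). Ciphertext and os.urandom
    output both sit close to 8.0; plaintext or a file with a header does not."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_block_ciphertext(path: str, block_size: int = BLOCK_SIZE) -> bool:
    """Block alignment plus high entropy: the first two checks an examiner runs."""
    with open(path, "rb") as fh:
        data = fh.read()
    return len(data) % block_size == 0 and shannon_entropy(data) > 7.9


def secure_unlink(path: str, passes: int = 1) -> None:
    """Overwrite a file in place with random bytes, fsync, then unlink.

    Caveat: on SSDs (wear levelling, garbage collection) and on copy-on-write or
    journaling filesystems the new bytes may land elsewhere and the old blocks can
    survive. Full-disk encryption plus destruction of the key is the reliable path.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 1 << 16)
                fh.write(os.urandom(chunk))
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())
    os.unlink(path)


def demo(size: int = 65536) -> dict:
    """Create a decoy in a temp dir, run the checks, wipe it; return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "encrypted.bin")   # constructed name, as in the post
        written = make_decoy(path, size - 5)         # deliberately unaligned request
        with open(path, "rb") as fh:
            entropy = shannon_entropy(fh.read())
        plausible = looks_like_block_ciphertext(path)
        secure_unlink(path)
        return {"written": written, "entropy": entropy,
                "plausible": plausible, "gone": not os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

Requesting 65531 bytes yields a 65536-byte file; the entropy of that much random data comes out just under 8.0 bits per byte, which is also what a genuine ciphertext would show, so the two files are indistinguishable by these checks alone.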



Pretty sure they use Dell, and Windows 7.

Kali has a pretty cool patch to lukscrypt. They have a luksnuke addition that if the nuke password is used, it wipes the keyfiles from the drive. Even if you use the proper password after that it still can't decrypt the drive. That's how I have my laptops set up.

Edited by barry99705

Simple answer: you can't protect yourself if they want to get you. Look at LulzSec, DPR and similar guys; most were very, very clever and put a lot of effort into hiding, but still got caught.

So I suppose the appropriate response would be to document the technical and social bugs that were exploited in the big long line of hackers who have been caught and create protocols for avoiding similar problems.


The most secure way would be to become really, really restrictive. For every service on every machine you'd have a list of machines that are allowed to access it and, per machine, the user who's allowed to access it. Any access goes to an audit log in full and is scanned for possible tampering at the protocol level. You can do this right now and it wouldn't be hard to do either. The problem is that the administration of it all will be an absolute nightmare. People are inherently lazy and as DigiNinja pointed out that laziness is a threat. Your users will be lazy so when the appserver, in response to a request, needs to access the database server, it will do so with generic credentials that identify the appserver rather than the currently logged-in user because it's simply easier to set up, easier to test and easier to maintain. Your admins will be lazy because they have a gazillion other things to do today and creating a machine-level account on the DB is *FAR* less work than meticulously authorizing the various users of a system for access to that machine.

Look at the network you're adminning. Check out the users list. If not applicable, imagine your company having more than 100 employees. How many of them currently still work at the company? How many actually worked at the company to begin with, as opposed to being contractors? Does the user list show this distinction? Is their access appropriately limited? Are you sure about your answers, or is it an educated guess?
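An added example, not the poster's own code, of the two things the post above describes: a per-service, per-host, per-user allow-list whose every decision goes to an audit record (with the generic "appserver identity" credential refused rather than quietly accepted), and the user-list review the closing questions ask for, flagging accounts no longer on the HR active list, contractors past their end date, and accounts that are never used. The policy, host names, accounts and dates are all constructed for the demo.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample policy, not taken from any real network:
# service -> source host -> the human users allowed to reach it from that host.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "db01:5432": {"app01": {"alice", "bob"}, "admin-jump": {"alice"}},
    "app01:443": {"proxy01": {"alice", "bob", "carol"}},
}

# Machine identities. The appserver talking to the database "as itself" is the
# shortcut the post describes; refusing it forces the real user to be named.
GENERIC_ACCOUNTS: Set[str] = {"app01-svc", "svc", "appserver"}


def authorize(service: str, src_host: str, user: str, audit: List[str]) -> bool:
    """Evaluate one request against the allow-list and append a full audit record."""
    allowed = POLICY.get(service, {}).get(src_host, set())
    if user in GENERIC_ACCOUNTS:
        verdict = "DENY generic-credential"
    elif user in allowed:
        verdict = "ALLOW"
    else:
        verdict = "DENY not-in-allowlist"
    audit.append(f"{service} <- {src_host} user={user}: {verdict}")
    return verdict == "ALLOW"


@dataclass
class Account:
    name: str
    kind: str                     # "employee" or "contractor"
    last_login: Optional[date]    # None = never logged in
    contract_end: Optional[date] = None


def stale_accounts(accounts: List[Account], hr_active: Set[str], today: date,
                   max_idle_days: int = 90) -> List[Tuple[str, List[str]]]:
    """Who no longer works here, which contractors ran past their end date,
    and which accounts nobody uses. Returns (name, reasons) per flagged account."""
    findings = []
    for acct in accounts:
        reasons = []
        if acct.name not in hr_active:
            reasons.append("not on HR active list")
        if acct.kind == "contractor" and acct.contract_end and acct.contract_end < today:
            reasons.append("contract ended")
        if acct.last_login is None or (today - acct.last_login).days > max_idle_days:
            reasons.append("idle")
        if reasons:
            findings.append((acct.name, reasons))
    return findings


def run_demo() -> Tuple[List[str], List[Tuple[str, List[str]]]]:
    audit: List[str] = []
    authorize("db01:5432", "app01", "alice", audit)       # allowed
    authorize("db01:5432", "app01", "app01-svc", audit)   # generic credential
    authorize("db01:5432", "app01", "carol", audit)       # not listed for this host
    authorize("db01:5432", "laptop-7", "alice", audit)    # right user, wrong host

    today = date(2015, 6, 1)  # constructed
    accounts = [
        Account("alice", "employee", date(2015, 5, 28)),
        Account("bob", "employee", date(2014, 11, 1)),                         # left
        Account("carol", "contractor", date(2015, 5, 30), date(2015, 3, 31)),  # contract over
        Account("dave", "employee", None),                                     # never used
    ]
    hr_active = {"alice", "carol", "dave"}
    return audit, stale_accounts(accounts, hr_active, today)


if __name__ == "__main__":
    audit_log, flagged = run_demo()
    print("\n".join(audit_log))
    print(flagged)
```

Only the first request is allowed; the other three produce DENY records that say why. The review flags bob (gone and idle), carol (contract ended but still logging in) and dave (never logged in), while alice is clean.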


So I suppose the appropriate response would be to document the technical and social bugs that were exploited in the big long line of hackers who have been caught and create protocols for avoiding similar problems.

This would be an interesting continuance of this thread. How would we go about researching such things?


I would've expected exploit-db and the long list of CVE's to provide sufficient insight for the technical side of things. Caught hackers should only be used for insight into the social exploitations that have occurred, but I don't think most of those take a particularly large amount of imagination.


As well as laziness, trust is a big part of security, whether you are a good guy or a bad one. As a good guy you have to trust that, as well as you doing all the right things, all your fellow admins and users are also doing the right things; this is rare. As a criminal you have to trust all your accomplices; once one turns, everyone else is at risk. Think Sabu.

I'll also throw greed in. I was out with one of the LulzSec guys last week and we were talking about criminals getting caught because they want just one more score, one more robbery, one more shell. It's very addictive, made even more so if you've not been caught so far, as you feel invincible.


For cold boot attacks, I can only find a few answers, like "don't let anyone steal your laptop" and "make sure it's powered off when you're not using it". One thing I've always wondered is how I can be sure my system hasn't been tampered with. Yes, I have an encrypted drive, but no, my boot sector obviously can't be encrypted. I suppose I could boot from a USB stick and verify its integrity somehow before rebooting. Could use Arch, or something else that comes small and boots fast, to create a utility to boot, check, display an OK or danger message, and reboot. But I have no idea where to start to mitigate a BIOS modification. What vectors can be used to modify the BIOS, and how would one test for or resolve issues? I completely expect what the three-letter agencies used yesterday to be used by criminals tomorrow.
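An added example of the "boot from USB, check, show OK or danger" utility the post sketches; it is not the poster's code. It hashes the boot files and the raw first sector of the disk into a manifest, MACs the manifest with a key that lives on the verifier stick (so an attacker who edits a boot file cannot simply re-hash and edit the manifest), and reports OK or DANGER with the list of what changed. The /boot files and the "disk" are constructed stand-ins in a temporary directory. Caveat: this catches changes to the files and boot sector it covers; it says nothing about the BIOS/firmware the post asks about, which needs firmware-level support (measured boot with a TPM, for example) rather than a script.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List, Optional, Tuple

SECTOR = 512  # the first sector holds the MBR / boot code on a BIOS system


def sha256_of(path: str, limit: Optional[int] = None) -> str:
    """SHA-256 of a whole file, or of its first `limit` bytes (raw boot sector)."""
    with open(path, "rb") as fh:
        data = fh.read() if limit is None else fh.read(limit)
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: List[str], key: bytes,
                   boot_sector_of: Optional[str] = None) -> Dict:
    """Hash each boot file plus the first sector of the device, then HMAC the
    list so a manifest kept on the USB stick is itself tamper-evident."""
    entries = {p: sha256_of(p) for p in files}
    if boot_sector_of:
        entries[boot_sector_of] = sha256_of(boot_sector_of, SECTOR)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "boot_sector_of": boot_sector_of,
            "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest: Dict, key: bytes) -> Tuple[str, List[str]]:
    """Return ("OK", []) or ("DANGER", [what differed])."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return "DANGER", ["manifest tag mismatch (manifest edited or wrong key)"]
    problems = []
    for path, expected in manifest["entries"].items():
        limit = SECTOR if path == manifest["boot_sector_of"] else None
        try:
            actual = sha256_of(path, limit)
        except OSError:
            problems.append(f"{path}: missing")
            continue
        if actual != expected:
            problems.append(f"{path}: hash changed")
    return ("OK" if not problems else "DANGER"), problems


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed /boot with three small files and a 1 KiB 'disk'."""
    key = os.urandom(32)  # belongs on the verifier stick, never on the checked disk
    with tempfile.TemporaryDirectory() as tmp:
        files = []
        for name, content in [("vmlinuz", b"kernel image"),
                              ("initrd.img", b"initramfs"),
                              ("grub.cfg", b"set timeout=5\n")]:
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            files.append(path)
        disk = os.path.join(tmp, "sda")
        with open(disk, "wb") as fh:
            fh.write(os.urandom(1024))
        manifest = build_manifest(files, key, boot_sector_of=disk)

        results = {"clean": verify_manifest(manifest, key)}

        with open(files[2], "ab") as fh:          # attacker appends to grub.cfg
            fh.write(b"linux /evil\n")
        results["tampered"] = verify_manifest(manifest, key)

        # Attacker re-hashes the edited file into the manifest but has no key.
        manifest["entries"][files[2]] = sha256_of(files[2])
        results["forged"] = verify_manifest(manifest, key)
    return results


if __name__ == "__main__":
    for label, (status, problems) in demo().items():
        print(f"{label}: {status} {problems}")
```

The clean run reports OK; the edited grub.cfg produces DANGER with exactly that file named; and the attacker's attempt to "fix" the manifest without the key fails the tag check before any file is even looked at.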


What would it take, you think, for such an agency to target you in such a way? Are you really that interesting to them?

How much time would it take for someone in possession of your laptop to somehow tamper with your laptop in such a way that all keypresses are either stored or communicated out? Like, would they have to screw it open to do the mod or do you think they can do a soft-mod?

You could/should have two-factor authentication when the bootloader requests input from you to decrypt the hard drive. Something like having your passphrase XORed with a code that's on a USB drive you have or, better yet, your mobile: something you'd notice to be missing quite quickly and you're not in the habit of leaving behind when you go anywhere, with or without your laptop.
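An added example that serves two posts in this thread: barry99705's description of Kali's LUKS nuke (a special passphrase that destroys the key material so the real passphrase no longer works) and the two-factor unlock suggested just above. It is a toy model written for this page, not cryptsetup's on-disk format or code: each key slot holds a salt, the master key XOR-wrapped with a scrypt-derived pad, and an HMAC so the right secret can be recognised; the two-factor slot derives its secret from the passphrase and a key file together (length-prefixed rather than XORed, so that neither factor alone, nor a different split of the same bytes, reproduces it); the nuke slot has no key behind it, and presenting its passphrase overwrites every slot. The scrypt cost is set deliberately low so the demo runs quickly.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

# Deliberately cheap KDF parameters for the demo; a real header would use far more.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 12, 8, 1


def _kdf(secret: bytes, salt: bytes) -> bytes:
    # 64 bytes: first half wraps the master key, second half keys the HMAC.
    return hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)


@dataclass
class Slot:
    salt: bytes
    wrapped: bytes      # master key XOR pad (random junk for a nuke slot)
    tag: bytes          # HMAC-SHA256(mac_key, wrapped): identifies the right secret
    nuke: bool = False


@dataclass
class Header:
    slots: List[Slot] = field(default_factory=list)


def _secret(passphrase: str, keyfile: Optional[bytes]) -> bytes:
    """Combine the factors: length-prefixed passphrase followed by the key file."""
    pw = passphrase.encode()
    return len(pw).to_bytes(4, "big") + pw + (keyfile or b"")


def add_slot(hdr: Header, master_key: bytes, passphrase: str,
             keyfile: Optional[bytes] = None, nuke: bool = False) -> None:
    salt = os.urandom(16)
    dk = _kdf(_secret(passphrase, keyfile), salt)
    pad, mac_key = dk[:32], dk[32:]
    wrapped = os.urandom(32) if nuke else bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    hdr.slots.append(Slot(salt, wrapped, tag, nuke))


def _wipe(hdr: Header) -> None:
    """Overwrite every slot with random bytes; no passphrase can recover the key now."""
    for s in hdr.slots:
        s.salt, s.wrapped, s.tag, s.nuke = os.urandom(16), os.urandom(32), os.urandom(32), False


def unlock(hdr: Header, passphrase: str, keyfile: Optional[bytes] = None) -> Optional[bytes]:
    """Return the master key, or None. A matching nuke slot wins over any regular
    slot: the header is destroyed and nothing is returned."""
    secret = _secret(passphrase, keyfile)
    found = None
    for s in hdr.slots:
        dk = _kdf(secret, s.salt)
        pad, mac_key = dk[:32], dk[32:]
        if not hmac.compare_digest(hmac.new(mac_key, s.wrapped, hashlib.sha256).digest(), s.tag):
            continue
        if s.nuke:
            _wipe(hdr)
            return None
        if found is None:
            found = bytes(a ^ b for a, b in zip(s.wrapped, pad))
    return found


def demo() -> dict:
    master_key = os.urandom(32)
    keyfile = os.urandom(64)            # the "something you have" on the USB stick
    hdr = Header()
    add_slot(hdr, master_key, "correct horse", keyfile)      # two-factor slot
    add_slot(hdr, master_key, "scorched earth", nuke=True)   # nuke slot
    results = {
        "both_factors": unlock(hdr, "correct horse", keyfile) == master_key,
        "passphrase_only": unlock(hdr, "correct horse") == master_key,
        "keyfile_only": unlock(hdr, "", keyfile) == master_key,
    }
    unlock(hdr, "scorched earth")       # coerced party types the nuke passphrase
    results["after_nuke"] = unlock(hdr, "correct horse", keyfile) == master_key
    return results


if __name__ == "__main__":
    print(demo())
```

Only the passphrase together with the key file recovers the master key; after the nuke passphrase has been entered once, the correct pair no longer works either, which is the behaviour the Kali post describes.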


For coldboot attacks, I can only find a few answers. Like "don't let anyone steal your laptop", and make sure it's powered off when you're not using it. One thing I've always wondered, is how can I be sure my system hasn't been tampered with.

Who are you expecting to tamper with it? The attacker determines the defenses.

I completely expect what the three-letter agencies used yesterday to be used by criminals tomorrow.

Unfortunately, as defenders we are often behind; we need to know the attacks being used in order to defend against them. We can predict some, but as soon as we launch the defenses the attackers change strategies.

