Hi,

After following an article that I have been blogging about. I have been wondering how one secures their workstation and or server from such physical attacks, etc.

After reviewing a post located here. I have decided the full disk encryption is actually quite dangerous given the threat model I am putting forward.

Before asking my question I would like to tell you what I am using OpenSuSE 10.2 Linux and its file encryption system that it comes with along with Jetico Best Crypt. After reviewing the article from news.com I now have a few questions.

How "strong" is the encrypted file system on OpenSuSe against such attacks?

How does one shut off firewire in Linux?
How does one configure OpenSuSE Linux or any Linux to promote plausible deniability?

Do I create a new user account then partition an encrypted directory to create this deniability?

How does one protect Workstations and Servers from physical attacks if they take your computer e.g a warrant etc.

How does one stop RAM from caching the key to your encrypted file system? Is there a way to prevent this form happening?

If such an official takes my wares and returns it, how would I know I am compromised with a root kit? Would chkrootkit and rkhunter even pick said root kit up?



if some one out there with knowledge on this subject could help me on my quest I would greatly appreciate it!

So how does the theory of plausible deniability go?


How does RAM work? Can a position hold 1 or more values simultaneously at the same time? How does overwriting a value work? How would you envision that you would work seamlessly with a encrypted file system if you don't store the key somewhere?


Almost all articles handle about Windows. As far as I've read they didn't plant rootkits but keyloggers. A rootkit is a toolkit but it just sounds more exhilarating for the cheap thrill craving audience. In GNU/Linux you'd just boot off a Live CD (since the VFS is dead there's few places for them to hide stuff statically) and verify the installation using a package manager (if capable), a file integrity checker like Aide, Samhain or even tripwire (if deployed before the incident) before moving to more specialist tools (forensics).


Sorry for this OT remark and with all due respect but your web log article does not contain any added value in terms of creativity or originality compared to the original one. Maybe it's me but just copying over an article doesn't seem web logging to me.

>How "strong" is the encrypted file system on OpenSuSe against such attacks?
Assume that it's as strong as the password and encryption method. If you use "dog" as your password a dictionary attack can comprimise it in a few seconds.

>How does one shut off firewire in Linux?
Train the driver to not load at boot. Load it manually when you need it with insmod and rmmod it when finished.

>How does one configure OpenSuSE Linux or any Linux to promote plausible deniability?
Depends on who the expert witness is. Currently drive encryption is considered a best effort if you use a strong password for the key, and also use a strong password on all of your accounts. I believe that this will become less so as time goes on. The sensitive data shouldn't be there in the first place unless you are busily working with it.

>How does one protect Workstations and Servers from physical attacks if they take your computer e.g a warrant etc.
You can't. Even if you zap the drive they can recover the data. Good encryption with a strong password just makes it take a lot longer.

>If such an official takes my wares and returns it, how would I know I am compromised with a root kit?

Depends on the root kit. Root kits alter the perception of the programs running on the computer so they can't see the rootkit. A well written rootkit is virtually undetectable, especially if it was written to elude rootkit detectors. Eventually the author of the detector will figure out how to detect it and it will be detectable. You have to know it's there first. It's an arms race, just like virus detection. You won't be able to find a well written new 0day root kit by yourself.

An IDS/packet sniffing (to see if your machine is sending packets to an unknown host) can help as can scanning the machine from the outside for new ports. It's still an arms race. If you are that concerned about your OS being altered, format the drive(and make sure you rewrite the boot sector), then patch the bios with the latest bios update (from a boot floppy) and reinstall the OS.

If someone else physically takes possession of your machine, they can always eventually compromise it if they know what they are doing. Encrypting the drive just slows them down.

In the case of border inspections, they could just ghost the drive, give you your laptop back 20 minutes later, then crack it at their leisure. Don't think there won't be a black market created over this. There will be id theives etc paying corrupt border inspectors off for drive images.

My favorite statement applies: "If man made it, man can break it." (by me)

All it takes is talent, time, and the right toolset.

For you, I'll make up another quote "If it has value, someone will be bribed for it.". Government officials don't always get paid very well. Everyone wants a new TV or car.

Kudos for noticing the security implications of these developments. Hopefully your employer appreciates your diligence.

The best advice you could possibly give your readers is to get a second laptop for traveling across borders and only take what they need for the trip on the drive. Assume that everything on there can and will be seen no matter what security precautions they take. If you expect this to happen, and prepare accordingly, it won't cause any trouble.

Alternately just get a second hard drive and swap it out with a stripped down clean one when flying.

The minute you think you can't be compromised, or that it's even possible to be 100% secure you have already lost the fight.

It'd be pretty smart to set up a couple of laptops for this purpose, have them hand in their local laptop, for a specially prepared "customs proof" one that always has a fresh copy of your image on it and is preinstalled with the VPN connection and _no data_. When they bring it back, simply ghost your image back over it so it's cleaned up for the next person. You might want to do a cursory check of the drive to find out what they gave customs, then do some damage control if you find something.

There's absolutely no reason for any sensitive data to be on a laptop while flying. They should VPN to the office from the destination to get this stuff when they need it, then promptly delete it with shred when they are finished, before heading to the airport, or even going to lunch. While not 100% effective this is damn close. It's definitely more effective than encryption by itself.

If they leave the office with a clean drive, then shred it all before leaving to come back you can't go wrong. You could even write a script that completely destroys all data on the drive, for them, before they leave at the end of their trip.

Doing that would hold up in any court of law as a best effort and is future proof. It's really hard to steal data that's not there and has been clobbered, even in deleted and encrypted form.

If you do this, the customs agents will take one look at it, and just move on to the 3 year old dell the next guy has, which has a gold mine on it (his entire life) and a sticky with the encryption password on the flat spot at the top of the keyboard or in his wallet (which they will also search 8)

When faced with a tough nut to crack and a shiny juicy apple, people tend to toss the nut in the trash and eat the big juicy apple.

"Suspicion breeds confidence" - Fyodor(author of nmap)

-Viz

Thats very good news and relieves my stress a bit

How does one "train the driver not to load" or better yet, Would uninstalling the packages to the firewire helps kill it?





That is some very good advice! So if I went onto the machine and actually run Nmap against it locally, would that help? Or do I have to be on another machine for the analysis. What program would I use for an IDS/packet sniffing?

So true!

That would make an awesome tee shirt!

Very true and wise words.

Thank you for your kind words and help .

Thats an awesome response and veer throughly detailed I very much appreciate your help and expertise on this subject! It has truly been invaluable.

Again thank you so much.

So how strong is that in absolute terms? And compared with what? Any pointers?


How would you configure SUSE to have any chance at plausible deniability? Please give some examples. Let's say the machine gets imaged by the CBP (Live, in a forensically sound way and on entry and exit), the hidden material is binary format, doesn't exceed 5MB in total uncompressed and has to be accessable while in the country.


Have you actually played with rootkits yourself? No running kernel, no hiding place for processes. I'll just boot a Live CD. Just have to know where to look.


Nice to use hedges like "well-written" and "0-day" but how many new, kernel 2.6-capable rootkits have left PoC stage the past five years?


Do you really think that, practically speaking, any agency would have planted *a rootkit* if they had the chance? And even if they did, they would be that stupid to make it "phone home"?


Yeah, that I can agree with.

Lets say to Bit locker or File Vault etc.




Where would you look? How do you know how to spot them? What should one look out for.



o.k. How many has there been?



Yes, because they have done some really daft things in the past.

There's some rootkit threads in this forum. Maybe you should go read some. Those threads and the docs referred to contain enough hooks to get the picture. If you're still interested after that we can go into details.

With respect to your other remarks (and I don't know how well you actually read posts) those are apparently in reply to what I'm asking rg.viza. I'm waiting for him to answer those, however I doubt he will.