Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Saturday November 19 2022, @10:18PM   Printer-friendly
from the stay-safe-and-secure dept.

We all know that when somebody gets unauthorised access to your computer hardware that security is out of the window! But what if you have to leave your hardware unattended but ostensibly in a 'secure' location - your hotel room or somebody else's home? fab23 has submitted this article on what you can do if that is the case:

The SANS Internet Storm Center published the guest diary Evil Maid Attacks - Remediation for the Cheap:

The so-called evil maid attack is an attack against hardware devices utilizing hard- and/or software. It is carried out when the hardware is left unattended, e.g., in a hotel room when you're out for breakfast. The attacker manipulates the device in a malicious way, e.g.:

There are several ways to minimize the risk of an unnoticed, successful evil maid attack. Which road you go depends on your personal threat model (and your budget, of course).

[...] If you want to have a cheap solution to be reasonably sure nobody messes unnoticed with your device when you have to leave it alone, you may carry out some countermeasures, e.g.:

Seal all screws with nail polish or glue with glitter pieces in it, and take pictures that are stored offline so that you will be able to spot manipulations

Seal not needed peripheral interfaces (e.g. USB ports)

Lock needed peripheral ports with tamper-proof solutions (e.g. one-time locks which have to be destroyed to access the port)

Leave the device in the bootup password prompt of the FDE (Full Disk Encryption) password:

  • Reboot your device to the FDE password prompt

  • and enter the first few chars of the correct password (important!)

  • make sure the device stays in this mode till you return (e.g. has enough power or the power supply is plugged in, disable energy saving settings, ...)

  • When you're back, enter the rest of the FDE password, and if the device boots, then you could be reasonably sure it hasn't been tampered with. Of course, you have to examine the device physically thoroughly, e.g., the screws, peripheral ports, seals, etc. One important precondition for this to work is that the FDE boot code allows the password prompt to stay as it is after entering some chars. Fedora 7 and Ubuntu 20.04 seem to work, but Bitlocker (Windows) does not. Is this bulletproof? No. Will this be reasonably secure? Depends on your threat model. But it's definitely better than doing nothing, having the OS left up and running, or having the device powered off completely. Stay safe and secure!

So, if you absolutely have no other option, what do you do to ensure that your data remains as secure as possible?


Original Submission

 
This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 2, Funny) by Anonymous Coward on Saturday November 19 2022, @10:57PM (1 child)

    by Anonymous Coward on Saturday November 19 2022, @10:57PM (#1280557)

    So, if you absolutely have no other option, what do you do to ensure that your data remains as secure as possible?

    https://en.wikipedia.org/wiki/Snow_Crash [wikipedia.org]

    Inspired by Snow Crash, I've wired my laptop to a suitcase nuke. If anyone tampers with it, we'll all know about it!

    • (Score: 4, Funny) by driverless on Sunday November 20 2022, @06:39AM

      by driverless (4770) on Sunday November 20 2022, @06:39AM (#1280616)

      Friend if mine puts his laptop on top of the clicker for a Claymore mine, with the mine under the laptop. Anyone tries to tamper with it gets shredded.

      Only downside so far is that he has to get a new laptop every time he rigs one like this, but it's a small price to pay I reckon.

  • (Score: 1) by AlwaysNever on Sunday November 20 2022, @12:33AM (5 children)

    by AlwaysNever (5817) on Sunday November 20 2022, @12:33AM (#1280566)

    I don't see the point of so many things to do.

    If you are using full disk encryption, and you left your device powered off, what could an evil maid do apart from stealing it?

    If you are worried of someone inserting a hardware keylogger inside your laptop, you have bigger problems in life than computer security!

    • (Score: 5, Insightful) by Immerman on Sunday November 20 2022, @12:57AM (2 children)

      by Immerman (3985) on Sunday November 20 2022, @12:57AM (#1280569)

      >what could an evil maid do apart from stealing it?

      Clone the hard drive and install hardware keyloggers? That lets them access everything as soon as you log in, and the logger calls home (or the maid extracts it the next time you're away)

      Install a low-profile "evil usb drive" that can issue commands (as a keyboard/mouse) to do... basically anything.

      Even if you're really good about never dealing with sensitive information on your laptop, it can still offer an intrusion vector into more secure networks

      >If you are worried of someone inserting a hardware keylogger inside your laptop, you have bigger problems in life than computer security!

      I wasn't aware that having a sensitive job was inherently a problem? *Anyone* working with sufficiently sensitive information has a huge target painted on their back. Acquiring military, political, and corporate secrets are all big business - when billions are on the line, unethical players can be willing to pay enormous amounts for a decisive edge. And ethical people rarely get the chance to play the game at that level in the first place.

      • (Score: 1) by shrewdsheep on Sunday November 20 2022, @01:22PM (1 child)

        by shrewdsheep (5215) on Sunday November 20 2022, @01:22PM (#1280664)

        I would be curious to know whether there are reported instances of the attach you outline. This would seem to be an operation at the nation state level (like stucnet). On another note, are there any known hardware-keyloggers that can bypass the OS to get information out?

        • (Score: 4, Interesting) by Immerman on Sunday November 20 2022, @05:02PM

          by Immerman (3985) on Sunday November 20 2022, @05:02PM (#1280691)

          Yeah, that's about the level I suspect it becomes commonplace. Consider though that many modern corporations have larger budgets than most nation-states, and industrial espionage has a -long- history.

          As for reported instances? Of drive cloning? I doubt they'd ever know. I know I've heard of "evil drives" in the media.

          As for keyloggers calling home - it seems like it should be easy enough to do, so I assume they're out in the wild. One thought that occurred to me shortly after posting was that you wouldn't need to physically retrieve the logger - just be able to make it transmit its recordings so it could be later read from a distance. And there's no need to even go all cloak-and-dagger about it - the easiest way to bypass the OS is to entirely bypass the computer. The keylogger could easily have its own wifi antenna to quietly watch for open networks and send data home from anywhere. Or it could connect to the cellular phone network. The hardware has gotten tiny, and the laptop provides ample power.

    • (Score: 2) by aafcac on Sunday November 20 2022, @01:01PM

      by aafcac (17646) on Sunday November 20 2022, @01:01PM (#1280662)

      If people are really that concerned, they shouldn't be leaving it unattended. But, the next best thing would be to not have a disk in it and only boot from a USB drive that you take with you everywhere. Not that it is lacking in risk, somebody could probably still add a hardware keylogger or mess with the bios to send the information over the net. But, that's not really the easiest thing to do.

    • (Score: 0) by Anonymous Coward on Sunday November 20 2022, @06:25PM

      by Anonymous Coward on Sunday November 20 2022, @06:25PM (#1280701)

      Cameras, microphones or even TEMPEST[1] stuff can be used to guess your passwords. https://www.newscientist.com/article/dn7996-keyboard-sounds-reveal-their-words/ [newscientist.com]

      Evil maid while pretending to clean your keyboard, or just "messing about harmlessly" could just type QWERTY etc a few times so that the different sounds for the keys are recorded.

      [1] https://en.wikipedia.org/wiki/Tempest_(codename) [wikipedia.org]

  • (Score: 1) by Anartech Systems on Sunday November 20 2022, @01:44AM (4 children)

    by Anartech Systems (11857) on Sunday November 20 2022, @01:44AM (#1280576)

    > So, if you absolutely have no other option, what do you do to ensure that your data remains as secure as possible?
    Store all my secure data in an encrypted bucket on a VPS server, and use 2FA with the login method. You can clone my disk all you want, you might find some spicy memes you don't currently have in your collection and maybe the odd dick pic to properly mess with you, but that will be about it.

    • (Score: 1) by Anartech Systems on Sunday November 20 2022, @01:51AM

      by Anartech Systems (11857) on Sunday November 20 2022, @01:51AM (#1280577)

      s/server/host. BRB, going to the ATM machine to cash out my nerd credit.

    • (Score: 5, Insightful) by maxwell demon on Sunday November 20 2022, @06:31AM

      by maxwell demon (1608) on Sunday November 20 2022, @06:31AM (#1280615) Journal

      As long as you use your laptop to access that VPS server, it's a target. If the attacker manages to infiltrate your laptop, he can simply access the VPS the next time you access it (you can't even protect yourself by not connecting to a network, since without network you'll not be able to access that VPS). You'll do the login, so that's not a problem, and 2FA won't help with that.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by driverless on Sunday November 20 2022, @07:41AM (1 child)

      by driverless (4770) on Sunday November 20 2022, @07:41AM (#1280629)

      Store all my secure data in an encrypted bucket on a VPS server,

      Don't have anything of interest or worth stealing on my devices. Being too boring to be of interest is also a defence mechanism.

      • (Score: 4, Interesting) by janrinok on Sunday November 20 2022, @09:30AM

        by janrinok (52) Subscriber Badge on Sunday November 20 2022, @09:30AM (#1280645) Journal

        It doesn't have to be secret information.

        Your email address book is valuable for identity theft, not only of yourself but for each of the people in there. With access to your laptop somebody could send emails purporting to be you and also make sure that you don't see the replies as they gather information on somebody else, If you ever log in to another network using your laptop then you have just provided access to that network for somebody who isn't supposed to be there.

        You might think that you are boring. Those that practise social engineering think that you and your laptop are very valuable assets because you don't even think that your data is worth protecting.

  • (Score: 2, Touché) by looorg on Sunday November 20 2022, @04:42AM (3 children)

    by looorg (578) on Sunday November 20 2022, @04:42AM (#1280593)

    If there is sensitive or super-duper-secret stuff on your phone/laptop you don't leave it around all over the place, you carry it with you thereby defeating all the evil maids and possibly also other evil service minions.

    • (Score: 3, Informative) by janrinok on Sunday November 20 2022, @09:43AM (2 children)

      by janrinok (52) Subscriber Badge on Sunday November 20 2022, @09:43AM (#1280646) Journal

      So, if you absolutely have no other option, what do you do to ensure that your data remains as secure as possible?

      So you avoided answering the question by not even reading the question.

      If you have super-duper-secret stuff on your laptop (such information NEVER goes on a 'phone) then there are already rules and facilities in place to cater for such eventualities in most countries. Having travelled with classified information in the UK and Europe there was always a plan to ensure secure storage if I could not continue to protect the information myself.

      • (Score: 2) by looorg on Sunday November 20 2022, @03:53PM

        by looorg (578) on Sunday November 20 2022, @03:53PM (#1280684)

        So you avoided answering the question by not even reading the question.

        If you have super-duper-secret stuff on your laptop (such information NEVER goes on a 'phone) then there are already rules and facilities in place to cater for such eventualities in most countries. Having travelled with classified information in the UK and Europe there was always a plan to ensure secure storage if I could not continue to protect the information myself.

        No. I read it. But the scenario given by that last line is just bad. There are always options, that said all of them are or might not be good. As noted there are levels of how super-duper-secret the stuff is. Some of it you don't, or are supposed to, even leave the building. But then there always appear to be exceptions caused by a lack of security or people that do think that the rules doesn't apply to them they apparently have no options so they resort to stupid things like taking physical things with them, mailing it to their private accounts or just storing it on a USB-stick that they drop or forget someplace (after all they are so small).

        If your phone is encrypted, or the storage on it, then I don't see why that would be worse then an encrypted laptop. Bad security is bad security and the device in question doesn't really matter all that much. The hackability of it should be similar in that regard -- phone connected, unlocked and unattended vs laptop connected, unlocked and unattended. In that regard is there even a difference? Except size of the device. Perhaps the laptop can still be used without a connection while the phone is then a small paperweight cause at least the laptop you can disconnect and not use wi-fi. But beyond that.

      • (Score: 2) by aafcac on Monday November 21 2022, @01:19AM

        by aafcac (17646) on Monday November 21 2022, @01:19AM (#1280741)

        Shy of either carrying it with you or locking it in a safe that somehow is anchored to something large enough to prevent removal, there's not really much you can do that really addresses the problem. Sure, there are things you can do like encrypting the harddrive or not even having one, but at the end of the day, any equipment that's left out and accessible is going to be subject to attack by anybody with access and interest in doing so.

  • (Score: 1) by crotherm on Sunday November 20 2022, @10:54PM (1 child)

    by crotherm (5427) Subscriber Badge on Sunday November 20 2022, @10:54PM (#1280725)

    How good are the hotel room safes?

(1)