LinuxQuestions.org

Linux - Security: Evil maid detector? (http://www.linuxquestions.org/questions/linux-security-4/evil-maid-detector-4175447870/)

displace 01-30-2013 12:22 PM

Evil maid detector?
 
Hello.

<blablabla>
Recently I started encrypting all my hard disks by default. For linux boxes I'm using full disk encryption with LUKS/LVM. Well technically it is not really "full" disk encryption because the computers have to boot from some unencrypted space. This will most likely be a part of the HDD where the MBR and the /boot partition reside - both unencrypted. The boot partition is home to the kernel, the grub2 boot loader, etc. The computers do not support secure boot.

Out of curiosity I did a little research on this subject, and I read about this thing called "evil maid" attack. It's a process where an adversary sneaks into your quarters and gains physical access to the computer. While he may not be able to obtain any data from it (data is encrypted, adversary doesn't have the password), he can easily modify the kernel or some other script and insert a malicious keylogger on the unencrypted /boot partition. Finally he leaves the place and waits for me to login again and type the password, unaware that the computer has been bugged. The keylogger either writes down the password to an unencrypted space on /boot for later retrieval or it can transmit the key to a specified IP address once I connect to the internet.
</blablabla>


Is there a decent way to protect against this attack? I'm talking about detecting, if the unencrypted space has been bugged, before any damage is done. Yes yes, I know I can move the /boot partition and the bootloader to an external USB stick and boot from there. I already do that for a number of computers, but it gets a bit impractical having to carry around a large stash of USB keys. What if I misplace them?

The only idea I came up with was to hash the boot sector/MBR and the /boot partition each time a PC boots, then compare the hashes against stored values, and abort the boot process until the attack can be mitigated. But I can't come up with a decent way of implementing it. If the hashing scripts reside on the /boot partition then they can easily be bypassed. If they reside inside the encrypted space then the keylogger will have already logged the key before the execution reaches the point where the hashing scripts are executed. The only sensible solution here appears to be a setup that uses two encrypted partitions - the first one stores the hashing scripts, and the second the actual operating system. This way the user has to enter two passwords. The first password prevents the adversary from modifying the verification scripts while allowing the scripts to warn the user not to enter the second password, which protects the operating system.


This is the theory at least. Has anybody experimented with this yet?

~dis

Habitual 01-30-2013 01:34 PM

There is NO security without physical security.

frieza 01-30-2013 01:45 PM

Not much you can do about this one. You could take some steps to physically lock down your computer, but ultimately if someone is determined to get at your data, they will.
So the answer to your question is how much time and money you are willing to invest in physically securing access to the location. But ultimately the most dangerous people at a company are its employees. The 'evil maid' you speak of isn't just anyone sneaking into your quarters and exploiting your computer; it's someone you hired to work for you (e.g. a janitor, secretary) or a friend, in short someone to whom you gave the key to the room, who is doing the exploiting, hence the 'maid' part. So I suppose the best way to protect from this is simply to make sure you trust the people you grant access to the room where the computer is.

rknichols 01-30-2013 10:51 PM

Put /boot (unencrypted) on a USB flash drive. Encrypt everything on the machine's hard drives. You only need to have the USB flash drive installed for booting and for kernel updates. Keep it in a secure place at all other times.

chrism01 02-01-2013 01:16 AM

For the original question: you hash /boot, grub, whatever, then carry just the hashes around on a USB key. You can get plenty on a modern USB key.
Obviously you keep the hash program on the USB key; maybe leave a copy for the bad guy to play with. Take a hash of the hash program so you can check.

Of course if they put a HW keylogger in your keyboard ... it's game over.
Allegedly this is one method used by the various Secret Services around the world.

You may possibly be over-worrying unless you work for e.g. a Govt Dept already, in which case that's what guards (people, ideally with HKs) are for.
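The check displace proposes in the first post, in the form chrism01 suggests here (manifest and checker kept on a USB key rather than on the disk), as an added example that is not code from either poster. It hashes the boot sector (first 512 bytes of the disk, where the stage-1 bootloader and partition table live) and every file under /boot, records the result in a manifest, and later refuses to continue if anything differs. Assumed, not from the thread: GNU coreutils (sha256sum, dd, find) and diff are available; for a stand-alone run it builds a constructed /boot tree and a small disk image in a temporary directory instead of touching real devices.

```shell
#!/bin/sh
# Added example: boot-integrity check of the kind discussed in this thread.
# Assumptions (not from the thread): GNU coreutils and diff are installed;
# the manifest AND this script live on removable media the attacker never
# sees, because anything left on the unencrypted /boot can be swapped out.

# hash_boot BOOTDIR DISK
#   Print one "HASH  NAME" line for the boot sector and for each regular
#   file under BOOTDIR, in a stable order so two runs are comparable.
hash_boot() {
    bootdir=$1 disk=$2
    # Stage-1 bootloader and partition table: first 512 bytes of the disk.
    mbr_hash=$(dd if="$disk" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1)
    printf '%s  [boot-sector]\n' "$mbr_hash"
    # Kernel, initrd, GRUB modules and grub.cfg: all patchable by an evil maid.
    (cd "$bootdir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2)
}

# make_manifest BOOTDIR DISK OUTFILE
#   Record the known-good state. Run once after a clean install and after
#   every kernel/bootloader update, then copy OUTFILE to the USB key.
make_manifest() {
    hash_boot "$1" "$2" > "$3"
}

# verify_boot BOOTDIR DISK MANIFEST
#   Return 0 when the current state matches MANIFEST, 1 otherwise. The
#   diff names changed, added or removed entries so you know what to inspect.
verify_boot() {
    current=$(mktemp) || return 2
    hash_boot "$1" "$2" > "$current"
    if d=$(diff "$3" "$current"); then
        rm -f "$current"
        echo "boot integrity OK"
        return 0
    fi
    echo "BOOT INTEGRITY FAILURE - do not enter your passphrase" >&2
    printf '%s\n' "$d" >&2
    rm -f "$current"
    return 1
}

# setup_fake_boot DIR
#   Constructed sample data: a tiny /boot tree and a 4 KiB "disk" whose
#   first bytes stand in for stage-1 bootloader code.
setup_fake_boot() {
    mkdir -p "$1/boot/grub"
    printf 'fake kernel image\n' > "$1/boot/vmlinuz"
    printf 'fake initramfs\n'    > "$1/boot/initrd.img"
    printf 'set timeout=5\n'     > "$1/boot/grub/grub.cfg"
    dd if=/dev/zero of="$1/disk.img" bs=512 count=8 2>/dev/null
    printf 'fake stage1 code' | dd of="$1/disk.img" conv=notrunc 2>/dev/null
}

# demo: record, verify (passes), tamper like a maid would, verify (fails).
# Returns 0 only if the clean state passed AND the tampering was caught.
demo() {
    work=$(mktemp -d) || return 2
    setup_fake_boot "$work"
    make_manifest "$work/boot" "$work/disk.img" "$work/manifest"
    verify_boot "$work/boot" "$work/disk.img" "$work/manifest"
    first=$?
    # The maid adds a module to grub.cfg and patches one byte of the boot sector.
    printf 'insmod keylogger\n' >> "$work/boot/grub/grub.cfg"
    printf 'X' | dd of="$work/disk.img" bs=1 seek=3 conv=notrunc 2>/dev/null
    verify_boot "$work/boot" "$work/disk.img" "$work/manifest"
    second=$?
    rm -rf "$work"
    [ "$first" -eq 0 ] && [ "$second" -eq 1 ]
}

demo
```

For real use you would boot from the USB key (or a live system on it), mount the internal /boot read-only and run `verify_boot /boot /dev/sda /path/on/usb/manifest` before typing the LUKS passphrase; running the same script from the disk's own /boot gives the attacker the chance to replace it, which is exactly the problem the first post describes. Two limits worth knowing: the check only notices changes, so it does nothing about someone imaging the disk to attack offline, and it hashes the disk, not the machine's firmware, so a BIOS-level implant is outside what it can see.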

frieza 02-01-2013 03:13 AM

That doesn't stop someone from sticking a CD in the drive, booting from it, and making a copy of the drive and taking that with them to crack, nor does it detect it, since hashing only detects CHANGES.

displace 02-01-2013 07:36 AM

Quote:

Originally Posted by frieza (Post 4880874)
Not much you can do about this one. You could take some steps to physically lock down your computer, but ultimately if someone is determined to get at your data, they will.
So the answer to your question is how much time and money you are willing to invest in physically securing access to the location. But ultimately the most dangerous people at a company are its employees. The 'evil maid' you speak of isn't just anyone sneaking into your quarters and exploiting your computer; it's someone you hired to work for you (e.g. a janitor, secretary) or a friend, in short someone to whom you gave the key to the room, who is doing the exploiting, hence the 'maid' part. So I suppose the best way to protect from this is simply to make sure you trust the people you grant access to the room where the computer is.

Thank you for the insight.

Regarding the sneaking part, I understand it's the everyday people who are most likely to commit an attack. I was only implying that the attack is going to happen in my absence. The theory is that in order for the attack to be successful it must happen in multiple stages. The first stage is the part where an adversary bugs my computer with a keylogger, be it hardware or software. This stage is never going to be successful alone. The crucial stage is the second one, where it is required that the unaware user types in the passphrase which will be keylogged. Finally the third stage is the recovery of the passphrase and decryption of the encrypted data.

If I manage to detect the first stage of the attack, I can easily mitigate without any real damage.


Quote:

Originally Posted by rknichols (Post 4881078)
Put /boot (unencrypted) on a USB flash drive. Encrypt everything on the machine's hard drives. You only need to have the USB flash drive installed for booting and for kernel updates. Keep it in a secure place at all other times.

I am already doing this for a couple of computers. But as I said in my first post, it's difficult to always carry the keys along and keep an eye on them. There's also a possibility that I misplace/lose them - no more access without a proper backup. A single key can only hold boot data for a single computer - lots of computers = lots of USB keys.

Quote:

Originally Posted by chrism01 (Post 4881983)
For the original question: you hash /boot, grub, whatever, then carry just the hashes around on a USB key. You can get plenty on a modern USB key.
Obviously you keep the hash program on the USB key; maybe leave a copy for the bad guy to play with. Take a hash of the hash program so you can check.

Of course if they put a HW keylogger in your keyboard ... it's game over.
Allegedly this is one method used by the various Secret Services around the world.

You may possibly be over-worrying unless you work for e.g. a Govt Dept already, in which case that's what guards (people, ideally with HKs) are for.

I do not work for any Govt, and am not on any watch list - at least not to my knowledge or expectations. Regardless, I still like to properly secure my data. It never hurts to be careful though. It's a good idea to have a single USB key that contains only hashes for multiple computers! Perhaps I can add a GRUB option to verify the hashes...

I know that some hardware keyloggers are available in the shape of a small plug that can be placed in between a computer and the USB (or PS/2) plug of a keyboard. Fortunately these can be easily spotted. And laptops have a built-in hardware keyboard, so unless they're going to open the case I don't see a way they could keylog my laptop with a HW keylogger. I mean, is there even enough space inside a laptop to install a HW keylogger? I could probably place some hard-to-forge sticker (similar to those "warranty void if removed" seals) over the case and check whether it has been torn. This would indicate someone opened the case. I've also heard that some people weigh their laptops. An increase in mass would suggest extra hardware has been installed.

Quote:

Originally Posted by frieza (Post 4882055)
That doesn't stop someone from sticking a CD in the drive, booting from it, and making a copy of the drive and taking that with them to crack, nor does it detect it, since hashing only detects CHANGES.

Yes, I am familiar with the procedure. I used to rescue data on a number of HDDs like that (systemrescuecd). But let's assume that the passphrase is too strong to crack. Personally I use passphrases at least 16 characters long, without any words that can be found in a dictionary. I use a combination of uppercase and lowercase letters, at least one number and at least one special character.

Habitual 02-01-2013 09:00 AM

You sound like me my first week over at http://ga-asi.com/ . When they appointed me as Network/Systems Admin and Oracle DBA for a 15 million dollar project, all their "product" was sitting on an Oracle Database on WindowsNT 4.0. OMG.

For a year, I worried about those Ones and Zeros, reliable backups, intrusion response, etc. Shit, the USGovt. has serious standards and I wasn't quite sure that our setup would pass any of their tests, even if it passed mine.

I moved Oracle to a Sun box (without any data loss or downtime) with Solaris 8 (I think)
and left the Window-only client-app to a Citrix front-end.


One of those tests I had, was I called a hacker friend of mine and gave him an IP to the Citrix Server and a port and said "go". 3 hours later, he told me I was good to go. He did not succeed.

In the end, I just made sure NO ONE but me had physical access to the "gold1" and "gold2" servers at http://ga-asi.com/ and I had redundant backups of the Oracle data.

"the unaware user"... are there any other kind? :twocents:

A shout out to the folks over at the MIS Dept. of General Atomics, Aeronautical Systems.

John Jones

BlackRider 02-06-2013 01:46 PM

Quote:

Originally Posted by Habitual
There is NO security without physical security.

THIS.

Even if your software structure was invulnerable (and it won't be), there are funny hardware keyloggers and toys they can place in your computer... Even hardware keyloggers for laptops.

If we are up to the level of awareness involved in protecting against an Evil Maid attack, you should beware of these.

It reminds me of a film where they take a lawyer's things and replace them with hacked copies.

The most reasonable thing would be, at least for me, to set the /boot on an external device you have always secured, and periodically perform integrity checks on it just in case.

Detection of a conventional disk encryption scheme... well, you could run Aide or some other integrity checks, but once they have managed to run a bootkit on you, they could be able to cover their tracks and remain undetected in unsuspected ways.

BlackRider 02-06-2013 01:49 PM

Quote:

A single key can only hold boot data for a single computer
It depends. I sometimes build multi-boot USB devices for fun. Just saying.

